iptables easy to understand articles/pdf

Hi, I am working on a longish "tutorial" that explains iptables for pretty much anyone. I have encountered so far only pretty high-level documents that go immediately into the code. My approach is more of a nothing-to-everything approach, and I have 3 parts already. I am now writing the last part (IMHO), but I would like to have some input to see where this guide could be expanded or made better. This will be converted into a pdf once the whole is complete for easy offline reading. My last document is about different iptables modules and I haven't published it yet, but the other 3 are online already. For any suggestions, please email me; I am looking forward to it. Part 1:

formatting link
formatting link
Part 3:
formatting link
Thanks already for any constructive criticism.


formatting link
PS: yes, I am posting this in a couple of groups, but not all at once.


Great - I look forwards to reading it!

I use Shorewall in a Leaf router/firewall, and would like to understand more of the 'nuts and bolts' of iptables.

Jim Ford


Where have you looked? A Linux distribution comes with a bunch of HOWTOs and mini-howtos aimed at answering a lot of the questions a user may have. Looking at the current documents (here from sunsite):

-rw-rw-r-- 1 gferg ldp 85507 Aug 20 2001 Firewall-HOWTO

-rw-rw-r-- 1 gferg ldp 271987 Nov 27 14:45 HOWTO-INDEX

-rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO

-rw-rw-r-- 1 gferg ldp 17605 Jul 21 2004 Masquerading-Simple-HOWTO

-rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO

-rw-rw-r-- 1 gferg ldp 278012 Jul 23 2002 Security-Quickstart-HOWTO

-rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

but the more authoritative documents are on Rusty Russell's site at

formatting link
- the so-called "unofficial" HOWTOs:

[TXT] NAT-HOWTO.txt                    17-Oct-2004 14:34  25K
[TXT] netfilter-double-nat-HOWTO.txt   17-Oct-2004 14:34  9.4K
[TXT] netfilter-extensions-HOWTO.txt   17-Oct-2004 14:34  79K
[TXT] netfilter-hacking-HOWTO.txt      17-Oct-2004 14:35  84K
[TXT] netfilter-mirror-HOWTO.txt       17-Oct-2004 14:33  8.1K
[TXT] networking-concepts-HOWTO.txt    17-Oct-2004 14:34  28K
[TXT] packet-filtering-HOWTO.txt       17-Oct-2004 14:34  52K

Additionally, there are some relevant guides at

formatting link
* Securing & Optimizing Linux: The Ultimate Solution
* The Linux Cookbook: Tips and Techniques for Everyday Use
* Linux Administrator's Security Guide

Part 1

you can set in these policies are ACCEPT,DENY and DROP. the difference

The difference (missed capitalization in a number of places besides this. This also applies to the second and third part.)

between DENY and DROP is that DROP will just disregard the package whereas DENY will send a TCP package back telling the other machine that the traffic has been denied.

send a TCP packet

Part 2


Wrong closing quote (several places besides this)

rules and the packet will go through all the rules uuntil the end of

speel chequer not used ;-)

Part 3

Now, the explanation. The AP is WEP capable only and WEP is good but not good enough for us security people).

WEP is not good enough for anyone. WEP64 and WEP128 can easily be cracked. WPA is better. WPA-PSK with TKIP is very safe. The usual recommendation is 20 characters or more, consisting of non-dictionary words. WPA encryption based on a PSK (Pre Shared Key) has been cracked, but only with weak keys (either very short or short dictionary words), and not TKIP, which changes the encryption key frequently. (People rant about this subject in the Usenet newsgroup 'alt.internet.wireless' quite frequently.)

The 3 networks we are using here are :
* for our MAIN network on eth
* for our WLAN on eth1
* for our OpenVPN WLAN network on tun0
* for our OpenVPN PUBLIC network on tun1

3??? Oh, you're a Geek, and count from zero. OK ;-)

$IPT -A local -s -d -j ACCEPT

Minor quibble - I'd use, simply because the system knows that any address in that range is loopback. Try pinging/connecting to - and your own computer will answer.


Looks good.

Think also of leaving it as raw text - the advantage is that you can use a search feature like 'grep' to find keywords which is impossible with a pdf.

It would be better to cross-post (put all the newsgroups in a comma-separated line) and set a Followup-To: as I have done here than to post individually. (I also see two copies of the other post to alt.computer.security and comp.os.linux.networking.)

Old guy

Moe Trin
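An added example (not part of the tutorial or of either post) that puts the two corrections above into a small ruleset: the loopback rule written for the whole 127.0.0.0/8 range, and REJECT placed beside DROP so the difference in what the sender sees is visible. In iptables the target that sends a refusal back is REJECT (DENY was the ipchains name); the network and interface names are constructed placeholders, and the script only prints the rules unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Dry run by default: $IPT expands to "echo iptables", so the rules are
# printed, not applied. Run with IPT=/sbin/iptables as root to apply them.
IPT="${IPT:-echo iptables}"

LOOPBACK_NET="127.0.0.0/8"   # whole loopback range, not just 127.0.0.1
LAN_NET="192.168.1.0/24"     # constructed placeholder for the MAIN network
LAN_IF="eth0"                # constructed placeholder interface name

apply_rules() {
    # Start from an empty INPUT chain with a default-deny policy.
    $IPT -F INPUT
    $IPT -P INPUT DROP

    # Loopback: accept on the lo interface and for the entire 127.0.0.0/8
    # range, so 127.0.0.2 (and friends) are covered as well as 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s "$LOOPBACK_NET" -d "$LOOPBACK_NET" -j ACCEPT

    # Replies to connections this host opened itself.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH, but only from the LAN.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # REJECT: the packet is discarded AND an error goes back (here a TCP RST),
    # so the client sees "connection refused" at once.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 23 -j REJECT --reject-with tcp-reset

    # DROP: the packet is discarded silently; the client just times out.
    $IPT -A INPUT -j DROP
}

apply_rules
```

Compare the two terminal rules with a client: a connect to port 23 fails immediately, while a connect to any other unlisted port hangs until the client's own timeout.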

Hi Moe, excellent, thank you very much for the comments (and corrections). I will change the quibbles as soon as I get home. About the raw text, I guess I can leave that as well, yes. My main point was that there are so many documents that a person would have to read to get a grasp of iptables, that a single one would be nicer and easier, imho.

Again, thanks for the comments. Anyone who still has something to add, or suggestions, please do so; anyone who wants something to be added to the whole, like something they want explained, please let me know.



formatting link

Moe Tr> On 20 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article


Please do post an announcement when the rest of the document is available.

Oh, I agree with that. The reason I was suggesting having the text version available is the ease in searching for things that the document may contain. I'm sure you are used to using 'apropos' and 'whatis' to search for man pages (as one example), but I've also found it very useful to use grep (or zgrep) to search for keywords within the man pages.

[compton ~]$ apropos routing | wc -l
2
[compton ~]$ find /usr/share/man/ -mindepth 2 -type f | wc -l
3018
[compton ~]$ zgrep -l routing /usr/share/man/man*/* | wc -l
17
[compton ~]$

That's just one example where being able to access the _words_ in a document may be useful. Going along with your point, there are 448 different HOWTOs and mini-howtos (totalling 3.8 million words), and 29 of them mention 'iptables'. But what use is that if you can't _find_ which one?

Old guy

Moe Trin
