Hi, I am working on a longish "tutorial" that explains iptables for pretty much anyone. I have encountered so far only pretty high-level documents that go immediately into the code. My approach is more of a nothing-to-everything approach, and I have 3 parts already. I am now writing the last part (IMHO), but I would like to have some input to see where this guide could be expanded or made better. This will be converted into a PDF once the whole is complete, for easy offline reading. My last document is about different iptables modules and I haven't published it yet, but the other 3 are online already. Any suggestions, please email me; I am looking forward to it. Part 1:
Thanks already for any constructive criticism.
PS: yes, I am posting this in a couple of groups, but not at once.
Where have you looked? A Linux distribution comes with a bunch of HOWTOs and mini-howtos aimed at answering a lot of the questions a user may have. Looking at the current documents (here from sunsite):
-rw-rw-r-- 1 gferg ldp 85507 Aug 20 2001 Firewall-HOWTO
-rw-rw-r-- 1 gferg ldp 271987 Nov 27 14:45 HOWTO-INDEX
-rw-rw-r-- 1 gferg ldp 708351 Nov 14 2005 IP-Masquerade-HOWTO
* Securing & Optimizing Linux: The Ultimate Solution
* The Linux Cookbook: Tips and Techniques for Everyday Use
* Linux Administrator's Security Guide
you can set in these policies are ACCEPT,DENY and DROP. the difference
The difference (missed capitalization in a number of places besides this. This also applies to the second and third part.)
between DENY and DROP is that DROP will just disregard the package whereas DENY will send a TCP package back telling the other machine that the traffic has been denied.
send a TCP packet
Wrong closing quote (several places besides this)
rules and the packet will go through all the rules uuntil the end of
speel chequer not used ;-)
Now, the explanation. The AP is WEP capable only and WEP is good but not good enough for us security people).
WEP is not good enough for anyone. WEP64 and WEP128 can easily be cracked. WPA is better. WPA-PSK with TKIP is very safe. The usual recommendation is 20 characters or more, consisting of non-dictionary words. WPA encryption based on a PSK (Pre-Shared Key) has been cracked, but only with weak keys (either very short or short dictionary words), and not TKIP, which changes the encryption key frequently. (People rant about this subject in the Usenet newsgroup 'alt.internet.wireless' quite frequently.)
The 3 networks we are using here are :
* 192.168.0.0/24 for our MAIN network on eth
* 192.168.1.0/24 for our WLAN on eth1
* 192.168.2.0/24 for our OpenVPN WLAN network on tun0
* 192.168.3.0/24 for our OpenVPN PUBLIC network on tun1
3??? Oh, you're a Geek, and count from zero. OK ;-)
$IPT -A local -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
Minor quibble - I'd use 127.0.0.0/8, simply because the system knows that any address in that range is loopback. Try pinging/connecting to 127.127.127.127 - and your own computer will answer.
Think also of leaving it as raw text - the advantage is that you can use a search feature like 'grep' to find keywords which is impossible with a pdf.
Would be better to cross-post (put all the newsgroups in a comma-separated line) and set a Followup-To: as I have done here than to post individually. (I also see two copies of the other post to alt.computer.security and comp.os.linux.networking.)
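The two points raised above, matching loopback as 127.0.0.0/8 rather than a single /32, and what DROP does versus sending something back to the sender, as an added example that is not from the tutorial or from either poster. It emits a small ruleset in iptables-restore format. Note that iptables itself has no DENY target: the choices are DROP (silent) and REJECT, which answers with an ICMP port-unreachable by default or a TCP RST when given --reject-with tcp-reset; a chain policy can only be ACCEPT or DROP. The interface name eth0 and the allowed port 22 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): build an iptables-restore
# ruleset showing the loopback /8 match and DROP vs REJECT behaviour.
# LAN_IF and the SSH port are assumptions; adjust for your host.

LAN_IF=${LAN_IF:-eth0}

gen_rules() {
    cat <<EOF
*filter
# Built-in chain policies may only be ACCEPT or DROP, never REJECT.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: the whole 127.0.0.0/8 range is local, so match the /8 on lo,
# not just 127.0.0.1/32 (127.127.127.127 is your own machine too).
-A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# Anti-spoofing: a 127/8 source arriving on a real interface is bogus.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Let replies to connections this host opened come back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH from the LAN is allowed.
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Other LAN traffic: REJECT so our own hosts get an immediate answer.
# TCP gets a RST; everything else gets ICMP port-unreachable.
-A INPUT -i $LAN_IF -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $LAN_IF -j REJECT --reject-with icmp-port-unreachable
# Anything else (e.g. from the Internet) hits the DROP policy: silence.
COMMIT
EOF
}

# Self-check helper: how many rules match on the loopback /8?
loopback_rule_count() {
    gen_rules | grep -c -- '-s 127\.0\.0\.0/8'
}

# Usage:  sh thisfile.sh print | sudo iptables-restore
# (on iptables versions that support it, add --test to parse without loading)
if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

The policy is DROP so that unknown hosts on the Internet get no answer at all, while the LAN gets REJECT so that a misconfigured internal client fails fast instead of waiting for a timeout; that asymmetry is the practical reason to have both targets in one ruleset.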
Hi Moe, excellent, thank you very much for the comments (and corrections). I will change the quibbles as soon as I get home. About the raw text, I guess I can leave that as well, yes. My main point was that there are so many documents a person would have to read to get a grasp of iptables that a single one would be nicer and easier, IMHO.
Again, thanks for the comments. Anyone who still has something to add, or suggestions, please do so; anyone who wants something added to the whole, like something they want explained, please let me know.
Moe Tr> On 20 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
Please do post an announcement when the rest of the document is available.
Oh, I agree with that. The reason I was suggesting having the text version available is the ease in searching for things that the document may contain. I'm sure you are used to using 'apropos' and 'whatis' to search for man pages (as one example), but I've also found it very useful to use grep (or zgrep) to search for keywords within the man pages.
That's just one example where being able to access the _words_ in a document may be useful. Going along with your point, there are 448 different HOWTOs and mini-howtos (totalling 3.8 million words), and 29 of them mention 'iptables'. But what use is that if you can't _find_ which one?