LinuxTag 2002 Conference CD-ROM

The Talks

Linux 2.4.x netfilter/iptables Firewalling Internals
by Harald Welte
Astaro AG

Harald Welte is one of the five core team members of the netfilter/iptables project. His primary focus within the netfilter/iptables project has always been the connection tracking and NAT code. He works as an independent Linux and general networking security consultant. Astaro AG is currently sponsoring Harald Welte for his netfilter/iptables work.

The Linux 2.4.x kernel series introduced a completely new in-kernel firewalling subsystem, netfilter/iptables. It is far more than a mere successor to ipfwadm (2.0) or ipchains (2.2).

The netfilter/iptables project has a highly modular design; its sub-projects divide into several parts: netfilter (the hook framework inside the protocol stacks), iptables (packet selection), connection tracking, NAT and packet mangling.

While most users will by now have learned the basic functions of netfilter/iptables in order to convert their old ipchains firewalls to iptables, netfilter/iptables also offers more advanced, but less widely used, capabilities.

The presentation covers the design principles behind the netfilter/iptables implementation. This knowledge makes it possible to understand how the individual parts of netfilter/iptables fit together, and which applications they are useful for.

Topics covered:

  • Overview of the internal netfilter/iptables architecture
    • The netfilter hooks inside the network protocol stacks
    • Packet selection with iptables
    • How connection tracking and NAT are integrated in the framework
  • The connection tracking system
    • How well does it track the TCP state?
    • How does it track ICMP and UDP states at all?
    • Layer 4 protocol helpers (GRE, ...)
    • Application helpers (FTP, IRC, H.323, ...)
    • Restrictions/limitations
  • The NAT system
    • How does it interact with connection tracking?
    • Layer 4 protocol helpers
    • Application helpers (FTP, IRC, ...)
  • Other topics
    • How far advanced is IPv6 firewalling with ip6tables?
    • Advances in failover/HA of stateful firewalls
    • Invisible firewalls with iptables on a bridge
    • Userspace packet queueing with QUEUE
    • Userspace packet logging with ULOG
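As an added example, not material from the talk or code from the netfilter project, the following script shows how the pieces listed above combine on a Linux 2.4 gateway: the `state` match driven by connection tracking, the FTP/IRC conntrack and NAT helper modules, MASQUERADE and DNAT in the nat table, and the ULOG target for userspace logging. The topology (eth0 to the Internet, eth1 to a 192.168.1.0/24 LAN, a web server at 192.168.1.10) and the `RUN=echo` dry-run switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stateful netfilter/iptables ruleset for a Linux 2.4 gateway.
# Assumed (hypothetical) topology: eth0 = Internet side, eth1 = LAN 192.168.1.0/24,
# 192.168.1.10 = internal web server published via DNAT.
# RUN=echo prints every command instead of executing it (dry run).
RUN="${RUN:-}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.10}"

# Application helpers: the conntrack helper parses the control channel
# (FTP PORT/PASV, IRC DCC) and registers an expectation so the data connection
# is classified RELATED; the matching NAT helper rewrites the addresses
# carried inside the payload.
load_helpers() {
    $RUN modprobe ip_conntrack_ftp
    $RUN modprobe ip_nat_ftp
    $RUN modprobe ip_conntrack_irc
    $RUN modprobe ip_nat_irc
}

filter_rules() {
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT
    $RUN iptables -A INPUT -i lo -j ACCEPT

    # INVALID: conntrack could not classify the packet (TCP flags that do not
    # fit the tracked state, ICMP error for an unknown connection). Drop early.
    $RUN iptables -A INPUT   -m state --state INVALID -j DROP
    $RUN iptables -A FORWARD -m state --state INVALID -j DROP

    # Stateful core: packets of an already tracked connection (ESTABLISHED) and
    # helper-expected connections or ICMP errors for a tracked one (RELATED).
    $RUN iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW connections: LAN outward only, plus the published web server
    # (nat/PREROUTING has already rewritten the destination by the time
    # the packet reaches FORWARD, so match on the internal address).
    $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$EXT_IF" -d "$WEB_SRV" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Allow pinging the gateway; the replies and any ICMP errors come back as tracked traffic.
    $RUN iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # Everything else: copy to userspace through ULOG (netlink multicast group 1,
    # queued 10 packets at a time) and then fall through to the DROP policy.
    $RUN iptables -A INPUT   -j ULOG --ulog-nlgroup 1 --ulog-prefix "IN-DROP " --ulog-qthreshold 10
    $RUN iptables -A FORWARD -j ULOG --ulog-nlgroup 1 --ulog-prefix "FWD-DROP " --ulog-qthreshold 10
}

nat_rules() {
    $RUN iptables -t nat -F
    # Source NAT for the LAN. MASQUERADE uses the outgoing interface's current
    # address and drops its mappings when the link goes down (dial-up friendly);
    # prefer SNAT on a static address. Only the first packet of a connection
    # traverses the nat table; conntrack applies the mapping to the rest.
    $RUN iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    # Destination NAT: publish the internal web server on the external address.
    $RUN iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV"
}

apply_all() {
    load_helpers
    nat_rules
    filter_rules
    $RUN sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) apply_all ;;           # load the ruleset (needs root)
    *)     ( RUN=echo; apply_all ) ;;  # default: print the generated commands
esac
```

`sh fw.sh` prints the commands that would be run; `sh fw.sh apply` loads them as root. Note the ordering inside `filter_rules`: the INVALID and ESTABLISHED,RELATED rules sit before any NEW rule, so the per-packet cost for the bulk of traffic is one conntrack lookup, and the helper-expected FTP data connection is accepted without any port-range rule.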

Requirements:

  • Knowledge of the TCP/IP protocol family
  • Knowledge of general firewalling and packet filtering concepts
  • Prior experience with Linux packet filters

Audience:

  • Firewall administrators
  • Network developers

Talk material: PS PDF

LinuxTag 2002 Conference CD-ROM © 2002 LinuxTag e.V.