Complete.Org: Mailing Lists: Archives: announce: December 2001:
[announce] Aclug Meeting: Tuesday Dec 4: IP Tables

To: <announce@xxxxxxxxx>
Subject: [announce] Aclug Meeting: Tuesday Dec 4: IP Tables
From: "Info" <info@xxxxxxxxx>
Date: Mon, 3 Dec 2001 13:12:17 -0600
Reply-to: announce@xxxxxxxxx

             Air Capital Linux Users Group of Wichita, KS

 * Tuesday, Dec 4 - IP Tables 

Contact:  info@xxxxxxxxx


7:00/7:30 PM in Jabara Hall at Wichita State University (details below)
This event is free and open to the public.  Please forward this message to
anyone you feel may be interested in attending.

Aclug Meeting: Tuesday, Dec 4: IP Tables

This meeting will introduce you to IP Tables, the new firewalling tools
for the 2.4.x Kernel.  

Iptables is the replacement for the userspace tool ipchains in the Linux
2.4 kernel. It is part of the kernelspace netfilter project. Iptables has
many more features than ipchains and is also structured more sensibly. The
main points of note are as follows: 

 * Connection tracking capability, i.e. the ability to do stateful packet
   inspection. This works for icmp and udp as well as tcp connections. For
   instance, stateful icmp filtering allows you to only allow an icmp
   echo-reply in if an echo-request went out. This is something you couldn't
   do with ipchains: most people would block echo-requests but blindly
   accept echo-replies with the assumption that they would always be in
   response to their own pings. Not true. Unsolicited echo-replies can be a
   sign of a Smurf amplification attack, a Tribe Flood Network communication
   between master and daemon, or a Loki 2 back-door.
 * Simplified behaviour of packets negotiating the built-in chains (INPUT,
   OUTPUT and FORWARD). On multi-homed hosts, packets travelling between
   interfaces negotiate only the FORWARD chain rather than all three built-in
   chains as they did before (providing packet forwarding is enabled of
 * A clean separation of packet filtering and network address translation
   (NAT). This is very nice; in ipchains masquerading was done as part of the
   packet filtering, but in iptables masquerading is treated as a particular
   type of source NAT (SNAT), as it should be. Redirection, in turn, is
   treated as a particular type of destination NAT (DNAT). SNAT is done after
   routing and DNAT is done before routing, which makes it easy to define
   your rulebase and add NAT as an afterthought.
 * Rate-limited connection and logging capability. Now you can limit both
   connection attempts, as in SYN-flooding Denial of Service (DoS) attacks,
   and also prevent your logs being flooded, as happened in the Jolt2
   fragment-driven DoS attack against Checkpoint's Firewall-1. Another very
   nice feature.
 * The ability to filter on tcp flags and tcp options, and also MAC
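As an added illustration of the points listed above (this script is not part of the announcement or of Tom Bloom's talk), here is a small iptables ruleset for a host that also routes for a LAN, using the 2.4-era `state`, `limit` and `tcp-flags` matches. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the internal web server 192.168.1.10 are assumed placeholders, and DRY_RUN=1 (the default) prints the rules instead of applying them, so the set can be read and checked without root:

```shell
#!/bin/sh
# Added example, not part of the ACLUG announcement. One ruleset showing the
# iptables features named above: stateful filtering (an ICMP echo-reply is
# accepted only when conntrack saw our echo-request go out), FORWARD-only
# traversal for routed packets, MASQUERADE as SNAT in POSTROUTING and DNAT in
# PREROUTING, the limit match for SYN floods and log flooding, and tcp-flags.
# Interface names, the LAN prefix and the DNAT target are assumed values.
EXT_IF="${EXT_IF:-eth0}"                # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                # assumed: LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: private LAN prefix
WEB_HOST="${WEB_HOST:-192.168.1.10}"    # assumed: internal web server for DNAT
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print rules, 0 = apply with iptables

# ipt prints each rule when DRY_RUN=1 so the set can be reviewed without root,
# and otherwise invokes the real iptables binary with the same arguments.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Flush everything, then default-deny inbound and forwarded traffic.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Drop malformed TCP flag combinations (no flags at all, or SYN+FIN)
    # early; ipchains could not match on flags.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Stateful filtering: anything belonging to a connection we started is
    # accepted. An ICMP echo-reply matches ESTABLISHED only if conntrack saw
    # our echo-request leave; an unsolicited reply falls through this rule.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Only unsolicited echo-replies reach this rule. Log them, rate-limited so
    # a flood cannot fill the logs, then let the INPUT policy drop them.
    ipt -A INPUT -p icmp --icmp-type echo-reply \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "UNSOLICITED-ECHO-REPLY: "

    # Rate-limit new connection attempts: syn_limit returns to INPUT while the
    # token bucket has tokens and drops (with throttled logging) once a SYN
    # flood has exhausted it.
    ipt -N syn_limit
    ipt -A syn_limit -m limit --limit 10/second --limit-burst 30 -j RETURN
    ipt -A syn_limit -m limit --limit 1/minute -j LOG --log-prefix "SYN-FLOOD: "
    ipt -A syn_limit -j DROP
    ipt -A INPUT -p tcp --syn -j syn_limit

    # The one service this host offers itself: SSH, as a NEW connection.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Routed packets traverse only FORWARD: the LAN may go out, replies come
    # back, and DNAT'd web traffic is allowed in to the internal server.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # NAT lives in its own table: MASQUERADE is SNAT applied in POSTROUTING
    # (after routing); DNAT is applied in PREROUTING (before routing), so the
    # FORWARD rule above already sees the rewritten destination.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST":80
}

# count_rules returns the number of iptables commands the ruleset emits,
# always in dry-run mode (subshell so the caller's DRY_RUN is untouched).
count_rules() {
    ( DRY_RUN=1; build_ruleset ) | wc -l | tr -d ' '
}

build_ruleset
```

Rule order is what makes the ICMP example work: the ESTABLISHED,RELATED rule must come before the echo-reply LOG rule, so a reply to our own ping is accepted there and only unsolicited replies reach the logger. Run with DRY_RUN=0 as root to apply the set for real.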

Tom Bloom will be our guest speaker for this topic.


Meetings are typically held every other Tuesday at 7:00/7:30pm in 260
Jabara Hall on the campus of Wichita State University.  A sign will be
posted outside Room 260 in the event that we need to meet elsewhere.
Details on the event schedule and upcoming events can be found at; maps can be found at

7:00PM to 7:30PM is reserved for open discussion. 7:30PM to 7:45PM we will
cover old and new business, and make announcements of upcoming ACLUG

Our regular presentation will begin after the announcements, at
approximately 7:45. Of course, if you can make it at 7, you're encouraged
to stay for the whole program.  You are welcome to arrive at either 7 or

Further details will be posted to the aclug-announce mailing list; you can
subscribe for free at

      Dale W Hodge  - Secretary & Website Maintainer -  info@xxxxxxxxx
      Visit the Aclug Companion at

