knowplace.org

Resources

The Netfilter project (http://www.netfilter.org/) - netfilter/iptables project home

Step-by-step Iptables tutorial (http://www.BoingWorld.com/workshops/linux/iptables-tutorial/) by Oskar Andreasson

Linux 2.4 packet filtering HOWTO (http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html)

Linux 2.4 NAT HOWTO (http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/index.html)

Iptables packet traverse diagram (http://ods.dyndns.org/ipt_flow.html)

Iptables connection tracking explained (http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html)

Linux Networking-concepts HOWTO (http://netfilter.samba.org/unreliable-guides/networking-concepts-HOWTO/index.html)

RFC 1340 (http://andrew2.andrew.cmu.edu/rfc/rfc1340.html) - "Assigned Numbers" (1992); lists IP protocol numbers and well-known port numbers. It has since been obsoleted by RFC 1700 and then by the online IANA registries, so check IANA for current values.

ICMP type-code summary (http://www.iana.org/assignments/icmp-parameters)

Netfilter mailing-list archive (http://msgs.securepoint.com/cgi-bin/get/netfilter-current.html) - searchable web interface provided by SecurePoint

Linux kernel HOWTO (http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html)

ulogd project (http://www.gnumonks.org/gnumonks/projects/project_details?p_id=1)

The HoneyNet Project (http://project.honeynet.org/) - know your enemies well

CERT® Coordination Center vulnerability news (http://www.cert.org/nav/index_red.html)

Understanding IP addressing (http://www.3com.com/solutions/en_US/ncs/501302.html)

IP Spoofing Explained (http://www.wbglinks.net/pages/reads/ipspoof/ipspoofp.html)

Abnormal IP packets (http://www.securityfocus.com/focus/ids/articles/abnormal1.html)

TCP/IP refresher (http://www.cs.wright.edu/~pmateti/Courses/499/TCPIP/)

An Internet Encyclopedia (http://packetderm.cotse.com/CIE/Topics/index.htm)

SYN cookies (ftp://koobera.math.uic.edu/syncookies.html)

Three-Way Handshake via TCP/IP (http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q172983&LN=EN-US)

TCP Protocol Layers Explained (http://www.onlamp.com/lpt/a/681)

TCP window size (http://www.ncsa.uiuc.edu/People/vwelch/net_perf/tcp_windows.html)

Sequence Number Attacks (http://www.networkcomputing.com/unixworld/security/001.txt.html)

Linux 2.4 Advanced Routing & Traffic Control (http://www.ds9a.nl/2.4Routing/)

Netfilter log format (http://logi.cc/linux/netfilter-log-format.php3)

Netfilter log analyzer (http://logi.cc/linux/NetfilterLogAnalyzer.php3)


Glossary

bastion host - A heavily secured host that is deliberately exposed to an untrusted network (typically the Internet) and is therefore hardened on the assumption that it will be attacked; a firewall or DMZ gateway is the usual example.

host - Any computer that is connected to a network.

ICMP - Internet Control Message Protocol (RFC 792)

IP - Internet Protocol (RFC 791)

IP body - contains the actual data (payload) carried by an IP packet, e.g. a TCP segment, a UDP datagram or an ICMP message; the Protocol field of the IP header says which.

IP packet - an IP packet is made up of an IP header and an IP body

IP header - an IP header contains meta-data about the IP body (diagram stolen from RFC 791)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|     Fragment Offset     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |        Header Checksum        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Source Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Destination Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Network Address Translation (NAT) - A process that rewrites the source IP address (SNAT, e.g. masquerading) or the destination IP address (DNAT) of an IP packet as it passes through a router or firewall. In practice the TCP/UDP port is usually rewritten too, and the IP and transport checksums must be recalculated; netfilter's connection tracking remembers each mapping so that reply packets are translated back.

packet - A unit of data exchange between hosts.

server - a host that will provide a network service to other hosts (i.e. accept new connections)

TCP - Transmission Control Protocol (RFC 793)

TCP body - contains the actual data in a TCP packet.

TCP handshake - common term for the three-step process it takes to initiate a TCP connection: the client sends SYN, the server answers SYN/ACK, and the client completes it with ACK. Though less frequent, it also refers to the four-step process required to gracefully tear down a TCP connection (each side sends FIN and the other side acknowledges it). (stolen diagram; I don't remember where from. Email me and I'll be glad to give you credit or take it down.)

TCP header - a TCP header contains meta-data about the TCP body (diagram stolen from RFC 793) *slightly modified to add the two ECN bits, CWR and ECE (RFC 3168).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Acknowledgment Number                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |       |C|E|U|A|P|R|S|F|                               |
   | Offset| Rsrvd |W|C|R|C|S|S|Y|I|            Window             |
   |       |       |R|E|G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |        Urgent Pointer         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP packet - a TCP packet (properly, a TCP segment) is made up of a TCP header and a TCP body.

TCP/IP - even though commonly spoken of as if it were a single protocol, TCP/IP is actually two layered protocols: each TCP segment is carried as the body of an IP packet whose Protocol field is 6, and IP itself neither knows nor cares what the segment contains. A firewall that matches on TCP ports therefore has to find the TCP header first by reading the IP header's IHL field.
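The IP header and TCP header diagrams above, together with the TCP handshake and TCP/IP entries, describe a layout that is easiest to understand by decoding it. The following added example (written for this glossary, not code from knowplace.org, the netfilter project or any RFC) parses a hand-constructed IPv4 packet carrying a TCP segment with Python's struct module, verifies the IP header checksum the RFC 1071 way, decodes the flag bits including CWR and ECE, and names the handshake step the segment belongs to. The sample packet, its addresses (RFC 5737 documentation ranges) and its port numbers are constructed for the example.

```python
"""Decode an IPv4 header and the TCP header it carries (RFC 791 / RFC 793,
flags extended with the RFC 3168 CWR and ECE bits).

Added example for the knowplace.org glossary; not code from that page or
from the netfilter project.  The sample packet is constructed by hand.
"""
import struct

# TCP flag bits, low bit first: FIN is bit 0, CWR is bit 7 (the two ECN bits
# sit where RFC 793 had reserved bits).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length buffer
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; IHL (in 32-bit words) says where the body starts."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("bad version or IHL")
    return {
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        # Summing the header *including* its checksum field folds to 0 when intact.
        "checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "body": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header; Data Offset (32-bit words) says where the body starts."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = [name for i, name in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window,
            "urgent_pointer": urg, "body": segment[data_offset:]}


def handshake_role(flags) -> str:
    """Name the handshake / teardown step a segment belongs to, from its flags alone."""
    f = set(flags)
    if "RST" in f:
        return "reset"
    if "SYN" in f and "ACK" not in f:
        return "handshake step 1 (SYN)"
    if "SYN" in f and "ACK" in f:
        return "handshake step 2 (SYN/ACK)"
    if "FIN" in f:
        return "teardown (FIN)"
    if "ACK" in f:
        return "ACK (handshake step 3, teardown ACK, or established data)"
    return "no connection-control flags"


def build_sample_packet(flag_bits: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header from
    192.0.2.10:40000 to 198.51.100.5:80 with a correct IP header checksum."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x1000, 0,
                      (5 << 12) | flag_bits, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill checksum
    return ip + tcp


def describe(packet: bytes) -> dict:
    """Walk down the layers: IP header first, then the TCP header inside its body."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = parse_tcp(ip["body"])
    return {"ip": ip, "tcp": tcp, "role": handshake_role(tcp["flags"])}


if __name__ == "__main__":
    for bits in (0x02, 0x12, 0x10, 0xC2, 0x11, 0x04):   # SYN, SYN/ACK, ACK, ECN-setup SYN, FIN/ACK, RST
        info = describe(build_sample_packet(bits))
        print(info["ip"]["src"], "->", info["ip"]["dst"], info["tcp"]["flags"], info["role"])
```

A packet filter does exactly this walk in reverse order of trust: it reads IHL before touching anything in the TCP header, because a crafted IHL or Data Offset that points past the end of the packet is one of the "abnormal IP packets" the resources above describe, and the parser rejects both cases rather than indexing out of range.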

Shane Tzen © 2008