What is iptables

Module by: Pat Shuff. E-mail the author

Summary: IP filters of the kind typically used in hardware routers operate at the IP layer. Such filters are usually too coarse to control individual applications and systems and keep them safe. The IPTables application operates at a higher level by filtering the TCP and UDP protocols before the data reaches the user applications that could otherwise be compromised. In this section we will look at IP filtering, TCP filtering, and UDP filtering, as well as how IPTables can be configured to perform filtering.

The IPTables program that comes with Linux distributions lets administrators configure the operating system so that wanted applications and clients can connect through the network while unwanted applications and clients are stopped from communicating with, and corrupting, the operating system.

The Internet Protocol (IP) is a data-oriented protocol that allows multiple hosts to talk to each other across network connections. Data in an IP network are sent in blocks referred to as packets or datagrams. They typically have a source host, a destination host, and source and destination ports associated with the communication. The port is similar to a post office box, where the host address would be similar to a zip code. If you address a letter to P. O. Box 2112, Houston, Texas 77005, the post office knows to route the mail to the specific part of the city of Houston corresponding to zip code 77005. The post office box is a specific location in that post office. The IP address uses similar notation. When we connect to www.cnn.com on port 80, our client creates an IP packet requesting that the packet be delivered to www.cnn.com, and specifically to port 80. The packet also includes a return address, the IP address of our client, and a port number to use for the communication.

Layered on top of the IP protocol are other protocols. These are typically transport layers. There are two main transport protocols that are heavily used. Transmission Control Protocol (TCP) is a stateful delivery mechanism that makes a best effort to deliver the packets requested. If the first attempt fails, multiple attempts are made to route and deliver the packet. This protocol is very good at delivering text files that cannot tolerate data corruption. With this protocol, clients have the ability to request redelivery of packets that were not properly received and can handle out-of-order delivery of packets. This protocol is very good for applications like patch delivery, email, network file shares, and web pages. It is not very good for delivery of streaming video or voice over IP applications.

Applications that require real-time streams or can accept data loss typically use the User Datagram Protocol (UDP). This protocol is lighter weight and does not provide reliability or ordering guarantees. Typical applications that use UDP are online games, streaming media, domain name servers (DNS), and voice over IP.

When we look at protecting a computer, we typically want to filter ports and IP addresses. To do this we need to open up the data packets and figure out what protocol is being used, what the source address and port are, and what the destination address and port are, to make sure that the packet is destined for us. Finding out the destination port allows us to route the data to a specific application and deliver it for use.

If we compare analyzing the packets to the operation performed by the campus post office, we can describe the operation of the IPTables program. If, for example, a delivery truck drops off a pallet of boxes at the loading dock, someone in the post office will need to unwrap the pallet and figure out where each box gets delivered. If the police department has told the post office that it needs to inspect all packages that come from overseas, those packages must be held until they are inspected. The boxes are not delivered to the department on their delivery address but are held for inspection. If a professor is waiting for a package and has asked a graduate student or administrator to go to the post office every hour and check whether the package has arrived, the post office will typically keep an eye out for both the boxes and the graduate students.

If we configure rules on a computer to drop any traffic destined for a specific port, those data packets will never be seen by any application. This dropping of traffic effectively creates a firewall, or filter, that protects the operating system. The Linux operating system has software built into the kernel that inspects packets and either passes the data to the application waiting for it or drops the data. We can configure this filtering by modifying the iptables configuration file located in /etc/sysconfig/iptables.
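To make the rule walk concrete, here is an added example (not part of the original module) that parses a constructed /etc/sysconfig/iptables fragment in the iptables-save format and applies the INPUT chain to sample packets the way the kernel does: first matching rule wins, otherwise the chain's default policy applies. It models only the -p, --dport, -s and -j options; the sample rules and packet values are constructed for illustration.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format used by /etc/sysconfig/iptables.
# INPUT defaults to DROP, so only traffic an ACCEPT rule matches reaches an application.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j DROP
COMMIT
"""

@dataclass
class Rule:
    proto: Optional[str]                       # "tcp", "udp", or None for any protocol
    dport: Optional[int]                       # destination port, or None for any port
    src: Optional[ipaddress.IPv4Network]       # source network, or None for any source
    target: str                                # ACCEPT or DROP

def parse_input_chain(text: str):
    """Return (default policy, rules) for the INPUT chain of the filter table."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == ":INPUT":                 # chain header carries the default policy
            policy = tok[1]
        elif tok[0] == "-A" and tok[1] == "INPUT":
            opts = dict(zip(tok[2::2], tok[3::2]))   # every modelled option takes one value
            rules.append(Rule(opts.get("-p"),
                              int(opts["--dport"]) if "--dport" in opts else None,
                              ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
                              opts["-j"]))
    return policy, rules

def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    """A rule matches only if every option it specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == dport)
            and (rule.src is None or ipaddress.ip_address(src) in rule.src))

def verdict(policy: str, rules, proto: str, src: str, dport: int) -> str:
    """Walk the chain top to bottom; the first match decides, else the policy."""
    for rule in rules:
        if matches(rule, proto, src, dport):
            return rule.target
    return policy
```

Note that the same port can be allowed for one source network and dropped for everyone else purely by rule order, which is why the order of lines in the file matters.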
