- Slides: 21
History of Linux Firewalls
Kernel version   Firewall code
2.0.x            IP Masquerading (ipfwadm)
2.2.x            IP Chains (ipchains)
2.4.x            IP Tables (iptables)
2.6.x            IP Tables (iptables)
Why use a firewall? Firewalls are generally set up for one of three reasons: to keep people out of your network (viruses, crackers); to keep people in your network (employees, children); to share a single public IP address among many hosts.
What is a firewall? A firewall is a device that provides isolation between two or more networks. It is generally used to protect a private network from the Internet. There are two types of firewalls: packet filtering firewalls and proxy servers.
What is a proxy server? A proxy is a firewall that acts as a middle-man. When a device requests a network service, the request is sent to the proxy; the proxy makes the request on the device's behalf and relays the reply back. Because the proxy terminates the client's connection, it sees the application-layer request (the URL, the user name) rather than just addresses and ports.
Features of proxies: a proxy may cache a copy of the information for future requests; proxies support user authentication; advanced logging can provide an audit trail of everything that is done on the network.
Linux based proxies: Squid, TIS Firewall Toolkit (FWTK), SOCKS, NOCAT
Packet Filtering Firewalls. Packet filtering is the most common type of firewalling. Every packet that crosses the firewall is compared against a set of rules, and the first rule that matches determines what happens to the packet. Rules are based on source and destination addresses, ports, protocol type and sometimes packet contents.
Overview of Packet Filtering
Linux Based Packet Filtering. Packet filtering is built into the kernel (the netfilter framework) and operates on the network and transport layers. The filter table starts with three built-in lists of rules, called firewall chains or just chains: INPUT (packets addressed to the firewall itself), OUTPUT (packets generated by the firewall) and FORWARD (packets routed through the firewall from one interface to another). The nat table, used in the later slides, has its own chains: PREROUTING, POSTROUTING and OUTPUT.
Configuring a packet filtering firewall. Using the menuconfig tool, enable the following options under Networking Options: Packet socket, Socket filtering, and Network packet filtering (Netfilter). Under IP: Netfilter Configuration also enable IP tables support together with the filter, NAT and MASQUERADE modules you intend to use (built in or as modules). Then recompile the kernel. If iptables -L fails with an error about missing tables or modules, the kernel is missing one of these options.
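As a check to go with the kernel configuration step, here is a small shell function (an added example, not from the original slides) that reads a kernel .config file and reports which netfilter-related options are missing. The option names are the CONFIG_IP_NF_* names used since the 2.4 kernels; newer kernels keep most of them but add others (for example CONFIG_NF_CONNTRACK), so the list is an assumption to extend for your kernel. The config fragment written by write_sample_config is constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Report which kernel options iptables needs are absent from a kernel .config.
# Added example; the option list assumes 2.4/2.6-era Kconfig names.
NF_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# check_netfilter_config <path-to-.config>
# Prints "ok" and returns 0 when every option is built in (=y) or modular (=m);
# otherwise prints "missing: OPT ..." and returns 1.
check_netfilter_config() {
    cfg="$1"
    missing=""
    for opt in $NF_OPTIONS; do
        # Only "=y" or "=m" counts; "# CONFIG_X is not set" or absence is a miss
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# write_sample_config <path>: a constructed .config fragment for trying the check offline
write_sample_config() {
    cat > "$1" <<'EOF'
# Networking options (constructed sample, not a real kernel config)
CONFIG_PACKET=y
CONFIG_FILTER=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF
}

# Usage on a running system:
#   check_netfilter_config /boot/config-$(uname -r)
#   zcat /proc/config.gz > /tmp/config && check_netfilter_config /tmp/config
```

On a distribution kernel the relevant pieces are usually modules, so a missing option shows up at run time as an "iptables: No chain/target/match by that name" error rather than at compile time; running the check before rebuilding saves a second compile.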
NAT, SNAT, DNAT. Most packet filtering firewalls also do NAT (Network Address Translation). This involves rewriting the source or destination IP addresses and/or ports of packets as they pass through the firewall. In iptables this is done in the separate nat table (iptables -t nat).
SNAT (Source Network Address Translation). This rewrites the source address of packets and so hides the local network. A typical example is a firewall with a single public IP address on its outside: packets leaving the LAN have their private source addresses replaced with the firewall's public address. The connection-tracking code remembers the mapping, so replies are automatically de-SNATed back to the internal host, which is what makes connections from the LAN to the Internet possible. SNAT happens in the POSTROUTING chain of the nat table, after the routing decision.
DNAT (Destination Network Address Translation). This is used when the firewall holds a public IP address and you want connections arriving for that address (or for one port on it) delivered to some other host, for example an internal web server. In other words, we change the destination address of the packet and reroute it to that host. DNAT happens in the PREROUTING chain of the nat table, before routing, and the rewritten packet must still be allowed through the FORWARD chain.
MASQUERADE. This does the same job as SNAT but costs a little more, because for every new connection MASQUERADE looks up the current IP address of the outgoing interface, whereas SNAT uses the single address configured in the rule. That is what makes MASQUERADE work with a dynamic IP address your ISP assigns over DHCP, PPP or PPPoE. The trade-off is that its connection-tracking entries are forgotten when the interface goes down, so prefer SNAT when the public address is static.
Filter Table. This is the table used to filter packets, and the one iptables operates on when no -t option is given. Its rules match packets and filter them in whatever way we want; this is what determines whether to DROP or ACCEPT a packet.
Examples of filters
Action     Rule
Deny       All outgoing web to playboy.com
Accept     Incoming SMTP mail
Deny       All outgoing to login.icq.com
Redirect   Incoming web requests to the company website
Creating Firewall Policies
iptables -L          Lists all firewall rules (add -n -v for numeric, verbose output; -t nat for the nat table)
iptables -F          Flushes rules (removes all rules in the named chain, or in every chain of the table if none is named)
iptables -D (rule)   Removes a firewall rule, given either the rule specification or its position number
iptables -I (rule)   Inserts a firewall rule at the top of a chain (or at a given position)
iptables -R (rule)   Replaces the rule at a given position
iptables -A (rule)   Appends a firewall rule to the end of a chain
iptables -P (chain) (target)   Sets the default policy applied when no rule in a built-in chain matches
iptables -N (chain)  Creates a user-defined chain that rules can jump to with -j
Rule order matters: the first matching rule wins, so -I and -A can give different results for the same rule.
Setting up a basic firewall
A Sample rc.firewall
# Default policies: everything is accepted unless a rule says otherwise
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Flush rules left from a previous run
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Forward packets arriving on eth1 (redundant while the FORWARD policy is ACCEPT)
iptables -A FORWARD -i eth1 -j ACCEPT
A Sample rc.firewall con't
# "allowed" and "blocking" are user-defined chains; they must exist before rules jump to them
iptables -N allowed
iptables -N blocking
iptables -A allowed -j ACCEPT
# Inbound web traffic from anywhere goes to the "allowed" chain
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j allowed
# "blocking" drops anything aimed at ports 0-1000 over TCP or UDP
iptables -A blocking -p tcp -d 0/0 --dport 0:1000 -j DROP
iptables -A blocking -p udp -d 0/0 --dport 0:1000 -j DROP
# Hand the rest of INPUT to "blocking" (after the port-80 rule, so web stays open)
iptables -A INPUT -j blocking
# Masquerade LAN traffic leaving through eth1, the Internet-facing interface
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
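The rc.firewall below is an added example (not the slides' script) that turns the sample above into a default-deny firewall and also exercises the NAT slides: SNAT when the public address is static, MASQUERADE when it is dynamic, DNAT to deliver incoming web requests to an internal server, and the deny and accept rules from the "Examples of filters" table. Interface names (eth0 for the LAN, eth1 for the Internet, as in the MASQUERADE rule above), the 192.168.1.0/24 network, the web server address and the blocked host names are assumptions to adjust. Setting IPT=echo prints the rules instead of loading them, which is a convenient way to review a rule set before applying it as root.

```shell
#!/bin/sh
# rc.firewall (added example): default-deny filter policy plus SNAT/MASQUERADE and DNAT.
# All addresses, host names and interface names below are assumptions; edit them for your site.
IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of loading them
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth1}"      # Internet-facing interface (as in the slides' MASQUERADE rule)
LAN_IF="${LAN_IF:-eth0}"      # private LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-}"          # static public address -> SNAT; empty (PPP/DHCP) -> MASQUERADE
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # internal host serving the company website
DENY_WEB_TO="${DENY_WEB_TO:-playboy.com}"   # policy table: deny outgoing web to these hosts
DENY_ALL_TO="${DENY_ALL_TO:-login.icq.com}" # policy table: deny all outgoing to these hosts

firewall_start() {
    # Clean slate in both tables: flush rules, delete user-defined chains
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    # Default deny for packets to and through the firewall; its own outbound traffic is allowed
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies belonging to connections already accepted (stateful filtering)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services on the firewall itself: SSH from the LAN only, SMTP from anywhere
    # (policy table: accept incoming SMTP mail)
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT

    # Policy table deny rules. A host name is resolved once, when the rule is loaded,
    # so the rule matches only the addresses the name had at that moment.
    for host in $DENY_WEB_TO; do
        $IPT -A FORWARD -i "$LAN_IF" -p tcp -d "$host" -m multiport --dports 80,443 -j DROP
    done
    for host in $DENY_ALL_TO; do
        $IPT -A FORWARD -i "$LAN_IF" -d "$host" -j DROP
    done

    # Anything else the LAN starts toward the Internet is allowed; the deny rules above
    # must come first because the first matching rule wins
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Policy table redirect: DNAT incoming web requests (PREROUTING, before routing) to the
    # internal server, then let the rewritten packet through FORWARD
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT

    # Hide the LAN behind the firewall (POSTROUTING, after routing):
    # SNAT for a fixed public address, MASQUERADE for a dynamic one
    if [ -n "$WAN_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    fi

    # The kernel does not route between interfaces until this is set
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Back to wide open (useful while debugging a rule set)
firewall_stop() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Two design points worth noting. The FORWARD policy is DROP and only NEW connections from the LAN side (plus the DNATed web port) are accepted, so the Internet cannot open connections inward even though replies flow back via the ESTABLISHED,RELATED rule. And because the DNAT rule changes the destination before the filter table sees the packet, the FORWARD rule must match the internal server's address, not the firewall's public one; that is the most common mistake when a port forward "does not work".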