History of Firewalls
Kernel Versions
- 2.0.X IP Masquerading
- 2.2.X IP Chains
- 2.4.X IP Tables
- 2.6.X IP Tables

Why use a firewall?
- Firewalls are generally set up for one of 3 reasons.
- To keep people out of your network (viruses, crackers)
- To keep people in your network (employees, children)
- To share a public IP address.

What is a firewall?
- A firewall is a device that provides isolation between 2 or more networks.
- They are generally used to protect a private network from the Internet.
- There are two types of firewalls:
  - Packet Filtering firewalls
  - Proxy Servers

What is a Proxy server?
- A proxy is a firewall that acts as a middle-man.
- When one device requests a network service, the request is forwarded to a proxy.
- The proxy will then make the request on behalf of the device, then relay the reply back.

Features of Proxies
- A proxy may cache a copy of the information for future requests.
- Proxies support user authentication.
- Advanced logging can provide audit trails of everything that is done on the network.

Linux based proxies
- Squid
- TIS Firewall Toolkit (FWTK)
- SOCKS
- NoCat

Packet Filtering Firewalls
- Packet filtering is the most common type of firewalling.
- Every packet that is sent across the firewall is compared against a set of rules.
- These rules determine what will happen to any packet.
- Rules are based on source, destination, ports, type and sometimes contents.

Overview of Packet Filtering
[Figure: the firewall sits between the Private Network and the Internet]

Linux Based Packet Filtering
- Packet filtering is built into the kernel and operates on the network layer.
- The kernel starts with three lists that are called firewall chains, or just chains.
- The three chains are called INPUT, OUTPUT and FORWARD.

Configuring a packet filtering firewall
- Using the menuconfig tool, add the following options. Then recompile the kernel.
- Networking Options
  - Packet socket
  - Socket filtering

NAT, SNAT, DNAT
- Most packet filtering firewalls also do NAT (Network Address Translation).
- This involves changing the source/destination IPs and/or port addresses.

SNAT - Source Network Address Translation
- This is used for changing the source address of packets.
- It will hide the local networks.
- An example is a firewall that has a public-side IP address, but needs to substitute our local network's IP numbers with that of our firewall.
- The firewall will automatically SNAT and de-SNAT the packets, and make it possible to make connections from the LAN to the Internet.

DNAT - Destination Network Address Translation
- This is used when the firewall has a public IP and you want to redirect accesses to the firewall to some other host.
- In other words, we change the destination address of the packet and reroute it to the host.

MASQUERADE
- This is the same as SNAT, but the MASQUERADE target takes a little bit more overhead to compute, because each time the MASQUERADE target receives a packet, it automatically checks for the IP address to use.
- SNAT uses the single configured IP address.
- The MASQUERADE target makes it possible to work properly with dynamic DHCP IP addresses that your ISP might provide for your PPP or PPPoE connection.

Filter Table
- This is the lookup table that is used to filter packets.
- It can match packets and filter them in whatever way we want.
- This is what determines whether to DROP or ACCEPT the packets.

Example filters
  Action   | Rule
  ---------+-----------------------------------------
  Deny     | All outgoing web to playboy.com
  Accept   | Incoming SMTP mail
  Deny     | All outgoing to login.icq.com
  Redirect | Incoming web requests to company website

Creating Firewall Policies
- iptables -L          Lists all firewall rules.
- iptables -F          Flushes rules (removes all rules).
- iptables -D {rule}   Removes a firewall rule.
- iptables -I {rule}   Inserts a firewall rule.
- iptables -R {rule}   Replaces a firewall rule.
- iptables -A {rule}   Appends a firewall rule.

Setting up a basic firewall
A Sample rc.firewall

    # Default policies: accept everything that no rule matches
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # Start from empty built-in chains
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    # Forward anything arriving on eth1 (the interface named on the slide)
    iptables -A FORWARD -i eth1 -j ACCEPT

Sample rc.firewall con't

    # The user-defined chains must exist before a rule can jump to them;
    # the slide does not show what rules "allowed" holds, nor which built-in
    # chain jumps to "blocking".
    iptables -N allowed
    iptables -N blocking
    # Incoming web traffic from anywhere is handed to the "allowed" chain
    iptables -A INPUT -p TCP -s 0/0 --dport 80 -j allowed
    # "blocking" drops TCP and UDP to all ports 0-1000
    iptables -A blocking -p tcp -d 0.0.0.0/0 --dport 0:1000 -j DROP
    iptables -A blocking -p udp -d 0.0.0.0/0 --dport 0:1000 -j DROP
    # Masquerade everything leaving through eth1 (dynamic public address)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE