Firewall History

Kernel Versions

• 2.0.X IP Masquerading
• 2.2.X IP Chains
• 2.4.X IP Tables
• 2.6.X IP Tables

Why use a firewall?

• Firewalls are generally set up for one of three reasons:
  › To keep people out of your network (viruses, crackers)
  › To keep people in your network (employees, children)
  › To share a public IP address
What is a firewall?
• A firewall is a device that provides isolation between two or more networks.
• They are generally used to protect a private network from the Internet.

• There are two types of firewalls:
  › Packet filtering firewalls
  › Proxy servers

What is a proxy server?

• A proxy is a firewall that acts as a middle-man.
• When a device requests a network service, the request is sent to the proxy instead of to the destination.
• The proxy then makes the request on behalf of the device and relays the reply back to it.
Features of proxies

• A proxy may cache a copy of the information for future requests.
• Proxies support user authentication.
• Advanced logging can provide audit trails of everything that is done through the proxy, because every request passes through it.
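The three proxy features above (caching, user authentication, audit logging) and the middle-man behaviour from the previous slide, as an added illustration that is not code from the original slides: the upstream fetcher is injected so the example runs offline, and the user database, URLs and client addresses are made up.

```python
"""Toy forward proxy acting as the middle-man described above.

The client never talks to the origin server: it asks the proxy, the proxy
authenticates the user, serves from its cache when it can, otherwise
fetches on the client's behalf and relays the reply, writing one audit
line per request.  Added illustration, not code from the original slides;
the upstream fetcher is injected so the example runs offline, and the
user database, URLs and client addresses are made up.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    body: bytes
    from_cache: bool = False


@dataclass
class Proxy:
    fetch: Callable[[str], Response]     # the proxy's own connection to origin servers
    users: Dict[str, str]                # username -> password (toy; a real proxy
                                         # defers to PAM/LDAP or stores hashes)
    cache: Dict[str, Response] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _authenticated(self, user: Optional[str], password: Optional[str]) -> bool:
        if user is None or password is None or user not in self.users:
            return False
        # constant-time comparison so a timing side channel cannot leak the password
        return hmac.compare_digest(self.users[user], password)

    def handle(self, client_ip: str, url: str,
               user: Optional[str] = None, password: Optional[str] = None) -> Response:
        # 1. authentication: nothing leaves the network for an unknown user
        if not self._authenticated(user, password):
            self.audit.append(f"{client_ip} DENIED {url} user={user}")
            return Response(407, b"Proxy Authentication Required")
        # 2. cache: a repeat request for the same URL never reaches the origin
        cached = self.cache.get(url)
        if cached is not None:
            self.audit.append(f"{client_ip} {user} HIT {url}")
            return Response(cached.status, cached.body, from_cache=True)
        # 3. relay: the proxy makes the request itself, so the origin server
        #    only ever sees the proxy's address, then hands the answer back
        resp = self.fetch(url)
        if resp.status == 200:
            self.cache[url] = resp
        self.audit.append(f"{client_ip} {user} MISS {url} {resp.status}")
        return resp
```

The origin server is only ever contacted by the proxy, which is why the audit list, not the server's logs, is where the client address appears.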

Linux-based proxies

  • Squid
  • TIS Firewall Toolkit (FWTK)

Packet Filtering Firewalls

• Packet filtering is the most common type of firewalling.
• Every packet that crosses the firewall is compared against a set of rules.
• These rules determine what happens to each packet.
• Rules are based on source address, destination address, ports, protocol type and sometimes packet contents.
Overview of Packet Filtering

[Diagram: Internet – Firewall – Private Network]

Linux Based Packet Filtering

• Packet filtering is built into the kernel and operates at the network layer.
• The kernel starts with three lists of rules that are called firewall chains, or just chains.
• The three built-in chains are called INPUT (packets addressed to the firewall itself), OUTPUT (packets generated by the firewall) and FORWARD (packets passing through it).


Configuring a packet filtering firewall

• Using the menuconfig tool, enable the following options, then recompile the kernel.
• Networking Options
  › Packet socket
  › Socket filtering
  (The netfilter options under Networking Options, "Network packet filtering" and "IP tables support", must be enabled as well; without them the iptables command has nothing in the kernel to talk to.)
• Most packet filtering firewalls also perform NAT (Network Address Translation). This involves rewriting the source and/or destination IP addresses and/or ports of packets.
SNAT - Source Network Address Translation

• This is used for changing the source address of packets.
• It hides the local network behind the firewall's address.
• Example: the firewall has a public IP address on its outside interface, and we need to substitute our local network's IP numbers with that of the firewall.
• The firewall automatically SNATs outgoing packets and de-SNATs the replies, which makes connections from the LAN to the Internet possible.
DNAT - Destination Network Address Translation

• This is used when the firewall has a public IP and you want to redirect accesses to the firewall to some other host.
• In other words, we change the destination address of the packet and reroute it to that host.

MASQUERADE

• This is the same as SNAT, but the MASQUERADE target takes a little more overhead to compute, because each time it receives a packet it automatically checks which IP address the outgoing interface currently has.
• SNAT uses the single configured IP address. The MASQUERADE target therefore works properly with dynamic (DHCP) addresses that your ISP might assign over PPP or PPPoE, where the address can change between connections.
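The SNAT/de-SNAT, DNAT and MASQUERADE behaviour described on the last three slides, as an added model that is not code from the original slides: a small connection-tracking table shows why replies come back to the right LAN host without any extra rule, and why MASQUERADE keeps working after an address change while a fixed SNAT does not. Addresses, interface names and ports are made up.

```python
"""Toy model of netfilter NAT with connection tracking.

SNAT rewrites the source to a single configured address; MASQUERADE looks
up the outgoing interface's current address for every new connection
(hence slightly more overhead, but it survives a DHCP/PPP address change);
DNAT rewrites the destination of packets arriving at the firewall's public
address.  The conntrack table is what lets replies be "de-SNATed" back to
the LAN host.  Added illustration, not code from the original slides;
addresses, interface names and ports are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


ConnKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport) of the reply


class Nat:
    def __init__(self, ifaces: Dict[str, str]):
        self.ifaces = dict(ifaces)      # interface -> its *current* address
        self.post: List[Tuple[str, str, Optional[str]]] = []   # POSTROUTING: (out_iface, target, to_source)
        self.pre: List[Tuple[int, str, int]] = []              # PREROUTING DNAT: (dport, new_dst, new_dport)
        # reply 5-tuple as seen arriving from the Internet -> original LAN packet
        self.conntrack: Dict[ConnKey, Packet] = {}

    def add_snat(self, out_iface: str, to_source: str) -> None:
        self.post.append((out_iface, "SNAT", to_source))

    def add_masquerade(self, out_iface: str) -> None:
        self.post.append((out_iface, "MASQUERADE", None))

    def add_dnat(self, dport: int, new_dst: str, new_dport: int) -> None:
        self.pre.append((dport, new_dst, new_dport))

    def outbound(self, pkt: Packet, out_iface: str) -> Packet:
        """LAN -> Internet through POSTROUTING; the first matching rule applies."""
        for iface, target, to_source in self.post:
            if iface != out_iface:
                continue
            # SNAT: the one address given in the rule.
            # MASQUERADE: whatever address the interface has right now.
            new_src = to_source if target == "SNAT" else self.ifaces[out_iface]
            sport = pkt.sport
            key = (pkt.proto, pkt.dst, pkt.dport, new_src, sport)
            # Two LAN hosts using the same source port would collide behind one
            # public address, so pick a free port, as netfilter does.
            while key in self.conntrack and self.conntrack[key] != pkt:
                sport += 1
                key = (pkt.proto, pkt.dst, pkt.dport, new_src, sport)
            self.conntrack[key] = pkt
            return replace(pkt, src=new_src, sport=sport)
        return pkt   # no NAT rule for this interface: packet leaves unchanged

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> firewall: reverse the translation for a tracked flow.
        Returns None when the packet is not a reply to anything we translated
        (it is then ordinary INPUT traffic for the firewall itself)."""
        orig = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return replace(pkt, dst=orig.src, dport=orig.sport)

    def inbound(self, pkt: Packet) -> Packet:
        """Unsolicited Internet -> firewall traffic through PREROUTING DNAT."""
        for dport, new_dst, new_dport in self.pre:
            if pkt.proto == "tcp" and pkt.dport == dport:
                return replace(pkt, dst=new_dst, dport=new_dport)
        return pkt
```

Changing `ifaces["eth1"]` between two `outbound` calls stands in for a DHCP lease renewal: the masqueraded flow follows the new address, the SNAT flow keeps emitting the stale one.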

Filter Table

• This is the lookup table that is used to filter packets.
• It can match packets and filter them in whatever way we want.
• This is what determines whether to DROP or ACCEPT a packet.
Example filters

Action    Rule
Deny      All outgoing web to
Accept    Incoming SMTP mail
Deny      All outgoing to
Redirect  Incoming web requests to company
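How the three chains (earlier slide) and the filter table above fit together, as an added model that is not code from the original slides: a packet is first assigned to INPUT, FORWARD or OUTPUT, then compared against that chain's rules in order, with the first match deciding and the chain policy applying otherwise. Addresses, interface names and port ranges are made up; the rule set mirrors the spirit of the sample rc.firewall later in the slides.

```python
"""Toy model of the Linux filter table.

A packet is routed to one of the three built-in chains (INPUT for packets
addressed to the firewall, FORWARD for packets passing through, OUTPUT for
packets the firewall generates), then compared against that chain's rules
in order: the first matching rule decides; if none matches, the chain
policy (iptables -P) applies.  Added illustration, not code from the
original slides; addresses, interfaces and port ranges are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                    # 0 when the protocol has no ports
    in_iface: Optional[str] = None    # None = generated on the firewall itself


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None       # -p
    src: str = "0.0.0.0/0"            # -s
    dst: str = "0.0.0.0/0"            # -d
    dports: Optional[Tuple[int, int]] = None   # --dport lo:hi, inclusive
    in_iface: Optional[str] = None    # -i

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dports is not None:
            lo, hi = self.dports
            if not lo <= pkt.dport <= hi:
                return False
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return True


class FilterTable:
    def __init__(self, local_addrs: List[str]):
        self.local = set(local_addrs)       # the firewall's own addresses
        self.chains = {name: [] for name in ("INPUT", "FORWARD", "OUTPUT")}
        self.policy = {name: "ACCEPT" for name in self.chains}

    def set_policy(self, chain: str, target: str) -> None:   # iptables -P
        self.policy[chain] = target

    def append(self, chain: str, rule: Rule) -> None:        # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:        # iptables -I (top of chain)
        self.chains[chain].insert(0, rule)

    def chain_for(self, pkt: Packet) -> str:
        if pkt.in_iface is None:
            return "OUTPUT"
        return "INPUT" if pkt.dst in self.local else "FORWARD"

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        """Return (chain, target): the first matching rule wins, else policy."""
        chain = self.chain_for(pkt)
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return chain, rule.target
        return chain, self.policy[chain]


def build_example() -> FilterTable:
    """Rule set in the spirit of the sample rc.firewall on these slides:
    accept web to the firewall, drop all other low ports, and only forward
    traffic that arrives on the LAN interface (eth0 here, an assumption)."""
    fw = FilterTable(local_addrs=["203.0.113.5", "192.168.1.1"])
    fw.set_policy("INPUT", "DROP")
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dports=(80, 80)))
    fw.append("INPUT", Rule("DROP", proto="tcp", dports=(0, 1000)))
    fw.append("INPUT", Rule("DROP", proto="udp", dports=(0, 1000)))
    fw.set_policy("FORWARD", "DROP")
    fw.append("FORWARD", Rule("ACCEPT", in_iface="eth0", src="192.168.1.0/24"))
    return fw
```

Rule order is the whole game: appending (`-A`) the port-80 ACCEPT before the 0:1000 DROP lets web through, while inserting (`-I`) a port-80 DROP at the top afterwards shadows it again.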

Creating Firewall Policies

• iptables -L          Lists all firewall rules.
• iptables -F          Flushes rules (removes all rules from a chain, or from every chain if none is named).
• iptables -D {rule}   Removes a firewall rule.
• iptables -I {rule}   Inserts a firewall rule (at the top of the chain unless a position is given).
• iptables -R {rule}   Replaces a firewall rule.
• iptables -A {rule}   Appends a firewall rule (to the end of the chain).

Setting up a basic firewall

A Sample rc.firewall

# The user-defined chains "allowed" and "blocking" and the INET_IP variable
# are not created on the original slide; they are added here so the script
# actually loads. Set INET_IP to the firewall's public IP address first.
INET_IP="${INET_IP:?set INET_IP to the firewall's public IP address}"

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F             # flush all chains (the slide flushed INPUT, OUTPUT and FORWARD one by one)
iptables -X             # remove user-defined chains left over from an earlier run
iptables -t nat -F      # also flush the nat table so MASQUERADE is not added twice
iptables -N allowed
iptables -N blocking
# NOTE: eth1 is the Internet-facing interface (see MASQUERADE below), so this
# accepts everything arriving from the Internet for forwarding; most sites
# would restrict FORWARD to the LAN interface instead.
iptables -A FORWARD -i eth1 -j ACCEPT

Sample rc.firewall cont'd

iptables -A allowed -j ACCEPT              # added: an empty chain would just RETURN
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j allowed
iptables -A blocking -p tcp -d "$INET_IP" --dport 0:1000 -j DROP
iptables -A blocking -p udp -d "$INET_IP" --dport 0:1000 -j DROP
iptables -A INPUT -j blocking              # added: the slide never jumps to "blocking"
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
The database is protected by copyright © 2024. Contact the administration.