
Linux firewall

Need of firewall
Single connection between networks
Allows restricted traffic between networks
Denies unauthorized users

Linux firewall
Linux is an open source operating system and any firewall in Linux is open source
Low cost
Worldwide support

Difference between hardware firewall and software firewall

Linux Firewall
Implementing iptables

Installing iptables
Most Linux installs include iptables. iptables has become a standard option, especially on Red Hat. There is a very good chance that iptables is already installed on your machine.
Open a terminal window (making sure to be logged in as root) and type:
# iptables

Installing iptables
If iptables is installed, you should get the following message:
iptables v1.2.8: no command specified
Try `iptables -h' or 'iptables --help' for more information

Installing iptables
If this message does not appear, then follow the directions below to install iptables.

o Downloads are available at http://www.netfilter.org/downloads.html

Installing iptables
# tar xvjf ./iptables-1.*.*.tar.bz2 -C /usr/src
where the asterisks represent the version number of the file you downloaded.
Change to the directory it created (typically iptables-1.*.*) by typing:
# cd /usr/src/iptables-1.*.*

Installing iptables

# /bin/sh -c make
To finish the install, type:
# /bin/sh -c "make install"
(The quotes matter: without them sh -c runs only make and treats install as $0.)

Features of iptables
Packet filtering
Connection tracking
Network Address Translation

Packet filtering
The real firewall is packet filtering.
Packet filtering occurs in layers 3 and 4 of the Open Systems Interconnection (OSI) model, i.e. the network and transport layers.

Figure: OSI layers, top to bottom: Application, Presentation, Session, Transport, Network, Data link, Physical

Netfilter chains
Filter table
NAT table
Mangle table

Netfilter Architecture
Table
Chain
Policy
Rule
Match Specification
Target

NETFILTER TABLES AND CHAINS

Chain         FILTER   NAT    MANGLE
INPUT         YES      -      YES
OUTPUT        YES      YES    YES
FORWARD       YES      -      YES
PREROUTING    -        YES    YES
POSTROUTING   -        YES    YES

Netfilter packet flow
Figure: PREROUTING (DNAT) -> Routing decision -> FORWARD (filter table) -> POSTROUTING (SNAT)
        Routing decision -> INPUT (filter table) -> Local process -> OUTPUT (filter table) -> POSTROUTING (SNAT)

Implementing Rules and policy in iptables
Policy
# iptables -P INPUT DROP/ACCEPT
# iptables -P OUTPUT DROP/ACCEPT
# iptables -P FORWARD DROP/ACCEPT

Implementing Rules
# iptables -A INPUT -i eth0 -p tcp (-s 192.168.0.222) --dport 22 -j DROP
-A        append the rule at the bottom of the specified chain
-I        insert the rule at the top of the specified chain
-i        incoming interface
-p        protocol
-s        incoming (source) ip
--dport   destination port
--sport   source port
-o        outgoing interface
-d        destination ip

# iptables -A INPUT -i eth0 -p tcp -s 192.168.0.222 --dport 22 -j DROP
# service iptables save

Chain INPUT (policy ACCEPT)
target   protocol   port   source          destination
DROP     tcp        22     192.168.0.222   anywhere

Deleting rules
# iptables -D INPUT <number>
# iptables -D INPUT -i eth0 -p tcp --dport 22 -j DROP
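The chain, policy, rule and match-specification ideas above, as an added Python model (not code from the slides or from iptables itself): rules are tried top to bottom, the first match decides the target, and the chain policy applies only when nothing matches, which is why -A versus -I ordering and -D renumbering matter. Packets are constructed sample dicts.

```python
# Added example (not from the slides): a small model of how an iptables
# filter-table chain evaluates a packet. First matching rule wins; the
# chain policy (-P) applies only when no rule matches.
from dataclasses import dataclass, field

# Match-specification options from the slides, mapped to packet fields.
OPTIONS = {"-i": "in_iface", "-o": "out_iface", "-p": "proto",
           "-s": "src", "-d": "dst", "--dport": "dport", "--sport": "sport"}

@dataclass
class Rule:
    target: str   # -j ACCEPT / DROP
    match: dict   # e.g. {"-i": "eth0", "-p": "tcp", "--dport": 22}

    def matches(self, pkt):
        # every option given must equal the packet's field (logical AND)
        return all(pkt.get(OPTIONS[opt]) == val for opt, val in self.match.items())

@dataclass
class Chain:
    policy: str = "ACCEPT"                      # iptables -P <chain> <policy>
    rules: list = field(default_factory=list)

    def append(self, rule): self.rules.append(rule)         # -A: bottom of chain
    def insert(self, rule): self.rules.insert(0, rule)      # -I: top of chain
    def delete(self, number): del self.rules[number - 1]    # -D <chain> <number>, 1-based
    def verdict(self, pkt):
        for rule in self.rules:                 # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                      # nothing matched: policy applies

def demo():
    inp = Chain(policy="ACCEPT")
    # iptables -A INPUT -i eth0 -p tcp -s 192.168.0.222 --dport 22 -j DROP
    inp.append(Rule("DROP", {"-i": "eth0", "-p": "tcp", "-s": "192.168.0.222", "--dport": 22}))
    ssh_from_222 = {"in_iface": "eth0", "proto": "tcp", "src": "192.168.0.222", "dport": 22}
    ssh_from_other = dict(ssh_from_222, src="192.168.0.10")   # constructed sample packet
    v1 = inp.verdict(ssh_from_222)      # DROP: the rule matches
    v2 = inp.verdict(ssh_from_other)    # ACCEPT: no match, chain policy
    # iptables -I INPUT -s 192.168.0.222 -j ACCEPT lands above the DROP,
    # so the same packet is now accepted: rule order matters.
    inp.insert(Rule("ACCEPT", {"-s": "192.168.0.222"}))
    v3 = inp.verdict(ssh_from_222)
    # iptables -D INPUT 1 removes the inserted rule, then -P INPUT DROP
    inp.delete(1)
    inp.policy = "DROP"
    v4 = inp.verdict(ssh_from_other)    # DROP: default-deny policy
    return v1, v2, v3, v4

if __name__ == "__main__":
    print(demo())   # ('DROP', 'ACCEPT', 'ACCEPT', 'DROP')
```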

Network Address Translation (NAT)

SNAT
Source NAT

DNAT
Destination NAT

SNAT
Figure: internal hosts 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4 -> SNAT -> external address 172.16.0.1
Each IP address is translated to a distinct external IP (1:1)
All internal IP addresses are translated to a single external IP address; the internal IP may be dynamic (x:1)
Masquerading: special case (x:x), a dynamic internal IP converted to a dynamic outgoing IP

DNAT
Figure: incoming requests for 172.16.0.1 -> DNAT -> internal hosts 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4
Destination NAT translates the destination IP address to a different value.
Translation 1:X
Incoming requests for one IP address (and port) are translated to many different IP addresses (and ports). This can be used to implement some kind of load balancing.
Translation 1:1
Incoming requests for one IP address (and port) are translated to a single internal IP address and port.

Simple implementation of NAT
Internal network (eth0) connects to the internet with a dynamic public IP address on ppp0
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(-i cannot be used in the POSTROUTING chain, so the rule selects traffic by its outgoing interface ppp0.)

Redirection: redirection is a special case of the above point.
Redirection translates incoming requests for one IP address and port to a different local port. The packet is resubmitted to the firewall after translation.

PROXY (Application Firewall)
A proxy or application firewall is implemented at the application level of the OSI model.

Screening Router
Figure: INTERNET -> Screening Router -> INTERNAL NETWORK

A simple combined router and packet filter is called a screening router.
A screening router is capable of implementing simple rules and simple NAT.
A simple screening router is thus able to restrict the packets transferred between the internet and the internal network.
Usually commercially available routers implement these simple features.

DMZ (Demilitarised Zone)
Figure: INTERNET -> Screening Router -> DMZ -> internal network

Whenever an internal network needs access to the internet it connects to the application level gateways in the DMZ, which then forward the request to the internet.
The response reaches the application level gateways in the DMZ, which then forward it to the requesting client.

Reverse Proxy
Figure: INTERNET -> Screening router -> PROXY / PROXY -> WEB SERVER

A reverse proxy is not a firewall.
Main features of a reverse proxy are:
Protection against DoS attack tools:
Since the proxy unpacks all IP packets it will drop invalid packets.
Acceleration:
The proxy maintains a cache so that it can also reply to a request from the cache.
Load balancing is also done by the reverse proxy.
