Need of a firewall
- A single, controlled point of connection between networks
- Allows only restricted traffic between the networks
- Denies unauthorized users

Linux firewall
- Linux is an open source operating system, and any firewall in Linux is open source
- Low cost
- Worldwide support

Difference between hardware firewall and software firewall

Linux Firewall
Implementing iptables

Installing iptables
Most Linux distributions install iptables by default; it has become a standard option, especially on Red Hat. There is a very good chance that iptables is already installed on your machine.

Open a terminal window (making sure you are logged in as root) and type:
# iptables

If iptables is installed, you should get a message like the following:
iptables v1.2.8: no command specified
Try 'iptables -h' or 'iptables --help' for more information
(The version string will differ on a current system; iptables -V prints it.)

If this message does not appear, then follow the directions below to install iptables.
- Downloads are available at http://www.netfilter.org/downloads.html

Unpack the archive:
# tar xvjf ./iptables-1.*.*.tar.bz2 -C /usr/src
where the asterisks represent the version number of the file you downloaded.

Change to the directory it created (typically iptables-1.*.*) by typing:
# cd /usr/src/iptables-1.*.*

Build it:
# /bin/sh -c make

To finish the install, type:
# /bin/sh -c make install
Features of iptables
- Packet filtering
- Connection tracking
- Network Address Translation

Packet filtering
The real firewall work is packet filtering. Packet filtering occurs in layers 3 and 4 of the Open Systems Interconnection (OSI) model, i.e. the network and transport layers: the filter decides on IP addresses, protocol and ports, not on application data.

(OSI layers, top to bottom: Application, Presentation, Session, Transport, Network, Data link, Physical)
Netfilter tables
- Filter table
- NAT table
- Mangle table

Netfilter architecture
- Table: a set of chains serving one purpose (filter, nat, mangle)
- Chain: an ordered list of rules traversed at one point in the packet flow
- Policy: the default target of a built-in chain, applied only when no rule matches
- Rule: a match specification plus a target
- Match specification: which packets the rule applies to
- Target: what happens to a matching packet (ACCEPT, DROP, a NAT action, ...)
NETFILTER TABLES AND CHAINS

Chain          FILTER   NAT   MANGLE
INPUT          YES      -     YES
OUTPUT         YES      YES   YES
FORWARD        YES      -     YES
PREROUTING     -        YES   YES
POSTROUTING    -        YES   YES

(Kernels from 2.6.36 onward also provide an INPUT chain in the nat table.)
Netfilter packet flow

  in -> PREROUTING (nat: DNAT) -> routing decision
          |-> FORWARD (filter) -> POSTROUTING (nat: SNAT) -> out
          '-> INPUT (filter) -> local process -> OUTPUT (filter) -> POSTROUTING (nat: SNAT) -> out

DNAT is applied before the routing decision, so the rewritten destination decides whether the packet is forwarded or delivered locally; SNAT is applied after it, once the outgoing interface is known.
Implementing rules and policy in iptables

Policy
The policy is the default target of a built-in chain; it is consulted only after no rule in the chain has matched.
# iptables -P INPUT DROP|ACCEPT
# iptables -P OUTPUT DROP|ACCEPT
# iptables -P FORWARD DROP|ACCEPT

Implementing rules
# iptables -A INPUT -i eth0 -p tcp -s 192.168.0.222 --dport 22 -j DROP
(target names are case-sensitive: DROP, not drop)

-A        append the rule at the bottom of the specified chain
-I        insert the rule at the top of the specified chain (rules are checked in order and the first match wins, so -A and -I give different results when an earlier rule already matches the packet)
-i        incoming interface
-p        protocol
-s        source (incoming) IP address
--dport   destination port
--sport   source port
-o        outgoing interface
-d        destination IP address

# service iptables save
(Red Hat specific; it writes the running rules to /etc/sysconfig/iptables. The distribution-neutral equivalent is iptables-save > file.)

# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source          destination
DROP       tcp  --  192.168.0.222   anywhere        tcp dpt:ssh

Deleting rules
# iptables -D INPUT <number>
(rule numbers are shown by iptables -L INPUT --line-numbers)
# iptables -D INPUT -i eth0 -p tcp -s 192.168.0.222 --dport 22 -j DROP
(the specification must match the existing rule exactly, including -s; without it the rule added above is not found)
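The policy and rule commands above are usually kept as a ruleset file and loaded with iptables-restore rather than typed one by one. The script below is an added example, not part of the original slides: it emits a default-deny, stateful INPUT ruleset in iptables-restore format, emits the slide's port-22 scenario done in the wrong order, and lints both. WAN_IF, ADMIN_NET and the use of the conntrack match are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original slides: a stateful default-deny
# filter ruleset in iptables-restore format, plus a lint that catches a
# DROP rule shadowed by an earlier ACCEPT (the mistake -A makes easy).
# Placeholders: WAN_IF is the internet-facing interface and ADMIN_NET the
# only network allowed to open SSH sessions; adjust both for your site.

WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# Rules run top to bottom, first match wins, and the chain policy is
# consulted only when nothing matched. So: loopback and the conntrack
# ESTABLISHED,RELATED rule go first, then one rule per service that may
# open a NEW connection, and everything else falls through to DROP.
filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${WAN_IF} -p tcp -s ${ADMIN_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# The slide's scenario done the wrong way round: a blanket ACCEPT for port
# 22 comes first and the DROP for one host is appended (-A) below it.
# The DROP is never reached; it would need -I to sit above the ACCEPT.
bad_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.0.222 --dport 22 -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if the INPUT policy is DROP and no
# DROP on a --dport appears after an ACCEPT on the same --dport.
lint_ruleset() {
    awk '
        /^:INPUT / && $2 == "DROP" { policy_drop = 1 }
        /^-A INPUT / {
            port = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port != "" && $NF == "ACCEPT") accepted[port] = 1
            if (port != "" && $NF == "DROP" && accepted[port]) shadowed = 1
        }
        END { if (policy_drop && !shadowed) exit 0; exit 1 }
    '
}

# Count the rules of one chain in a ruleset read on stdin.
count_rules() {
    grep -c "^-A $1 "
}

# Usage (as root): filter_ruleset | lint_ruleset && filter_ruleset | iptables-restore
```

Run the lint before loading: `filter_ruleset | lint_ruleset` passes, `bad_ruleset | lint_ruleset` fails, which is the difference between -A and -I made visible before any packet is dropped or, worse, accepted.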
Network Address Translation

NAT
- SNAT: source NAT
- DNAT: destination NAT

SNAT
(diagram: internal hosts 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4 behind the external address 172.16.0.1)
- 1:1 - each internal IP address is translated to a distinct external IP
- x:1 - all internal IP addresses are translated to a single external IP address; the internal IPs may be dynamic
- Masquerading, a special case, x:x - dynamic internal IPs are translated to a dynamic outgoing IP

DNAT
(diagram: requests arriving at 172.16.0.1 are sent on to 192.168.0.1, 192.168.0.2, 192.168.0.3 or 192.168.0.4)
Destination NAT translates the destination IP address to a different value.
- Translation 1:x - incoming requests for one IP address (and port) are translated to many different IP addresses (and ports). This can be used to implement some kind of load balancing.
- Translation 1:1 - incoming requests for one IP address (and port) are translated to a single internal IP address and port.

Simple implementation of NAT
An internal network connects to the internet through a dynamic public IP address on ppp0:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
(POSTROUTING runs after the routing decision, so -i is not accepted there and the rule is rejected; select the traffic by source network (192.168.0.0/24 here, as in the diagrams) and outgoing interface. The kernel must also be set to forward packets: sysctl -w net.ipv4.ip_forward=1.)

Redirection: redirection is a special case of the above.
Redirection translates incoming requests for one IP address and port to a different local port. The packet is resubmitted to the firewall after translation.
PROXY (application firewall)
A proxy or application firewall is implemented at the application level of the OSI model: it understands the protocol being proxied and can inspect and rewrite requests, which a packet filter working at layers 3 and 4 cannot.

Screening router
(diagram: Internet -- screening router -- internal network)
A simple combined router and packet filter is called a screening router. A screening router is capable of implementing simple rules and simple NAT. A simple screening router is thus able to restrict the packets transferred between the internet and the internal network. Commercially available routers usually implement these simple features.

DMZ (Demilitarised Zone)
(diagram: Internet -- screening router -- DMZ -- internal network)
Whenever the internal network needs access to the internet, it connects to the application level gateways in the DMZ, which then forward the request to the internet. The response reaches the application level gateway in the DMZ, which then forwards it to the requesting client.

Reverse proxy
(diagram: Internet -- screening router -- proxy -- web server)
A reverse proxy is not a firewall. Its main features are:
- Protection against DoS attack tools: since the proxy unpacks all IP packets (it terminates the client's connection and reassembles the request itself), it drops invalid packets and only well-formed requests reach the web server.
- Acceleration: the proxy maintains a cache, so it can answer a repeated request from the cache as well.
- Load balancing is also done by the reverse proxy.