Linux Firewalls
History of Linux Firewalls
Kernel Versions
2.0.X IP Masquerading
2.2.X IP Chains
2.4.X IP Tables
2.6.X IP Tables
Why use a firewall?
Firewalls are generally set up for one of
3 reasons.
To keep people out of your network
(Viruses, crackers)
To keep people in your network
(employees, children)
To share a public IP address.
What is a firewall?
A firewall is a device that provides
isolation between 2 or more networks.
They are generally used to protect a
private network from the Internet.
There are two types of firewalls.
Packet Filtering firewalls
Proxy Servers
What is a Proxy server?
A proxy is a firewall that acts as a
middle-man.
When one device requests a network
service the request is forwarded to a
proxy.
The proxy will then make a request for
the device, then relay the reply back.
Features of Proxies
A proxy may cache a copy of the
information for future requests.
Proxies support user authentication
Advanced logging can provide audit
trails of everything that is done on
the network.
Linux based proxies
Squid
TIS Firewall Toolkit (FWTK)
SOCKS
NOCAT
Packet Filtering Firewalls
Packet filtering is the most common type
of firewalling.
Every packet that is sent across the
firewall is compared against a set of rules.
These rules will determine what will
happen to any packet.
Rules are based on source, destination,
ports, type and sometimes contents.
Overview of Packet Filtering
Linux Based Packet Filtering
Packet filtering is built into the kernel
and operates on the network layer.
The kernel starts with three lists that
are called firewall chains or just
chains.
The three chains are called INPUT,
OUTPUT and FORWARD.
Configuring a packet filtering firewall
Using the menuconfig tool add the
following options. Then recompile the
kernel.
Networking Options
Packet socket
Socket filtering
NAT,SNAT,DNAT
Most packet filtering firewalls are NAT
(Network Address Translation) firewalls. This
involves changing the source/destination
IPs and/or port addresses.
SNAT - Source Network Address Translation
This is used for changing the source address
of packets.
It hides the local network. An example is a
firewall that has a public-side IP address and
needs to substitute our local network's IP
numbers with that of the firewall.
The firewall will automatically SNAT and
De-SNAT the packets, making it possible to
make connections from the LAN to the
Internet.
DNAT - Destination Network Address Translation
This is used when the firewall has a
public IP and you want to redirect
accesses to the firewall to some other
host.
In other words, we change the
destination address of the packet and
reroute it to the host.
MASQUERADE
This is the same as SNAT, but MASQUERADE
takes a little more overhead to compute,
because each time MASQUERADE receives a
packet it automatically checks which IP
address to use.
SNAT uses the single configured IP address.
The MASQUERADE target makes it possible
to work properly with the dynamic IP
addresses that your ISP might provide over
DHCP, PPP or PPPoE.
Filter Table
This is the lookup table that is used to
filter packets.
It can match packets and filter them in
whatever way we want.
This is what determines whether to
DROP or ACCEPT the packets.
Examples of filters
Action    Rule
Deny      All outgoing web to playboy.com
Accept    Incoming SMTP mail
Deny      All outgoing to login.icq.com
Redirect  Incoming web requests to company website.
Creating Firewall Policies
iptables -L          Lists all firewall rules.
iptables -F          Flushes rules (removes all rules).
iptables -D (rule)   Removes a firewall rule.
iptables -I (rule)   Inserts a firewall rule.
iptables -R (rule)   Replaces a firewall rule.
iptables -A (rule)   Appends a firewall rule.
Setting up a basic firewall
A Sample rc.firewall
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A FORWARD -i eth1 -j ACCEPT
A Sample rc.firewall (cont.)
# allowed and blocking are user-defined chains: create them with -N before
# any -j references them; blocking only acts once a built-in chain jumps to it.
iptables -N allowed
iptables -N blocking
iptables -A INPUT -p TCP -s 0/0 --dport 80 -j allowed
iptables -A blocking -p tcp -d 0.0.0.0/0 --dport 0:1000 -j DROP
iptables -A blocking -p udp -d 0.0.0.0/0 --dport 0:1000 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
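A fuller rc.firewall, added here as an example and not the deck's own script, that puts the pieces above together: default DROP policies, the allowed chain created before it is used, stateful INPUT and FORWARD rules, and MASQUERADE for the LAN. It assumes eth0 is the LAN side, eth1 the Internet uplink and 192.168.1.0/24 the LAN prefix; fw_rules takes the command to run, so "fw_rules echo" previews the rules without root.

```sh
#!/bin/sh
# Added example (not the deck's script): default-DROP rc.firewall for a gateway
# with two interfaces. Assumed names: eth0 = LAN, eth1 = Internet uplink,
# LAN prefix 192.168.1.0/24. "fw_rules echo" previews every rule without
# touching the kernel; "fw_rules iptables" applies them (requires root).
LAN_IF="eth0"
WAN_IF="eth1"
LAN_NET="192.168.1.0/24"

fw_rules() {
    IPT="${1:-iptables}"
    # Known starting state: flush all rules and delete user-defined chains.
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # Default policies: drop anything not explicitly allowed (the deck's
    # sample leaves all three chains at ACCEPT).
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # User-defined chain "allowed": a new TCP handshake (SYN) or an already
    # established flow passes, anything else is dropped. It must be created
    # with -N before any rule jumps to it, or iptables rejects the -j.
    $IPT -N allowed
    $IPT -A allowed -p tcp --syn -j ACCEPT
    $IPT -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A allowed -p tcp -j DROP

    # INPUT: loopback, replies to our own connections, and public web (80)
    # through the allowed chain, as in the deck's sample.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j allowed

    # FORWARD: only LAN-originated traffic goes out, plus its return packets.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SNAT for the LAN: MASQUERADE uses whatever address the uplink currently
    # has, which is what a DHCP or PPPoE connection needs.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}
# Preview by default; run with the single argument "apply" to install.
case "${1:-}" in
    apply) fw_rules iptables ;;
    *)     fw_rules echo ;;
esac
```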