Filter & NAT
Training Division
PT UFOAKSES SUKSES LUARBIASA
Jakarta
nux@ufoakses.co.id
Firewall
• Rules or filters
• NAT (source NAT and destination NAT)
• Mangle
• Address List
• Service Ports
• Connection
– For monitoring only
What are Firewall Filters
• The firewall filter is a tool for packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router.
• The firewall filter is one of the tools that allow the user to control data flow to, from and through his or her computer in any way he or she wishes.
Firewall Filters Structure
• Firewall filters consist of IF-THEN rules:
IF <condition(s)> THEN <action>
• When the firewall filters are processed, a packet passes through the rules in the order they are listed, from top to bottom. If the packet matches the condition(s) of a rule, the specified action is performed on it; otherwise the packet moves on to the next rule.
Firewall Filters Chains
• Firewall filter rules are organized in chains
• There are built-in chains:
– Input: processes packets addressed to the router itself
– Output: processes packets sent by the router itself
– Forward: processes traffic sent through the router
Firewall Filters Structure
• New user-defined chains can be added as necessary
• The default chains must contain a rule that redirects packet flow to a user-defined chain, because otherwise that chain has no default traffic to match
• User-defined chains are used to reduce the average number of rules a packet passes through (to make the firewall faster), or to optimize the firewall structure and make it more readable and manageable
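As an added example (not part of the original deck), a RouterOS filter configuration showing the built-in input, forward and output chains, a user-defined chain reached by a jump and left by a return, and the top-to-bottom, first-match evaluation described above. The interface names (ether1 as WAN, ether2 as LAN), the LAN range 192.168.88.0/24 and the chain name lan-to-wan are assumptions.

```routeros
# Added example, not from the original deck. Assumed: ether1 = WAN, ether2 = LAN,
# LAN range 192.168.88.0/24. Within a chain, rules are tried top to bottom and
# the first rule whose conditions match and whose action is terminating
# (accept, drop, reject, tarpit) decides the packet's fate.
/ip firewall filter

# input chain: packets addressed to the router itself
add chain=input action=accept connection-state=established,related \
    comment="packets of tracked connections: no later rule is consulted"
add chain=input action=accept in-interface=ether2 src-address=192.168.88.0/24 \
    comment="management access only from the LAN"
add chain=input action=drop comment="anything else aimed at the router"

# forward chain: packets passing through the router
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# A built-in chain must hand traffic to a user-defined chain explicitly;
# without this jump the lan-to-wan chain would never see a packet.
add chain=forward action=jump jump-target=lan-to-wan \
    in-interface=ether2 out-interface=ether1 connection-state=new \
    comment="new LAN->WAN connections are checked in lan-to-wan"
add chain=forward action=accept in-interface=ether2 out-interface=ether1 \
    comment="reached only by packets that returned from lan-to-wan"
add chain=forward action=drop comment="default deny for all other transit traffic"

# user-defined chain: only the rules relevant to LAN->WAN traffic,
# so most packets pass fewer rules than they would in one long chain
add chain=lan-to-wan action=drop protocol=tcp dst-port=25 \
    comment="block direct SMTP from LAN clients"
add chain=lan-to-wan action=return \
    comment="back to the forward chain, at the rule after the jump"

# output chain: packets generated by the router itself
add chain=output action=accept
```

Reading it with one sample packet: a new TCP connection from 192.168.88.20 to port 25 on the Internet enters the forward chain, skips the first two rules, matches the jump, is dropped by the first rule of lan-to-wan and never reaches the accept rule in forward; the same client connecting to port 443 falls through to the return and is then accepted by the rule after the jump.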
Actions
• Accept – accept the packet. No further action is taken, i.e. the packet is passed through and no more rules are applied to it
• Add-dst-to-address-list – adds the destination address of an IP packet to the address list specified by the address-list parameter
• Add-src-to-address-list – adds the source address of an IP packet to the address list specified by the address-list parameter
• Drop – silently drop the packet (without sending an ICMP reject message)
• Jump – jump to the chain specified by the value of the jump-target parameter
• Log – each match with this action adds a message to the system log
• Passthrough – ignores this rule and goes on to the next one
• Reject – reject the packet and send an ICMP reject message
• Return – passes control back to the chain where the jump took place
• Tarpit – captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
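An added example (not from the original deck) of the actions listed above on the input chain: passthrough, add-src-to-address-list, tarpit, reject, accept, log and drop, in an order that shows which actions are terminating and which let the packet continue to the next rule. The interface names (ether1 as WAN, ether2 as LAN), the address-list names ssh-seen and blacklist and the ports are assumptions; the blacklist is assumed to be maintained separately under /ip firewall address-list.

```routeros
# Added example, not from the original deck. Assumed: ether1 = WAN, ether2 = LAN;
# address lists ssh-seen and blacklist, the latter filled elsewhere under
# /ip firewall address-list. Rule order matters: the non-terminating actions
# (passthrough, add-src-to-address-list, log) come before the terminating ones.
/ip firewall filter

# passthrough: the rule only counts matching packets; processing continues
add chain=input action=passthrough protocol=tcp dst-port=22 \
    comment="counter for all packets to the SSH port"

# add-src-to-address-list: remember who opened a connection to SSH from the WAN,
# with a timeout so the list cleans itself; the packet continues to the next rule
add chain=input action=add-src-to-address-list address-list=ssh-seen \
    address-list-timeout=1h protocol=tcp dst-port=22 \
    connection-state=new in-interface=ether1

# tarpit: hold TCP connections from listed sources (SYN/ACK is sent, nothing more)
add chain=input action=tarpit protocol=tcp src-address-list=blacklist

# reject: tell the sender the service is not reachable instead of staying silent
add chain=input action=reject reject-with=icmp-admin-prohibited \
    protocol=udp dst-port=161 in-interface=ether1 \
    comment="no SNMP from the WAN"

# accept: tracked traffic and management from the LAN
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=ether2

# log is non-terminating, so the drop rule below still applies to the same packet
add chain=input action=log log-prefix="input-drop: " \
    in-interface=ether1 connection-state=new
add chain=input action=drop in-interface=ether1 connection-state=new
```

A SYN to port 22 arriving on ether1 is therefore counted, recorded in ssh-seen, logged and dropped, all by one pass through the chain; the same SYN from a source on the blacklist stops at the tarpit rule and never reaches the log rule.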
What is Firewall NAT
• NAT is used for source IP address and destination IP address translation. The first packet of a flow traverses the NAT rules; the other packets of this flow are automatically NATed with the same action as the first one
• NAT is one of the tools that allow the user to control data flow to, from and through his computer in any way he wishes.
NAT Rules
Firewall NAT structure
• NAT consists of IF-THEN rules:
IF <condition(s)> THEN <action>
• When NAT is processed, a packet passes through the rules in the order they are listed, from top to bottom. If the packet matches the condition(s) of a rule, the specified action is performed on it; otherwise the packet moves on to the next rule.
Firewall NAT structure
• NAT rules are organized in chains
• There are two built-in chains:
– dstnat – used for changing the destination address and ports, after which the packet is rerouted.
– srcnat – used for changing the source address and ports. (The dst-nat and redirect actions can be used in this chain)
– New user-defined chains can be added
Known NAT actions
• Accept – the packet is accepted and passed through NAT without taking any action
• Jump – jump to the chain specified by the value of the jump-target argument
• Return – return to the previous chain, from where the jump took place
• Log – log packet matches
• Passthrough – ignore this rule and go on to the next one
• Add-dst-to-address-list – add the packet's destination address to the specified address list
• Add-src-to-address-list – add the packet's source address to the specified address list
New NAT actions
There are 6 new actions in the NAT:
• dst-nat and redirect
• src-nat and masquerade
• netmap
• same
Src-nat and masquerade
• Src-nat allows the source address and port to be changed to the local address and port of the router (masquerading) or to some other specified address and port
• A typical application of src-nat is to hide private addresses behind one or more [public] external addresses, allowing multiple hosts behind one address
Dst-nat and redirect
• Dst-nat allows the destination address and port to be changed to the local address and port of the router (redirect) or to some other specified address and port
• Typically used for accessing services on a private network from the outside via a public address
Netmap and Same
• Netmap – creates a static 1:1 mapping of one set of IP addresses to another one
• Same – gives a particular client the same source/destination IP address from the supplied range for each connection (or all the time if you specify the "not_by_dst" option)
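An added example (not from the original deck) that places all six NAT actions from the slides above in the two built-in NAT chains: masquerade, src-nat and same in srcnat; dst-nat and redirect in dstnat; netmap once in each direction. All addresses, interface names (ether1 as WAN, ether2 as LAN) and ports are assumptions; the "not_by_dst" option is written in the RouterOS CLI as the same-not-by-dst parameter.

```routeros
# Added example, not from the original deck. All addresses, interface names
# (ether1 = WAN, ether2 = LAN) and ports are assumptions. Only the first packet
# of a connection is matched against these rules; the rest of the flow
# inherits the decision through connection tracking.
/ip firewall nat

# --- srcnat chain: rewrite source address/port on the way out ---
# masquerade: use whatever address ether1 currently has (typical for a dynamic WAN)
add chain=srcnat action=masquerade out-interface=ether1 \
    src-address=192.168.88.0/24
# src-nat: translate to one fixed public address (assumed 203.0.113.5)
add chain=srcnat action=src-nat to-addresses=203.0.113.5 \
    out-interface=ether1 src-address=10.10.0.0/24
# same: each client in 192.168.89.0/24 keeps one address from the pool for all
# its connections; same-not-by-dst=yes ignores the destination when choosing it
add chain=srcnat action=same to-addresses=203.0.113.10-203.0.113.14 \
    same-not-by-dst=yes out-interface=ether1 src-address=192.168.89.0/24

# --- dstnat chain: rewrite destination address/port on the way in ---
# dst-nat: publish an internal web server (assumed 192.168.88.10) on the public side
add chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    in-interface=ether1 protocol=tcp dst-port=80
# redirect: send LAN web traffic to a proxy on the router itself, port 8080
add chain=dstnat action=redirect to-ports=8080 \
    in-interface=ether2 protocol=tcp dst-port=80

# --- netmap: static 1:1 mapping 10.20.0.0/24 <-> 172.16.20.0/24 ---
# one rule per direction: host 10.20.0.7 is seen outside as 172.16.20.7 and back
add chain=srcnat action=netmap src-address=10.20.0.0/24 \
    to-addresses=172.16.20.0/24
add chain=dstnat action=netmap dst-address=172.16.20.0/24 \
    to-addresses=10.20.0.0/24
```

Because the chains are first-match, the src-address conditions keep the three srcnat rules from shadowing one another; dropping the src-address condition from the masquerade rule would make it catch every outbound flow, and the src-nat and same rules below it would never be reached.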