
Linux Firewalls: The basics
Wouter Heyse
February 28, 2007

Outline
- Introduction
- Getting started
- The gory details
- A Script
- Documentation

Introduction
- What is a firewall?
- Firewalls and Networking
- Firewalls in linux

What is a firewall?
- control internet traffic
- enforce security policies
- connect zones of different trust levels

Firewalls and Networking
(diagram slides; only the title survives in the text)

The TCP/IP protocol suite
- Network Layer: IP, ICMP, ...
- Transport Layer: TCP, UDP, ...
- Application Layer: FTP, HTTP, SSH, DNS-lookup

The IP Protocol
(diagram slide; only the title survives in the text)

The UDP Protocol
(diagram slide; only the title survives in the text)

The TCP Protocol
(diagram slides; only the title survives in the text)

Firewalls in linux
- network layer filtering
- ipfilter: kernel modules for intercepting and manipulating network packets
- iptables: userspace administration tool

Getting started
- Requirements specification
- Installation
- Setting up the kernel
- Rules
- Examples

Requirements specifications
- Where will it be deployed?
- What is it for?
  - filtering connections
  - forwarding packets
  - blocking content / hacker attempts
  - ...
- Will it have to . . .
  - support specific protocols
  - log traffic
  - match packets on specific properties

Installation
Get it from the official website: http://www.netfilter.org
or download the package from your favorite distribution.
Make sure you have the latest kernel version: http://www.kernel.org.

Setting up the kernel
Iptables needs certain options built into the kernel:
- Required: CONFIG_PACKET, CONFIG_NETFILTER
- Optional: all CONFIG_PACKET_NF_* options

Additional options
A description of the available kernel options can be found at http://www.netfilter.org
If you want to try the scripts in this course, enable CONFIG_PACKET_NF_CONNTRACK, CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_FILTER, CONFIG_IP_NF_NAT, CONFIG_IP_NF_MATCH_STATE
Extra modules can be found at: http://www.netfilter.org

The anatomy of a rule

iptables [-t TABLE] [COMMAND] [MATCH] [-j TARGET]


Examples
- block ping packets
  iptables -A INPUT -p icmp -j DROP
- allow a host to use the http server (a port match needs a protocol, and long options take two dashes)
  iptables -A INPUT -p tcp -s 134.184.49.28 --dport http -j ACCEPT
- disallow the use of a server
  iptables -A OUTPUT -p tcp -d 148.34.49.5 --dport 6666 -j DROP
- flush all chains
  iptables -F
- set default policy (-P takes a built-in chain and a target)
  iptables -P INPUT DROP

The gory details
- Tables
- Chains
- Commands
- Matches
- Useful examples

Tables
- filter: default
- nat: packets that create new connections
- mangle: specialized packet alteration
- raw: configure exemptions from connection tracking

Chains
Commands:
- New chain: iptables -N newchain
- Delete chain: iptables -X newchain
- Set policy (built-in chains only): iptables -P chain target
- Rename chain: iptables -E oldchain newchain

Chains
- INPUT: all incoming packets
- OUTPUT: all outgoing packets
- FORWARD: all forwarded packets
- custom

Targets
Targets:
- ACCEPT
- DROP
- REJECT
- ...

Commands
Commands:
- Insert rule: iptables -I chain rule-spec
- Append rule: iptables -A chain rule-spec
- Delete rule: iptables -D chain rule-id
- Replace rule: iptables -R chain rule-id rule
- List rules: iptables -L

Matches
TCP/IP related matches (the port and flag matches only work together with -p tcp or -p udp):
- Protocol: -p udp
- Source ip: -s 134.184.49.3
- Destination ip: -d 134.184.0.0/24
- Source port: --sport 21
- Destination port: --dport 80
- In interface: -i eth0
- Out interface: -o wlan0
- Tcp flags: --tcp-flags [SYN,ACK,FIN,RST]
- Source type: -m addrtype --src-type [LOCAL,MULTICAST,UNICAST,...]
- Destination type: -m addrtype --dst-type [LOCAL,MULTICAST,UNICAST,...]

State machine matches
State machine matches:
- Connection tracking: -m state --state [NEW,ESTABLISHED,RELATED,INVALID]
- Connection marking: -m connmark --mark 4
- MAC address: -m mac --mac-source 00:00:00:00:00:01
- User identification: -m owner --uid-owner 500
- Match strings: -m string --algo bm --string 7FELF
- Time related: -m time --timestart 3:00 --timestop 6:00 --days Fri
- Random: -m random --average 33

Useful Examples
Coming right up!

A Script
- Initializing
- Standard procedures
- Blocking - allowing traffic
- Other stuff

Initializing
# 1.2.1 Flush any existing rules from all chains
$IPTABLES -F    # rules in filter table
$IPTABLES -X    # user-defined chains
$IPTABLES -Z    # zero counters

# 1.2.2 Split the chain in different user chains
$IPTABLES -N $DEFAULT_in
$IPTABLES -N $DEFAULT_out
$IPTABLES -N flood_in
$IPTABLES -N flood_out

# 1.2.3 Set the default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

Initializing ...
# 1.2.4 keep established connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 1.2.5 Disallow fragmented and invalid packets
# a new TCP connection must start with a SYN; anything else claiming to be NEW is dropped
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
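The Initializing slides (and the Reset / Deny All slides later on) flush the tables first and set the DROP policies afterwards, so for a moment the host runs with empty chains and the kernel's default ACCEPT policy, and a typo halfway through the script leaves it in a half-built state. The following shell example is an addition to these notes, not code from the course: it writes the same rules as one file in iptables-save format, which `iptables-restore` loads as a single atomic replacement of the filter table. The function names (gen_ruleset, count_rules, policy_of), the variables TRUSTED_NET and LOG_LEVEL, and the use of the interface name `lo` in place of the slides' $LOOPBACK_INTERFACE are this example's own assumptions; the chain names, interfaces and network come from the slides.

```shell
#!/bin/sh
# Added example: emit the "Initializing" ruleset as an iptables-restore file.
# iptables-restore swaps the whole table in at once, so there is no window
# between "flush" and "policy DROP", and a syntax error anywhere in the file
# leaves the running ruleset untouched.

TRUSTED_NET="134.184.0.0/24"   # network used on the slides
LOG_LEVEL=4                    # syslog "warning"; the slides use $LOGLEVEL

# Print a complete filter table in iptables-save format (first match wins,
# rules are tried in file order, the chain policy applies when nothing matched).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:trusted - [0:0]
:untrusted - [0:0]
# loopback is unrestricted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 1.2.4 keep established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 1.2.5 new TCP connections must start with SYN; invalid packets are dropped
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# split by origin, as on the "Incoming traffic" slide
-A INPUT -s $TRUSTED_NET -j trusted
-A INPUT -i eth1 -j trusted
-A INPUT -i eth0 -j untrusted
-A trusted -p tcp -m multiport --dports ssh,ftp,http -j ACCEPT
# "untrusted" has no rules: a packet reaches the end of the chain, returns to
# INPUT, is logged (rate-limited) and then hits the DROP policy
-A INPUT -m limit --limit 1/s --limit-burst 5 -j LOG --log-level $LOG_LEVEL --log-prefix "iptables: dropped "
COMMIT
EOF
}

# Number of -A rules in the generated ruleset (self-check).
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# Policy of a built-in chain as declared in the file, e.g. "policy_of INPUT" -> DROP
policy_of() {
    gen_ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}
```

Usage: `gen_ruleset > /etc/firewall.rules && iptables-restore < /etc/firewall.rules`. Because the policies are part of the same file, a ruleset that fails to parse is rejected as a whole and the previous rules stay active, which is the property the flush-then-append sequence on the slides lacks.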

Initializing ... kernel variables
# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# block ping requests (1 = ignore all echo requests, 0 = answer them)
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# tcp related
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "1000 2000" > /proc/sys/net/ipv4/ip_local_port_range

Standard procedures
# allow dns-servers
cat $RESOLVE |
while read type ip; do
    if [ "$type" = "nameserver" ]; then
        echo "allowing dns server: $ip"
        $IPTABLES -A OUTPUT -d $ip -p udp --dport 53 -j ACCEPT
        $IPTABLES -A INPUT -s $ip -p udp --sport 53 -j ACCEPT
    fi
done
# echo request (8) and time exceeded (11): ping and traceroute keep working
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A OUTPUT -p ICMP --icmp-type 11 -j ACCEPT

# Unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
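The resolver loop above takes every `nameserver` line at face value. The shell function below is an added example (not the course's script) that does the same job defensively: it reads the file directly instead of through `cat |`, so a counter set inside the loop is still visible afterwards (a pipeline runs the loop in a subshell), it skips comments, `search`/`options` lines, duplicate servers and IPv6 resolvers (which belong in ip6tables, not iptables), and it honours an IPTABLES variable so the rules can be previewed with `IPTABLES=echo`. The function name dns_rules, the variable DNS_SERVERS_ALLOWED and the sample resolv.conf contents are this example's own constructions.

```shell
#!/bin/sh
# Added example: generate the DNS allow rules from a resolv.conf file.
# IPTABLES defaults to the real binary; set IPTABLES=echo for a dry run.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample resolv.conf used for the dry run (not a real host's file).
SAMPLE_RESOLV='# generated by the DHCP client
search example.test
nameserver 134.184.49.3
nameserver 134.184.49.3
nameserver 2001:db8::53
options timeout:2
nameserver 192.0.2.53'

# dns_rules [FILE]: emit ACCEPT rules for every distinct IPv4 nameserver in
# FILE (default /etc/resolv.conf). Sets DNS_SERVERS_ALLOWED to the number of
# servers that got rules.
dns_rules() {
    file="${1:-/etc/resolv.conf}"
    seen=""
    count=0
    while read -r key value _rest; do
        case "$key" in
            nameserver) ;;
            *) continue ;;              # comments, search, options, blank lines
        esac
        case "$value" in
            *:*) continue ;;            # IPv6 resolver: handled by ip6tables
        esac
        case " $seen " in
            *" $value "*) continue ;;   # already allowed once
        esac
        seen="$seen $value"
        count=$((count + 1))
        $IPTABLES -A OUTPUT -d "$value" -p udp --dport 53 -j ACCEPT
        $IPTABLES -A INPUT  -s "$value" -p udp --sport 53 -j ACCEPT
    done < "$file"
    DNS_SERVERS_ALLOWED=$count
}

# Dry run against the constructed sample (run with DNS_DEMO=1 to see the rules).
if [ "${DNS_DEMO:-0}" = 1 ]; then
    demo="/tmp/resolv.sample.$$"
    printf '%s\n' "$SAMPLE_RESOLV" > "$demo"
    IPTABLES=echo
    dns_rules "$demo"
    echo "servers allowed: $DNS_SERVERS_ALLOWED"
    rm -f "$demo"
fi
```

With the sample above, only 134.184.49.3 and 192.0.2.53 get rules: the duplicate entry produces no second pair, and the IPv6 address is skipped rather than passed to iptables, which would otherwise abort the script at that point.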

Incoming traffic
$IPTABLES -A INPUT -s 134.184.0.0/24 -j trusted
$IPTABLES -A INPUT -i eth1 -j trusted
$IPTABLES -A INPUT -i eth0 -j untrusted
# multiport needs a protocol; service names are resolved through /etc/services
$IPTABLES -A trusted -p tcp -m multiport --dports ssh,ftp,http -j ACCEPT

Outgoing traffic
$IPTABLES -A OUTPUT -d 134.184.0.0/24 -j trusted
# OUTPUT rules match on the outgoing interface (-o); -i is not accepted in this chain
$IPTABLES -A OUTPUT -o eth1 -j trusted
$IPTABLES -A OUTPUT -o eth0 -j untrusted
$IPTABLES -A untrusted -p tcp -m multiport --sports 5555 -j DROP
$IPTABLES -A untrusted -p udp -j DROP

Logging
# log (at most one line per second) packets with impossible TCP flag combinations.
# LOG does not end rule traversal: the packet continues to the later rules and,
# if nothing accepts it, to the chain policy.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit 1/s --limit-burst 1 -j LOG --log-level \
    $LOGLEVEL --log-prefix "iptables: invalid tcp flags "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST \
    -m limit --limit 1/s --limit-burst 1 -j LOG --log-level \
    $LOGLEVEL --log-prefix "iptables: invalid tcp flags "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN \
    -m limit --limit 1/s --limit-burst 1 -j LOG --log-level \
    $LOGLEVEL --log-prefix "iptables: invalid tcp flags "

Reset
# Flush any existing rules from all chains
$IPTABLES -F    # rules in filter table
$IPTABLES -X    # user-defined chains
$IPTABLES -Z    # zero counters

Deny All
# Flush any existing rules from all chains
$IPTABLES -F    # rules in filter table
$IPTABLES -X    # user-defined chains
$IPTABLES -Z    # zero counters
# Set the default policy to deny
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

Flood protection
# every new TCP connection (SYN) and every outgoing UDP packet passes through a
# rate-limiting chain: packets within the limit RETURN to the calling chain and
# continue with the normal rules, the rest fall through to the DROP at the end
$IPTABLES -A INPUT -p tcp --syn -j flood_in
$IPTABLES -A OUTPUT -p udp -j flood_out
$IPTABLES -A flood_in -m limit --limit $BURSTRATE/$BURSTSCALE \
    --limit-burst $BURST -j RETURN
$IPTABLES -A flood_out -m limit --limit $BURSTRATE/$BURSTSCALE \
    --limit-burst $BURST -j RETURN
$IPTABLES -A flood_in -j DROP
$IPTABLES -A flood_out -j DROP
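What `-m limit --limit $BURSTRATE/$BURSTSCALE --limit-burst $BURST` actually lets through is easier to see with a model than from the rule. The limit match is a token bucket: it starts full with BURST tokens, every packet that matches spends one, and tokens refill at the average rate (never above BURST). In the flood_in chain above, a packet that finds a token matches the RETURN rule; a packet that finds none falls through to the DROP. The shell functions below are an added example, not part of the course script; limit_sim, burst_at and spaced are this example's own names, and the rate and burst values in the usage are constructed, not taken from the slides.

```shell
#!/bin/sh
# Added example: model of the iptables "limit" match as a token bucket.
# limit_sim RATE BURST T1 T2 ... : RATE is packets per second, BURST the bucket
# size, T1.. are packet arrival times in milliseconds (nondecreasing).
# Prints "returned dropped": packets that matched the RETURN rule versus
# packets that fell through to the DROP rule of the flood chain.
limit_sim() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 1000))        # tokens are scaled by 1000 so refill stays integer
    tokens=$cap                  # the bucket starts full
    last=0
    returned=0; dropped=0
    for t in "$@"; do
        tokens=$((tokens + (t - last) * rate))   # refill for the elapsed time
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000)); returned=$((returned + 1))
        else
            dropped=$((dropped + 1))
        fi
    done
    echo "$returned $dropped"
}

# burst_at N T: N packets all arriving at time T (a SYN flood burst).
burst_at() {
    n=$1; t=$2; i=0
    while [ "$i" -lt "$n" ]; do printf '%s ' "$t"; i=$((i + 1)); done
}

# spaced N STEP: N packets arriving STEP milliseconds apart, starting at 0.
spaced() {
    n=$1; step=$2; i=0
    while [ "$i" -lt "$n" ]; do printf '%s ' "$((i * step))"; i=$((i + 1)); done
}

# Usage (rate 10/s, burst 20): 50 SYNs at once -> 20 returned, 30 dropped;
# 40 SYNs 100 ms apart -> all 40 returned, since they never exceed the rate.
# limit_sim 10 20 $(burst_at 50 0)
# limit_sim 10 20 $(spaced 40 100)
```

The two cases in the usage comment are the two things to take from the rule: BURST bounds how many connections an idle host accepts at once, and RATE bounds the sustained number per second after that; a client that stays below the rate is never affected.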

Make a gateway
# rewrite the source address of everything leaving through eth1 (the external interface)
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# forward packets arriving on eth0 (the internal interface); with a FORWARD policy
# of DROP, the replies coming back on eth1 also need an ESTABLISHED,RELATED rule
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Documentation

http://www.netfilter.org/
http://www.linuxguruz.com/iptables


Questions?
