Linux: Firewalls and NAT - PowerPoint PPT Presentation

Provided by: corey69
Slides: 17

Transcript and Presenter's Notes

1
Linux Firewalls and NAT
  • Security and
  • Network Address Translation
  • Using iptables

2
Why Linux?
  • Free operating system
  • Unix like
  • Lots of tools
      • www.freshmeat.net
      • www.sourceforge.net
  • Best tool for the job?

3
Security in General
  • Unplugged and locked in a room, anything is
    secure, but not very useful.
  • Principle of Least Privilege
  • Workstations
      • Do they need to be listening at all?
  • Servers
      • What, where, when, why, how
  • Expose as little as is needed

4
Security Over Time
  • Everyone is good
  • TCP Wrappers
      • Software has to implement
  • Ipchains
      • Not stateful
      • NAT is somewhat clunky
  • Iptables
      • Stateful

5
Iptables Quick Reference
  • Chains
      • INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
  • Targets
      • ACCEPT, DROP, REJECT, LOG
  • Conditions
      • Input, output interface (-i, -o)
      • Source, destination (-s, -d)
      • Source, destination ports (--sport, --dport)
      • SYN bit set (--syn)
      • Others
  • http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

6
Packet Path
  • Image from
      • http://www.knowplace.org/netfilter/packet_traversal.gif
  • Complex version
      • http://www.docum.org/stef.coene/qos/kptd/

7
Stateful? What does that mean?
  • Connection streams are identified
  • States
      • NEW, ESTABLISHED, RELATED, INVALID
  • Modules for special protocols
      • irc, ftp, h.323, quake3, snmp
  • More secure
      • Rule sets can be tighter
      • Ports above 1024 can remain closed
  • Adds some overhead
  • For more in-depth info, see
      • http://iptables-tutorial.frozentux.net/iptables-tutorial.html
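
The following script is an added example, not part of the slides or the presenter's own material: it turns the chains, targets and states listed on slides 5 and 7 into a complete stateful host firewall. It assumes `iptables` is on PATH and uses `-m conntrack --ctstate`, the current spelling of the `-m state --state` match the slides use; the allowed port list is constructed. With `DRY_RUN=1` (the default unless `FW_APPLY=1`) it prints the rules instead of loading them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal stateful host firewall built
# from the chains, targets and conditions listed above. With DRY_RUN=1 the
# script prints the iptables commands instead of executing them, so a ruleset
# can be reviewed on a machine without root or iptables (the default here).

IPT=${IPT:-iptables}                # assumption: iptables is on PATH
ALLOWED_TCP=${ALLOWED_TCP:-"22 80"} # constructed: services this host offers

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_host_ruleset() {
    # Clean slate, deny inbound and transit by default, allow outbound.
    run "$IPT" -F
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Loopback traffic is always local and always allowed.
    run "$IPT" -A INPUT -i lo -j ACCEPT

    # The stateful rule: replies to connections this host opened, plus
    # helper-tracked RELATED traffic (FTP data, ICMP errors), come back in.
    # This is why every port above 1024 can stay closed to new connections.
    # (-m conntrack --ctstate is the current spelling of -m state --state.)
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Only NEW connections to the listed services are admitted; --syn narrows
    # the match to the first packet of the TCP handshake.
    for port in $ALLOWED_TCP; do
        run "$IPT" -A INPUT -p tcp --syn --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Rate-limited LOG before the final DROP gives detection data without
    # letting a flood fill syslog.
    run "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    run "$IPT" -A INPUT -j DROP
}

# rule_count: number of -A rules a dry run emits (sanity check before applying).
rule_count() {
    ( DRY_RUN=1; build_host_ruleset ) | grep -c -- ' -A '
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    build_host_ruleset            # really program the kernel (needs root)
else
    ( DRY_RUN=1; build_host_ruleset )
fi
```

Rule order matters: the ESTABLISHED,RELATED accept sits before the per-service rules so the bulk of traffic is decided by one conntrack lookup, and the LOG rule sits last so only what is about to be dropped is recorded.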

8
Firewall Options
  • Subnet based
      • Reduces usable addresses
      • Upstream provider has to know
  • Proxy ARP based
      • Almost invisible
      • No change in addressing needed
  • Bridge based
      • Requires kernel patch

  [Figure: diagram labelled Internet and Network, firewall between them]

9
ProxyARP
  • All interfaces get the same ip address
  • Enable proxyarp on interfaces
      • echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
  • Build the routing table
      • ip route del 128.174.5.0/24 dev eth0
      • ip route del 128.174.5.0/24 dev eth1
      • ip route add 128.174.5.1/32 dev eth0
      • ip route add 128.174.5.57/32 dev eth1
      • ip route add 128.174.5.80/32 dev eth2
      • ip route add 128.174.5.53/32 dev eth3
      • ip route add 128.174.5.0/24 dev eth1
  • The last one is special: it is the catch-all for every address in the
    subnet without a /32 route of its own (longest prefix match picks the
    /32 routes first)
  • Firewall will now answer arp requests for hosts
    on other interfaces (bridge-like)

10
Filtering with ProxyARP
  • Any filter can be applied
  • Block all incoming 135 traffic (blaster, welchia)
      • -A FORWARD -i eth0 -o eth1 -p tcp --dport 135 -j DROP
  • Block all outgoing web traffic
      • -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP
  • Block incoming DNS traffic
      • -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j DROP
  • Allow ssh from one host to one host
      • -A FORWARD -i eth0 -o eth1 -p tcp --destination 128.174.5.80
        --dport 22 --source 192.168.1.5 -j ACCEPT
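
As an added example (not the presenter's script), the following puts slides 9 and 10 together into one dry-runnable proxy-ARP firewall script: it enables `proxy_arp` on every interface in a host table, replaces the connected /24 route with per-host /32 routes plus the catch-all, and loads the slide 10 filters on top of a default-deny FORWARD chain with a stateful return rule. The host table and addresses are the constructed ones from slide 9; `sysctl -w` is used instead of the slide's `echo` so the command prints cleanly in dry-run mode; the ssh source 203.0.113.5 is a constructed placeholder, and the ssh rule names eth2 because that is where 128.174.5.80 sits in the route table.

```shell
#!/bin/sh
# Added example, not from the slides: proxy-ARP firewall setup (slides 9/10).
# DRY_RUN=1 prints every command instead of running it.

SUBNET="128.174.5.0/24"
EXT="eth0"                      # interface toward the upstream router
CATCHALL_DEV="eth1"             # rest of the subnet lives here (slide 9)
# Constructed host table from slide 9: "address interface" per line.
HOSTS="128.174.5.1 eth0
128.174.5.57 eth1
128.174.5.80 eth2
128.174.5.53 eth3"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn on proxy ARP on each interface named in the table (once per interface)
# and make sure the box forwards at all.
enable_proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$HOSTS" | awk '{print $2}' | sort -u | while read -r dev; do
        run sysctl -w "net.ipv4.conf.$dev.proxy_arp=1"
    done
}

# Replace the connected /24 on every interface with one /32 per host, then
# add the catch-all for the remainder of the subnet. Longest prefix match
# means the /32 routes win regardless of insertion order; deleting a route an
# interface never had simply fails, which is harmless here.
build_routes() {
    printf '%s\n' "$HOSTS" | awk '{print $2}' | sort -u | while read -r dev; do
        run ip route del "$SUBNET" dev "$dev" 2>/dev/null || true
    done
    printf '%s\n' "$HOSTS" | while read -r addr dev; do
        run ip route add "$addr/32" dev "$dev"
    done
    run ip route add "$SUBNET" dev "$CATCHALL_DEV"
}

# Slide 10 filters, on a FORWARD chain that drops by default and admits
# replies statefully. Inside-to-inside traffic needs its own rules.
build_filter() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 135 -j DROP
    run iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j DROP
    run iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j DROP
    # constructed source 203.0.113.5; 128.174.5.80 is behind eth2 per the table
    run iptables -A FORWARD -i eth0 -o eth2 -p tcp -s 203.0.113.5 -d 128.174.5.80 --dport 22 -j ACCEPT
    # Hosts behind the firewall may open connections toward the upstream side.
    run iptables -A FORWARD ! -i "$EXT" -o "$EXT" -j ACCEPT
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    enable_proxy_arp; build_routes; build_filter
else
    ( DRY_RUN=1; enable_proxy_arp; build_routes; build_filter )
fi
```

Run it once with `DRY_RUN=1` and diff the output against what the slides show before applying with `FW_APPLY=1`; with a default-deny FORWARD policy, a forgotten route or rule is a silent outage rather than an exposure.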

11
Network Address Translation
  • Source NAT (SNAT)
      • Traditional Masquerading
      • Change the source address of a packet
      • Done Post Routing
  • Destination NAT (DNAT)
      • Change the destination of a packet
      • Done Pre Routing
  • Examples
      • Port Forwarding
      • Load sharing/balancing
      • Transparent proxy

12
Basic Source NAT
Assuming eth0 public 128.174.5.58, eth1 private 192.168.1.1:
  • /sbin/iptables -A FORWARD -i eth0 -o eth1 -m
    state --state ESTABLISHED,RELATED -j ACCEPT
  • /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
  • /sbin/iptables -t nat -A POSTROUTING -o eth0 -j
    SNAT --to 128.174.5.58

13
Source NAT and Filtering
  • /sbin/iptables -A FORWARD -i eth0 -o eth1 -m
    state --state ESTABLISHED,RELATED -j ACCEPT
  • /sbin/iptables -A FORWARD -i eth1 -s
    192.168.1.0/24 -p tcp --dport 80 -d 128.174.5.58
    -j ACCEPT
  • /sbin/iptables -A FORWARD -i eth1 -s
    192.168.1.0/24 -p tcp --dport 80 -d 0.0.0.0/0 -j
    REJECT
  • /sbin/iptables -A FORWARD -i eth1 -o eth0 -j
    ACCEPT
  • /sbin/iptables -t nat -A POSTROUTING -o eth0 -j
    SNAT --to 128.174.5.58

14
Destination NAT
  • Internal Webserver, visible to world
      • iptables -t nat -A PREROUTING -p tcp --dport 80
        -i eth0 -j DNAT --to 192.168.1.10:8080
  • Load balancing
      • iptables -t nat -A PREROUTING -i eth0 -j DNAT
        --to 192.168.1.5-192.168.1.10
  • Transparent proxy
      • iptables -t nat -A PREROUTING -i eth0 -p tcp
        --dport 80 -j REDIRECT --to-port 3128
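
The script below is an added example, not the presenter's: it combines the SNAT of slide 12, the filtered FORWARD chain of slide 13 and the DNAT port forward of slide 14 into one gateway, and adds the two things the slides leave implicit: enabling IP forwarding, and a FORWARD rule that admits the forwarded connection (after DNAT the filter sees the packet addressed to the internal host, so a default-deny FORWARD chain drops it unless told otherwise). Addresses are the constructed ones from the slides; `dnat_forward_check` is a hypothetical helper that audits a dry-run listing for host:port DNAT targets lacking such a rule.

```shell
#!/bin/sh
# Added example, not from the slides: masquerading gateway with a port forward.
# DRY_RUN=1 prints the commands instead of executing them.

PUB_IF="eth0"; PUB_IP="128.174.5.58"          # constructed, from slide 12
LAN_IF="eth1"; LAN_NET="192.168.1.0/24"
WEB_HOST="192.168.1.10"; WEB_PORT="8080"      # internal web server, slide 14

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_gateway() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F

    # Replies for anything already tracked, in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Slide 13 policy: inside hosts reach port 80 only via the firewall's own
    # address; other web attempts get an ICMP reject, everything else may go out.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -d "$PUB_IP" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REJECT
    run iptables -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" -j ACCEPT

    # DNAT happens before routing, so the FORWARD chain sees the rewritten
    # (internal) destination: it needs its own ACCEPT or the default DROP wins.
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    run iptables -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport "$WEB_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # SNAT after routing: everything leaving the public side carries PUB_IP
    # (use -j MASQUERADE instead when the public address is dynamic).
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -j SNAT --to-source "$PUB_IP"
}

# dnat_forward_check: read a dry-run listing on stdin; exit 0 if every
# host:port DNAT target has a FORWARD ACCEPT for that host and port, else 1.
dnat_forward_check() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -- '-j DNAT' | sed 's/.*--to-destination //' |
    while read -r target; do
        host=${target%:*}; port=${target#*:}
        printf '%s\n' "$rules" |
            grep -q -- "-A FORWARD .* -d $host --dport $port .*-j ACCEPT" || exit 1
    done
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    build_gateway
else
    ( DRY_RUN=1; build_gateway ) | tee /dev/stderr | dnat_forward_check && echo "dnat check: ok"
fi
```

The SNAT rule is last in the nat table but first in effect for outbound traffic, because POSTROUTING runs after the routing decision; the DNAT rule in PREROUTING runs before it, which is exactly why the FORWARD match must name the internal address and port rather than the public ones.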

15
Real Life Examples
  • General Purpose examples
      • http://www-wsg.cso.uiuc.edu/talks/iptables/
      • Linked from http://biss.beckman.uiuc.edu/security/workshops/
  • Multi purpose masquerading/web proxy
      • http://www.staff.uiuc.edu/betka/masq.txt
  • Dedicated proxy arp firewall
      • http://www.staff.uiuc.edu/betka/firewall.txt
  • Multi purpose firewall systems
      • Boot off CD and/or floppy
      • http://leaf.sourceforge.net/

16
Resources
  • http://www.netfilter.org/
  • http://biss.beckman.uiuc.edu/security/workshops/
  • http://pfilter.sourceforge.net/
  • http://www.shorewall.net/
  • http://smoothwall.org/
  • http://leaf.sourceforge.net/
  • Questions?