Computer networks -- 2007-2008 -- info.uvt.ro/Laboratory 12
Firewalls
- concepts:
- connection tracking;
- connection state;
- tables;
- chains;
- default policy;
- interfaces;
- actions;
- matching modules:
- state;
- mac;
- tcp, udp;
- links:
- wikipedia:Firewall (networking) -- introductory;
- wikipedia:Netfilter/iptables -- Linux firewall system;
- wikipedia:Ipfirewall -- FreeBSD firewall system;
- iptables man page;
Firewall front-ends
- 101 FreeBSD Ipfw resources
- wikipedia:Shorewall
- wikipedia:FireHOL
- Firewall Builder
- dwall
- Firestarter
- KMyFirewall
- Abyle
- Fiaif
- ferm
- Guarddog
- HLFL
- ipkungfu
- Knetfilter
- Lokkit
- Pyroman
Iptables examples
Strict firewall
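#!/bin/bash
# Strict host firewall.
#
# Every filter chain defaults to DROP; the only traffic let through is
# loopback, replies to connections this host opened (ESTABLISHED/RELATED),
# all new outgoing connections on the external interface, and new incoming
# TCP connections to the SSH port on that interface. FORWARD gets no rules
# at all, so this host does not route for anyone.
#
# Environment (optional):
#   WAN_IF    external interface (default: eth0)
#   SSH_PORT  TCP port accepted for new inbound connections (default: 22)
#
# Requires root (CAP_NET_ADMIN) for modprobe and every iptables call.

wan_if="${WAN_IF:-eth0}"
ssh_port="${SSH_PORT:-22}"

# Loading modules (modprobe is a no-op for modules already loaded)
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat

# Resetting filter table.
# The DROP policies are installed before any ACCEPT rule is appended: once
# these lines have run, a failure further down leaves the host closed rather
# than open.
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP

# Resetting nat table.
# No NAT rules are added by this script; the built-in nat chains stay at
# ACCEPT so the nat table never blocks traffic on its own.
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT

# Configuring filter table
## Allowing established
## (`--match state` is the legacy state match; `--match conntrack --ctstate`
## is the current equivalent and understands the same state names)
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
## Allowing related (e.g. ICMP errors tied to a tracked connection)
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
## Allowing loopback: local services talking to each other
iptables --table filter --append INPUT --in-interface lo --match state --state NEW --jump ACCEPT
iptables --table filter --append OUTPUT --out-interface lo --match state --state NEW --jump ACCEPT
## Allowing outgoing: any new connection this host initiates on the
## external interface, any protocol, any port
iptables --table filter --append OUTPUT --out-interface "$wan_if" --match state --state NEW --jump ACCEPT
## Allowing incoming: only new TCP connections to the SSH port; anything
## else arriving on the external interface falls through to INPUT's DROP
iptables --table filter --append INPUT --in-interface "$wan_if" --protocol tcp --destination-port "$ssh_port" --match state --state NEW --jump ACCEPT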
Simple router + NAT firewall
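#!/bin/bash
# Simple router + NAT firewall.
#
# Every filter chain defaults to DROP. The host itself accepts replies to
# its own connections, loopback, new SSH connections on the external
# interface, and any new connection arriving on that interface from one
# trusted MAC address. It forwards new connections only when they arrive
# on the external interface from that same MAC, and rewrites the source
# address of forwarded traffic from the LAN network leaving through the
# external interface (SNAT).
#
# Environment (optional):
#   WAN_IF     external interface (default: eth0)
#   SSH_PORT   TCP port accepted for new inbound connections (default: 22)
#   ADMIN_MAC  MAC address trusted for INPUT and FORWARD. The default is
#              the original lab's placeholder xx:xx:xx:xx:xx:xx, which
#              iptables rejects as an address; set a real value before use.
#   LAN_NET    source network whose forwarded traffic is SNATed
#              (default: 192.168.1.0/24)
#   SNAT_IP    address written into SNATed packets (default: the lab's
#              placeholder 100.100.100.100; use the host's real external IP)
#
# Notes:
#   - This script does not touch /proc/sys/net/ipv4/ip_forward; the kernel
#     only forwards when IPv4 forwarding is enabled there.
#   - A MAC address identifies a machine but does not authenticate it;
#     the `--mac-source` rules are an access hint on a trusted segment,
#     not a substitute for authentication on the services they expose.
#   - Requires root (CAP_NET_ADMIN).

wan_if="${WAN_IF:-eth0}"
ssh_port="${SSH_PORT:-22}"
admin_mac="${ADMIN_MAC:-xx:xx:xx:xx:xx:xx}"
lan_net="${LAN_NET:-192.168.1.0/24}"
snat_ip="${SNAT_IP:-100.100.100.100}"

# Resetting filter table; DROP policies go in before any ACCEPT rule so a
# failure later in the script leaves the host closed rather than open.
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP

# Resetting nat table; built-in nat chains stay at ACCEPT.
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT

# Allowing tracked traffic (replies and related packets) in all three
# chains; FORWARD needs it too, otherwise return traffic of forwarded
# connections would hit the DROP policy.
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state RELATED --jump ACCEPT

# Allowing loopback
iptables --table filter --append INPUT --match state --state NEW --in-interface lo --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state NEW --out-interface lo --jump ACCEPT

# Allowing incoming to this host: SSH from anyone on the external
# interface, and anything (any protocol, any port) from the trusted MAC.
iptables --table filter --append INPUT --match state --state NEW --in-interface "$wan_if" --protocol tcp --destination-port "$ssh_port" --jump ACCEPT
iptables --table filter --append INPUT --match state --state NEW --in-interface "$wan_if" --match mac --mac-source "$admin_mac" --jump ACCEPT

# Allowing outgoing from this host
iptables --table filter --append OUTPUT --match state --state NEW --out-interface "$wan_if" --jump ACCEPT

# Allowing forwarding: new connections arriving on the external interface
# from the trusted MAC only. No --out-interface is given, so they may leave
# through any interface.
iptables --table filter --append FORWARD --match state --state NEW --in-interface "$wan_if" --match mac --mac-source "$admin_mac" --jump ACCEPT

# Source NAT: forwarded packets from the LAN network leaving through the
# external interface get their source rewritten to snat_ip.
iptables --table nat --append POSTROUTING --out-interface "$wan_if" --source "$lan_net" --jump SNAT --to-source "$snat_ip"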