Computer networks -- 2007-2008 -- info.uvt.ro/Laboratory 12
Firewalls
- concepts:
- connection tracking;
- connection state;
- tables;
- chains;
- default policy;
- interfaces;
- actions;
- matching modules:
- state;
- mac;
- tcp, udp;
- links:
- wikipedia:Firewall (networking) -- introductory;
- wikipedia:Netfilter/iptables -- Linux firewall system;
- wikipedia:Ipfirewall -- FreeBSD firewall system;
- iptables man page;
Firewall front-ends
- 101 FreeBSD Ipfw resources
- wikipedia:Shorewall
- wikipedia:FireHOL
- Firewall Builder
- dwall
- Firestarter
- KMyFirewall
- Abyle
- Fiaif
- ferm
- Guarddog
- HLFL
- ipkungfu
- Knetfilter
- Lokkit
- Pyroman
Iptables examples
[edit]Strict firewall
#!/bin/bash
# Strict host firewall: every packet is dropped unless a rule below accepts it.
# Run it from the console: between the DROP policy and the ESTABLISHED rule an
# SSH session stalls for a moment (its packets are dropped until the rule exists).
# Loading modules (the state match loads connection tracking on first use)
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
# Resetting filter table: flush rules, remove user chains, zero counters,
# then set the default policy of the three built-in chains to DROP
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP
# Resetting nat table (no NAT rules are added here, so its policies stay ACCEPT)
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT
# Configuring filter table (rules are checked in order; the first match decides)
## Allowing established: packets of connections conntrack has already seen in both directions
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
## Allowing related: new connections conntrack ties to an existing one (FTP data, ICMP errors)
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
## Allowing loopback: local services talking to each other
iptables --table filter --append INPUT --in-interface lo --match state --state NEW --jump ACCEPT
iptables --table filter --append OUTPUT --out-interface lo --match state --state NEW --jump ACCEPT
## Allowing outgoing: any new connection this host opens through eth0
iptables --table filter --append OUTPUT --out-interface eth0 --match state --state NEW --jump ACCEPT
## Allowing incoming: only new SSH connections on eth0; everything else falls to the DROP policy
iptables --table filter --append INPUT --in-interface eth0 --protocol tcp --destination-port 22 --match state --state NEW --jump ACCEPT
Simple router + NAT firewall
#!/bin/bash
# Router + NAT: this host forwards traffic for 192.168.1.0/24 and rewrites it to 100.100.100.100.
# The FORWARD chain only sees packets when IP forwarding is enabled in the kernel
sysctl -w net.ipv4.ip_forward=1
# Reset filter table, default policy DROP on all three chains
iptables --table filter --flush
iptables --table filter --delete-chain
iptables --table filter --zero
iptables --table filter --policy INPUT DROP
iptables --table filter --policy OUTPUT DROP
iptables --table filter --policy FORWARD DROP
# Reset nat table; its chains only rewrite addresses, filtering is done in the filter table
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --zero
iptables --table nat --policy PREROUTING ACCEPT
iptables --table nat --policy POSTROUTING ACCEPT
iptables --table nat --policy OUTPUT ACCEPT
# Replies of tracked connections, for local and for forwarded traffic
iptables --table filter --append INPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append INPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state RELATED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state ESTABLISHED --jump ACCEPT
iptables --table filter --append FORWARD --match state --state RELATED --jump ACCEPT
# Loopback
iptables --table filter --append INPUT --match state --state NEW --in-interface lo --jump ACCEPT
iptables --table filter --append OUTPUT --match state --state NEW --out-interface lo --jump ACCEPT
# New connections to this host on eth0: SSH from anyone, anything from one trusted MAC
# (put the real address in place of xx:xx:xx:xx:xx:xx; a MAC match only works for hosts
# on the directly attached segment, the source MAC of routed packets is the router's)
iptables --table filter --append INPUT --match state --state NEW --in-interface eth0 --protocol tcp --destination-port 22 --jump ACCEPT
iptables --table filter --append INPUT --match state --state NEW --in-interface eth0 --match mac --mac-source xx:xx:xx:xx:xx:xx --jump ACCEPT
# New connections opened by this host
iptables --table filter --append OUTPUT --match state --state NEW --out-interface eth0 --jump ACCEPT
# Forwarding: new connections are accepted only from the trusted MAC arriving on eth0
iptables --table filter --append FORWARD --match state --state NEW --in-interface eth0 --match mac --mac-source xx:xx:xx:xx:xx:xx --jump ACCEPT
# Source NAT: packets from the LAN leaving eth0 get the public address; conntrack
# undoes the rewrite on the replies, which is why no rule for the return direction is needed
iptables --table nat --append POSTROUTING --out-interface eth0 --source 192.168.1.0/24 --jump SNAT --to-source 100.100.100.100
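The two scripts above apply their rules one command at a time, so the policies are already DROP while the ESTABLISHED/RELATED rules do not exist yet, and a typo in a later line leaves the box half configured. The following script is an added example, not part of the lab page: it generates the same "strict firewall" and "router + NAT" rule sets (tables, chains, default policies, state matches) in iptables-restore format, loads them atomically, and reverts to the previous rules after a grace period unless the new rules are confirmed from a session that still works. Assumptions made here and not taken from the page: a separate LAN-facing interface (LAN_IF) in router mode, where the page names only eth0; a source-network match in FORWARD instead of the page's MAC match; the variable names and the confirm-marker path.

```shell
#!/bin/sh
# Added example for the lab's two iptables rule sets; not the lab's own script.
# Builds one iptables-restore file (loaded atomically, so the DROP policy and the
# ESTABLISHED rule take effect together) and applies it with a rollback timer.
# Assumed (not from the page): LAN_IF/LAN_NET for router mode, FW_CONFIRM path.
set -eu

IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
CONFIRM="${FW_CONFIRM:-/run/fw-confirm}"   # assumed marker file, created by 'confirm'

# build_ruleset MODE WAN_IF SSH_PORT [LAN_IF LAN_NET SNAT_IP]
#   host   -> strict firewall: policy DROP everywhere, conntrack replies,
#             loopback, any outbound NEW, inbound NEW only for SSH
#   router -> the same plus FORWARD for LAN->WAN and SNAT in the nat table
# Prints the rule set on stdout; nothing is applied here.
build_ruleset() {
    mode=$1; wan=$2; ssh_port=$3
    lan=${4:-}; lan_net=${5:-}; snat_ip=${6:-}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -o $wan -m state --state NEW -j ACCEPT
-A INPUT -i $wan -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
EOF
    if [ "$mode" = router ]; then
        cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
EOF
    fi
    echo COMMIT
    if [ "$mode" = router ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j SNAT --to-source $snat_ip
COMMIT
EOF
    fi
}

# apply_ruleset MODE FILE GRACE: save the live rules, load FILE atomically and
# restore the saved rules after GRACE seconds unless confirm_ruleset ran meanwhile.
apply_ruleset() {
    mode=$1; file=$2; grace=$3
    backup=$(mktemp)
    "$IPT_SAVE" > "$backup"
    rm -f "$CONFIRM"
    if [ "$mode" = router ]; then
        sysctl -w net.ipv4.ip_forward=1   # the FORWARD chain sees nothing otherwise
    fi
    "$IPT_RESTORE" < "$file"
    (
        sleep "$grace"
        if [ -e "$CONFIRM" ]; then
            rm -f "$CONFIRM" "$backup"
        else
            "$IPT_RESTORE" < "$backup" && rm -f "$backup"
        fi
    ) &
    echo "rules loaded; run '$0 confirm' within ${grace}s or they roll back"
}

confirm_ruleset() { touch "$CONFIRM"; }

# Defaults follow the lab's values; LAN_IF is an assumption of this example.
ruleset() {
    build_ruleset "${FW_MODE:-host}" "${WAN_IF:-eth0}" "${SSH_PORT:-22}" \
        "${LAN_IF:-eth1}" "${LAN_NET:-192.168.1.0/24}" "${SNAT_IP:-100.100.100.100}"
}

case "${1:-print}" in
    print)   ruleset ;;
    apply)   f=$(mktemp); ruleset > "$f"; apply_ruleset "${FW_MODE:-host}" "$f" "${GRACE:-60}"; rm -f "$f" ;;
    confirm) confirm_ruleset ;;
esac
```

Usage: `./fw.sh` prints the host rule set for review, `FW_MODE=router ./fw.sh apply` loads the router rules as root, and `./fw.sh confirm` from a new SSH session keeps them; if that new session cannot be opened, the old rules come back by themselves after the grace period.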