
1 LINUX® Netfilter The Linux Firewall Engine

2 Overview
LINUX® Netfilter is a firewall engine built into the Linux kernel
Sometimes called “iptables” after the command-line tool used to configure Netfilter

3 Constructs
Netfilter makes use of the following constructs to define firewall policy:
– Table
– Chain
– Rule
– Target

4 Tables
Tables contain Chains
There are currently four (4) tables used by Netfilter:
– raw
– mangle
– nat
– filter
The default table is filter (the filter and nat tables are the most commonly used)

5 Chains
Chains contain Rules
Chains can be user-defined
There are default chains associated with each table:
– PREROUTING
– INPUT
– FORWARD
– OUTPUT
– POSTROUTING
The filter table only has INPUT, FORWARD, and OUTPUT. The nat table has PREROUTING and POSTROUTING

6 Chains (Cont)
INPUT chain filters packets routed to the OS
FORWARD chain filters packets routed through the OS
OUTPUT chain filters packets sent from the OS
When working with a host firewall we use the INPUT chain
When working with a network firewall we use the FORWARD chain

7 Rules
Rules within a chain are evaluated sequentially
A rule defines which packets it applies to (a match) and the action to take (a target)
Example: Match packets from 192.168.0.13 and DROP

8 Targets
A target is an action taken on a packet that is matched by a rule
A target can be a user-defined chain (which is useful if you want to perform more than one action on matched traffic)
Common targets:
– ACCEPT
– DROP
– REJECT
– LOG
Each chain has a default policy which is applied in the event no rule is matched. The default policy can be ACCEPT, REJECT, or DROP
By default, the default policy for a chain is ACCEPT

9 Packet Flow
Packets flow through the tables and chains in a precise way
Within a chain, each rule is evaluated sequentially until a match is found and an action (target) is taken

10 (Packet flow diagram; the image is not included in the transcript)

11 Connection Tracking
To provide Stateful Packet Inspection (SPI) we need a way to track the state of packets
Netfilter implements this through connection tracking
For all traffic that flows through Netfilter the state of a packet is kept
Common states:
– NEW
– ESTABLISHED
– RELATED

12 Stateful Packet Inspection
Common practice is to block all incoming requests by default
Allow all outgoing requests by default
But how do we allow the return traffic? By matching against packet state
Commonly implemented as: Match state RELATED,ESTABLISHED, target ACCEPT
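The following is an added example and not code from the presentation: a POSIX shell script that emits a host-firewall policy for the filter table in iptables-restore format, putting together the constructs from slides 3 to 12 (chains, rules, targets, a user-defined chain used as a target, a default policy, and a conntrack state match for return traffic) and the match types from slide 15 (source network, protocol and destination port). The LAN network, ports and interface names are constructed values; the script only prints the policy and does not touch the running firewall.

```sh
#!/bin/sh
# Added example (not from the presentation). Builds a filter-table policy for
# a host firewall in iptables-restore format. Nothing is applied: the output
# must be piped into iptables-restore by hand (see the usage note).
# Addresses and ports below are constructed for the example.

LAN_NET="192.168.0.0/24"     # assumed trusted LAN (constructed value)
BLOCKED_HOST="192.168.0.13"  # the host from the slide 7 example rule
SSH_PORT=22
WEB_PORT=80

# Print the complete filter-table policy for a host firewall.
host_firewall_ruleset() {
    cat <<EOF
*filter
# Default policies: drop inbound traffic no rule allowed, drop forwarding
# (this is a host, not a router), allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# A user-defined chain used as a target: two actions (LOG, then DROP) for one match.
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A LOG_DROP -j DROP
# Rules are evaluated in order; the first match decides.
-A INPUT -i lo -j ACCEPT
# Slide 7: match packets from 192.168.0.13 and DROP. Placed before the
# ESTABLISHED rule so that connections this host already has open are cut
# too; after it, they would keep matching ESTABLISHED until conntrack expires them.
-A INPUT -s ${BLOCKED_HOST} -j DROP
# Stateful packet inspection: admit return traffic for connections we started.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection and are not a valid start of one.
-A INPUT -m conntrack --ctstate INVALID -j LOG_DROP
# Match by source network, protocol and destination port (slide 15).
-A INPUT -s ${LAN_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${WEB_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Everything else is logged and dropped; the DROP policy is the safety net.
-A INPUT -j LOG_DROP
COMMIT
EOF
}

# Number of rules (-A lines) in the generated policy.
rule_count() {
    host_firewall_ruleset | grep -c '^-A'
}

host_firewall_ruleset
```

To load the policy on a host, run `host_firewall_ruleset | sudo iptables-restore` (iptables-restore replaces the filter table atomically, which is why the whole table is emitted rather than a series of `iptables -A` calls) and inspect the result with `iptables-save`. Note that iptables accepts only ACCEPT or DROP as the policy of a built-in chain, so a reject-everything-else behaviour is expressed as a final rule such as `-A INPUT -j REJECT` rather than as the chain policy.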

13 NAT
Network Address Translation
Re-writing of source and destination IP addresses in packets
Implemented in Netfilter as targets in the nat table
Types of NAT:
– SNAT (Source NAT)
– DNAT (Destination NAT)
– MASQUERADE (SNAT by interface instead of IP)

14 NAT (Cont)
DHCP on WAN interface: MASQ
Static IP for NAT: SNAT
Port Forwarding: DNAT
One-to-One NAT: SNAT and DNAT for a single IP (Note: incoming traffic must be allowed in the FORWARD chain)

15 Packet Matching
When creating rules for IP it's most common to match by:
– Source Address (or Network)
– Destination Address (or Network)
– Protocol and Destination Port (example: TCP port 80)
This requires that you understand the traffic you’re attempting to create a rule for

16 Advanced Topics
The mangle table can be used to change packet properties (such as TTL or QoS tagging)
It can also be used to mark packets so that Linux can match traffic for routing or QoS policy
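An added example for the mangle table, not part of the presentation: the script emits rules that set a firewall mark on selected traffic (for policy routing or a traffic-control class to act on), tag marked packets with a DSCP value, and rewrite the TTL of forwarded packets. The interface name, ports and mark values are constructed; the script only prints the rules.

```sh
#!/bin/sh
# Added example (not from the presentation): mangle-table rules in
# iptables-restore format. Nothing is applied by this script.
# Interface, ports and mark values are constructed for the example.

LAN_IF="eth1"
MARK_VOIP=0x10   # constructed mark: traffic to steer out a dedicated uplink
MARK_BULK=0x20   # constructed mark: traffic a tc class should rate-limit

mangle_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Marking in PREROUTING happens before the routing decision, so a policy
# routing rule (ip rule ... fwmark) can pick a different routing table.
-A PREROUTING -i ${LAN_IF} -p udp --dport 5060 -j MARK --set-mark ${MARK_VOIP}
# Mark bulk transfers (rsync here) so a tc filter can match on the mark.
-A PREROUTING -i ${LAN_IF} -p tcp --dport 873 -j MARK --set-mark ${MARK_BULK}
# QoS tagging: the mark is kernel-internal, the DSCP value is what goes on the wire.
-A POSTROUTING -m mark --mark ${MARK_VOIP} -j DSCP --set-dscp-class EF
# Change a packet property: set the TTL of every forwarded packet to 64.
-A FORWARD -j TTL --ttl-set 64
COMMIT
EOF
}

mangle_ruleset
```

The mark only has an effect once something consumes it: for routing, `ip rule add fwmark 0x10 table 10` followed by a default route in table 10 sends marked traffic out the chosen uplink; for QoS, a `tc filter ... handle 0x20 fw` matches the bulk mark. Marks never leave the host, whereas the DSCP class and the rewritten TTL do, so the latter two are the parts visible to the rest of the network.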

17 More Reading
Oskar Andreasson’s Iptables How-To
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
