SlideShare une entreprise Scribd logo

Introduction to firewalls through Iptables

Bud Siddhisena
Bud Siddhisena

A quick intro into Firewalls through iptables found in any GNU/Linux system

Technologie
1  sur  18
Télécharger pour lire hors ligne
Introduction to Firewalls through Linux iptables By: Buddhika Siddhisena <bud@thinkcube.com> Co-Founder & CTO, THINKCube, Avid FOSS advocate
What is a firewall? ● Network barrier ● Packet filtering ● Packet Mangling (NAT)
Firewall Usage ● Personal Firewall ● Multi-homed (DMZ) Firewall ● Router Firewall ● Internet connection sharing (NAT) ● Transparent Proxying ● Content filtering ● Poor-mans load balancer ● Internet Hotspots
What is iptables? ● Linux's built in firewall ● Successor to ipchains ● Organizes several chains into tables, hence iptables ● Consists of Userspace tool (iptables) and kernel drivers
A table of Chains Filter Table (default) INPUT FORWARD OUTPUT NAT Table PREROUTING INPUT OUTPUT POSTROUTING Mangle Table PREROUTING INPUT OUTPUT FORWARD POSTROUTING X Table (user defined) ● INPUT – Packets entering an interface and destined to a local process. ● FORWARD – Only packets routed from one interface to another. ● OUTPUT – Packets leaving an interface which originated from a local process. ● PREROUTING – Before deciding to use INPUT or FORWARD. DNAT is configured here. ● POSTROUTING – After OUTPUT or FORWARD but before leaving interface. SNAT is configured here.
A Chain of Rules INPUT CHAIN Rule 1 Rule 2 X Jump to Action! Rule 3 Refer to Default Policy
Chain Order PREROUTING POSTROUTING Chain FORWARD Chain (Pre-routing Chain (Post routing Decisions) Decisions) INPUT OUTPUT Chain Chain Local Process
Security Policy Block everyone Allow everyone by default by default (default policy:DROP) (default policy:ACCEPT) White Black Listing Listing Sorry! Bang! Can't let Bang! (REJECT) (DROP) Best security is when you.. ●Trust no one ● Make it un economical
Using iptables Synopsis iptables [table] [action] [chain] [option] [target] table – {filter, nat, mangle} action – {-A (add), -D (delete), -R (replace)} chain – {INPUT, FORWARD, OUTPUT etc.} options - {-s(source), -d(destination), --sport(source port, --dport(destination port), -m (module), --sync (sync packed) etc.} target – {ACCEPT, DROP, REJECT, MASQUERADE, DNAT etc.}
Basic Usage iptables -L // List all rules for filter table iptables -t nat -L // List all rules for nat table iptables -F // Flush (clear) all rules of all chains iptables -F INPUT // Flush all rules for INPUT chain iptables -P INPUT DROP // Set default policy of INPUT
Filtering Soure IP: 192.168.1.80 Source Port: 80 Dest IP: 192.168.2.10 Dest Port: X? Soure IP: 192.168.2.10 Source Port: X? Dest IP: 192.168.1.80 Dest Port: 80 iptables -P INPUT DROP // Drop (block) everything iptables -P OUTPUT DROP iptables -A INPUT -p tcp --dport 80 -j ACCEPT // Only allow http iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT // allow packet to go out
Filtering Examples // Allow ping iptables -A INPUT -p icmp -j ACCEPT // Allow all incoming tcp connections on interface eth0 to port 80 (www) iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 80 -j ACCEPT // Allow DNS iptables -A INPUT -p udp --dport 53 -j ACCEPT // Allow multiple ports for Email iptables -A INPUT -p tcp -m multiport --dport 25,110,143 -j ACCEPT // Allow a MAC iptables -A INPUT -m mac --mac-source 00:02:8A:A1:71:71 -j ACCEPT
Connection Tracking Soure IP: 192.168.1.80 Source Port: 80 Dest IP: 192.168.2.10 Dest Port: X? Soure IP: 192.168.2.10 Source Port: X? Dest IP: 192.168.1.80 Dest Port: 80 // Allow http new and existing connections iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -j ACCEPT // Allow only existing connections to go out iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
No Action, Log only // Log Syn flooding iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j LOG --log-prefix “SYN flood: ”
Network Address Translation SNAT (Source) DNAT (Dest) Change source from Change destination from private to public IP public to pirvate IP ● Your ADSL Router ● DMZ setups ● Internet Connection ● Transparent Proxies Sharing ● Load balancers ● WiFi hotspots ● High availability ● IP Spoofing
NATing Examples // First enable ip forwarding echo 1 > /proc/sys/net/ipv4/ip_forward // Sharing internet (3G) iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE // Poor man's http load balancer iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.80:8080 // Transparent Proxy iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Persistence // Save rules iptables-save > /etc/iptables.conf // Restore rules iptables-restore < /etc/iptables.conf // If you have virtual service /etc/init.d/iptables [stop|start|save] // If you don't have virtual service to auto start add restore command to /etc/rc.local or any other bootup script
Thank You!

Recommandé

Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scalebrouer
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentalsram_b17
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
Iptables
IptablesIptables
Iptablesleminhvuong
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
IP tables
IP tablesIP tables
IP tablesaamodt
 

Recommandé

Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scalebrouer
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Iptables fundamentals
Iptables fundamentalsIptables fundamentals
Iptables fundamentalsram_b17
 
Iptables Configuration
Iptables ConfigurationIptables Configuration
Iptables Configurationstom123
 
Iptables
IptablesIptables
Iptablesleminhvuong
 
Fcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall NatFcsi601 Linux Firewall Nat
Fcsi601 Linux Firewall Natnarayannpp
 
Basics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesBasics of firewall, ebtables, arptables and iptables
Basics of firewall, ebtables, arptables and iptablesPrzemysław Piotrowski
 
IP tables
IP tablesIP tables
IP tablesaamodt
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall Syed fawad Gillani
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Ip tables
Ip tablesIp tables
Ip tablesnavid ashrafi
 
Understanding iptables
Understanding iptablesUnderstanding iptables
Understanding iptablesDenys Haryachyy
 
IPTABLES
IPTABLESIPTABLES
IPTABLESTan Huynh Cong
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2Nishanth Kumar Pathi
 
Router commands
Router commandsRouter commands
Router commandsLaura Lahbib
 
Cisco router command configuration overview
Cisco router command configuration overviewCisco router command configuration overview
Cisco router command configuration overview3Anetwork com
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTUMumbai University
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
CCNA Lab Guide
CCNA Lab GuideCCNA Lab Guide
CCNA Lab GuideSalachudin Emir
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1n|u - The Open Security Community
 
Cisco CCENT Cram Notes
Cisco CCENT Cram NotesCisco CCENT Cram Notes
Cisco CCENT Cram NotesVijayanand Yadla
 
11 module configuring novell ipx
11 module configuring novell ipx11 module configuring novell ipx
11 module configuring novell ipxAsif
 
Ccna icnd2-labs exercices
Ccna icnd2-labs exercicesCcna icnd2-labs exercices
Ccna icnd2-labs exercicessaqrjareh
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Fighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the RescueFighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the RescueSeshika Fernando
 
iptables
iptablesiptables
iptablesAlexander Gerasiov
 
Snort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comSnort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comphanleson
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 

Contenu connexe

Tendances

Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using IptablesAhmed Mekkawy
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Cisco router command configuration overview
Cisco router command configuration overviewCisco router command configuration overview
Cisco router command configuration overview3Anetwork com
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTUMumbai University
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
11 module configuring novell ipx
11 module configuring novell ipx11 module configuring novell ipx
11 module configuring novell ipxAsif
 
Ccna icnd2-labs exercices
Ccna icnd2-labs exercicesCcna icnd2-labs exercices
Ccna icnd2-labs exercicessaqrjareh
 

Tendances (17)

Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Packet Filtering Using Iptables
Packet Filtering Using IptablesPacket Filtering Using Iptables
Packet Filtering Using Iptables
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
Ip tables
Ip tablesIp tables
Ip tables
 
Understanding iptables
Understanding iptablesUnderstanding iptables
Understanding iptables
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
 
IPTables Primer - Part 2
IPTables Primer - Part 2IPTables Primer - Part 2
IPTables Primer - Part 2
 
Router commands
Router commandsRouter commands
Router commands
 
Cisco router command configuration overview
Cisco router command configuration overviewCisco router command configuration overview
Cisco router command configuration overview
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTU
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
CCNA Lab Guide
CCNA Lab GuideCCNA Lab Guide
CCNA Lab Guide
 
IP Tables Primer - Part 1
IP Tables Primer - Part 1IP Tables Primer - Part 1
IP Tables Primer - Part 1
 
Cisco CCENT Cram Notes
Cisco CCENT Cram NotesCisco CCENT Cram Notes
Cisco CCENT Cram Notes
 
11 module configuring novell ipx
11 module configuring novell ipx11 module configuring novell ipx
11 module configuring novell ipx
 
Ccna icnd2-labs exercices
Ccna icnd2-labs exercicesCcna icnd2-labs exercices
Ccna icnd2-labs exercices
 

En vedette

25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Fighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the RescueFighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the RescueSeshika Fernando
 
Snort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comSnort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comphanleson
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 

En vedette (8)

25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
 
Fighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the RescueFighting Identity Theft: Big Data Analytics to the Rescue
Fighting Identity Theft: Big Data Analytics to the Rescue
 
iptables
iptablesiptables
iptables
 
Snort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.comSnort it-slideshares.blogspot.com
Snort it-slideshares.blogspot.com
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Projet IPTable
Projet IPTableProjet IPTable
Projet IPTable
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 

Similaire à Introduction to firewalls through Iptables

How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1n|u - The Open Security Community
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.pptcemporku
 
CCNA_LAB_MANUAL_part1.pptx
CCNA_LAB_MANUAL_part1.pptxCCNA_LAB_MANUAL_part1.pptx
CCNA_LAB_MANUAL_part1.pptxSanathKumarV3
 
Complete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingComplete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingChanaka Lasantha
 
Athenticated smaba server config with open vpn
Athenticated smaba server config with open vpnAthenticated smaba server config with open vpn
Athenticated smaba server config with open vpnChanaka Lasantha
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorialannik147
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examplesTeja Bheemanapally
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricksJim MacLeod
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands OverviewMuhammed Niyas
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntaxguestcc37e8c
 
Reducing iptables configuration complexity using chains
Reducing iptables configuration complexity using chainsReducing iptables configuration complexity using chains
Reducing iptables configuration complexity using chainsDieter Adriaenssens
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesterscamsec
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 

Similaire à Introduction to firewalls through Iptables (20)

How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.ppt
 
CCNA_LAB_MANUAL_part1.pptx
CCNA_LAB_MANUAL_part1.pptxCCNA_LAB_MANUAL_part1.pptx
CCNA_LAB_MANUAL_part1.pptx
 
Complete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac bindingComplete squid &amp; firewall configuration. plus easy mac binding
Complete squid &amp; firewall configuration. plus easy mac binding
 
Athenticated smaba server config with open vpn
Athenticated smaba server config with open vpnAthenticated smaba server config with open vpn
Athenticated smaba server config with open vpn
 
Linux internet server security and configuration tutorial
Linux internet server security and configuration tutorialLinux internet server security and configuration tutorial
Linux internet server security and configuration tutorial
 
Ip6 tables in linux
Ip6 tables in linuxIp6 tables in linux
Ip6 tables in linux
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricks
 
Router Commands Overview
Router Commands OverviewRouter Commands Overview
Router Commands Overview
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntax
 
Reducing iptables configuration complexity using chains
Reducing iptables configuration complexity using chainsReducing iptables configuration complexity using chains
Reducing iptables configuration complexity using chains
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Ccna Imp Guide
Ccna Imp GuideCcna Imp Guide
Ccna Imp Guide
 
03 linuxfirewall1
03 linuxfirewall103 linuxfirewall1
03 linuxfirewall1
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 

Plus de Bud Siddhisena

Building apis that don’t suck!
Building apis that don’t suck!Building apis that don’t suck!
Building apis that don’t suck!Bud Siddhisena
 
Why should you android (archived)
Why should you android (archived)Why should you android (archived)
Why should you android (archived)Bud Siddhisena
 
Virtualization, The future of computing (archived)
Virtualization, The future of computing (archived)Virtualization, The future of computing (archived)
Virtualization, The future of computing (archived)Bud Siddhisena
 
Building the Next big thing (archived)
Building the Next big thing (archived)Building the Next big thing (archived)
Building the Next big thing (archived)Bud Siddhisena
 
GNU/Linux for a better home (archived)
GNU/Linux for a better home (archived)GNU/Linux for a better home (archived)
GNU/Linux for a better home (archived)Bud Siddhisena
 
Recipe of a linux Live CD (archived)
Recipe of a linux Live CD (archived)Recipe of a linux Live CD (archived)
Recipe of a linux Live CD (archived)Bud Siddhisena
 
Gaming on linux (archived)
Gaming on linux (archived)Gaming on linux (archived)
Gaming on linux (archived)Bud Siddhisena
 
FOSS in Sri Lanka (archived)
FOSS in Sri Lanka (archived)FOSS in Sri Lanka (archived)
FOSS in Sri Lanka (archived)Bud Siddhisena
 
Contributing to FOSS (archived)
Contributing to FOSS (archived)Contributing to FOSS (archived)
Contributing to FOSS (archived)Bud Siddhisena
 
Choosing your GNU/Linux distribution (archived)
Choosing your GNU/Linux distribution (archived)Choosing your GNU/Linux distribution (archived)
Choosing your GNU/Linux distribution (archived)Bud Siddhisena
 
Beyond desktop/server with GNU/Linux (archived)
Beyond desktop/server with GNU/Linux (archived)Beyond desktop/server with GNU/Linux (archived)
Beyond desktop/server with GNU/Linux (archived)Bud Siddhisena
 
Opensource opportunity
Opensource opportunityOpensource opportunity
Opensource opportunityBud Siddhisena
 
Scale Apache with Nginx
Scale Apache with NginxScale Apache with Nginx
Scale Apache with NginxBud Siddhisena
 
Secure your IT infrastructure with GNU/Linux
Secure your IT infrastructure with GNU/LinuxSecure your IT infrastructure with GNU/Linux
Secure your IT infrastructure with GNU/LinuxBud Siddhisena
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and CompilationBud Siddhisena
 

Plus de Bud Siddhisena (20)

JIT qa-docker
JIT qa-dockerJIT qa-docker
JIT qa-docker
 
Building apis that don’t suck!
Building apis that don’t suck!Building apis that don’t suck!
Building apis that don’t suck!
 
Why should you android (archived)
Why should you android (archived)Why should you android (archived)
Why should you android (archived)
 
Virtualization, The future of computing (archived)
Virtualization, The future of computing (archived)Virtualization, The future of computing (archived)
Virtualization, The future of computing (archived)
 
Building the Next big thing (archived)
Building the Next big thing (archived)Building the Next big thing (archived)
Building the Next big thing (archived)
 
GNU/Linux for a better home (archived)
GNU/Linux for a better home (archived)GNU/Linux for a better home (archived)
GNU/Linux for a better home (archived)
 
Recipe of a linux Live CD (archived)
Recipe of a linux Live CD (archived)Recipe of a linux Live CD (archived)
Recipe of a linux Live CD (archived)
 
Gaming on linux (archived)
Gaming on linux (archived)Gaming on linux (archived)
Gaming on linux (archived)
 
FOSS in Sri Lanka (archived)
FOSS in Sri Lanka (archived)FOSS in Sri Lanka (archived)
FOSS in Sri Lanka (archived)
 
Contributing to FOSS (archived)
Contributing to FOSS (archived)Contributing to FOSS (archived)
Contributing to FOSS (archived)
 
Choosing your GNU/Linux distribution (archived)
Choosing your GNU/Linux distribution (archived)Choosing your GNU/Linux distribution (archived)
Choosing your GNU/Linux distribution (archived)
 
Beyond desktop/server with GNU/Linux (archived)
Beyond desktop/server with GNU/Linux (archived)Beyond desktop/server with GNU/Linux (archived)
Beyond desktop/server with GNU/Linux (archived)
 
UX talk
UX talkUX talk
UX talk
 
Opensource opportunity
Opensource opportunityOpensource opportunity
Opensource opportunity
 
Remembering steve
Remembering steveRemembering steve
Remembering steve
 
Scale Apache with Nginx
Scale Apache with NginxScale Apache with Nginx
Scale Apache with Nginx
 
FOSS and Security
FOSS and SecurityFOSS and Security
FOSS and Security
 
Secure your IT infrastructure with GNU/Linux
Secure your IT infrastructure with GNU/LinuxSecure your IT infrastructure with GNU/Linux
Secure your IT infrastructure with GNU/Linux
 
Kernel Configuration and Compilation
Kernel Configuration and CompilationKernel Configuration and Compilation
Kernel Configuration and Compilation
 
Foss Gadgematics
Foss GadgematicsFoss Gadgematics
Foss Gadgematics
 

Dernier

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Dernier (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Introduction to firewalls through Iptables

  • 1. Introduction to Firewalls through Linux iptables By: Buddhika Siddhisena <bud@thinkcube.com> Co-Founder & CTO, THINKCube, Avid FOSS advocate
  • 2. What is a firewall? ● Network barrier ● Packet filtering ● Packet Mangling (NAT)
  • 3. Firewall Usage ● Personal Firewall ● Multi-homed (DMZ) Firewall ● Router Firewall ● Internet connection sharing (NAT) ● Transparent Proxying ● Content filtering ● Poor-mans load balancer ● Internet Hotspots
  • 4. What is iptables? ● Linux's built in firewall ● Successor to ipchains ● Organizes several chains into tables, hence iptables ● Consists of Userspace tool (iptables) and kernel drivers
  • 5. A table of Chains Filter Table (default) INPUT FORWARD OUTPUT NAT Table PREROUTING INPUT OUTPUT POSTROUTING Mangle Table PREROUTING INPUT OUTPUT FORWARD POSTROUTING X Table (user defined) ● INPUT – Packets entering an interface and destined to a local process. ● FORWARD – Only packets routed from one interface to another. ● OUTPUT – Packets leaving an interface which originated from a local process. ● PREROUTING – Before deciding to use INPUT or FORWARD. DNAT is configured here. ● POSTROUTING – After OUTPUT or FORWARD but before leaving interface. SNAT is configured here.
  • 6. A Chain of Rules INPUT CHAIN Rule 1 Rule 2 X Jump to Action! Rule 3 Refer to Default Policy
  • 7. Chain Order PREROUTING POSTROUTING Chain FORWARD Chain (Pre-routing Chain (Post routing Decisions) Decisions) INPUT OUTPUT Chain Chain Local Process
  • 8. Security Policy Block everyone Allow everyone by default by default (default policy:DROP) (default policy:ACCEPT) White Black Listing Listing Sorry! Bang! Can't let Bang! (REJECT) (DROP) Best security is when you.. ●Trust no one ● Make it un economical
  • 9. Using iptables Synopsis iptables [table] [action] [chain] [option] [target] table – {filter, nat, mangle} action – {-A (add), -D (delete), -R (replace)} chain – {INPUT, FORWARD, OUTPUT etc.} options - {-s(source), -d(destination), --sport(source port, --dport(destination port), -m (module), --sync (sync packed) etc.} target – {ACCEPT, DROP, REJECT, MASQUERADE, DNAT etc.}
  • 10. Basic Usage iptables -L // List all rules for filter table iptables -t nat -L // List all rules for nat table iptables -F // Flush (clear) all rules of all chains iptables -F INPUT // Flush all rules for INPUT chain iptables -P INPUT DROP // Set default policy of INPUT
  • 11. Filtering Soure IP: 192.168.1.80 Source Port: 80 Dest IP: 192.168.2.10 Dest Port: X? Soure IP: 192.168.2.10 Source Port: X? Dest IP: 192.168.1.80 Dest Port: 80 iptables -P INPUT DROP // Drop (block) everything iptables -P OUTPUT DROP iptables -A INPUT -p tcp --dport 80 -j ACCEPT // Only allow http iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT // allow packet to go out
  • 12. Filtering Examples // Allow ping iptables -A INPUT -p icmp -j ACCEPT // Allow all incoming tcp connections on interface eth0 to port 80 (www) iptables -A INPUT -i eth0 -p tcp --sport 1024: --dport 80 -j ACCEPT // Allow DNS iptables -A INPUT -p udp --dport 53 -j ACCEPT // Allow multiple ports for Email iptables -A INPUT -p tcp -m multiport --dport 25,110,143 -j ACCEPT // Allow a MAC iptables -A INPUT -m mac --mac-source 00:02:8A:A1:71:71 -j ACCEPT
  • 13. Connection Tracking Soure IP: 192.168.1.80 Source Port: 80 Dest IP: 192.168.2.10 Dest Port: X? Soure IP: 192.168.2.10 Source Port: X? Dest IP: 192.168.1.80 Dest Port: 80 // Allow http new and existing connections iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 80 -j ACCEPT // Allow only existing connections to go out iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
  • 14. No Action, Log only // Log Syn flooding iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j LOG --log-prefix “SYN flood: ”
  • 15. Network Address Translation SNAT (Source) DNAT (Dest) Change source from Change destination from private to public IP public to pirvate IP ● Your ADSL Router ● DMZ setups ● Internet Connection ● Transparent Proxies Sharing ● Load balancers ● WiFi hotspots ● High availability ● IP Spoofing
  • 16. NATing Examples // First enable ip forwarding echo 1 > /proc/sys/net/ipv4/ip_forward // Sharing internet (3G) iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE // Poor man's http load balancer iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.80:8080 // Transparent Proxy iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  • 17. Persistence // Save rules iptables-save > /etc/iptables.conf // Restore rules iptables-restore < /etc/iptables.conf // If you have virtual service /etc/init.d/iptables [stop|start|save] // If you don't have virtual service to auto start add restore command to /etc/rc.local or any other bootup script