Linux – Routing and Firewall for beginners
sriram@belenix.org
@sriramnrn
Agenda
• Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (demo, troubleshooting and exercises)
• Firewalls (demo, troubleshooting and exercises)
What we should have achieved today
• This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basic firewall administration
• What I haven’t tried in today’s infra
• Asymmetric routing
• We won’t be covering today:
• LARTC (Linux Advanced Routing and Traffic Control)
• QoS
• Policy Based Routing
• VPNs
Setup
• Download and extract iptables.zip from
https://www.dropbox.com/s/6ef1nfdplliao30/iptables.zip
• Change into the iptables directory
• Run “vagrant up”
• This will download a 350 MB file from the vagrant cloud.
Working with the infrastructure
• Vagrant up, halt, destroy
• Vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your work via puppet
Some network basics
• Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat
Getting started with routing
• From your laptop to the various individual boxes
• Print the route table
• Within each box
• Print the route table
• What have we discovered? Draw a diagram.
• Explore the Virtual Box settings and validate the diagram
• Which IPs are you able to ping? From where?
• Why is the ping working?
• Why is the traceroute working?
Before we set up a route
• ssh to “office”
• From “office”, ssh to “router”.
• From “router”, ssh to “dmz”
• Why is this working?
Setting up a direct route to further hops
• What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes, why?
• If no, what do you think is missing?
About routes and return routes
• One of the first lessons one learns!
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to office
• Does the ping work?
• We’ll look at SSH and traceroute next
• Persisting the route settings
When routes and return routes are not enough
• SSH and traceroute
• from office to dmz
• from dmz to office
• Do ssh and traceroute work?
• Coming up – packet forwarding
About packet forwarding
• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz to office
• Do ping, traceroute and ssh work?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting
Persisting packet forwarding settings
• /proc is temporary. Reboot and check! ;)
• Do ping, traceroute and ssh work?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf
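The route, return route and packet-forwarding steps above, as an added example that is not code from the deck. It assumes office on 10.0.1.0/24, dmz on 10.0.2.0/24 and a router holding 10.0.1.1 and 10.0.2.1 (constructed addresses; take the real ones from the route tables you printed), and a CentOS/RHEL-style box for the persistence paths.

```shell
#!/bin/sh
# Added example for the routing section; not code from the slide deck.
# Office and DMZ sit on different networks with "router" in between. All
# addresses below are assumptions for this lab.
set -eu

OFFICE_NET="10.0.1.0/24";  ROUTER_OFFICE_IP="10.0.1.1"   # router's office-side IP
DMZ_NET="10.0.2.0/24";     ROUTER_DMZ_IP="10.0.2.1"      # router's DMZ-side IP

# Run a command, or only print it when DRY_RUN=1, so you can review what a box
# would be told to do before touching its live route table.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# A route alone is not enough: "office" needs a route to the DMZ network and
# "dmz" needs the return route, or replies never make it back and ping fails.
routes_for() {   # routes_for office|dmz|router
    case "$1" in
        office) run ip route add "$DMZ_NET" via "$ROUTER_OFFICE_IP" ;;
        dmz)    run ip route add "$OFFICE_NET" via "$ROUTER_DMZ_IP" ;;
        router) enable_forwarding ;;
        *)      echo "unknown box: $1" >&2; return 1 ;;
    esac
}

# Routes and return routes still give no ssh or traceroute through the router
# until it forwards packets. The /proc value takes effect at once but is lost
# on reboot, so it is also persisted in /etc/sysctl.conf and reloaded.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1   # same as: echo 1 > /proc/sys/net/ipv4/ip_forward
    persist_forwarding /etc/sysctl.conf
    run sysctl -p                         # reload /etc/sysctl.conf
}

# Set net.ipv4.ip_forward = 1 in a sysctl.conf-style file: replace an existing
# line (even one that says 0) rather than appending a duplicate.
persist_forwarding() {   # persist_forwarding <path to sysctl.conf>
    conf="$1"; key='net.ipv4.ip_forward'
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "set '$key = 1' in $conf"; return 0; fi
    if [ -f "$conf" ] && grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = 1|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo "$key = 1" >> "$conf"
    fi
}

# Static routes on CentOS/RHEL-style boxes persist in
# /etc/sysconfig/network-scripts/route-<iface>, one "NET via GW" line each.
persist_route() {   # persist_route <route-file> <network/prefix> <gateway>
    grep -qF "$2 via $3" "$1" 2>/dev/null || echo "$2 via $3" >> "$1"
}

# Usage: sh routing.sh office|dmz|router   (prefix with DRY_RUN=1 to only print)
if [ $# -gt 0 ]; then routes_for "$1"; fi
```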
When both the sides have the same IP range
• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section
Some exercises
• One “office”, two DMZs
• Two “offices”, one DMZ
Questions
• Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
When we have the current configuration, is this “DMZ” a DMZ?
The need for a firewall
• Making a DMZ a DMZ
iptables and netfilter
• Netfilter – the kernel module
• Iptables – the command line tool
• service iptables status
• What do we see here?
iptables – getting around
• How and why does iptables startup?
• chkconfig
• Where the service script is located
• Turning iptables off
• temporarily
• permanently
• flushing the tables
• service iptables status
• What do we see here?
iptables – What are tables?
• View the Wikipedia diagram
iptables Rules – the basics
• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
iptables Rules – persisting
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads
Iptables – default policies
• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?
Iptables – logging packets
• How do we log a packet?
Iptables – allowing packets
• How do we allow a packet?
Iptables – dropping and rejecting packets
• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?
Iptables – Let’s make that DMZ a DMZ!
• What rules should we have?
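One answer to "what rules should we have?", covering the default policy, logging, allowing, and DROP versus REJECT from the preceding slides, as an added example (not the deck's own ruleset). The networks and the list of published DMZ ports are assumptions for the lab.

```shell
#!/bin/sh
# Added example for the firewall section; not code from the slide deck. A
# minimal FORWARD ruleset on "router" that turns the DMZ into a real DMZ.
# Networks and the published DMZ ports are assumptions for this lab.
set -eu

OFFICE_NET="10.0.1.0/24"
DMZ_NET="10.0.2.0/24"
DMZ_PORTS="22 8080"      # services office users may open towards the DMZ

# Run iptables, or only print the rule when DRY_RUN=1 so the ruleset can be
# reviewed (or compared with /etc/sysconfig/iptables) before it goes live.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

dmz_rules() {
    # Default policy DROP: anything the rules below do not accept is discarded.
    # Rules are matched top to bottom, so order matters.
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Replies belonging to a connection we already allowed may cross either way.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Office -> DMZ: only new connections to the published ports.
    for port in $DMZ_PORTS; do
        ipt -A FORWARD -s "$OFFICE_NET" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # DMZ -> office: a DMZ host must never initiate connections into the
    # office, whatever happens to it. Log first, then REJECT: the sender gets
    # an ICMP unreachable at once instead of the silent timeout a DROP gives.
    ipt -A FORWARD -s "$DMZ_NET" -d "$OFFICE_NET" -m state --state NEW \
        -j LOG --log-prefix "FWD-DMZ-TO-OFFICE: " --log-level 4
    ipt -A FORWARD -s "$DMZ_NET" -d "$OFFICE_NET" -m state --state NEW -j REJECT

    # Everything else is about to hit the DROP policy; log it, rate limited so
    # a flood of packets cannot fill /var/log/messages.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
}

# Running rules vanish on a flush or "service iptables restart" unless saved;
# "service iptables save" writes them to /etc/sysconfig/iptables, which the
# init script loads at boot.
persist_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "service iptables save"; else service iptables save; fi
}

# Usage: sh dmz.sh apply   (prefix with DRY_RUN=1 to only print the rules)
if [ "${1:-}" = apply ]; then dmz_rules; persist_rules; fi
```

Check the result on the router with `service iptables status` and watch `/var/log/messages` while you ssh from dmz to office: the LOG line appears and the client sees "connection refused" rather than a hang.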
Iptables – port forwarding – Exercise 1
• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?
Iptables – port forwarding – Exercise 2
• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports
Reality check: What a firewall is and isn’t
• Can
• defend against specific IP level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t
• Defend you from app vulnerabilities
iptables - NAT
• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the python SimpleHTTPServer log tell you about the remote IP?
iptables – NAT – Behind the scenes
• Checking the NAT table
iptables – NAT – One on One, vs a range
• What if we have a pool of public IPs available for NAT?
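The two port-forwarding exercises and the NAT section (one-on-one, a pool, and what the DMZ sees as the remote IP), as one added example that is not code from the deck. The addresses, the router's DMZ-facing interface name and the NAT pool are assumptions for the lab.

```shell
#!/bin/sh
# Added example for the port-forwarding exercises and the NAT section; not
# code from the slide deck. All addresses, the router's DMZ-facing interface
# name and the NAT pool are assumptions for this lab.
set -eu

ROUTER_OFFICE_IP="10.0.1.1"          # router's office-side IP (what office boxes reach)
ROUTER_DMZ_IP="10.0.2.1"             # router's DMZ-side IP
DMZ_IF="eth2"                        # router interface facing the DMZ
OFFICE_NET="10.0.1.0/24"
DMZ1_HOST="10.0.2.10"
DMZ2_HOST="10.0.2.11"
NAT_POOL="10.0.2.100-10.0.2.103"     # stand-in for "a pool of public IPs"

ipt() {   # run iptables, or only print the rule when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Port forwarding is DNAT: PREROUTING rewrites the destination before the
# routing decision, and FORWARD must then accept the rewritten packet.
forward_port() {   # forward_port <listen ip> <listen port> <target ip> <target port>
    ipt -t nat -A PREROUTING -d "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3:$4"
    ipt -A FORWARD -d "$3" -p tcp --dport "$4" -m state --state NEW -j ACCEPT
}

# Exercise 1: port 80 on the router's office-side IP reaches port 8080 on dmz.
exercise1() { forward_port "$ROUTER_OFFICE_IP" 80 "$DMZ1_HOST" 8080; }

# Exercise 2: ssh on two DMZ hosts behind the same IP, told apart by port.
exercise2() {
    forward_port "$ROUTER_OFFICE_IP" 2201 "$DMZ1_HOST" 22
    forward_port "$ROUTER_OFFICE_IP" 2202 "$DMZ2_HOST" 22
}

# Source NAT happens in POSTROUTING, after routing. Office connections then
# arrive in the DMZ from the router's DMZ-side IP, which is what netstat and
# the SimpleHTTPServer log on dmz report instead of the office host's address.
nat_office_to_dmz() {   # nat_office_to_dmz single|pool|masq
    case "${1:-single}" in
        single) ipt -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" \
                    -j SNAT --to-source "$ROUTER_DMZ_IP" ;;
        pool)   ipt -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" \
                    -j SNAT --to-source "$NAT_POOL" ;;   # addresses handed out from the range
        masq)   ipt -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" \
                    -j MASQUERADE ;;                      # use whatever IP the interface has
        *)      echo "unknown NAT mode: $1" >&2; return 1 ;;
    esac
}

# Behind the scenes: the nat table holds the rules, the conntrack table holds
# the live translations those rules created.
show_nat() {
    ipt -t nat -L -n -v --line-numbers
    if [ -r /proc/net/nf_conntrack ]; then cat /proc/net/nf_conntrack; fi
}

# Usage: sh nat.sh apply   (prefix with DRY_RUN=1 to only print the rules)
if [ "${1:-}" = apply ]; then exercise1; exercise2; nat_office_to_dmz single; show_nat; fi
```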
When both the sides have the same IP range
• What should the solution be?
Some exercises
• Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops
Thank you!
www.sriramnarayanan.com
www.belenix.org
@sriramnrn

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Linux – routing and firewall for beginners v 1.0

10. About routes and return routes
• One of the first lessons one learns!
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to office
• Does the ping work?
• We’ll look at SSH and traceroute next
• Persisting the route settings

11. When routes and return routes are not enough
• SSH and traceroute
• from office to dmz
• from dmz to office
• Do ssh and traceroute work?
• Coming up – packet forwarding

12. About packet forwarding
• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz to office
• Do ping, traceroute and ssh work?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting

13. Persisting packet forwarding settings
• /proc is temporary. Reboot and check! ;)
• Do ping, traceroute and ssh work?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf

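
Slides 9 through 13 turn on three things, one at a time, before office can reach dmz through router: a route on office, a return route on dmz, and packet forwarding on router. The bash script below is an added example written for this page, not part of the slide deck or its vagrant lab. It models the three boxes with a longest-prefix-match route lookup and walks the same sequence, so each missing piece shows up as its own drop reason. The addressing is constructed (office 10.0.1.10 on 10.0.1.0/24, router 10.0.1.1 and 10.0.2.1, dmz 10.0.2.10 on 10.0.2.0/24); the slides give no addresses.

```shell
#!/bin/bash
# Added example: a pure-shell model of the office / router / dmz lab. Constructed
# addressing, not taken from the slides:
#   office 10.0.1.10 --- 10.0.1.1 [router] 10.0.2.1 --- 10.0.2.10 dmz
# A route table is one "CIDR NEXTHOP" entry per line; NEXTHOP is "direct" for an
# attached subnet, otherwise the gateway of an "ip route add CIDR via GATEWAY".

reset_lab() {                      # fresh boxes: only attached subnets are known
    OFFICE_ADDRS="10.0.1.10";         OFFICE_ROUTES="10.0.1.0/24 direct"
    ROUTER_ADDRS="10.0.1.1 10.0.2.1"; ROUTER_ROUTES="10.0.1.0/24 direct
10.0.2.0/24 direct"
    DMZ_ADDRS="10.0.2.10";            DMZ_ROUTES="10.0.2.0/24 direct"
    ROUTER_FORWARD=0                  # models net.ipv4.ip_forward on the router
}

ip4_to_int() {                     # dotted quad -> 32-bit integer
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {                      # in_prefix IP CIDR: true when IP is inside CIDR
    local ip net len mask
    ip=$(ip4_to_int "$1"); net=$(ip4_to_int "${2%/*}"); len=${2#*/}
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

route_lookup() {                   # route_lookup TABLE DST: longest-prefix match
    local best_len=-1 best_hop=unreachable cidr hop
    while read -r cidr hop; do
        [ -n "$cidr" ] && in_prefix "$2" "$cidr" && [ "${cidr#*/}" -gt "$best_len" ] &&
            { best_len=${cidr#*/}; best_hop=$hop; }
    done <<EOF
$1
EOF
    echo "$best_hop"
}

host_addrs()    { case $1 in office) echo "$OFFICE_ADDRS";; router) echo "$ROUTER_ADDRS";; dmz) echo "$DMZ_ADDRS";; esac; }
host_routes()   { case $1 in office) echo "$OFFICE_ROUTES";; router) echo "$ROUTER_ROUTES";; dmz) echo "$DMZ_ROUTES";; esac; }
host_forwards() { [ "$1" = router ] && [ "$ROUTER_FORWARD" = 1 ]; }
host_has_addr() { local a; for a in $(host_addrs "$1"); do [ "$a" = "$2" ] && return 0; done; return 1; }
host_owning()   { local h; for h in office router dmz; do host_has_addr "$h" "$1" && { echo "$h"; return 0; }; done; return 1; }

add_route() {                      # add_route HOST CIDR GATEWAY  (ip route add CIDR via GATEWAY)
    case $1 in
        office) OFFICE_ROUTES="$OFFICE_ROUTES
$2 $3" ;;
        router) ROUTER_ROUTES="$ROUTER_ROUTES
$2 $3" ;;
        dmz)    DMZ_ROUTES="$DMZ_ROUTES
$2 $3" ;;
    esac
}

# deliver SRC_HOST DST_IP: carry one packet hop by hop, print the path and the
# outcome; succeeds only when a host owning DST_IP is reached
deliver() {
    local host=$1 dst=$2 hops=0 path=$1 hop
    while :; do
        host_has_addr "$host" "$dst" && { echo "$path delivered"; return 0; }
        if [ "$hops" -gt 0 ] && ! host_forwards "$host"; then
            echo "$path dropped: ip_forward=0 on $host"; return 1
        fi
        hop=$(route_lookup "$(host_routes "$host")" "$dst")
        case $hop in
            unreachable) echo "$path dropped: no route to $dst on $host"; return 1 ;;
            direct)      hop=$dst ;;   # on-link: the next hop is the destination itself
        esac
        host=$(host_owning "$hop") || { echo "$path dropped: nobody holds $hop"; return 1; }
        path="$path>$host"; hops=$((hops + 1))
        [ "$hops" -le 8 ] || { echo "$path dropped: TTL exceeded"; return 1; }
    done
}

ping_sim() {                       # ping_sim SRC_HOST SRC_IP DST_IP: request out, reply back
    local req rep
    req=$(deliver "$1" "$3"); echo "request: $req"
    [ "${req##* }" = delivered ] || return 1
    rep=$(deliver "$(host_owning "$3")" "$2"); echo "reply:   $rep"
    [ "${rep##* }" = delivered ]
}

# The lessons from the slides, in order, each step fixing the previous failure
reset_lab
ping_sim office 10.0.1.10 10.0.2.10     # office: no route to 10.0.2.0/24
add_route office 10.0.2.0/24 10.0.1.1   # office# ip route add 10.0.2.0/24 via 10.0.1.1
ping_sim office 10.0.1.10 10.0.2.10     # router drops: not forwarding
ROUTER_FORWARD=1                        # router# sysctl -w net.ipv4.ip_forward=1
ping_sim office 10.0.1.10 10.0.2.10     # request arrives, reply has no return route
add_route dmz 10.0.1.0/24 10.0.2.1      # dmz# ip route add 10.0.1.0/24 via 10.0.2.1
ping_sim office 10.0.1.10 10.0.2.10     # both directions delivered
```

The comments on the last block give the real commands each step stands for. Two of them are what slide 13 is about: `sysctl -w net.ipv4.ip_forward=1` only writes /proc and is gone after a reboot; the persistent form is the line `net.ipv4.ip_forward = 1` in /etc/sysctl.conf, reloaded with `sysctl -p`. The model also shows why the order on slides 10 and 11 can mislead: even with both routes in place the router silently discards transit packets until forwarding is on, and traceroute from office will stop at the router.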
14. When both the sides have the same IP range
• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section

15. Some exercises
• One “office”, two DMZs
• Two “offices”, one DMZ

16. Questions
• Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
• When we have the current configuration, then is this “DMZ” a DMZ?

17. The need for a firewall
• Making a DMZ a DMZ

18. iptables and netfilter
• Netfilter – the kernel module
• iptables – the command line tool
• service iptables status
• What do we see here?

19. iptables – getting around
• How and why does iptables start up?
• chkconfig
• Where the service script is located
• Turning iptables off
• temporarily
• permanently
• flushing the tables
• service iptables status
• What do we see here?

20. iptables – What are tables?
• View the Wikipedia diagram

21. iptables rules – the basics
• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules (service iptables save)?
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?

22. iptables rules – persisting
• What happens when you flush the tables?
• How do we save the rules (service iptables save)?
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads

23. iptables – default policies
• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?

24. iptables – logging packets
• How do we log a packet?

25. iptables – allowing packets
• How do we log a packet?

26. iptables – dropping and rejecting packets
• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?

27. iptables – Let’s make that DMZ a DMZ!
• What rules should we have?

28. iptables – port forwarding – Exercise 1
• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?

29. iptables – port forwarding – Exercise 2
• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports

30. Reality check: What a firewall is and isn’t
• Can
• defend against specific IP level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t
• Defend you from app vulnerabilities

31. iptables – NAT
• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the python SimpleHTTPServer log tell you about the remote IP?

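
Slides 23 through 31 ask, in turn, what the default policies should be, how to log, allow, drop and reject, which rules turn the DMZ into a DMZ, how to publish a DMZ port on the router's address, and what the DMZ sees as the remote IP once NAT is on. The script below is an added example written for this page, not the deck's own rule set. It generates one complete rule file for the router in the format `iptables-restore` reads, with DROP as the INPUT and FORWARD policy, a FORWARD allow-list limited to the published ports, LOG plus REJECT for anything the DMZ initiates towards the office, DNAT for port 80 → 8080 and a second publish of the DMZ's SSH on another port, and MASQUERADE so office traffic reaches the DMZ with the router's DMZ-side address. The addressing is constructed (office 10.0.1.0/24 on eth1, router 10.0.1.1 and 10.0.2.1, DMZ 10.0.2.0/24 on eth2, DMZ host 10.0.2.10); none of it comes from the slides.

```shell
#!/bin/bash
# Added example: generates the router's iptables rule set in iptables-save format.
# Constructed addressing, not from the slides:
#   office 10.0.1.0/24 on eth1 (router 10.0.1.1), DMZ 10.0.2.0/24 on eth2 (router 10.0.2.1)
OFFICE_NET=10.0.1.0/24; OFFICE_IF=eth1; ROUTER_OFFICE_IP=10.0.1.1
DMZ_NET=10.0.2.0/24;    DMZ_IF=eth2
# Services published on the router's office-side address: router-port:dmz-host:dmz-port
PORT_FORWARDS="80:10.0.2.10:8080 2222:10.0.2.10:22"

split_forward() {                  # split_forward ENTRY -> sets FWD_PORT FWD_HOST FWD_TARGET_PORT
    local rest=${1#*:}
    FWD_PORT=${1%%:*}; FWD_HOST=${rest%:*}; FWD_TARGET_PORT=${rest#*:}
}

filter_table() {                   # *filter: DROP by default, allow-list, log the rest
    local entry
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # the router itself: loopback, replies to what it started, ping, ssh from the office side only
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo "-A INPUT -i $OFFICE_IF -s $OFFICE_NET -p tcp --dport 22 -j ACCEPT"
    echo '-A INPUT -j LOG --log-prefix "router-input-drop: "'
    # through the router: replies pass, new connections only office -> published DMZ ports
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for entry in $PORT_FORWARDS; do
        split_forward "$entry"
        echo "-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $FWD_HOST -p tcp --dport $FWD_TARGET_PORT -j ACCEPT"
    done
    # the DMZ may not open anything towards the office: log it, and let the sender know
    echo "-A FORWARD -i $DMZ_IF -o $OFFICE_IF -s $DMZ_NET -j LOG --log-prefix \"dmz-to-office: \""
    echo "-A FORWARD -i $DMZ_IF -o $OFFICE_IF -s $DMZ_NET -j REJECT --reject-with icmp-port-unreachable"
    echo '-A FORWARD -j LOG --log-prefix "forward-drop: "'   # everything else: logged, then policy DROP
    echo 'COMMIT'
}

nat_table() {                      # *nat: publish DMZ ports on the router, hide office sources
    local entry
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for entry in $PORT_FORWARDS; do
        split_forward "$entry"
        echo "-A PREROUTING -i $OFFICE_IF -d $ROUTER_OFFICE_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_HOST:$FWD_TARGET_PORT"
    done
    # office traffic leaves eth2 with the router's DMZ-side address as its source
    echo "-A POSTROUTING -o $DMZ_IF -s $OFFICE_NET -j MASQUERADE"
    echo 'COMMIT'
}

router_rules() { filter_table; nat_table; }

rule_count() { router_rules | grep -c "^-A $1 "; }   # rule_count CHAIN

install_router_rules() {           # root only: save where the iptables service loads from, then load
    [ "$(id -u)" -eq 0 ] || { echo "install_router_rules: run as root" >&2; return 1; }
    router_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
}

router_rules                       # print the rule set; pipe it into "iptables-restore --test" to check syntax
```

Run without arguments it only prints the rule set. On the RHEL-style boxes the slides use, /etc/sysconfig/iptables is the file `service iptables save` writes and `service iptables start` loads, which is why `install_router_rules` writes there before calling `iptables-restore`; editing that file by hand and restarting the service, as slide 23 suggests, gives the same result. The MASQUERADE rule answers slide 31: with it in place, netstat on the DMZ and the SimpleHTTPServer log show 10.0.2.1 as the remote address; remove that one rule and reload, and the original office address appears instead. The DNAT for port 80 only works together with the matching FORWARD rule, because after PREROUTING rewrites the destination the packet is checked against 10.0.2.10:8080, not against 10.0.1.1:80.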
32. iptables – NAT – Behind the scenes
• Checking the NAT table

33. iptables – NAT – One on One, vs a range
• What if we have a pool of public IPs available for NAT?

34. When both the sides have the same IP range
• What should the solution be?

35. Some exercises
• Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops