
Setting Up Firewall using Netfilter and Iptables

Presentation on theme: "Setting Up Firewall using Netfilter and Iptables"— Presentation transcript:

1 Setting Up Firewall using Netfilter and Iptables

2 What is a Firewall? A firewall is a device or set of devices designed to permit or deny network transmissions based on a set of rules; it is used to protect networks from unauthorized access while permitting legitimate communications to pass. Netfilter and iptables are used to define those rules.

3 Netfilter & Iptables Netfilter is the set of kernel components that actually executes the firewall rules. iptables is the program used to define and insert the rules; the name netfilter is often used to refer to iptables as well. iptables is often referred to as a packet filter, as it examines each packet transferred in every network connection to, from, and within your computer.

4 Cont.. iptables replaced ipchains in the 2.4 kernel and added many new features, including connection tracking (also known as stateful packet filtering), i.e. the state of each network conversation (TCP, UDP, etc.) is maintained. An iptables configuration requires specification of a "table", a "chain" and the rule details. A chain is a group of rules; a table is a group of chains.

5 Rules, Targets, Chains, Tables, States
iptables makes decisions on what to do with a packet based on rules that the system administrator creates. Data is passed through the Internet in the form of packets of information; connecting from your computer to a website will cause many packets to be exchanged in both directions. A rule specifies the criteria necessary for a packet to match it. The decision taken for a matching packet is known as a target.

6 Target
ACCEPT - Allow the packet through the firewall.
DROP - Drops the packet; the packet is not allowed through the firewall and the sender of the packet is not notified.

7 Rules and Chains Rules are grouped into chains, which in turn are contained in tables. There are three default tables which packets may traverse; one of these is the filter table. This is the default table and contains three chains.

8 Chains of Filter table
OUTPUT - For packets generated by and leaving your computer; for example, when you connect to a web site, your browser creates a packet and sends it out of your computer to some server.
INPUT - Any packets coming into your computer; for example, the packets containing the requested web page sent back by its server to your browser.
FORWARD - For packets being routed through your computer; for example, entering one network card and leaving through the other.

9 Other tables The two other tables available by default are the nat table and the mangle table; we will use the nat table for setting up a home network when only one network connection is available.

10 States iptables is capable of stateful packet filtering. This means that we can create rules not only based on IPs and ports but also on whether a packet is in any of the following states:
NEW - The packet is trying to start a new connection
ESTABLISHED - A connection that has seen packets travel in both directions
RELATED - A packet that is starting a new connection but is related to an existing connection
INVALID - This packet is associated with no known connection. These packets should be dropped

11 Creating and Storing Rules
Rules can be appended to the chains directly by using the iptables command. For example, to add a new rule allowing new connections to a web server running on your computer from anywhere, we would execute the following:
$ iptables -A INPUT -s 0/0 -d 0/0 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT

12 Explanation
-s (or --src or --source) and -d (or --dst or --destination) are the source and destination specifications of the packet. Each is usually an IP address with an optional mask.
-m state --state NEW matches only packets that have a state of NEW.
-p tcp applies this rule to packets using the TCP protocol only. This can be any one of tcp, udp, icmp.
--dport 80 (or --destination-port) matches a packet trying to connect to port 80. A range of ports can be given in the format begin:end.
-i eth0 (or --in-interface eth0) names the interface via which a packet is going to be received (ethernet, wifi).
-j ACCEPT is the target.

13 Configuration of firewall
Each packet traverses the rules of the appropriate chain from the first to the last. If a packet matches a rule then it stops traversing the chain at that rule and its fate is decided by that rule's target. If the packet does not match any rule then its fate is the default target of its chain.

14 Sample Conf file
*filter
# default targets
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# add any more rules here
COMMIT
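As an added example (not code from the slides), the Python below models how iptables walks the INPUT chain of a ruleset like the one above: rules are tried top to bottom, the first match decides, and the chain's default policy applies when nothing matches (slides 13 and 14). The ruleset and packets are constructed for the demo; the parser understands only the options used on slides 11 and 12 plus the state match, and stands in for netfilter rather than calling it.

```python
import shlex
from ipaddress import ip_address, ip_network
# Constructed ruleset in iptables-save format, mirroring slides 11 and 14
# (iptables accepts the shorthand 0/0; Python's ipaddress wants 0.0.0.0/0).
CONF = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
COMMIT
"""

def parse_conf(text):
    """Return (default policy per chain, list of rules per chain)."""
    policy, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chain, pol = line[1:].split()[:2]
            policy[chain], chains[chain] = pol, []
        elif line.startswith("-A "):        # "-A CHAIN flag value flag value ..."
            toks = shlex.split(line)[1:]    # every flag used here takes one value
            chains[toks[0]].append(dict(zip(toks[1::2], toks[2::2])))
    return policy, chains

def port_in_range(spec, port):
    """--dport takes a single port or a begin:end range (slide 12)."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    """A rule matches only when every criterion it carries fits the packet."""
    checks = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: port_in_range(v, pkt["dport"]),
        "-s": lambda v: ip_address(pkt["src"]) in ip_network(v, strict=False),
        "-d": lambda v: ip_address(pkt["dst"]) in ip_network(v, strict=False),
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[f](v) for f, v in rule.items() if f in checks)

def verdict(policy, chains, chain, pkt):
    """Walk the chain top to bottom: first match decides, else the policy."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["-j"]
    return policy[chain]
def filter_input(pkt):   # verdict of CONF's INPUT chain for one packet dict
    return verdict(*parse_conf(CONF), "INPUT", pkt)
```

A packet is a dict with iface, proto, src, dst, dport and state, so a NEW TCP packet to port 80 on eth0 is accepted while the same packet to port 22 falls through to the DROP policy.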
