Presentation is loading. Please wait.

Presentation is loading. Please wait.

Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache.

Published byJewel Clarke Modified over 9 years ago

Similar presentations

Presentation on theme: "Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache."— Presentation transcript:

1 iptables and apache 魏凡琮 (Jerry Wei)

2 Agenda iptables apache

3 iptables What is Firewall 用來防範未經允許的程式或使用者來存取內部資 源的軟體或硬體。 依據封包資訊以及 ip header 的內容來進行過濾的 一種機制。 UTM (Unified Threat Management) 。

4 iptables Firewall options Commercial firewall devices. (UTM) (Cisco PIX/ASA 、 Junpier SSG 、 Fortinet fortiGate...etc.) Router (ACL list.) Linux (tcp wrapper 、 iptables) Software Packages. (BlackIce 、 Norton personal firewall...etc.)

5 iptables Linux Firewall i pfwadm (kernel 2.0.X) i pchains (kernel 2.2.X) i ptables (kernel 2.4.X)

6 iptables What is iptables Integration with Linux kernel (netfilter). Stateful packet inspection. Filter packets according to TCP header and MAC address. Network address translation (NAT). A rate limit feature.

7 iptables iptables rule table Filter : packet filter. (FORWARD 、 INPUT 、 OUTPUT) NAT : network address translation. (PREROUTING 、 POSROUTING 、 OUPUT) Managle : TCP header modification. (PREROUTING 、 POSTROUTING 、 OUTPUT 、 INPUT 、 FORWARD)

8 iptables iptables flow mangle table PREROUTING nat table PREROUTING routing Data for the firewall? mangle table FORWARD filter table FORWARD mangle table POSTROUTI NG nat table POSTROUTI NG mangle table INPUT filter table INPUT Local processing Of data routing mangle table OUPUT nat table OUTPUT filter table POSTROUTIN G mangle table POSTROUTIN G nat table POSTROUTIN G

9 iptables Tagets and Jumps ACCPET DROP REJECT LOG

10 iptables Tagets and Jumps DNAT SNAT MASQUERADE

11 iptables Command options 1 -t [table] -j [target] -A : Append rule to end of chain. -F : Flush. Deletes all the rules in the selected table. -D : Delete rule from the selected table.

12 iptables Command options 1 -p [protocol type] : match protocol. tcp 、 udp 、 icmp 、 all. -s [ip address] : match source ip address. -d [ip address] : match destination ip address. -i [interface] : match“INPUT“ interface on which the packet enters. -o [interface] : match“OUTPUT“ interface on which the packet exits.

13 iptables Example1-1 i ptables -A INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j DROP i ptables -L --line-numbers i ptables -A OUTPUT -o eth0 -p icmp -s 0/0 -d 0/0 -j DROP i ptables -F i ptables -P INPUT DROP 、 iptables -P OUTPUT DROP

14 iptables Example1-2 i ptables -A INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j REJECT i ptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j LOG i ptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j ACCEPT

15 iptables Command options 2 -p tcp --sport {[port] | [start-port:end-port] } -p tcp --dport {[port] | [start-port:end-port] } -p tcp { --syn | !--sync } -p udp --sport {[port] | [start-port:end-port] } -p udp --dport {[port] | [start-port:end-port] } -p icmp --icmp-type [type]

16 iptables Example2-1 iptables -A OUTPUT -o eth0 -p tcp --sport 1024:65535 --dport 80 -j DROP iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -j DROP

17 iptables Command options 3 -m multiport --sports [port1,port2,port3] -m multiport --dports [port1,port2,port3] -m multiport --ports [port1,port2,port3] -m state --state [NEW | ESTABLISHED | RELATED | INVALID] -m limit --limit [rate] -m limit --limit-burst

18 iptables Example3-1 iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 53,80 -j DROP iptables -A OUTPUT -o eth0 -s 0/0 -d 0/0 -p tcp -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p icmp -m limit --limit 1/s -j ACCEPT iptables -A INPUT -i eth0 -p icmp -m limit --limit-burst 2 -j ACCEPT

19 iptables NAT DNAT / IP mapping / Port forwarding SNAT / MASQUERADE

20 iptables DNAT Port forwarding. IP mapping

21 iptables SNAT SNAT. MASQUERADE ip_forward

22 iptables Example4-1 iptables -t nat -A PREROUTING -p tcp -d 192.168.254.17 --dport 2222 -j DNAT --to 192.168.254.17:22 iptables -t nat -A PREROUTING -i eth0 -d 192.168.254.17 -j DNAT --to-destination 10.20.1.2 iptables -t nat -A POSTROUTING -o eth0 -s 10.20.1.2 -j SNAT --to-source 192.168.254.17 iptables -t nat -A POSTROUTING -o eth0 -s 10.20.1.0/24 -j SNAT --to-source 192.168.254.17

23 iptables Example4-2 iptables -t nat -A POSTROUTING -o eth0 -s 10.20.1.0/24 -j SNAT --to-source 192.168.254.17 iptables -t nat -A POSTROUTING -o eth0 -s 10.20.1.0/24 -j MASQUERADE

24 iptables Mangle MARK TOS (IPV4 : Type Of Service) (IPV6 : set Traffic Control Value) TTL

25 iptables Example5-1 iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 1

26 iptables Save and Restore iptables-save iptables-restore rc.local

27 Q & A 休息一下 !

28 apache Install wget “source tarball file”./configure –prefix=/usr/local/apache-version --enable-rewrite make make install./bin/apachectl { start | stop | restart }

29 apache Configuration httpd.conf Virtual host.htaccess mod_rewrite

30 apache VirtualHost Include vhosts.conf

31 apache.htaccess Access control../htpasswd -c /usr/local/apache/conf/users csie User & group./conf/groups

32 apache.htaccess AuthName “Admin Login” AuthUserFile “/usr/local/apache/conf/users” AuthType Basic require valid-user AuthGroupFile “/usr/local/apache/conf/groups” require group

33 apache mod_rewrite Provides a rule-based rewriting engineto rewrite request URLs. --enable-rewrite [ NC] (no case) 、 [L] (last rule) 、 [R] (redirect) RewriteRule RewriteCond [OR] (or next)

34 Q & A 謝謝 !

Download ppt "Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache."

Similar presentations

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti.

Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
1 Firewall & IP Tables. 2 Firewall IP Tables 3 32-4 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system.

1 Firewall & IP Tables. 2 Firewall IP Tables FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system.
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
Cryptography and Network Security Chapter 20 Firewalls

Cryptography and Network Security Chapter 20 Firewalls
LİNUX-ROUTER-1 Gw1: 74.90.92.1 GW2: 95.111.62.129 ISP1 eth0 74.90.92.246 95.111.62.136 eth1 10.3.3.1/30 LİNUX-ROUTER-2 Gw1:192.168.198.2 Gw2:10.3.3.1 eth1.

LİNUX-ROUTER-1 Gw1: GW2: ISP1 eth eth /30 LİNUX-ROUTER-2 Gw1: Gw2: eth1.
System Administration Network Tools. ping Test connectivity / latency (RTT) ICMP echo request/reply Variants ◦ARP ping  Send ARP instead  May also ping.

System Administration Network Tools. ping Test connectivity / latency (RTT) ICMP echo request/reply Variants ◦ARP ping  Send ARP instead  May also ping.
SYSTEM SECURITY NETWORK (Firewall) Install a firewall Determine the type of the type of network security Identify the control network is needed Design.

SYSTEM SECURITY NETWORK (Firewall) Install a firewall Determine the type of the type of network security Identify the control network is needed Design.
Cs490ns - cotter1 Firewalls What they do. How they work.

Cs490ns - cotter1 Firewalls What they do. How they work.
Engineering Secure Software. SE Doesn’t End at Release  Deployment counts too Despite our best efforts to produce secure software Vulnerabilities can.

Engineering Secure Software. SE Doesn’t End at Release  Deployment counts too Despite our best efforts to produce secure software Vulnerabilities can.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Packet Filtering and Firewall

Packet Filtering and Firewall

Similar presentations

Ads by Google