NAT & Firewall in Linux
Cassiano Campes
R&D Internship @ PARKS
How distinct networks communicate?
NAT TABLES
Network example
Network Address Translation - NAT
There are three different NAT methods:
↝ Static NAT;
↝ Dynamic NAT;
↝ NAT Overload;
Why use NAT?
↝ Useful to map hosts in different networks;
↝ Address translation makes the hosts invisible to other domains;
↝ Still manageable when the number of public IP addresses is limited;
A typical network
↝ In this example, there are 3 private networks connected to the Internet;
Diagram: SamSong Net, AppleT Net and Intelog Net, each behind its own gateway (GW) to the Internet.
Static NAT - example
↝ An internal view of the router;
Internal network 192.168.10.0/24 behind the router’s private interface (192.168.10.10); the router’s public interface holds 200.152.8.20 to .21.
NAT Table:
Internal IP                            NAT IP
192.168.10.8 (HTTP SERVER, port 80)    200.152.8.20
192.168.10.26 (FTP SERVER, port 21)    200.152.8.21
Seen from the Internet: HTTP SERVER = 200.152.8.20, FTP SERVER = 200.152.8.21
Use-case example:
● HTTP server, which requires a static public IP so that external (Internet) traffic can reach it
Dynamic NAT - example
↝ Router without requests;
Internal network 192.168.10.0/24 behind the router’s private interface (192.168.10.10).
Pool of Available IPs on the router’s public interface: 200.152.8.20, 200.152.8.21, 200.152.8.22, 200.152.8.23
NAT Table (Internal IP / NAT IP): empty, no request has been made yet
Dynamic NAT - example (Cont’d)
↝ Router with 2 requests;
Requests from the internal network, and how they leave the router’s public interface:
From IP 192.168.10.8 to 201.157.92.45   →  From IP 200.152.8.20 to 201.157.92.45
From IP 192.168.10.26 to 8.8.8.8        →  From IP 200.152.8.21 to 8.8.8.8
NAT Table:
Internal IP      NAT IP
192.168.10.8     200.152.8.20
192.168.10.26    200.152.8.21
Pool of Available IPs: 200.152.8.22, 200.152.8.23
Use-case example:
● Hosts that want to connect to the Internet but are limited by the number of available IPs on the router’s public interface.
Dynamic NAT - example (Cont’d)
↝ Router with 4 requests;
Requests from the internal network, and how they leave the router’s public interface:
From IP 192.168.10.8 to 201.157.92.45   →  From IP 200.152.8.20 to 201.157.92.45
From IP 192.168.10.26 to 207.20.10.1    →  From IP 200.152.8.21 to 207.20.10.1
From IP 192.168.10.9 to 201.157.92.45   →  From IP 200.152.8.22 to 201.157.92.45
From IP 192.168.10.21 to 8.8.8.8        →  From IP 200.152.8.23 to 8.8.8.8
NAT Table:
Internal IP      NAT IP
192.168.10.8     200.152.8.20
192.168.10.26    200.152.8.21
192.168.10.9     200.152.8.22
192.168.10.21    200.152.8.23
Pool of Available IPs: empty (a fifth host could not be translated until an entry is released)
Use-case example:
● Hosts that want to connect to the Internet but are limited by the number of available IPs on the router’s public interface.
NAT Overload - IP’s limitations
↝ Alternative to handle the limited number of public IPs;
↝ Dynamic IP translation, rewriting the source IP of outbound packets and the destination IP of the inbound replies;
↝ For a single public IP, it is possible to map approximately 64510 hosts;
NAT Overload - example
↝ 2 requests to the same destination;
Internal network behind the router’s private interface 192.168.10.10; the router’s public interface has the single address 200.152.8.20.
Use-case example:
● Several hosts trying to access the same destination IP on the same destination port.
Step 1 - first request:
From IP 192.168.10.8 sport 1200 to 201.157.92.45 dport 80   →  From IP 200.152.8.20 sport 1200 to 201.157.92.45 dport 80
NAT Table:
Internal IP                 NAT IP
192.168.10.8 Port 1200      200.152.8.20 Port 1200
Step 2 - a second host, using the same source port, to the same destination:
From IP 192.168.10.26 sport 1200 to 201.157.92.45 dport 80
Public IP 200.152.8.20 with source port 1200 is already in use by the first host, so the router picks a new source port for the second one (5200 on this slide, 5240 on the next):
From IP 200.152.8.20 sport 5200 to 201.157.92.45 dport 80
NAT Overload - example (Cont’d)
↝ 2 requests to the same destination;
NAT Table:
Internal IP                 NAT IP
192.168.10.8 Port 1200      200.152.8.20 Port 1200
192.168.10.26 Port 1200     200.152.8.20 Port 5240
Outbound packets from the internal network:
From IP 192.168.10.8 sport 1200 to 201.157.92.45 dport 80
From IP 192.168.10.26 sport 1200 to 201.157.92.45 dport 80
Replies from the Internet, matched to the NAT table entry by their destination port:
From IP 201.157.92.45 sport 80 to 200.152.8.20 dport 1200   →  delivered to 192.168.10.8
From IP 201.157.92.45 sport 80 to 200.152.8.20 dport 5240   →  delivered to 192.168.10.26
Use-case example:
● Several hosts trying to access the same destination IP on the same destination port.
NAT - translation example
↝ Summary of the modifications done to the packets (TCP/IP header);
Router outbound interface (internal host 192.168.10.8 talking to Internet host 201.10.0.5):
Field          Before NAT      After NAT
IP Src:        192.168.10.8    200.152.8.20
IP Dest:       201.10.0.5      201.10.0.5
Source Port:   1450            1450
Dest. Port:    80              80
Router inbound interface (reply from 201.10.0.5):
Field          Before NAT      After NAT
IP Src:        201.10.0.5      201.10.0.5
IP Dest:       200.152.8.20    192.168.10.8
Source Port:   80              80
Dest. Port:    1450            1450
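The three NAT methods above, written as Linux iptables rules with the slides’ own addresses (an added example, not the presentation’s code). It assumes eth0 is the router’s public interface and eth1 the private one; by default the rules are printed rather than applied, so they can be reviewed without root.

```shell
#!/bin/sh
# Added example: static, dynamic and overload NAT as iptables nat-table rules.
# Assumed: eth0 = router's public interface, eth1 = private (192.168.10.0/24).
# DRY_RUN is set by default and makes run() print each command instead of
# executing it; run with DRY_RUN= as root to apply the rules for real.
DRY_RUN="${DRY_RUN-1}"
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# 1) Static NAT: fixed 1:1 mappings so the HTTP and FTP servers are reachable
#    from the Internet. DNAT in PREROUTING rewrites the destination of inbound
#    packets; SNAT in POSTROUTING rewrites the source of the servers' own
#    outbound connections. Replies of either direction are translated back by
#    conntrack (the inbound half of the translation example), no rule needed.
static_nat() {
    run iptables -t nat -A PREROUTING  -i eth0 -d 200.152.8.20 -j DNAT --to-destination 192.168.10.8
    run iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.8 -j SNAT --to-source 200.152.8.20
    run iptables -t nat -A PREROUTING  -i eth0 -d 200.152.8.21 -j DNAT --to-destination 192.168.10.26
    run iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.26 -j SNAT --to-source 200.152.8.21
}

# 2) Dynamic NAT: outbound connections from the subnet take a public address
#    from the pool 200.152.8.20-.23. Caveat: the kernel spreads connections
#    over the range and will also rewrite ports when it has to, so it never
#    turns a fifth host away the way the slide's exhausted pool does.
dynamic_nat() {
    run iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 \
        -j SNAT --to-source 200.152.8.20-200.152.8.23
}

# 3) NAT overload (PAT): every host shares 200.152.8.20. When two hosts use
#    the same source port, conntrack picks a free one for the second (the
#    1200 -> 5240 case on the slide). MASQUERADE does the same but uses
#    whatever address eth0 currently has, which suits a dynamic public IP.
overload_nat() {
    run iptables -t nat -A POSTROUTING -o eth0 -s 192.168.10.0/24 -j SNAT --to-source 200.152.8.20
}

# None of the above carries traffic until the router forwards packets.
enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

enable_forwarding
static_nat
```

Only one of the three POSTROUTING variants should be loaded on a real router; running the script as-is shows the static set.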
↝ Manipulating packets - under the covers;
↝ Uses a “state machine”;
■ To track connections;
↝ It needs to keep information about every connection being performed;
■ It is also possible not to track connections;
↝ conntrack is the tracker used for this;
Where are the records kept?
○ /proc/sys/net/ipv4/netfilter
Manipulating packets in a network
IP TABLES
Net. Security - Firewall
● Private networks must be “invisible” to the external world (from a security standpoint);
● A firewall controls the data traffic that passes through the network, like a wall, verifying what is sent and received;
● A firewall can be described as a system that, once configured, “blocks” unwanted packet traffic by applying security policies at specific points in the network.
A typical example of a network connected to the Internet
Firewall Linux - iptables
● Flow control at packet level through iptables;
● Tables hold sets of rules (chains) that filter and manipulate packets at different points of the packet flow;
● Chains have a set of rules that are applied to the packets;
● There are 4 types of tables, each one corresponding to a specific point of the packet flow (explained later)
Type of tables
↝ Raw
↝ Processing packets without connection tracking;
↝ Filter
↝ The default table for packet filtering;
↝ Nat
↝ Used for address translation;
↝ Mangle
↝ Used for specific changes in the packets;
Built-in Chains
↝ Default Chains on each table;
Diagram: packet flow, showing the RAW TABLE with its PREROUTING CHAIN and OUTPUT CHAIN.
Packet targets (what is done with a matched packet)
↝ ACCEPT
↝ The packet is let through, skipping the remaining rules of the chain;
↝ REJECT
↝ The packet is discarded, sending an ICMP notification - destination unreachable - to the source;
↝ DROP
↝ The packet is discarded, without notifying the source;
↝ QUEUE
↝ The packet is transferred to user space for further processing
Study-case scenarios
↝ Create a subnetwork on a host within the PARKS network;
↝ Configure a DHCP server on this host;
↝ Add rules for packet forwarding;
↝ Allow access to the Internet for this subnetwork;
Server properties
↝ Create a subnetwork on a PARKS host;
↝ Configure a DHCP server;
↝ Configure iptables with specific rules:
➢ Allow HTTP[S] traffic only during a specific time period;
➢ Translate addresses for hosts accessing the Internet;
➢ Allow FTP traffic;
➢ HTTP server on a specific host in the subnet, reachable from outside;
➢ FTP server allowed to work only within the subnet;
PARKS network - overview
Diagram: Host1 to Host5 on the internal network (label 192.168.200.188), connected through a Hub/Switch to the Firewall and on to the Internet.
PARKS network - scenario
Diagram: the same internal network, where Host5 now also acts as the Firewall for a new subnet containing Host11 and Host12 behind their own Hub/Switch.
Required configuration
↝ Fixed IP for the server (in this case);
↝ Enable packet forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
↝ Follow the system log while testing the rules: tail -f /var/log/messages
Source code
Slides in this section (the rule listings themselves are not part of the text transcript):
↝ NAT - [PRE-POST]ROUTING
↝ Flush Tables & Default Filter
↝ NAT - [PRE-POST]ROUTING
↝ Filter - INPUT
↝ Filter - FORWARD, OUTPUT
↝ By default, the OUTPUT chain is set as ACCEPT;
↝ Mangle - OUTPUT
↝ Configured tables
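An iptables ruleset for the study case, following the slide headings above (flush and default policy, nat PREROUTING/POSTROUTING, filter INPUT and FORWARD, raw helper). This is an added example, not the presentation’s own source code. The layout is assumed, since the slides do not give it: eth0 faces the PARKS network where the firewall host is 192.168.200.188, eth1 faces the new subnet 192.168.50.0/24, the subnet’s HTTP server is 192.168.50.10 and its FTP server 192.168.50.20.

```shell
#!/bin/sh
# Added example: firewall/NAT rules for the PARKS study case.
# Assumed addresses and interfaces (not on the slides): see variables below.
# DRY_RUN is set by default so run() prints each command; run with DRY_RUN=
# as root to apply them.
DRY_RUN="${DRY_RUN-1}"
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

WAN=eth0                     # towards the PARKS network / Internet
LAN=eth1                     # towards the new subnet
PUBLIC_IP=192.168.200.188    # firewall host's fixed address on the PARKS net
LAN_NET=192.168.50.0/24      # assumed subnet served by this host's DHCP
WWW_HOST=192.168.50.10       # assumed HTTP server inside the subnet
FTP_HOST=192.168.50.20       # assumed FTP server inside the subnet

flush_and_defaults() {
    # Empty every table and start deny-by-default for INPUT and FORWARD.
    # OUTPUT stays ACCEPT, the default the slides mention.
    for t in filter nat mangle raw; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

raw_ftp_helper() {
    # The FTP helper lets conntrack classify the data connection as RELATED.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

nat_rules() {
    # NAT overload: the subnet shares the firewall's address on the PARKS net.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    # Publish the HTTP server (static mapping of port 80 only). The FTP server
    # gets no DNAT, so it is never reachable from outside the subnet.
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW_HOST"
}

filter_input() {
    # Traffic addressed to the firewall host itself.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # DHCP requests from the subnet (this host is its DHCP server).
    run iptables -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    # Administration over SSH from the subnet only (assumption).
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
}

filter_forward() {
    # Replies and related flows (FTP data) for connections already tracked.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # HTTP[S] from the subnet only during office hours (xt_time uses UTC
    # unless --kerneltz is added).
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -m time --timestart 08:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
    # FTP control channel out; the data channel is accepted as RELATED above.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 21 -j ACCEPT
    # DNS so hosts can resolve names (assumption).
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # Inbound half of the published HTTP server (after the DNAT above).
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$WWW_HOST" -p tcp --dport 80 -j ACCEPT
    # Anything else from outside towards the subnet, including $FTP_HOST, hits
    # the FORWARD DROP policy.
}

apply_all() {
    flush_and_defaults
    raw_ftp_helper
    nat_rules
    filter_input
    filter_forward
}
apply_all
```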
↝ Any questions?
Thank you!

More Related Content

What's hot

Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksAndriy Berestovskyy
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesNetProtocol Xpert
 
Packet Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logPacket Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logRafat Khandaker
 
PSKmail presentation @ Garec 2013 conference
PSKmail presentation @ Garec 2013 conferencePSKmail presentation @ Garec 2013 conference
PSKmail presentation @ Garec 2013 conferenceRein Couperus
 
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introductionCodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introductionCodiLime
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)NetProtocol Xpert
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) KHNOG
 
NPV and NPIV feature in MDS switches on SAN network
NPV and NPIV feature in MDS switches on SAN networkNPV and NPIV feature in MDS switches on SAN network
NPV and NPIV feature in MDS switches on SAN networkTanay Chakraborty
 
Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Abdel-Fattah M. Hmoud
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)Netwax Lab
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet CountAmazon Web Services
 

What's hot (19)

Chapter7ccna
Chapter7ccnaChapter7ccna
Chapter7ccna
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local Networks
 
Packet Card Knowledge Transferfinal
Packet Card Knowledge TransferfinalPacket Card Knowledge Transferfinal
Packet Card Knowledge Transferfinal
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Packet Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-logPacket Tracer: SNMP, Netflow, Sys-log
Packet Tracer: SNMP, Netflow, Sys-log
 
PSKmail presentation @ Garec 2013 conference
PSKmail presentation @ Garec 2013 conferencePSKmail presentation @ Garec 2013 conference
PSKmail presentation @ Garec 2013 conference
 
CCNA 1 Chapter 6 v5.0 2014
CCNA 1 Chapter 6 v5.0 2014CCNA 1 Chapter 6 v5.0 2014
CCNA 1 Chapter 6 v5.0 2014
 
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introductionCodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
CodiLime Tech Talk - Adam Kułagowski: IPv6 - introduction
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD)
Bidirectional Forwarding Detection (BFD)
 
NPV and NPIV feature in MDS switches on SAN network
NPV and NPIV feature in MDS switches on SAN networkNPV and NPIV feature in MDS switches on SAN network
NPV and NPIV feature in MDS switches on SAN network
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
IPV6 IPv6 Routing Lab By Rob Hamm
IPV6 IPv6 Routing Lab  By Rob HammIPV6 IPv6 Routing Lab  By Rob Hamm
IPV6 IPv6 Routing Lab By Rob Hamm
 
Day 17.1 nat pat
Day 17.1 nat pat Day 17.1 nat pat
Day 17.1 nat pat
 
ACI MultiPod 구성
ACI MultiPod 구성ACI MultiPod 구성
ACI MultiPod 구성
 
Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)EIGRP (enhanced interior gateway routing protocol)
EIGRP (enhanced interior gateway routing protocol)
 
(NET404) Making Every Packet Count
(NET404) Making Every Packet Count(NET404) Making Every Packet Count
(NET404) Making Every Packet Count
 

Similar to NAT and firewall presentation - how setup a nice firewall

SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...Louis Göhl
 
Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2Kris Mofu
 
presentation_5725_1534743837.pdf
presentation_5725_1534743837.pdfpresentation_5725_1534743837.pdf
presentation_5725_1534743837.pdfHaithamAli51
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slidesadam_merritt
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6Martin Schütte
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2Juli Yaret
 
Computer network (16)
Computer network (16)Computer network (16)
Computer network (16)NYversity
 
NZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATNZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATMark Smith
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocolRafat Khandaker
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.pptcemporku
 
Ccna 2 Final V4 1
Ccna 2 Final V4 1Ccna 2 Final V4 1
Ccna 2 Final V4 1stigerj
 
Byte blower basic setting full_v2
Byte blower basic setting full_v2Byte blower basic setting full_v2
Byte blower basic setting full_v2Chen-Chih Lee
 
MULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKSMULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKSKathirvel Ayyaswamy
 

Similar to NAT and firewall presentation - how setup a nice firewall (20)

SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
Nat 03
Nat 03Nat 03
Nat 03
 
Practice exam #2
Practice exam #2Practice exam #2
Practice exam #2
 
presentation_5725_1534743837.pdf
presentation_5725_1534743837.pdfpresentation_5725_1534743837.pdf
presentation_5725_1534743837.pdf
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
 
NAT Traversal
NAT TraversalNAT Traversal
NAT Traversal
 
Clase 4. Routing IP.pdf
Clase 4. Routing IP.pdfClase 4. Routing IP.pdf
Clase 4. Routing IP.pdf
 
IPAddressing .pptx
IPAddressing .pptxIPAddressing .pptx
IPAddressing .pptx
 
Examen final ccna2
Examen final ccna2Examen final ccna2
Examen final ccna2
 
Computer network (16)
Computer network (16)Computer network (16)
Computer network (16)
 
NZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATNZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NAT
 
Module17 nat v2
Module17 nat v2Module17 nat v2
Module17 nat v2
 
Packet Tracer: Nat protocol
Packet Tracer: Nat protocolPacket Tracer: Nat protocol
Packet Tracer: Nat protocol
 
net work iTM3
net work iTM3net work iTM3
net work iTM3
 
Modul 3 Firewalll.ppt
Modul 3 Firewalll.pptModul 3 Firewalll.ppt
Modul 3 Firewalll.ppt
 
06 tk 1073 network layer
06   tk 1073 network layer06   tk 1073 network layer
06 tk 1073 network layer
 
Ccna 2 Final V4 1
Ccna 2 Final V4 1Ccna 2 Final V4 1
Ccna 2 Final V4 1
 
Byte blower basic setting full_v2
Byte blower basic setting full_v2Byte blower basic setting full_v2
Byte blower basic setting full_v2
 
MULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKSMULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKS
 

More from Cassiano Campes

Speed in software development
Speed in software developmentSpeed in software development
Speed in software developmentCassiano Campes
 
Project management in a research laboratory
Project management in a research laboratoryProject management in a research laboratory
Project management in a research laboratoryCassiano Campes
 
CSL Seminar presented by Cassiano Campes - 16-11-14
CSL Seminar presented by Cassiano Campes - 16-11-14CSL Seminar presented by Cassiano Campes - 16-11-14
CSL Seminar presented by Cassiano Campes - 16-11-14Cassiano Campes
 
CSL Seminar presented by Cassiano Campes - 17-03-13
CSL Seminar presented by Cassiano Campes - 17-03-13CSL Seminar presented by Cassiano Campes - 17-03-13
CSL Seminar presented by Cassiano Campes - 17-03-13Cassiano Campes
 
CSL Seminar presented by Cassiano Campes - 17-07-05
CSL Seminar presented by Cassiano Campes - 17-07-05CSL Seminar presented by Cassiano Campes - 17-07-05
CSL Seminar presented by Cassiano Campes - 17-07-05Cassiano Campes
 

More from Cassiano Campes (6)

How not program in c
How not program in cHow not program in c
How not program in c
 
Speed in software development
Speed in software developmentSpeed in software development
Speed in software development
 
Project management in a research laboratory
Project management in a research laboratoryProject management in a research laboratory
Project management in a research laboratory
 
CSL Seminar presented by Cassiano Campes - 16-11-14
CSL Seminar presented by Cassiano Campes - 16-11-14CSL Seminar presented by Cassiano Campes - 16-11-14
CSL Seminar presented by Cassiano Campes - 16-11-14
 
CSL Seminar presented by Cassiano Campes - 17-03-13
CSL Seminar presented by Cassiano Campes - 17-03-13CSL Seminar presented by Cassiano Campes - 17-03-13
CSL Seminar presented by Cassiano Campes - 17-03-13
 
CSL Seminar presented by Cassiano Campes - 17-07-05
CSL Seminar presented by Cassiano Campes - 17-07-05CSL Seminar presented by Cassiano Campes - 17-07-05
CSL Seminar presented by Cassiano Campes - 17-07-05
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

NAT and firewall presentation - how setup a nice firewall

  • 1. NAT & Firewall in Linux Cassiano Campes R&D Internship @ PARKS
  • 2. How distinct networks communicate? NAT TABLES
  • 4. Network Address Translation - NAT There are three different NAT methods: ↝ Static NAT; ↝ Dynamic NAT; ↝ NAT Overload;
  • 5. ↝ Useful to map hosts in different networks; ↝ Address translation turn the hosts invisible to different domains; ↝ Still manageable in case of limited IP addresses; Why use NAT?
  • 6. A typical network ↝ On this example, there are 3 private networks connected to Internet; SamSong Net AppleT Net Intelog Net Internet G W G W G W
  • 7. Static NAT - example NAT Table 200.152.8.20to.21 Router’s Private Interface Router’s Public Interface 192.168.10.10 ROUTER Internal IP NAT IP ↝ An internal view of the router; 192.168.10.8 192.168.10.26 HTTP SERVER (Port 80) 192.168.10.8 FTP SERVER (Port 21) 192.168.10.26 HTTP SERVER = 200.152.8.20 FTP SERVER = 200.152.8.21 INTERNAL NETWORK 192.168.10.0/24 200.152.8.20 200.152.8.21 Use-case example: ● HTTP server, where it requires a static IP to allow external (Internet traffic) arrive
  • 8. Dynamic NAT - example NAT Table PoolIPsdispon. Router’s Private Interface Router’s Public Interface 192.168.10.10 ROUTER Internal IP NAT IP ↝ Router without requests; Pool of Available IPs 200.152.8.20 200.152.8.21 200.152.8.22 200.152.8.23 INTERNAL NETWORK 192.168.10.0/24 Internal IP NAT IP
  • 9. Dynamic NAT - example (Cont’d) NAT Table PoolIPsdispon. 192.168.10.10 Internal IP NAT IP ↝ Router with 2 requests; 192.168.10.8 200.152.8.20 From IP 192.168.10.26 to 8.8.8.8 Pool of Available IPs 200.152.8.22 200.152.8.23 From IP 192.168.10.8 to 201.157.92.45 Internal IP NAT IP 192.168.10.8 192.168.10.26 200.152.8.20 200.152.8.21 From IP 200.152.8.21 to 8.8.8.8 From IP 200.152.8.20 to 201.157.92.45 Use-case example: ● Hosts that want to connect to the Internet, however they are limited by the number of available IP on the Router’s public interface. Router’s Private Interface Router’s Public InterfaceROUTERINTERNAL NETWORK 192.168.10.0/24
  • 10. Dynamic NAT - example (Cont’d) NAT Table PoolIPsdispon. 192.168.10.10 Internal IP NAT IP ↝ Router with 4 requests; 192.168.10.8 200.152.8.20 From IP 192.168.10.26 to 207.20.10.1 Pool of Available IPs From IP 192.168.10.8 to 201.157.92.45 Internal IP NAT IP 192.168.10.8 192.168.10.26 201.157.92.45 207.20.10.1 From IP 200.152.8.21 to 207.20.10.1 From IP 200.152.8.20 to 201.157.92.45 From IP 192.168.10.21 to 8.8.8.8 From IP 192.168.10.9 to 201.157.92.45 From IP 200.152.8.22 to 201.157.92.45 From IP 200.152.8.23 to 8.8.8.8 192.168.10.9 201.157.92.45 192.168.10.21 8.8.8.8 Use-case example: ● Hosts that want to connect to the Internet, however they are limited by the number of available IP on the Router’s public interface. Router’s Private Interface Router’s Public InterfaceROUTER
• 11. NAT Overload - IP limitations ↝ Alternative for handling the shortage of public IPs; ↝ Dynamic translation that rewrites both the source and the destination IPs in the packets; ↝ With a single public IP it is possible to map approximately 64510 hosts;
• 12. NAT Overload - example ↝ Setup: internal network behind the router's private interface 192.168.10.10, a single public IP 200.152.8.20, NAT table (Internal IP:port → NAT IP:port) empty; 2 requests to the same destination. Use-case example: ● Several hosts trying to reach the same destination IP on the same destination port.
• 13. NAT Overload - example ↝ First request: from 192.168.10.8 sport 1200 to 201.157.92.45 dport 80 leaves as from 200.152.8.20 sport 1200 to 201.157.92.45 dport 80; NAT table: 192.168.10.8:1200 → 200.152.8.20:1200.
• 14. NAT Overload - example ↝ Second request: from 192.168.10.26 sport 1200 to 201.157.92.45 dport 80, the same source port as the first host; the NAT table still holds only 192.168.10.8:1200 → 200.152.8.20:1200.
• 15. NAT Overload - example ↝ The second request leaves with a different source port: from 200.152.8.20 sport 5200 to 201.157.92.45 dport 80; NAT table: 192.168.10.8:1200 → 200.152.8.20:1200 and 192.168.10.26:1200 → 200.152.8.20:5200.
• 16. NAT Overload - example (Cont'd) ↝ Replies: from 201.157.92.45 sport 80 to 200.152.8.20 dport 1200 is delivered to 192.168.10.8 sport 1200, and from 201.157.92.45 sport 80 to 200.152.8.20 dport 5240 is delivered to 192.168.10.26 sport 1200; NAT table: 192.168.10.8:1200 → 200.152.8.20:1200, 192.168.10.26:1200 → 200.152.8.20:5240.
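The overload table of slides 12 to 16 as an added Python simulation (not code from the deck): the router keeps an (internal IP, internal port) to public-port mapping, reuses the host's own port when it is free and picks a spare one on a collision. The class and field names, the spare port 5200 and the lookup by public port alone are constructed to mirror the slides; a real conntrack entry keys on the full 5-tuple.

```python
from dataclasses import dataclass

PUBLIC_IP = "200.152.8.20"      # the router's single public address in the slides


@dataclass(frozen=True)
class Packet:                    # constructed 4-tuple, enough for the NAT table
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """Overload/PAT table: (internal IP, internal port) <-> public port."""

    def __init__(self, public_ip=PUBLIC_IP, first_spare_port=5200):
        self.public_ip = public_ip
        # 5200 reproduces slide 15; a real router allocates from a configured range
        self.next_spare = first_spare_port
        self.out_map = {}        # (internal ip, internal port) -> public port
        self.in_map = {}         # public port -> (internal ip, internal port)

    def _bind(self, key):
        # Keep the host's own source port when it is free (slide 13: 1200 -> 1200);
        # on a collision take the next spare public port (slide 15: 1200 -> 5200).
        port = key[1]
        if port in self.in_map:
            while self.next_spare in self.in_map:
                self.next_spare += 1
            port = self.next_spare
        self.out_map[key] = port
        self.in_map[port] = key
        return port

    def outbound(self, pkt):
        """LAN -> Internet: source IP (and, on collision, source port) rewritten."""
        key = (pkt.src, pkt.sport)
        port = self.out_map.get(key)
        if port is None:
            port = self._bind(key)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: destination looked up in the table; None = no mapping."""
        key = self.in_map.get(pkt.dport)
        if pkt.dst != self.public_ip or key is None:
            return None          # unsolicited packet: nothing to translate it to
        return Packet(pkt.src, pkt.sport, key[0], key[1])
```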
• 17. NAT - translation example ↝ Summary of the modifications made to the packets: Outbound interface (router, before NAT → after NAT): IP Src 192.168.10.8 → 200.152.8.20, IP Dest 201.10.0.5 (unchanged), Source Port 1450 (unchanged), Dest. Port 80 (unchanged); Inbound interface (router, before NAT → after NAT): IP Src 201.10.0.5 (unchanged), IP Dest 200.152.8.20 → 192.168.10.8, Source Port 80 (unchanged), Dest. Port 1450 (unchanged).
  • 18. TCP/IP Header ↝ Manipulating packets - under the covers;
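The header manipulation behind slides 17 and 18, as an added Python example that is not part of the original deck: it builds a minimal IPv4/TCP packet with the slide-17 addresses and ports, rewrites the source (outbound) or the destination (inbound) and recomputes both checksums, because the TCP checksum covers a pseudo-header that contains the IP addresses. The function names are constructed for this example.

```python
import struct
from socket import inet_aton, inet_ntoa


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src, dst, tcp):
    # Pseudo-header = src IP, dst IP, zero, protocol 6, TCP length: this is why a
    # NAT device must recompute the TCP checksum even if only the IP header changed.
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp)


def build_packet(src, dst, sport, dport):
    """Minimal IPv4 + TCP SYN (no options, no payload) with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0))
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                               inet_aton(src), inet_aton(dst)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + tcp)


def parse(pkt):
    """Return (src, dst, sport, dport) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20]), *struct.unpack("!HH", pkt[ihl:ihl + 4]))


def checksums_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    return checksum(ip) == 0 and tcp_checksum(inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), tcp) == 0


def nat_rewrite(pkt, new_src=None, new_dst=None, new_sport=None, new_dport=None):
    """Slide-17 rewrite: outbound changes the source, inbound the destination (ports for PAT)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if new_src:   ip[12:16] = inet_aton(new_src)
    if new_dst:   ip[16:20] = inet_aton(new_dst)
    if new_sport: tcp[0:2] = struct.pack("!H", new_sport)
    if new_dport: tcp[2:4] = struct.pack("!H", new_dport)
    ip[10:12] = b"\x00\x00"                  # checksum field is zero while recomputing
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(inet_ntoa(bytes(ip[12:16])),
                                                inet_ntoa(bytes(ip[16:20])), bytes(tcp)))
    return bytes(ip + tcp)
```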
• 19. Where are the records? ↝ Netfilter uses a "state machine"; ■ to track connections; ↝ It needs to keep information about every connection in progress; ■ it is also possible not to track connections; ↝ conntrack is the tracker used for this; ○ /proc/sys/net/ipv4/netfilter
  • 20. Manipulating packets in a network IP TABLES
• 21. Net. Security - Firewall ● Private networks must be "invisible" to the external world (from a security standpoint); ● A firewall controls the data traffic that passes through the network, like a wall, verifying what is sent and received; ● The firewall can be described as a system that, once configured, "blocks" unwanted packet traffic by applying security policies at specific points in the network. A typical example of a network connected to the Internet
• 22. Firewall Linux - iptables ● Packet-level flow control through iptables; ● Tables with sets of rules (chains) that allow packets to be filtered and manipulated at different points of the packet flow; ● Chains hold a set of rules that are applied to the packets; ● There are 4 types of tables, each corresponding to a specific packet flow (explained later)
• 23. Types of tables ↝ Raw ↝ Packets handled without connection tracking; ↝ Filter ↝ The default table for packet filtering; ↝ NAT ↝ Used for address translation; ↝ Mangle ↝ Used for specific modifications to the packets;
• 24. Built-in Chains ↝ Default chains on each table; for example, the RAW table has the PREROUTING and OUTPUT chains.
• 26. Packet targets ↝ ACCEPT ↝ The packet is let through and skips the remaining rules of the chain; ↝ REJECT ↝ The packet is discarded and an ICMP notification (destination unreachable) is sent to the source; ↝ DROP ↝ The packet is discarded without notifying the source; ↝ QUEUE ↝ The packet is handed to user space for further processing
  • 27. Study-case scenarios ↝ Create a subnetwork in a host within the PARKS network; ↝ Configure a DHCP server on this host; ↝ Add rules for packet forwarding; ↝ Allow access to the Internet for this subnetwork;
• 28. Server properties ↝ Create a subnetwork in a PARKS host; ↝ Configure a DHCP server; ↝ Configure iptables with specific rules: ➢ Allow HTTP[S] traffic only during a specific time window; ➢ Translate addresses for the hosts accessing the Internet; ➢ Allow FTP traffic; ➢ HTTP server on a specific host in the subnet, reachable from outside; ➢ FTP server allowed to work only within the subnet;
• 29. PARKS network - overview ↝ Host1 to Host5 and the firewall (192.168.200.188) on a hub/switch in the internal network, connected to the Internet;
• 30. PARKS network - scenario ↝ Host1 to Host4 stay on the hub/switch in the internal network behind the firewall; Host5 (Firewall) fronts a new subnetwork with Host11 and Host12 and connects it to the Internet;
• 31. Required configuration ↝ Fixed IP for the server (in this case); ↝ echo "1" > /proc/sys/net/ipv4/ip_forward (enables packet forwarding between interfaces); ↝ tail -f /var/log/messages (follow the log while testing the rules)
  • 34. Flush Tables & Default Filter
  • 40. Filter - FORWARD, OUTPUT ↝ By default, the OUTPUT chain is set as ACCEPT;