Firewall and IPtables
Linux - 3
Gaurav Mishra <gmishx@gmail.com>
Unrestricted
2/24/2018
Firewalls
• A firewall is a program used to filter packets.
• It uses a set of preset security rules to filter packets.
• It is used to restrict access from unknown or non-trusted sources.
• Firewalls can perform NAT translations as well.
• Linux systems have a firewall installed for them.
• Any Linux system can act as a firewall for a network.
IPtables
• The security rules and NAT translations used by the firewall are stored in IPtables.
• Netfilter is a modular firewall.
• It stores packet filtering rules and NAT translations separately.
• Each set of rules checked during packet filtering is called a chain.
• The modules used by Netfilter are located at:
▫ /usr/lib/<kernel-version>/kernel/net/ipv<4/6>/netfilter
Packet filtering
• Each rule in a chain contains the following parts:
▫ Protocol (-p)
- TCP, UDP, ICMP or ALL
▫ Source address (-s)
- ip address[/mask][port[:port]]
▫ Destination address (-d)
- ip address[/mask][port[:port]]
▫ Network interface (-i)
- name[+]
▫ Target (-j)
- ACCEPT, DROP, REJECT, QUEUE, RETURN
▫ Connection state (-m state --state)
- NEW, ESTABLISHED, RELATED, INVALID, RELATED+REPLY
Packet filtering
• Accepting packets only from 192.168.56.102
▫ sudo iptables -A INPUT ! -s 192.168.56.102 -j REJECT
• Accepting packets only on ports 80, 8080, 22 and 24 (--dport is provided by the tcp/udp matches, so the rules need -p tcp rather than -p all)
▫ sudo iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j ACCEPT
▫ sudo iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 8080 -j ACCEPT
▫ sudo iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
▫ sudo iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 24 -j ACCEPT
▫ sudo iptables -A INPUT -j REJECT
• Accepting packets only from the local network
▫ sudo iptables -A INPUT -p all ! -s 192.168.56.1/16 -j REJECT
• Preventing new connections on port 22 (the state match is loaded with -m state and then selected with --state)
▫ sudo iptables -A INPUT -p tcp -m state --state NEW -s 0/0 -d 0/0 --dport 22 -j REJECT
NAT operations
• Network Address Translation allows one system to change the source/destination address of a packet and forward it.
• A NAT-enabled machine remembers the changes it made so it can reverse them on the reply packet.
• NAT is especially used in networks with a single exposed IP address.
• NAT-enabled routers allow many machines on a single network to share the same IP address provided by the ISP.
NAT translation
(diagram-only slide in the original deck; no text content)
NAT targets
• SNAT
▫ Modify source address, use --to-source
• DNAT
▫ Modify destination address, use --to-destination
• REDIRECT
▫ Redirect a packet to other destination/port
• MASQUERADE
▫ IP masquerading
• MIRROR
▫ Swap source and destination address
• MARK
▫ Modify Mark field to control message routing
NAT chains
• NAT can be divided into two types: Destination NAT and Source NAT
• The nat table has the following chains:
▫ PREROUTING
- Corresponds to DNAT, arriving packets
▫ POSTROUTING
- Corresponds to SNAT, leaving packets
▫ OUTPUT
- Locally generated packets
• Changing the source of packets leaving the system
▫ sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.56.101
• Changing the destination of packets entering the system
▫ sudo iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.56.103
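The filtering rules from the "Packet filtering" slide and the SNAT/DNAT rules above, written as one iptables-restore ruleset that is loaded atomically instead of appended rule by rule. This is an added example, not part of the deck; it keeps the deck's addresses, interface and ports, and assumes 192.168.56.0/24 as the lab network. It also adds what the bare rule list lacks before its final REJECT (loopback and RELATED,ESTABLISHED accepts) and narrows the NAT rules to the traffic they are meant for.

```shell
#!/bin/sh
# Added example (not from the deck): render the deck's filter and NAT policies
# as one iptables-restore ruleset. Loading a whole ruleset atomically is safer
# than appending rules one by one, and the text can be reviewed and diffed.

LAN_NET="192.168.56.0/24"   # assumed lab network (the deck uses 192.168.56.x hosts)
WAN_IF="eth0"               # interface in the deck's SNAT/DNAT rules
SNAT_SRC="192.168.56.101"   # --to-source from the POSTROUTING slide
DNAT_DST="192.168.56.103"   # --to-destination from the PREROUTING slide
WEB_PORTS="80 8080"         # TCP ports opened to everyone

emit() { printf '%s\n' "$@"; }   # one argument per output line

# filter table: what the "accepting packets only on port ..." slide does,
# plus the pieces a working host needs before the final REJECT: loopback,
# replies to connections we started, and an explicit INVALID drop.
# --dport only exists for -p tcp/-p udp, so no rule here uses -p all.
# -m conntrack --ctstate is the current spelling of the deck's -m state --state.
filter_table() {
  emit '*filter' \
       ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
       '-A INPUT -i lo -j ACCEPT' \
       '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
       '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  for port in $WEB_PORTS; do
    emit "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # the deck's "preventing new connections on port 22", made conditional:
  # new SSH sessions are accepted from the lab network only
  emit "-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT" \
       '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
       'COMMIT'
}

# nat table: the deck's SNAT/DNAT rules, narrowed so they match only the
# traffic they are meant for instead of every packet on eth0.
nat_table() {
  emit '*nat' \
       ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
       ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
       "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DNAT_DST" \
       "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $SNAT_SRC" \
       'COMMIT'
}

ruleset() { filter_table; nat_table; }

# number of -A rule lines in the generated set (9 with the values above)
rule_count() { ruleset | grep -c '^-A'; }

# Parse-check the ruleset without touching the live tables. --test still
# needs root, so the check is skipped (exit 0) when not root or not installed.
check_ruleset() {
  if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
    echo "skipping iptables-restore --test (needs root and iptables)" >&2
    return 0
  fi
  ruleset | iptables-restore --test
}

# Replace the live filter and nat tables atomically (root only).
apply_ruleset() { ruleset | iptables-restore; }

case "${1:-print}" in
  print) ruleset ;;
  check) check_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Run it with no argument to print the ruleset for review, `check` to syntax-check it as root, and `apply` to load it.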