LINUX FIREWALL
SHAR THU
WHAT IS A FIREWALL?
• A firewall is anything, hardware or software, that inspects the packets attempting to cross the perimeter of a network and decides whether each one may pass.
• Firewalls perform two basic security functions:
• Packet filtering (network traffic)
• Application proxy
FIREWALL SECURITY FEATURES
Some firewall manufacturers add features like:
• Logging unauthorized accesses into/out of a network
• Providing a VPN link to another network
• Authenticating users
• Shielding hosts inside the network from attackers
• Caching data
• Filtering content considered inappropriate or dangerous
FIREWALL COMPONENTS
• Packet filter
• Proxy server
• Authentication system
• Software that performs Network Address Translation (NAT)
• Some firewalls:
• Can encrypt traffic
• Help establish VPNs
• Come packaged in a hardware device that also functions as a router
• Make use of a bastion host
TYPES OF FIREWALL
• Client (host) firewall
• Runs on a single computer and protects only that host (e.g. Windows Firewall, iptables on a Linux host)
• Network firewall
• Sits between the private network and the public network
• Often also provides VPN, routing, . . . .
• Applies its own rule set to each network it connects
NETWORK TRAFFIC
• Inbound traffic: packets arriving at my service (my internal network or my PC)
• Outbound traffic: packets leaving my network toward another host's service
Example: a ping to 192.168.0.1 is an outbound ICMP echo request from the source (requester); the echo reply from the destination (replier) comes back as inbound traffic.
FILTER NETWORK TRAFFIC
• ACL (Access Control List)
• Allow (accept)
• Deny (drop or reject): drop discards the packet silently, reject also sends an error back (ICMP unreachable or TCP RST), so the sender learns at once that the port is filtered
FIREWALL RULES (OR) POLICIES
• Rule Name
• Action (allow or deny)
• Traffic (inbound or outbound; protocol and port)
• Source
• Destination

Source    Destination   Traffic   Action
1.1.1.1   192.1.1.1     ICMP      Allow

Default rule in a network firewall >> deny all traffic (lowest priority: consulted only when no rule above it matched)
NETWORK FIREWALL
WHERE IS A NETWORK FIREWALL USED?
One public network on the outside, one or more private networks behind the firewall.
BETWEEN PRIVATE & PUBLIC NETWORK!
NETWORK FIREWALL
• Front End: faces the Internet and admits only the traffic destined for the DMZ
• Back End: separates the DMZ from the private LAN and the server room
Topology: Internet - Front End firewall - DMZ (switch) - Back End firewall - switch - private LAN and SVR ROOM
FIREWALLS
SOHO FIREWALL DEVICES
NETWORK FIREWALL DEVICES
LINUX FIREWALL
LINUX IPTABLES FIREWALL
Client (host) firewall with iptables
# iptables -L INPUT    (list the INPUT chain: inbound packets addressed to this host)
# iptables -L OUTPUT   (list the OUTPUT chain: outbound packets generated by this host)
List rules; add -n to skip DNS lookups, -v for packet counters and interfaces, and --line-numbers to see the numbers that -D expects
LINUX IPTABLES FIREWALL
Append INBOUND rules in iptables ( Client Firewall )
Append   Source   Destination   Protocol   Jump (target)
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p icmp -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.254/32 -p icmp -j DROP
# iptables -L INPUT
# service iptables save
# service iptables start
Rules added with -A live only in kernel memory; "service iptables save" (the iptables init service on RHEL/CentOS 6) writes them to /etc/sysconfig/iptables so they survive a reboot. On newer distributions save with iptables-save and restore at boot (e.g. the iptables-services package on RHEL/CentOS 7, netfilter-persistent on Debian/Ubuntu).
# iptables -D INPUT 1
Delete by rule number (the first rule in the chain is 1; numbers shift after every deletion, so check with -L --line-numbers first)
LINUX IPTABLES FIREWALL
Append INBOUND and OUTBOUND rules in iptables ( Client Firewall )
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p tcp --sport xxx --dport 22 -j DROP
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -s 0.0.0.0/0 -d 192.168.0.254 -p icmp -j DROP
# iptables -A OUTPUT -s 192.168.0.254 -d 192.168.0.1 -p icmp -j DROP
--sport xxx stands for a source port or port range; clients choose random ephemeral source ports, so matching on --sport rarely helps for inbound filtering and --dport 22 alone is the usual form. -s 0.0.0.0/0 means any source and can be omitted.
# iptables -D OUTPUT 1
Delete rule number 1 from the OUTPUT chain
PRIORITY OF FIREWALL RULE
Rules in a chain are evaluated top to bottom and the first match wins; nothing after the matching rule is consulted.
Rule Name    Action
Rule 1       ACCEPT
Rule 2       ACCEPT
Rule 3       ACCEPT
Rule 4       DROP
All Traffic  Deny (the chain policy, applied when no rule matched)
-A appends at the bottom (lowest priority) and -I inserts at the top (or at a given position): a broad DROP appended after the ACCEPTs never shadows them, but an ACCEPT appended after a broad DROP is dead.
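As an added example that is not from the slides, the host firewall for 192.168.0.254 written as one complete iptables-restore ruleset instead of one iptables -A at a time, so the whole policy is loaded atomically and can be checked before it is loaded. It combines the slides' DROP/ACCEPT rules with a default-deny INPUT policy and, going beyond the slides, a connection-tracking rule that must sit above the DROPs so that replies to this host's own outbound connections are not dropped. The management network 192.168.0.0/24 for SSH, the rate-limited LOG rule and the choice to drop only echo-request rather than all ICMP are assumptions of the example.

```shell
#!/bin/sh
# Host (client) firewall for 192.168.0.254 in iptables-restore format.
# Added example, not from the slides. Assumptions: the host's own address is
# 192.168.0.254 and 192.168.0.0/24 is the management LAN allowed to SSH in.

host_firewall_rules() {
    host_ip="$1"      # e.g. 192.168.0.254
    mgmt_net="$2"     # e.g. 192.168.0.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be allowed or local services (resolver, databases) break
-A INPUT -i lo -j ACCEPT
# Stateful rule first: replies to connections this host opened and packets
# of already-accepted sessions. It must precede every DROP below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management network
-A INPUT -p tcp -s $mgmt_net -d $host_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# HTTPS from anywhere
-A INPUT -p tcp -d $host_ip --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Drop pings (slide 16 drops all ICMP; keeping other ICMP preserves PMTU discovery)
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Log what the DROP policy is about to discard, rate-limited so logs cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
COMMIT
EOF
}

# 1-based position of the first INPUT rule matching a pattern, so a deploy
# script can verify that the stateful ACCEPT lands above any DROP.
rule_position() {
    pattern="$1"
    host_firewall_rules 192.168.0.254 192.168.0.0/24 \
        | grep '^-A INPUT' | grep -n -- "$pattern" | head -n1 | cut -d: -f1
}

if [ "${1:-}" = "--apply" ]; then
    # Root only. --test parses without loading, so a typo cannot lock you out.
    host_firewall_rules 192.168.0.254 192.168.0.0/24 | iptables-restore --test \
        && host_firewall_rules 192.168.0.254 192.168.0.0/24 | iptables-restore
else
    host_firewall_rules 192.168.0.254 192.168.0.0/24
fi
```

Run it without arguments to print the ruleset, or as root with --apply to validate and load it; pipe the output into a file and point the distribution's iptables service at it to make it persistent. Because the ESTABLISHED,RELATED rule is second (after loopback), the echo-request DROP and the chain policy only ever see new, unsolicited packets.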
NAT WITH IPTABLES
• POSTROUTING chain (nat table)
• SNAT: rewrite the source address after the routing decision, on the way out
• PREROUTING chain (nat table)
• DNAT: rewrite the destination address before the routing decision, on the way in
• MASQUERADE (Port Address Translation, PAT)
• SNAT to whatever address the outgoing interface currently has; many internal addresses share one public address and are told apart by the translated source port, which the kernel records in its connection-tracking table
• IP Translation (one-to-one NAT): each internal address maps to its own public address and ports are left unchanged
NAT WITH IPTABLES
• Masquerade (Port Address Translation (PAT))
Requester (inside)       NAT (PAT)             Seen on the outside
1.1.1.1 : 10000     ->   1.1.1.1:10000    ->   203.203.203.203 : 20000
The source port is rewritten (10000 -> 20000) so that many inside hosts can share 203.203.203.203; the NAT device keeps a translation (connection-tracking) entry so that replies to port 20000 are mapped back to 1.1.1.1:10000.
NAT WITH IPTABLES
• IP Translation (one-to-one NAT)
Requester (inside)       NAT (one-to-one)      Seen on the outside
1.1.1.1 : 10000     ->   1.1.1.1:10000    ->   203.203.203.203 : 10000
Only the address changes; port 10000 is preserved, so each inside host needs its own public address.
NAT WITH IPTABLES
Lab topology for the SNAT/DNAT examples:
Internet / Web :80
|
NAT gateway (Linux): WAN IP=200.200.200.1, GW=200.200.200.254; LAN IP=192.168.0.254
|
SW
|
Client IP=192.168.0.1, GW=192.168.0.254        Client IP=192.168.0.100, GW=192.168.0.254
SNAT (POSTROUTING) WITH IPTABLES
Step 1: enable the routing function (IP forwarding) on the Linux box: sysctl -w net.ipv4.ip_forward=1, and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot
Step 2: set static IPs on the LAN and WAN interfaces
SNAT (POSTROUTING) WITH IPTABLES
One to One
# iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to 200.200.200.1
(192.168.1.2 = LAN host, 200.200.200.1 = WAN public IP)
Many to One
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 200.200.200.1
Many to Many
# iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to 200.200.200.1-200.200.200.6
(the kernel picks one address out of the range for each connection)
Many to One (PAT)
# iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(eth0 = WAN interface; MASQUERADE uses the interface's current address and rewrites the source port, any of 1 to 65535, as needed to keep connections distinct. The second form, without -s, masquerades everything leaving eth0, so pair it with FORWARD rules that restrict which sources may be forwarded. Always give SNAT/MASQUERADE rules -o WAN interface so LAN-to-LAN traffic through the box is not rewritten.)
# iptables -t nat -L
# iptables -t nat -L POSTROUTING
# iptables -t nat -F
(-F with no chain name flushes every chain of the nat table, not only POSTROUTING)
DNAT (PREROUTING) WITH IPTABLES
Port Forwarding: a PREROUTING rule in the nat table rewrites the destination of packets arriving on the public address (for example 200.200.200.1:80) to an internal server before the routing decision is made; the FORWARD chain of the filter table must also accept those packets or they are forwarded nowhere.
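As an added example that is not from the slides, the SNAT rules of the previous slide and the DNAT port forward of this one combined into a single iptables-restore ruleset for the lab topology. Assumptions: eth0 is the WAN interface carrying 200.200.200.1, eth1 is the LAN interface 192.168.0.254/24, and 192.168.0.100 is the internal web server to publish on port 80. The point both slides leave out is that the nat table only rewrites addresses; the FORWARD chain in the filter table still decides what may cross the gateway, so a DNAT rule without a matching FORWARD ACCEPT forwards nothing, and a MASQUERADE rule without FORWARD restrictions lets any source through.

```shell
#!/bin/sh
# NAT gateway rules for the slide topology in iptables-restore format.
# Added example, not from the slides. Assumed interfaces and addresses:
WAN_IF=eth0                 # public side, 200.200.200.1 (assumed)
LAN_IF=eth1                 # private side, 192.168.0.254/24 (assumed)
WAN_IP=200.200.200.1
LAN_NET=192.168.0.0/24
WEB_SRV=192.168.0.100       # internal web server to publish (assumed)

nat_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT (port forwarding): packets arriving on the WAN for $WAN_IP:80 get
# their destination rewritten to the internal server before routing.
-A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $WEB_SRV:80
# SNAT/PAT: LAN sources leaving via the WAN take the public address. SNAT
# suits a static WAN address; MASQUERADE re-reads the interface address
# per packet and is the choice for DHCP or PPP links.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the gateway from the LAN side only
-A INPUT -i $LAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# NAT only rewrites addresses; FORWARD decides what may cross the box.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> Internet: new outbound sessions (SNATed afterwards in POSTROUTING)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Internet -> published web server only. -d matches the post-DNAT address
# because nat PREROUTING runs before filter FORWARD.
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FWD-DROP: "
COMMIT
EOF
}

# Number of -A rules in a chain of the generated ruleset, for sanity checks.
count_rules() {
    nat_gateway_rules | grep -c "^-A $1 "
}

if [ "${1:-}" = "--apply" ]; then
    # Root only: turn on forwarding, validate, then load atomically.
    sysctl -w net.ipv4.ip_forward=1
    nat_gateway_rules | iptables-restore --test && nat_gateway_rules | iptables-restore
else
    nat_gateway_rules
fi
```

Without arguments the script prints the ruleset; with --apply as root it enables forwarding, checks the ruleset with iptables-restore --test and loads it. LAN clients that try to reach the web server through the public address 200.200.200.1 will not get replies with these rules alone, because the server answers them directly on the LAN with its private address; that case needs an additional SNAT (hairpin NAT) rule or split DNS.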
THANKS!!