LINUX FIREWALL
SHAR THU
WHAT IS A FIREWALL?
• A firewall is anything, hardware or software, that monitors the packets of digital information that attempt to cross the perimeter of a network.
• Firewalls perform two basic security functions:
  • Packet filtering (of network traffic)
  • Application proxy
FIREWALL SECURITY FEATURES
Some firewall manufacturers add features like:
 Logging unauthorized accesses into/out of a network
 Providing VPN link to another network
 Authenticating users
 Shielding hosts inside the network from hackers
 Caching data
 Filtering content considered inappropriate or dangerous
FIREWALL COMPONENTS
• Packet filter
• Proxy server
• Authentication system
• Software that performs Network Address
Translation (NAT)
• Some firewalls:
• Can encrypt traffic
• Help establish VPNs
• Come packaged in a hardware device that also
functions as a router
• Make use of a bastion host
TYPES OF FIREWALL
• Client firewall
  • e.g. Windows Firewall
  • Protects a single computer
• Network firewall
  • Sits between a private network and a public network
  • Often also provides VPN, routing, . . .
  • Applies its own rule set to each network it connects
NETWORK TRAFFIC
• Inbound traffic
• Outbound traffic
(Diagram: the source (requester) pings 192.168.0.1 (replier) with ICMP. Seen from my service, my internal network or my PC, the request is outbound traffic and the reply from his service is inbound traffic.)
FILTER NETWORK TRAFFIC
• ACL (Access Control List)
• Allow (accept)
• Deny (drop or reject)
FIREWALL RULES (OR) POLICIES
• Rule name
• Action (allow or deny)
• Traffic (inbound or outbound, protocol)
• Source
• Destination

Example rule:
Source     Destination   Traffic   Action
1.1.1.1    192.1.1.1     ICMP      Allow

Default rule in a network firewall: all traffic deny (evaluated last, lowest priority).
NETWORK FIREWALL
WHERE IS A NETWORK FIREWALL USED?
(Diagram: one public network and several private networks.)
BETWEEN PRIVATE & PUBLIC NETWORK!
NETWORK FIREWALL
• Front end
• Back end
(Diagram: Internet -> front-end firewall -> DMZ (switch, LAN) -> back-end firewall -> private LAN and server room.)
FIREWALLS
SOHO firewall devices (photo slide)
FIREWALLS
Network firewall devices (photo slide)
LINUX FIREWALL
LINUX IPTABLES FIREWALL
Client firewall (iptables)
List the rules of a chain:
# iptables -L INPUT    (INPUT chain: inbound traffic)
# iptables -L OUTPUT   (OUTPUT chain: outbound traffic)
LINUX IPTABLES FIREWALL
Append inbound rules in iptables (client firewall):
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p ICMP -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.254/32 -p ICMP -j DROP
# iptables -L INPUT
# service iptables save
# service iptables start
Flags: -A append to a chain, -s source, -d destination, -p protocol, -j jump to a target (ACCEPT/DROP).
Delete a rule by its line number in the chain:
# iptables -D INPUT 1
LINUX IPTABLES FIREWALL
Append inbound and outbound rules in iptables (client firewall):
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p TCP --sport xxx --dport 22 -j DROP
# iptables -A INPUT -s 192.168.0.1 -d 192.168.0.254 -p TCP --dport 443 -j ACCEPT
# iptables -A INPUT -s 0.0.0.0/0 -d 192.168.0.254 -p ICMP -j DROP
# iptables -A OUTPUT -s 192.168.0.254 -d 192.168.0.1 -p ICMP -j DROP
Delete rule number 1 from the OUTPUT chain:
# iptables -D OUTPUT 1
PRIORITY OF FIREWALL RULES
Rules are checked from top to bottom; the first matching rule decides.
Rule name     Action
Rule 1        ACCEPT
Rule 2        ACCEPT
Rule 3        ACCEPT
Rule 4        DROP
All traffic   Deny (default, evaluated last)
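Added example, not from the slides: a small first-match simulator for the client-firewall INPUT chain shown on the previous slides (a rule list with a default DROP policy, `-A` append, `-D` delete by number, `-L` listing). The class and function names, and the test packets, are constructed for this example.

```python
"""First-match evaluation of an iptables-style chain, as the slides describe it:
rules are checked top to bottom, the first match decides, and anything no rule
matches falls through to the default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "icmp"
    dport: Optional[int] = None   # destination port (TCP only)


@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR, like -s 192.168.0.0/24 or -s 0.0.0.0/0
    dst: str                      # CIDR, like -d 192.168.0.254/32
    proto: str                    # -p tcp / -p icmp
    action: str                   # -j ACCEPT / -j DROP
    dport: Optional[int] = None   # --dport, only constrains the rule when given

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        return self.dport is None or pkt.dport == self.dport


class Chain:
    """Ordered rule list with a default policy (like `iptables -P INPUT DROP`)."""

    def __init__(self, policy: str = "DROP") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:      # iptables -A INPUT ...
        self.rules.append(rule)

    def delete(self, number: int) -> None:     # iptables -D INPUT <n>
        # Rule numbers are 1-based and every later rule is renumbered after a
        # deletion, so deleting "by number" twice does not remove rule 1 and 2.
        del self.rules[number - 1]

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, number of the matching rule), or (policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.action, number
        return self.policy, None

    def listing(self) -> List[str]:            # iptables -L INPUT --line-numbers
        return [f"{n} {r.action} {r.proto} {r.src} -> {r.dst}"
                + (f" dport {r.dport}" if r.dport else "")
                for n, r in enumerate(self.rules, start=1)]


def build_input_chain() -> Chain:
    """The INPUT rules from slide 16, appended in slide order."""
    chain = Chain(policy="DROP")
    chain.append(Rule("192.168.0.1/32", "192.168.0.254/32", "tcp", "DROP", dport=22))
    chain.append(Rule("192.168.0.1/32", "192.168.0.254/32", "tcp", "ACCEPT", dport=443))
    chain.append(Rule("0.0.0.0/0", "192.168.0.254/32", "icmp", "DROP"))
    return chain


if __name__ == "__main__":
    inp = build_input_chain()
    for pkt in (Packet("192.168.0.1", "192.168.0.254", "tcp", 443),   # ACCEPT by rule 2
                Packet("192.168.0.1", "192.168.0.254", "tcp", 22),    # DROP by rule 1
                Packet("10.9.8.7", "192.168.0.254", "icmp"),          # DROP by rule 3
                Packet("192.168.0.1", "192.168.0.254", "tcp", 80)):   # DROP by policy
        print(pkt, "->", inp.verdict(pkt))
    # `-D INPUT 1` removes the SSH drop: the HTTPS accept becomes rule 1 and an
    # SSH packet is now dropped by the default policy rather than by a rule.
    inp.delete(1)
    print(inp.listing())
```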
NAT WITH IPTABLES
• POSTROUTING
  • SNAT
• PREROUTING
  • DNAT
• Masquerade (Port Address Translation (PAT))
  • Port address table
• IP translation
NAT WITH IPTABLES
• Masquerade (Port Address Translation (PAT))
(Diagram: inside 1.1.1.1:10000 -> NAT (PAT) -> outside 203.203.203.203:20000; the NAT keeps a table entry 1.1.1.1 10000 <-> 20000 so the reply can be mapped back.)
NAT WITH IPTABLES
• IP translation
(Diagram: requester 1.1.1.1:10000 -> NAT -> 203.203.203.203:10000; only the IP is translated, the port is kept.)
NAT WITH IPTABLES
(Diagram: Internet with a web server on :80; the Linux NAT box has WAN IP=200.200.200.1, GW=200.200.200.254 and LAN IP=192.168.0.254; behind a switch, hosts IP=192.168.0.1 and IP=192.168.0.100, both with GW=192.168.0.254.)
SNAT (POSTROUTING) WITH IPTABLES
Step 1: enable the routing function (IP forwarding)
Step 2: set static IPs (LAN/WAN)
SNAT (POSTROUTING) WITH IPTABLES
One to one (LAN host 192.168.1.2 to the WAN public IP 200.200.200.1):
# iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to 200.200.200.1
Many to one:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 200.200.200.1
Many to many:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j SNAT --to 200.200.200.1-200.200.200.6
Many to one (PAT), with eth0 as the WAN interface; ports 1 to 65535 are used for the translation:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
List or flush the nat table:
# iptables -t nat -L
# iptables -t nat -L POSTROUTING
# iptables -t nat -F
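Added example, not from the slides: a simulator for the two outbound source-NAT forms on slides 19, 20 and 23, one-to-one / many-to-many SNAT (IP changes, source port kept when free) and MASQUERADE/PAT (one public IP, ports rewritten and tracked in a translation table), including the reply path. Class names, the web-server address 198.51.100.10 and the flows are constructed; the table is keyed on endpoints only, whereas real conntrack keys on the full 5-tuple.

```python
"""Outbound source NAT with a translation table, as on the NAT slides.
mode="snat": each inside host gets a public IP from the pool and keeps its
source port if that (ip, port) is still free; mode="masquerade": one public
IP, every new flow gets the next free port (PAT)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint


class SourceNat:
    def __init__(self, public_ips: List[str], mode: str, first_port: int = 20000) -> None:
        self.public_ips = list(public_ips)        # pool for snat, one IP for masquerade
        self.mode = mode
        self.next_port = first_port               # next candidate from the PAT port range
        self.table: Dict[Endpoint, Endpoint] = {}   # inside (ip, port) -> outside (ip, port)
        self.reverse: Dict[Endpoint, Endpoint] = {}  # outside (ip, port) -> inside (ip, port)
        self.ip_map: Dict[str, str] = {}          # snat: inside ip -> public ip

    def _pick_outside(self, inside: Endpoint) -> Endpoint:
        if self.mode == "snat":
            # IP translation: assign a public IP per inside host (round robin
            # over the pool) and keep the source port if nobody else uses it.
            ip = self.ip_map.setdefault(
                inside[0], self.public_ips[len(self.ip_map) % len(self.public_ips)])
            if (ip, inside[1]) not in self.reverse:
                return (ip, inside[1])
        else:
            ip = self.public_ips[0]
        # PAT, or a port clash under SNAT: take the next port not yet in the table.
        while (ip, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return (ip, port)

    def outbound(self, flow: Flow) -> Flow:
        """POSTROUTING: rewrite the source; reuse the entry for a known flow."""
        inside = flow.src
        if inside not in self.table:
            outside = self._pick_outside(inside)
            self.table[inside] = outside
            self.reverse[outside] = inside
        return Flow(self.table[inside], flow.dst)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Reply path: map the destination back to the inside host. A packet with
        no table entry is unsolicited and is not forwarded; reaching an inside
        service from outside needs DNAT (port forwarding) instead."""
        inside = self.reverse.get(flow.dst)
        if inside is None:
            return None
        return Flow(flow.src, inside)


if __name__ == "__main__":
    web = ("198.51.100.10", 80)                    # constructed web server
    pat = SourceNat(["203.203.203.203"], "masquerade")
    print(pat.outbound(Flow(("1.1.1.1", 10000), web)))   # src 203.203.203.203:20000
    print(pat.outbound(Flow(("1.1.1.2", 10000), web)))   # src 203.203.203.203:20001
    print(pat.inbound(Flow(web, ("203.203.203.203", 20000))))   # back to 1.1.1.1:10000
    print(pat.inbound(Flow(("203.0.113.9", 4444), ("203.203.203.203", 22))))  # None
    one = SourceNat(["203.203.203.203"], "snat")
    print(one.outbound(Flow(("1.1.1.1", 10000), web)))   # src 203.203.203.203:10000
```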
DNAT (PREROUTING) WITH IPTABLES
Port forwarding
THANKS!!