Modul 3 Firewalll.ppt
FIREWALL
Firewall Concept
- One of the layers of defence that governs how a computer relates to the outside world, by interrogating every traffic flow, packet and port according to the rules in place
- It does this by:
  filtering
  restricting
  rejecting
  connections/activity between a segment of the private network and outside networks that are not within its scope
Simple Configuration
pc (local network) <==> firewall <==> internet (other networks)
[Cartoon: a packet asks the Firewall "May I pass, miss? Here are my papers"; the Firewall answers "Little kids aren't allowed out.. it's late already"]
Firewall Topology:
Basic Two-interface Firewall (no DMZ)
- Connects to ISP using DSL, Cable Modem, ISDN, Dial-up, …
- Provides for “Internet Connection Sharing” of a single public IP address for a local network using SNAT/Masquerading
Firewall Topology:
Three-interface Firewall (with DMZ)
- Provides internet connection sharing of one or more public IP addresses.
- Has a DMZ containing the servers that are exposed to the internet.
- If a DMZ server is hacked, the firewall and the local network aren’t compromised.
Firewall Types
By working mechanism:
- Packet Filtering
  – Filters packets by source, destination and packet attributes (filtering on IP address and port). What is inspected: the IP, TCP, UDP and ICMP headers and the port numbers
- Application Level
  – Usually called a proxy firewall; filtering can be based on packet content
- Circuit Level Gateway
  – Filters by communication session, monitoring the session handshake.
  – Tracks the NEW/ESTABLISHED session states
- Stateful Multilayer Inspection Firewall
  – A combination of the three firewall types above
Circuit Level / Stateful Inspection Firewalls
- Default Behavior
  Permit connections initiated by an internal host
  Deny connections initiated by an external host
  Can change default behavior with ACL
- For DMZ Implementation
  [Diagram: connection attempts from the inside toward the Internet are automatically accepted; connection attempts arriving from the Internet/router are automatically denied]
DMZ Configuration
- Place web servers in the “DMZ” network
- Only allow web ports (TCP ports 80 and 443)
[Diagram: internet <==> Firewall <==> Web Server]
DMZ Configuration
- Don’t allow web servers access to your network
- Allow local network to manage web servers (SSH)
- Don’t allow servers to connect to the Internet
- Patching is not convenient
[Diagram: Firewall, Web Server, internet; the firewall says "Hey, the red ones aren't allowed through"]
IPTABLES
iptables is a networking administration command-line tool on Linux which interfaces to the kernel-provided Netfilter modules. This allows for stateless and stateful firewalls and NAT. It is useful to think of iptables as being a specialised firewall-creation programming language.
How iptables Works
- An incoming packet is processed according to its destination:
  – Destination IP is the firewall itself → it goes through the INPUT chain
  – Destination IP is not the firewall but the packet is to be forwarded → it goes through the FORWARD chain
- The packet is then matched against the policy table held by the firewall, which decides whether it is accepted or dropped.
How the Firewall Works
[Diagram: Firewall Machine]
iptables Syntax
- Options
1. -A, append a new rule at the last position of a chain
   iptables -A INPUT …
2. -D, delete a rule (by number or by specification)
   iptables -D INPUT 1
   iptables -D INPUT -s 202.154.178.2 …
3. -I, insert a new rule at a given position number
   iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT
4. -R, replace a rule
   iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT
5. -F, flush (delete) all rules
   iptables -F
6. -L, list the rules
   iptables -L
Parameters
- -p [!] protocol, the protocol to check
  iptables -A INPUT -p tcp …
- -s [!] address/[mask], match the packet's source address
  iptables -A INPUT -s 10.252.44.145 …
- -d [!] address/[mask], match the packet's destination address
  iptables -A INPUT -d 202.154.178.2 …
- -j target, decide the packet's fate; targets such as ACCEPT/DROP/REJECT
  iptables -A INPUT -d 202.154.178.2 -j DROP
- -i [!] interface_name, the network interface the packet arrived on
  iptables -A INPUT -i eth0 …
- -o [!] interface_name, the network interface the packet leaves on
  iptables -A OUTPUT -o eth1 …
iptables Matches
- mac, match packets by source MAC address
  iptables -A INPUT -m mac --mac-source 44:45:53:54:00:FF -j ACCEPT
- multiport, specify several ports in one rule (requires -p tcp or -p udp)
  iptables -A INPUT -p tcp -m multiport --sports 22,25,110,80 -j ACCEPT
- state, match the connection-tracking state of the packet
  iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables Targets/Jumps
- ACCEPT, the packet is accepted immediately
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- DROP, the incoming packet is discarded silently
  iptables -A INPUT -p tcp --dport 21 -j DROP
- REJECT, the rejected packet is answered with an ICMP error message
  iptables -A INPUT -p tcp --dport 21 -j REJECT
- SNAT, rewrite the packet's source address; usually done on the host that holds the internet connection
  iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2
- DNAT, rewrite the packet's destination address. Typically used when a server has a private IP address: the public address is translated to the private one so the internet can still reach the server
  iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1
- MASQUERADE, share an internet connection when public IP addresses are scarce, mapping the local addresses onto the public one
  iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
- REDIRECT, used for a transparent proxy
  iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-ports 8080
- LOG, record our firewall's activity; to find where the messages are written, check /etc/syslog.conf
  iptables -A FORWARD -j LOG --log-level debug
  iptables -A FORWARD -j LOG --log-tcp-options
Firewall Options
# Load the iptables kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
Deleting iptables Rules
# Flush the iptables rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Delete the manually created (user-defined) chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
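As an added example (not part of the original slides), the script below combines the options, matches and targets from the previous slides into one complete host firewall for the firewall machine itself: it flushes every table as on the slide above, sets a default DROP policy, allows loopback and already-established traffic, opens SSH only to the 192.168.108.0/24 LAN (a constructed value) and HTTP/HTTPS to everyone, rate-limits ping, and logs what it drops. The subnet and the log prefix are assumptions; setting IPT="echo iptables" (or passing dry-run) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the slides' own script: a minimal stateful host firewall
# built from the iptables options shown above.  Set IPT="echo iptables" to
# print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_NET="${LAN_NET:-192.168.108.0/24}"   # constructed: the management LAN

# Flush every chain in every table and delete user-defined chains.
flush_all() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# Default deny: anything not explicitly accepted below is dropped.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Stateful core: always allow loopback, drop packets that belong to no
# known connection, and accept replies to connections we started.
stateful_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Exposed services: SSH only from the LAN, HTTP/HTTPS from anywhere, and
# ping rate-limited so the host stays reachable but not floodable.
service_rules() {
    $IPT -A INPUT -p tcp -s "$LAN_NET" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
}

# Log (rate-limited, so a scan cannot fill the disk) and then drop the rest.
log_and_drop() {
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

apply_firewall() {
    flush_all
    set_policies
    stateful_rules
    service_rules
    log_and_drop
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT="echo iptables"; apply_firewall ;;
esac
```

Run it as `sh fw.sh dry-run` to review the generated rule list before `sh fw.sh apply`; the order matters, since the ESTABLISHED,RELATED rule must come before the per-service rules so that replies are accepted without re-evaluation, and the LOG rule must be the last one before the final DROP.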
Packet Filtering Firewall
[Diagram]
Circuit Level Gateway
[Diagram]
Forward
iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE
iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT
iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp --dport ftp -j REJECT
Case Study 1
- Build your own network
- Install a web server and an FTP server on the Internet network (10.252.105.xxx)
- Configure the firewall so that PC2 and PC3 cannot access web and FTP
Router Computer Setup
PC1
- Enable ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_forward
- Set up NAT
  iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE
- IP addresses
  eth0   → 192.168.105.109  Bcast:192.168.105.255  Mask:255.255.255.0
  eth0:1 → 192.168.108.1    Bcast:192.168.108.255  Mask:255.255.255.0
- Routing
  route add default gw 192.168.105.1
Client Setup
- PC2
  IP: inet addr:192.168.108.10 Bcast:192.168.108.255 Mask:255.255.255.0
- PC3
  IP: inet addr:192.168.108.5 Bcast:192.168.108.255 Mask:255.255.255.0
- PC4
  IP: inet addr:192.168.108.20 Bcast:192.168.108.255 Mask:255.255.255.0
- Gateway for PC2, PC3 & PC4
  route add default gw 192.168.108.1
Connectivity Test
- Router PC1
  ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
- PC2
  ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
- PC3
  ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
- PC4
  ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5, ping 192.168.105.1, ping 202.154.187.4
Firewall Rules
- Configure the firewall so that PC2 and PC3 cannot access web and FTP
iptables -A FORWARD -m state --state NEW -p tcp -s 192.168.108.5/24 -d 0/0 -m multiport --dports www -j REJECT
iptables -A FORWARD -m state --state NEW -p tcp -s 192.168.108.5/24 -d 0/0 -m multiport --dports ftp -j REJECT
(192.168.108.5/24 is the whole 192.168.108.0/24 network, so PC4 is blocked as well; use host addresses without a mask to match only PC2 and PC3)
Save the rules with iptables-save and reload them with iptables-restore.
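The complete router configuration for this case study, as an added example rather than the slides' own script: PC1 forwards and masquerades for the 192.168.108.0/24 clients, and blocks only PC2 (192.168.108.10) and PC3 (192.168.108.5) from web and FTP with one host rule each, instead of the /24 rule on the slide that would also cut off PC4. The uplink interface name eth0 is taken from the router slide; numeric ports instead of service names are a choice made here.

```shell
#!/bin/sh
# Added example for Case Study 1; not the slides' own script.
# PC1 (router) shares its uplink with the 192.168.108.0/24 clients and blocks
# only PC2 and PC3 from web and FTP.  Set IPT="echo iptables" to print the
# rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                       # assumption: uplink toward 192.168.105.1
LAN_NET="192.168.108.0/24"
BLOCKED_HOSTS="192.168.108.10 192.168.108.5"   # PC2 and PC3 from the client slide
BLOCKED_PORTS="80,443,21"                      # http, https, ftp control channel

# "echo 1> file" (no space) redirects echo's output and writes an empty line;
# the space before ">" is required for the sysctl to be set.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

router_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies to already-accepted connections pass whatever follows.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One host rule per blocked PC.  REJECT with a TCP reset gives the client
    # an immediate error instead of a hanging connection.
    for h in $BLOCKED_HOSTS; do
        $IPT -A FORWARD -s "$h" -p tcp -m multiport --dports "$BLOCKED_PORTS" \
             -m state --state NEW -j REJECT --reject-with tcp-reset
    done
    # Everything else from the LAN may go out through the uplink.
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    # Hide the LAN behind the router's own uplink address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)   enable_forwarding; router_rules ;;
    dry-run) IPT="echo iptables"; router_rules ;;
esac
```

After `sh router.sh apply`, repeat the ping tests from the previous slide and then try a web and FTP connection from each PC: PC2 and PC3 get a connection refused, PC4 still reaches both services. Persist the result with `iptables-save > <rules file>` and reload it at boot with `iptables-restore < <rules file>` (the file path is up to you).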
Case Study 2 - DMZ
- eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
- eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
- eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers
Routing traffic between public and DMZ server
- To set a rule for routing all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2 and port 25, network address translation (NAT) uses a PREROUTING rule in the nat table to forward the packets to the proper destination.
- This can be done with appropriate iptables firewall rules to route traffic between the LAN and the DMZ and between the public interface and the DMZ. For example, all incoming mail traffic from the internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):
Routing traffic between public and DMZ server
### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
Where,
- -i eth1 : WAN network interface
- -d 202.54.1.1 : WAN public IP address
- --dport 25 : SMTP traffic
- -j DNAT : the DNAT target sets the destination address of the packet to the address given with --to-destination
- --to-destination 192.168.2.2 : mail server IP address (private IP)
Multi port redirection
- You can also use the multiport iptables module to match a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80) and HTTPS (port 443) traffic to the DMZ load balancer at IP 192.168.2.3:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.3
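The DMZ rule set above accepts any NEW connection from the WAN interface into the DMZ, which forwards more than the three published services. The script below, an added example and not the slides' script, keeps the interface names and addresses from the case study (eth0 LAN, eth1 WAN 202.54.1.1, eth2 DMZ with 192.168.2.2, .3 and .4) but pairs each DNAT rule with a FORWARD rule for exactly that host and port, lets the LAN open connections into the DMZ for management, and logs and drops any connection a DMZ host tries to open toward the LAN, which is the containment property the DMZ topology slide promises. The log prefix is an assumption.

```shell
#!/bin/sh
# Added example for Case Study 2; not the slides' own script.
# Three-interface firewall: eth0 = LAN 192.168.1.0/24, eth1 = WAN 202.54.1.1,
# eth2 = DMZ 192.168.2.0/24.  Set IPT="echo iptables" to dry-run.
IPT="${IPT:-iptables}"
LAN_IF=eth0; WAN_IF=eth1; DMZ_IF=eth2
WAN_IP=202.54.1.1
MAIL_SRV=192.168.2.2; WEB_LB=192.168.2.3; TLS_LB=192.168.2.4

# publish <port> <dmz-host>: one DNAT rule for the public port, plus the
# FORWARD rule that lets the translated packet reach that host only.
publish() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$1" \
         -j DNAT --to-destination "$2"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$2" --dport "$1" \
         -m state --state NEW -j ACCEPT
}

dmz_rules() {
    $IPT -P FORWARD DROP
    # Replies for every allowed direction are handled by one rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections into the DMZ (SSH management, as on the
    # DMZ configuration slide).
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
    # The DMZ may never open a connection into the LAN: log the attempt
    # (a compromised server trying to pivot is worth seeing) and drop it.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW \
         -j LOG --log-prefix "DMZ-to-LAN: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW -j DROP
    # Only the published services are reachable from the WAN.
    publish 25  "$MAIL_SRV"
    publish 80  "$WEB_LB"
    publish 443 "$TLS_LB"
}

case "${1:-}" in
    apply)   dmz_rules ;;
    dry-run) IPT="echo iptables"; dmz_rules ;;
esac
```

Because the FORWARD policy is DROP and no blanket `-i eth1 -o eth2` accept exists, adding a new service is a single `publish` call; nothing else on the DMZ hosts becomes reachable from outside by accident.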
Case Study 3 - Assignment
[Network diagram; addresses shown: 10.252.2.3/24, 192.168.1.3/24, 10.252.0.2/24, 10.252.2.2/24, 10.252.0.3/24, 192.168.1.2/24, 202.0.0.100/24, 202.0.0.200/24]
SHOREWALL
Shorewall
- Shorewall: a tool for building a firewall
  variables: interfaces, zones, rules
- The Shorewall configuration lives in the directory /etc/shorewall and consists at minimum of zones, interfaces, rules, policy, and shorewall.conf.
Shorewall Topology
[Diagram]
Zone
 Shorewall membagi jaringan menjadi beberapa zone yang dideskripsikan
di /etc/shorewall/zones
 diibaratkan komputer terdiri dari dua interfaces maka akan kita buat
menjadi zone net dan zone loc, sehingga konfigurasi /etc/shorewall/zones
sbb:
 #ZONE TYPE OPTIONS IN OUT
 # OPTIONS OPTIONS
 fw firewall
 net ipv4
 loc ipv4

– Zone net adalah zona internet
– zone loc adalah zona lokal
– Zona fw mendeskripsikan mesin firewall itu sendiri.
 Penamaan zona terserah kepada kita.
Interfaces
- Next we define which interfaces the zones above apply to, in /etc/shorewall/interfaces; the configuration looks roughly like:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
Rules
- Rules are the policies that govern each connection arriving at the firewall; an example /etc/shorewall/rules:
#ACTION       SOURCE            DEST   PROTO   DEST PORT(S)
Ping/ACCEPT   loc:192.168.0.1   $FW
ACCEPT        $FW               all    icmp
Web/ACCEPT    all               $FW
SSH/ACCEPT    loc:192.168.0.1   $FW
Policy
- A policy is the general rule applied to traffic between each pair of zones when no rule describes it, for example:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
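The zones, interfaces, rules and policy files above only work together when every zone they mention is declared in zones; Shorewall refuses to start otherwise, which leaves the machine without the firewall you thought you had enabled. As an added example (not the slides' script), the script below writes the four files exactly as shown on the slides into a directory of your choice and runs a constructed pre-flight check, check_zones, that reports any zone referenced in interfaces, policy or rules that zones does not declare. The check treats $FW as the fw zone and ignores the all keyword; the directory argument is an assumption so it can be tried outside /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the slides: write the minimal two-interface
# Shorewall configuration and check it for undeclared zones before
# "shorewall start".

# write_config <dir>: create zones, interfaces, policy and rules as on the slides.
write_config() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION       SOURCE            DEST   PROTO   DEST PORT(S)
Ping/ACCEPT   loc:192.168.0.1   $FW
ACCEPT        $FW               all    icmp
Web/ACCEPT    all               $FW
SSH/ACCEPT    loc:192.168.0.1   $FW
EOF
}

# check_zones <dir>: print "undeclared zone: X" for every zone used in
# interfaces/policy/rules but missing from zones; return 1 if any was found.
check_zones() {
    dir="$1"
    declared=$(awk '!/^#/ && NF {print $1}' "$dir/zones")
    referenced=$( {
        awk '!/^#/ && NF {print $1}' "$dir/interfaces"          # ZONE column
        awk '!/^#/ && NF {print $1; print $2}' "$dir/policy"    # SOURCE, DEST
        awk '!/^#/ && NF {print $2; print $3}' "$dir/rules"     # SOURCE, DEST
    } | sed 's/:.*//' | sed 's/^\$FW$/fw/' | grep -v '^all$' | sort -u )
    rc=0
    for z in $referenced; do
        echo "$declared" | grep -qx "$z" || { echo "undeclared zone: $z"; rc=1; }
    done
    return $rc
}

case "${1:-}" in
    write) write_config "${2:-/etc/shorewall}" ;;
    check) check_zones "${2:-/etc/shorewall}" ;;
esac
```

`sh shorewall-cfg.sh check /etc/shorewall` after editing the files catches the typical mistake of adding a dmz line to interfaces or policy while forgetting the matching zones entry; `shorewall check` (part of Shorewall itself) does a fuller validation once the package is installed.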
- On Debian-based installations /etc/shorewall is usually empty; the default rule files can be copied from /usr/share/doc/shorewall/default-config, and example configurations are also available in /usr/share/doc/shorewall/examples
Installation
- Remove
:~# apt-get remove portmap
:~# apt-get remove nfs-common
:~# apt-get remove pidentd
Installation
- Install Shorewall
:~# apt-get install shorewall
- Install documentation
:~# apt-get install shorewall-doc
Configuration
- go to the shorewall directory
:~# cd /etc/shorewall
- look inside
:/etc/shorewall# ls
Configuration
- Change /etc/default/shorewall from
startup=0
to
startup=1
# vim /etc/default/shorewall
change the startup line
Activate the firewall
- do this
# /etc/init.d/shorewall start
- watch your firewall
# iptables -nL | less
Configure Shorewall from Webmin

More Related Content

Similar to Modul 3 Firewalll.ppt

NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallCassiano Campes
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through IptablesBud Siddhisena
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonMaximilan Wilhelm
 
Chapter 6 firewall
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewallnewbie2019
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slidesadam_merritt
 
7 hands on
7 hands on7 hands on
7 hands onvideos
 
Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translationtmavroidis
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Agnieszka Kuba
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network securityThanawan Tuamyim
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricksJim MacLeod
 

Similar to Modul 3 Firewalll.ppt (20)

NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewall
 
Introduction to firewalls through Iptables
Introduction to firewalls through IptablesIntroduction to firewalls through Iptables
Introduction to firewalls through Iptables
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Iptables
IptablesIptables
Iptables
 
IPTABLES
IPTABLESIPTABLES
IPTABLES
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and python
 
Chapter 6 firewall
Chapter 6 firewallChapter 6 firewall
Chapter 6 firewall
 
Firewall
FirewallFirewall
Firewall
 
Ip6 tables in linux
Ip6 tables in linuxIp6 tables in linux
Ip6 tables in linux
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
Nat 03
Nat 03Nat 03
Nat 03
 
7 hands on
7 hands on7 hands on
7 hands on
 
Ccna Imp Guide
Ccna Imp GuideCcna Imp Guide
Ccna Imp Guide
 
Nad710 Network Address Translation
Nad710   Network Address TranslationNad710   Network Address Translation
Nad710 Network Address Translation
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe Zdalna komunikacja sieciowa - zagadnienia sieciowe
Zdalna komunikacja sieciowa - zagadnienia sieciowe
 
In depth understanding network security
In depth understanding network securityIn depth understanding network security
In depth understanding network security
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
FreeBSD VPN Server
FreeBSD VPN ServerFreeBSD VPN Server
FreeBSD VPN Server
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricks
 
MikroTik Firewall : Securing your Router with Port Knocking
MikroTik Firewall : Securing your Router with Port KnockingMikroTik Firewall : Securing your Router with Port Knocking
MikroTik Firewall : Securing your Router with Port Knocking
 

More from cemporku

Materi matakuliah Ekonomi Digital Pertemuan Ke 1
Materi matakuliah Ekonomi Digital Pertemuan Ke 1Materi matakuliah Ekonomi Digital Pertemuan Ke 1
Materi matakuliah Ekonomi Digital Pertemuan Ke 1cemporku
 
Week5-Jaringan-Komputer.ppt
Week5-Jaringan-Komputer.pptWeek5-Jaringan-Komputer.ppt
Week5-Jaringan-Komputer.pptcemporku
 
JARINGAN KOMUNIKASI DATA.pptx
JARINGAN KOMUNIKASI DATA.pptxJARINGAN KOMUNIKASI DATA.pptx
JARINGAN KOMUNIKASI DATA.pptxcemporku
 
Slide-01.pptx
Slide-01.pptxSlide-01.pptx
Slide-01.pptxcemporku
 
Keamanan Jaringan.ppt
Keamanan Jaringan.pptKeamanan Jaringan.ppt
Keamanan Jaringan.pptcemporku
 
Modul 7 Trojan, Backdoors,RootKit.ppt
Modul 7 Trojan, Backdoors,RootKit.pptModul 7 Trojan, Backdoors,RootKit.ppt
Modul 7 Trojan, Backdoors,RootKit.pptcemporku
 
Modul 5 VPN_2.ppt
Modul 5 VPN_2.pptModul 5 VPN_2.ppt
Modul 5 VPN_2.pptcemporku
 
Modul 5 VPN.ppt
Modul 5 VPN.pptModul 5 VPN.ppt
Modul 5 VPN.pptcemporku
 
Modul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.pptModul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.pptcemporku
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
Minggu #1 konsep sistem temu kembali informasi
Minggu #1 konsep sistem temu kembali informasiMinggu #1 konsep sistem temu kembali informasi
Minggu #1 konsep sistem temu kembali informasicemporku
 
Materi Pemrograman Visual Pertemuan 4
Materi Pemrograman Visual Pertemuan 4Materi Pemrograman Visual Pertemuan 4
Materi Pemrograman Visual Pertemuan 4cemporku
 

More from cemporku (12)

Materi matakuliah Ekonomi Digital Pertemuan Ke 1
Materi matakuliah Ekonomi Digital Pertemuan Ke 1Materi matakuliah Ekonomi Digital Pertemuan Ke 1
Materi matakuliah Ekonomi Digital Pertemuan Ke 1
 
Week5-Jaringan-Komputer.ppt
Week5-Jaringan-Komputer.pptWeek5-Jaringan-Komputer.ppt
Week5-Jaringan-Komputer.ppt
 
JARINGAN KOMUNIKASI DATA.pptx
JARINGAN KOMUNIKASI DATA.pptxJARINGAN KOMUNIKASI DATA.pptx
JARINGAN KOMUNIKASI DATA.pptx
 
Slide-01.pptx
Slide-01.pptxSlide-01.pptx
Slide-01.pptx
 
Keamanan Jaringan.ppt
Keamanan Jaringan.pptKeamanan Jaringan.ppt
Keamanan Jaringan.ppt
 
Modul 7 Trojan, Backdoors,RootKit.ppt
Modul 7 Trojan, Backdoors,RootKit.pptModul 7 Trojan, Backdoors,RootKit.ppt
Modul 7 Trojan, Backdoors,RootKit.ppt
 
Modul 5 VPN_2.ppt
Modul 5 VPN_2.pptModul 5 VPN_2.ppt
Modul 5 VPN_2.ppt
 
Modul 5 VPN.ppt
Modul 5 VPN.pptModul 5 VPN.ppt
Modul 5 VPN.ppt
 
Modul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.pptModul 4 Intrusion Detection System IDS.ppt
Modul 4 Intrusion Detection System IDS.ppt
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
Minggu #1 konsep sistem temu kembali informasi
Minggu #1 konsep sistem temu kembali informasiMinggu #1 konsep sistem temu kembali informasi
Minggu #1 konsep sistem temu kembali informasi
 
Materi Pemrograman Visual Pertemuan 4
Materi Pemrograman Visual Pertemuan 4Materi Pemrograman Visual Pertemuan 4
Materi Pemrograman Visual Pertemuan 4
 

Recently uploaded

Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC   History collection FORMAT.pptxPSYCHIATRIC   History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptxPoojaSen20
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 

Recently uploaded (20)

Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
PSYCHIATRIC History collection FORMAT.pptx
PSYCHIATRIC   History collection FORMAT.pptxPSYCHIATRIC   History collection FORMAT.pptx
PSYCHIATRIC History collection FORMAT.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 

Modul 3 Firewalll.ppt

  • 2. 2 Konsep Firewall  salah satu lapisan pertahanan yang mengatur hubungan komputer dengan dunia luar melalui interogasi setiap traffic, packet, dan port-port yang diatur dengan rule-rule yang ada  Dilakukan dengan cara : Menyaring membatasi menolak hubungan /kegiatan suatu segmen pada jaringan pribadi dengan jaringan luar yang bukan merupakan ruang lingkupnya
  • 3. 3 Konfigurasi Sederhana pc (jaringan local) <==> firewall <==> internet (jaringan lain) Firewall Boleh lewat mbak ? Nih surat-suratnya Anak kecil ga boleh keluar.. sudah malam
  • 4. 4 Firewall Topologi : Basic Two-interface Firewall (no DMZ)  Connects to ISP using DSL, Cable Modem, ISDN, Dial-up, …  Provides for “Internet Connection Sharing” of a single public IP address for a local network using SNAT/Masquerading
  • 5. 5 Firewall Topologi : Three-interface Firewall (with DMZ)  Provides internet connection sharing of one or more public IP addresses.  Had a DMZ containing servers that are exposed to the internet.  If a server is hacked, the Firewall and the Local network aren’t compromised.
  • 6. 6
  • 7. 7
  • 8. 8 Tipe Firewall Berdasarkan mekanisme cara kerja :  Packet Filtering – Memfilter paket berdasarkan sumber, tujuan dan atribut paket (filter berdasar IP dan Port). Yang difilter IP, TCP, UDP, and ICMP headers and port number  Application Level – Biasa disebut proxy firewall, filter bisa berdasarkan content paket  Circuit Level Gateway – Filter berdasarkan sesi komunikasi, dengan pengawasan sesi handshake. – Terdapat sesi NEW/ESTABLISH  Statefull Multilayer Inspection Firewall – Kombinasi dari ketiga tipe firewall diatas
  • 9. 9 Circuit Level / Stateful Inspection Firewalls  Default Behavior Permit connections initiated by an internal host Deny connections initiated by an external host Can change default behavior with ACL  For DMZ Implementation Internet Automatically Accept Connection Attempt Router Automatically Deny Connection Attempt
  • 10. 10 DMZ Configuration  Place web servers in the “DMZ” network  Only allow web ports (TCP ports 80 and 443) internet Firewall Web Server
  • 11. 11 DMZ Configuration  Don’t allow web servers access to your network  Allow local network to manage web servers (SSH)  Don’t allow servers to connect to the Internet  Patching is not convenient Firewall Web Server internet Mas ..yang merah gak boleh lewat lho
  • 13. 13 IPTABLES iptables is a networking administration command-line tool on Linux which interfaces to the kernel-provided Netfilter modules. This allows for stateless and stateful firewalls and NAT. It is useful to think of IPtables as being a specialised firewall-creation programming language.
  • 14. 14 How iptables works
    - An incoming packet is processed according to its destination:
      – Destination IP is the firewall itself -> enters the INPUT chain
      – Destination IP is not the firewall but is to be forwarded -> enters the FORWARD chain
    - The packet is then matched against the policy table held by the firewall to decide whether it is accepted or dropped
  • 16. 16 iptables Syntax
    Options
    1. -A, append a new rule at the last position
       iptables -A INPUT ...
    2. -D, delete a rule (by number or by specification)
       iptables -D INPUT 1
       iptables -D INPUT -s 202.154.178.2 ...
    3. -I, insert a new rule at the given position number
       iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT
    4. -R, replace a rule
       iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT
    5. -F, flush all rules
       iptables -F
    6. -L, list the rules
       iptables -L
  • 17. 17 Parameters
    - -p [!] protocol, the protocol to check
      iptables -A INPUT -p tcp ...
    - -s [!] address/[mask], match the packet source
      iptables -A INPUT -s 10.252.44.145 ...
    - -d [!] address/[mask], match the packet destination
      iptables -A INPUT -d 202.154.178.2 ...
    - -j target, decide the fate of the packet; the target is e.g. ACCEPT/DROP/REJECT
      iptables -A INPUT -d 202.154.178.2 -j DROP
    - -i [!] interface_name, the network interface the packet arrives on
      iptables -A INPUT -i eth0 ...
    - -o [!] interface_name, the network interface the packet leaves by
      iptables -A OUTPUT -o eth1 ...
  • 18. 18 iptables Matches
    - mac, match packets by source MAC address
      iptables -A INPUT -m mac --mac-source 44:45:53:54:00:FF ...
    - multiport, specify several ports in one rule (requires -p tcp or -p udp)
      iptables -A INPUT -p tcp -m multiport --sports 22,25,110,80 -j ACCEPT
    - state, match on the connection state (states are comma-separated, no space)
      iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  • 19. 19 iptables Targets/Jumps
    - ACCEPT, the packet is accepted immediately
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    - DROP, the incoming packet is silently discarded
      iptables -A INPUT -p tcp --dport 21 -j DROP
    - REJECT, the packet is refused and an ICMP error message is sent back to the sender
      iptables -A INPUT -p tcp --dport 21 -j REJECT
    - SNAT, the packet source is rewritten, usually on the host that has the internet connection
      iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2
    - DNAT, rewrites the packet destination address. Typically used when a server has a local IP address: the public address is translated to it so the internet can still reach the server
      iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1
    - MASQUERADE, shares an internet connection when public IP addresses are scarce, mapping local IPs onto the public one
      iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
    - REDIRECT, used for a transparent proxy
      iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-ports 8080
    - LOG, records our firewall's activity; where the log is written is configured in /etc/syslog.conf
      iptables -A FORWARD -j LOG --log-level debug
      iptables -A FORWARD -j LOG --log-tcp-options
  • 20. 20 Firewall Options
    # Load the iptables modules
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_nat_irc
  • 21. 21 Flushing iptables Rules
    # Delete all iptables rules
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    # Delete the manually created (user-defined) chains
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
  • 25. 25 Forward
    # iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE
    # iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT
    # iptables -A INPUT -p icmp -s 0/0 -j DROP
    # iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT
    # iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp --dport ftp -j REJECT
  • 26. 26 Case Study 1
    - Build your own network
    - Install a web server and an FTP server on the "Internet" network (10.252.105.xxx)
    - Configure the firewall so that PC2 and PC3 cannot access the web and FTP servers
  • 27. 27 Configuring the Router Computer PC1
    - Enable IP forwarding
      # echo 1 > /proc/sys/net/ipv4/ip_forward
    - Configure NAT
      # iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE
    - Configure the IP addresses
      eth0    192.168.105.109  Bcast:192.168.105.255  Mask:255.255.255.0
      eth0:1  192.168.108.1    Bcast:192.168.108.255  Mask:255.255.255.0
    - Configure routing
      # route add default gw 192.168.105.1
  • 28. 28 Configuring Each Client
    - PC2 IP address: inet addr:192.168.108.10 Bcast:192.168.108.255 Mask:255.255.255.0
    - PC3 IP address: inet addr:192.168.108.5 Bcast:192.168.108.255 Mask:255.255.255.0
    - PC4 IP address: inet addr:192.168.108.20 Bcast:192.168.108.255 Mask:255.255.255.0
    - Gateway for PC2, PC3 and PC4:
      route add default gw 192.168.108.1
  • 29. 29 Connectivity Test
    - Router PC1: ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
    - PC2: ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
    - PC3: ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
    - PC4: ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5, ping 192.168.105.1, ping 202.154.187.4
  • 30. 30 Firewall Rules
    - Block PC2 and PC3 from accessing the web and FTP servers
      # iptables -A FORWARD -m state --state NEW -p tcp -m multiport -s 192.168.108.5/24 -d 0/0 --dports www -j REJECT
      # iptables -A FORWARD -m state --state NEW -p tcp -m multiport -s 192.168.108.5/24 -d 0/0 --dports ftp -j REJECT
      Note that 192.168.108.5/24 denotes the whole 192.168.108.0/24 network, so as written these rules also block PC4 (192.168.108.20); to block only PC2 and PC3, give their host addresses (192.168.108.10 and 192.168.108.5) instead.
    - Save and reload the rules with iptables-save and iptables-restore
  • 31. 31 Case Study 2 - DMZ
    - eth0 with 192.168.1.1 private IP address - Internal LAN ~ desktop systems
    - eth1 with 202.54.1.1 public IP address - WAN connected to the ISP router
    - eth2 with 192.168.2.1 private IP address - DMZ connected to the Mail / Web / DNS and other private servers
  • 32. 32 Routing traffic between the public network and a DMZ server
    - To route all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2, port 25, network address translation (NAT) uses the PREROUTING chain of the nat table to rewrite the packets to the proper destination.
    - This is done with suitable iptables rules that route traffic between the LAN and the DMZ and between the public interface and the DMZ. For example, all incoming mail traffic from the internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following PREROUTING rule (assuming a default DROP policy on all chains):
  • 33. 33 Routing traffic between the public network and a DMZ server
    ### end init firewall .. Start DMZ stuff ####
    # forward traffic between DMZ and LAN
    iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # forward traffic between DMZ and WAN servers SMTP, Mail etc
    iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Route incoming SMTP (port 25) traffic to DMZ server 192.168.2.2
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
    # Route incoming HTTP (port 80) traffic to DMZ server load balancer IP 192.168.2.3
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
    # Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP 192.168.2.4
    iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
    ### End DMZ .. Add other rules ###
  • 34. 34 Where:
    - -i eth1 : WAN network interface
    - -d 202.54.1.1 : WAN public IP address
    - --dport 25 : SMTP traffic
    - -j DNAT : the DNAT target sets the destination address of the packet to the value given with --to-destination
    - --to-destination 192.168.2.2 : mail server IP address (private IP)
  • 35. 35 Multi-port redirection
    - You can also use the multiport iptables module to match a set of source or destination ports. Up to 15 ports can be specified. For example, to route incoming HTTP (port 80) and HTTPS (port 443) traffic to the DMZ server load balancer IP 192.168.2.3:
      iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.3
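The packet flow of slide 14 (nat PREROUTING DNAT, then the routing decision into INPUT or FORWARD, then first-match evaluation of the chain and finally the chain policy), replayed over the DMZ rule set of slide 33. This is an added example, not code from the slides; the routing table, the firewall's own addresses and the sample packets are constructed for the simulation.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed for the simulation, using case study 2: eth0 = LAN, eth1 = WAN, eth2 = DMZ.
FW_ADDRS = {"192.168.1.1", "202.54.1.1", "192.168.2.1"}   # the firewall's own addresses
ROUTES = [(ip_network("192.168.1.0/24"), "eth0"), (ip_network("192.168.2.0/24"), "eth2")]

@dataclass
class Rule:  # one iptables rule: every field that is set must match (None = any)
    target: str
    in_if: str = None      # -i
    out_if: str = None     # -o
    proto: str = None      # -p
    dst: str = None        # -d
    dport: int = None      # --dport
    states: set = field(default_factory=set)  # -m state --state
    to_dest: str = None    # DNAT --to-destination

    def matches(self, pkt):
        for f in ("in_if", "out_if", "proto", "dst", "dport"):
            if getattr(self, f) is not None and getattr(self, f) != pkt.get(f):
                return False
        return not self.states or pkt.get("state") in self.states

# The slide's nat PREROUTING and filter FORWARD rules, transcribed in order.
PREROUTING = [
    Rule("DNAT", in_if="eth1", proto="tcp", dst="202.54.1.1", dport=25, to_dest="192.168.2.2"),
    Rule("DNAT", in_if="eth1", proto="tcp", dst="202.54.1.1", dport=80, to_dest="192.168.2.3"),
    Rule("DNAT", in_if="eth1", proto="tcp", dst="202.54.1.1", dport=443, to_dest="192.168.2.4"),
]
FORWARD = [
    Rule("ACCEPT", in_if="eth0", out_if="eth2", states={"NEW", "ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if="eth2", out_if="eth0", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if="eth2", out_if="eth1", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if="eth1", out_if="eth2", states={"NEW", "ESTABLISHED", "RELATED"}),
]
def verdict(pkt, policy="DROP"):
    """Slide 14 order: nat PREROUTING (DNAT) -> routing -> INPUT or FORWARD -> chain policy."""
    pkt = dict(pkt)
    for r in PREROUTING:                # DNAT rewrites the destination before routing
        if r.matches(pkt):
            pkt["dst"] = r.to_dest
            break
    if pkt["dst"] in FW_ADDRS:          # addressed to the firewall itself: INPUT chain
        return "INPUT", policy          # the slide defines no INPUT rules, so policy decides
    # Routing decision: LAN and DMZ are directly attached, anything else leaves via the WAN.
    pkt["out_if"] = next((i for net, i in ROUTES if ip_address(pkt["dst"]) in net), "eth1")
    for r in FORWARD:                   # filter FORWARD: first matching rule wins
        if r.matches(pkt):
            return "FORWARD", r.target
    return "FORWARD", policy            # no rule matched: the chain policy (default DROP)
```

A DMZ host opening a NEW connection towards the LAN or the internet falls through to the DROP policy, which is exactly the slide-11 requirement that compromised DMZ servers cannot reach inward or outward.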
  • 36. 36 Case Study 3 - Assignment
    (network diagram with the addresses 10.252.2.3/24, 192.168.1.3/24, 10.252.0.2/24, 10.252.2.2/24, 10.252.0.3/24, 192.168.1.2/24, 202.0.0.100/24 and 202.0.0.200/24)
  • 39. 39 Shorewall
    - Shorewall is a tool for building a firewall from variables: interfaces, zones, rules
    - The Shorewall configuration lives in the directory /etc/shorewall and consists at minimum of the files zones, interfaces, rules, policy and shorewall.conf.
  • 41. 41 Zones
    - Shorewall divides the network into zones, described in /etc/shorewall/zones
    - Suppose the computer has two interfaces; we turn them into the zones net and loc, so /etc/shorewall/zones looks like:
      #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
      fw      firewall
      net     ipv4
      loc     ipv4
      – Zone net is the internet zone
      – Zone loc is the local zone
      – Zone fw describes the firewall machine itself
    - The zone names are up to us.
  • 43. 43 Interfaces
    - Next we define which interfaces the zones above apply to, in /etc/shorewall/interfaces; the configuration looks roughly like:
      #ZONE   INTERFACE   BROADCAST   OPTIONS
      net     eth0        detect      norfc1918
      loc     eth1        detect
  • 45. 45 Rules
    - Rules are the policies that govern each connection arriving at the firewall; an example /etc/shorewall/rules:
      #ACTION        SOURCE            DEST   PROTO   DEST PORT(S)
      Ping/ACCEPT    loc:192.168.0.1   $FW
      ACCEPT         $FW               all    icmp
      Web/ACCEPT     all               $FW
      SSH/ACCEPT     loc:192.168.0.1   $FW
  • 47. 47 Policy
    - A policy is the general rule applied to traffic between each pair of zones whenever no rule describes that traffic, for example:
      #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
      loc       net    ACCEPT
      net       all    DROP     info
      all       all    REJECT   info
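How Shorewall evaluates the rules and policy files shown on slides 45 and 47, as an added example (not code from the slides or from Shorewall itself): the first matching rule wins, otherwise the first policy line whose SOURCE/DEST zones match decides. The Ping, Web and SSH macros are written inline with their standard contents (icmp type 8; tcp 80,443; tcp 22), and each endpoint's zone is passed in directly instead of being derived from the interfaces file.

```python
# Macros used on the slide, with their standard Shorewall contents written inline
# (Ping = icmp type 8, Web = tcp 80 and 443, SSH = tcp 22) so the example runs stand-alone.
MACROS = {"Ping": ("icmp", {8}), "Web": ("tcp", {80, 443}), "SSH": ("tcp", {22})}

# The slide's /etc/shorewall/rules and /etc/shorewall/policy, embedded as text.
RULES = """#ACTION      SOURCE            DEST   PROTO  DEST PORT(S)
Ping/ACCEPT  loc:192.168.0.1   $FW
ACCEPT       $FW               all    icmp
Web/ACCEPT   all               $FW
SSH/ACCEPT   loc:192.168.0.1   $FW
"""
POLICY = """#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

def parse(text):
    """Split a Shorewall table into field lists, skipping comments and blank lines."""
    return [line.split() for line in text.splitlines() if line.strip() and not line.startswith("#")]

def zone_matches(spec, zone, addr):
    """Match a SOURCE/DEST column ('all', 'loc', 'loc:192.168.0.1', '$FW') against an endpoint."""
    if spec == "all":
        return True
    z, _, host = spec.partition(":")
    return ("fw" if z == "$FW" else z) == zone and (not host or host == addr)

def decide(src_zone, src_ip, dst_zone, dst_ip, proto, port=None):
    """Return (action, origin): the first matching rule wins, otherwise the zone policy applies.
    port is the TCP/UDP destination port, or the ICMP type when proto is 'icmp'."""
    for fields in parse(RULES):
        action, src, dst = fields[:3]
        macro, _, verb = action.rpartition("/")
        if macro:                          # e.g. Web/ACCEPT: the macro supplies proto and ports
            want_proto, want_ports = MACROS[macro]
        else:                              # plain rule: PROTO and DEST PORT(S) columns, both optional
            want_proto = fields[3] if len(fields) > 3 else None
            want_ports = {int(p) for p in fields[4].split(",")} if len(fields) > 4 else set()
        if ((want_proto is None or proto == want_proto) and (not want_ports or port in want_ports)
                and zone_matches(src, src_zone, src_ip) and zone_matches(dst, dst_zone, dst_ip)):
            return verb, "rule"
    for src, dst, pol in (f[:3] for f in parse(POLICY)):   # first policy line whose zones match
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return pol, "policy"
    raise ValueError("no policy covers %s -> %s" % (src_zone, dst_zone))
```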
  • 49. 49 On Debian-based installations /etc/shorewall is usually empty; the default rule files can be copied from /usr/share/doc/shorewall/default-config, and example configurations are also available in /usr/share/doc/shorewall/examples
  • 50. 50 Installation
    - Remove
      :~# apt-get remove portmap
      :~# apt-get remove nfs-common
      :~# apt-get remove pidentd
  • 52. 52 Installation
    - Install Shorewall
      :~# apt-get install shorewall
    - Install documentation
      :~# apt-get install shorewall-doc
  • 53. 53 Configuration
    - go to the shorewall directory
      :~# cd /etc/shorewall
    - look inside
      :/etc/shorewall# ls
  • 54. 54 Configuration
    - Change /etc/default/shorewall from startup=0 to startup=1
      # vim /etc/default/shorewall
  • 55. 55 Activate the firewall
    - do this
      # /etc/init.d/shorewall start
    - watch your firewall
      # iptables -nL | less