Page 1: Iptable

Seminar on Window FIREWALL And IPTABLES

Turning small Mind Into Hackers

Page 2: Iptable

Topic Covered

1. What is Firewall?
2. Types of Firewall.
3. What is Iptables?
4. Packet Processing In Iptables.
5. Various Commands.
6. Example.

Page 3: Iptable

What is Firewall

A firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set.

A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

Page 4: Iptable

Types of Firewall

There are different types of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced:

1. Network Layer/Packet Filters.
2. Application Layer.
3. Proxies.
4. Network Address Translation (NAT).

Page 5: Iptable

Types of Firewall: Network layer or packet filters

Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules, or default rules may apply.

The term "packet filter" originated in the context of BSD operating systems.

Page 6: Iptable

Types of Firewall: Stateful and Stateless (Network Layer)

Stateful: Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.

Stateless: Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.

Page 7: Iptable

Types of Firewall: Application Layer

-> Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets travelling to or from an application while blocking other packets.

-> Application firewalls function by determining whether a process should accept any given connection. Application firewalls accomplish their function by hooking into socket calls to filter the connections between the application layer and the lower layers of the OSI model. Application firewalls that hook into socket calls are also referred to as socket filters.

Page 8: Iptable

Types of Firewall: Proxies

-> A proxy server may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets.

-> A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

-> Intruders may hijack a publicly reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines.

Page 9: Iptable

Types of Firewall: Network Address Translation (NAT)

-> Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918.

-> Firewalls often have such functionality to hide the true address of protected hosts.

Page 10: Iptable

IP-TABLES

Iptables is the firewall used on the Linux platform. Prior to Iptables, Ipchains was among the most popular Linux firewalls.

It had certain imperfections which were fixed, resulting in a new product from the NetFilter organization called IP-TABLES.

RedHat and Fedora Linux have made Iptables their default pre-installed firewall package.

Page 11: Iptable

Packet Processing In Iptables

Every packet passes through a series of built-in queues called tables for processing. Basically, there are three tables:

-> Filter Table: The default table for handling network packets.

-> NAT Table: Used to alter packets that create a new connection.

-> Mangle Table: Used for specific types of packet alteration. It is a combination of both filter and NAT table.
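The three tables in use together, as an added example that is not part of the seminar deck: a small NAT router that hides a LAN behind one public address, which is the NAT behaviour described on Page 9. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions; -t selects the table and omitting it means the filter table. Setting IPT=echo prints the commands instead of applying them, since applying them needs root.

```shell
# Added example, not from the seminar deck: the three tables from Page 11 on a
# small NAT router that hides a LAN behind one public address (Page 9).
# IPT=echo prints the commands instead of applying them; applying them needs
# root, and forwarding itself is switched on separately
# (sysctl net.ipv4.ip_forward=1, deliberately not done by this script).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"               # assumption: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"               # assumption: LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed: RFC 1918 range used on the LAN

nat_router() {
    # filter table (the default when -t is omitted): decides which forwarded
    # packets pass at all. Connections may start on the LAN side only; their
    # replies come back in through the ESTABLISHED,RELATED match.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat table: consulted for the first packet of each new connection only.
    # MASQUERADE rewrites the private source address to the address of the
    # WAN interface; the reverse translation of replies is automatic.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # mangle table: alteration that is neither filtering nor address rewriting.
    # Clamping the TCP MSS to the path MTU on the WAN side avoids stalled
    # transfers on links such as PPPoE whose MTU is below 1500.
    $IPT -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Count the rules the dry run would append to a table (filter is implicit,
# so its rules are the -A lines that carry no -t option).
rules_in_table() {
    case "$1" in
        filter) (IPT=echo; nat_router) | grep -- '-A ' | grep -vc -- '-t ' ;;
        *)      (IPT=echo; nat_router) | grep -c -- "-t $1 " ;;
    esac
}
```

Running `IPT=echo sh nat-router.sh` and calling nat_router shows the rule set without touching the kernel; rules_in_table reports two filter rules, one nat rule and one mangle rule, which is a quick way to see that the same iptables binary is writing into three different queues.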

Page 12: Iptable

Option used in Iptable commands

When using the iptables command, specify the following options:

-> Packet Type: Dictates what type of packets the command filters.

-> Packet Source/Destination: Dictates which packets the command filters based on the source or destination of the packet.

-> Target: Dictates what action is taken on packets matching the above criteria.

Page 13: Iptable

Various Commands

-A : Appends the iptables rule to the end of the specified chain.

-F : Flushes the selected chain, which effectively deletes every rule in the chain.

-L : Lists all of the rules in the chain specified after the command.

iptables -L <chain-name> -t <table-name>

-N : Creates a new chain with a user-specified name.

-P : Sets the default policy for a particular chain, so that when packets traverse an entire chain without matching a rule, they will be sent on to a particular target, such as ACCEPT or DROP.

Page 14: Iptable

General Iptables Match Criteria

Iptables command      Description

-t <table>            If you don't specify a table, then the filter table is assumed. As discussed before, the possible built-in tables include: filter, nat, mangle.

-j <target>           Jump to the specified target chain when the packet matches the current rule.

-p <protocol-type>    Match protocol. Types include icmp, tcp, udp, and all.

-s/-d <ip-address>    Match source/destination IP address.

-i <interface-name>   Match "input" interface on which the packet enters.

-o <interface-name>   Match "output" interface on which the packet exits.
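The chain-management options from Page 13 and the match criteria from Page 14 assembled into one small host firewall, as an added example that is not part of the seminar deck. The interface name eth0 follows the slides; the admin subnet 192.0.2.0/24 is a constructed placeholder from the documentation range. Setting IPT=echo prints the commands instead of applying them, since applying them needs root and changes the live rule set.

```shell
# Added example, not from the seminar deck: the chain-management options from
# Page 13 (-F, -P, -N, -A, -L) and the match criteria from Page 14 (-t, -p,
# -s, -i, -j) assembled into a small host firewall. IPT=echo prints the
# commands instead of applying them; applying them needs root.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # assumption, as on the slides: eth0 faces the internet
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed placeholder (documentation range); use your admin subnet

build_firewall() {
    # -F: empty the built-in chains of the filter table before rebuilding them
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    # -P: what happens to a packet that reaches the end of a chain unmatched.
    # Inbound and forwarded traffic is dropped by default; outbound is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # -N: a user-defined chain for administrative access. If it already exists
    # from an earlier run, -N fails, so flush it instead.
    $IPT -N ADMIN 2>/dev/null || $IPT -F ADMIN
    $IPT -A ADMIN -p tcp --dport 22 -j ACCEPT
    $IPT -A ADMIN -j DROP
    # -A appends in order, so the first matching rule wins: loopback, then
    # replies to connections this host opened, then SSH from the admin subnet,
    # which is handed to the ADMIN chain (-i, -p, -s match; -j is the target).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 -j ADMIN
    # -L with -t: show the result; -n avoids DNS lookups, -v shows counters
    $IPT -L INPUT -t filter -n -v
}

# Count the rules the dry run would append to a chain (a check on the script
# itself, run before anything is applied).
count_rules() {
    (IPT=echo; build_firewall) | grep -c -- "-A $1 "
}

# Usage: sh firewall.sh dry-run   (print)   or   sh firewall.sh apply   (as root)
case "${1:-}" in
    dry-run) IPT=echo; build_firewall ;;
    apply)   build_firewall ;;
esac
```

The dry run appends three rules to INPUT and two to ADMIN. Because the INPUT policy is DROP, anything not listed (every other port on eth0, SSH from outside the admin subnet) is silently discarded at the end of the chain, which is the -P behaviour Page 13 describes.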

Page 15: Iptable

Loading Kernel Modules Needed By Iptables

The iptables application requires you to load certain kernel modules to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module, which tracks TCP connection states. (On current kernels the connection-tracking modules carry the nf_ prefix instead: nf_conntrack, nf_conntrack_ftp and nf_nat_ftp.)

# File: /etc/rc.local

# Module to track the state of connections
modprobe ip_conntrack

# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp

# Load iptables NAT module when required
modprobe iptable_nat

# Module required for an active FTP server using NAT
modprobe ip_nat_ftp

Page 16: Iptable

Example: Allowing DNS Access To Firewall

#------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# websites using a single DNS server won't require TCP statements
#------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

Page 17: Iptable

Allowing Firewall To Access The Internet

# Allow port 80 (www) and 443 (https) connections from the firewall
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dport 80,443 -m multiport --sport 1024:65535

# Allow previously established connections
# - Interface eth0 is the internet interface
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp

If you want all TCP traffic originating from the firewall to be accepted, then remove the line:

-m multiport --dport 80,443 -m multiport --sport 1024:65535
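The DNS rules from Page 16 are stateless in the sense of Page 6: the INPUT rule accepts any UDP datagram whose source port is 53 towards any unprivileged port on the firewall, whether or not the firewall ever sent a query. The web rules on Page 17 already use the -m state match; the added example below, which is not part of the seminar deck, applies the same treatment to DNS and includes a small audit function that counts INPUT rules accepting traffic without a state match. As on the slides, eth0 is assumed to be the internet interface; IPT=echo prints the commands instead of applying them.

```shell
# Added example, not from the seminar deck: the Page 16 DNS rules re-expressed
# with connection tracking, as a Page 6 stateful packet filter would do it.
# IPT=echo prints the commands instead of applying them (applying needs root).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumption, as on the slides: eth0 faces the internet

# The deck's original (stateless) rules: any UDP datagram with source port 53
# is accepted inbound to every unprivileged port, solicited or not.
stateless_dns() {
    $IPT -A OUTPUT -p udp -o "$WAN_IF" --dport 53 --sport 1024:65535 -j ACCEPT
    $IPT -A INPUT  -p udp -i "$WAN_IF" --sport 53 --dport 1024:65535 -j ACCEPT
}

# Stateful version: the outgoing query creates a conntrack entry (NEW), and
# only the datagram that matches that entry (ESTABLISHED) is accepted back in.
# TCP 53 is covered as well, because truncated UDP answers are retried over TCP.
stateful_dns() {
    $IPT -A OUTPUT -p udp -o "$WAN_IF" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp -o "$WAN_IF" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p udp -i "$WAN_IF" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -p tcp -i "$WAN_IF" --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# Audit helper: count INPUT rules that ACCEPT without any --state match, i.e.
# rules that let unsolicited packets in. $1 names one of the functions above.
unsolicited_accepts() {
    (IPT=echo; "$1") | grep -- '-A INPUT' | grep -v -- '--state' | grep -c ACCEPT || true
}
```

unsolicited_accepts reports 1 for the original rule set and 0 for the stateful one. The same check can be run against a live rule set by replacing the dry run with `iptables -S INPUT`, which prints rules in the same option syntax.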

Page 18: Iptable

"Thank You for your time and listening to me."