Firewalls: Building Firewalls with iptables, Part 1
Exposing any system, no matter how briefly, to an untrusted network is suicidal. A firewall, while not a 100% secure solution, is absolutely vital. The Linux world gives us an excellent firewall utility in netfilter/iptables. It is free and runs nicely on feeble old PCs. Netfilter/iptables is flexible, powerful, and enables fine-grained control of incoming and outgoing traffic. The two main functions this series will address are building firewalls and sharing Internet connections, which commonly go hand-in-hand. In Part 1 we'll cover basic concepts; Part 2 will offer examples of rulesets for various uses.
May 28, 2003
By Carla Schroder
Netfilter/iptables is included with the 2.4/2.5 Linux kernel for firewall,
network address translation (NAT), and packet mangling functions. Netfilter
works inside the kernel, while iptables is the table structure for the
user-defined rulesets. Netfilter/iptables is the descendant of our old friends
ipchains and ipfwadm (IP firewall administration); for simplicity, let's call it
iptables from this point forward.
Some other excellent uses for iptables are for building firewalls for
individual Unix/Linux/BSD workstations and also for building firewalls for
subnets to protect other platforms. It's free, so why not construct layers of
defenses? Depending solely on a gateway firewall is not enough.
iptables reads only packet headers, and as a result does not inspect payload.
It also does not perform authentication. For extra security, combine it with a
proxy server such as Squid. For Windows users, AnalogX is a popular proxy server
noted for its ease of use. (Beware that the default configuration is completely
insecure. Do not "set it and forget it," as it installs wide open.)
What It Does
The typical setup is to have two network interfaces -- one "outward" and one
"inward" (or call them public and private). iptables reads incoming (and
outgoing -- don't forget egress
filtering!) packet headers and compares them to the rulesets, then forwards
the acceptable packets from one interface to the other. Rejected packets are
dropped on the spot -- boom splat -- or are directed in other ways, as you
prefer.
Packets must traverse tables and chains. iptables has three
built-in tables: filter, NAT, and mangle. (The mangle table is for
specialized packet alterations, which we will not cover in this series.)
Chains are the lists of rules in each table that match packets and then
tell what to do with them. A target is the action a rule applies to a matching
packet. You'll see these terms a lot.
Unlike ipchains and ipfwadm, iptables uses stateful packet inspection.
iptables inspects the source and destination IP addresses, the source and
destination ports, and the sequence numbers of incoming packets. In a sense,
iptables "remembers" which packets are already permitted on an existing
connection. This provides a significant gain in security -- ephemeral ports are
open only for as long as they are needed, as opposed to requiring all manner of
permanent holes in the firewall to accommodate the various protocols. Malicious
packets with altered headers are detected and dropped, even when they contain an
allowed destination address and port.
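To make the tables, chains, targets and stateful matching described above concrete, here is an added example (not from the article, and not Part 2's rulesets) that assembles a minimal two-interface ruleset for the "outward/inward" layout from the What It Does section. The interface names eth0/eth1 and the private subnet 192.168.1.0/24 are assumed placeholders. The script only prints the iptables commands so they can be reviewed before being run as root; the `-m state --state` match is the syntax of the 2.4-era kernels the article covers (newer kernels spell it `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example: generate (not apply) a minimal stateful firewall ruleset.
# WAN_IF, LAN_IF and LAN_NET are assumed placeholder values for this example.
WAN_IF="${WAN_IF:-eth0}"              # "outward" / public interface
LAN_IF="${LAN_IF:-eth1}"              # "inward" / private interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed sample subnet

# Print the ruleset. Each line is one rule: a table (-t, default filter),
# a chain (-A INPUT/FORWARD, -t nat POSTROUTING), match criteria, and a
# target (-j ACCEPT/DROP/MASQUERADE) -- the vocabulary from the article.
build_ruleset() {
    cat <<EOF
# start clean, then default-deny: anything not explicitly matched is dropped
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback is always fine
iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: a packet from the public side claiming a private source is bogus
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
# stateful core: replies to connections we already permitted are allowed in,
# so no permanent holes for ephemeral ports are needed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# a "new" TCP connection that does not start with SYN has a tampered header
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# administration of the firewall itself only from the private side
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# hosts on the private side may open new connections outward (egress policy
# lives here: tighten -p/--dport on this rule to restrict what they may reach)
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# share the Internet connection: rewrite private source addresses (nat table)
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Number of actual rule lines (comments excluded), handy for a sanity check.
count_rules() {
    build_ruleset | grep -c '^iptables'
}

build_ruleset
```

Running the script prints the commands; piping its output into `sh` as root applies them. The order matters: the ESTABLISHED,RELATED rules sit before the NEW-connection rules so return traffic is matched cheaply, and the default DROP policies mean a packet that matches nothing is discarded, which is exactly the "rejected packets are dropped on the spot" behaviour the article describes.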