Professional Documents
Culture Documents
What is it?
Firewall
What is it?
What is it?
Firewall is a hardware or software that prevents
unauthorized access to or from a network
What is it?
Firewall is a hardware or software that prevents
unauthorized access to or from a network
●
Application layer firewall
Firewall – third generation
Firewall
Telnet port 23
Iptables, xtables-addons
ebtables, arptables
Firewall - ebtables
3. broute
In this table we place rules which should route frames
● BROUTING
192.168.1.1 192.168.2.1
192.168.1.2
192.168.2.2
eth0 eth1
Firewall – ebtables - bridge
192.168.1.1 192.168.2.1
192.168.1.2
192.168.2.2
eth0 eth1
Firewall – ebtables - bridge
192.168.1.1 192.168.2.1
192.168.1.2
192.168.2.2
eth0 eth1
192.168.1.1 192.168.2.1
192.168.1.2
192.168.2.2
eth0 eth1
Installation:
root@Bridge:# apt-get install ebtables
Firewall – ebtables – installation & rules
Installation:
root@Bridge:# apt-get install ebtables
Installation:
root@Bridge:# apt-get install ebtables
Installation:
root@Bridge:# apt-get install ebtables
Append the rule to the end of the chain: iptables -A rule_specification -j target
root@Harvey:# iptables -A INPUT --dport 80 -j DROP
Rule specifications:
-p protocol - protocol responsible for creating the frame
-i interface - the interface the frame was originally received from
-o interface - the interface by which the frame is going to be sent
-s source - source MAC address
-d destination - destination MAC address
Firewall – ebtables – targets
This is a basic filter configuration which will only let frames made by the
protocols IP version 4 and ARP through
Firewall – ebtables – MAC NAT
192.168.2.2
eth0 eth1
192.168.2.2
eth0 eth1
192.168.2.2
eth0 eth1
192.168.2.2
eth0 eth1
Installation:
root@Harvey:# apt-get install arptables
Firewall – arptables – tables
Installation:
root@Harvey:# apt-get install arptables
Firewall – arptables – tables
Installation:
root@Harvey:# apt-get install arptables
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
To set the policy for the chain: (only for built-in chains)
arptables -P chain policy (ACCEPT/DROP/RETURN)
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
Firewall – arptables – rule building & commands
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
To set the policy for the chain: (only for built-in chains)
arptables -P chain policy (ACCEPT/DROP/RETURN)
Firewall – arptables – rule building & commands
Rule building:
arptables [-t table] command rule-specification [options]
● Option -t can be omitted
To set the policy for the chain: (only for built-in chains)
arptables -P chain policy (ACCEPT/DROP/RETURN)
Rule specifications:
● '-s address[/mask]' - the Source IP specification
● '-i name' - the interface via which a frame is received (for the INPUT
'!' option before the specification inverts the test for that specification
Firewall - arptables - example
Computer1
192.168.2.2
Harvey
BB:BB:BB:BB:BB:BB
Router
192.168.2.3
Switch CC:CC:CC:CC:CC:CC
192.168.2.1
AA:AA:AA:AA:AA:AA
Firewall - arptables - example
Computer1
192.168.2.2
Harvey
BB:BB:BB:BB:BB:BB
Router
192.168.2.3
Switch CC:CC:CC:CC:CC:CC
192.168.2.1
AA:AA:AA:AA:AA:AA
● Harvey sends valuable data to Router and wants to protect himself
from Computer1 ARP Spoofing
Firewall - arptables - example
Computer1
192.168.2.2
Harvey
BB:BB:BB:BB:BB:BB
Router
192.168.2.3
Switch CC:CC:CC:CC:CC:CC
192.168.2.1
AA:AA:AA:AA:AA:AA
● Harvey sends valuable data to Router and wants to protect himself
from Computer1 ARP Spoofing
root@Harvey:# arptables -A INPUT -s 192.168.2.1 --source-mac ! AA:AA:AA:AA:AA:AA -j DROP
root@Harvey:# arptables -A OUTPUT -d 192.168.2.1 --destination-mac ! AA:AA:AA:AA:AA:AA -j
DROP
Firewall - arptables - example
Computer1
192.168.2.2
Harvey
BB:BB:BB:BB:BB:BB
Router
192.168.2.3
Switch CC:CC:CC:CC:CC:CC
192.168.2.1
AA:AA:AA:AA:AA:AA
● Harvey sends valuable data to Router and wants to protect himself
from Computer1 ARP Spoofing
root@Harvey:# arptables -A INPUT -s 192.168.2.1 --source-mac ! AA:AA:AA:AA:AA:AA -j DROP
root@Harvey:# arptables -A OUTPUT -d 192.168.2.1 --destination-mac ! AA:AA:AA:AA:AA:AA -j
DROP
root@Harvey:# arptables -L
Chain INPUT (policy ACCEPT)
-j DROP -s 192.168.2.1 ! --src-mac aa:aa:aa:aa:aa:aa
● filter ● mangle
– INPUT – PREROUTING
– FORWARD – INPUT
– OUTPUT – OUTPUT
● nat – FORWARD
– PREROUTING – POSTROUTING
– OUTPUT ● raw
– POSTROUTING – PREROUTING
– OUTPUT
Firewall - iptables - tables
● Other matches:
● -m or --match
● -m conntrack
Allows filter rules to match based on connection state. Permits the use
of the --ctstate option.
● --ctstate
Example: iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j
ACCEPT
Firewall - iptables - rule specifications (matches)
● Other matches:
● -m or --match
● -m conntrack
Allows filter rules to match based on connection state. Permits the use
of the --ctstate option.
● --ctstate
Example: iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j
ACCEPT
● There are two types of NAT: Source NAT (SNAT) and Destination
NAT (DNAT)
● There are two types of NAT: Source NAT (SNAT) and Destination
NAT (DNAT)
● There are two types of NAT: Source NAT (SNAT) and Destination
NAT (DNAT)
● There are two types of NAT: Source NAT (SNAT) and Destination
NAT (DNAT)
●
1st Example: IP Masquerading
Internet
Host 1 Router
Packet source IP: Packet source IP:
192.168.1.2 178.36.119.72
●
1st Example: IP Masquerading
Internet
Host 1 Router
Packet source IP: Packet source IP:
192.168.1.2 178.36.119.72
●
1st Example: IP Masquerading
Internet
Host 1 Router
Packet source IP: Packet source IP:
192.168.1.2 178.36.119.72