Module 8 Firewall
1
Firewall Concept
2
Simple Configuration
pc (local network) <==> firewall <==> internet (other networks)
Firewall
3
Firewall Topology:
Basic Two-interface Firewall (no DMZ)
4
Firewall Topology:
Three-interface Firewall (with DMZ)
5
Firewall Types
By working mechanism:
Packet Filtering
– Filters packets by source, destination and packet attributes (filtering by IP address and port). What is inspected: IP, TCP, UDP and ICMP headers and port numbers
Application Level
– Usually called a proxy firewall; filtering can be based on packet content
Circuit Level Gateway
– Filters based on the communication session, by monitoring the session handshake.
– Sessions are tracked as NEW/ESTABLISHED
Stateful Multilayer Inspection Firewall
– A combination of the three firewall types above
6
Circuit Level / Stateful Inspection Firewalls
Default Behavior
Permit connections initiated by an internal host
Deny connections initiated by an external host
Can change default behavior with ACL
For DMZ Implementation
(diagram labels: Router, Internet)
7
DMZ Configuration
Place web servers in the “DMZ” network
Only allow web ports (TCP ports 80 and 443)
(diagram labels: internet, Firewall, Web Server)
8
DMZ Configuration
Don’t allow web servers access to your network
Allow local network to manage web servers (SSH)
Don’t allow servers to connect to the Internet
Patching is not convenient
Speech bubble: "Hey, the red ones are not allowed through, you know"
(diagram labels: internet, Firewall, Web Server)
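The two DMZ slides above state a policy in words (web ports only from the internet, SSH only from the local network, nothing from the DMZ outwards). The script below, added here as an example and not taken from the slides, writes that policy as iptables FORWARD rules. Interface names (eth0 local network, eth1 internet, eth2 DMZ), the local subnet 192.168.1.0/24 and the web server address 192.168.2.10 are assumptions; with DRY_RUN=1 the rules are printed rather than applied, so the set can be reviewed before it touches a firewall.

```shell
#!/bin/sh
# Added example (not from the slides): the DMZ policy described above as a
# forwarding rule set. Interface names and addresses are assumptions:
#   eth0 = local network (192.168.1.0/24), eth1 = internet, eth2 = DMZ,
#   192.168.2.10 = the DMZ web server.
LAN_IF=eth0; WAN_IF=eth1; DMZ_IF=eth2
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.2.10

# With DRY_RUN=1 the rules are printed instead of applied, so the policy can be
# reviewed (or tested) on a machine without root or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

dmz_rules() {
    # Default deny for everything that crosses the firewall, then start clean
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies belonging to a connection that was already allowed may pass
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only the web ports, and only to the web server
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_SERVER" --dport 443 -j ACCEPT
    # Local network -> DMZ: management over SSH only
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    # DMZ -> local network: never (the red arrows in the slide); log, then drop
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "[dmz-to-lan]"
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # DMZ -> internet: never either, which is why patching needs a local mirror
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j LOG --log-prefix "[dmz-to-wan]"
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j DROP
}

# Number of rules the policy appends (a quick sanity check after edits)
rule_count() { DRY_RUN=1 dmz_rules | grep -c '^iptables -A '; }

# Usage: ./dmz.sh apply (as root), or DRY_RUN=1 ./dmz.sh apply to only print
if [ "${1:-}" = "apply" ]; then dmz_rules; fi
```

The ESTABLISHED,RELATED rule is what lets the web server answer the clients that the port 80/443 rules admitted; without it the default DROP policy would also discard the replies. Logging before each DROP gives the syslog trail that the LOG target section later in the module describes.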
9
IPTABLES
10
IPTABLES
11
How iptables Works
12
How the Firewall Works
Firewall Machine
13
IPTABLES Syntax
Options
1. -A, appends a new rule at the last position
iptables -A INPUT ...
2. -D, deletes a rule
iptables -D INPUT 1
iptables -D INPUT -s 202.154.178.2 ...
3. -I, inserts a new rule at the given position number
iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT
4. -R, replaces a rule
iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT
5. -F, flushes all rules
iptables -F
6. -L, lists the rules
iptables -L
14
Parameters
-p [!] protocol, the protocol to check
iptables -A INPUT -p tcp ...
-s [!] address/[mask], matches the packet source
iptables -A INPUT -s 10.252.44.145 ...
-d [!] address/[mask], matches the packet destination
iptables -A INPUT -d 202.154.178.2 ...
-j target, decides the packet's fate; targets such as ACCEPT/DROP/REJECT
iptables -A INPUT -d 202.154.178.2 -j DROP
-i [!] interface_name, the network interface the packet arrives on
iptables -A INPUT -i eth0 ...
-o [!] interface_name, the network interface the packet leaves through
iptables -A OUTPUT -o eth1 ...
15
iptables Matches
16
iptables Targets/Jumps
ACCEPT, the packet is accepted immediately
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
DROP, the incoming packet is silently discarded
iptables -A INPUT -p tcp --dport 21 -j DROP
REJECT, the rejected packet is answered with an ICMP error message
iptables -A INPUT -p tcp --dport 21 -j REJECT
SNAT, the packet source address is rewritten, usually on the host that has the internet connection
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2
DNAT, rewrites the packet's destination address. Usually used when a server has a local IP address, so that it stays reachable from the internet through the public address
iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1
MASQUERADE, for sharing an internet connection where the number of IP addresses is limited; maps local IPs onto the public one
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
REDIRECT, used for a transparent proxy
iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-port 8080
LOG, records our firewall's activity; to see where it is written, open /etc/syslog.conf
iptables -A FORWARD -j LOG --log-level debug
iptables -A FORWARD -j LOG --log-tcp-options
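The LOG target only writes lines to syslog; the value comes from reading them. The script below is an added example, not part of the slides, that summarises such lines: which sources hit logged rules most often, and what each source was trying to reach. The four log lines are constructed to look like the kernel messages LOG produces (the `[dmz-to-lan]` prefix and the addresses are invented for the example); the function names are mine. On a real system the file named in /etc/syslog.conf for kernel messages would be piped into these functions instead.

```shell
#!/bin/sh
# Added example (not from the slides): reading what the LOG target writes.
# The lines below are constructed to look like the kernel messages that LOG
# sends to syslog; on a real system feed the file named in /etc/syslog.conf
# (for example /var/log/messages) into these functions instead.
SAMPLE_LOG='Mar  1 10:00:01 fw kernel: [dmz-to-lan]IN=eth2 OUT=eth0 SRC=192.168.2.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=44512 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: [dmz-to-lan]IN=eth2 OUT=eth0 SRC=192.168.2.10 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=44513 DPT=139 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:03 fw kernel: [dmz-to-lan]IN=eth2 OUT=eth0 SRC=192.168.2.10 DST=192.168.1.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=44514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:09 fw kernel: [dmz-to-wan]IN=eth2 OUT=eth1 SRC=192.168.2.11 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1'

# Print "count source" for every SRC= address seen on stdin, busiest first
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
         END { for (s in hits) print hits[s], s }' | sort -rn
}

# Sources whose hit count reaches a threshold: the ones worth a closer look
noisy_sources() {   # $1 = minimum number of logged packets
    top_sources | awk -v min="$1" '$1 >= min { print $2 }'
}

# Distinct "DST:DPT/PROTO" triples one source was logged against
# (DPT is printed as "-" for protocols without ports, such as ICMP)
targets_of() {   # $1 = source address
    awk -v src="$1" 'BEGIN { key = "SRC=" src }
    {
        hit = 0; dst = ""; dpt = "-"; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == key)        hit = 1
            if ($i ~ /^DST=/)     dst = substr($i, 5)
            if ($i ~ /^DPT=/)     dpt = substr($i, 5)
            if ($i ~ /^PROTO=/)   proto = substr($i, 7)
        }
        if (hit) print dst ":" dpt "/" proto
    }' | sort -u
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | top_sources
#   printf '%s\n' "$SAMPLE_LOG" | targets_of 192.168.2.10
# Usage on a live system:  top_sources < /var/log/messages
```

Matching the whole `SRC=` field rather than a prefix matters: a regex for `SRC=192.168.2.1` would also match `.10` and `.11`, which is exactly the kind of slip that makes a log summary point at the wrong host.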
17
Firewall Options
# Load the iptables kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
18
Deleting iptables Rules
19
Packet Filtering Firewall
20
Packet Filtering Firewall
21
Circuit Level Gateway
22
Forward
iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE
# iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -j DROP
# iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT
# iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp --dport ftp -j REJECT
23
Case Study 1
24
Router Computer Setup
PC1
Enable ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_forward
NAT setup
iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE
IP setup
eth0 192.168.105.109 Bcast:192.168.105.255 Mask:255.255.255.0
eth0:1 192.168.108.1 Bcast:192.168.108.255 Mask:255.255.255.0
Routing setup
# route add default gw 192.168.105.1
25
Setting Up Each Client
PC2
IP setup
inet addr:192.168.108.10 Bcast:192.168.108.255 Mask:255.255.255.0
PC3
IP setup
inet addr:192.168.108.5 Bcast:192.168.108.255 Mask:255.255.255.0
PC4
IP setup
inet addr:192.168.108.20 Bcast:192.168.108.255 Mask:255.255.255.0
Gateway setting for PC2, PC3 & PC4
route add default gw 192.168.108.1
26
Connectivity Test
Router PC 1
ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20,
ping 192.168.105.1, ping 202.154.187.4
PC 2
ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20,
ping 192.168.105.1, ping 202.154.187.4
PC 3
ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20,
ping 192.168.105.1, ping 202.154.187.4
PC 4
ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5,
ping 192.168.105.1, ping 202.154.187.4
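Case Study 1 is three steps on the router (forwarding, NAT, default route) followed by client addressing and a ping matrix. The script below, added here as an example and not part of the slides, does the router side in one place and adds a check the slides imply but do not state: every client must sit on the same subnet as the gateway 192.168.108.1, or `route add default gw` on the client fails and the pings stop at the local segment. Addresses, netmask and interface names are the ones on the slides; using `sysctl -w` for ip_forward (same effect as the `echo 1 > /proc/sys/...` on the slide) and the DRY_RUN switch are my choices.

```shell
#!/bin/sh
# Added example (not from the slides): the router side of Case Study 1 as a
# script, plus a subnet check run before anything is applied. Addresses and
# interface names are the ones on the slides; eth0 is the interface that
# faces the upstream gateway, as in the NAT rule on the router slide.
WAN_IF=eth0
LAN_NET=192.168.108.0/24
WAN_GW=192.168.105.1
LAN_GW=192.168.108.1
NETMASK=255.255.255.0
CLIENTS="192.168.108.10 192.168.108.5 192.168.108.20"   # PC2, PC3, PC4

# With DRY_RUN=1 the commands are printed instead of executed
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

router_setup() {
    # 1. enable forwarding (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward)
    run sysctl -w net.ipv4.ip_forward=1
    # 2. masquerade everything from the local network that leaves via eth0
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -d 0/0 -j MASQUERADE
    # 3. default route towards the upstream gateway
    run route add default gw "$WAN_GW"
}

# Dotted quad -> integer, with POSIX shell arithmetic only
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 MASK: succeeds when both addresses share the network part
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Every client must be on the gateway's subnet, otherwise the client's
# "route add default gw" fails and the ping tests only reach the local segment.
check_addressing() {
    bad=0
    for client in $CLIENTS; do
        if same_subnet "$client" "$LAN_GW" "$NETMASK"; then
            echo "$client: gateway $LAN_GW is directly reachable"
        else
            echo "$client: gateway $LAN_GW is NOT on the same subnet"; bad=1
        fi
    done
    return $bad
}

# Usage: ./router.sh apply (as root), or DRY_RUN=1 ./router.sh apply to only print
if [ "${1:-}" = "apply" ]; then check_addressing && router_setup; fi
```

The MASQUERADE rule carries `-s 192.168.108.0/24` on purpose: without the source match the router would also rewrite packets from any other network it happens to forward, which is wider than the case study asks for.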
27
Firewall Rules
28
Case Study 2 - DMZ
eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
eth1 with 202.54.1.1 public IP address - WAN connected to the ISP router
eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers
29
Routing traffic between public and DMZ server
To set a rule that routes all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2, port 25, network address translation (NAT) uses the PREROUTING chain of the nat table to forward the packets to the proper destination.
This is done with the appropriate iptables firewall rules to route traffic between the LAN and the DMZ, and between the public interface and the DMZ. For example, all incoming mail traffic from the internet (arriving on 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP-all firewall policy):
30
Routing traffic between public and DMZ server
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
31
Where:
-i eth1 : WAN network interface
-d 202.54.1.1 : WAN public IP address
--dport 25 : SMTP traffic
-j DNAT : the DNAT target sets the destination address of the packet to the one given with --to-destination
--to-destination 192.168.2.2 : mail server IP address (private IP)
32
Multi-port redirection
33
Case Study 3 - Assignment
(topology diagram; addresses shown: 10.252.2.3/24, 10.252.2.2/24, 192.168.1.2/24, 202.0.0.100/24, 10.252.0.3/24, 10.252.0.2/24, 192.168.1.3/24, 202.0.0.200/24)
34
SHOREWALL
35
Shorewall
36
Shorewall
Shorewall is a tool for building a firewall
variables: interfaces, zones, rules
37
Shorewall Topology
38
Zones
Shorewall divides the network into several zones, which are described in /etc/shorewall/zones.
Suppose the computer has two interfaces; we then turn them into the zone net and the zone loc, so the /etc/shorewall/zones configuration is as follows:
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
– Zone net is the internet zone
– Zone loc is the local zone
– Zone fw describes the firewall machine itself.
The zone names are up to us.
39
40
Interfaces
41
42
Rules
Rules are the policies that govern every connection entering the firewall; an example /etc/shorewall/rules configuration:
#ACTION        SOURCE            DEST   PROTO   DEST PORT(S)
Ping/ACCEPT    loc:192.168.0.1   $FW
ACCEPT         $FW               all    icmp
Web/ACCEPT     all               $FW
SSH/ACCEPT     loc:192.168.0.1   $FW
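Zones, interfaces, policy and rules only work together when every zone a policy or rule names is declared in the zones file. The script below is an added example, not part of the slides or of Shorewall itself: it writes a minimal two-interface configuration into a scratch directory and checks that consistency. The zones and rules tables are the ones from the slides; the interfaces table (eth0 = net, eth1 = loc) and the policy table are constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the slides or of Shorewall itself: write a minimal
# two-interface Shorewall configuration into a scratch directory and check that
# every zone named in policy and rules is declared in zones. The zones and rules
# tables mirror the slides; interfaces (eth0 = net, eth1 = loc) and policy are
# constructed for the example.

write_shorewall_config() {   # $1 = directory to write into (normally /etc/shorewall)
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs
loc     eth1        tcpflags,nosmurfs
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION       SOURCE            DEST   PROTO   DEST PORT(S)
Ping/ACCEPT   loc:192.168.0.1   $FW
ACCEPT        $FW               all    icmp
Web/ACCEPT    all               $FW
SSH/ACCEPT    loc:192.168.0.1   $FW
EOF
}

# Zone names declared in zones (comments and blank lines skipped)
defined_zones() { awk '!/^#/ && NF { print $1 }' "$1/zones"; }

# Zone names used in policy (SOURCE, DEST) and rules (SOURCE, DEST), with
# host qualifiers such as loc:192.168.0.1 reduced to the zone name;
# $FW (the firewall itself) and all are built in and never need declaring.
referenced_zones() {
    { awk '!/^#/ && NF { print $1; print $2 }' "$1/policy"
      awk '!/^#/ && NF { print $2; print $3 }' "$1/rules"; } |
        sed 's/:.*//' | grep -v -e '^\$FW$' -e '^all$' -e '^-$' -e '^$' | sort -u
}

# Fails, naming the offender, when a policy or rule refers to an undeclared
# zone; Shorewall itself rejects such a configuration when it compiles it.
check_zones_consistent() {
    dir=$1; status=0
    for z in $(referenced_zones "$dir"); do
        if ! defined_zones "$dir" | grep -qx "$z"; then
            echo "undefined zone '$z' referenced in $dir/policy or $dir/rules" >&2
            status=1
        fi
    done
    return $status
}

# Usage: write_shorewall_config /etc/shorewall && check_zones_consistent /etc/shorewall
```

The policy table is where the default-deny lives: `loc net ACCEPT` lets the local network out, `net all DROP info` silently discards anything the internet initiates (and logs it), and `all all REJECT info` catches whatever is left. The rules file then punches the specific holes shown on the slide.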
43
44
Policy
45
46
On Debian-based installations /etc/shorewall is usually empty; the default rule files can be copied from /usr/share/doc/shorewall/default-config, and example configurations are also available in /usr/share/doc/shorewall/examples
47
Installation
Remove
:~# apt-get remove portmap
:~# apt-get remove nfs-common
:~# apt-get remove pidentd
48
49
Installation
Install Shorewall
:~# apt-get install shorewall
Install documentation
:~# apt-get install shorewall-doc
50
Configuration
go to the shorewall directory
:~# cd /etc/shorewall
look inside
:/etc/shorewall# ls
51
Configuration
# vim /etc/default/shorewall
change the startup setting to
startup=1
52
Activate the firewall
do this
# /etc/init.d/shorewall start
watch your firewall
# iptables -nL | less
53
Configure shorewall from webmin
54