FIREWALL

Firewall Concept

- A firewall is one layer of defense that controls how a computer or network communicates with the outside world by inspecting every flow, packet and port against the configured rules.
- It does this by:
  - filtering the connections and activity of a network segment,
  - separating the private network from external networks, and
  - rejecting anything that falls outside the configured scope.

Simple Configuration

PC (local network) <==> firewall <==> Internet (other networks)

[Cartoon: a packet asks the firewall "May I pass?" and hands over its "papers"; the firewall answers "Children are not allowed out, it is late." Each connection is admitted or refused on its credentials and the rules.]

Firewall Topology: Basic Two-interface Firewall (no DMZ)

- Connects to the ISP over DSL, cable modem, ISDN or dial-up.
- Provides "Internet Connection Sharing" of a single public IP address for the local network using SNAT/masquerading.

Firewall Topology: Three-interface Firewall (with DMZ)

- Provides Internet connection sharing of one or more public IP addresses.
- Has a DMZ containing the servers that are exposed to the Internet.
- If a DMZ server is compromised, the firewall and the local network are not directly exposed, provided the rules forbid the DMZ from initiating connections into the local network.

Firewall Types

By mechanism:
- Packet Filtering
  - Filters packets by source, destination and packet attributes (IP address and port), i.e. the IP, TCP, UDP and ICMP headers and port numbers. Each packet is judged on its own; no connection state is kept.
- Application Level
  - Usually called a proxy firewall; can filter on packet content (the application-layer payload).
- Circuit Level Gateway
  - Filters on the communication session by monitoring the session handshake.
  - Tracks connection states such as NEW and ESTABLISHED.
- Stateful Multilayer Inspection Firewall
  - Combines the three types above.

Circuit Level / Stateful Inspection Firewalls

- Default behavior
  - Permit connections initiated by an internal host.
  - Deny connections initiated by an external host.
  - The default can be changed with an ACL.
- For a DMZ implementation the same principle is applied per zone.

[Diagram: connection attempts from the inside towards the router/Internet are automatically accepted; connection attempts from the Internet towards the inside are automatically denied.]

DMZ Configuration

- Place the web servers in the "DMZ" network.
- Only allow the web ports (TCP ports 80 and 443) from the Internet to the web servers.

[Diagram: Internet <==> Firewall <==> Web Server (DMZ)]

DMZ Configuration

- Do not allow the web servers to open connections into your local network.
- Allow the local network to manage the web servers (SSH).
- Do not allow the servers to connect to the Internet. The drawback is that patching becomes inconvenient; in practice you allow egress only to the package mirror (or fetch updates through a proxy in the local network) rather than opening everything.

[Cartoon: "Sir, the red ones are not allowed through." Diagram: Internet <==> Firewall <==> Web Server (DMZ); the red (blocked) arrows are DMZ-to-LAN and DMZ-to-Internet.]
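The DMZ policy described on the two slides above, written out as one iptables script. This is an added example, not code from the original slides. It assumes eth0 = Internet with public address 203.0.113.10, eth1 = local network 192.168.1.0/24 with an admin host 192.168.1.10, eth2 = DMZ with a web server 192.168.2.80, and a package mirror at 198.51.100.20; all of these addresses are assumptions (documentation ranges). It goes slightly beyond the slides by rate-limiting a log of blocked DMZ-to-LAN attempts and by allowing egress to the mirror only, so patching stays possible. With DRY_RUN=1 (the default) it prints the rules instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: three-interface DMZ policy (web ports in, SSH from the LAN,
# no DMZ-initiated traffic to the LAN, DMZ egress only to the package mirror).
# Interfaces, addresses and the mirror are assumptions, not from the slides.
set -eu

WAN=eth0; LAN=eth1; DMZ=eth2
PUBLIC_IP=203.0.113.10          # assumed public address on $WAN
LAN_NET=192.168.1.0/24
ADMIN=192.168.1.10              # assumed admin workstation in the LAN
WEB=192.168.2.80                # assumed web server in the DMZ
REPO=${REPO:-198.51.100.20}     # assumed package mirror; replace with the real one
DRY_RUN=${DRY_RUN:-1}

# Print the command (dry run) or execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

dmz_rules() {
    # Default deny; only the flows listed below are allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The firewall itself is managed from the admin host only.
    ipt -A INPUT -i "$LAN" -s "$ADMIN" -p tcp --dport 22 -j ACCEPT

    # Replies to every permitted flow; this must come before the DMZ->LAN drop,
    # otherwise SSH answers from the web server to the admin host would die here.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Internet -> DMZ: only 80/443, only to the web server (after DNAT).
    ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_IP" -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$WEB"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # LAN -> DMZ: SSH management from the admin host only.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$ADMIN" -d "$WEB" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # DMZ -> Internet: nothing except the package mirror, so a compromised server
    # cannot use the firewall as a general egress path but updates still work.
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -d "$REPO" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$WEB" -j SNAT --to-source "$PUBLIC_IP"

    # DMZ -> LAN: log (rate-limited) and drop, so a compromised server is visible but isolated.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP

    # LAN -> Internet: plain masquerading for the desktops.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Number of FORWARD rules that let a DMZ host open a connection into the LAN.
# The policy requires this to be zero; use it as a self-check after edits.
dmz_to_lan_allows() {
    dmz_rules | grep -c -- "-A FORWARD -i $DMZ -o $LAN.*-j ACCEPT" || true
}

dmz_rules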

IPTABLES

- iptables is a network administration command-line tool on Linux that interfaces with the kernel's Netfilter modules. It allows stateless and stateful firewalls and NAT. It is useful to think of iptables as a specialised firewall-creation programming language: rules are added to chains (INPUT, OUTPUT, FORWARD, ...) within tables (filter, nat, mangle) and evaluated top to bottom; the first rule whose match succeeds decides the packet's fate (LOG is the exception: it records the packet and processing continues).

How iptables Works

- An incoming packet is processed according to its destination:
  - destination IP is the firewall itself: it goes through the INPUT chain;
  - destination IP is not the firewall but the packet is to be forwarded: it goes through the FORWARD chain.
- Packets generated by the firewall itself go through the OUTPUT chain.
- The packet is then matched against the firewall's rule table to decide whether it is ACCEPTed or DROPped; if no rule matches, the chain's default policy (-P) applies.

How a Firewall Works

[Diagram: packet paths through the Firewall Machine.]

iptables Syntax

- Options
  1. -A, append a new rule at the end of the chain
     iptables -A INPUT ...
  2. -D, delete a rule, either by position or by repeating its specification
     iptables -D INPUT 1
     iptables -D INPUT -s 202.154.178.2 ...
  3. -I, insert a new rule at the given position (position 1 if no number is given)
     iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT
  4. -R, replace the rule at the given position
     iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT
  5. -F, flush (delete) all rules in a chain, or in every chain of the table if no chain is given
     iptables -F
  6. -L, list the rules (-n skips DNS lookups, -v shows counters, --line-numbers shows the positions used by -D/-I/-R)
     iptables -L -n -v --line-numbers

Parameters

([!] negates a match; current iptables writes the ! before the option, e.g. ! -s 10.0.0.0/8)
- -p [!] protocol, the protocol to check
  iptables -A INPUT -p tcp ...
- -s [!] address[/mask], match on the packet's source address
  iptables -A INPUT -s 10.252.44.145 ...
- -d [!] address[/mask], match on the packet's destination address
  iptables -A INPUT -d 202.154.178.2 ...
- -j target, decide the packet's fate; targets are e.g. ACCEPT/DROP/REJECT
  iptables -A INPUT -d 202.154.178.2 -j DROP
- -i [!] interface_name, the network interface the packet arrived on (valid in INPUT, FORWARD and PREROUTING)
  iptables -A INPUT -i eth0 ...
- -o [!] interface_name, the network interface the packet leaves through (valid in OUTPUT, FORWARD and POSTROUTING)
  iptables -A OUTPUT -o eth1 ...

iptables Matches (-m)

- mac, match packets by source MAC address (only meaningful for hosts on the same link, in INPUT, FORWARD and PREROUTING)
  iptables -A INPUT -m mac --mac-source 44:45:53:54:00:FF -j ACCEPT
- multiport, match a list of up to 15 ports in one rule (--sports for source ports, --dports for destination ports; the service ports a server listens on are destination ports, so --dports is what you normally want)
  iptables -A INPUT -p tcp -m multiport --sports 22,25,110,80 -j ACCEPT
- state, match on the connection-tracking state of the packet
  iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  (the state is spelled ESTABLISHED, and the list must not contain spaces)

iptables Targets (-j)

- ACCEPT, the packet is accepted immediately
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- DROP, the packet is silently discarded
  iptables -A INPUT -p tcp --dport 21 -j DROP
- REJECT, the packet is discarded and an ICMP error (or, with --reject-with tcp-reset, a TCP RST) is sent back to the sender
  iptables -A INPUT -p tcp --dport 21 -j REJECT
- SNAT, rewrite the source address; used on the host that holds the Internet connection with a fixed public IP
  iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2
- DNAT, rewrite the destination address; typically the server has a private IP and the public address is translated to it so the Internet can still reach it
  iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1
- MASQUERADE, share an Internet connection when public addresses are scarce; maps private IPs to whatever address the outgoing interface currently has (suited to dynamic addresses)
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- REDIRECT, used for a transparent proxy: rewrites the destination to the firewall itself on the given port
  iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-port 8080
- LOG, record the firewall's activity through the kernel log; where the lines end up is configured in /etc/syslog.conf (or rsyslog/journald on newer systems). LOG is non-terminating, so place it directly before the DROP/REJECT it documents, and rate-limit it with -m limit to keep an attacker from filling the disk
  iptables -A FORWARD -j LOG --log-level debug
  iptables -A FORWARD -j LOG --log-tcp-options
Loading the iptables Modules

# Load the iptables kernel modules (legacy names; modern kernels autoload them and
# use the nf_conntrack / xt_* names instead, e.g. nf_conntrack, xt_state, xt_LOG, nf_nat_ftp)
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

Deleting iptables Rules

# Flush all rules in the filter, nat and mangle tables
# (-F does not reset the chain policies; set them explicitly with -P afterwards)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete the user-defined chains (created with -N); built-in chains cannot be deleted
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

Packet Filtering Firewall

[Diagram: packet filtering firewall.]

Circuit Level Gateway

[Diagram: circuit level gateway.]

Forward

- iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE
  (IP_number is the local network to be masqueraded)
- iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT
- iptables -A INPUT -p icmp -s 0/0 -j DROP
- iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT
- iptables -A FORWARD -s 192.168.108.5 -d 0/0 -p tcp --dport 21 -j REJECT
  (use the host address; -s 192.168.108.5/24 means the whole 192.168.108.0/24 network, not one PC)

Case Study 1

- Build your own network.
- Install a web server and an FTP server on the "Internet" side (10.252.105.xxx).
- Configure the firewall so that PC2 and PC3 cannot access the web and FTP servers.

Router Setup (PC1)

- Enable IP forwarding
  # echo 1 > /proc/sys/net/ipv4/ip_forward
- Enable NAT
  iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE
  (IP_number is the local network, 192.168.108.0/24 in this lab)
- IP addresses
  eth0    192.168.105.109  Bcast:192.168.105.255  Mask:255.255.255.0
  eth0:1  192.168.108.1    Bcast:192.168.108.255  Mask:255.255.255.0
  (eth0:1 is an address alias on the same NIC, not a separate device, so iptables rules should select the local network with -s rather than -i eth0:1)
- Routing
  # route add default gw 192.168.105.1

Client Setup

- PC2
  inet addr:192.168.108.10  Bcast:192.168.108.255  Mask:255.255.255.0
- PC3
  inet addr:192.168.108.5   Bcast:192.168.108.255  Mask:255.255.255.0
- PC4
  inet addr:192.168.108.20  Bcast:192.168.108.255  Mask:255.255.255.0
- Default gateway for PC2, PC3 and PC4
  route add default gw 192.168.108.1

Connectivity Test

- Router PC1
  ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20,
  ping 192.168.105.1, ping 202.154.187.4
- PC2
  ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20,
  ping 192.168.105.1, ping 202.154.187.4
- PC3
  ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20,
  ping 192.168.105.1, ping 202.154.187.4
- PC4
  ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5,
  ping 192.168.105.1, ping 202.154.187.4

Firewall Rules

- Block PC2 and PC3 from accessing web and FTP (one rule per host; a /24 mask would also block PC4)
  # iptables -A FORWARD -m state --state NEW -s 192.168.108.10 -d 0/0 -p tcp -m multiport --dports 21,80 -j REJECT
  # iptables -A FORWARD -m state --state NEW -s 192.168.108.5 -d 0/0 -p tcp -m multiport --dports 21,80 -j REJECT
- Save the rule set and restore it (e.g. at boot); the file path is your choice
  # iptables-save > /etc/iptables.rules
  # iptables-restore < /etc/iptables.rules
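Case Study 1 as one script for the router PC1, added here as an example; it is not code from the original slides. It uses the lab addresses from the slides. The web/FTP server address on the lab "Internet" (10.252.105.xxx) is not given in full, so the rules match any destination (-d 0/0) as the slides do. The save path /etc/iptables.rules is an assumption. With DRY_RUN=1 (the default) the commands are printed rather than executed, so the script can be read and checked without root.

```shell
#!/bin/sh
# Added example: router PC1 for Case Study 1 (forwarding, NAT, and blocking
# web/FTP for PC2 and PC3 only). Addresses come from the slides; the save
# path is an assumption.
set -eu

WAN_IF=eth0                       # 192.168.105.109, towards the lab "Internet"
LAN_NET=192.168.108.0/24          # reached through the alias eth0:1 (192.168.108.1);
                                  # an alias is not a device, so match with -s, not -i
BLOCKED_HOSTS="192.168.108.10 192.168.108.5"   # PC2 and PC3; PC4 (.20) must keep working
DRY_RUN=${DRY_RUN:-1}

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

case1_rules() {
    run sysctl -w net.ipv4.ip_forward=1      # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP              # nothing is forwarded unless a rule allows it

    # Replies first, so the blocking rules only have to deal with NEW connections.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Block web (80) and FTP (21) for PC2 and PC3, one rule per host.
    # "-s 192.168.108.5/24" would match the whole /24 and block PC4 too.
    # tcp-reset makes the client fail immediately instead of waiting for a timeout.
    for h in $BLOCKED_HOSTS; do
        run iptables -A FORWARD -s "$h" -d 0/0 -p tcp -m multiport --dports 21,80 -m state --state NEW \
            -j REJECT --reject-with tcp-reset
    done

    # Everything else from the LAN is forwarded and masqueraded behind 192.168.105.109.
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# iptables-save writes the running rule set; iptables-restore reloads it (e.g. at boot).
persist_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables-save > /etc/iptables.rules"
        return 0
    fi
    iptables-save > /etc/iptables.rules
}

# Number of hosts that receive a REJECT rule; the case study wants exactly two.
rejected_host_count() {
    case1_rules | grep -c -- '-j REJECT' || true
}

case1_rules
persist_rules
```

Verify from the clients rather than from the router: on PC2, `nc -vz <server> 80` should fail at once with "connection refused" (the REJECT with tcp-reset), while the same command on PC4 connects; `ping` from PC2 must still succeed, which shows only ports 21 and 80 are affected.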

Case Study 2 - DMZ

- eth0 with private IP address 192.168.1.1: internal LAN (desktop systems)
- eth1 with public IP address 202.54.1.1: WAN, connected to the ISP router
- eth2 with private IP address 192.168.2.1: DMZ, connected to the mail, web, DNS and other servers

Routing traffic between the public interface and the DMZ servers

- To forward all incoming SMTP requests to a dedicated mail server at 192.168.2.2, port 25, a DNAT rule in the PREROUTING chain of the nat table rewrites the destination address before the routing decision; the packet is then routed (and filtered in the FORWARD chain) towards the DMZ.
- The matching iptables rules cover both LAN-to-DMZ and public-interface-to-DMZ traffic. For example, all incoming mail traffic arriving on the public address (202.54.1.1) is sent to the DMZ mail server (192.168.2.2) with the following rules (assuming a default DROP policy on the FORWARD chain):

Routing traffic between the public interface and the DMZ servers

### end init firewall .. start DMZ stuff ####

# forward traffic between LAN and DMZ: the LAN may open connections into the DMZ,
# the DMZ may only answer (it never initiates towards the LAN)
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between WAN and DMZ: from the Internet only the published
# services (SMTP, HTTP, HTTPS) may be opened; the DMZ may only answer
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp -m multiport --dports 25,80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNAT incoming SMTP (port 25) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2

# DNAT incoming HTTP (port 80) traffic to the DMZ load balancer 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3

# DNAT incoming HTTPS (port 443) traffic to the DMZ reverse proxy / load balancer 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### end DMZ .. add other rules ###

Where:
- -i eth1: WAN network interface
- -d 202.54.1.1: WAN public IP address
- --dport 25: SMTP traffic
- -j DNAT: the DNAT target sets the destination address of the packet to the value given with --to-destination
- --to-destination 192.168.2.2: mail server IP address (private IP)

Multi-port redirection

- The multiport iptables module matches a set of source or destination ports; up to 15 ports can be specified. For example, to send incoming HTTP (port 80) and HTTPS (port 443) traffic to the DMZ load balancer 192.168.2.3:
  iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.3

Case Study 3 - Assignment

[Network diagram: hosts and routers with the addresses 10.252.2.3/24, 10.252.2.2/24, 192.168.1.2/24, 202.0.0.100/24, 10.252.0.3/24, 10.252.0.2/24, 192.168.1.3/24 and 202.0.0.200/24.]

SHOREWALL

Shorewall

- Shorewall is a tool for building a firewall: it compiles a set of configuration files into an iptables rule set.
  Its main variables are interfaces, zones and rules.
- The Shorewall configuration lives in the /etc/shorewall directory and consists at minimum of zones, interfaces, rules, policy and shorewall.conf.

Shorewall Topology

[Diagram: Shorewall topology.]

Zones

- Shorewall divides the network into zones, described in /etc/shorewall/zones.
- Suppose the firewall machine has two interfaces; we create a net zone and a loc zone, so /etc/shorewall/zones reads:
  #ZONE   TYPE        OPTIONS     IN          OUT
  #                               OPTIONS     OPTIONS
  fw      firewall
  net     ipv4
  loc     ipv4

  - Zone net is the Internet zone.
  - Zone loc is the local zone.
  - Zone fw describes the firewall machine itself (referenced as $FW in the other files).
- The zone names are our choice; the one with type firewall is the firewall itself.

Interfaces

- Next we declare which interface belongs to which zone in /etc/shorewall/interfaces, roughly like this:
  #ZONE   INTERFACE   BROADCAST   OPTIONS
  net     eth0        detect      norfc1918
  loc     eth1        detect
  (norfc1918 drops packets with private source addresses arriving from the Internet; the option was removed in later Shorewall releases, so check shorewall-interfaces(5) for your version and use the blacklist mechanism instead if it is not accepted)

Rules

- Rules are the policies that govern individual connections arriving at the firewall (exceptions to the zone policies). An example /etc/shorewall/rules:
  #ACTION         SOURCE              DEST    PROTO   DEST PORT(S)
  Ping/ACCEPT     loc:192.168.0.1     $FW
  ACCEPT          $FW                 all     icmp
  Web/ACCEPT      all                 $FW
  SSH/ACCEPT      loc:192.168.0.1     $FW
  - Ping/ACCEPT, Web/ACCEPT and SSH/ACCEPT are Shorewall macros that expand to the protocol and ports of the service: only the host 192.168.0.1 in loc may ping and SSH into the firewall, the firewall may send ICMP anywhere, and HTTP/HTTPS to the firewall itself is open from every zone.

Policy

- A policy is the general rule applied between a pair of zones when no rule matches the connection, for example:
  #SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
  loc     net     ACCEPT
  net     all     DROP    info
  all     all     REJECT  info
  - Entries are checked top to bottom: the local network may reach the Internet; anything else from the Internet is silently dropped and logged at level info; every remaining combination is rejected and logged.
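The zones, interfaces, rules and policy files above assembled into one complete minimal configuration for the two-interface topology, as an added example; this is not from the original slides or the Shorewall project. It assumes net on eth0, loc on eth1, a LAN of 192.168.0.0/24 with 192.168.0.1 as the admin workstation, and writes the files under a directory given as the first argument (default ./shorewall-staging) so it can be tried outside /etc/shorewall first. The skeleton path /usr/share/shorewall/configfiles/shorewall.conf is assumed for Shorewall 4.x packages; on other versions copy shorewall.conf from wherever your package ships it. The interfaces file omits norfc1918 and uses nosmurfs and tcpflags, which current releases accept.

```shell
#!/bin/sh
# Added example: write a complete minimal Shorewall configuration for the
# two-interface firewall (net = eth0, loc = eth1). Addresses and the skeleton
# path for shorewall.conf are assumptions, not from the slides.
set -eu

write_shorewall_config() {
    dir=${1:-./shorewall-staging}
    mkdir -p "$dir"

    # Zones: the firewall itself, the Internet, and the local network.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
EOF

    # Interfaces: norfc1918 is left out (removed in later releases);
    # nosmurfs rejects broadcast-source packets, tcpflags drops illegal flag combinations.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      nosmurfs,tcpflags
loc     eth1        detect      tcpflags
EOF

    # Policy: checked top to bottom when no rule matches. The firewall and the
    # LAN may go out; the Internet is dropped; everything else is rejected and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Rules: exceptions to the policies, using Shorewall's service macros.
    cat > "$dir/rules" <<'EOF'
#ACTION         SOURCE              DEST    PROTO   DEST PORT(S)
# Only the admin workstation may ping and SSH into the firewall itself.
Ping/ACCEPT     loc:192.168.0.1     $FW
SSH/ACCEPT      loc:192.168.0.1     $FW
# The firewall may send ICMP (pings out for troubleshooting).
ACCEPT          $FW                 all     icmp
# HTTP/HTTPS to the firewall host from everywhere, as on the slide;
# remove this line if the firewall runs no web service.
Web/ACCEPT      all                 $FW
EOF

    # shorewall.conf: start from the packaged skeleton (assumed path) and enable
    # startup; STARTUP_ENABLED=Yes is the equivalent of startup=1 in /etc/default/shorewall.
    conf=/usr/share/shorewall/configfiles/shorewall.conf
    if [ ! -f "$dir/shorewall.conf" ] && [ -f "$conf" ]; then
        sed 's/^STARTUP_ENABLED=.*/STARTUP_ENABLED=Yes/' "$conf" > "$dir/shorewall.conf"
    fi
}

# Self-check: the policy file must end in a catch-all REJECT, otherwise an
# unlisted zone pair silently inherits whatever the compiler defaults to.
has_default_reject() {
    grep -q '^all[[:space:]][[:space:]]*all[[:space:]][[:space:]]*REJECT' "$1/policy"
}

write_shorewall_config "${1:-./shorewall-staging}"
has_default_reject "${1:-./shorewall-staging}" && echo "configuration written; run 'shorewall check' before 'shorewall start'"
```

After copying the files into /etc/shorewall, run `shorewall check` before starting: a compile error at start time leaves the host without the expected rules, and on a remote box a bad policy can lock you out.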

- On Debian-based installs /etc/shorewall is usually empty; the default rule files can be copied from /usr/share/doc/shorewall/default-config, and sample configurations are in /usr/share/doc/shorewall/examples.

Installation

- Remove services that should not run on a firewall host (they listen on the network and widen its attack surface)
  :~# apt-get remove portmap
  :~# apt-get remove nfs-common
  :~# apt-get remove pidentd

Installation

- Install Shorewall
  :~# apt-get install shorewall
- Install the documentation
  :~# apt-get install shorewall-doc

Configuration

- Go to the Shorewall directory
  :~# cd /etc/shorewall
- Look inside
  :/etc/shorewall# ls

Configuration

- Change /etc/default/shorewall from
  startup=0
  to
  startup=1
  # vim /etc/default/shorewall
  (on newer packages the switch is STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf instead)

Activate the firewall

- Check the configuration first; a compile error would otherwise leave you without a firewall, or locked out of a remote box
  # shorewall check
- Start it
  # /etc/init.d/shorewall start
- Watch the generated iptables rule set
  # iptables -nL | less

Configure Shorewall from Webmin