Linux firewall and NAT


TCP Wrappers

services covered:

  • super daemon: xinetd
  • any service linked against libwrap.so; check with:
    • ldd $(which sshd) | grep libwrap

configuration files (hosts.allow is consulted first; the first matching line wins, and a client matched by neither file is allowed):

  • /etc/hosts.allow
    • ALL: 127.0.0.1
    • rsync:     192.168.1.0/255.255.255.0 10.10.10.1
  • /etc/hosts.deny
    • rsync:     ALL
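As an added example (not part of the original notes), the following Python script simulates libwrap's access decision over the hosts.allow / hosts.deny entries listed above. The file contents are constructed inline and only the client patterns used in the notes are modelled: ALL, a single IPv4 address and network/netmask (the real syntax also accepts hostnames, domain suffixes, wildcards and EXCEPT lists, which are omitted here).

```python
"""
TCP Wrappers access-control simulator (added example, not from the original
notes). Decision order, as libwrap applies it: the first matching line in
hosts.allow grants access; otherwise the first matching line in hosts.deny
refuses it; otherwise access is granted. Nothing is read from /etc.
"""
import ipaddress

# Constructed sample contents mirroring the entries in the notes above.
HOSTS_ALLOW = """\
ALL: 127.0.0.1
rsync: 192.168.1.0/255.255.255.0 10.10.10.1
"""
HOSTS_DENY = """\
rsync: ALL
"""


def parse_access_file(text):
    """Return a list of (daemons, clients) tuples, one per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemon_part, client_part = line.split(":", 1)
        daemons = [d.strip() for d in daemon_part.split(",") if d.strip()]
        clients = client_part.split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, an exact address, or net/mask."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # ipaddress accepts dotted netmasks such as 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, client_ip):
    """True when the line names this daemon (or ALL) and one client pattern matches."""
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(c, client_ip) for c in clients)


def tcpwrap_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' for a (daemon, client address) pair."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return "allow"
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return "deny"
    return "allow"  # libwrap default when neither file matches


if __name__ == "__main__":
    for d, c in [("rsync", "192.168.1.20"), ("rsync", "10.10.10.1"),
                 ("rsync", "203.0.113.9"), ("sshd", "203.0.113.9")]:
        print(f"{d:6} from {c:14} -> {tcpwrap_decision(d, c)}")
```

The last return in tcpwrap_decision is the point to notice: with a hosts.deny that only contains `rsync: ALL`, every other wrapped service (sshd in the run above) stays reachable from anywhere. The usual hardening is a final `ALL: ALL` line in hosts.deny so that only services explicitly listed in hosts.allow are reachable.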

Netfilter: iptables

version history

  • kernel 2.0        ipfwadm
  • kernel 2.2        ipchains
  • kernel 2.4-2.6    iptables

tables and chains

  • filter
    • INPUT
    • OUTPUT
    • FORWARD
  • nat
    • PREROUTING
    • POSTROUTING
    • OUTPUT
  • mangle
    • PREROUTING
    • OUTPUT
    • INPUT
    • FORWARD

iptables command syntax

iptables

  • -t table    filter/nat
  • -L    list rules
  • -n    numeric, no reverse DNS lookup
  • -v    verbose

iptables-save

  • -t table

iptables

  • -t table
  • -F    flush rules
  • -X    delete user-defined chains
  • -Z    zero counters

iptables [-t table] {-A|-D} chain rule-specification

iptables [-t table] -I chain [rulenum] rule-specification

iptables [-t table] -R chain rulenum rule-specification

iptables [-t table] -D chain rulenum

iptables [-t table] -S [chain [rulenum]]

iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

iptables [-t table] -N chain

iptables [-t table] -X [chain]

iptables [-t table] -P chain target

iptables [-t table] -E old-chain-name new-chain-name

rule-specification = [matches...] [target]

match = -m matchname [per-match-options]

target = -j targetname [per-target-options]


iptables
  [-A|-I INPUT|OUTPUT|FORWARD]
  [-i|-o lo|eth0]
  [-p tcp|udp]
  [-s s_net --sport s_port]
  [-d d_net --dport d_port]
  -j ACCEPT|DROP|REJECT

commands

  • -t, --table table    filter, nat, mangle
  • -A, --append
  • -D, --delete
  • -I, --insert
  • -R, --replace
  • -L, --list
  • -S, --list-rules
  • -F, --flush chain
  • -Z, --zero counters
  • -N, --new-chain
  • -X, --delete-chain
  • -P, --policy
  • -E, --rename-chain

rule parameters

  • -j, --jump target    ACCEPT/DROP/REJECT/LOG
  • [!] -i, --in-interface name
  • [!] -o, --out-interface name
  • [!] -p, --protocol protocol    tcp, udp, udplite, icmp, esp, ah, sctp or all
  • [!] -s, --source address[/mask][,...]
  • [!] -d, --destination address[/mask][,...]

/etc/sysconfig/iptables

  • # Firewall configuration written by system-config-firewall
  • # Manual customization of this file is not recommended.
  • *filter
  • :INPUT ACCEPT [0:0]
  • :FORWARD ACCEPT [0:0]
  • :OUTPUT ACCEPT [0:0]
  • -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • -A INPUT -p icmp -j ACCEPT
  • -A INPUT -i lo -j ACCEPT
  • -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  • -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  • -A INPUT -j REJECT --reject-with icmp-host-prohibited
  • -A FORWARD -j REJECT --reject-with icmp-host-prohibited
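The rule-specification grammar above (matches followed by a -j target) and the /etc/sysconfig/iptables listing are tied together in the following added example, which is not code from the original notes. It parses the iptables-save style lines into rules and walks a chain top to bottom with first-match semantics, falling back to the chain policy; only the matches the listing actually uses (-i, -p, -m state --state, -m tcp --dport) are modelled, the packet descriptions are constructed, and nothing touches the kernel.

```python
"""
First-match evaluation of the filter table shown above (added example, not
from the original notes). Parses iptables-save lines, then returns the
target of the first rule a packet matches, or the chain policy if none does.
"""
import shlex

# Constructed copy of the filter table from the notes above.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(spec):
    """Turn a rule-specification token list into match criteria plus target."""
    rule = {"target": None}
    i = 0
    while i < len(spec):
        opt = spec[i]
        if opt == "-m":            # match extension name; its own options follow
            i += 2
            continue
        if opt == "-j":
            rule["target"] = spec[i + 1]
        elif opt == "-p":
            rule["proto"] = spec[i + 1]
        elif opt == "-i":
            rule["in_iface"] = spec[i + 1]
        elif opt == "--state":
            rule["state"] = set(spec[i + 1].split(","))
        elif opt == "--dport":
            rule["dport"] = int(spec[i + 1])
        elif opt == "--reject-with":
            rule["reject_with"] = spec[i + 1]
        else:
            raise ValueError(f"option not modelled in this example: {opt}")
        i += 2
    return rule


def parse_filter_table(text):
    """Return (policies, chains): chain -> policy, chain -> ordered rule list."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains[name] = []
        elif line.startswith("-A "):             # "-A chain rule-specification"
            args = shlex.split(line)[1:]
            chains[args[0]].append(parse_rule(args[1:]))
    return policies, chains


def rule_matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "in_iface" in rule and pkt["iface"] != rule["in_iface"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    return True


def verdict(chain, pkt, text=IPTABLES_SAVE):
    """Walk `chain` in order; the first matching rule wins, else the policy applies."""
    policies, chains = parse_filter_table(text)
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def packet(proto, iface="eth0", state="NEW", dport=None):
    """Constructed packet description (conntrack state is given, not derived)."""
    return {"proto": proto, "iface": iface, "state": state, "dport": dport}


if __name__ == "__main__":
    for chain, pkt in [("INPUT", packet("tcp", dport=22)),
                       ("INPUT", packet("tcp", dport=443)),
                       ("INPUT", packet("tcp", dport=443, state="ESTABLISHED")),
                       ("INPUT", packet("udp", iface="lo", dport=53)),
                       ("FORWARD", packet("tcp", dport=80))]:
        print(chain, pkt, "->", verdict(chain, pkt))
```

Two things this makes visible: the final `-A INPUT -j REJECT` line is what turns an ACCEPT policy into default-deny, so the rules inserted with -A after it (or with -I above the ESTABLISHED,RELATED rule) change behaviour purely by position, and a packet that no rule matches in OUTPUT falls through to that chain's ACCEPT policy. On current kernels `-m state --state` is a compatibility alias for `-m conntrack --ctstate`.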

/etc/sysctl.conf

  • net.ipv4.tcp_syncookies = 1 (mitigates SYN flooding)
  • net.ipv4.icmp_echo_ignore_broadcasts = 1 (mitigates broadcast ping flooding)


NAT
