Linux Lab 21 Firewall

  • December 2019
Linux Workshop

Lab 21 Firewall Requirements

Objectives to learn
➢ Linux
➢ Not an LPIC1 exam objective
➢ Optional ethereal package

Quick Reference

Firewall

#netfilter: 3 tables, 11 built-in chains, e.g.:

vi firewall.sh                        #Create example firewall script for the INPUT chain

#!/bin/bash
iptables -F                           #Flush all rules
iptables -X                           #Delete all chains
iptables -Z                           #Zero counters
iptables -P INPUT DROP                #Set default INPUT policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
/etc/init.d/iptables save             #Save all rules
iptables-save > file                  #Save all rules
exit 0

#Tip: portnr/tcp/udp is in /etc/services
iptables -nvL                         #List current rules (numeric, verbose)

To Do
1. Create a script to flush and close the firewall. The firewall should disable all incoming protocols. Test the results by using the ping command; it should not work.
2. Modify the firewall script and accept incoming ssh (22), web services (80, 443) and the ping command (icmp). Test the results by using the ping command.
3. (Optional) If time permits, check or install the ethereal package and capture some network packets.
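A script that completes To Do steps 1 and 2, added here as an example; it is not the lab sheet's own script. It assumes eth0 is the outside interface and, unlike the sheet's script, adds an ESTABLISHED,RELATED rule so the host can still receive replies to connections it opens itself under the DROP policy. Run with no argument it only prints the iptables commands (a dry run); "sh firewall.sh apply" executes them as root. The save path /root/firewall.rules is an assumption.

```shell
#!/bin/sh
# Added example, not the lab sheet's own script: the "To Do" firewall for the INPUT chain.
# With no argument it only prints the iptables commands it would run (a dry run);
# "sh firewall.sh apply" executes them for real (needs root).
IFACE="${IFACE:-eth0}"               # assumed name of the external interface
TCP_PORTS="${TCP_PORTS:-22 80 443}"  # ssh, http, https
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only, 0 = run iptables

# Every rule goes through ipt(), so a dry run prints exactly what an apply would execute.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Step 1 of the lab: flush and close the firewall.  After this only loopback traffic
# gets in, so "ping <host>" from another machine fails.
close_firewall() {
    ipt -F                        # flush all rules in the filter table
    ipt -X                        # delete user-defined chains
    ipt -Z                        # zero packet/byte counters
    ipt -P INPUT DROP             # default policy: drop what no rule accepts
    ipt -A INPUT -i lo -j ACCEPT  # local services keep talking to each other
}

# Step 2 of the lab: accept ssh, web and ping.  The ESTABLISHED,RELATED rule is an
# addition to the sheet's script: replies to connections this host opens (DNS answers,
# package downloads) also arrive on INPUT and would otherwise hit the DROP policy.
open_services() {
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -j ACCEPT
    done
    # Only echo-request is needed for ping to be answered; other ICMP types stay closed.
    ipt -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request -j ACCEPT
}

# The complete rule list as text (always a dry run, whatever DRY_RUN is set to).
dry_run() {
    ( DRY_RUN=1; close_firewall; open_services )
}

# Number of iptables commands the script issues: 5 to close + 5 to open = 10.
dry_run_count() {
    dry_run | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    close_firewall
    open_services
    iptables-save > "${SAVE_FILE:-/root/firewall.rules}"   # assumed path; restore with iptables-restore
else
    dry_run
fi
```

Review the dry run before applying: the order matters, because the loopback and state rules must sit above the port rules, and the DROP policy is set before any ACCEPT rule exists, so a script that dies halfway leaves the host closed rather than open.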

service iptables on                   #To survive a reboot
iptables-restore < file               #Restore all rules

#Built-in Chains: Inspection Point (3 tables, 11 built-in chains)

Chain          Table 1: filter   Table 2: nat   Table 3: mangle
PREROUTING            -               √               √
INPUT                 √               -               √
FORWARD               √               -               √
OUTPUT                √               √               √
POSTROUTING           -               √               √
#Ethereal: free sniffer. Example filters (Ethereal display-filter syntax):
ip.addr==172.28.24.1                  #Show packets to or from one host
tcp.port==631                         #Show packets on one tcp port
tcp.port==80 && ip.addr==1.2.2.1      #Combine conditions

[Figure: packet flow through the inspection points. Forwarded packets: PREROUTING -> routing decision -> FORWARD -> POSTROUTING. Packets to and from the local machine: routing decision -> INPUT -> local machine -> OUTPUT -> POSTROUTING.]

telnet nu.nl 80                       #Check web availability, then type: get /
netcat -v -w 1 -z nu.nl 80            #Check web availability ('open' = the port answers)

Theory Modules

➢ LPIC 1 Certification Bible, isbn 0-7645-4772-0, p. 721-727: Blocking unwanted connections with IP chains (kernel version 2.2).
➢ SUSE LINUX Enterprise Server – Installation and Administration, downloadable manual (www.novell.com/documentation), p. 643-651: Masquerading and Firewalls.

Extra References
➢ www.tldp.org
➢ www.ethereal.com
➢ Red Hat Linux Firewalls, Bill McCarty, isbn 0-7645-2463-1
➢ iptables-tutorial.frozentux.net/iptables-tutorial.html

Note: There are lots of tools used to configure the iptables netfilter (built into the kernel). The SuSEfirewall service is an example.

© October 2, 2005, wiki.novell.com/index.php/Roberts_Quick_References, author of Foundations of Linux networking
