Firewall : Filter & NAT. Divisi Training PT UFOAKSES SUKSES LUARBIASA Jakarta

Transcription

1 Firewall : Filter & NAT Divisi Training PT UFOAKSES SUKSES LUARBIASA Jakarta nux@ufoakses.co.id

2 Firewall Rules or filter NAT (source nat and destination nat) Mangle Address List Service Ports Connection For monitoring Only

3 What s Firewall Filters The firewall filters is tools for packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. The firewall filter is on of the tools that allow user to control data flow to, from and through his computer In any way he/she wish.

4 Firewall Filters Structure Firewall filters consist of IF THEN rules IF<condition(s)>THEN<action> When processing the firewall filters, packet process through rules in the order they are listed there from top to bottom. If a packet matches condition(s) of the rule, then the specified action is performed on it, else packet jumps to the next rule.

5 Firewall Filters Chains Firewall filters rules are organized in chains There are built in chains : Input : processed packets addressd to the router itself Output : processes packets sent by the router itself Forward : processes traffic sent through the router

6 Firewall Filters Structure New user defined chains can be added, as necessary Deafult chains must have rule, that redirect packet flow to user defined chains, because other way yhis chains have no default traffic to match User defined chains are used in order to reduce average number of passed rules to make firewall faster, or in order to optimize firewall strucrture and make it more readeble and manageable

7 Actions Accept accept the packet. No action is taken, I.e the packet is passed thourgh and no more rules applied to it Add dst to address list adds destination address of an IP packet to the address list specified by address list parameter Add src to address list adds source address of an IP packet to the address list specified by address list parameter Drop silently drop the packet (without sending the ICMP reject messege) Jump jump to the chain specified by the value of the jump targetparameter Log each match with this action will add a messege to the system log Passthrogh ignores this rule and goes on the next one Reject reject the packet and send an ICMP reject messege Return passes control back to the chain where the jump took place Tarpit captures and hold incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet

8 What is Firewall NAT NAT is used for secure IP address and destionation IP address translation. First packet of the flow traverses NAT rule rule, other packets of this flow are automatically NATed with same action as first one NAT is one of the tools that allow user to control data flow to, from and through his computer in any way he wish.

9 NAT Rules

10 Firewall NAT structure NAT consist of IF THEN rules IF<condition(s)>THEN<action> When processing the NAT, packet process through rules in order they are listed there from top to bottom. If a packet matches the conditions(s) of the rule, then the specified action is performed on it, else packet jump to the next rule.

11 Firewall NAT structure NAT rules are organized in chains There are two built in chains : Dst nat used for changing destination address and ports and then reroute packet. Srcnat used for changing source address and ports. (action dst nat and redirect can be used in this chain) New user defined chains can be added

12 Known NAT actions Accept the packet is accepted and passed through NAT without taking any action Jump jump to the chain specified by value of the jumptarget argument Return return to the previous chain, from where the jump took place Log log packet matches Passthrough ignore this rule and go on to the next one Add dst address list add packet s destination address to the specified address list Add src address list add packet s source address to the specified address list

13 New NAT actions There are 6 new actions in the NAT : dst nat and redirect Src nat and masquerade Netmap same

14 Src nat and masquerade Src nat allow source address and oirt change to local address and port of the router (masquerading) or to some other specified and port Typical application of SRC NAT is to hide private address behind one or more [public] external address to allow multiple host behind one address

15 Dst nat and redirect Dst nat allows destination address and port change to local address and port of the router (redirect) or to some other specified address and port Typically used for accessing services on a private network from public address via public address

16 Netmap and Same Netmap creates a static 1:1 mapping of one set of ip addresses to another one Same gives a particular client the same source/destination IP address from supplied range for each connection (or all the time if you specify not_by_dst option)