Chapter 5: Implementing a Firewall with Ipchains and Iptables

Previous page
Table of content
Next page


Introduction

Over the years, the open source community has excelled in creating firewall software that is ideally suited for networks of any size. Linux natively supports the ability to route and/or filter packets. Modern Linux systems use either Ipchains or Iptables to do this.

Iptables supports Linux kernel 2.4 and higher (it was first implemented in Linux kernel 2.3). For those still using Linux kernel 2.2, use Ipchains instead. The Iptables package supports packet masquerading and filtering functionality as found in the 2.3 kernel and later. This functionality is known as netfilter, which is what Iptables is based on. Therefore, in order to use Iptables, you must recompile the kernel so that netfilter is installed, and you must also install the Iptables package. This is found by clicking Networking Options | IP: NetFilter Configuration.

Note

Ipfwadm is the precursor to both Ipchains and Iptables. Because it is used in older Linux kernels, this chapter does not consider it.

Depending on your kernel version, you can use these applications to configure your Linux system to act as a router, which means that it ensures that packets are sent from one network to another. At this level, a Linux router does not examine or filter any traffic. It simply ensures that all traffic addressed to a remote network gets sent to it.

Ipchains and Iptables also allow you to configure your Linux router to masquerade traffic (in other words, to rewrite IP headers so that a packet appears to originate from a certain host), or to examine and block traffic. It is even possible to configure your Linux router to do both. The practice of examining and blocking traffic is often called packet filtering. In this chapter, you will learn how to invoke packet filtering on your Linux system.

A packet filter works at the network layer of the Open System Interconnection Reference Model (OSI/RM). Daemons such as Squid (www.squid-cache.org) also allow you to examine and block traffic. However, Squid is not a packet filter; it is a proxy server that is designed to operate at the application layer of the OSI/RM. The primary difference between a packet filtering router (for example, one created by using Ipchains or Iptables) and a proxy server (for example, one enabled by Squid) is that a packet filtering router does not inspect network packets as deeply as a proxy server does.

However, proxy servers require more system resources in order to process network packets. As a result, a proxy server can sometimes be slow when honoring requests, especially if the machine is not powerful enough. This is why packet filters and proxy servers are both necessary in a network: one (the packet filter) blocks and filters the majority of network traffic, and the proxy server inspects only certain traffic types.

In this chapter, you will learn how to configure a system as a simple router and how to implement complex packet filtering so that you can protect your network from various attacks.


Previous page
Table of content
Next page
The Best Damn Firewall Book Period
The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
Authors: Cherie Amon, Thomas W. Shinder, Anne Carasik-Henmi
BUY ON AMAZON
Documenting Software Architectures: Views and Beyond
Excel Scientific and Engineering Cookbook (Cookbooks (OReilly))
An Introduction to Design Patterns in C++ with Qt 4
InDesign Type: Professional Typography with Adobe InDesign CS2
Junos Cookbook (Cookbooks (OReilly))
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy