Section 2.4. Overview of Firewalls and Masquerading

A firewall is a hardened computer that sits between an internal network and an external network (typically the Internet). It is configured with a set of rules that it uses to determine what traffic is allowed to pass and what traffic is barred. While a firewall is generally intended to protect the network from malicious or even accidentally harmful traffic from the outside, it can also be configured to monitor traffic leaving the network. As the sole entry point into the network, the firewall makes it easier to construct defenses and monitor activity.

The firewall can also be set up to present a single IP address to the outside world, even though multiple IP addresses may be used internally. This is known as masquerading. Masquerading can act as additional protection, hiding the very existence of a network. It also saves the trouble and expense of obtaining multiple IP addresses.

IP firewalling and masquerading are implemented with the kernel's netfilter framework, which is configured from user space with the iptables command. Earlier Linux kernels used ipchains or ipfwadm, which will not be covered here. Unlike the older tools, the facilities provided by netfilter are designed to be extensible; if some function is missing from the implementation, you can add it.

The packet filtering facilities provide built-in rule sets. Each network packet is checked against the rules in a set, in order, until it matches a rule or the end of the set is reached without a match. These sets of rules are called chains. Chains are organized into tables that separate filtering functions from masquerading and packet mangling functions. If a match is found, the counters on that rule are incremented and any target for that rule is applied. A target might accept, reject, or masquerade a packet, or even pass it along to another chain for processing. Details on the chains provided in iptables can be found in Chapter 3.

In addition to these chains, you can create your own user-defined chains. You might want a special chain for your PPP interfaces or for packets from a particular site. To call a user-defined chain, you just make it the target for a match.

It is possible to make it through a chain without matching any rules that have a target. If no rule matches the packet in a user-defined chain, control returns to the chain from which it was called, and the next rule in that chain is checked. If no rule matches the packet in a built-in chain, a default policy for that chain is used. The default policy can be any of the special targets that determine what is done with a packet. The valid targets are detailed in Chapter 3.

You use the iptables command to define the rules. Once you have the rules defined, you can use iptables-save to create a file with all the rule definitions, and iptables-restore to reload those definitions when you reboot.
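As an added example (not from the book), the following script emits a complete ruleset in the file format that iptables-save writes and iptables-restore reads, tying together the pieces described above: built-in chains with default policies in the filter table, a user-defined chain reached by making it a target, and a MASQUERADE target in the nat table. The interface names, the 192.168.1.0/24 LAN and the allowed ports are assumptions to adjust for your site; generating the file needs no privileges, loading it with iptables-restore does.

```shell
#!/bin/sh
# Assumed interfaces and LAN prefix (override via the environment).
WAN_IF="${WAN_IF:-eth0}"            # external (Internet-facing) interface
LAN_IF="${LAN_IF:-eth1}"            # internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # internal network, masqueraded outbound

# Print an iptables-restore ruleset to stdout.
gen_ruleset() {
  cat <<EOF
*filter
# Built-in chains. The word after the name is the default policy, applied
# when a packet reaches the end of the chain without matching a rule.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain: it has no policy ("-"); an unmatched packet returns
# to the calling chain and continues with the next rule there.
:lan-out - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Hand new LAN-to-Internet traffic to the user-defined chain by making
# the chain the target of this match.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j lan-out
-A lan-out -p tcp -m multiport --dports 80,443 -j ACCEPT
-A lan-out -p udp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerading lives in the nat table: rewrite the source address of
# outbound LAN packets to the address of the WAN interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Typical use as root:
#   gen_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Anything not explicitly accepted in FORWARD, including LAN traffic that falls out of lan-out unmatched, ends up in the DROP policy of the built-in chain.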

For more information on the kinds of decisions you need to make and the considerations that go into defining the rules, see a general book on firewalls such as Building Internet Firewalls (O'Reilly). For more details on iptables, consult the Linux Network Administrator's Guide (O'Reilly), Linux iptables Pocket Reference (O'Reilly), or one of the relevant HOWTOs, such as the "Packet Filtering HOWTO." These HOWTOs and a number of tutorials are available on the Netfilter web site at http://www.netfilter.org/.



Linux in a Nutshell
ISBN: 0596154488
Year: 2004
Pages: 147