Linux Learning Log XI
*************************************************************
Firewall Architectures
●Basic Packet Filter (dual-homed firewall: one host with two interfaces filtering between them)
●Screened Host (packet filter plus a bastion host on the internal network)
●Screened Subnet (uses two packet filters and at least one bastion host on a separate subnet, the DMZ)
Firewall architecture should be based on firewall policy statements
*************************************************************
Filter
Set policy
iptables -t <table> -P <chain> <policy>
–Sets the default policy applied when no rule in the chain matches (chain and target names are case-sensitive)
Ex.
iptables -t filter -P FORWARD DROP
Listing Rules
●iptables -t <table> -L
–Lists all rules in all chains in the table in order
●iptables -t <table> -L <chain>
–Lists all rules in that chain in the table in order (add -n to skip DNS lookups and --line-numbers to show each rule's position)
Adding Rules
●iptables -t <table> -I <chain> <position> <rule-spec>
–Inserts rule at position (default 1, the head of the chain); rules are evaluated in order and the first match wins
●iptables -t <table> -A <chain> <rule-spec>
–Appends rule to end of chain
-----------------------------------------------------------------------------------------------------------
Ex.
Mail Server (201.21.2.2) can connect to the SMTP port of computers on the Internet
–ACCEPT: From Mail Server to port 25 of computers on the Internet
iptables -t filter -A FORWARD --protocol tcp --destination-port 25 --source 201.21.2.2 -j ACCEPT
–ACCEPT: From port 25 of computers on the Internet to Mail Server
iptables -t filter -A FORWARD --protocol tcp --source-port 25 --destination 201.21.2.2 -j ACCEPT
(Caveat: the second rule admits any TCP packet whose source port is 25, and a remote attacker chooses that port freely. Matching replies with -m conntrack --ctstate ESTABLISHED,RELATED instead ties them to a connection the mail server actually opened.)
Deleting Rules
●iptables -t <table> -D <chain> <rulenum> (or -D <chain> <rule-spec>)
–Deletes the specified rule
●iptables -t <table> -F <chain>
–Flushes all rules in that chain in the table
●iptables -t <table> -F
–Flushes all rules in the table (the chain policies set with -P are not reset by -F)
NAT
---------------------------------------------------------------------
Scenario:
packet filter addresses: 212.10.3.11 (external) / 192.168.90.250 (internal)
bastion host: 192.168.90.113
---------------------------------------------------------------------
SNAT: Translates the source address on packets to that of the packet filter
Ex.
iptables -t nat -A POSTROUTING --protocol tcp --destination-port 25 --source 192.168.90.113 -j SNAT --to-source 212.10.3.11
DNAT: Translates the original destination address to the desired destination address
Ex. (both directions need a rule)
iptables -t nat -A PREROUTING --protocol tcp --destination-port 25 --destination 212.10.3.11 -j DNAT --to-destination 192.168.90.113
iptables -t nat -A POSTROUTING --protocol tcp --destination-port 25 --destination 192.168.90.113 -j SNAT --to-source 192.168.90.250
(The PREROUTING rule rewrites inbound SMTP to the bastion host; connection tracking reverses the translation on the replies by itself. The POSTROUTING SNAT makes the bastion host see 192.168.90.250 as the source, so its replies are routed back through the packet filter even when its default gateway is some other router; if the packet filter already is the bastion host's gateway, that second rule is not needed.)
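The filter rules for the mail server and the SNAT/DNAT rules for the screened subnet, combined into one ruleset as an added example (this is not from the original notes). It merges the two scenarios: the bastion host 192.168.90.113 is the mail server and is published to the Internet as the packet filter's external address 212.10.3.11; the interface names eth0 (Internet side) and eth1 (screened subnet) are assumptions. The script emits iptables-restore format so the whole ruleset can be reviewed, and syntax-checked with `iptables-restore --test`, before it is loaded; reply traffic is admitted by connection state rather than by source port.

```shell
#!/bin/sh
# Added example (not from the original notes): a screened-subnet ruleset
# for the mail-server scenario, emitted in iptables-restore format.
# Assumed: eth0 faces the Internet, eth1 faces the screened subnet; the
# bastion host 192.168.90.113 runs the mail server and is published as
# the packet filter's external address 212.10.3.11.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_ADDR="${EXT_ADDR:-212.10.3.11}"
MAIL_HOST="${MAIL_HOST:-192.168.90.113}"

# Print the complete ruleset (filter + nat tables) to stdout.
gen_ruleset() {
  cat <<EOF
*filter
# Default policies: nothing is forwarded unless a rule allows it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies belong to an existing connection; let conntrack identify them
# instead of trusting a source port that the remote end chooses.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Mail server -> SMTP port of computers on the Internet
-A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $MAIL_HOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Internet -> mail server; by the time FORWARD sees the packet, DNAT
# (below) has already rewritten the destination to the internal address
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $MAIL_HOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: inbound SMTP to the public address is delivered to the bastion host
-A PREROUTING -i $EXT_IF -p tcp -d $EXT_ADDR --dport 25 -j DNAT --to-destination $MAIL_HOST
# SNAT: outbound SMTP from the bastion host leaves with the public address
-A POSTROUTING -o $EXT_IF -p tcp -s $MAIL_HOST --dport 25 -j SNAT --to-source $EXT_ADDR
COMMIT
EOF
}

# Count ruleset lines containing a pattern, so the ruleset can be checked
# without netfilter access (e.g. exactly one DNAT and one SNAT rule).
count_rules() {
  gen_ruleset | grep -c -- "$1" || true
}

# "apply" syntax-checks the ruleset first (--test) and loads it only if
# that passes; any other invocation just prints it for review.
if [ "${1:-print}" = "apply" ]; then
  gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Run it with no arguments to inspect the generated rules; `sh firewall.sh apply` (as root, on the packet filter) loads them atomically, which avoids the window of partially applied rules that a sequence of individual iptables commands leaves open.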
Intrusion Detection Systems
Receive information about the host or network being monitored and analyze it for signs of intrusion
Components
●Sensors (collect the data)
●Engine/Analyzer (matches the data against rules or signatures)
●Console/Manager (alerting, reporting and management)
Host-based Intrusion Detection Systems (HIDS)
Monitors individual hosts
Network-based Intrusion Detection Systems (NIDS, e.g. Snort)
Monitors network traffic
Snort configuration file: /etc/snort/snort.conf