Www.mitntraining.com



mobile itnTSolutions, LLC.

Linux Systems Administrator Program
Class Notes: "Securing Your Server with iptables", Part I

Topics Covered:
Understanding Firewalls
Setting Up a Firewall with system-config-firewall
Setting Up a Firewall with iptables
Advanced iptables Configuration
Configuring NAT

Red Hat Enterprise Linux is often used to offer services on the Internet. That means that unauthorized users will try to attack your server and get access to parts of it that you don't want to be available to them. To prevent this, you need to install a firewall. In this part you will learn how to install a firewall on Red Hat Enterprise Linux and thus protect valuable assets on your server.

Understanding Firewalls:
Too often, when a hacker breaks through the security of a server, it is done through ports that are actually allowed on the server. For instance, the hacker can abuse an Apache web server and have it launch a script that opens connections to external machines. In the previous section, you learned how SELinux can be used to avoid this scenario. In this section of the program, you'll learn how a firewall can be used to make sure that no connections are initiated to nodes that haven't specifically been allowed beforehand.

A firewall works through packet inspection: it screens incoming and outgoing packets and checks whether the address, protocol, and port of each packet are allowed or denied. From the perspective of the OSI model, a packet filter like this works on layers 3 and 4 (IP addresses and protocol; TCP and UDP ports). A firewall cannot typically check which user sent the packet, and it has a hard time checking the actual data portion of the packet; an application-level proxy is needed for that.

Although a firewall is important, not every server is using one.
By default, Red Hat switches the firewall on, but in some cases it doesn't make much sense, and the administrator disables it. In large company networks, firewalls are often handled by the router that connects the network to the Internet; everything behind the router is considered secure and doesn't get a firewall of its own. If a server is directly connected to the Internet, the server does require a firewall. Also, if a server has a specific role in the company network and you want to configure it for additional security, it's a good idea to give it a firewall of its own.

Netfilter is the default firewall offered through the Linux kernel. To configure Netfilter on Red Hat Enterprise Linux, you can use the system-config-firewall tool if you prefer a graphical interface, or the iptables command if you want to work from the command line.

Setting Up a Firewall with system-config-firewall:
If you just need basic firewall services and have a graphical desktop available, system-config-firewall is the simplest way to get started. The graphical interface also lets you set up some of the more advanced configurations, including IP masquerading and port forwarding. In text-only mode, you can use the system-config-firewall-tui command if you want a menu-driven interface to configure the firewall. Before starting to configure a firewall with system-config-firewall, one important thing to realize is that it rewrites /etc/sysconfig/iptables and therefore wipes clean all rules you created manually with the iptables command.

Allowing Services:
The simplest way to allow specific services through the firewall is by selecting them using the Trusted Services option in system-config-firewall. This interface offers a list of commonly used services; to enable a service, you just have to select it from the list. After selecting the desired services, click the Apply button to save the current configuration. To make sure the configuration you just created is operational, do the following:
Check that the iptables service is enabled ("chkconfig --list iptables") and running ("service iptables status").
Use the "iptables -L -n" command to verify that the rules have been applied.

Exercise 10.1: Allow the Basic Services Through the Firewall (online)

The system-config-firewall utility offers an interface to select common services. In some situations, your service might be activated on a nondefault port. If that's the case, you need to use the Other Ports interface in system-config-firewall to open that port. From Other Ports, click "Add" to open the Port And Protocol window. You'll see a list containing all known port assignments in this window. If the port is not available from this list, you can click "User Defined" to enter the port or port range manually. [screenshot omitted]

Trusted Interfaces:
Typically, there are two cases for firewalls: on routers and on servers. If the firewall is installed on a server, there is normally just one network interface on which the firewall is operational. If the firewall is on a server that is used as a router, there is usually an internal network interface and an external network interface, and packets are routed between these interfaces by the kernel's routing process. By default, all network interfaces are considered untrusted. If your server works as a router and you want to mark some interfaces as trusted, from system-config-firewall click Trusted Interfaces and select the interfaces you want to add. From that moment on, no packets arriving on those interfaces are filtered, so only mark an interface trusted if everything reachable through it is really under your control. [screenshot omitted]

Masquerading:
With IP masquerading, you can configure a server to connect your local network to the Internet. In this configuration, IP addresses from the private address ranges are used on the private network. These addresses cannot be routed on the Internet, so they are translated to the public IP address of the interface that faces the Internet. This process is known as IP masquerading; it is a form of Network Address Translation (NAT). The major benefit of masquerading is that with just one public IP address, you can connect many devices on the private network to the Internet. IP masquerading is commonly used in home and corporate networks. To enable masquerading, you need to select the public interface. [screenshot omitted]

Once this interface is masqueraded, all packets leaving through it are rewritten with the IP address of the public interface as the source address. To trace a packet back to its original sender, the NAT router maintains a NAT table (the connection tracking table), in which each connection is identified by the source port the router assigned to it. When a reply comes back and has to be forwarded by the NAT router to the originating host, the router looks the connection up in the NAT table to find the address of the host from which the packet originated, and forwards the packet there.

You can also use port forwarding in combination with masquerading. This means you assign a port on the public interface of the NAT router and forward everything that comes in on that port to a specific host and port on the private network. You can use this approach if one of the computers on the private network is not directly reachable from the Internet but offers a specific service that you want to make available on the Internet. Users that want to use that service address the masquerading router on the specific port assigned to it, and port forwarding then forwards the packet to the destination host. To add a port that is to be forwarded from system-config-firewall, select Port Forwarding, click Add, and select the interface and port you want to make available. [screenshot omitted] After specifying the source port, you need to assign a destination. You can choose between forwarding to a local port (a port on the masquerading router itself) or forwarding packets to a specific IP address and port on another node. In the next exercise, you'll learn how to configure port forwarding.

Exercise: Configuring Port Forwarding
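The following script is an added example written for these notes; it is not part of the course material and is not what system-config-firewall itself generates. It produces rulesets in the iptables-restore format that /etc/sysconfig/iptables uses, for both cases discussed above: a server that allows only selected services (the Allowing Services / Other Ports case, generalized so any list of TCP ports can be given), and a router that masquerades a LAN and forwards one public port to an internal host (the Masquerading and port forwarding case). The interface names eth0 and eth1, the LAN 192.168.1.0/24 and the forwarded host 192.168.1.10 are assumptions chosen for illustration, not values from the notes.

```shell
#!/bin/sh
# Added example for the iptables class notes (not course code, not the
# output of system-config-firewall). Emits iptables-restore rulesets.
# Assumed values: eth0 = public interface, eth1 = LAN interface,
# 192.168.1.0/24 = LAN, 192.168.1.10 = host that receives forwarded traffic.

# Emit one rule line; "$*" joins the arguments with single spaces.
rule() { printf '%s\n' "$*"; }

# Case 1: server with one interface. INPUT policy DROP; allow loopback,
# replies to connections we started, ICMP, and the given TCP ports (default
# 22 and 80, like ticking ssh and www under Trusted Services); reject the rest.
server_ruleset() {
    ports="${*:-22 80}"
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p icmp -j ACCEPT
    for p in $ports; do
        rule -A INPUT -p tcp -m state --state NEW --dport "$p" -j ACCEPT
    done
    rule -A INPUT -j REJECT --reject-with icmp-host-prohibited
    rule COMMIT
}

# Case 2: router. $1 = public (masqueraded) interface, $2 = trusted LAN
# interface, $3 = LAN subnet, $4 = public port to forward, $5 and $6 = LAN
# host and port it is forwarded to.
nat_ruleset() {
    wan="${1:-eth0}"; lan="${2:-eth1}"; lannet="${3:-192.168.1.0/24}"
    pub_port="${4:-8080}"; fwd_host="${5:-192.168.1.10}"; fwd_port="${6:-80}"
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Port forwarding: rewrite the destination of packets that arrive on the
    # public port before the routing decision is made.
    rule -A PREROUTING -i "$wan" -p tcp --dport "$pub_port" -j DNAT --to-destination "$fwd_host:$fwd_port"
    # Masquerading: LAN sources leaving via the public interface get its address.
    rule -A POSTROUTING -s "$lannet" -o "$wan" -j MASQUERADE
    rule COMMIT
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$lan" -j ACCEPT   # trusted interface: nothing filtered
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    rule -A INPUT -j REJECT --reject-with icmp-host-prohibited
    rule -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD sees the packet after DNAT, so match the LAN host and port,
    # not the public port; matching the public port here would block it.
    rule -A FORWARD -i "$wan" -o "$lan" -d "$fwd_host" -p tcp --dport "$fwd_port" -m state --state NEW -j ACCEPT
    rule -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    rule COMMIT
}

# Usage (as root):
#   sh rules.sh server 22 80 443 > /etc/sysconfig/iptables
#   sh rules.sh router eth0 eth1 192.168.1.0/24 8080 192.168.1.10 80 > /etc/sysconfig/iptables
case "${1:-}" in
    server) shift; server_ruleset "$@" ;;
    router) shift; nat_ruleset "$@" ;;
esac
```

After writing the file, load it with "service iptables restart" and verify with "iptables -L -n -v" and "iptables -t nat -L -n -v". For the router case the kernel must also forward packets, so set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and apply it with "sysctl -p". Remember the caveat above: running system-config-firewall again rewrites /etc/sysconfig/iptables and discards a hand-written ruleset like this one.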
