Internet Security Firewall Using IPtables

How to Set Up Computer Firewalls to Protect Networks

© Fleur Hupston

Oct 20, 2009
A Linux firewall is a good way to protect a network against intruders. On Linux, packet filtering is done with iptables, the userspace tool that configures the kernel's netfilter framework.

Understanding the components of a network firewall, and how to use iptables when setting up a Linux firewall, can be a challenge.

Components of Network Protection

A typical computer environment using a Linux firewall would consist of the following components:

  • WAN or Wide Area Network: The WAN could be the connection to the Internet, or it could be the connection to remote branches of the same company. Either way, it provides an access point for intruders and needs to be secured by means of a firewall.
  • DMZ (Demilitarized Zone): Location of the company web and/or mail server or any other servers the company wants the outside world to have access to.
  • LAN (Internal or Local Area Network): Workstations and servers that are not connected directly to the Internet. Connections may be initiated from the LAN to the DMZ and the WAN, but nothing on the WAN or in the DMZ may initiate a connection into the LAN.
  • Linux Firewall: Firewall protection for the LAN and DMZ. The Linux firewall provides the physical or logical connection between the LAN, DMZ and WAN, and decides which traffic may pass between them.

What is a Network Firewall?

A network firewall protects the company LAN from the outside world by filtering packets and allowing only selected WAN traffic through. The LAN should be protected in such a way that no unwanted traffic is allowed to reach it from the DMZ or the WAN. The LAN, however, will need access to the DMZ and the WAN.

The DMZ will need to be accessed by the WAN and the LAN. All the services that need to be accessed by the WAN, like mail and web servers, should be located in the DMZ. Everything else should be on the LAN.

Implementing a Linux Firewall

Linux uses iptables to provide network protection by filtering traffic on addresses, ports and protocols.

With iptables a Linux firewall can match traffic on source and destination address, source and destination port, protocol (tcp, udp, icmp and so on) and the network interface a packet arrives on or leaves through. To filter connections on these criteria, an understanding of the INPUT, OUTPUT and FORWARD chains of the iptables filter table is important.

Input and Output Chains

INPUT and OUTPUT are chains of the filter table (not tables in their own right). They handle connections to and from the computer running the firewall itself: INPUT sees packets addressed to the firewall host, for example an administrator's SSH session or a service the host offers, and OUTPUT sees packets the firewall host originates, for example its own DNS lookups. An example of a firewall host offering a service would be one that is also used as a proxy server.

Forward Chain

The FORWARD chain filters connections passing through the firewall from one interface to another, that is, traffic that neither originates on nor is addressed to the server running the firewall. The kernel must also have IP forwarding enabled (net.ipv4.ip_forward = 1), otherwise no such traffic passes at all.

An example of this would be LAN users connecting through the firewall to the Internet. Another example would be users connecting through the firewall to a mail server in the DMZ.
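The three chains as an added worked example, not code from the article or its source: a default-deny filter ruleset for a firewall with a WAN, a LAN and a DMZ interface. The interface names eth0/eth1/eth2, the private address ranges and the DMZ server addresses are assumptions for illustration. The run wrapper prints each command when DRY_RUN=1 (the default) so the ruleset can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the article: default-deny filter rules for a
# three-legged Linux firewall (LAN, DMZ, WAN). Interface names and
# addresses below are assumptions; adjust them to your network.
set -eu

WAN_IF=${WAN_IF:-eth0}                  # assumed Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                  # assumed internal LAN interface
DMZ_IF=${DMZ_IF:-eth2}                  # assumed DMZ interface
LAN_NET=${LAN_NET:-192.168.10.0/24}     # assumed LAN range
DMZ_NET=${DMZ_NET:-192.168.20.0/24}     # assumed DMZ range
DMZ_WEB=${DMZ_WEB:-192.168.20.10}       # assumed DMZ web server
DMZ_MAIL=${DMZ_MAIL:-192.168.20.11}     # assumed DMZ mail server
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the rules, 0 = apply them

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

filter_rules() {
    # Start from a clean filter table and close everything: with a DROP
    # policy on all three chains, only explicitly permitted traffic passes.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # INPUT and OUTPUT: traffic to and from the firewall host itself.
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Administrative SSH to the firewall is accepted from the LAN only;
    # no INPUT rule accepts new connections arriving on the WAN interface.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # The firewall host itself may resolve names and fetch updates.
    run iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 53,80,443 -j ACCEPT

    # FORWARD: traffic passing through the firewall between interfaces.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN users may reach the WAN and the DMZ.
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
    # The WAN may reach only the published DMZ services. These rules match the
    # private DMZ address because DNAT in the nat table runs before FORWARD.
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_MAIL" -p tcp --dport 25 -j ACCEPT
    # DMZ servers may send mail and resolve names outbound, and nothing more.
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -p tcp --dport 25 -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    # A compromised DMZ host must never open connections into the LAN.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # Log (rate-limited) whatever is about to fall through to the DROP policy.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
}

filter_rules
```

The ESTABLISHED,RELATED rules are what make the "LAN may connect out, nothing may connect in" asymmetry work: reply packets of a connection the LAN opened are accepted by connection tracking, while a new connection arriving from the WAN or DMZ matches no ACCEPT rule and hits the DROP policy.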

Network Address Translation (NAT)

A firewall commonly uses two kinds of NAT (Network Address Translation), both configured in the iptables nat table: “Source Network Address Translation” (SNAT) and “Destination Network Address Translation” (DNAT).

DNAT rewrites the destination address of "inbound" traffic so that it reaches an internal computer in the DMZ. For example, someone on the Internet browsing the company web site sends packets addressed to the company's public IP address. The firewall changes that destination, in the PREROUTING chain (before the routing decision is made, hence "pre-routing"), to the private IP address of the web server in the DMZ.

SNAT masquerades "outbound" connections behind a single "public" IP address by rewriting the source address of each packet as it leaves, in the POSTROUTING chain (after the routing decision). If the company has only one public IP address, SNAT makes all LAN users appear to browse the Internet from that one address; the MASQUERADE target is the variant to use when the public address is assigned dynamically. Connection tracking remembers each translation, so replies are mapped back to the right internal host without extra rules.
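The two translations as an added worked example, not code from the article or its source: the nat-table rules that publish DMZ services with DNAT and hide private ranges behind one public address with SNAT. The public address 203.0.113.10 is from the documentation range reserved by RFC 5737 and, like the interface names and DMZ addresses, is an assumption. The run wrapper prints each command when DRY_RUN=1 (the default) and executes it when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the article: nat-table rules for a Linux firewall
# publishing DMZ services (DNAT) and hiding private ranges behind one public
# address (SNAT). All addresses and interface names are assumptions.
set -eu

WAN_IF=${WAN_IF:-eth0}                  # assumed Internet-facing interface
LAN_NET=${LAN_NET:-192.168.10.0/24}     # assumed LAN range (private)
DMZ_NET=${DMZ_NET:-192.168.20.0/24}     # assumed DMZ range (private)
DMZ_WEB=${DMZ_WEB:-192.168.20.10}       # assumed DMZ web server
DMZ_MAIL=${DMZ_MAIL:-192.168.20.11}     # assumed DMZ mail server
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}    # assumed public address (RFC 5737 range)
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the rules, 0 = apply them

# Print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

nat_rules() {
    run iptables -t nat -F

    # DNAT lives in PREROUTING: the destination is rewritten before the
    # routing decision, so the kernel routes the packet out of the DMZ
    # interface using the private address, and the filter table's FORWARD
    # chain sees that private address as well.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp --dport 443 -j DNAT --to-destination "$DMZ_WEB"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$DMZ_MAIL"

    # SNAT lives in POSTROUTING: the source is rewritten after routing, as the
    # packet leaves on the WAN interface. Both private ranges are translated
    # to the single public address. With a fixed public address use
    # SNAT --to-source; on a link with a dynamic address, "-j MASQUERADE"
    # does the same job but reads the interface's current address each time.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP"
    run iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP"

    # Connection tracking reverses both translations on reply packets, so no
    # rules are needed for the return direction. Forwarding must be enabled
    # in the kernel or nothing passes between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules
```

The nat table only rewrites addresses; whether a translated packet is then allowed through is still decided by the filter table's FORWARD chain, which is why the FORWARD rules for published services must match the private DMZ address rather than the public one.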

Secure Network Protection

When setting up an Internet security firewall, start with everything closed (a DROP policy on every chain) and then open only what is needed. Attackers use port scanners to sweep the Internet for open ports and report the results back. Once an open port running a vulnerable service is found, the attacker tries to exploit that weakness to gain access to the network. Network protection should be taken seriously. It would be prudent to research all aspects of network security, since the risk to the company comes not only from the "outside" but also from "within" the company.

Source:

Peter Hupston, IT Manager, Legalwise S.A., interviewed 19 October, 2009


The copyright of the article Internet Security Firewall Using IPtables in Internet Security is owned by Fleur Hupston. Permission to republish Internet Security Firewall Using IPtables in print or online must be granted by the author in writing.