Firewalls IPtables NAT and ip6tables

A good foundation for your network's security is to set up a Linux system to operate as a firewall for your network, protecting it from unauthorized access. You can use a firewall to implement either packet filtering or proxies. Packet filtering is simply the process of deciding

Web Site

Security Application

www.netfilter.org

Netfilter project, Iptables, and NAT

www.netfilter.org/ipchains

IP Chains firewall

www.openssh.org

Secure Shell encryption

www.squid-cache.org

Squid Web Proxy server

web.mit.edu/Kerberos

Kerberos network authentication

Table 20-1 Network Security Applications

Table 20-1 Network Security Applications whether a packet received by the firewall host should be passed on into the local network. The packet-filtering software checks the source and destination addresses of the packet and sends the packet on, if it's allowed. Even if your system is not part of a network but connects directly to the Internet, you can still use the firewall feature to control access to your system. Of course, this also provides you with much more security.

With proxies, you can control access to specific services, such as Web or FTP servers. You need a proxy for each service you want to control. The Web server has its own Web proxy, while an FTP server has an FTP proxy. Proxies can also be used to cache commonly used data, such as Web pages, so that users needn't constantly access the originating site. The proxy software commonly used on Linux systems is Squid, discussed in Chapter 24.

An additional task performed by firewalls is network address translation (NAT). Network address translation redirects packets to appropriate destinations. It performs tasks such as redirecting packets to certain hosts, forwarding packets to other networks, and changing the host source of packets to implement IP masquerading.

NOTE The IP Chains package is the precursor to IPtables that was used on Linux systems running the 2.2 kernel. It is still in use on many Linux systems. The Linux Web site for IP Chains, which is the successor to ipfwadm used on older versions of Linux, is currently www.netfilter.org/ ipchains. IP Chains is no longer included with Fedora Linux.

The Netfilter software package implements both packet-filtering and NAT tasks for the Linux 2.4 kernel and above. The Netfilter software is developed by the Netfilter Project, which you can find out more about at www.netfilter.org. The Red Hat Enterprise Linux Security Guide provides a helpful description on using Netfilter on Red Hat systems (www.redhat.com, Red Hat Enterprise Linux Documentation page).

0 0

Post a comment