| author | Holger Dengler <dengler@linutronix.de> | 2013-04-02 18:35:17 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2015-02-20 16:32:50 +0100 |
| commit | e2e68a9f9357143640ee542665a4958865b5c5fa (patch) | |
| tree | 4b9657cb44357e052cb9a4cd38782bce91c7f84a | |
| parent | fca02ba4f66802961312bf4c6cfbfbde89a6153b (diff) | |
Add Firewall Presentation
Signed-off-by: Holger Dengler <dengler@linutronix.de>
| -rw-r--r-- | images/firewall-osi.odg | bin | 0 -> 12216 bytes | |||
| -rw-r--r-- | images/firewall-osi.png | bin | 0 -> 21602 bytes | |||
| -rw-r--r-- | images/firewall-schema.odg | bin | 0 -> 11768 bytes | |||
| -rw-r--r-- | images/firewall-schema.png | bin | 0 -> 25289 bytes | |||
| -rw-r--r-- | security/firewall/Makefile | 9 | ||||
| -rw-r--r-- | security/firewall/pres_iptables.tex | 439 | ||||
| -rw-r--r-- | security/firewall/pres_iptables.tex.bak | 426 |
7 files changed, 874 insertions, 0 deletions
diff --git a/images/firewall-osi.odg b/images/firewall-osi.odg
Binary files differ
new file mode 100644
index 0000000..74cb823
--- /dev/null
+++ b/images/firewall-osi.odg
diff --git a/images/firewall-osi.png b/images/firewall-osi.png
Binary files differ
new file mode 100644
index 0000000..bfed3b5
--- /dev/null
+++ b/images/firewall-osi.png
diff --git a/images/firewall-schema.odg b/images/firewall-schema.odg
Binary files differ
new file mode 100644
index 0000000..8d72ddb
--- /dev/null
+++ b/images/firewall-schema.odg
diff --git a/images/firewall-schema.png b/images/firewall-schema.png
Binary files differ
new file mode 100644
index 0000000..a1ed457
--- /dev/null
+++ b/images/firewall-schema.png
diff --git a/security/firewall/Makefile b/security/firewall/Makefile
new file mode 100644
index 0000000..257d70d
--- /dev/null
+++ b/security/firewall/Makefile
@@ -0,0 +1,9 @@
+all:
+ for pdf in `ls -1 handout_*.tex pres_*.tex 2> /dev/null` ; do \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ done
+
+clean:
+ rm -f *.aux *.log *.pdf *.log *.snm *.toc *.vrb *.nav *.out
+
diff --git a/security/firewall/pres_iptables.tex b/security/firewall/pres_iptables.tex
new file mode 100644
index 0000000..7b49ed0
--- /dev/null
+++ b/security/firewall/pres_iptables.tex
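Review bot: The recipe under `all:` never propagates a pdflatex failure, so `make` exits 0 even when a slide fails to compile — the loop's status is that of its last command, and pdflatex without `-halt-on-error` will also sit at an interactive error prompt instead of exiting. Write the loop as `for pdf in $(wildcard handout_*.tex pres_*.tex) ; do \` and end each pdflatex call with `... pdflatex -halt-on-error $$pdf || exit 1; \`, which also removes the parsing of `ls` output. As rendered here the recipe lines are indented with spaces; if that is not an artefact of the diff view, make will reject them, since recipe lines must start with a tab. The `clean` target lists `*.log` twice; harmless, but one occurrence can go.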
@@ -0,0 +1,439 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Firewall}
+
+\title{Firewall}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Basics}
+
+\begin{frame}[fragile]
+\frametitle{Open System Interconnection Model (OSI)}
+\begin{itemize}
+\item Separate Communication Flow into Levels
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.6]{images/firewall-osi.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Firewalls}
+\begin{itemize}
+\item Focus of Packet Filter
+ \begin{itemize}
+ \item Layer 3 and 4
+ \end{itemize}
+\item Focus of state-full Firewalls
+ \begin{itemize}
+ \item Layer 4 and higher
+ \item Deep Packet Inspection
+ \item Protocol and Application Specific Filtering
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Netfilter / iptables}
+\begin{itemize}
+\item Standard Firewall for Linux
+\item based on Netfilter (Kernel)
+\item related tools (userspace)
+ \begin{itemize}
+ \item iptables (for IPv4)
+ \item ip6tables (for IPv6)
+ \item arptables (for Layer 2, ARP)
+ \item ebtables (for Ethernet bridges)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Elements}
+
+\begin{frame}
+\frametitle{}
+\begin{itemize}
+\item Elements: Tables, Chains and Rules
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.5]{images/firewall-schema.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Tables}
+\begin{itemize}
+\item Multiple Chains
+\item One Table for each Hook
+\begin{itemize}
+\item raw: Pre-connection Tracking
+\item mangle: Packet Modification
+\item nat: Network Address Translation
+\item filter: Packet filtering, e.g. for Security
+\item security: for Mandatory Access Control, e.g. SELinux
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Chains (1)}
+\begin{itemize}
+\item Multiple Rules
+\item Processing from top to bottom
+\item Pre-defined Chains
+\begin{itemize}
+\item PREROUTING: Packet reception
+\item INPUT: Locally delivered
+\item FORWARD: Forwarding
+\item OUTPUT: Locally produced
+\item POSTROUTING: Packet send
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Chains (2)}
+\begin{itemize}
+\item User-defined Chains
+\item Simple reuse for multiple projects
+\item Separate common Rules
+\item Standard Services and Protocols
+\begin{itemize}
+\item Web-Services
+\item Remote Access
+\item Virtual Private Network (VPN)
+\item NTP
+\end{itemize}
+\item Standard Behavior
+\begin{itemize}
+\item LOG and DROP
+\item Bandwidth throttling
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Rules (1)}
+\begin{itemize}
+\item Specification
+\begin{itemize}
+\item Source/Destination: Address, Mask, and Port
+\item In- and Out-Interface
+\end{itemize}
+\item Match extension
+\begin{itemize}
+\item protocol specific: icmp, tcp udp, \dots
+\item connbytes/-limit/-mark/-track
+\item state
+\item time
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Rules (2)}
+\begin{itemize}
+\item Actions (final)
+\begin{itemize}
+\item ACCEPT
+\item REJECT
+\item DROP
+\end{itemize}
+\item Actions (continue)
+\begin{itemize}
+\item LOG
+\item JUMP
+\item GOTO
+\item RETURN
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Workflow}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.5]{images/firewall-schema.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+\begin{frame}
+\frametitle{Tools}
+\begin{itemize}
+\item Configuration
+\begin{itemize}
+\item iptables / ip6tables
+\item iptables-persistence
+\item shorewall
+\item fwbuilder
+\end{itemize}
+\item Analysis
+\begin{itemize}
+\item Logfile
+\item nmap
+\item wireshark
+\item Kali-Linux
+\end{itemize}
+\end{itemize}
+Note: Use penetration tools \emph{very} carefully!
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Show all Chains of Table \emph{filter}:}
+\begin{tiny}
+\begin{verbatim}
+iptables -t filter -L
+iptables -L # Table filter is default
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Flush all Chains:}
+\begin{tiny}
+\begin{verbatim}
+iptables -F
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Set default Policies:}
+\begin{tiny}
+\begin{verbatim}
+iptables -P <CHAIN> <ACTION>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{User-defined Chains:}
+\begin{tiny}
+\begin{verbatim}
+iptables -N <CHAIN> # create new chain
+iptables -X <CHAIN> # delete chain
+iptables -E <old> <new> # rename chain
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Rules:}
+\begin{tiny}
+\begin{verbatim}
+iptables -A <CHAIN> <rule-spec> # append rule to chain
+iptables -C <CHAIN> <rule-spec> # find matching rule in chain
+iptables -D <CHAIN> <rule-spec> # remove rule from chain
+iptables -D <CHAIN> <rule-num>
+iptables -I <CHAIN> <rule-num> <rule-spec> # insert rule in chain as rule-num
+iptables -R <CHAIN> <rule-num> <rule-spec> # replace rule in chain
+iptables -F <CHAIN> # flush all rules in chain
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Rule specifications:}
+\begin{tiny}
+\begin{verbatim}
+--source <addr>/<mask> # match source IP/IP-range
+--sport <port> # match source port
+--destination <addr>/<mask> # match destination IP/IP-range
+--dport <port> # match destination port
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Match extensions:}
+\begin{tiny}
+\begin{verbatim}
+--modprobe <module> # load target or match extension module
+--m connstate --ctstate <state> # extension connstate, match state
+--m icmp --icmp-type <type> # extension icmp-type, match packet type
+--m limit --limit <rate>/<ival> # extension limit, limit to rate per interval
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pitfalls}
+
+\begin{frame}
+\frametitle{Pitfalls}
+\begin{itemize}
+\item IPv4 and IPv6
+\item complex or multi-port protocols (e.g. FTP)
+\item Infrastructure Services (e.g. DHCP, DNS)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Preparation}
+\begin{tiny}
+\begin{verbatim}
+# set default policy
+iptables -P INPUT DROP # opt: REJECT, ACCEPT
+iptables -P FORWARD DROP # opt: REJECT, ACCEPT
+iptables -P OUTPUT DROP # opt: REJECT, ACCEPT
+# flush all tables
+iptables -F
+...
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{SSH-Client}
+\begin{tiny}
+\begin{verbatim}
+#
+# Allow incoming traffic only
+# on established connections
+#
+iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Web-Server}
+\begin{tiny}
+\begin{verbatim}
+#
+# Allow outgoing traffic only
+# on established connections
+#
+iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{FTP-Server (iptables-persistent script)}
+\begin{tiny}
+\begin{verbatim}
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# FTP Server
+-A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
+-A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Important: always necessary for iptables-restore
+COMMIT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{User-defined LOGDROP chain}
+\begin{tiny}
+\begin{verbatim}
+# create new chain
+iptables -X LOGDROP
+iptables -N LOGDROP
+iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --log-level 7
+iptables -A LOGDROP -j DROP
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Trace all outgoing traffic}
+\begin{tiny}
+\begin{verbatim}
+*filter
+
+# create new chain
+-N LOGACCEPT
+-A LOGACCEPT -j LOG
+-A LOGACCEPT -j ACCEPT
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT LOGACCEPT [0:0]
+
+# Important: always necessary for iptables-restore
+COMMIT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Project Homepage
+\begin{itemize}
+\item \url{http://www.netfilter.org/projects/iptables/}
+\end{itemize}
+Tools
+\begin{itemize}
+\item Firewall Builder \\
+ \url{http://www.fwbuilder.org/}
+\item Shorewall \\
+ \url{http://shorewall.net/}
+\item Kali-Linux \\
+ \url{http://www.kali.org/}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
diff --git a/security/firewall/pres_iptables.tex.bak b/security/firewall/pres_iptables.tex.bak
new file mode 100644
index 0000000..5ff1543
--- /dev/null
+++ b/security/firewall/pres_iptables.tex.bak
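Review bot: The `Trace all outgoing traffic` example in the last verbatim block on this line cannot be loaded by iptables-restore: `:OUTPUT LOGACCEPT [0:0]` makes a user-defined chain the policy of a built-in chain, and a policy must be a built-in target such as ACCEPT or DROP. Declare the chain in restore syntax as `:LOGACCEPT - [0:0]` next to the other three `:` lines, keep `:OUTPUT ACCEPT [0:0]`, and add `-A OUTPUT -j LOGACCEPT` after the two LOGACCEPT rules. The `Match extensions` box earlier in the hunk has the same kind of slip: `--m connstate --ctstate <state>` is not an iptables option — the match is loaded with a single dash as `-m conntrack --ctstate <state>`, likewise `-m icmp` and `-m limit`, and `--sport`/`--dport` in the `Rule specifications` box belong to the tcp/udp match and need `-p tcp` or `-p udp` on the same rule. In the `Preparation` example the comment `# flush all tables` is wrong for `iptables -F`, which without `-t` flushes only the filter table. The identical verbatim text is repeated in security/firewall/pres_iptables.tex.bak.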
@@ -0,0 +1,426 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Firewall}
+
+\title{Firewall}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Basics}
+
+\begin{frame}[fragile]
+\frametitle{Open System Interconnection Model (OSI)}
+\begin{itemize}
+\item Separate Communication Flow into Levels
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.6]{images/firewall-osi.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Firewalls}
+\begin{itemize}
+\item Focus of Paket Filter
+ \begin{itemize}
+ \item Layer 3 and 4
+ \end{itemize}
+\item Focus of Stateful Firewalls
+ \begin{itemize}
+ \item Layer 4 and higher
+ \item Deep Packet Inspection
+ \item Protocol and Application Specific Filtering
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Netfilter / iptables}
+\begin{itemize}
+\item Standard Firewall for Linux
+\item based on Netfilter (Kernel)
+\item related tools (userspace)
+ \begin{itemize}
+ \item iptables (for IPv4)
+ \item ip6tables (for IPv6)
+ \item arptables (for Layer 2, ARP)
+ \item ebtables (for Ethernet bridges)
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Elements}
+
+\begin{frame}
+\frametitle{Workflow}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.5]{images/firewall-schema.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Tables}
+\begin{itemize}
+\item Multiple Chains
+\item One Table for each Hook
+\begin{itemize}
+\item raw: Pre-connection Tracking
+\item mangle: Packet Modification
+\item nat: Network Address Translation
+\item filter: Packet filtering, e.g. for Security
+\item security: for Mandatory Access Control, e.g. SELinux
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Chains (1)}
+\begin{itemize}
+\item Multiple Rules
+\item Processing from top to bottom
+\item Pre-defined Chains
+\begin{itemize}
+\item PREROUTING: Packet reception
+\item INPUT: Locally delivered
+\item FORWARD: Forwarding
+\item OUTPUT: Locally produced
+\item POSTROUTING: Packet send
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Chains (2)}
+\begin{itemize}
+\item User-defined Chains
+\item Simple reuse for multiple projects
+\item Sepatare common Rules
+\item Standard Services and Protocols
+\begin{itemize}
+\item Web-Services
+\item Remote Access
+\item Virtual Private Network (VPN)
+\item NTP
+\end{itemize}
+\item Standard Behavior
+\begin{itemize}
+\item LOG and DROP
+\item Bandwidth throtteling
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Rules (1)}
+\begin{itemize}
+\item Specification
+\begin{itemize}
+\item Source/Destination: Address, Mask, and Port
+\item In- and Out-Interface
+\end{itemize}
+\item Match extension
+\begin{itemize}
+\item protocol specific: icmp, tcp udp, \dots
+\item connbytes/-limit/-mark/-track
+\item state
+\item time
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Rules (2)}
+\begin{itemize}
+\item Actions (final)
+\begin{itemize}
+\item ACCEPT
+\item REJECT
+\item DROP
+\end{itemize}
+\item Actions (continue)
+\begin{itemize}
+\item LOG
+\item JUMP
+\item GOTO
+\item RETURN
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+\begin{frame}
+\frametitle{Tools}
+\begin{itemize}
+\item Configuration
+\begin{itemize}
+\item iptables / ip6tables
+\item iptables-persistence
+\item shorewwall
+\item fwbuilder
+\end{itemize}
+\item Analysis
+\begin{itemize}
+\item Logfile
+\item nmap
+\item wireshark
+\item Kali-Linux
+\end{itemize}
+\end{itemize}
+Note: Use nmap and Kali-Linux \emph{very} carefully!
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Show all Chains of Table \emph{filter}:}
+\begin{tiny}
+\begin{verbatim}
+iptables -t filter -L
+iptables -L # Table filter is default
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Flush all Chains:}
+\begin{tiny}
+\begin{verbatim}
+iptables -F
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Set default Policies:}
+\begin{tiny}
+\begin{verbatim}
+iptables -P <CHAIN> <ACTION>
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{User-defined Chains:}
+\begin{tiny}
+\begin{verbatim}
+iptables -N <CHAIN> # create new chain
+iptables -X <CHAIN> # delete chain
+iptables -E <old> <new> # rename chain
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Rules:}
+\begin{tiny}
+\begin{verbatim}
+iptables -A <CHAIN> <rule-spec> # append rule to chain
+iptables -D <CHAIN> <rule-spec> # remove rule from chain
+iptables -D <CHAIN> <rule-num>
+iptables -I <CHAIN> <rule-num> <rule-spec> # insert rule in chain as rule-num
+iptables -R <CHAIN> <rule-num> <rule-spec> # replace rule in chain
+iptables -F <CHAIN> # flush all rules in chain
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{iptables: Commands}
+\begin{beamerboxesrounded}[shadow=true]{Rule specifications:}
+\begin{tiny}
+\begin{verbatim}
+--source <addr>/<mask> # match source IP/IP-range
+--sport <port> # match source port
+--destination <addr>/<mask> # match destination IP/IP-range
+--dport <port> # match destination port
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Match extentions:}
+\begin{tiny}
+\begin{verbatim}
+--modprobe <module> # load target or match extension module
+--m connstate --ctstate <state> # extention connstate, match state
+--m icmp --icmp-type <type> # extention icmp-type, match packet type
+--m limit --limit <rate>/<ival> # extention limit, limit to rate per interval
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Pitfalls}
+
+\begin{frame}
+\frametitle{Pitfalls}
+\begin{itemize}
+\item IPv4 and IPv6
+\item complex or multi port protocols (e.g. FTP)
+\item Infrastructure Services (e.g. DHCP, DNS)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Examples}
+
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Preparation}
+\begin{tiny}
+\begin{verbatim}
+# set default policy
+iptables -P INPUT DROP # opt: REJECT, ACCEPT
+iptables -P FORWARD DROP # opt: REJECT, ACCEPT
+iptables -P OUTPUT DROP # opt: REJECT, ACCEPT
+# flush all tables
+iptables -F
+...
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{SSH-Client}
+\begin{tiny}
+\begin{verbatim}
+#
+# Allow incoming traffic only
+# on established connections
+#
+iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Web-Server}
+\begin{tiny}
+\begin{verbatim}
+#
+# Allow outgoing traffic only
+# on established connections
+#
+iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{FTP-Server (iptables-persistant script)}
+\begin{tiny}
+\begin{verbatim}
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# FTP Server
+-A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
+-A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Important: always necessary for iptables-restore
+COMMIT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{User-defined LOGDROP chain}
+\begin{tiny}
+\begin{verbatim}
+# create new chain
+iptables -X LOGDROP
+iptables -N LOGDROP
+iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --log-level 7
+iptables -A LOGDROP -j DROP
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[containsverbatim]
+\frametitle{Example}
+\begin{beamerboxesrounded}[shadow=true]{Trace all outgoing traffic}
+\begin{tiny}
+\begin{verbatim}
+*filter
+
+# create new chain
+-N LOGACCEPT
+-A LOGACCEPT -j LOG
+-A LOGACCEPT -j ACCEPT
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT LOGACCEPT [0:0]
+
+# Important: always necessary for iptables-restore
+COMMIT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Project Homepage
+\begin{itemize}
+\item \url{http://www.netfilter.org/projects/iptables/}
+\end{itemize}
+Tools
+\begin{itemize}
+\item Firewall Builder \\
+ \url{http://www.fwbuilder.org/}
+\item Shorewall \\
+ \url{http://shorewall.net/}
+\item Kali-Linux \\
+ \url{http://www.kali.org/}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
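Review bot: security/firewall/pres_iptables.tex.bak is an editor backup of pres_iptables.tex — an older revision whose typos (`Paket`, `Sepatare`, `shorewwall`, `extention`, `persistant`) the new file already corrects — and nothing builds it, since the Makefile's `pres_*.tex` glob does not match the `.bak` suffix. Keeping two diverging copies of the same slides in the tree invites the next edit landing in the wrong one. Drop this file from the commit and add `*.bak` to the repository's .gitignore so it is not re-added by accident.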
