The Best Damn Firewall Book Period

Introduction

Over the years, the open source community has excelled in creating firewall software that is ideally suited for networks of any size. Linux natively supports the ability to route and/or filter packets. Modern Linux systems use either Ipchains or Iptables to do this.

Iptables requires Linux kernel 2.4 or later (it first appeared in the 2.3 development kernels). If you are still running a 2.2 kernel, use Ipchains instead. Iptables is a user-space front end to netfilter, the packet filtering and masquerading framework that entered the kernel in the 2.3 series. Using Iptables therefore requires two things: a kernel built with netfilter support, and the Iptables package itself. Most distribution kernels already ship with netfilter enabled; if you build your own kernel, enable it when configuring the kernel (for example in make menuconfig) under Networking Options | IP: Netfilter Configuration, and build the tables and targets you intend to use, such as the filter table and the MASQUERADE target.

Note

Ipfwadm is the precursor to both Ipchains and Iptables. Because it is used in older Linux kernels, this chapter does not consider it.

Depending on your kernel version, you pair one of these applications with the kernel's own IP forwarding to make your Linux system act as a router, which means that it passes packets from one network to another. Plain routing does not examine or filter traffic beyond looking at the destination address; it simply ensures that every packet addressed to a remote network gets sent toward it.

Ipchains and Iptables also allow you to configure your Linux router to masquerade traffic (in other words, to rewrite the source address of outgoing packets so that they appear to originate from the router itself, hiding the internal hosts behind it), or to examine and block traffic, or to do both. The practice of examining and blocking traffic based on the fields in packet headers is called packet filtering. In this chapter, you will learn how to invoke packet filtering on your Linux system.
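The three roles just described (router, masquerading gateway, packet filter) fit in one short script. The following is an added example and is not code from the book; it assumes a LAN of 192.168.1.0/24 on eth1, an outside link on eth0, and administration over SSH from the LAN only (all three are assumptions, overridable through environment variables). It also includes a check, against a kernel .config file, for the netfilter options this ruleset needs, which is the practical form of the "kernel must support netfilter" requirement above.

```shell
#!/bin/sh
# Added example, not code from the book: turn a Linux box into a masquerading
# router with a packet filter. Assumptions (not from the book): the LAN is
# 192.168.1.0/24 on eth1, the outside link is eth0, and the box is
# administered over SSH from the LAN only.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Verify that a kernel .config (e.g. /boot/config-$(uname -r)) has the
# netfilter pieces this ruleset needs. Returns 0 if all are built in or as
# modules, otherwise prints the missing options to stderr and returns 1.
check_netfilter_config() {
    cfg="$1"
    missing=""
    for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE; do
        grep -q "^${opt}=[ym]" "$cfg" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo "missing netfilter options:$missing" >&2
    return 1
}

# Emit the ruleset in iptables-restore format. Policies are DROP on INPUT
# and FORWARD, so only what is listed below gets through.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade: rewrite the source address of LAN traffic leaving on ${WAN_IF}
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: LAN addresses must never arrive on the outside interface
-A INPUT -i ${WAN_IF} -s ${LAN_NET} -j DROP
-A FORWARD -i ${WAN_IF} -s ${LAN_NET} -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
# Forward only LAN-originated flows and the replies to them
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset. Forwarding is a kernel setting, not an iptables rule:
# without ip_forward=1 the FORWARD chain never sees a packet.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset | iptables-restore
}

main() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
        apply_ruleset
    else
        # Default is a dry run: print the ruleset for review.
        gen_ruleset
    fi
}

main "$@"
```

Run it without arguments to print the ruleset; run it as root with APPLY=1 to enable forwarding and load it. The anti-spoofing rules sit before the state rule on purpose: a packet claiming a LAN source on the outside interface should never be matched against the connection table at all.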

A packet filter works at the network layer of the Open System Interconnection Reference Model (OSI/RM), reaching into the transport layer only far enough to read port numbers and TCP flags; its decisions are based on header fields such as source and destination addresses, protocol, and ports. Daemons such as Squid (www.squid-cache.org) also allow you to examine and block traffic. However, Squid is not a packet filter; it is a proxy server that operates at the application layer of the OSI/RM, terminating the client's connection and parsing the HTTP request itself. The primary difference between a packet filtering router (for example, one created by using Ipchains or Iptables) and a proxy server (for example, one enabled by Squid) is therefore depth of inspection: the packet filter never looks past the headers, while the proxy can decide on hostnames, URLs, and content.

Proxy servers, however, require more system resources to process the same traffic, so a proxy can be slow to honor requests, especially on a machine that is not powerful enough. This is why packet filters and proxy servers complement each other in a network: the packet filter cheaply blocks or passes the majority of the traffic, and the proxy inspects only the traffic types that merit application-level scrutiny.
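The division of labor described above, as an added example that is not part of the book: the packet filter, which sees only addresses and ports, forces LAN web traffic through Squid, and Squid applies rules keyed on data the packet filter cannot see. The LAN range (192.168.1.0/24 on eth1), the proxy port (3128 on the same box) and the blocked domain (.example.com) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the book: divide the work between the packet filter
# and Squid. iptables sees only addresses, protocols and ports, so its job is
# to force LAN web traffic through the proxy; Squid sees the HTTP request and
# decides on hostnames and URLs. Assumptions (not the book's): the LAN is
# 192.168.1.0/24 on eth1 and Squid runs on this same box on port 3128.

LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Packet-filter side, printed as iptables commands for review before they
# are run as root. Port 80 from the LAN is redirected to Squid before the
# routing decision (nat PREROUTING); any port-80 packet that still reaches
# FORWARD was not redirected and is dropped, so nothing bypasses the proxy.
filter_side() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 80 -j REDIRECT --to-ports ${PROXY_PORT}
iptables -A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport ${PROXY_PORT} -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j DROP
EOF
}

# Proxy side: a squid.conf fragment. Every rule keys on something the packet
# filter cannot see (the requested host, the URL path). "intercept" is the
# Squid 3.1+ keyword for redirected traffic; older releases spelled it
# "transparent".
proxy_side() {
    cat <<EOF
http_port ${PROXY_PORT} intercept
acl localnet src ${LAN_NET}
acl blocked_sites dstdomain .example.com
acl exe_download urlpath_regex -i [.]exe$
http_access deny blocked_sites
http_access deny exe_download
http_access allow localnet
http_access deny all
EOF
}

echo "# packet filter (iptables)"
filter_side
echo
echo "# proxy (squid.conf fragment)"
proxy_side
```

Note what each side can and cannot do: the filter rule cannot distinguish a request for one hostname from another on the same address and port, and the Squid rule cannot see traffic that never reaches the proxy. The last FORWARD rule is what ties the two together.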

In this chapter, you will learn how to configure a system as a simple router and how to implement complex packet filtering so that you can protect your network from various attacks.
