A Leading Provider of Linux Online Training


Network Security Course $349.00

The Network Security Course is designed to give you the skills to work as an administrator of a server or computer. This 6 week course is hands-on in that all of the skills are practised remotely on a real server.
Students also have the option to log in to the instructor's desktop and watch demonstrations of specific configurations.

Course Includes 5 Modules:

A. Build an IPCop Firewall
B. VPN Connections with IPCop
C. Build a Bridge or Stealth Firewall
D. Network Intrusion Detection
E. iptables Firewall Course


Example from the Network Security Course: Using NAT with MASQUERADE

MASQUERADE
The simplest application of NAT is address translation from a more trusted segment to a less trusted segment. The simplest use of NAT with iptables is MASQUERADE.

Using the configuration illustrated, the following command translates the source IP addresses and port numbers of packets passing from the private segment to the public segment.

/sbin/iptables --table nat --append POSTROUTING --source 10.1.1.0/24 --out-interface eth0 --jump MASQUERADE

The command appends a MASQUERADE rule to the POSTROUTING chain of the nat table, causing the source addresses of all packets that originate on the 10.1.1.0/24 network to be translated to the IP address of eth0 as the packets leave that interface. Source port numbers are also translated. The destination addresses and port numbers of reply packets are translated back to the IP addresses and port numbers of the originating private-segment hosts, as illustrated in Figure 8-2.

The following command line shows an abbreviated form of the command.

/sbin/iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE

Other abbreviations include --src for --source and --out for --out-interface.

This is the simplest form of NAT (Network Address Translation). Use the illustrated layout as the model when writing the firewall: the rules run on the firewall box that sits between the Internet (untrusted segment) and the LAN (trusted segment).

Enable Forwarding
A common mistake is to forget the ip_forward setting under /proc. It is what allows traffic to move from one network card to the other on the firewall machine; while it is 0 nothing is forwarded, whatever the rules say. The following command enables forwarding immediately.

echo 1 > /proc/sys/net/ipv4/ip_forward

To make the setting permanent, edit /etc/sysctl.conf and change the “0” to a “1” on the following line, so that it reads net.ipv4.ip_forward = 1 after the next reboot.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0


Create a Simple MASQUERADE Script

/sbin/iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Save Your Firewall and Load on Restart
You will need to edit the /etc/sysconfig/iptables-config as root to help iptables save and reload your firewall correctly. Be sure the following settings are changed to “yes”.


# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"

Here is what the script should look like when it is complete. Two of the FORWARD rules deserve comment.

This line lets the replies for connections that the trusted network opened to the Internet come back through the firewall. The state match only accepts packets that belong to, or are related to, a connection already in the connection-tracking table, so unsolicited traffic from the Internet is still dropped by the FORWARD policy.
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

This line allows any connection from the trusted network out to the Internet.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


#!/bin/sh
#
# Simple MASQUERADE Firewall
#
# Remove existing rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set Policies to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Remove pre-existing user-defined chains
iptables --delete-chain

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
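The following is an added example, not the course's own script: the same MASQUERADE firewall rewritten with variables for the interfaces and subnet, a dry-run switch (IPT=echo prints the rules instead of loading them) and two checks that catch the forgotten ip_forward setting described above, both at run time and in /etc/sysctl.conf. The interface names and the LAN subnet are assumptions taken from the lesson's diagram; the anti-spoofing DROP rules and the rate-limited LOG rule are extra rules layered on the course's three, so that a spoofed source address is rejected and blocked forwards show up in syslog rather than vanishing silently.

```shell
#!/bin/sh
# Added example, not the course's own script: the MASQUERADE firewall above
# rewritten with variables, a dry-run switch and the checks an administrator
# wants before trusting it. Interface names, the LAN subnet and the extra
# anti-spoofing and LOG rules are assumptions layered on the course's rules.

WAN_IF="${WAN_IF:-eth0}"            # untrusted side (Internet)
LAN_IF="${LAN_IF:-eth1}"            # trusted side (LAN)
LAN_NET="${LAN_NET:-10.1.1.0/24}"   # private segment behind the firewall
IPT="${IPT:-/sbin/iptables}"        # IPT=echo prints the rules instead of loading them

# Succeeds when the running kernel is forwarding IPv4 between interfaces.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Succeeds when the sysctl file ($1, default /etc/sysctl.conf) has an active
# (uncommented) net.ipv4.ip_forward = 1 line, i.e. forwarding survives a reboot.
forwarding_persistent() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}" 2>/dev/null
}

# Loads (or, with IPT=echo, prints) the complete rule set.
load_firewall() {
    # Clean slate in all three tables, then drop the user-defined chains
    "$IPT" --flush
    "$IPT" -t nat --flush
    "$IPT" -t mangle --flush
    "$IPT" --delete-chain

    # Default deny; the firewall box itself may only talk to itself on loopback
    "$IPT" --policy INPUT DROP
    "$IPT" --policy OUTPUT DROP
    "$IPT" --policy FORWARD DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing (added): a packet arriving from the Internet must never carry
    # a LAN source address, and only the LAN subnet may enter via the LAN card
    "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP

    # The course's three rules: masquerade LAN->Internet, let replies for
    # LAN-initiated connections back in, let new LAN connections out
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT

    # Log (rate-limited) whatever is about to hit the FORWARD DROP policy so
    # blocked traffic is visible in syslog
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
}

# Apply only when asked: MASQ_APPLY=1 sh masq-fw.sh, or IPT=echo sh masq-fw.sh to dry-run
if [ -n "${MASQ_APPLY:-}" ] || [ "$IPT" = "echo" ]; then
    forwarding_enabled || echo "warning: ip_forward is 0, nothing will be forwarded" >&2
    forwarding_persistent || echo "warning: forwarding is not persisted in /etc/sysctl.conf" >&2
    load_firewall
fi
```

Run it once with IPT=echo and read the printed rules before loading them for real; the two warnings reproduce, as a check rather than a silent failure, the ip_forward mistake the lesson warns about.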


Linux is a registered trademark of Linus Torvalds. All other trademarks are trademarks of their respective owners.
© 1999-2008 SpiderTools.com