nat iptables nat iptables nat iptables
play

NAT & IPTables NAT & IPTables NAT & IPTables From - PowerPoint PPT Presentation

Oct 10, 2022 •580 likes •732 views

NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse) Tim(othy) Clark (eclipse) NAT IPv4 Hack One external IP for a whole network Used commonly

  1. NAT & IPTables NAT & IPTables NAT & IPTables From ACCEPT to MASQUERADE From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse) Tim(othy) Clark (eclipse)

  2. NAT • IPv4 Hack • One external IP for a whole network • Used commonly in home routers • All external traffic goes through the router

  3. IPTABLES • Packet Filtering • Packet Manipulation • Creates firewalls • NATs • Cool stuff

  4. Command Structure IPTABLES –A INPUT –s 137.44.10.0/24 –j DROP • “-A chain” adds rules to a chain • This is followed by a match • And then an action • Can match on lost of things • Can ACCEPT, DROP or jump to a user defined chain

  5. Tables, Chains and Rules • Tables define basic usage • Chains contain rules that are checked till one is executed • Different built in chains execute in different paces • Rules execute actions on packets that match the condition.

  6. Example Traversal Source: 137.44.10.6 –A INPUT –s 137.44.10.0/24 –j DROP –A INPUT –s 137.44.0.0/16 –j ACCEPT –P INPUT DROP Incoming Packet Matching DROP

  7. Example Traversal Source: 137.44.195.83 –A INPUT –s 137.44.10.0/24 –j DROP –A INPUT –s 137.44.0.0/16 –j ACCEPT –P INPUT DROP Incoming Packet Matching Not Matched Matching ACCEPT

  8. Example Traversal Source: 64.233.183.104 –A INPUT –s 137.44.10.0/24 –j DROP –A INPUT –s 137.44.0.0/16 –j ACCEPT –P INPUT DROP Policy Incoming Packet Matching Not Matched Matching Not Matched DROP

  9. Connection Tracking • Detects replies to sent packets • Matching module • NEW is starting a new connection • ESTABLISHED is for existing connections • RELATED is for new connections related to existing ones

  10. Masquerade • Used in the prerouting chain of the nat table • Makes NAT work • Changes destination and source addressed as appropriate

  11. Example Masq Code • Internal interface is eth1 • External interface is eth0 • Example configuration: iptables –P INPUT DROP iptables -P FORWARD DROP iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables –A FORWARD -i eth1 -j ACCEPT iptables –t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward

  12. Useful Bits • iptables-save stores the configuration in a file • iptables-restore restores the configuration from a file • Easily write scripts to restore it • iptables has a good manual page

  13. Any Questions?

Recommend

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

470 views • 14 slides
Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

Talks outline iptables versus ipchains The goal (or: my goal) The packets way through

IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables p.1 Talks outline iptables versus ipchains The goal (or: my goal) The packets way through iptables Classic masquerading (SNAT)

785 views • 31 slides
netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte

netfilter/iptables training Nov 05/06/07, 2007 Day 1 by Harald Welte <laforge@netfilter.org> 1 netfilter/iptables tutorial Contents Day 1 Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP

342 views • 20 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19

Some SSH tips & tricks you may enjoy (plus, iptables) D. H. van Dok (Nikhef) 2014-05-19 getting the most (security) out of your openssh The users perspective: least amount of hassle tradeoff between anxiety, angst and

559 views • 19 slides
RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted

https://res212.telecom-paristech.fr TP02v1 2018/05/31 RES212 Lab #2 Netfilter/iptables Firewall The goal of this lab is to let you become acquainted with the design, configuration and testing of firewalls. Given the limited amount of time,

736 views • 14 slides
Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch &

Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch &

Reflections on data plane performance, iptables and ipsets Neil Jerram Metaswitch & Project Calico @neiljerram www.projectcalico.org Who am I? Free software hacker since 1990s ; line+.el ; ; version 1.1 ; ; This has not (yet)

534 views • 24 slides
Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com

Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com

Cyber@UC Meeting 72 Firewalls/IPTables If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with

737 views • 27 slides
Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch

Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch

Tired of iptables based security groups? Here's how to gain tremendous speed with Open vSwitch instead! Who we are? Jakub Libosvar Software Engineer at Red Hat libosvar@redhat.com Rodolfo Alonso Software Engineer

397 views • 29 slides
Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

2.06k views • 52 slides
Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security

Project 4 - Linux iptables CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Project

481 views • 15 slides
How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux December 4, 2014 Blacklist in practice The backbone of security ! Traffic analysis : Firewall : iptables , netfilter IDS : l7-filter

319 views • 15 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case study: Linux iptables

778 views • 46 slides
Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan

Network Policy Controller in Weave Net Blocking unwanted network traffic in Kubernetes Bryan Boreham @bboreham Who knows... Kubernetes Docker Linux iptables Ancient wisdom For survival, your group needs: Leadership

675 views • 21 slides
XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides

More recommend