Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter

Book Description

Learn how to secure your system and implement QoS using real-world scenarios for networks of all sizes

  • Implementing packet filtering, NAT, bandwidth shaping, and packet prioritization using netfilter/iptables, iproute2, Class Based Queuing (CBQ) and Hierarchical Token Bucket (HTB)

  • Designing and implementing 5 real-world firewalls and QoS scenarios ranging from small SOHO offices to a large-scale ISP network that spans many cities

  • Building intelligent networks by marking, queuing, and prioritizing different types of traffic

In Detail

Firewalls are used to protect your network from the outside world. Using a Linux firewall, you can do a lot more than just filtering packets. This book shows you how to implement Linux firewalls and Quality of Service using practical examples from very small to very large networks.

After giving us a background of network security, the book moves on to explain the basic technologies we will work with, namely netfilter, iproute2, NAT and L7-filter. These form the crux of building Linux firewalls and QoS. The later part of the book covers 5 real-world networks for which we design the security policies, build the firewall, set up the script, and verify our installation.

Providing only necessary theoretical background, the book takes a practical approach, presenting case studies and plenty of illustrative examples.

This practical guide teaches you how to implement effective network protection by using your own customized firewall solution. Based on extensive practical experience, this book distills a unique set of scenario-based scripts and guidelines for a proven firewall solution into one succinct and precise book.

Table of Contents

  1. Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter
    1. Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter
    2. Credits
    3. About the Author
    4. About the Reviewer
    5. Preface
      1. What This Book Covers
      2. Conventions
      3. Reader Feedback
      4. Customer Support
        1. Downloading the Example Code for the Book
        2. Errata
        3. Questions
    6. 1. Networking Fundamentals
      1. The OSI Model
        1. OSI Layer 7: Application
        2. OSI Layer 6: Presentation
        3. OSI Layer 5: Session
        4. OSI Layer 4: Transport
        5. OSI Layer 3: Network
        6. OSI Layer 2: Data Link
        7. OSI Layer 1: Physical
        8. OSI Functionality Example and Benefits
      2. The TCP/IP Model
        1. The TCP/IP Application Layer
        2. The TCP/IP Transport Layer
          1. The Transmission Control Protocol (TCP)
          2. The User Datagram Protocol (UDP)
        3. The TCP/IP Internet Layer
        4. The TCP/IP Network Access Layer
        5. TCP/IP Protocol Suite Summary
      3. OSI versus TCP/IP
      4. IP Addressing, IP Subnetting, and IP Supernetting
        1. Obtaining an IP Address
        2. IP Classes
          1. Reserved IP Addresses
          2. Public and Private IP Addresses
        3. IP Subnetting
          1. The Subnet Mask
          2. Everything Divided in Two
          3. A Different Approach
        4. IP Supernetting or CIDR
      5. How the Internet Works
      6. Summary
    7. 2. Security Threats
      1. Layer 1 Security Threats
      2. Layer 2 Security Threats
        1. MAC Attacks
        2. DHCP Attacks
        3. ARP Attacks
        4. STP and VLAN-Related Attacks
      3. Layer 3 Security Threats
        1. Packet Sniffing
        2. IP Spoofing
        3. Routing Protocols Attacks
        4. ICMP Attacks
        5. Teardrop Attacks
      4. Layer 4 Security Threats
        1. TCP Attacks
        2. UDP Attacks
        3. TCP and UDP Port Scan Attacks
      5. Layer 5, 6, and 7 Security Threats
        1. BIND Domain Name System (DNS)
        2. Apache Web Server
        3. Version Control Systems
        4. Mail Transport Agents (MTA)
        5. Simple Network Management Protocol (SNMP)
        6. Open Secure Sockets Layer (OpenSSL)
        7. Protect Running Services—General Discussion
      6. Summary
    8. 3. Prerequisites: netfilter and iproute2
      1. netfilter/iptables
        1. Iptables — Operations
          1. Filtering Specifications
          2. Target Specifications
          3. A Basic Firewall Script—Linux as a Workstation
      2. iproute2 and Traffic Control
        1. Network Configuration: "ip" Tool
        2. Traffic Control: tc
          1. Queuing Packets
            1. Classless Queuing Disciplines (Classless qdiscs)
            2. Classful Queuing Disciplines
        3. tc qdisc, tc class, and tc filter
          1. A Real Example
      3. Summary
    9. 4. NAT and Packet Mangling with iptables
      1. A Short Introduction to NAT and PAT (NAPT)
        1. SNAT and Masquerade
        2. DNAT
        3. Full NAT (aka Full Cone NAT)
        4. PAT or NAPT
      2. NAT Using iptables
        1. Setting Up the Kernel
        2. The netfilter nat Table
        3. SNAT with iptables
        4. DNAT with iptables
        5. Transparent Proxy
        6. Setting Up the Script
        7. Verifying the Configuration
        8. A Less Normal Situation: Double NAT
      3. Packet Mangling with iptables
        1. The netfilter mangle Table
      4. Summary
    10. 5. Layer 7 Filtering
      1. When to Use L7-filter
      2. How Does L7-filter Work?
      3. Installing L7-filter
        1. Applying the Kernel Patch
        2. Applying the iptables Patch
        3. Protocol Definitions
        4. Testing the Installation
      4. L7-filter Applications
        1. Filtering Application Data
        2. Application Bandwidth Limiting
        3. Accounting with L7-filter
      5. IPP2P: A P2P Match Option
        1. Installing IPP2P
        2. Using IPP2P
      6. IPP2P versus L7-filter
      7. Summary
    11. 6. Small Networks Case Studies
      1. Linux as SOHO Router
        1. Setting Up the Network
        2. Defining the Security Policy
        3. Building the Firewall
        4. Setting Up the Firewall Script
        5. Verifying the Firewall Configuration
        6. QoS—Bandwidth Allocation
          1. The QoS Script
          2. Verifying the QoS Configuration
      2. Linux as Router for a Typical Small to Medium Company
        1. Setting Up the Router
        2. Defining the Security Policy
        3. A Few Words on Applications
        4. Creating the Firewall Rules
        5. Setting Up the Firewall Script
        6. QoS—Bandwidth Allocation
          1. The QoS Script
      3. Summary
    12. 7. Medium Networks Case Studies
      1. Example 1: A Company with Remote Locations
        1. The Network
        2. Building the Network Configuration
        3. Designing the Firewalls
        4. Building the Firewalls
          1. Sites B and C
          2. Site A
          3. Headquarters
        5. Make the Network Intelligent by Adding QoS
      2. Example 2: A Typical Small ISP
        1. The Network
        2. Building the Network Configuration
        3. Designing and Implementing the Firewalls
          1. The Intranet Server: 1.2.3.10
          2. The Wireless Server: 1.2.3.130
          3. The AAA Server: 1.2.3.1
          4. The Database Server: 1.2.3.2
          5. The Email Server: 1.2.3.3
          6. The Web Server: 1.2.3.4
          7. A Few Words on the Access Server: 1.2.3.131
          8. The Core Router—First Line of Defense
        4. QoS for This Network
          1. QoS on the Wireless Server for Long-Range Wireless Users
          2. QoS on the Intranet Server for the Internal Departments
          3. QoS on the Core Router
      3. Summary
    13. 8. Large Networks Case Studies
      1. Thinking Large, Thinking Layered Models
      2. A Real Large Network Example
        1. A Brief Network Overview
          1. City-1
          2. City-2
          3. City-3 and City-4
        2. The Core Network Configuration
          1. Core-2
          2. Core-1, Core-3, and Core-4
        3. Security Threats
          1. Core Routers INPUT Firewalls
          2. Protecting the Networks behind the Core Routers
          3. Denial of Service Attacks
        4. City-1 Firewall for Business-Critical Voice Equipment
          1. Securing the Voice Network
        5. QoS Implementation
          1. Traffic Shaping for Clients
      3. Summary