Designing and Implementing Linux Firewalls and QoS using netfilter… (e-book)

Author: Lucian Gheorghe

Publisher: Packt Publishing

Publication date: 2006-10-31

Word count: 3.392 million

Category: Imported books > Foreign-language originals > Computers/Networking

The author draws on his experience to offer the reader valuable advice on best practices. Providing only the necessary theoretical background, the book takes a practical approach, presenting case studies and plenty of illustrative examples. This book is aimed at Linux network administrators with some understanding of Linux security threats and issues, or anyone interested in securing their systems behind a firewall. Basic knowledge of Linux is presumed, but other than that this book shows you how to do the rest, from configuring your system to dealing with security breaches.
Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter

Table of Contents

Credits

About the Author

About the Reviewer

Preface

What This Book Covers

Conventions

Reader Feedback

Customer Support

Downloading the Example Code for the Book

Errata

Questions

1. Networking Fundamentals

The OSI Model

OSI Layer 7: Application

OSI Layer 6: Presentation

OSI Layer 5: Session

OSI Layer 4: Transport

OSI Layer 3: Network

OSI Layer 2: Data Link

OSI Layer 1: Physical

OSI Functionality Example and Benefits

The TCP/IP Model

The TCP/IP Application Layer

The TCP/IP Transport Layer

The Transmission Control Protocol (TCP)

The User Datagram Protocol (UDP)

The TCP/IP Internet Layer

The TCP/IP Network Access Layer

TCP/IP Protocol Suite Summary

OSI versus TCP/IP

IP Addressing, IP Subnetting, and IP Supernetting

Obtaining an IP Address

IP Classes

Reserved IP Addresses

Public and Private IP Addresses

IP Subnetting

The Subnet Mask

Everything Divided in Two

A Different Approach

IP Supernetting or CIDR

How the Internet Works

Summary

2. Security Threats

Layer 1 Security Threats

Layer 2 Security Threats

MAC Attacks

DHCP Attacks

ARP Attacks

STP and VLAN-Related Attacks

Layer 3 Security Threats

Packet Sniffing

IP Spoofing

Routing Protocols Attacks

ICMP Attacks

Teardrop Attacks

Layer 4 Security Threats

TCP Attacks

UDP Attacks

TCP and UDP Port Scan Attacks

Layer 5, 6, and 7 Security Threats

BIND Domain Name System (DNS)

Apache Web Server

Version Control Systems

Mail Transport Agents (MTA)

Simple Network Management Protocol (SNMP)

Open Secure Sockets Layer (OpenSSL)

Protect Running Services—General Discussion

Summary

3. Prerequisites: netfilter and iproute2

netfilter/iptables

Iptables — Operations

Filtering Specifications

Target Specifications

A Basic Firewall Script—Linux as a Workstation

iproute2 and Traffic Control

Network Configuration: "ip" Tool

Traffic Control: tc

Queuing Packets

Classless Queuing Disciplines (Classless qdiscs)

Classful Queuing Disciplines

tc qdisc, tc class, and tc filter

A Real Example

Summary

4. NAT and Packet Mangling with iptables

A Short Introduction to NAT and PAT (NAPT)

SNAT and Masquerade

DNAT

Full NAT (aka Full Cone NAT)

PAT or NAPT

NAT Using iptables

Setting Up the Kernel

The netfilter nat Table

SNAT with iptables

DNAT with iptables

Transparent Proxy

Setting Up the Script

Verifying the Configuration

A Less Normal Situation: Double NAT

Packet Mangling with iptables

The netfilter mangle Table

Summary

5. Layer 7 Filtering

When to Use L7-filter

How Does L7-filter Work?

Installing L7-filter

Applying the Kernel Patch

Applying the iptables Patch

Protocol Definitions

Testing the Installation

L7-filter Applications

Filtering Application Data

Application Bandwidth Limiting

Accounting with L7-filter

IPP2P: A P2P Match Option

Installing IPP2P

Using IPP2P

IPP2P versus L7-filter

Summary

6. Small Networks Case Studies

Linux as SOHO Router

Setting Up the Network

Defining the Security Policy

Building the Firewall

Setting Up the Firewall Script

Verifying the Firewall Configuration

QoS—Bandwidth Allocation

The QoS Script

Verifying the QoS Configuration

Linux as Router for a Typical Small to Medium Company

Setting Up the Router

Defining the Security Policy

A Few Words on Applications

Creating the Firewall Rules

Setting Up the Firewall Script

QoS—Bandwidth Allocation

The QoS Script

Summary

7. Medium Networks Case Studies

Example 1: A Company with Remote Locations

The Network

Building the Network Configuration

Designing the Firewalls

Building the Firewalls

Sites B and C

Site A

Headquarters

Make the Network Intelligent by Adding QoS

Example 2: A Typical Small ISP

The Network

Building the Network Configuration

Designing and Implementing the Firewalls

The Intranet Server: 1.2.3.10

The Wireless Server: 1.2.3.130

The AAA Server: 1.2.3.1

The Database Server: 1.2.3.2

The Email Server: 1.2.3.3

The Web Server: 1.2.3.4

A Few Words on the Access Server: 1.2.3.131

The Core Router—First Line of Defense

QoS for This Network

QoS on the Wireless Server for Long-Range Wireless Users

QoS on the Intranet Server for the Internal Departments

QoS on the Core Router

Summary

8. Large Networks Case Studies

Thinking Large, Thinking Layered Models

A Real Large Network Example

A Brief Network Overview

City-1

City-2

City-3 and City-4

The Core Network Configuration

Core-2

Core-1, Core-3, and Core-4

Security Threats

Core Routers INPUT Firewalls

Protecting the Networks behind the Core Routers

Denial of Service Attacks

City-1 Firewall for Business-Critical Voice Equipment

Securing the Voice Network

QoS Implementation

Traffic Shaping for Clients

Summary

Index
