book

Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition

Name: Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition
Author: Steve Suehring
ISBN: 9780134000206

by Steve Suehring

January 2015

Intermediate to advanced

432 pages

13h 23m

English

Addison-Wesley Professional

Read now

Unlock full access

About This eBook
Title Page
Copyright Page
Dedication Page
Contents at a Glance
Contents
Preface
Acknowledgments
About the Author
I. Packet Filtering and Basic Security Measures
1. Preliminary Concepts Underlying Packet-Filtering Firewalls
The OSI Networking ModelConnectionless versus Connection-Oriented ProtocolsNext StepsThe Internet ProtocolIP Addressing and SubnettingIP FragmentationBroadcasting and MulticastingICMPTransport MechanismsUDPTCPDon’t Forget Address Resolution ProtocolHostnames and IP AddressesIP Addresses and Ethernet AddressesRouting: Getting a Packet from Here to ThereService Ports: The Door to the Programs on Your SystemA Typical TCP Connection: Visiting a Remote WebsiteSummary

2. Packet-Filtering Concepts
A Packet-Filtering FirewallChoosing a Default Packet-Filtering PolicyRejecting versus Denying a PacketFiltering Incoming PacketsRemote Source Address FilteringLocal Destination Address FilteringRemote Source Port FilteringLocal Destination Port FilteringIncoming TCP Connection State FilteringProbes and ScansDenial-of-Service AttacksSource-Routed PacketsFiltering Outgoing PacketsLocal Source Address FilteringRemote Destination Address FilteringLocal Source Port FilteringRemote Destination Port FilteringOutgoing TCP Connection State FilteringPrivate versus Public Network ServicesProtecting Nonsecure Local ServicesSelecting Services to RunSummary
3. iptables: The Legacy Linux Firewall Administration Program
Differences between IPFW and Netfilter Firewall MechanismsIPFW Packet TraversalNetfilter Packet TraversalBasic iptables Syntaxiptables FeaturesNAT Table Featuresmangle Table Featuresiptables Syntaxfilter Table Commandsfilter Table Target Extensionsfilter Table Match Extensionsnat Table Target Extensionsmangle Table CommandsSummary
4. nftables: The Linux Firewall Administration Program
Differences between iptables and nftablesBasic nftables Syntaxnftables Featuresnftables SyntaxTable SyntaxChain SyntaxRule SyntaxBasic nftables Operationsnftables File SyntaxSummary
5. Building and Installing a Standalone Firewall
The Linux Firewall Administration ProgramsBuild versus Buy: The Linux KernelSource and Destination Addressing OptionsInitializing the FirewallSymbolic Constants Used in the Firewall ExamplesEnabling Kernel-Monitoring SupportRemoving Any Preexisting RulesResetting Default Policies and Stopping the FirewallEnabling the Loopback InterfaceDefining the Default PolicyUsing Connection State to Bypass Rule CheckingSource Address Spoofing and Other Bad AddressesProtecting Services on Assigned Unprivileged PortsCommon Local TCP Services Assigned to Unprivileged PortsCommon Local UDP Services Assigned to Unprivileged PortsEnabling Basic, Required Internet ServicesAllowing DNS (UDP/TCP Port 53)Enabling Common TCP ServicesEmail (TCP SMTP Port 25, POP Port 110, IMAP Port 143)SSH (TCP Port 22)FTP (TCP Ports 21, 20)Generic TCP ServiceEnabling Common UDP ServicesAccessing Your ISP’s DHCP Server (UDP Ports 67, 68)Accessing Remote Network Time Servers (UDP Port 123)Logging Dropped Incoming PacketsLogging Dropped Outgoing PacketsInstalling the FirewallTips for Debugging the Firewall ScriptStarting the Firewall on Boot with Red Hat and SUSEStarting the Firewall on Boot with DebianInstalling a Firewall with a Dynamic IP AddressSummary
II. Advanced Issues, Multiple Firewalls, and Perimeter Networks
6. Firewall Optimization
Rule OrganizationBegin with Rules That Block Traffic on High PortsUse the State Module for ESTABLISHED and RELATED MatchesConsider the Transport ProtocolPlace Firewall Rules for Heavily Used Services as Early as PossibleUse Traffic Flow to Determine Where to Place Rules for Multiple Network InterfacesUser-Defined ChainsOptimized ExamplesThe Optimized iptables ScriptFirewall InitializationInstalling the ChainsBuilding the User-Defined EXT-input and EXT-output Chainstcp-state-flagsconnection-trackinglocal-dhcp-client-query and remote-dhcp-server-responsesource-address-checkdestination-address-checkLogging Dropped Packets with iptablesThe Optimized nftables ScriptFirewall InitializationBuilding the Rules FilesLogging Dropped Packets with nftablesWhat Did Optimization Buy?iptables Optimizationnftables OptimizationSummary
7. Packet Forwarding
The Limitations of a Standalone FirewallBasic Gateway Firewall SetupsLAN Security IssuesConfiguration Options for a Trusted Home LANLAN Access to the Gateway FirewallLAN Access to Other LANs: Forwarding Local Traffic among Multiple LANsConfiguration Options for a Larger or Less Trusted LANDividing Address Space to Create Multiple NetworksSelective Internal Access by Host, Address Range, or PortSummary
8. NAT—Network Address Translation
The Conceptual Background of NATNAT Semantics with iptables and nftablesSource NATDestination NATExamples of SNAT and Private LANsMasquerading LAN Traffic to the InternetApplying Standard NAT to LAN Traffic to the InternetExamples of DNAT, LANs, and ProxiesHost ForwardingSummary
9. Debugging the Firewall Rules
General Firewall Development TipsListing the Firewall Rulesiptables Table Listing Examplenftables Table Listing ExampleInterpreting the System Logssyslog ConfigurationFirewall Log Messages: What Do They Mean?Checking for Open Portsnetstat -a [ -n -p -A inet ]Checking a Process Bound to a Particular Port with fuserNmapSummary
10. Virtual Private Networks
Overview of Virtual Private NetworksVPN ProtocolsPPTP and L2TPIPsecLinux and VPN ProductsOpenswan/LibreswanOpenVPNPPTPVPN and FirewallsSummary
III. Beyond iptables and nftables
11. Intrusion Detection and Response
Detecting IntrusionsSymptoms Suggesting That the System Might Be CompromisedSystem Log IndicationsSystem Configuration IndicationsFilesystem IndicationsUser Account IndicationsSecurity Audit Tool IndicationsSystem Performance IndicationsWhat to Do If Your System Is CompromisedIncident ReportingWhy Report an Incident?What Kinds of Incidents Might You Report?To Whom Do You Report an Incident?What Information Do You Supply?Summary
12. Intrusion Detection Tools
Intrusion Detection Toolkit: Network ToolsSwitches and Hubs and Why You CareARPWatchRootkit CheckersRunning ChkrootkitWhat If Chkrootkit Says the Computer Is Infected?Limitations of Chkrootkit and Similar ToolsUsing Chkrootkit SecurelyWhen Should Chkrootkit Be Run?Filesystem IntegrityLog MonitoringSwatchHow to Not Become CompromisedSecure OftenUpdate OftenTest OftenSummary
13. Network Monitoring and Attack Detection
Listening to the EtherThree Valuable ToolsTCPDump: A Simple OverviewObtaining and Installing TCPDumpTCPDump OptionsTCPDump ExpressionsBeyond the Basics with TCPDumpUsing TCPDump to Capture Specific ProtocolsUsing TCPDump in the Real WorldAttacks through the Eyes of TCPDumpRecording Traffic with TCPDumpAutomated Intrusion Monitoring with SnortObtaining and Installing SnortConfiguring SnortTesting SnortReceiving AlertsFinal Thoughts on SnortMonitoring with ARPWatchSummary
14. Filesystem Integrity
Filesystem Integrity DefinedPractical Filesystem IntegrityInstalling AIDEConfiguring AIDECreating an AIDE Configuration FileA Sample AIDE Configuration FileInitializing the AIDE DatabaseScheduling AIDE to Run AutomaticallyMonitoring AIDE for Bad ThingsCleaning Up the AIDE DatabaseChanging the Output of the AIDE ReportObtaining More Verbose OutputDefining Macros in AIDEThe Types of AIDE ChecksSummary
IV. Appendices
A. Security Resources
Security Information SourcesReference Papers and FAQs
B. Firewall Examples and Support Scripts
iptables Firewall for a Standalone System from Chapter 5nftables Firewall for a Standalone System from Chapter 5Optimized iptables Firewall from Chapter 6nftables Firewall from Chapter 6
C. Glossary
D. GNU Free Documentation License
0. Preamble1. Applicability and Definitions2. Verbatim Copying3. Copying in Quantity4. Modifications5. Combining Documents6. Collections of Documents7. Aggregation with Independent Works8. Translation9. Termination10. Future Revisions of this License11. Relicensing
Index
Code Snippets

Content preview from Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition

13. Network Monitoring and Attack Detection

This chapter uses the knowledge you’ve gained throughout the book and in the preceding couple of chapters specifically to show how you might use some of the tools for everyday monitoring and also for investigation.

The chapter begins with an overview of network monitoring, or sniffing. The information in the beginning of this chapter builds on what you’ve already seen in the first two chapters of the book. This chapter then continues with a look at TCPDump, a key tool in the network security analyst’s toolkit. Finally, the chapter also looks at two helpful security software packages: Snort and ARPWatch.

Listening to the Ether

Armed with the basic knowledge of some of the core protocols from the first ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Red Hat Certified System Administrator (RHCSA) RHEL 9

Publisher Resources

ISBN: 9780134000206Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition

by Steve Suehring