How do IP Filtering firewalls work?
This is the hard part of today's most common firewalls: the basic understanding of HOW they work. First we must think simple. Think of a factory work flow: raw material goes in at one end and is processed towards the other. Well, it is KIND OF the same thing. Basically a network packet comes in and then the firewall compares it to a certain list of criteria; these are the actual firewall rules. The packet is compared to the criteria, one rule after another, until it reaches a rule that matches. If none is found, the default policy is applied. This means that if the packet has no business in your network, according to the rules you specified, it will (should) be discarded, thrown away.
A simple example is shown in the following graphic. A packet arrives from the address 192.168.10.2, port 80, and tries to get to the address 10.0.0.3, port 8080, using the TCP protocol.

The IP 10.0.0.30 is within your network and there are 4 really simple rules (this is just for illustration purposes, since these rules wouldn’t make MUCH sense in any real-world scenario). There are basically 2 “main rules” and 1 subrule in each. In our scenario the first rule does not match the packet description, since the rule says “IF the packet is destined for port 808 then we check the subrule here”, but it is destined for 8080, so it jumps directly to the next MAIN rule. The next MAIN rule says “If the packet is from 192.168.10.2 then we go to the subrule here”, which we do since that address is the actual source. The subrule however says “If the protocol is UDP then we let it in”. The protocol used in this case however was TCP, so the packet would be sent to the next subrule, but there is none, so it is sent to the next MAIN rule. There is no next MAIN rule either, which means it is then processed with the MAIN POLICY, which states: “If nothing matches, DENY the packet”. So in our scenario the packet would have been denied.
So, based on this we can see that all traffic in today's IP filtering firewalls follows this structure. There should ALWAYS be a default policy of DENY, since you don’t want any traffic coming INTO your network that you haven't explicitly allowed. Once you have very large firewall rulesets this whole structure actually makes a lot of sense, since you can really fine-grain the traffic flow.
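The rule walk from the scenario above, as an added example that is not part of the original post: main rules hand a packet to their subrules, an unmatched subruleset falls through to the next main rule, and the default policy decides at the end. The ruleset is the one from the walkthrough; the subrule under the port 808 rule is not spelled out on the page and is assumed to be "allow TCP".

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

@dataclass
class Rule:
    # Each field is a match criterion; None means "don't care".
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    action: Optional[str] = None      # "ALLOW"/"DENY", or None if the rule only jumps to subrules
    subrules: List["Rule"] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        checks = ((self.src, p.src), (self.dst, p.dst), (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == got for want, got in checks)

def evaluate(rules: List[Rule], p: Packet, default: Optional[str] = "DENY") -> Optional[str]:
    """Walk the rules top to bottom; the first terminal match wins.
    A matching main rule hands the packet to its subrules; if none of those
    match, the walk continues with the next main rule, and the default policy
    applies only when the whole list is exhausted."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.action is not None:
            return r.action
        verdict = evaluate(r.subrules, p, default=None)  # a subruleset has no default of its own
        if verdict is not None:
            return verdict
    return default

# The two MAIN rules from the walkthrough, one subrule each (the first subrule is assumed).
RULESET = [
    Rule(dport=808, subrules=[Rule(proto="TCP", action="ALLOW")]),
    Rule(src="192.168.10.2", subrules=[Rule(proto="UDP", action="ALLOW")]),
]

if __name__ == "__main__":
    pkt = Packet("192.168.10.2", 80, "10.0.0.3", 8080, "TCP")  # the packet from the scenario
    print(evaluate(RULESET, pkt))  # DENY: second main rule matches, its UDP subrule does not
```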
As previously discussed you can now apply the logic to building good IPTables firewalls.
[…] iptables is an IP filtering firewall that is based on matching IP traffic against rules that you specify. The objective is that you match traffic with specific groups of rules, called tables. You can have as many tables as you want, but notice that performance might take a hit on slow machines if you have a lot of complex filters. […]
[…] Now, if you went through the IP filtering firewalls tutorial, you know how the rules work; however, with the next graphic I would like to explain how the process with IP Tables works. Basically it works the same way, except that IP Tables gives you the option to make groups of rules for specific things. These groups are called tables. It works so that you have the normal chains (INPUT, OUTPUT etc.) and you can attach small rulesets to each main chain. These rulesets only get checked IF a certain characteristic is seen in the traffic. Say, if you get traffic to port 80 (www) on one of your machines, and you have a table that has all the allowed traffic for port 80, then the packet will get checked to see if it matches anything in the port 80 ruleset. If the traffic is destined for port 22 (ssh), the port 80 ruleset will be ignored. This approach gives you a LOT of flexibility in creating VERY complex and tight firewall rulesets WITHOUT taking a performance hit in any sense. […]