1. Chain & Action
- Firewall filter rules are organized in chains
- There are default and user-defined chains
- There are three default chains :
- input – processes packets sent to the router
- output – processes packets sent by the router
- forward – processes packets sent through the router
2. Chain Input
Protecting the router – allowing only necessaryservices from reliable source addresses with agreeable load.
Protecting the router – allowing only necessaryservices from reliable source addresses with agreeable load.
• To deny access to router to the router via Telnet (TCP port 23)
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
3. Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers
Protecting the customers from viruses and protecting the Internet from the customers
Protecting Your Customer
• Block IP addreses called “bogons”:
• Block IP addreses called “bogons”:
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
4. Condition: Connection State
- Connection state is a status assigned to each packet by conntrack system:
- New – packet is opening a new connection
- Related – packet is also opening a new connection, but it is in some kind of relation to an already established connection
- Established – packet belongs to an already known connection
- Invalid – packet does not belong to any of the known connections
- Connection state ≠ TCP state
5. Address List
Firewall address lists allow user to create lists of IP addresses grouped together. Firewall filter, mangle and NAT facilities can use address lists to match packets against them.
Firewall address lists allow user to create lists of IP addresses grouped together. Firewall filter, mangle and NAT facilities can use address lists to match packets against them.
The address list records could be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in NAT mangle and filter facilities.
The following example creates an address list of people thet are connecting to port 23 (telnet) on the router and drops all further traffic from them. Additionaly, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
/ip firewall address-list add list=drop_traffic address=192.0.34.166/32
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 action=add-src-to-address-list address-list=drop_traffic
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 action=add-src-to-address-list address-list=drop_traffic
/ip firewall filter add action=drop chain=input src-address-list=drop_traffic
6. NAT Type
As there are 2 IP addresses and ports in an IP packet header, there are 2 types of NAT .
As there are 2 IP addresses and ports in an IP packet header, there are 2 types of NAT .
1. which rewrites source IP address and/or port is called source NAT (src-nat)
- performed on packet that are originated from natted network
- a NAT router replace the private source address of an IP packet with anew public IP Address as it travel trough the router.
2. which rewrites destination IP address and/or port is called destination NAT (dst-nat)
- performed on packet that a destined to the natted network,
- it’s most commonly used to make ahost on private network to be accessible from internet
7. Firewall NAT Structure
Firewall NAT rules are organized in chains, There are two default chains :
Firewall NAT rules are organized in chains, There are two default chains :
- dstnat – processes traffic sent to and through the router, before it divides in to “input” and “forward” chain of firewall filter.
- srcnat – processes traffic sent from and through the router, after it merges from “output” and “forward” chain of firewall filter.
There are also user-defined chains, Firewall NAT rules process only the first packet of each connection (connection state “new” packets)
8. NAT Action (6 specific action NAT)
- dst-nat and redirect
- src-nat and masquarade
- netmap
- same
9. Source NAT Action
- Action “src-nat” changes packet’s source address and/or port to specified address and/or Port
- This action can take place only in chain srcnat
- Typical application: hide specific LAN resources behind specific public IP address
10. Masquerade Action
- Action “masquerade” changes packet’s source address router’s address and specified port
- This action can take place only in chain srcnat
- Typical application: hide specific LAN resources behind one dynamic public IP address
11. Destination NAT Action
- Action “dst-nat” changes packet’s destination address and port to specified address and port
- This action can take place only in chain dstnat
- Typical application: ensure access to local network services from public network
12. Redirect NAT Action
- Action “redirect” changes packet’s destination address to router’s address and specified port
- This action can take place only in chain dstnat
- Typical application: transparent proxying of network services (DNS,HTTP)
13. Netmap & Same
- Netmap – creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
- Same – gives a particular client the same source/destination IP address from the supplied range for any connection. Used for services that expect constant IP address for multiple connections from the same client
No comments:
Post a Comment