Book Image

Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter

By : Lucian Gheorghe
Book Image

Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter

By: Lucian Gheorghe

Overview of this book

Firewalls are used to protect your network from the outside world. Using a Linux firewall, you can do a lot more than just filtering packets. This book shows you how to implement Linux firewalls and Quality of Service using practical examples from very small to very large networks. After giving us a background of network security, the book moves on to explain the basic technologies we will work with, namely netfilter, iproute2, NAT and l7-filter. These form the crux of building Linux firewalls and QOS. The later part of the book covers 5 real-world networks for which we design the security policies, build the firewall, setup the script, and verify our installation. Providing only necessary theoretical background, the book takes a practical approach, presenting case studies and plenty of illustrative examples.
Table of Contents (14 chapters)
Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT, and L7-filter
Credits
About the Author
About the Reviewer
Preface
Index

How Does L7-filter Work?


What L7-filter does is provides a way for iptables to match packets based on the application they belong to.

The TCP/IP model contains four layers and, before the L7-filter project, netfilter could match data by the first three layers:

  • Network access layer: iptables -A CHAIN - m mac --mac-source "

  • Internet: iptables -A CHAIN -s IP_ADDRESS "

  • Transport: iptables -A CHAIN - p tcp --dport 80

At the network access layer, netfilter uses -m mac to match packets from or to a MAC address in the network. At the layer above, the Internet layer, we have the IP protocol; netfilter matches packets from or to an IP address, regardless of the transport protocol, port number, or application the packet uses. At the transport layer, we have TCP or UDP, and netfilter can match packets by protocol, and more specifically, by port number within the protocol.

Any combination of the three lower layers is permitted; for instance:

iptables –A FORWARD –s 192.168.0.2 –p tcp -–dport 80 –m mac...