FIREWALL
Firewall Concept
A firewall is one layer of defence that governs a computer's relationship with the outside world by inspecting every traffic flow, packet and port against the configured rules. It does this by filtering, limiting or denying the connections and activities of a segment of the private network towards an external network that lies outside its scope.
Copyright © 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
Simple Configuration
pc (local network) <==> firewall <==> internet (other networks)
(Cartoon caption: "May I go through, miss? Here are my papers." / "Children aren't allowed out, it's already late." Label: Firewall)
Firewall Topology: Basic Two-interface Firewall (no DMZ)
Connects to the ISP using DSL, cable modem, ISDN or dial-up. Provides "Internet Connection Sharing" of a single public IP address for a local network using SNAT/Masquerading.
Firewall Topology: Three-interface Firewall (with DMZ)
Provides Internet connection sharing of one or more public IP addresses. Has a DMZ containing the servers that are exposed to the Internet. If a server is hacked, the firewall and the local network are not compromised.
Firewall Types by working mechanism:
- Packet Filtering: filters packets by source, destination and packet attributes (filtering by IP address and port). The fields inspected are the IP, TCP, UDP and ICMP headers and the port numbers.
- Application Level: usually called a proxy firewall; filtering can be based on packet content.
- Circuit Level Gateway: filters by communication session, monitoring the session handshake. Sessions are tracked as NEW/ESTABLISHED.
- Stateful Multilayer Inspection Firewall: a combination of the three types above.
Circuit Level / Stateful Inspection Firewalls: Default Behaviour
- Permit connections initiated by an internal host
- Deny connections initiated by an external host
- The default behaviour can be changed with an ACL, for example for a DMZ implementation
(Diagram: Router, Internet; connection attempts from inside are automatically accepted, connection attempts from outside are automatically denied.)
DMZ Configuration
Place the web servers in the "DMZ" network. Only allow the web ports (TCP ports 80 and 443).
(Diagram: internet, Firewall, Web Server)
DMZ Configuration
Don't allow the web servers access to your network. Allow the local network to manage the web servers (SSH). Don't allow the servers to connect to the Internet.
(Cartoon caption: "Hey, the red ones aren't allowed through.")
Patching is not convenient.
(Diagram: internet, Firewall, Web Server)
IPTABLES
IPTABLES
iptables is a network administration command-line tool on Linux that interfaces to the kernel-provided Netfilter modules. It allows stateless and stateful firewalls and NAT. It is useful to think of iptables as a specialised firewall-creation programming language.
How iptables Works
An incoming packet is processed according to its destination:
- Destination IP is the firewall itself: the packet enters INPUT processing
- Destination IP is not the firewall but the packet is to be passed on: the packet enters FORWARD processing
The packet is then matched against the policy table held by the firewall to decide whether it is accepted or dropped.
How the Firewall Works
(Diagram: Firewall Machine)
iptables Syntax: Options
-A, append a new rule at the last position of the chain: iptables -A INPUT
-D, delete a rule, by number or by specification: iptables -D INPUT 1 ; iptables -D INPUT -s 202.154.178.2
-I, insert a new rule at the given position number: iptables -I INPUT 3 -s 202.154.178.2 -j ACCEPT
-R, replace a rule: iptables -R INPUT 2 -s 202.154.178.2 -j ACCEPT
-F, flush (delete) all rules: iptables -F
-L, list the rules: iptables -L
Parameters
-p [!] protocol, the protocol to check: iptables -A INPUT -p tcp
-s [!] address/[mask], match the source of the packet: iptables -A INPUT -s 10.252.44.145
-d [!] address/[mask], match the destination of the packet: iptables -A INPUT -d 202.154.178.2
-j target, decide the fate of the packet; targets include ACCEPT/DROP/REJECT: iptables -A INPUT -d 202.154.178.2 -j DROP
-i [!] interface_name, the network interface the packet arrives on: iptables -A INPUT -i eth0
-o [!] interface_name, the network interface the packet leaves through: iptables -A OUTPUT -o eth1
iptables Match Extensions
mac, match packets by MAC address: iptables -A INPUT -m mac --mac-source 44:45:53:54:00:FF
multiport, specify several ports at once: iptables -A INPUT -p tcp -m multiport --source-ports 22,25,110,80 -j ACCEPT
state, match the state of the connection: iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables Targets/Jumps
ACCEPT, the packet is accepted immediately: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
DROP, the arriving packet is discarded silently: iptables -A INPUT -p tcp --dport 21 -j DROP
REJECT, the rejected packet is answered with an ICMP error message: iptables -A INPUT -p tcp --dport 21 -j REJECT
SNAT, the source of the packet is rewritten, usually on the host that holds the Internet connection: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.154.178.2
DNAT, rewrites the destination address of the packet; typically used when a server has a private IP address, so that the Internet can still reach it through the public address: iptables -t nat -A PREROUTING -p tcp -d 202.154.178.2 --dport 80 -j DNAT --to-destination 192.168.1.1
MASQUERADE, for sharing an Internet connection when the number of public IPs is limited, mapping local IPs onto the public one: iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
REDIRECT, used for a transparent proxy: iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 80 -j REDIRECT --to-ports 8080
LOG, records our firewall's activity; where the log goes is configured in /etc/syslog.conf: iptables -A FORWARD -j LOG --log-level debug ; iptables -A FORWARD -j LOG --log-tcp-options
Firewall Options
# Load the iptables modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
Deleting iptables Rules
# Flush the iptables rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Delete the user-defined chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
Packet Filtering Firewall (diagram)
Circuit Level Gateway (diagram)
Forward
iptables -t nat -A POSTROUTING -s IP_number -d 0/0 -j MASQUERADE
# iptables -A FORWARD -p icmp -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -j DROP
# iptables -A FORWARD -i eth1 -o eth0 -p icmp -s 10.252.105.109 -d 192.168.108.5 -j ACCEPT
# iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp --dport ftp -j REJECT
Case Study 1
Build your own network. Install a web server and an FTP server on the "Internet" network (10.252.105.xxx). Configure the firewall so that PC2 and PC3 cannot access web and FTP.
Router Configuration (PC1)
Enable IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Configure NAT:
iptables -t nat -A POSTROUTING -o eth0 -s IP_number -d 0/0 -j MASQUERADE
IP configuration:
eth0    192.168.105.109   Bcast:192.168.105.255   Mask:255.255.255.0
eth0:1  192.168.108.1     Bcast:192.168.108.255   Mask:255.255.255.0
Routing:
# route add default gw 192.168.105.1
Client Configuration
PC2: inet addr:192.168.108.10  Bcast:192.168.108.255  Mask:255.255.255.0
PC3: inet addr:192.168.108.5   Bcast:192.168.108.255  Mask:255.255.255.0
PC4: inet addr:192.168.108.20  Bcast:192.168.108.255  Mask:255.255.255.0
Gateway for PC2, PC3 and PC4:
route add default gw 192.168.108.1
Connectivity Test
Router PC1: ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
PC2: ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
PC3: ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4
PC4: ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5, ping 192.168.105.1, ping 202.154.187.4
Firewall Rules
Block PC2 and PC3 from accessing web and FTP:
# iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp -m state --state NEW -m multiport --dports www -j REJECT
# iptables -A FORWARD -s 192.168.108.5/24 -d 0/0 -p tcp -m state --state NEW -m multiport --dports ftp -j REJECT
Save and restore the rule set with iptables-save and iptables-restore.
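The case-study rule set as an added example (not from the slides): the slide's -s 192.168.108.5/24 matches the whole 192.168.108.0/24 network, so PC4 would lose web and FTP access too. This script emits one REJECT per blocked host, places it before the general FORWARD accept, and prints the commands (run with "apply" as root to load them). eth0 and the 192.168.108.0/24 addressing come from the slides; the numeric port list 80,21 standing for www and ftp is an assumption.

```shell
#!/bin/sh
# Added example for case study 1 (not from the slides).
# The slide's rule uses -s 192.168.108.5/24, which is the whole 192.168.108.0/24
# network, so PC4 (192.168.108.20) would be blocked as well. Here each blocked
# host gets its own REJECT rule, placed before the general FORWARD accept.
WAN_IF=eth0                                   # router uplink, as on the slides
LAN_NET=192.168.108.0/24                      # client network, as on the slides
BLOCKED_HOSTS="192.168.108.10 192.168.108.5"  # PC2 and PC3
BLOCKED_PORTS="80,21"                         # www and ftp (assumed numeric form)

# Print the FORWARD rule rejecting new web/FTP connections from one host.
block_rule() {
    printf 'iptables -A FORWARD -s %s -d 0/0 -p tcp -m state --state NEW -m multiport --dports %s -j REJECT\n' \
        "$1" "$BLOCKED_PORTS"
}

# Print the complete rule set in order: forwarding, NAT, per-host blocks, then
# the general accept. Order matters: a REJECT after the ACCEPT would never match.
ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -d 0/0 -j MASQUERADE"
    for h in $BLOCKED_HOSTS; do
        block_rule "$h"
    done
    echo "iptables -A FORWARD -s $LAN_NET -d 0/0 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of per-host REJECT rules in the set (one per blocked host).
count_block_rules() {
    ruleset | grep -c -- '-j REJECT'
}

# "apply" loads the rules (needs root); anything else just prints them for review.
if [ "$1" = "apply" ]; then
    ruleset | sh
else
    ruleset
fi
```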
Case Study 2: DMZ
- eth0, private IP address 192.168.1.1: internal LAN, desktop systems
- eth1, public IP address 202.54.1.1: WAN, connected to the ISP router
- eth2, private IP address 192.168.2.1: DMZ, connected to the mail / web / DNS and other private servers
Routing traffic between the public interface and a DMZ server
To route all incoming SMTP requests to a dedicated mail server at IP address 192.168.2.2, port 25, network address translation (NAT) uses the PREROUTING chain to forward the packets to the proper destination. This is done with appropriate iptables rules that pass traffic from the LAN to the DMZ and from the public interface to the DMZ. For example, all incoming mail traffic from the Internet (arriving at 202.54.1.1) can be sent to the DMZ mail server (192.168.2.2) with the following iptables PREROUTING rule (assuming a default DROP policy for everything else):
Routing traffic between the public interface and a DMZ server
### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###
Where:
-i eth1 : WAN network interface
-d 202.54.1.1 : WAN public IP address
--dport 25 : SMTP traffic
-j DNAT : the DNAT target sets the destination address of the packet to the value given with --to-destination
--to-destination 192.168.2.2 : mail server IP address (private IP)
Multi-port redirection
You can also use the multiport iptables module to match a set of source or destination ports. Up to 15 ports can be specified. For example, to route incoming HTTP (port 80) and HTTPS (port 443) traffic to the server load balancer at IP 192.168.2.3:
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.3
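An added example for case study 2 (not from the slides): the slide's FORWARD rule admits any NEW connection from eth1 to eth2, so every DMZ port is reachable from the WAN. This script pairs each DNAT rule with a FORWARD rule that accepts NEW connections only to that DMZ host and port, which under the default DROP policy the slide assumes is all that is needed. Interface names and addresses are the slide's; the publish/check_pairs helpers are constructed here.

```shell
#!/bin/sh
# Added example for case study 2 (not from the slides).
# The slide admits any NEW connection from eth1 to eth2, so every DMZ port is
# reachable from the WAN. Here each published service gets a DNAT rule and a
# FORWARD rule that accepts NEW connections only to that DMZ host and port;
# under the default DROP policy the slide assumes, nothing else gets through.
WAN_IF=eth1              # WAN interface, as on the slides
DMZ_IF=eth2              # DMZ interface, as on the slides
PUBLIC_IP=202.54.1.1     # public address on eth1, as on the slides

# publish PORT DMZ_IP : print the DNAT rule and its matching FORWARD rule.
publish() {
    port=$1
    dmz_ip=$2
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$PUBLIC_IP" "$port" "$dmz_ip"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$DMZ_IF" "$dmz_ip" "$port"
}

# The three services the slide publishes into the DMZ.
dmz_ruleset() {
    # Replies to accepted connections, in either direction
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    publish 25  192.168.2.2    # SMTP -> mail server
    publish 80  192.168.2.3    # HTTP -> web load balancer
    publish 443 192.168.2.4    # HTTPS -> reverse load balancer
}

# Consistency check: every DNAT rule must have a FORWARD rule beside it.
# Returns 0 when the counts match, 1 otherwise.
check_pairs() {
    dnat=$(dmz_ruleset | grep -c -- '-j DNAT')
    fwd=$(dmz_ruleset | grep -c -- '--state NEW -j ACCEPT')
    [ "$dnat" -eq "$fwd" ]
}

# "apply" loads the rules (needs root); anything else just prints them for review.
if [ "$1" = "apply" ]; then
    dmz_ruleset | sh
else
    dmz_ruleset
fi
```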
Case Study 3: Assignment
(Diagram: Internet, Router, IDS + Firewall, DMZ Server, Internal Network)
SHOREWALL
Shorewall
Shorewall is a tool for building a firewall; its main variables are interfaces, zones and rules.
The Shorewall configuration lives in the directory /etc/shorewall and consists at minimum of the files zones, interfaces, rules, policy and shorewall.conf.
Shorewall Topology (diagram)
Zones
Shorewall divides the network into zones, described in /etc/shorewall/zones. Suppose the computer has two interfaces; we then create a zone net and a zone loc, so that /etc/shorewall/zones looks as follows:

#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4

- Zone net is the Internet zone
- Zone loc is the local zone
- Zone fw describes the firewall machine itself
The zone names are up to us.
Interfaces
Next we define which interfaces the zones above apply to, in /etc/shorewall/interfaces; the configuration looks roughly like this:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
Rules
Rules are the policies that govern each connection entering the firewall. Example /etc/shorewall/rules:

#ACTION        SOURCE              DEST    PROTO   DEST PORT(S)
Ping/ACCEPT    loc:192.168.0.1     $FW
ACCEPT         $FW                 all     icmp
Web/ACCEPT     all                 $FW
SSH/ACCEPT     loc:192.168.0.1     $FW
Policy
A policy is the general rule applied to the relationship between each pair of zones when no rule describes the connection, for example:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
On Debian-based installations the /etc/shorewall directory is usually empty; the default rule files can be copied from /usr/share/doc/shorewall/default-config, and example configurations are also available in /usr/share/doc/shorewall/examples.
Installation
Remove:
:~# apt-get remove portmap
:~# apt-get remove nfs-common
:~# apt-get remove pidentd
Installation
Install Shorewall:
:~# apt-get install shorewall
Install the documentation:
:~# apt-get install shorewall-doc
Configuration
Go to the Shorewall directory:
:~# cd /etc/shorewall
Look inside:
:/etc/shorewall# ls
Configuration
Change /etc/default/shorewall from startup=0 to startup=1:
# vim /etc/default/shorewall
(change the startup line)
Activate the firewall:
# /etc/init.d/shorewall start
Watch your firewall:
# iptables -nL | less
Configuring Shorewall from Webmin