Netfilter and IPTables; Basic Firewall Configuration - Red Hat Enterprise Linux 5 Deployment Guide

Chapter 43. Securing Your Network
Table 43.2. Firewall Types (continued)

Method: Proxy

Description: Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.

Advantages:
· Gives administrators control over what applications and protocols function outside of the LAN
· Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption
· Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network

Disadvantages:
· Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only)
· Application services cannot run behind a proxy, so your application servers must use a separate form of network security
· Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service

43.8.1. Netfilter and IPTables

The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled using the iptables tool.

43.8.1.1. IPTables Overview

The power and flexibility of Netfilter is implemented using the iptables administration tool, a command line tool similar in syntax to its predecessor, ipchains.

A similar syntax does not mean similar implementation, however. ipchains requires intricate rule sets for: filtering source paths; filtering destination paths; and filtering both source and destination connection ports.

By contrast, iptables uses the Netfilter subsystem to enhance network connection, inspection, and processing. iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

This section provides an overview of iptables. For more detailed information, refer to Section 43.9, "IPTables".

43.8.2. Basic Firewall Configuration

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer.

In a default Red Hat Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer
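The following script is an added example, not taken from the Red Hat guide. It builds a small default-deny ruleset in iptables-restore format that exercises the features the IPTables overview lists: stateful filtering with the state match, rate-limited logging, pre-routing port forwarding (DNAT) and post-routing IP masquerading. The interface names, the LAN prefix and the internal web server address are assumed values.

```shell
#!/bin/sh
# Added example (not from the RHEL manual): a stateful firewall in
# iptables-restore format. Interface names, the LAN prefix and the
# internal web host below are assumed values; override them if needed.
WAN_IF="${WAN_IF:-eth0}"                # assumed: untrusted (Internet) side
LAN_IF="${LAN_IF:-eth1}"                # assumed: internal LAN side
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: internal prefix
WEB_HOST="${WEB_HOST:-192.168.1.10}"    # assumed: internal web server
# Emit the ruleset. Default policy DROP: anything not listed is denied.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful: accept replies to connections this host or the LAN opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH is offered to the LAN only.
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Log what the DROP policy is about to discard, rate-limited.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Only the forwarded web port may enter the LAN from outside.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Pre-routing action: port forwarding (DNAT) to the internal server.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# Post-routing action: IP masquerading for the LAN behind the WAN address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}
# Number of rules in the set; a cheap sanity check before loading it.
rule_count() { gen_ruleset | grep -c '^-A '; }
# Print by default; load only with --apply, as root, via iptables-restore.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Forwarding and masquerading only take effect once IP forwarding is enabled in the kernel (net.ipv4.ip_forward), which this script does not change.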
