1

FIREWALL

Konsep Firewall

salah satu lapisan pertahanan yang mengatur

hubungan komputer dengan dunia luar melalui

interogasi setiap traffic, packet, dan port-port yang

diatur dengan rule-rule yang ada

Dilakukan dengan cara : Menyaring

membatasi menolak

hubungan /kegiatan suatu segmen pada jaringan pribadi dengan jaringan luar yang bukan merupakan ruang lingkupnya

3

Konfigurasi Sederhana

pc (jaringan local) <==> firewall <==> internet (jaringan lain)

Firewall Boleh lewat mbak ?

Nih surat-suratnya

Anak kecil ga boleh keluar.. sudah malam

Firewall Topologi :

Basic Two-interface Firewall (no DMZ)

Connects to ISP using DSL,

Cable Modem, ISDN, Dial-up,

-Provides for “Internet Connection Sharing” of a single public IP address for a local network using

5

Firewall Topologi :

Three-interface Firewall (with DMZ)

Provides internet connection sharing of one or more public IP addresses.

Had a DMZ containing servers that are exposed to the internet. If a server is hacked, the Firewall and the Local network aren’t compromised.

Tipe Firewall

Berdasarkan mekanisme cara kerja : Packet Filtering

– Memfilter paket berdasarkan sumber, tujuan dan atribut paket (filter berdasar IP dan Port). Yang difilter IP, TCP, UDP, and ICMP headers and port number

Application Level

– Biasa disebut proxy firewall, filter bisa berdasarkan content paket Circuit Level Gateway

– Filter berdasarkan sesi komunikasi, dengan pengawasan sesi handshake.

– Terdapat sesi NEW/ESTABLISH Statefull Multilayer Inspection Firewall

7

Circuit Level / Stateful Inspection Firewalls

Default Behavior

Permit connections initiated by an internal host Deny connections initiated by an external host Can change default behavior with ACL For DMZ Implementation

Internet

Automatically Accept Connection Attempt

Router

Automatically Deny Connection Attempt

DMZ Configuration

Place web servers in the “DMZ” network Only allow web ports (TCP ports 80 and 443)

internet

9

DMZ Configuration

Don’t allow web servers access to your network Allow local network to manage web servers (SSH) Don’t allow servers to connect to the Internet Patching is not convenient

Firewall Web Server internet Mas ..yang merah gak boleh lewat lho

IPTABLES

11

IPTABLES

iptables is a networking administration

command-line tool on Linux which

interfaces to the kernel-provided Netfilter

modules. This allows for stateless and

stateful firewalls and NAT. It is useful to

think of IPtables as being a specialised

firewall-creation programming language.

Prinsip Kerja iptables

Paket masuk diproses berdasarkan tujuan :

– Destination IP untuk Firewall masuk proses input

– Destination IP bukan untuk firewall tapi diteruskan masuk proses FORWARD

Selanjutnya dicocokkan berdasarkan tabel policy yang dipunyai firewall apakah di-accept atau di-drop

13

Prinsip Kerja Firewall

Firewall Machine

Sintaks IPTABLES

Opsi

1. -A, menambah satu aturan baru ditempatkan pada posisi terakhir iptables –A INPUT

-1. -D, menghapus rule iptables –D INPUT 1

iptables –D –s 202.154.178.2

-2. -I, menambah aturan baru penempatan bisa disisipkan sesuai nomor

iptables –I INPUT 3 –s 202.154.178.2 –j ACCEPT

3. -R, mengganti rule

iptables –R INPUT 2 –s –s 202.154.178.2 –j ACCEPT

4. -F, menghapus seluruh rule iptables –F

5. -L, melihat Rule iptables -L

15

Parameter

-p [!] protocol, protokol yang akan dicek

Iptables –A INPUT –p tcp

--s [!] address/[mask], memeriksa kecocokan sumber paket

Iptables –A INPUT –s 10.252.44.145

--d [!] address/[mask], memerika kecocokan tujuan paket

Iptables –A INPUT –d 202.154.178.2

--j target, menentukan nasib paket, target misal ACCEPT/DROP/REJECT

Iptables –A INPUT –d 202.154.178 –j DROP

-i [!] interface_name, identifikasi kartu jaringan tempat masuknya data

Iptables –A INPUT –i etho -.

-o [!] interface_name, identifikasi kartu jaringan tempat keluarnya paket

Iptables –A OUTPUT –o eth1 -.

Match iptables

--mac address, matching paket berdasarkan nomor

MAC Address

Iptables –m mac –mac-address 44:45:53:54:00:FF

Multiport, mendifinisikan banyak port

Iptables –m multiport –source-port 22,25,110,80 –j ACCEPT

State, mendefinisikan state dari koneksi

Iptables –A INPUT –m state –state NEW, ESTABLISH –j ACCEPT

17

Target/Jump iptables

ACCEPT, setiap paket langsung diterima

Iptables –A INPUT –p tcp –dport 80 –j ACCEPT

DROP, paket datang langsung dibuang

Iptables –A INPUT –p tcp –dport 21 –j DROP

REJECT, paket yang ditolak akan dikirimi pesan ICMP error

Iptables –A INPUT –p tcp –dport 21 –j REJECT

SNAT, sumber paket dirubah, biasanya yang memiliki koneksi internet

Iptables –t nat –A POSROUTING –p tcp –o eth0 –j SNAT –to-source 202.154.178.2

DNAT, merubah tujuan alamat paket. Biasanya jika server alamat Ipnya lokal, supaya internet bisa tetap akses diubah ke publik

Iptables –t nat –A PREPROUTING –p tcp –d 202.154.178.2 –dport 80 –j DNAT –to-destination 192.168.1.1

MASQUERADE, untuk berbagi koneksi internet dimana no_ipnya terbatas, sebagai mapping ip lokal ke publik

Iptables –t nat –A POSTROUTING –o eth0 –dport 80 –j MASQUERADE

REDIRECT, sigunakan untuk transparent proxy

Ipatbles –t nat –A PREROUTING –p tcp –d 0/0 –dport 80 –j REDIRECT –to-port 8080

LOG, melakukan pencatatan terhadap aktifitas firewall kita, untuk melihat bisa dibuka /etc/syslog.conf

Iptables –A FORWARD –j LOG –log-level-debug Iptables –A FORWARD –j LOG –log-tcp-options

Firewall Option

# Mengeluarkan Modul-modul Iptables /sbin/modprobe ip_tables /sbin/modprobe ip_conntrack /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG /sbin/modprobe ipt_limit /sbin/modprobe ipt_state /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_conntrack_irc /sbin/modprobe ip_nat_ftp /sbin/modprobe ip_nat_irc

19

Menghapus Rule iptables

# Menghapus aturan iptables

$IPTABLES -F

$IPTABLES -t nat -F $IPTABLES -t mangle -F

# Menghapus nama kolom yg dibuat manual

$IPTABLES -X

$IPTABLES -t nat -X $IPTABLES -t mangle -X

21

Packet Filtering Firewall

23

Forward

iptables –t nat –A POSTROUTING –s IP_number -d 0/0 –j MASQUERADE

#iptables –A FORWARD –p icmp –s 0/0 –d 0/0 –j ACCEPT Iptables –A INPUT –p imcp –s 0/0 –j DROP

#iptables –A FORWARD –i eth1 –o eth0 –p icmp –s 10.252.105.109 –d 192.168.108.5 –j ACCEPT

#iptables –A FORWARD –s 192.168.108.5/24 –d 0/0 –p tcp --dport ftp, -j REJECT

Studi Kasus 1

Bangun Jaringan sendiri

Install web server dan FTP Server pada jaringan Internet (10.252.105.xxx)

Setting memblok PC2 dan PC3 supaya tidak bisa mengakses web dan FTP

25

Setting Komputer Router

PC1

Setting Ip_forward

#echo 1> /proc/sys/net/ipv4/ip_forward

Setting menggunakan NAT

iptables –t nat –A POSTROUTING –o eth0 –s IP_number -d 0/0 –j MASQUERADE Setting IP

Eth0 192.168.105.109 Bcast:192.168.105.255 Mask:255.255.255.0 Eth0:1 192.168.108.1 Bcast:192.168.108.255 Mask:255.255.255.0

Setting Routing

# route add default gw 192.168.105.1

Setting Setiap Client

PC2 Setting IP

inet addr:192.168.108.10 Bcast:192.168.108.255 Mask:255.255.255.0 PC3

Setting IP

inet addr:192.168.108.5 Bcast:192.168.108.255 Mask:255.255.255.0 PC4

Setting IP

inet addr:192.168.108.20 Bcast:192.168.108.255 Mask:255.255.255.0

Setting Gateway untuk PC2, PC3 & PC4 route add default gw 192.168.108.1

27

Test Konektifitas

Router PC 1

ping 192.168.108.10, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

PC 2

ping 192.168.105.109, ping 192.168.108.5, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

PC 3

ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.20, ping 192.168.105.1, ping 202.154.187.4

PC 4

ping 192.168.105.109, ping 192.168.108.10, ping 192.168.108.5, ping 192.168.105.1, ping 202.154.187.4

Rule Firewall

Setting memblok PC2 dan PC3 supaya tidak bisa

mengakses web dan FTP

#iptables –A FORWARD –m state –state NEW –m multiport –s 192.168.108.5/24 –d 0/0 –p tcp –dport www, -j REJECT

#iptables –A FORWARD –m state –state NEW –m multiport –s 192.168.108.5/24 –d 0/0 –p tcp –dport ftp, -j REJECT

29

Studi Kasus 2 - DMZ

eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop system

eth1 with 202.54.1.1 public IP address - WAN connected to ISP router

eth2 with 192.168.2.1 private IP address - DMZ connected to Mail / Web / DNS and other private servers

Routing traffic between public and DMZ server

To set a rule for routing all incoming SMTP requests to a dedicated Mail server at IP address 192.168.2.2 and port 25, network address translation (NAT) calls a PREROUTING table to forward the packets to the proper destination.

This can be done with appropriate IPTABLES firewall rule to route traffic between LAN to DMZ and public interface to DMZ. For example, all incoming mail traffic from internet (202.54.1.1) can be send to DMZ mail server (192.168.2.2) with the following iptables prerouting rule (assuming default DROP all firewall policy):

31

Routing traffic between public and DMZ server

### end init firewall .. Start DMZ stuff #### # forward traffic between DMZ and LAN

iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward traffic between DMZ and WAN servers SMTP, Mail etc

iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Route incoming SMTP (port 25 ) traffic to DMZ server 192.168.2.2

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2

# Route incoming HTTP (port 80 ) traffic to DMZ server load balancer IP 192.168.2.3

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3

# Route incoming HTTPS (port 443 ) traffic to DMZ server reverse load balancer IP 192.168.2.4 iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4 ### End DMZ .. Add other rules ###

Where,

-i eth1 : Wan network interface

-d 202.54.1.1 : Wan public IP address

--dport 25 : SMTP Traffic

-j DNAT : DNAT target used set the destination address

of the packet with --to-destination

--to-destination 192.168.2.2: Mail server ip address

(private IP)

33

Multi port redirection

You can also use multiport iptables module to matches a set of source or destination ports. Up to 15 ports can be specified. For example, route incoming HTTP (port 80 ) and HTTPS ( port 443) traffic to WAN server load balancer IP 192.168.2.3:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dport 80,443 -j DNAT --to-destination 192.168.2.3

Studi Kasus 3 - Tugas

DMZ Server

Internet

Router `

35

SHOREWALL

37

Shorewall

Shorewall

tools for building a firewall variable : interfaces, zones, rules

Konfigurasi Shorewall terdapat pada direktori

/etc/shorewall, yang minimal terdiri dari zone,

interfaces, rule, policy, dan shorewall.conf.

39

Zone

Shorewall membagi jaringan menjadi beberapa zone yang dideskripsikan di /etc/shorewall/zones

diibaratkan komputer terdiri dari dua interfaces maka akan kita buat menjadi zone net dan zone loc, sehingga konfigurasi /etc/shorewall/zones sbb:

#ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall

net ipv4 loc ipv4

– Zone net adalah zona internet

– zone loc adalah zona lokal

– Zona fw mendeskripsikan mesin firewall itu sendiri. Penamaan zona terserah kepada kita.

41

Interfaces

Kemudian kita definisikan interfaces apa saja yang

akan kita terapkan zona tadi pada

/etc/shorewall/interfaces, konfigurasinya kira-kira

seperti :

#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect norfc1918 loc eth1 detect

43

Rules

Rules dalah kebijakan yang akan mengatur setiap koneksi yang masuk ke firewall, contoh konfigurasi /etc/shorewall/rules :

#ACTION SOURCE DEST PROTO DEST PORT(S) Ping/ACCEPT loc:192.168.0.1 $FW

ACCEPT $FW all icmp Web/ACCEPT all $FW

45

Policy

Policy adalah kebijakan umum yang diterapkan untuk hubungan masing-masing zone jika nanti tidak ada rule yang mendeskripsikannya , misalkan :

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT

net all DROP info all all REJECT info

47

Untuk instalasi berbasis debian biasanya file

/etc/shorewall kosong, file-file rule default dapat di copy

dari /usr/share/doc/shorewall/default-config serta

contoh-contoh konfigurasi juga ada pada

/usr/share/doc/shorewall/examples

Installation

Remove

:~# apt-get remove portmap

:~# apt-get remove nfs-common

:~# apt-get remove pidentd

49

Installation

Install Shorewall

:~# apt-get install shorewall

Install documentation

51

Configuration

goto shorewall directory

:~# cd /etc/shorewall

look inside

:/etc/shorewall# ls

Configuration

Change /etc/default/shorewall from

startup=0

to

startup=1

# vim /etc/default/shorewall

change the startup

53

Activate the firewall

do this

# /etc/init.d/shorewall start

watch your firewall

# iptables –nL | less