1
00:00:00,000 --> 00:00:17,760
Hey guys and welcome back. So what I want to talk to you about in this nugget right

2
00:00:17,760 --> 00:00:25,560
here is all around the concept of firewalls. Now the general user of a computer is pretty

3
00:00:25,559 --> 00:00:31,399
much familiar with the term firewall, but we as Linux engineers have to understand

4
00:00:31,399 --> 00:00:38,000
the very specifics of how firewalling is invoked within Linux, and as usual we have to understand

5
00:00:38,000 --> 00:00:43,840
some of the basic commands that we must know to be able to configure our firewall as well

6
00:00:43,840 --> 00:00:50,120
as the basic components that make up the firewall architecture. So with that said, how about

7
00:00:50,120 --> 00:00:55,239
we dig in and begin talking about them. So the first thing that I just want to point

8
00:00:55,240 --> 00:01:01,320
out straight away is that if you happen to be using a new computer or a new Linux machine

9
00:01:01,320 --> 00:01:07,760
should I say, you might actually be familiar with something called firewalld. Now all

10
00:01:07,760 --> 00:01:13,920
firewalld is, is the newer implementation of the firewall daemon that can be used to

11
00:01:13,920 --> 00:01:20,320
invoke this action to protect your network using a firewall, but for the purposes of the

12
00:01:20,319 --> 00:01:25,559
examination, like so often, we're actually not going to be focused on the newer technology;

13
00:01:25,559 --> 00:01:30,639
instead we're going to be focused on the older technology, and that happens to be something

14
00:01:30,639 --> 00:01:40,000
called iptables. Now iptables really can cause a lot of frustration for a lot of people;

15
00:01:40,000 --> 00:01:45,399
that is maybe due to the architecture of iptables, which can be a little bit intimidating if

16
00:01:45,400 --> 00:01:50,400
you do not understand all of the separate components and how those components actually

17
00:01:50,400 --> 00:01:55,800
relate together. The good news is that within this skill we're going to dig into

18
00:01:55,800 --> 00:02:00,680
those components and really try to make sense of it, so hopefully by the end of this, this

19
00:02:00,680 --> 00:02:06,080
should all be a lot clearer. Okay, so now we have the very basics about what we're going

20
00:02:06,080 --> 00:02:11,080
to do, let's talk a little bit about what a firewall actually is and what it actually

21
00:02:11,080 --> 00:02:17,880
provides for us, just in case you are a little bit unsure. Now really, at its core, firewalls

22
00:02:17,880 --> 00:02:24,760
are going to allow us to invoke some type of rules that can effectively control our network.

23
00:02:24,760 --> 00:02:29,840
Now what do I actually mean when I say control our network? Well, we're going to be able to specify

24
00:02:29,840 --> 00:02:35,960
particular things such as, for particular network traffic, should that traffic be allowed

25
00:02:36,040 --> 00:02:42,600
or should that particular traffic be denied. So maybe let's say you happen to have a web

26
00:02:42,600 --> 00:02:49,719
server on your network and you wanted to allow traffic to that network. Well, you could set

27
00:02:49,719 --> 00:02:54,840
up a particular rule within your firewall that means that if a particular IP packet comes

28
00:02:54,840 --> 00:03:01,240
in that is destined for the IP address of that particular server you want to allow it.

29
00:03:01,240 --> 00:03:07,400
However, let's maybe say some other packet comes in, some unknown packet that is not destined

30
00:03:07,400 --> 00:03:14,200
for that particular server. You might decide, hey, we don't actually want you; instead we are going to

31
00:03:14,200 --> 00:03:21,160
create a rule to deny that action, and the way we can actually specify those rules is again

32
00:03:21,160 --> 00:03:30,439
by using iptables. Now iptables does not just simply filter particular traffic, i.e. block traffic

33
00:03:30,439 --> 00:03:37,879
or forward traffic; it can also do other things, such as perform something called NAT. This is

34
00:03:37,879 --> 00:03:44,039
network address translation. Now this is a very important feature of iptables; in fact it is a

35
00:03:44,039 --> 00:03:49,800
very important part of the internet, at least in the IPv4 world, but for this skill right here we're

36
00:03:49,800 --> 00:03:57,639
not going to focus on this part too much. Another thing that iptables can also do: it can also

37
00:03:57,639 --> 00:04:04,359
not just block or forward packets, it can actually modify particular packets. So with that said, how

38
00:04:04,359 --> 00:04:11,559
about we try to demystify some of the complexities of the iptables architecture and begin looking at

39
00:04:11,559 --> 00:04:16,919
those individual components. So the very first thing that we have to understand here are the

40
00:04:16,919 --> 00:04:23,719
main components that comprise this architecture. So what we have here is we have something called

41
00:04:23,720 --> 00:04:32,760
tables, okay, that is the first component; the next thing is something called chains; and the third

42
00:04:32,760 --> 00:04:39,400
thing that is going to tie everything together is called rules. So we have our tables, we have our

43
00:04:39,400 --> 00:04:45,880
chains and we have our rules; each of these components is going to come together so that we can actually

44
00:04:45,880 --> 00:04:52,200
control our traffic. So the very first thing we shall actually talk about here is this concept

45
00:04:52,199 --> 00:04:59,000
of tables. So let's first talk about our tables then. Now in basic terms, really basic terms,

46
00:04:59,800 --> 00:05:06,599
all a table is going to do, it's going to specify what you want to do. So let's say you wanted to

47
00:05:06,599 --> 00:05:14,360
maybe filter particular traffic; that would be what you want to do. What if you wanted to modify

48
00:05:14,360 --> 00:05:19,959
particular traffic? These can be actually specified within particular tables. So the very first table

49
00:05:19,959 --> 00:05:28,039
we have is the filter table. So suppose you want to filter particular traffic; well, no surprises,

50
00:05:28,039 --> 00:05:35,000
it would be the filter table indeed that you would use. Now it should actually be noted that if we

51
00:05:35,000 --> 00:05:41,240
do not specify a particular table, the filter table is going to be the default table, so that will be

52
00:05:41,240 --> 00:05:48,599
the one that is assumed to be used, so try to remember that filter is the default. The second table

53
00:05:48,600 --> 00:05:56,680
we have is the NAT table, and this is, as we know, just as I said, relating to something called

54
00:05:56,680 --> 00:06:01,800
network address translation. Now again, you don't have to be too concerned about what network address

55
00:06:01,800 --> 00:06:07,320
translation is quite just yet, since we are going to talk about it very shortly, but just conceptualize

56
00:06:07,320 --> 00:06:13,640
in your mind that if you happen to be asked in a question what type of table would you use to

57
00:06:13,639 --> 00:06:20,279
perform the translating of network addresses, well, you know it would be the NAT table. And the third

58
00:06:20,279 --> 00:06:27,719
one is quite comically named, at least in my opinion; it's called the mangle table, which sounds

59
00:06:27,719 --> 00:06:35,000
way more violent than it has to be. All this relates to is the modification of particular packets.

60
00:06:35,000 --> 00:06:41,959
So if you want to modify the headers of a particular packet, you would do so using the mangle table, so

61
00:06:41,959 --> 00:06:46,759
maybe let's say you wanted to change something like, I don't know, the time-to-live value, something

62
00:06:46,759 --> 00:06:53,000
we've seen earlier on within this course. And these are the three main tables that you have to be

63
00:06:53,000 --> 00:06:59,319
concerned about. Now there are two more, but they're not quite so common; I will mention them just for

64
00:06:59,319 --> 00:07:07,000
posterity: we also have the raw table and we also have what's called the security table, but really

65
00:07:07,000 --> 00:07:12,839
for the purposes of the LPIC-2 examination, it is the first three tables that we want to be really

66
00:07:12,839 --> 00:07:18,600
focusing on. So like I say, these tables tell us what we want to do, whether we want to filter

67
00:07:18,600 --> 00:07:25,560
traffic or modify the IP headers of traffic or maybe invoke network address translation. Now we

68
00:07:25,560 --> 00:07:34,360
want to specify whereabouts in the path we actually want to invoke this behavior. So this

69
00:07:34,439 --> 00:07:40,680
might be a little bit confusing; let's say, imagine that we happen to have our router here, or our Linux

70
00:07:40,680 --> 00:07:48,199
server which is acting as a router, and we have an interface here; this could be, maybe say, eth0,

71
00:07:48,199 --> 00:07:56,199
and we have an interface here, this could be eth1, and we have some Ethernet connection connecting to

72
00:07:56,199 --> 00:08:00,840
another device here; this could be another server, and let's just maybe say we are also connected to

73
00:08:00,839 --> 00:08:10,759
another server. So this can be server Z, this can be server X, and we actually operate server Y. So

74
00:08:10,759 --> 00:08:18,120
let's imagine that server X was sending in a packet; okay, so the packet is coming this way, so really

75
00:08:18,120 --> 00:08:25,159
the packet is coming inbound on our eth0 interface; you see that it's coming into it, and then

76
00:08:25,160 --> 00:08:32,840
within our server we're going to process this particular traffic, and if we want to send it

77
00:08:32,840 --> 00:08:41,160
forward towards another machine, i.e. in this case machine Z, it would actually go outbound

78
00:08:41,160 --> 00:08:49,399
of eth1; you see that it comes in eth0 and it leaves eth1, so we could

79
00:08:49,399 --> 00:08:56,759
perform a particular action using a table, such as filtering this traffic, but the question is

80
00:08:56,759 --> 00:09:03,079
whereabouts would we want to perform this type of action? And this is where the second component

81
00:09:03,079 --> 00:09:09,720
comes in; this is going to be the chains component of the architecture. Now there are five different

82
00:09:09,720 --> 00:09:18,120
routing chains that we have to know about. The very first chain, this one is called the pre-routing chain;

83
00:09:18,120 --> 00:09:25,799
now this is before any route calculation is taken, so basically no decisions have been made yet.

84
00:09:26,440 --> 00:09:34,039
The next chain is called the input chain, and this chain is going to be invoked when a particular

85
00:09:34,039 --> 00:09:41,799
packet is destined for the local machine, so this machine right here. The next chain is called the

86
00:09:41,879 --> 00:09:49,159
forward chain; this is invoked when packets are routed to other networks or other devices,

87
00:09:49,159 --> 00:09:55,319
so basically when the packet is not destined for the local system, we want to forward that traffic.

88
00:09:55,959 --> 00:10:03,639
The next chain is the output chain; this is for packets going outbound. This could actually be

89
00:10:03,639 --> 00:10:09,240
locally generated packets, i.e. packets which were generated, meaning that they were sourced,

90
00:10:09,240 --> 00:10:15,720
from our server, or it can be packets passing through our server going outbound from our server,

91
00:10:16,440 --> 00:10:23,240
and the last one is known as the post-routing chain, and this is ultimately after the routing

92
00:10:23,240 --> 00:10:31,480
calculation. So we now know about tables, we now know about chains; the third component, the rules,

93
00:10:31,480 --> 00:10:38,279
so really the rules are going to tie in and pull together what we want to do via the tables

94
00:10:38,279 --> 00:10:45,639
and whereabouts we actually want to invoke this particular behavior. So if we want to construct

95
00:10:45,639 --> 00:10:52,600
a particular rule that is made up of particular tables referencing particular chains, we have to

96
00:10:52,600 --> 00:10:59,319
know which tables can be used with which chains, because as it transpires, not all tables and chains

97
00:10:59,319 --> 00:11:05,079
can be used together. So let's briefly talk about which tables and chains can be used together, and

98
00:11:05,080 --> 00:11:12,040
then begin discussing the path order for particular types of traffic. If we happen to be using the

99
00:11:12,040 --> 00:11:21,800
filter table, that can be used with the input chain and the forward chain as well as the output chain,

100
00:11:22,440 --> 00:11:30,280
whereas if we happen to be using the NAT table, that can use the pre-routing chain

101
00:11:30,279 --> 00:11:37,159
as well as the output chain and the post-routing chain. And then if we are talking about our

102
00:11:38,199 --> 00:11:44,120
mangle table, well, the mangle table can use all the chains: it can use the pre-routing chain,

103
00:11:44,120 --> 00:11:51,879
it can use the input as well as the forward, output, as well as the post-routing chain. So the

104
00:11:51,879 --> 00:11:58,759
modification of packets can basically happen absolutely anywhere, whereas filtering as well as

105
00:11:58,759 --> 00:12:04,519
the invocation of network address translation happen to be a little bit more specific about

106
00:12:04,519 --> 00:12:11,159
where they can be invoked. So let's talk about some very simple traffic examples. So imagine we have

107
00:12:11,159 --> 00:12:18,519
our little router here; this can be our local server. Now let's imagine that a packet comes in

108
00:12:19,319 --> 00:12:25,159
to our device, and in fact let me give my device an IP address; such as, imagine this was called

109
00:12:25,159 --> 00:12:34,519
1011. If the actual packet here which is coming in, if that has a destination IP address of 10111,

110
00:12:34,519 --> 00:12:42,199
i.e. its final endpoint is destined for our particular server here, the path order is going to be,

111
00:12:42,919 --> 00:12:50,439
in fact let me just write this up here, destined for local, the actual path order of the chains

112
00:12:50,440 --> 00:12:58,120
would be the pre-routing chain and then the input chain, because as it comes in it's going to invoke

113
00:12:58,120 --> 00:13:05,320
the pre-routing chain before any routing calculations have happened; then once we determine that this

114
00:13:05,320 --> 00:13:12,120
packet is destined for our local machine, see, here's the packet here going for our local machine,

115
00:13:12,760 --> 00:13:18,760
we don't want to forward that traffic, we're just going to accept it via the input chain. You see that?

116
00:13:19,720 --> 00:13:27,399
Whereas if I clear the screen, let's imagine we had our server once again, a little Linux server,

117
00:13:27,399 --> 00:13:33,799
and we had a packet coming in, and again let's keep our same IP address of 10111.

118
00:13:34,679 --> 00:13:42,600
Let's just maybe say this packet was somehow destined for 8.8.8.8. Well, that is not our local

119
00:13:42,600 --> 00:13:49,960
network, therefore we would be expected to pass this on to another device along the way to its

120
00:13:49,960 --> 00:13:58,279
final destination of 8.8.8.8. So this time we want to forward that traffic, so again I'll just say, when

121
00:13:58,279 --> 00:14:06,519
it's destined for another machine, the actual path this time would be to use the pre-routing chain, of

122
00:14:06,519 --> 00:14:13,639
course, as it comes in before any routing decision is made; we make the determination that this address

123
00:14:13,639 --> 00:14:21,240
is not our local address; in fact it is on a remote network and has to be forwarded, so therefore we

124
00:14:21,240 --> 00:14:29,559
invoke the forward chain, and then as it's going out we invoke the post-routing chain. Now the other

125
00:14:29,559 --> 00:14:37,159
example I would like to give is, let's say that we have our local server once again, and we can keep

126
00:14:37,159 --> 00:14:45,799
the same IP address of 10111. Let's say that traffic does not actually come into us; instead, what if we

127
00:14:45,799 --> 00:14:52,359
happen to be the originator of that traffic, i.e. we are the source, the one who started and generated

128
00:14:52,359 --> 00:14:59,079
the packet. So it doesn't come into us; instead it's just generated by us and we send it out to

129
00:14:59,080 --> 00:15:06,200
another device. Well, if this is locally generated, the actual chain that we're going to invoke, it's

130
00:15:06,200 --> 00:15:14,440
going to actually start with the output chain and then the post-routing chain. So notice now, because

131
00:15:14,440 --> 00:15:21,720
the packet was generated by us locally, it did not come into us; by virtue of it not coming into us,

132
00:15:21,720 --> 00:15:29,399
we're not going to invoke the pre-routing chain. And if the packet is destined for us locally, i.e. we

133
00:15:29,399 --> 00:15:36,200
don't have to send it to anyone else, we are not going to invoke the post-routing chain. And if the

134
00:15:36,200 --> 00:15:43,320
packet is destined for us locally, we will invoke the input chain, whereas if it's destined for another

135
00:15:43,320 --> 00:15:50,040
machine, we will invoke the forward chain. So this is some of the basic architecture that we have to

136
00:15:50,039 --> 00:15:56,919
understand with respect to iptables and our firewalling. Like I say, we have our tables, we have

137
00:15:56,919 --> 00:16:03,000
our chains and we have our rules. Now there is some more information that we have to actually understand

138
00:16:03,000 --> 00:16:07,959
with respect to our firewalling when writing our rules, and well, that's what we're going to be talking

139
00:16:07,960 --> 00:16:13,879
about in the very next nuggets. I hope it's been informative for you, and I'd like to thank you for viewing.

