In this lesson we show how Linux iptables processes packets outbound to the Internet on the outer firewall. Any packet outbound to the Internet will be sent in from the demilitarized subnet to eth1, the inner-facing interface of the outer firewall, which we configure with the gateway address 192.168.10.1. If we would like to block a machine in the intranet with the IP address 10.1.2.3 from sending out any packet to the Internet, we can insert an iptables rule into the FORWARD chain of the outer firewall with the classifier -s 10.1.2.3 and the action -j REJECT. As shown in the middle of this viewgraph, a packet coming from that machine will then be blocked, and an ICMP error packet is sent back. Remember that security policy number three tries to restrict certain intranet subnets from connecting to the Internet. Here we are just showing you how to use iptables rules; to implement that security policy, we simply replace the argument of the -s option with the specific intranet subnet address. For all intranet traffic that goes to the Internet, we insert an iptables rule into the POSTROUTING chain with the classifier -o eth0, which matches any traffic trying to go out to the Internet through the eth0 interface, and with the action -j MASQUERADE. MASQUERADE specifies an operation called SNAT, source network address and port translation. It substitutes the source IP address, typically one of the private LAN addresses in our system configuration, with one of the shared public IP addresses, for example one of 128.198.60.11 to 128.198.60.14, those four IP addresses, and potentially with a different port number. It also inserts an IP address and TCP port translation entry into a mapping table maintained in the outer firewall, so that the future return traffic, or further outbound traffic of the same session, can be translated. For example, a packet with source IP address 10.0.1.2, TCP source port 2000, and TCP destination port 80 will have its source IP modified to 128.198.60.13; .13 is used as the outgoing public IP address.
And the source port will be chosen by the system [INAUDIBLE]. When the HTTP response message comes back from the web server, its destination address will be translated back, through a mapping table lookup, to 10.0.1.2 and destination port 2000, the original port, and sent back to the inside, based on the mapping table entries saved in the outer firewall. Note that another packet with source IP address 192.168.10.3 and the same TCP source port, 2000, may be assigned by MASQUERADE the same source IP address, 128.198.60.13, but here the port number will be assigned as 4444; the previous port 3333 has been reclaimed once that session terminated. To protect traffic to the servers inside the outer firewall, an incoming packet will first go through DNAT translation, similar to before. Here we assume the management server is running on port 8000. In the outer firewall, the iptables rule will perform the NAT translation by modifying the destination IP address from 128.198.60.11, which is specifically assigned to the outer firewall, to 192.168.10.1. The routing module then routes the packet upward to the application layer. Packets sent upward to the local processes are examined by the iptables rules in the INPUT chain, not the FORWARD chain. Here we insert two iptables rules into the INPUT chain. One drops packets incoming from any machine in the Internet except 138.169.6.1, which is perhaps the system administrator's home IP address. The other rejects all packets except the one from the intranet machine 10.0.1.2; note that here we use the negation operator in the -s source IP address option, and that address may be the system administrator's office. Once all the iptables rules in the INPUT chain are processed, the packet is handed over to the corresponding local process based on the port number. Note that here we may want to open additional connections to certain machines in the Internet so that we can bring in service patches.
Here we show that the outgoing packets from local processes of the outer firewall can also be regulated by inserting iptables rules to guard against their final destinations. Perhaps the violations should be logged: try adding rules like -j LOG --log-prefix "violation access rule" before the REJECT and DROP rules.
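To make the MASQUERADE mapping table and the negated -s matches in the INPUT chain concrete, here is an added simulation in Python; it is not the lecture's code or a real iptables configuration. The NatTable class, walk_chain, the rule tuples, the log prefixes and the administrator address 138.169.6.1 are constructed for illustration, following the lecture's example addresses and its advice to put a LOG rule before each terminating rule.

```python
import ipaddress
from itertools import count
# Constructed example (not the lecture's code); addresses follow its figures.
PUBLIC_IP = "128.198.60.13"          # the shared public address chosen for SNAT

class NatTable:
    def __init__(self, public_ip=PUBLIC_IP, first_port=3333):
        self.public_ip, self.first_port = public_ip, first_port
        self.out, self.back = {}, {}  # (ip, port) -> pub port; pub port -> (ip, port)

    def outbound(self, src_ip, src_port):
        """Rewrite a private source to the public address plus a free port."""
        key = (src_ip, src_port)
        if key not in self.out:       # new session: take the lowest unused port
            port = next(p for p in count(self.first_port) if p not in self.back)
            self.out[key], self.back[port] = port, key
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        # Reverse lookup for a reply; None means no session, so it is dropped.
        return self.back.get(dst_port)

    def close(self, src_ip, src_port):
        # Session ended: reclaim the public port so a later session can reuse it.
        del self.back[self.out.pop((src_ip, src_port))]

def walk_chain(rules, iface, src_ip, policy="ACCEPT"):
    """Evaluate (in_iface, src_cidr, negate_src, target, log_prefix) rules in
    order, the way iptables walks a chain; return (verdict, log lines)."""
    logs = []
    for in_iface, cidr, negate, target, prefix in rules:
        if in_iface != iface:
            continue
        matched = ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
        if matched == negate:         # '! -s' flips the sense of the match
            continue
        if target == "LOG":           # LOG records and falls through to the next rule
            logs.append(f"{prefix}IN={iface} SRC={src_ip}")
            continue
        return target, logs
    return policy, logs

# INPUT chain from the lecture: drop Internet-side (eth0) packets unless from the
# admin's home address, reject intranet-side (eth1) ones unless from 10.0.1.2.
INPUT_RULES = [
    ("eth0", "138.169.6.1/32", True, "LOG", "violation-access-rule-1: "),
    ("eth0", "138.169.6.1/32", True, "DROP", ""),
    ("eth1", "10.0.1.2/32", True, "LOG", "violation-access-rule-2: "),
    ("eth1", "10.0.1.2/32", True, "REJECT", ""),
]
```

Port allocation here is simply the lowest unused port above 3333; a real kernel picks ports differently, but the reclaim-and-reuse behaviour is the point the lecture makes.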