Chapter 18. Firewalls

Method: Proxy (table row continued from the previous page; the beginning of the description and of the first advantage and disadvantage is not on this page)

Description: ... clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.

Advantages:
· ... applications and protocols function outside of the LAN
· Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption.
· Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network.

Disadvantages:
· ... restricted (most proxies work with TCP-connected services only)
· Application services cannot run behind a proxy, so your application servers must use a separate form of network security.
· Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service.

Table 18.1. Firewall Types

18.1. Netfilter and IPTables

The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled using the iptables tool.

18.1.1. IPTables Overview

The power and flexibility of Netfilter is exposed through the iptables administration tool, a command line tool similar in syntax to its predecessor, ipchains.

A similar syntax does not mean a similar implementation, however. ipchains requires intricate rule sets for: filtering source paths; filtering destination paths; and filtering both source and destination connection ports.

By contrast, iptables uses the Netfilter subsystem to enhance network connection tracking, inspection, and processing.
iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

This section provides an overview of iptables.

18.2. Basic Firewall Configuration

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer.

In a default Red Hat Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
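The script below is an added example, not code from the Red Hat guide. It puts the Netfilter facilities named in Section 18.1 (stateful filtering, logging, PREROUTING and POSTROUTING NAT, port forwarding and header mangling) together into the kind of basic perimeter firewall Section 18.2 recommends for an Internet-connected system. The interface names (eth0, eth1), the LAN range 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions and can be overridden through the environment; DRY_RUN=1 prints the iptables commands instead of running them, so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example: a small stateful perimeter firewall built with iptables.
# Not code from the Red Hat guide. Assumed (hypothetical) layout:
#   WAN_IF     external interface facing the Internet
#   LAN_IF     internal interface
#   LAN_NET    internal client network
#   WEB_SERVER internal host that should receive inbound HTTP from the Internet
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}

# Wrapper: print or execute an iptables command depending on DRY_RUN.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Flush the three tables this script manages: filter (default), nat, mangle.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F

    # Default-deny for traffic to and through this host; the host's own
    # outbound traffic is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateful part: connection tracking decides what is a reply to an
    # allowed connection (ESTABLISHED) or related to one, such as FTP data
    # or ICMP errors (RELATED). Packets that match no known connection are
    # INVALID and are dropped before any port-based rule could accept them.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # The only NEW connections the host itself accepts: SSH from the LAN side.
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Logging: record what the INPUT policy is about to drop, rate-limited so
    # a flood cannot fill the logs. LOG is non-terminating; the DROP policy
    # still applies afterwards.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "

    # Forwarding: LAN clients out to the Internet, and replies back to them.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port forwarding: rewrite the destination of inbound TCP/80 on the WAN
    # side before routing (nat/PREROUTING, DNAT), then explicitly allow the
    # rewritten packets through FORWARD. DNAT alone does not open the path.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # IP masquerading: after routing (nat/POSTROUTING), replace the LAN source
    # address with whatever address the WAN interface currently has.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Header mangling: tag SSH packets with a firewall mark that policy routing
    # (ip rule ... fwmark 0x1) could use to send them out a different path.
    ipt -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x1
}

# Usage: "sh firewall.sh show" prints the rules, "sh firewall.sh apply" loads
# them (requires root). Without an argument the script only defines functions.
case "${1:-}" in
    apply) apply_firewall ;;
    show)  DRY_RUN=1 apply_firewall ;;
esac
```

Rules loaded this way live only in the running kernel; on Red Hat Enterprise Linux, "service iptables save" writes them to /etc/sysconfig/iptables so the iptables service restores them at boot. Rule order matters: the ESTABLISHED,RELATED rule sits near the top so that return traffic never has to be enumerated by port, and the LOG rule sits last so that it records only what the default policy is about to drop.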