Firewall casero
DESCRIPTION
Slides from the workshop "Firewall Casero con Software Libre" (Home Firewall with Free Software), presented during the activities of the 1st ISC New Technologies Congress at the Instituto Tecnológico Superior de Villa La Venta, Huimanguillo, Tabasco, on 20 October 2011.
TRANSCRIPT
BASIC NETWORK SECURITY "HOME FIREWALL"
Remigio Salvador Sánchez
"The greatest generosity is not becoming attached to things or people."
Contents
– Before starting...
– DHCP server
– IPTables
– SQUID
– Questions
The problem posed is that of configuring an Internet connection in a local area network (LAN) environment, through which all the computers on the network (hosts) connect via a server, which in turn performs the security functions (firewall).
We need...
– A computer to act as the server, with two 10/100 Mbps Ethernet network cards and a GNU/Linux operating system (preferably the Fedora distribution)
– A network of computers that we are allowed to take apart
– A contracted Internet connection through an ADSL modem
– A small hub or switch
– Basic networking knowledge
– Basic Linux knowledge
– A lot of patience
Let's begin...
BEFORE STARTING...
Disable SELinux
– vi /etc/selinux/config
Stop unnecessary services
– chkconfig ip6tables off
– chkconfig sendmail off
– chkconfig netfs off
Configure our hostname
– vi /etc/sysconfig/network
Configure the network
Configure the network cards (eth0 and p1p1)
– eth0: the card that comes from our modem (dynamic IP)
– p1p1: the card that connects to the switch (bridge) (static IP 192.168.0.1)
less /etc/sysconfig/network-scripts/ifcfg-INTERNET
less /etc/sysconfig/network-scripts/ifcfg-LAN
Enable at boot: chkconfig network on
service network restart
Configure the network
Activating the router: enable the forwarding bit
– vi /etc/sysctl.conf
Run sysctl -p so the change takes effect immediately
IPTABLES
```shell
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
service iptables save
chkconfig iptables on
```
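The rules on this slide leave all three default policies at ACCEPT, so the server routes but does not yet filter anything: the only rule is the MASQUERADE. The script below is an added example, not code from the slides. It keeps the slides' interface names (eth0 towards the modem, p1p1 towards the switch) and LAN subnet, persists the forwarding bit in /etc/sysctl.conf instead of editing it by hand, and sets the FORWARD policy to DROP with explicit rules for LAN-to-Internet traffic and its replies. The `ipt` wrapper, the `DRY_RUN` variable and the `apply` argument are conventions of this example.

```shell
#!/bin/bash
# Added example (not from the slides): a filtering version of the slides' iptables
# block for the two-NIC router. Interface names and LAN subnet are the slides' own:
# eth0 faces the modem (dynamic address), p1p1 faces the switch (192.168.0.1/24).
# The ipt wrapper, DRY_RUN and the "apply" argument are conventions of this example.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-p1p1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Persist the forwarding bit (the slides edit /etc/sysctl.conf by hand, then run sysctl -p).
enable_forwarding() {
    local conf="${1:-/etc/sysctl.conf}"
    if grep -q '^net.ipv4.ip_forward' "$conf" 2>/dev/null; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
    [ "${DRY_RUN:-0}" = "1" ] || sysctl -p "$conf"
}

firewall_rules() {
    # Start from empty tables, as the slides do.
    ipt -F
    ipt -t nat -F
    # The slides set FORWARD to ACCEPT; here nothing crosses the router unless a rule allows it.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    # Return traffic for connections the LAN already opened.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN side out towards the modem.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Hide the LAN behind the modem-side address; -o keeps NAT off the LAN interface.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# "./firewall.sh apply" as root applies and saves the rules; without the
# argument the script only defines the functions (source it, then review with DRY_RUN=1).
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    firewall_rules
    service iptables save
fi
```

Review the rule set first with `DRY_RUN=1 firewall_rules` after sourcing the file; INPUT is left at ACCEPT as on the slides because the same box serves DHCP and Squid to the LAN, so restricting INPUT on eth0 is the natural next step once the basics work.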
DHCP
yum install dhcp -y
Configuration file:
– vi /etc/dhcp/dhcpd.conf
DHCP
```shell
authoritative;
ddns-update-style none;
deny client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.120;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "pandora.com";
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option routers 192.168.0.1;
    # The slide read "domain-name-server" without the final "s" and without the
    # closing semicolon; dhcpd rejects both.
    option domain-name-servers 192.168.1.254;
    option time-offset -18000;
}
```
DHCP
/etc/sysconfig/dhcpd: the configuration must be left like this:
DHCPDARGS="p1p1"
service dhcpd restart
tail -100 /var/log/messages
chkconfig dhcpd on
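The dhcpd.conf on the slides is typed by hand and then checked only by reading /var/log/messages after a restart. The script below is an added example (not the author's code): before writing the file it checks that the lease pool and the router address lie inside the declared subnet, that the pool is not reversed, and that the router's own address cannot be handed out as a lease; it then renders the file with the slides' values, computing the broadcast address from the mask. The helper names and the `write` argument are conventions of this example.

```shell
#!/bin/bash
# Added example, not from the slides: check the addressing of the dhcpd.conf shown on
# the slides before writing it, then render the file. Subnet, pool, router and DNS
# values are the slides' own; the helper functions and the "write" argument are
# conventions of this example.

# Dotted-quad IPv4 address to integer, and back.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# True when address $1 lies inside network $2 with netmask $3.
in_subnet() {
    local a n m
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# Usage: dhcp_pool_ok NETWORK NETMASK RANGE_START RANGE_END ROUTER
# Fails (return 1, message on stderr) when the pool or the router is outside the
# subnet, the pool is reversed, or the router's own address could be leased out.
dhcp_pool_ok() {
    local net=$1 mask=$2 lo=$3 hi=$4 gw=$5 ilo ihi igw
    in_subnet "$lo" "$net" "$mask" || { echo "range start $lo is outside $net" >&2; return 1; }
    in_subnet "$hi" "$net" "$mask" || { echo "range end $hi is outside $net" >&2; return 1; }
    in_subnet "$gw" "$net" "$mask" || { echo "router $gw is outside $net" >&2; return 1; }
    ilo=$(ip2int "$lo"); ihi=$(ip2int "$hi"); igw=$(ip2int "$gw")
    [ "$ilo" -le "$ihi" ] || { echo "range $lo-$hi is reversed" >&2; return 1; }
    if [ "$igw" -ge "$ilo" ] && [ "$igw" -le "$ihi" ]; then
        echo "router $gw lies inside the lease pool" >&2; return 1
    fi
    return 0
}

# Render dhcpd.conf to stdout with the slides' fixed options.
render_dhcpd_conf() {
    local net=$1 mask=$2 lo=$3 hi=$4 gw=$5 dns=$6 bcast
    # Broadcast address = network | ~mask, computed rather than typed by hand.
    bcast=$(int2ip $(( $(ip2int "$net") | (~$(ip2int "$mask") & 4294967295) )))
    cat <<EOF
authoritative;
ddns-update-style none;
deny client-updates;

subnet $net netmask $mask {
    range $lo $hi;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "pandora.com";
    option subnet-mask $mask;
    option broadcast-address $bcast;
    option routers $gw;
    option domain-name-servers $dns;
    option time-offset -18000;
}
EOF
}

# "./dhcp.sh write" as root validates and writes the file; without the argument
# the script only defines the functions.
if [ "${1:-}" = "write" ]; then
    dhcp_pool_ok 192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.120 192.168.0.1 || exit 1
    render_dhcpd_conf 192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.120 192.168.0.1 192.168.1.254 \
        > /etc/dhcp/dhcpd.conf
fi
```

The DNS server (192.168.1.254) is deliberately not checked against the LAN subnet: on the slides it is the modem-side address, which clients reach through the NAT, so only the pool and the router are required to be local.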
SQUID
yum install squid -y
vi /etc/squid/squid.conf
```shell
visible_hostname proxy.pandora.com
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Blocklists: one regular expression per line in each file. The slide gave no ACL
# type for the second file; url_regex (case-insensitive) is assumed here.
acl url_denegadas url_regex "/etc/squid/PNP"
acl url_denegadas url_regex -i "/etc/squid/exts"
# Order matters: http_access rules are evaluated top to bottom and the first match wins.
# The slide had an invalid "http_access accept all" at the top of this list, which
# Squid does not parse and which would have allowed everything before the deny rules;
# it is removed and the blocklist deny is placed before the localnet allow.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny url_denegadas
http_access allow localnet
http_access allow localhost
http_access deny all
#http_port 3128
http_port 192.168.0.1:3128 transparent
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
```
touch /etc/squid/PNP
vi /etc/squid/PNP
touch /etc/squid/exts
vi /etc/squid/exts
SQUID
```shell
service squid restart
chkconfig squid on
# Redirect LAN web traffic into the transparent proxy. The slide used -i eth1, an
# interface this setup does not have; the LAN card named earlier on the slides is p1p1.
iptables -t nat -A PREROUTING -i p1p1 -p tcp --dport 80 -j REDIRECT --to-port 3128
service iptables save
tail /var/log/squid/access.log
tail /var/log/messages
```
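The slides create /etc/squid/PNP and /etc/squid/exts empty and then tail access.log by eye. The script below is an added example, not code from the slides: it fills both pattern files in the syntax the url_regex ACL expects, and it summarises TCP_DENIED entries in Squid's native access.log format per client and per blocked download type, which is what a quick review of the blocklist's effect needs. The hosts, patterns and log lines are constructed samples; the function names are conventions of this example.

```shell
#!/bin/bash
# Added example, not from the slides: populate the two pattern files that the
# squid.conf on the slides references (/etc/squid/PNP and /etc/squid/exts) and
# summarise TCP_DENIED entries from Squid's native access.log, the file the slides
# tail after enabling the proxy. Hosts, patterns and log lines are constructed samples.

# One regular expression per line, as the url_regex ACL expects.
write_blocklists() {
    local dir="${1:-/etc/squid}"
    # PNP: sites that may not be reached through the proxy (constructed hosts)
    printf '%s\n' 'social\.example\.invalid' 'games\.example\.invalid' > "$dir/PNP"
    # exts: downloads to block, matched at the end of the path or just before a query string
    printf '%s\n' '\.exe($|\?)' '\.msi($|\?)' '\.scr($|\?)' > "$dir/exts"
}

# Native log fields: time elapsed client code/status bytes method URL ident hierarchy type
# Print "count client" for denied requests, busiest client first.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Count denied requests whose URL matches an extended regex.
# Pass patterns without backslashes (awk -v rewrites escape sequences); use [.] for a literal dot.
denied_matching() {
    awk -v re="$2" '$4 ~ /^TCP_DENIED\// && $7 ~ re { n++ } END { print n + 0 }' "$1"
}

# Constructed sample of Squid's native access.log format (addresses from the slides' LAN).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1319120001.101     12 192.168.0.105 TCP_MISS/200 5120 GET http://docs.example.invalid/ - DIRECT/203.0.113.10 text/html
1319120002.202      3 192.168.0.105 TCP_DENIED/403 3868 GET http://dl.example.invalid/setup.exe - NONE/- text/html
1319120003.303      2 192.168.0.110 TCP_DENIED/403 3868 GET http://social.example.invalid/ - NONE/- text/html
1319120004.404      4 192.168.0.105 TCP_DENIED/403 3868 GET http://dl.example.invalid/tool.msi?x=1 - NONE/- text/html
1319120005.505     40 192.168.0.110 TCP_MISS/200 8000 GET http://docs.example.invalid/guide - DIRECT/203.0.113.10 text/html
EOF

# Example run: which clients hit the blocklist, and how many blocked downloads there were.
denied_by_client "$SAMPLE_LOG"
denied_matching "$SAMPLE_LOG" '[.](exe|msi|scr)([?]|$)'
```

Point the two functions at /var/log/squid/access.log on the real server; a client that shows up repeatedly in `denied_by_client` is either a user who keeps retrying or a program on that host fetching blocked content on its own, and either is worth a look.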
QUESTIONS
Questions / Doubts / Comments
[email protected]
@remitos
http://vkn-side.blogspot.com
http://www.slideshare.net/remitos
Dedicated to my family and friends
Thanks to the organizers for the facilities, and to you for your attention