May 10, 2016

What are the advantages and disadvantages of firewalls with iptables?

Answer to the question

To answer this question, you need to know the details of a firewall and what it can do.

Check this tutorial to see what a firewall like iptables can do.

Linux iptables firewall

You also need to know that most modern firewalls are built on top of iptables, so it's the mother of modern firewalls.

Good luck.

Like  (0 likes)

Answer to the question

To make it clear for everyone: Iptables is a standard firewall included in most Linux distributions by default (a modern variant called nftables will begin to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the networking interface against a set of rules to decide what to do.

Like  (0 likes)

Answer to the question


<p>Iptables is a generic table structure that defines rules and commands as part of the netfilter framework that facilitates Network Address Translation (NAT), packet filtering, and packet mangling in the Linux 2.4 and later operating systems. (Margaret, 2005)</p>

<p>To describe it briefly, Iptables is an interface for typing commands directly on the computer’s operating system, utilising the firewall policy chains which either accept or reject the traffic. Whenever a connection is established on the system, Iptables finds the ideal rule to match, and if no rule matches, the default action is performed. Iptables comes almost inbuilt on any Linux distribution. To install the Iptables package, the following command is given.</p>


<p><strong>Advantages</strong></p>

<ul>
<li>The connection-tracking characteristic of IP Tables is advantageous in that it can be utilized to limit TCP hijacking for non-IP-masqueraded clients with bad TCP sequence-number randomization, such as Windows systems, some IBM system configurations, and various older systems. Equivalently, this functionality can be helpful to block UDP packet hijacking, which shields against attackers injecting bogus ICMP packets for cracking and penetrating.</li>
<li>Matching packets is now possible on the basis of MAC address, local UID, Time to Live (TTL), or the rate at which a class of packets is being sent. These allow improved detection and rejection of intruders who try to inject unwanted packets or scan a system for their personal gain.</li>
<li>In most organisations, incoming packets initiating TCP connections to servers are randomly distributed among various servers to share the load. With the help of IP Tables, one can figure out much more easily why a packet was logged, by specifying a text string to precede the logged message.</li>
<li>IP Tables is competent to redirect packets as IP Chains does; along with this, it also has an established DNAT component that accepts arbitrary manipulation of the destination IP address and port number. Therefore, one can actually camouflage the positions of packets of a provided service. This has uses all around, from Honey Pots and Tarpits to implementing the utilization of a given intermediary server for web reserving.</li>
</ul>

<p><strong>Disadvantages</strong></p>

<ul>
<li>The "-l" flag from IP Chains is now gone from the objective determined by "-j". To elaborate further, for logging there were two rules: one to match &amp; LOG and a second to match &amp; DROP. The disadvantage of this “-l” flag is that it cannot log the rule number which initiated the logging.</li>
<li>Packets being routed through the system pass only via the FORWARD and NAT chains and not via either of the INPUT or OUTPUT chains. Thus a different set of rules was introduced for packets sent and received by the firewall itself from those that are being forwarded.</li>
<li>IP proxying or masquerading (NAT) for distinct applications is not supported in IP Tables, whereas it was supported in IP Chains. These include games &amp; services like Quake, Unreal Tournament, Real Audio and ICQ.</li>
<li>The case of IP Chains' default chains was edited (from lower-case to upper-case).</li>
</ul>

<p>&nbsp;"If I had a packet with this protocol, source and destination IP, and ports, and these choice, would it be accepted, denied, or rejected?"This command no longer exists in IP Tables on the contrary this "-C" command in IP Chains was allowed.</p>

Like  (2 likes)
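A complete ruleset that puts the points from the answers above into practice, as an added example (not code from the original thread; the interface names eth0/eth1 and the internal server 192.168.10.20 are constructed): a default DROP action per chain, conntrack state matching, routed traffic handled in FORWARD rather than INPUT/OUTPUT, a DNAT rule, and the two-rule LOG-then-DROP pattern with a --log-prefix text string so that logged drops are easy to find.

```shell
#!/bin/sh
# Prints an iptables-restore ruleset for a small gateway (interfaces and the
# internal web server address are hypothetical, passed in as arguments).
# It shows the points raised above: a default DROP action per chain, conntrack
# state matching, routed traffic handled in FORWARD, a DNAT rule, and the
# two-rule LOG-then-DROP pattern with a --log-prefix text string.
gen_ruleset() {
  wan="$1"; lan="$2"; web="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH sessions only from the LAN, rate-limited against brute forcing
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min -j ACCEPT
# routed packets never traverse INPUT/OUTPUT; allow LAN->WAN, replies, and the published web port
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $web --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# LOG is non-terminating, so the DROP must come right after it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
-A INPUT -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT-FWD-DROP: " --log-level 4
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# publish the internal web server on the gateway's WAN port 80
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Checks a ruleset on stdin: every catch-all "-A CHAIN -j DROP" must be
# preceded by a LOG rule in the same chain, otherwise drops are silent.
check_log_before_drop() {
  awk '/^-A [A-Z]+ .*-j LOG/ { seen[$2] = 1 }
       /^-A [A-Z]+ -j DROP$/ { if (!seen[$2]) bad = 1 }
       END { exit bad ? 1 : 0 }'
}

# usage: gen_ruleset eth0 eth1 192.168.10.20 | check_log_before_drop && \
#        gen_ruleset eth0 eth1 192.168.10.20 | sudo iptables-restore
```

Lines starting with `#` are ignored by iptables-restore, so the commented ruleset loads as-is; the rate limit on the LOG rules keeps a flood of dropped packets from filling the kernel log.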