WEBVTT

00:00.960 --> 00:06.470
In the last lecture we discussed stateful firewalls and how they work.

00:07.680 --> 00:15.660
Let's go to the terminal and create a stateful firewall from scratch, which is very good for a desktop operating

00:15.660 --> 00:16.140
system.

00:16.560 --> 00:21.060
This is the kind of firewall I am using on my personal laptop.

00:21.240 --> 00:24.980
And I can see that I haven't had any problems in years.

00:26.370 --> 00:31.340
I'm going to create a bash script that contains all iptables rules.

00:37.050 --> 00:45.210
At the beginning of the script, I'm flushing the filter table of all chains: iptables -F.

00:47.180 --> 00:56.120
Then I allow loopback traffic. Always allow loopback traffic on the INPUT and OUTPUT chains: iptables

00:56.120 --> 01:07.740
-A INPUT -i lo, the incoming interface, -j ACCEPT, and the same for the OUTPUT chain.

01:08.840 --> 01:13.250
Now we have the outgoing interface, which is -o lo,

01:13.550 --> 01:15.470
-j ACCEPT.

01:17.360 --> 01:24.050
The loopback traffic is permitted; the rules until this point could be part of any firewall.

01:25.150 --> 01:32.380
I'm starting the stateful firewall part. As I said earlier, it's a good idea to drop INVALID packets on

01:32.380 --> 01:33.920
INPUT and OUTPUT.

01:34.870 --> 01:39.850
These are the packets that cannot be identified in any state.

01:41.220 --> 01:48.390
iptables -A INPUT -m state --state INVALID

01:49.790 --> 01:54.790
-j DROP, and the same for the OUTPUT chain.

01:57.860 --> 02:02.600
This kind of firewall is very good for a desktop operating system.

02:02.840 --> 02:09.270
This means that there are no services running, or no one connects to them from the outside.

02:09.530 --> 02:14.140
The host communicates to any destination and uses any protocol.

02:14.270 --> 02:19.730
So all outgoing traffic is permitted, but only the return traffic is allowed.

02:20.540 --> 02:28.460
This means that I should accept on the INPUT chain only the packets that are in the ESTABLISHED or RELATED

02:28.460 --> 02:29.030
states.

02:29.180 --> 02:37.220
This is the return traffic, and on the OUTPUT chain I'll allow packets that are in the NEW, ESTABLISHED and

02:37.220 --> 02:37.840
RELATED states.

02:39.140 --> 02:44.720
It means all traffic, including packets that initialize new connections.

02:45.640 --> 02:59.500
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT.

03:01.090 --> 03:10.360
Always write the state in uppercase letters. And the rule for the OUTPUT chain, for outgoing traffic: iptables

03:10.360 --> 03:17.230
-A OUTPUT -m state --state

03:18.010 --> 03:29.290
NEW, the packets that establish new connections, ESTABLISHED and RELATED, -j

03:29.290 --> 03:29.800
ACCEPT.

03:32.830 --> 03:40.150
And finally, I set the policy to DROP on the INPUT and OUTPUT chains; all traffic that was not previously

03:40.150 --> 03:41.830
permitted will be dropped.

03:43.440 --> 03:50.760
iptables -P INPUT DROP and iptables -P OUTPUT DROP.

03:53.030 --> 03:58.940
That's all. I'm saving the script, then making it executable and running it.

04:08.630 --> 04:13.280
Let's test outgoing traffic: ping 8.8.8.8.

04:16.590 --> 04:18.090
And ping is working.

04:19.830 --> 04:23.070
Let's test HTTP or HTTPS.

04:26.400 --> 04:35.550
It is working, and I also test SSH: I think I'm going to connect to Linux 2.

04:41.500 --> 04:43.480
And SSH is working.

04:44.780 --> 04:45.390
Perfect.

04:45.720 --> 04:55.430
Now let's test new incoming connections from Linux 2 to Linux 1: pinging the IP address of

04:55.430 --> 04:56.000
Linux 1.

04:57.400 --> 05:01.330
And ping is not working; packets are dropped on the INPUT chain.

05:03.610 --> 05:14.380
Let's test SSH. This is not working; all packets that initialise new connections are dropped on

05:14.380 --> 05:15.340
the INPUT chain.

05:17.070 --> 05:21.150
No new incoming connections are allowed and this is secure.

05:23.160 --> 05:24.690
Let's list the firewall.

05:27.260 --> 05:31.460
And we see packets dropped by the policy on the INPUT chain.

05:32.040 --> 05:36.020
There's also an invalid packet that has been dropped.

05:37.250 --> 05:43.790
This is very good. However, there are cases when we want to allow new incoming connections from

05:43.790 --> 05:51.290
a specific IP address or protocol. For example, we want to allow incoming SSH connections only from

05:51.290 --> 05:52.600
a management station.

05:52.760 --> 05:56.580
So from a given IP address. How could we do that?

05:57.290 --> 05:58.460
It's very simple.

05:58.760 --> 06:07.490
At the beginning of the script, we add a rule that permits incoming TCP packets which are in the NEW

06:07.490 --> 06:08.080
state,

06:08.090 --> 06:13.130
if the protocol is SSH and the source IP address is the given one.

06:14.440 --> 06:18.920
In the same script, somewhere at the beginning, I add a new rule.

06:19.930 --> 06:27.370
In fact, it doesn't matter where I add the rule, but it's better to be at the beginning because I

06:27.370 --> 06:29.500
want to permit the packet fast,

06:29.690 --> 06:32.920
not after many other rules have been checked.

06:34.100 --> 06:41.520
So iptables -A INPUT -p tcp --dport 22,

06:41.990 --> 06:46.350
and now the NEW state: -m state --state

06:46.350 --> 06:53.330
NEW, -s the given IP address, the IP address that is allowed,

06:53.750 --> 06:59.120
and it's Linux 2, -j ACCEPT.

07:00.770 --> 07:04.150
I'm saving the script and then test it again.

07:06.610 --> 07:16.710
I'm running the script, and from Linux 2 I'll try to connect using SSH to Linux 1, and now SSH

07:16.720 --> 07:17.530
is working.

07:25.490 --> 07:27.740
Let's list the firewall again.

07:29.960 --> 07:33.970
And we see there is one packet that has been accepted by the new rule.
