4 SuSE Live CD for Firewall
Specifications
Subsequent Treatment of Packets (Targets)
Once a packet has matched a rule, the rule must specify what is to be done
with it; this is the rule's "target". It is essential that all of the following
targets are written in UPPERCASE.
ACCEPT Let the packet through: it leaves this chain and passes to the next
control point in the diagram.
DROP Discard the packet silently, without generating any return message to
the sender. This is a good target for unwanted packets from remote hosts,
since the sender cannot even tell that a firewall is present.
LOG Write the packet's header data to the kernel log (syslog). LOG is a
non-terminating target: after logging, the packet continues with the next
rule in the chain, so a LOG rule must be followed by a DROP or REJECT rule
if the packet is to be discarded.
REJECT Discard the packet as with DROP, but send an error message back.
By default this is an "ICMP port unreachable" message, so the sender does
not have to wait for a time-out; the message type can be chosen with
--reject-with.
RETURN Stop processing the current chain. In a user-defined chain the
packet continues in the calling chain, after the rule that jumped to the
user-defined chain; in a built-in chain the chain's default policy (-P) is
applied.
QUEUE Hand the packet to a user-space process for further handling.
MASQUERADE Rewrite the source address to the current address of the
outgoing interface. This target is used to masquerade an Internet connection
whose address is assigned dynamically (dial-up, DHCP); for a fixed address,
SNAT is preferable.
REDIRECT Rewrite the destination address of the packet to an address of the
firewall itself, optionally with a different port (--to-ports). This is
mainly used with transparent proxies.
SNAT Changes the source address of the packet (--to-source).
DNAT Changes the destination address of the packet (--to-destination), for
example to forward a port to an internal server.
Some of these targets require additional parameters to be fully configured.
The address-rewriting targets (MASQUERADE, REDIRECT, SNAT, DNAT) are only
valid in the nat table (-t nat) and only in certain chains: SNAT and
MASQUERADE in POSTROUTING, DNAT and REDIRECT in PREROUTING and OUTPUT.
In case of doubt, refer to the man page for iptables (man 8 iptables).
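The following script is an added example that is not part of the SuSE manual or of the Firewall on CD product. It builds a small rule set that uses every target listed above once, and it shows the two points that are easy to get wrong: LOG must be followed by a terminating target, and the NAT targets belong in the nat table. Interface names (eth0, eth1, ppp0), the 192.168.1.0/24 network, the 203.0.113.10 public address, the web server 192.168.1.80 and the proxy port 3128 are all assumptions. By default the commands are only printed (dry run); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the SuSE manual. All addresses, interfaces and
# ports below are assumptions chosen for illustration.
set -e

WAN=${WAN:-eth0}                        # assumed external interface (fixed address)
LAN=${LAN:-eth1}                        # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed internal network
WAN_IP=${WAN_IP:-203.0.113.10}          # assumed fixed public address of the firewall
WEB_SERVER=${WEB_SERVER:-192.168.1.80}  # assumed internal web server
PROXY_PORT=${PROXY_PORT:-3128}          # assumed local transparent-proxy port

# Dry run unless IPT names a real iptables binary, so the script can be
# read and checked without root privileges.
ipt() {
    if [ -n "${IPT:-}" ]; then "$IPT" "$@"; else echo "iptables $*"; fi
}

fw_rules() {
    # ---- filter table: terminating and non-terminating targets ----
    # Default policies; this is what RETURN falls back to in a built-in chain.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LOG does not end rule traversal: the packet goes on to the next rule,
    # so the DROP that follows is what actually discards the telnet probe.
    ipt -A INPUT -i "$WAN" -p tcp --dport 23 -j LOG --log-prefix "telnet-probe: "
    ipt -A INPUT -i "$WAN" -p tcp --dport 23 -j DROP

    # REJECT answers the sender at once instead of letting it time out.
    ipt -A INPUT -i "$LAN" -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

    # User-defined chain: RETURN hands unmatched packets back to INPUT,
    # where the DROP policy then applies.
    ipt -N lan_in
    ipt -A lan_in -s "$LAN_NET" -j ACCEPT
    ipt -A lan_in -j RETURN
    ipt -A INPUT -i "$LAN" -j lan_in

    # ---- nat table: address-rewriting targets ----
    # SNAT for the interface with a fixed address, MASQUERADE for a dial-up
    # interface whose address changes with every connection.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    ipt -t nat -A POSTROUTING -o ppp0 -s "$LAN_NET" -j MASQUERADE

    # DNAT: publish the internal web server on the firewall's public address.
    # The FORWARD rule is still needed, because DNAT only rewrites the header.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT

    # REDIRECT: send LAN web traffic to the transparent proxy on this host.
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

# Count the rules that jump to a given target in the dry-run output.
count_target() {
    fw_rules | grep -c -- "-j $1" || true
}

fw_rules
```

In dry-run mode the quotes around the log prefix are not shown, so copy the rules from the script rather than from its output when applying them by hand.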
FreeS/WAN
All data sent over the Internet is routed through unknown computers and
networks. If the data is not encrypted, anybody along the way could read it.
Protection against Eavesdropping
There are several approaches to securing the data transfer between companies,
subsidiaries, or private persons. At the application layer, this can be achieved
with gpg, at the transport layer with SSL, and at the network layer with IPSec.
The advantage of an implementation at the network layer with IPSec is that
the encryption is transparent to the applications, which need not be changed
or even be aware of it. This way every access to
SuSE Linux – Firewall on CD (p. 121)