Understanding NAT and Firewalls
Author: Strife
What Is NAT?
NAT (Network Address Translation) is a method that allows devices on a local network to access the internet using a single public IP address.
Here’s how it works:
- When a device in your local network sends a request to the internet, your router replaces the device’s private IP with its own public IP.
- When the reply comes back, the router translates it back and sends it to the original device.
This process makes it look like all your local devices are using one IP — the router’s.
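The translation table the router keeps is easiest to see in code. The toy below is an added example (not from the original article) that models the two steps just described for TCP flows: an outbound packet gets its private source rewritten to the router's public address and a fresh port, and an inbound packet is delivered only if it matches an entry created by an earlier outbound packet. All addresses are constructed test values; the `syn` flag stands in for the TCP SYN bit so the toy can also refuse a "new" flow that does not start with a SYN.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag: set on the first packet of a new flow


class NatRouter:
    """Toy NAT: one public IP shared by all hosts behind it (TCP only)."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private src ip, src port, dst ip, dst port) -> public port used outside
        self.table: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> internet: rewrite the source; None means the packet is dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            if not pkt.syn:
                # A flow we have never seen must begin with SYN, like the
                # "-p tcp ! --syn -m state --state NEW -j DROP" rule does.
                return None
            pub_port = self.next_port
            self.next_port += 1
            self.table[key] = pub_port
            self.reverse[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: map the reply back; None means unsolicited, dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # no table entry: nobody inside asked for this
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])
```

The `None` result on an unmatched inbound packet is the reason a plain NAT router already hides internal hosts from unsolicited connections, although, as the rest of the article explains, it is not a substitute for a real firewall.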
Hardware NAT
The most common NAT hardware is a router. Home and small business networks typically use routers for NAT. Most routers today run a lightweight version of Linux and come with a simple web interface.
To set up a basic home router:
- Plug your ISP cable into the WAN port.
- Choose your connection type (DHCP, PPPoE, etc.).
- Enter your username and password (if needed).
- Set a Wi-Fi name (SSID) and a strong password.
Setting Up NAT on Linux
To set up NAT manually on Linux, follow these steps:
- Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
- Set up NAT using iptables:
iptables -t nat -A POSTROUTING -o <interface> -j MASQUERADE
Replace <interface> with the name of your internet-facing interface, something like eth0 or wlan0.
Tip: Add these to startup scripts so they persist after reboot.
Do You Need to Filter Traffic?
Yes — allowing internet access is only half the story. You also need to protect your devices from hackers. Each computer should be protected by a firewall.
If you deal with sensitive data (e.g., government or confidential info), you must protect both the endpoints and every node in the network.
What Is a DMZ?
DMZ stands for Demilitarized Zone — a part of your network that’s exposed to the internet. Servers in a DMZ can be accessed externally, while internal devices are kept hidden.
Today, DMZs are less common. Modern security practice focuses on securing every device, not just a segment.
What Is a Firewall?
A firewall (also called a software or hardware firewall) filters incoming and outgoing network traffic based on rules.
Firewalls can:
- Allow or block packets.
- Redirect traffic.
- Apply advanced filtering based on states (e.g., NEW, ESTABLISHED).
Firewalls can run:
- On routers (Linux-based, using iptables)
- On Windows PCs (using Windows Firewall)
Choosing a Firewall
There are two main types:
- Hardware firewalls — usually dedicated devices with filtering software (often Linux-based, or Cisco IOS).
- Software firewalls — installed on PCs or servers. Examples:
- iptables on Linux
- Windows Firewall on Windows
Most home routers already include basic firewall features:
- Packet filtering
- NAT
- VPN support
- DMZ options
- DHCP server
For handling sensitive data, consider certified firewalls.
Enterprise-level security depends on required protection levels. These are defined by organizations like FSTEC in Russia (or NIST, CIS in other countries).
IDS and IPS Systems
A basic firewall can't detect every attack. For advanced threats, use:
- IDS (Intrusion Detection System) – detects suspicious activity.
- IPS (Intrusion Prevention System) – blocks it in real time.
IPS can detect DDoS attempts, exploit payloads, and more. Be aware that enabling IPS may reduce network performance — even Cisco warns about this.
Configuring Windows Firewall
Advanced settings are available via Group Policy:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall
Here, you can adjust rules for domain and public profiles.
Linux Firewall (iptables)
Most Linux systems use iptables for firewall functionality. It's a command-line tool built into almost every distro.
To start/stop it:
service iptables start
service iptables stop
Basic Actions:
- ACCEPT – allow the packet
- DROP – discard it silently
Main Chains:
- INPUT – incoming packets
- OUTPUT – outgoing packets
- FORWARD – packets routed through the system
Other Common Targets:
- MASQUERADE – hides original IP (used in NAT)
Example: Universal iptables Script
Here's a basic script for setting up NAT and securing your Linux system with iptables:
#!/bin/bash
IPT="/sbin/iptables"
UPORTS="1024:65535"
INET="eth0"   # interface facing the internet (WAN side)
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush old rules in both the filter table and the nat table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
# Default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD ACCEPT
# NAT: rewrite the source address of forwarded packets leaving through $INET
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
# Allow localhost
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Drop invalid packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
# Allow established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop new TCP connections that do not start with a SYN (basic sanity check, not a full SYN flood defence)
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# DNS access (this host as a resolver client)
$IPT -A OUTPUT -p udp --dport 53 --sport $UPORTS -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 --sport $UPORTS -j ACCEPT
$IPT -A INPUT -p udp --sport 53 --dport $UPORTS -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 --dport $UPORTS -j ACCEPT
# Allow outgoing SSH (this host as an SSH client; incoming SSH is not opened)
$IPT -A OUTPUT -p tcp --dport 22 --sport $UPORTS -j ACCEPT
$IPT -A INPUT -p tcp --sport 22 --dport $UPORTS -j ACCEPT
# Allow DHCP client traffic (if the WAN address is assigned dynamically)
$IPT -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p udp --dport 68 --sport 67 -j ACCEPT