1 Firewall & IP Tables


Firewall

IP Tables

32-4 FIREWALLS

All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:

Packet-Filter Firewall

Proxy Firewall

What Is a Firewall?

a choke point of control and monitoring

interconnects networks with differing trust

imposes restrictions on network services: only authorized traffic is allowed

auditing and controlling access: can implement alarms for abnormal behavior

is itself immune to penetration

provides perimeter defence

What Is a Firewall?

cannot protect from attacks bypassing it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)

cannot protect against internal threats, e.g. a disgruntled employee

cannot protect against transfer of all virus-infected programs or files, because of the huge range of O/S and file types

Figure 32.22 Firewall

Types of Firewalls

Packet Filters

Application-Level Gateways

Circuit-Level Gateways

There is a Packet Filter in the front

Packet Filters

Note: A packet-filter firewall filters at the network or transport layer.

Packet Filters

simplest of components

foundation of any firewall system

examine each IP packet (no context) and permit or deny according to rules

hence restrict access to services (ports)

possible default policies:

that which is not expressly permitted is prohibited

that which is not expressly prohibited is permitted

Packet-filter firewall

Packet Filters

Attacks on Packet Filters

IP address spoofing: fake source address to be trusted; add filters on the router to block

source routing attacks: attacker sets a route other than the default; block source-routed packets

tiny fragment attacks: split header info over several tiny packets; either discard or reassemble before checking

IP Table Stateful Packet Filters

examine each IP packet in context

keeps track of client-server sessions

checks each packet validly belongs to one

better able to detect bogus packets out of context

Question - 1

1. Can a stateless firewall block TCP connection initiation requests from an external location to any local host, but at the same time allow returning traffic from connections initiated by local hosts? Why or why not?

Answer:

Yes. The firewall filters out SYN packets to a local host, but allows SYN/ACK and other packets to flow through.
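The stateful filter from the IP Table Stateful Packet Filters slide above, set beside the stateless flag check this answer relies on, as an added illustration (not code from the slides). Hosts under the constructed prefix 192.168.1. count as local, the other addresses are documentation ranges, and sessions are keyed on the TCP 4-tuple.

```python
from dataclasses import dataclass, field

LOCAL_NET = "192.168.1."   # hypothetical internal prefix; everything else is "outside"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_local(ip):
    return ip.startswith(LOCAL_NET)


def stateless_decide(pkt):
    """Question 1's stateless rule: drop inbound connection requests (SYN set,
    ACK clear) and let every other packet through, since without state the
    filter can only look at the flags of the packet in front of it."""
    if not is_local(pkt.src) and pkt.syn and not pkt.ack:
        return "DROP"
    return "ACCEPT"


@dataclass
class StatefulFilter:
    """Tracks client-server sessions opened from inside (slide: 'examine each
    IP packet in context'). Keyed by (local ip, local port, remote ip, remote port)."""
    sessions: set = field(default_factory=set)

    def decide(self, pkt):
        if is_local(pkt.src) and not is_local(pkt.dst):          # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:                           # local host opens a session
                self.sessions.add(key)
                return "ACCEPT"
            return "ACCEPT" if key in self.sessions else "DROP"
        # Inbound: accept only packets that validly belong to a tracked session.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.sessions else "DROP"


def demo():
    """Constructed traffic: a legitimate handshake, then two out-of-context packets."""
    fw = StatefulFilter()
    handshake = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),            # client SYN out
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),  # server SYN/ACK in
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, ack=True),            # client ACK out
    ]
    # A SYN/ACK nobody asked for: passes the stateless flag check, fails the session check.
    bogus = Packet("198.51.100.7", 80, "192.168.1.10", 40001, syn=True, ack=True)
    # An external connection attempt: both filters stop it.
    external_syn = Packet("198.51.100.7", 5555, "192.168.1.20", 22, syn=True)
    return {
        "handshake_stateful": [fw.decide(p) for p in handshake],
        "bogus_stateful": fw.decide(bogus),
        "bogus_stateless": stateless_decide(bogus),
        "external_syn_stateful": fw.decide(external_syn),
        "external_syn_stateless": stateless_decide(external_syn),
    }
```

The unsolicited SYN/ACK is the "bogus packet out of context" the stateful slide refers to: it satisfies the stateless rule because its ACK bit is set, and only the session table catches it.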

What is a proxy honey?

Application Level Gateway (or Proxy)

Note: A proxy firewall filters at the application layer.

Proxy firewall

Proxy Firewall

What is the function of the proxy server in a security context?

In computer networks, a proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it would 'cache' the first request to the remote server, so it could save the information for later, and make everything as fast as possible.

Firewalls - Application Level Gateway (or Proxy)

use an application-specific gateway / proxy; it has full access to the protocol

user requests service from proxy; proxy validates request as legal, then actions request and returns result to user

need separate proxies for each service; some services naturally support proxying, others are more problematic; custom services generally not supported

Question - 2

2. What is an application-level gateway?

Answer:

An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.

Question - 3

3. Explain the difference between packet filters and application layer proxies.

Answer:

Packet filters look at packets one at a time, while application-layer proxies reconstruct application layer entities, such as email messages, files, and web pages.

Firewalls - Circuit Level Gateway

What is a gateway that we need to

across?

Circuit Level Gateway

Firewalls - Circuit Level Gateway

Circuit Level Gateway

relays two TCP connections

imposes security by limiting which such connections are allowed

once created usually relays traffic without examining contents

typically used when internal users are trusted, allowing general outbound connections

SOCKS is commonly used for this

Question - 4

4. What is a circuit-level gateway?

Answer:

A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

Question - 5

5. What is the main security benefit of NAT and why is it useful to combine NAT with a firewall, instead of using separate NAT and firewall devices?

Answer:

NAT hides the addresses of devices behind the NAT device and prevents attacks that use knowledge of internal network addresses behind the NAT device. Some firewall policies, such as allowing traffic to high-numbered ports only if there was a matching outgoing request, require port numbers and internal addresses. This is easier to determine if the firewall also knows the NAT translation table.

Question - 6

6. In a distributed firewall, an administrator ships out firewall rules to hosts over an authenticated channel, and each host enforces its own policy. Give one advantage and one disadvantage of a distributed firewall, in comparison with a centralized firewall.

Answer:

Advantage: Can filter traffic between internal hosts on the local network. For example, prevent ssh connections from certain internal hosts, avoiding possible attacks if they are compromised.

Disadvantage: Cannot protect against external flooding of an internal network – in a DoS attack, the links between local hosts will be flooded, whereas this could be prevented by throttling incoming traffic at a gateway firewall.

Firewall

IP Tables

What is netfilter/iptables?

Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

Packet Processing in IP Tables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

There are three tables in total. The first is the mangle table, which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.

The second table is the filter queue, which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules.

The third table is the nat queue, which is responsible for network address translation. It has two built-in chains.

Processing For Packets Routed By The Firewall 1/2

You need to specify the table and the chain for each firewall rule you create. There is an exception: Most rules are related to filtering, so iptables assumes that any chain that's defined without an associated table will be a part of the filter table. The filter table is therefore the default.

Processing For Packets Routed By The Firewall 1/2

Processing For Packets Routed By The Firewall 2/2

To help understand iptables, take a look at the way packets are handled by iptables. In the figure, a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.

The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT before arriving at Network B. When the destination server decides to reply, the packet undergoes the same sequence of steps.

If the packet is destined for the firewall itself, then it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point, the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.

Targets & Jumps

Each firewall rule inspects each IP packet and then tries to identify it as the target of some sort of operation. Once a target is identified, the packet needs to jump over to it for further processing.

ACCEPT: iptables stops further processing. The packet is handed over to the end application or the operating system for processing.

DROP: iptables stops further processing. The packet is blocked.

LOG: The packet information is sent to the syslog daemon for logging. iptables continues processing with the next rule in the table. You can't log and drop at the same time, so use two rules. Option: --log-prefix "reason"

REJECT: Works like the DROP target, but will also return an error message to the host sending the packet that the packet was blocked. Option: --reject-with qualifier (the qualifier is an ICMP message)

Targets & Jumps

SNAT: Used to do source network address translation, rewriting the source IP address of the packet. The source IP address is user defined.

--to-source <address>[-<address>][:<port>-<port>]

DNAT: Used to do destination network address translation, i.e. rewriting the destination IP address of the packet.

--to-destination ipaddress

MASQUERADE: Used to do source network address translation. By default the source IP address is the same as that used by the firewall's interface.

[--to-ports <port>[-<port>]]

Important Iptables Command Switch Operations

Firewall rules are stored in scripts or databases; most commonly in scripts.

One row example:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

Each line of an iptables script not only has a jump, but also has a number of command line options that are used to append rules to chains that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain so you can start all over again.

iptables is being configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any.

Important Iptables Command Switch Operations

Common TCP and UDP Match Criteria

Common TCP and UDP Match Criteria

Example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT

iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for an IP address of 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).
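A small model of how iptables evaluates the filter-table rules on these slides, added here as an illustration and not netfilter's own code: it loads the INPUT rule from the earlier slide and the FORWARD rule above, applies the Targets & Jumps semantics (ACCEPT and DROP end processing, LOG records and continues, the chain policy decides when nothing matches) and evaluates constructed packets. The external address 203.0.113.9, the default-deny policies and the LOG rule are assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    in_if: str = ""
    out_if: str = ""
    sport: int = 0
    dport: int = 0

def _net(spec):
    """Expand iptables shorthand such as 0/0 or a bare host address to a network."""
    addr, _, plen = spec.partition("/")
    addr += ".0" * (3 - addr.count("."))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def _in_range(spec, port):  # a single port or an iptables lo:hi range
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

class Firewall:
    def __init__(self):
        # filter table only: each chain has a policy, an ordered rule list and a log
        self.chains = {c: {"policy": "ACCEPT", "rules": [], "log": []}
                       for c in ("INPUT", "OUTPUT", "FORWARD")}

    def iptables(self, line):
        """Load one 'iptables -P CHAIN TARGET' or 'iptables -A CHAIN <matches> -j TARGET' line."""
        argv = shlex.split(line)
        if argv[0] == "iptables":
            argv.pop(0)
        if argv[0] == "-P":
            self.chains[argv[1]]["policy"] = argv[2]
        else:  # -A: keep the flag -> value pairs, -j and --log-prefix included
            self.chains[argv[1]]["rules"].append(dict(zip(argv[2::2], argv[3::2])))

    @staticmethod
    def _match(rule, p):
        checks = {
            "-s": lambda v: ipaddress.ip_address(p.src) in _net(v),
            "-d": lambda v: ipaddress.ip_address(p.dst) in _net(v),
            "-i": lambda v: p.in_if == v,
            "-o": lambda v: p.out_if == v,
            "-p": lambda v: p.proto.lower() == v.lower(),
            "--sport": lambda v: _in_range(v, p.sport),
            "--dport": lambda v: _in_range(v, p.dport),
        }
        return all(checks[f](v) for f, v in rule.items() if f in checks)

    def evaluate(self, chain, p):
        """First matching terminating target wins; LOG records and falls through
        to the next rule; the chain policy applies when nothing matched."""
        ch = self.chains[chain]
        for rule in ch["rules"]:
            if not self._match(rule, p):
                continue
            if rule["-j"] == "LOG":
                ch["log"].append(f'{rule.get("--log-prefix", "")}{p.src}:{p.sport}->{p.dst}:{p.dport}')
                continue
            return rule["-j"]
        return ch["policy"]

def demo():
    """The slides' two rules plus a constructed default-deny policy and a LOG rule."""
    fw = Firewall()
    for line in ["iptables -P INPUT DROP", "iptables -P FORWARD DROP",
                 "iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT",
                 "iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP "
                 "--sport 1024:65535 --dport 80 -j ACCEPT",
                 'iptables -A FORWARD -p TCP --dport 23 -j LOG --log-prefix "telnet: "']:
        fw.iptables(line)
    ext = "203.0.113.9"  # constructed external source address
    fwd = lambda sport, dport: fw.evaluate("FORWARD", Packet(ext, "192.168.1.58", "tcp", "eth0", "eth1", sport, dport))
    inp = lambda proto, dport: fw.evaluate("INPUT", Packet(ext, "192.168.1.1", proto, "eth0", "", 51000, dport))
    return {"web": fwd(51000, 80), "low_sport": fwd(80, 80), "telnet": fwd(51000, 23),
            "ssh_to_fw": inp("tcp", 22), "dns_to_fw": inp("udp", 53),
            "forward_log": fw.chains["FORWARD"]["log"]}
```

The telnet attempt shows the LOG behaviour the Targets & Jumps slide describes: the LOG rule records it and processing continues, and the packet is only dropped by the chain policy, which is why logging and dropping take two rules.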

Defense for SYN flood attacks

You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.

-m limit sets the maximum number of SYN packets. iptables is being configured to allow the firewall to accept a maximum of 5 TCP SYN packets per second on interface eth0.

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

If more than 5 SYN packets per second arrive, the packets are dropped.

If the source or destination senses dropped packets, it will resend three times.

If drops continue after the 3 resends, the source will reduce its packet rate.
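A model of the limit match the rule above uses, added here as an illustration rather than netfilter's own code: the match is a token bucket, so --limit 5/s refills one token every 200 ms and the default --limit-burst of 5 lets a full bucket pass five SYNs at once before the steady 5/s applies. The arrival times are constructed.

```python
from dataclasses import dataclass


@dataclass
class LimitMatch:
    """Token-bucket model of '-m limit --limit N/s [--limit-burst B]'."""
    rate_per_s: int = 5
    burst: int = 5          # iptables' default --limit-burst

    def __post_init__(self):
        self.cost_ms = 1000 // self.rate_per_s   # credit one packet consumes (200 ms at 5/s)
        self.cap_ms = self.cost_ms * self.burst  # bucket capacity: 5 packets' worth
        self.credit_ms = self.cap_ms             # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        """True if a packet arriving at now_ms is within the limit (and spends credit)."""
        self.credit_ms = min(self.cap_ms, self.credit_ms + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit_ms >= self.cost_ms:
            self.credit_ms -= self.cost_ms
            return True
        return False


def apply_rule(arrivals_ms):
    """Verdict per SYN for 'iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT',
    assuming SYNs that do not match fall through to a DROP (a later rule or the policy)."""
    lim = LimitMatch()
    return ["ACCEPT" if lim.matches(t) else "DROP" for t in arrivals_ms]


def flood_vs_client():
    """Constructed traffic: 100 SYNs 10 ms apart (a flood) against one SYN every 500 ms."""
    flood = apply_rule([10 * k for k in range(100)])
    client = apply_rule([500 * k for k in range(10)])
    return {
        "flood_accepted": flood.count("ACCEPT"),            # 5 from the full bucket + 4 refills
        "flood_first_drop_ms": flood.index("DROP") * 10,     # sixth SYN, at 50 ms
        "client_accepted": client.count("ACCEPT"),           # a slow client is never limited
    }
```

With the slide's rule on its own, SYNs beyond the limit are only dropped if a later rule or the INPUT chain's policy drops them, which the model assumes; the first second also passes the burst allowance on top of the 5/s rate.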

Saving Your iptables Scripts

For RedHat based distributions: The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements.

Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system so that they can see a general rule structure. Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot. Once you have become familiar with the iptables syntax, it's best to write scripts that you can comment and then save to /etc/sysconfig/iptables. It makes them much more manageable and readable.

Loading Kernel Modules Needed By iptables

The iptables application requires you to load certain kernel modules to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module which tracks TCP connection states. As most scripts probably will keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall.

Loading kernel modules extends its functionality. Generally kernel modules are like plugins; they add functionality: /lib/modules/2.4.20-30.9/kernel/net/

Manually loading/unloading modules:

modprobe <module> (search for module and dependencies)

insmod <module> (force load module, without resolving dependencies)

rmmod <module> (remove module)

lsmod (list loaded modules)

Load some common modules:

modprobe ip_conntrack (tracking connections)

modprobe ip_conntrack_ftp (transparent proxy for active ftp)

modprobe iptable_nat (for all kinds of NAT operations)

modprobe ip_nat_ftp (for ftp server behind nat)

Basic Firewall settings

Most basic firewall settings: everything from inside is allowed to pass out; everything from outside is denied to pass in.

Optionally firewalls directly offer security levels. More or fewer protocols are accepted; the most common are:

SSH SMTP WWW VPN

FTP DHCP SMB TELNET

Levels are usually 3: No security, Medium, High

No Security = Firewall is passing everything or is disabled

Medium = SMTP, SSH, DHCP, FTP

HIGH = SSH

Summary

have considered:

firewalls

types of firewalls

IP Tables

How Do You Want to Protect Your Network System?

Thank You