Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP Todays Agenda Introduction TCP/IP Recap Firewall Basics ipchains, iptables (Netfilter) Implementation for home use Implementation for business use Firewall Management Demo Introduction Why need a firewall? Increased network security Access Control (Network/Transport Level) Logging Why Linux? Its FREE Not difficult to use!? Low hardware cost Flexible Lots of features compared with commercial counterpart Lots of Support!? Always evolving and improving (thanks to the open source community) TCP/IP Recap: General Info Essentials for configuring a firewall A suite of network protocols that runs on the internet Layered Concept Lower layers provide means of communications for upper layers Key Terms TCP, UDP, IP, ICMP TCP/IP Recap: Layered Concept Application TCPUDP IP Device Driver Device Driver Application http, ftp, dns, telnet, netbios Ports src, dst eth0, eth1 ICMP TCP/IP Recap: Layered Communication Application TCP/UDP IP Device Driver Device Driver IP Application ClientServer TCP/IP Recap: Layered Concept http TCPUDP IP Device Driver Device Driver ftpNetbios-nsdns 8020, eth0eth1 TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close TCP/IP Recap: TCP, UDP, IP, ICMP TCP Stateful communication (Session, Reliable) UDP Stateless communication (no session, Less reliable, fast) IP Addressing, routing (best effort) ICMP Diagnostic (dangerous?) Firewall Basics: What is a Firewall? In simple term, a firewall is: A device filtering network traffic between 2 (or more) networks Network ANetwork B Firewall Basics: What is NOT a Firewall? A firewall is NOT: The only thing for security Does not solves other aspect of infosec (eg. human, insiders, mis-configuration) You still have to let traffic in and out install and leave it Need to manage it for the ever-changing network environment Need to monitor it 100% safe Any software has bugs and vulnerabilities, so does any firewall Firewall Basics: Different Types of Firewalls A firewall can be in the form of: Packet-Filtering Gateway (Todays focus) Application Gateway (http proxy, socks server) Firewall Basics: How does it work? Packet filter Inspect packets as they transverse Checks Src-addr, dst-addr, src-ports, dst- ports, flags, session # Perform action (accept, drop) based on a rule (defined by you) Accept Drop ipchains: What is it? A loadable kernel module that performs packet filtering Comes with most Linux distribution Concept of chain: Input, output, and forward Command or Script (up to you) No Port-forward Port-forward: use with ipmasqadm portfw iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module Since kernel 2.4.x Comes with recent distribution Everything of ipchains plus: Stateful inspection Port forward (for servers behind firewall) More customized logging Improved matching (rate, string matching) More features = more difficult to use ipchains or iptables: Before we begin Make sure the linux O/S is hardened (Not covered here) Applied the latest patch from the distribution you selected Use the most recent version of ipchains or iptables ipchains: Basic Usage I Command Syntax: ipchains A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]] [-d address [port[:port]] j [action] -l Useful Option: ! Means NOT -l means log to syslog -y means SYN set & ACK clear -> connection initiation ! y means ACK set ->response to initiation, established connection TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close ipchains: The basic concept Control the input, output, and forward behavior of the interfaces inputeth0 output input eth1output forward ipchains: Using Script Put the script in /etc/rc.d/rc.firewall (just as if you type it on command line) In some distribution, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line) Run when firewall boots Good practices: Only enable ip forward inside the script and after all the rules are defined (ie. At the very end) run the script before interfaces goes up make sure the script is owned by root and with mode 700 ipchains Tips: Writing Script Use deny for default chain, -P ipchains P forward deny ipchains P input deny ipchains P output deny Remember to allow localhost traffic Use variables to assist you: LOCALNET_1=" /24 LOCAL_INTERFACE_1="eth1 ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains Tips: REJECT vs. DENY Two choice when blocking packet REJECT or DENY If REJECT, a ICMP port unreachable is sent back to the src- addr IF DENY, then the packet is just dropped Implementation Tips: Use common Linux distributions PC with >1 NIC card, hard disk for the O/S Install and harden O/S Load module (usually already loaded for default installation Run script Some Unique Linux distribution PC without hard disk (use RAM as disk) Floppyfw, LEAF Trinux (hardened) Store your script on floppy or cdrom Implementation for Home: Typical Setup Internet Firewall 1 or more PCs Cable, ADSL, or Dial-up Modem Aim: Masquerade all out going traffic Allow all outgoing traffic Filter in-coming traffic Home use: firewall-config Use GUI to help you Based on ipchains Most distribution Home use: firestarter Use GUI to help you Rpm package available Based on iptables Home use: firestarter Wizard Home Use: Cable vs. ADSL modem Cable Connection: Use Standard DHCP for external interface Straight forward Set up LAN interfaces using linuxconf or /etc/sysconfig/network-script/ifcfg-eth0 pump or dhcpcd pump has to be fixed by initscripts or the IP address will disappear after the dhcp leasing period Choose pump or dhcpcd in the script /etc/sysconfig/network-script/ifup Home Use: Cable vs. ADSL modem ADSL Connection: NOT Standard DHCP for external interface Usually PPP over Ethernet (pppoE) Use package rp-pppoe to assist youMost ADSL connection requires user account Configure the account in /etc/ppp/pppoe.conf When filtering, refer to pppO rather than eth0 Step-by-Step guide for rp-pppoe atconnect.txthttp://www.roaringpenguin.com/pppoe/how-to- connect.txt Home Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: If Cable: EXTERNAL_INTERFACE="eth0 IF ADSL: EXTERNAL_INTERFACE=ppp0 Loopback interface: LOOPBACK_INTERFACE="lo Internal interface: LOCAL_INTERFACE_1="eth1" Local Network Address: LOCALNET_1=" /24" Home Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for internal and loopback interface: ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT Home Use: Step-by-Step Setup - Step 3 Filter incoming traffic towards external interface Done by the default chain ipchains -P input DENY But that will disallow all input Need to allow TCP high port traffic that is NOT connection initiation (SYN bit not set!) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024: j ACCEPT What is ! y ??? Anyone Your firewall SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Connection Established Server Close Active Open Connection Established Client Close Home Use: Step-by-Step Setup - Step 4 Some ports that you have to open DNS Replies ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT FTP data ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT ICMP Replies ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT Home Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward Office Use Dont rely on GUI GUI may not be flexible enough for you Commands gives you more control Learn it (you or your net admin staff) Put together a firewall script Implementation for Office: Typical Setup 1 Internet Firewall Internal LAN router Aim: Masquerade all out going traffic Filter both in-coming and out-going traffic Port forward incoming traffic for your servers DMZ (servers) Implementation for Office: Typical Setup 2 Firewall Internal LAN 1 Aim: Filter traffic between two networks Internal LAN 2 Office Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: EXTERNAL_INTERFACE="eth0 Loopback interface: LOOPBACK_INTERFACE="lo Internal interface: LOCAL_INTERFACE_1="eth1 LOCAL_INTERFACE_2=eth2 Network Addresses and servers: LOCALNET_1=" /24 MAIL_SERVER=a.a.a.a WEB_SERVER=b.b.b.b Office Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Ipchains P output DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for loopback interface: ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Step 3 Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE base on EACH service you allow: Example http and dns service: ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 - j ACCEPT ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE - j ACCEPT ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Step 4 Port forwarding to your servers Need ipmasqadm Example, web server: ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80 ipchains -A input -s $ANYWHERE d $EXTERNAL_WEB_IP -p tcp -- destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward Troubleshooting Tips Dont panic when it doesnt work Use -l (logging) to help you Logs are logged in syslog Location: /var/log/messages Use this command to view traffic as they pass along: #tail f /var/log/messages Can also use tcpdump or snoop to help you Firewall Management: Building Rules gfcc For ipchains Provides good rules management Firewall Management: View Current MASQ sessions gfcc View current masquerading sessions Firewall Management: Build your rules online!tools.com/linux/firewal l/index.html Firewall Management: Viewing Logs Firestarter Real-time hit- list showing the blocked traffic Firewall Management: Log Analyzer fwlogwatchstuttgart.de/project s/fwlogwatch/http://cert.uni- stuttgart.de/project s/fwlogwatch/ Generate html report Real time reporting Some customization work Firewall Management: Whats missing? Enterprise level multiple firewall Rules building, use: Scp (secure copy) X-window (need proper access control) Log management, use: Various syslog tools Good References: Books TCP/IP Illustrated (All time classic) By W. Richard Stevens Firewall and Internet Security (All time classic) By William R. Cheswick, Steven M. Bellovin Linux Firewall By Robert L. Ziegler Good References: Sites SANS: Choosing a firewallRobert L. Ziegler Site:tools.com/linux/firewall/index.htmlhttp://www.linux-firewall- tools.com/linux/firewall/index.html ipchains HOW-TO:Netfilter project and iptables HOW-TO: filtering-HOWTO/index.htmlhttp://netfilter.samba.org/unreliable-guides/packet- filtering-HOWTO/index.html Robert Graham, analyzing firewall logs: END of Linux Firewall For the Office and Home Thank You!