Firewalls
• A device that screens incoming and outgoing network traffic and allows or disallows traffic based on a set of rules
• The "device"
– Needs at least two NICs (to be a 'true' firewall)
– The OS running the firewall needs to be hardened: every service the firewall does not need is removed, because the firewall's own exposed services are the first thing an attacker goes after
– Sometimes called a Bastion Host
• The "network traffic" is the packets of data between a trusted network and an untrusted network
– Trusted – your LAN
– Untrusted – the Internet
Firewall Rules
• There are 4 types of firewalls
– Packet-Filtering
• Works on the network layer (IP, ICMP, IGMP)
• Looks at the source, destination, and service fields of the packets
• If the packet doesn't adhere to the set of rules the packet can be dropped or denied
– Dropped
» Delete the packet with no response to the sender
– Denied (rejected)
» Delete the packet but send an ICMP error (or, for TCP, a reset) back to the sender
• Doesn't reassemble packets into the original message before enacting a rule
• FAST!
• Quite secure if configured correctly
– Often a firewall will "drift" open as time passes and changes accumulate; the rule set needs periodic review
• Subject to packet spoofing, since a stateless filter decides on header fields it cannot verify
Firewall Rules
• There are 4 types of firewalls
– Stateful-Inspection
• Can work on all layers of the OSI model
• Adds port and connection state to the list of rules to be used
• State keeps track of TCP transactions
– Adds the connection (addresses and ports) to the table of "open" connections when a connection starts from the inside
– Removes the connection from the table when the TCP connection is terminated (or when it times out)
• Reassembles the packets to get the original message BEFORE making an assessment against the rules
• Can be slow, because of the reassembly, the full message analysis, and the open-connection lookup
Firewall Rules
• There are 4 types of firewalls
– Proxy-Based (application-level gateway)
• A connection to the Internet is always handled by an intermediary – the proxy server
• The client connects to the proxy server, which then connects to the actual server
• No connection takes place between an inside machine and any machine outside the network. The proxy makes the connection on our behalf
• Slow, because every connection is store-and-forward and the proxy must understand the application protocol it relays
• Easy to identify from outside – they have MANY ports open
• They can cache data and serve it directly without contacting the actual server
Firewall Rules
• There are 4 types of firewalls
– Circuit-Level (Virtual Private Network)
• When data is routed to another network, the data is
– Encrypted
– Sent to the other network
– Decrypted
– Sent inside the network to the correct machine
• Connects two secure networks via the insecure Internet
• All communications between the two sides take place via the VPN
• No other network traffic is allowed to pass
• Usually used between two office sites
• Can be used with telecommuters
– Problem: the home user's machine may not be secure
– VPNs assume the remote network is secure
– An attacker who gains access to the remote network can then reach the corporate network over the VPN connection
Network Address Translation (NAT)
• Many firewalls also provide network address translation (NAT)
• On one side of the firewall is a public (routable) IP address and on the other an internal (private) addressing scheme
• NAT rewrites the IP header (and, for TCP and UDP, the port) as the packet passes through the firewall, from the internal scheme to the public address; the firewall keeps a translation table so that replies can be mapped back to the internal machine
• It can open a standard port on the public address and forward packets received there to an internal machine, even on a different port number (port forwarding)
Firewall Architecture
• Single-Homed
– The firewall has one NIC
– The firewall is actually just software (a host firewall)
– Sandwiches itself between the NIC and the packet-generating/receiving software
– Lets packets pass to/from that software if the rules are met
– Difficult to manage with more than just a few hosts
– Usually used on home systems
– Can be used to do application firewalling
Firewall Architecture
• Dual-Homed
– The firewall has two NICs
– One connected to the trusted network, one to the untrusted network
– Packets are passed from one NIC to the other if the rules are met
– Well-known services (web, mail, DNS) sit inside your trusted network, so a compromise of one of them exposes everything else on the LAN
– Used where money is an issue, or where no well-known services are being provided
Firewall Architecture
• Segmented (single firewall)
– The firewall has 3 NICs
– One connected to the trusted network, one to the untrusted network, and one to a network of machines providing well-known services
– The network providing well-known services is called the Demilitarized Zone (DMZ)
– If the firewall is configured correctly (in particular, the DMZ is never allowed to open connections into the trusted network), a compromised well-known-service machine leaves the internal network unaffected
– Still leaves one system to compromise to gain access to the trusted network: the firewall itself
Firewall Architecture
• Segmented (multiple firewalls)
– At least 2 firewalls
– One firewall is connected to the untrusted network and the other to the DMZ
– The next firewall connects the DMZ to the trusted network
– An attacker now has to get through two firewalls to reach the trusted network; using two different products means one vendor's bug does not open both
[Diagram: segmented architecture with two firewalls; example addresses shown 150.1.1, 150.2.2, 150.3.3, 150.4.4, 150.5.5, 150.4.4.1, 150.5.5.1 and 148.61.162.181]
IP Tables
• iptables is the built-in firewall in Linux
• It is part of the kernel (at least it has kernel modules)
– The kernel portion of iptables is called Netfilter
• iptables only understands IPv4 traffic: TCP, UDP, ICMP, IGMP and the other IP protocols. It doesn't handle AppleTalk, IPX, NetBEUI, etc. (ARP filtering is done by arptables, IPv6 by ip6tables)
– Make sure your kernel does not accept anything besides what the firewall can understand
– Make sure your kernel does not have the fast-switching option enabled (an option found in older 2.x kernels), as it routes packets at a lower level than iptables, thus bypassing the firewall altogether
• The iptables command manipulates the firewall rules
IP Tables
• There are three classic tables within iptables: filter, nat and mangle (newer kernels add raw and security)
– A packet may traverse more than one table (for a forwarded packet: nat PREROUTING, then filter FORWARD, then nat POSTROUTING); the nat table only sees the first packet of each connection
• Each table has chains associated with it
– Within the filter table a packet is evaluated by ONLY ONE chain: INPUT, OUTPUT or FORWARD
– Every rule in the chain is applied to the packet, in order, until a match is found or there are no more rules (first match wins)
IP Tables - Tables
• Filter table
– The basic packet-filter and stateful-inspection filter
– There are 3 built-in chains inside the table
• INPUT
– This chain is evaluated ONLY if the packet's destination is the local machine
• OUTPUT
– This chain is evaluated ONLY if the packet's source is the local machine
• FORWARD
– This chain is evaluated if the packet is being forwarded through the machine (routed between interfaces; requires net.ipv4.ip_forward=1)
IP Tables - Tables
• Nat table
– Performs network address translation; it is consulted for the first packet of each connection only, and later packets of that connection are translated from the connection-tracking entry
– It also has 3 built-in chains
• PREROUTING
– Alters packets as soon as they come in, before the routing decision (DNAT lives here)
– Used for packets originating from the unsecured network
• POSTROUTING
– Alters packets just before they leave, after the routing decision (SNAT and MASQUERADE live here)
– Used for packets originating from the secure network
• OUTPUT
– Alters locally generated packets before routing (DNAT of locally generated traffic)
Table/Chain Order
• For a packet not generated by the computer:

  incoming -> PREROUTING (nat) -> routing decision -+-> INPUT (filter) -> local process
                                                     |
                                                     +-> FORWARD (filter) -> POSTROUTING (nat) -> out

• For a packet generated by the computer:

  local process -> OUTPUT (nat) -> OUTPUT (filter) -> POSTROUTING (nat) -> out
IP Tables – Rules
• Chains are made of rules
• Rules are the tests each packet must pass to determine the packet's outcome
• Think of the rules as a series of if/then statements
• Order of the rules matters: the first matching rule with a terminating target decides
• Generally the more specific rules are at the top and the more general rules at the bottom
• There is a default policy, which is the catch-all: it applies when no rule above caught the packet
IP Tables – Commands
• Default Policy
– iptables [-t table] -P chain target
Where table is filter, nat, or mangle (filter is the default)
Chain is INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING (the chain must exist for the table; only built-in chains take a policy)
Target is ACCEPT or DROP
– It is generally accepted practice to drop anything that makes it through the firewall rule set without matching
– You should also log any packet that makes it to the default policy (a policy cannot log by itself, so the last rule in the chain is a LOG rule)
– Example: iptables -t filter -P INPUT DROP
IP Tables – Commands
• Listing rules
iptables [-t filter] -L [chain] [options]
– If the chain is not specified all the chains are displayed
– Options include:
-v More verbose output (packet and byte counters, interfaces)
-n Numeric output, no reverse DNS lookups (much faster on a busy machine)
--line-numbers Display line numbers next to each rule
– Example
iptables -t filter -L INPUT --line-numbers
IP Tables – Commands
• Removing all rules from a chain (flush)
iptables [-t filter] -F [chain]
– Flushing does not reset the default policy: with a DROP policy a flushed INPUT chain blocks everything, including your own SSH session
• Delete one rule from a chain
iptables [-t filter] -D chain rule_number
rule_number is the location of the rule in the chain (as shown by -L --line-numbers); -D chain rule, repeating the rule's own match, also works
• Insert a rule in a chain
iptables [-t filter] -I chain [rule_number] rule
If the rule_number is specified, the rule is inserted at that location. If it is not given the rule is inserted at the top of the rule set (position 1)
IP Tables – Commands
• Append a rule to the chain
iptables [-t filter] -A chain rule
Adds the rule to the end of the rule set (just before the default policy takes effect)
• Zero the packet/byte counters
iptables [-t filter] -Z [chain]
IP Tables - Protocol Rules
• Most arguments to the rules take a "!" to invert the condition (written before the option, e.g. ! -p tcp)
• -p tcp|udp|icmp|all
– Match a packet with the stated protocol (a name from /etc/protocols or a number); one protocol per rule, not a comma-separated list
• -p tcp and -p udp take the sub-options:
--destination-port port (short form --dport port)
--source-port port (short form --sport port)
where port is a number or a service name (from /etc/services), or a range written low:high with ":" separating the two ends
– Several non-contiguous ports in one rule need the multiport match: -m multiport --dports 80,443
IP Tables – Source/Destination Rules
-s address
-d address
– Matches a packet with the source or destination set to the address
– Multiple addresses can be set up:
• As a comma-separated list (iptables expands it into one rule per address)
• As a network using a mask: 10.0.0.0/8 or 10.0.0.0/255.0.0.0 (see the man page for details)
• As a range between a start and an end IP address, using the iprange match: -m iprange --src-range 10.0.0.10-10.0.0.20 (or --dst-range)
IP Tables – icmp Rules
-p icmp
Takes the sub-option
--icmp-type type
Where type is an ICMP type name or number (e.g. echo-request). The types can be listed using the command
iptables -p icmp -h
IP Tables – Interface Rules
-i interface
-o interface
– Matches a packet that came in on, or is going out of, a particular interface (eth0, lo, ppp0)
– Adding a suffix of "+" to the interface name matches all interfaces that start with the name
• e.g. eth+ matches eth0, eth1, eth2, ...
– -i is only valid in the INPUT, FORWARD or PREROUTING chains
– -o is only valid in the OUTPUT, FORWARD or POSTROUTING chains
– One interface per option (no comma-separated lists); in the FORWARD chain pair -i and -o so that a rule states which direction it allows
IP Tables – State Rules
-m state --state NEW|ESTABLISHED|RELATED|INVALID
(the state match is the older spelling of -m conntrack --ctstate, which takes the same state names; several states may be given as a comma-separated list)
NEW: the packet starts a connection that connection tracking has not seen before; for TCP this is normally the SYN
ESTABLISHED: the packet belongs to a connection that has seen traffic in both directions (the SYN-ACK of the 3-way handshake already counts)
RELATED: the packet starts a new connection that is associated with an existing one (an ICMP error for it, or an FTP data connection)
INVALID: connection tracking could not associate the packet with any connection, e.g. a malformed packet or an impossible TCP flag combination; drop these explicitly
IP Tables – Targets
• Targets are the "then" section of the rule. They determine what happens to a packet if the packet matches the rule
• Argument: -j target
• The target can be ACCEPT, DROP, LOG, REJECT, MIRROR, SNAT or DNAT (or the name of a user-defined chain)
• All targets listed except LOG terminate the chain
• ACCEPT – accept the packet and send it on to the application (or on to the next table in the traversal)
• DROP – discard the packet. The source of the packet is not notified of the failure
IP Tables – Targets
• LOG – log much of the header info to the system log (it is a kernel message, so look in dmesg, journalctl -k or syslog)
– A useful sub-option is --log-prefix prefix, which adds the prefix to the log line and makes it easier to find in the system logs
– The LOG target logs, then continues down the chain; it therefore sits directly before the DROP (or the end of the chain), and is normally paired with -m limit so that an attacker cannot fill the log
IP Tables – Targets
• REJECT – discards the packet but also sends an error message back to the source of the packet
– Valid only in the INPUT, OUTPUT and FORWARD chains
– Takes the sub-option --reject-with type
– Type can be: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, and if the packet is a TCP packet, tcp-reset
– icmp-port-unreachable is the default
– REJECT is friendlier to legitimate clients (they fail immediately instead of timing out) but tells a scanner that a host is there; DROP is the usual choice on an Internet-facing interface
IP Tables – Targets
• MIRROR – swaps the source and destination addresses and sends the packet back to the source
– Only valid in the INPUT, FORWARD and PREROUTING chains
– The outgoing packet from this rule is not evaluated by the filter or nat table, nor by any rule using the state match
– Use with caution: you may be attacking an innocent machine (hacked by someone else, or simply a spoofed source address)
– MIRROR has been removed from modern Linux kernels and is listed here for completeness only
IP Tables – Targets
• SNAT --to-source address
– Valid only in the nat table's POSTROUTING chain
– Rewrites the source address of the packet to the address specified (optionally with a port range, address:port-port)
– Once the first packet of a connection is SNATed, the returning packets have their destination address changed back to the original source address automatically
– The address may be a range (first-last) to give a simple distribution across multiple addresses
– Connection tracking (state) is implied; on an interface with a dynamic address use MASQUERADE instead, which picks up the interface's current address
IP Tables – Targets
• DNAT --to-destination address
– Valid only in the nat table's PREROUTING and OUTPUT chains
– Functions like SNAT but on the destination address (and optionally the port, address:port); this is how a port on the public address is forwarded to an internal machine
– If a range of addresses is given, basic load sharing is achieved
– The filter FORWARD chain sees the packet after DNAT, so its rules must match the translated (internal) destination
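The following script is an added example and not part of the original slides. It ties together the segmented single-firewall architecture (trusted LAN, DMZ, Internet on three NICs), the nat table and the SNAT/DNAT targets: the public tcp/80 is DNATed to a DMZ web server, the LAN is SNATed behind the public address, and the FORWARD chain is written so the DMZ can never open a connection into the LAN. Interface names (eth0/eth1/eth2), the addresses 203.0.113.10, 10.0.0.0/24, 10.0.1.0/24 and 10.0.1.80 are hypothetical; it uses the modern conntrack match rather than the older state match. Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original slides): a segmented single-firewall
# gateway with three NICs, written as iptables commands. All addresses and
# interface names are hypothetical:
#   eth0  untrusted side, public address 203.0.113.10
#   eth1  trusted LAN 10.0.0.0/24
#   eth2  DMZ 10.0.1.0/24 with a web server at 10.0.1.80
# IPT names the iptables binary; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF=eth0; WAN_IP=203.0.113.10
LAN_IF=eth1; LAN_NET=10.0.0.0/24
DMZ_IF=eth2; WEB=10.0.1.80

dmz_gateway_rules() {
    # Anything forwarded that matches no rule below is dropped.
    "$IPT" -t filter -P FORWARD DROP

    # Replies and related traffic (ICMP errors) of connections already accepted.
    "$IPT" -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Port forwarding: tcp/80 on the public address goes to the DMZ web server.
    # DNAT happens in nat PREROUTING, so the FORWARD rule must match the
    # translated destination 10.0.1.80, not 203.0.113.10.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    "$IPT" -t filter -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # The trusted LAN may open connections to the Internet and to the DMZ web
    # server. There is deliberately no rule with -i eth2 -o eth1: a compromised
    # DMZ host cannot open connections into the LAN.
    "$IPT" -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -t filter -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # SNAT in nat POSTROUTING: LAN traffic leaving on eth0 carries the public
    # address; conntrack reverses the translation for the replies.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # Log (rate-limited) what is about to hit the FORWARD DROP policy.
    "$IPT" -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD default: "
}

# Without forwarding enabled the FORWARD chain is never consulted:
#   sysctl -w net.ipv4.ip_forward=1
case "${1:-}" in
    apply) dmz_gateway_rules ;;
esac
```

Run it as `IPT=echo sh gateway.sh apply` to review the rules, then as root with `sh gateway.sh apply` to load them. In production the same rules are better kept in iptables-restore format and loaded in one atomic step, so the box is never half-configured while the script runs.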
Example
• A server runs a web server on port 80. The server has a single-homed firewall. What rules need to be added to allow outside machines to access the web server? No other services should be made available. The server should not be able to connect to any outside service.
Example
• iptables -t filter -P INPUT DROP
• iptables -t filter -P OUTPUT DROP
• iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
• iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
  (the inbound SYN created the connection-tracking entry, so the replies from port 80 match ESTABLISHED; nothing else can leave the machine)
• iptables -t filter -A INPUT -j LOG --log-prefix "iptables INPUT rule default"
• iptables -t filter -A OUTPUT -j LOG --log-prefix "iptables OUTPUT rule default"
  (the LOG rules are appended last, so they only see packets that are about to hit the DROP policy)
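As an added example (not the slides' own answer), here is the same web-server host firewall written the way it would be deployed: the loopback interface stays open, INVALID packets are dropped first, replies and RELATED traffic are accepted in both directions, only NEW connections to tcp/80 are admitted, and the LOG rules before the default policy are rate-limited. It also illustrates the four connection states from the State Rules slide in use. It assumes a single-homed host offering nothing but tcp/80 and initiating no outbound connections, and uses the conntrack match (the modern spelling of -m state). Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the slides' own answer): the web-server host firewall
# with the checks a practitioner adds. Assumptions: single-homed host, web
# server on tcp/80, nothing else offered, no outbound connections initiated
# by the host. IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"

web_server_rules() {
    # Start from an empty filter table so the result does not depend on leftovers.
    # Note that -F does not touch the policies; they are set explicitly below.
    "$IPT" -t filter -F
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P OUTPUT DROP
    "$IPT" -t filter -P FORWARD DROP

    # Loopback must stay open or local daemons (resolver, database sockets) break.
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    "$IPT" -t filter -A OUTPUT -o lo -j ACCEPT

    # Packets conntrack cannot associate with a known connection are dropped
    # early; forged packets with odd flag combinations end up here.
    "$IPT" -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies on connections already accepted, plus RELATED traffic such as
    # ICMP errors (path-MTU discovery needs those), in both directions.
    "$IPT" -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only new connections accepted: TCP to port 80. Restricting to NEW
    # means a stray ACK to port 80 without a tracked connection is not let in.
    "$IPT" -t filter -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Log what reaches the default policy, rate-limited so a flood cannot fill
    # the disk. No OUTPUT rule allows NEW, so the host cannot call out.
    "$IPT" -t filter -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables INPUT default: "
    "$IPT" -t filter -A OUTPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables OUTPUT default: "
}

case "${1:-}" in
    apply) web_server_rules ;;
esac
```

Applied over SSH this rule set cuts the session, as the exercise demands (port 22 is not offered): load it from the console, or insert an SSH rule first. Afterwards `iptables-save` writes the running rules in a form that `iptables-restore` reloads atomically at boot.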