Stateless firewalls 3-1

Intrusion Detection and Firewall Security


Stateless firewalls
Hårek Haugerud, A. Professor & Senior Lecturer
harek.haugerud@hioa.no
Paal Engelstad, Professor
paal.engelstad@hioa.no
Outline
Firewall overview:
What is it and why do we need it?
Some typical firewall network topologies
Linux firewalls
Overview
iptables
Firewall design and System policy
Setting up a stateless personal firewall from scratch
Network firewall: filters traffic going between networks
Personal/host/local firewall: filters traffic between a host and the network
A firewall filters network traffic going over a computer interface
[Figure: a host firewall sits between the host and its network; a network firewall sits between network A and network B]
Firewall assumptions
All traffic between outside and inside should pass through the firewall
inside and outside are often defined by different levels of trust
Only authorized traffic should be allowed to pass
Authorized traffic is defined by the local security policy
The firewall itself should ideally be immune to penetration
However, any software might have bugs and vulnerabilities
[Figure: inside (higher level of trust) | firewall | outside (lower level of trust)]
Different Types of Firewalls
A firewall can be in the form of a:
Stateless packet filter (lecture 3 this lecture)
Stateful packet filter
Connection tracking (lecture 4)
Containing NAT functionality (lecture 5)
Application gateway (not covered in this course)
ALG, proxy, etc
Firewall as a packet filter
Inspects packets as they traverse the interface
Checks src-addr, dst-addr, src-port, dst-port, flags, session number
Performs actions (like accept, drop, etc.) based on rules defined by you (e.g. with the iptables command on a Linux system)
Accept
Drop
Filtering can be based on:
Packet header info
source IP address
destination IP address
source port
destination port
protocol & flags
TCP
SYN bit
ACK bit
... etc...
UDP
ICMP
icmp-type flag
Direction / interfaces
Is the datagram leaving or entering the internal network?
decisions can be different for different interfaces
State (for stateful firewalls)
NEW, ESTABLISHED, RELATED, INVALID
filter: IP and UDP Header (RECAP)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Payload ...
The 5-tuple a packet filter matches on: source address, destination address, protocol, source port, destination port
filter: IP and TCP Header (RECAP)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HLEN  |  Reserved |U|A|P|R|S|F|            Window             |
|       |           |R|C|S|S|Y|I|                               |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Options (if any)              |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Payload ...
TCP flags: URG, ACK, PSH, RST, SYN, FIN
5-tuple (identifies the TCP socket pair): source address, destination address, protocol, source port, destination port
RECAP: TCP flags & 3-way handshake
Client (IP a, port 1338) and server (IP b, port 22); the three packets as a packet filter sees them, in time order:

Step  Src IP  sport  Dst IP  dport  prot  Seq   Ack   TCP flags
1     a       1338   b       22     tcp   1200  0     SYN
2     b       22     a       1338   tcp   4800  1201  SYN+ACK
3     a       1338   b       22     tcp   1201  4801  ACK (+ data/payload)
TCP/IP Recap: TCP 3-way Handshake
Client (active open)                        Server (passive open)
  SYN (1200)                    --->
                                <---   SYN (4800), ACK (1201)
  ACK (4801)                    --->   connection established on both sides
  ACK, [DATA]                   <-->
Client close:
  ACK (4900), FIN (1300)        --->
                                <---   ACK (1301)
Server close:
                                <---   ACK (1301), FIN (4900)
  ACK (4901)                    --->
filter: IP and ICMP Header (RECAP)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Type     |      Code     |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Type/code-specific header fields                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          ICMP data (type/code-specific format/length) ...
A packet filter matches ICMP on type and code, e.g. iptables -p icmp --icmp-type echo-request
RECAP: Some ICMP Message types
Q: Which types/codes were seen in your traceroute assignment?
Type   Description
0      Echo reply
1-2    Reserved
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
9      Router advertisement
10     Router solicitation
11     Time exceeded
12     Parameter problem
13/14  Timestamp request / reply
15/16  Information request / reply
17/18  Address mask request / reply
etc.

Type 3 (Destination unreachable) codes:
Code   Description
0      Destination network unreachable
1      Destination host unreachable
2      Destination protocol unreachable
3      Destination port unreachable
4      Fragmentation required, and DF flag set
5      Source route failed
6      Destination network unknown
7      Destination host unknown
8      Source host isolated
9      Network administratively prohibited
10     Host administratively prohibited
11     Network unreachable for TOS
12     Host unreachable for TOS
13     Communication administratively prohibited
14     Host precedence violation
15     Precedence cutoff in effect

Type 11 (Time exceeded) codes:
Code   Description
0      TTL expired in transit
1      Fragment reassembly time exceeded
Filtering a packet
The usual reaction to a packet is:
Accept it
Drop it (silently discard it)
Reject it (discard and send an ICMP notification)
Log it
Change header information (e.g. NAT)
Drop or reject? DROP gives the sender no feedback, so a port scanner has to wait for a timeout on every probe; REJECT (an ICMP error, or a TCP reset for TCP) tells a legitimate client immediately that the port is closed, but also tells a scanner that a host is there and answering.
Why would you need a firewall?
Increased network security
First line of defense
Access Control (Network/Transport Level)
Logging
Firewall Basics: What is NOT a Firewall?
A firewall is NOT:
The only thing needed for security
Does not solve other aspects of information security (e.g. human factors, insiders, mis-configuration)
You still have to let traffic in and out
Something you install and leave alone
Need to manage it for the ever-changing network environment
Need to monitor it. Stay on guard!
100% safe
Any software might have bugs and vulnerabilities, and so does any firewall
Firewall/Gateway: For subnets without public services
Often combined with NAT
several hosts on the LAN can share one public IP address and a single broadband connection to the ISP.
Typical for home/small networks (i.e. no webserver or SSH access)
Using a restrictive policy
E.g. no incoming connection requests at all.
[Figure: internal private network (LAN) with a server and clients | firewall (gateway, NAT?) | external public network (Internet) with a customer and a hacker]
DMZ (De-Militarized Zone): For
subnets with public services
Typical for larger organizations
The network is split into two zones:
1. DMZ: Containing servers accessible from the Internet
e.g. Web servers
2. LAN: Network with a more restrictive rule-set
in case DMZ-servers get compromised
Different levels of trust between LAN and DMZ
Needs a firewall in between
Let us look at two different models of network with a
DMZ...
DMZ: Example I
DMZ = a part of your LAN with other restrictions, e.g. allowing publicly available services (web servers, mail etc.)
[Figure: external public network (Internet) with a customer and a hacker | firewall (gateway) | DMZ with a web server and another public server | firewall (choke) | internal private network (LAN) with a server and clients]
DMZ: Example II
Often combined with local firewalls on hosts within the LAN, to protect against other possibly infected hosts on the LAN
[Figure: a single firewall with interfaces if1 and if2 separating the external public network (Internet: customer, hacker) from the internal private network (LAN: server, clients) and the DMZ (web server and another public server)]
Firewalls with Linux
netfilter: The actual firewall
Operates in kernel space
iptables: The configuration tool
Operates in user space
Note: iptables is only a tool for managing and setting rules. It won't work without packet filtering (netfilter) support in the kernel.
Ubuntu: iptables & netfilter are installed by default
TinyCore: use the ab iptables command to install it
By default netfilter allows all traffic, so you won't notice its presence before you start using iptables to configure netfilter
iptables usage
iptables [-t table] {-A|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] {-L|-F|-Z} [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
First, let us consider packet filtering (firewall) usage
Then, we must set table=filter (iptables -t filter ...)
Or we can omit it altogether, because filter is the default
No table specified means that filtering is implied
iptables usage for packet filtering
iptables {-A|-D} chain rule-specification
iptables -I chain [rulenum] rule-specification
iptables -R chain rulenum rule-specification
iptables -D chain rulenum
iptables {-L|-F|-Z} [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target
iptables -E old-chain-name new-chain-name
Let us go through this in detail...
iptables is simply the Linux command
The command takes different input parameters and switches (see the usage synopsis above)
iptables command is primarily used to add/remove packet filtering rules
rule-specification = [matches...] [target]
target = -j targetname
targetname = {DROP|REJECT|ACCEPT|LOG}
Simple examples of rule-specifications:
-i eth0 -j DROP
Drop packets arriving on the eth0 interface
-s 128.39.13.6 -p tcp -j ACCEPT
Accept tcp packets with source ip-address 128.39.13.6
So what is chain and what is rulenum...?
iptables commands to add/remove rules into these lists (chains)
-A, --append : Append one or more rules to the end of the chain.
-D, --delete : Delete a rule from the chain (by rule-specification or by rule number).
-I, --insert : Insert a rule into the chain (default rulenum = 1, i.e. at the top).
-R, --replace : Replace a rule in the chain with another one.
-L, --list : List all rules in the chain (default = all chains).
-F, --flush : Flush (delete all) rules from a chain (default = all chains).
-Z, --zero : Zero the packet and byte counters of a chain (or all chains).
Example: Append new packet filtering rules to a chain
rule-specification = [matches...] [-j {DROP|REJECT|ACCEPT|LOG}]
Simple examples of rule-specifications:
iptables -A OUTPUT -o eth0 -j DROP
Drop outgoing packets leaving through the eth0 interface
iptables -A INPUT -s 128.39.13.6 -p tcp -j ACCEPT
Accept incoming tcp packets with source ip-address 128.39.13.6
Rules are organized into numbered lists of rules. These lists are called chains
Rules are numbered starting at one (i.e. rulenum=1)
When appended/inserted, each rule obtains a rule number according to its order in the chain
A packet is tested against the rules in that order; the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides, so the order of the rules matters (LOG does not terminate; the packet continues to the next rule)
Displayed by the --list (-L) command, for example:
iptables -L -v --line-numbers
Default chains for packet filtering: INPUT, OUTPUT, FORWARD
Built-in chains (= non-user-defined chains):
INPUT chain: These rules apply to all packets destined for the firewall host itself
OUTPUT chain: Applies to all packets originating from the firewall host
FORWARD chain: Applies to all packets passing through the firewall-router
Next week.
+ User-defined chains with user-defined names
More on rule-specification (matches)
[!] -p, --protocol protocol : The protocol of the packet, e.g. tcp, udp, udplite, icmp, esp, ah, sctp, or a numeric value, see /etc/protocols.
(The "!" inverts the test, e.g.: iptables -A INPUT ! -p tcp -j DROP )
[!] -s, --source, --src address[/mask] : Address is typically a network IP address (with /mask), or a plain IP address.
[!] -d, --destination, --dst address[/mask] : Same syntax as for the -s (source) flag
[!] --sport port[:port] : Match on source port (or port range); requires -p tcp or -p udp
[!] --dport port[:port] : Match on destination port (or port range); requires -p tcp or -p udp
[!] -i, --in-interface name : name = eth0, eth1, lo etc... (only meaningful in the INPUT and FORWARD chains)
[!] -o, --out-interface name : name = eth0, eth1, lo etc... (only meaningful in the OUTPUT and FORWARD chains)
-m, --match match : Use an extension module to test for a specific property
Examples: Manipulating rules in chains
iptables -F
flushing (deleting) all rules in all chains (OUTPUT, INPUT, FORWARD)
iptables -F OUTPUT
flushing (deleting) all rules in the OUTPUT chain
iptables -D INPUT 3
deleting rule number 3 in the INPUT chain
iptables -L FORWARD
listing all rules in the FORWARD chain
iptables -L
listing all rules in all chains
Manipulating the chains
-N, --new-chain : Create a new user-defined chain with the given name.
-X, --delete-chain : Delete a user-defined chain (must be empty, i.e. rules flushed, and not referenced by any rule). Default = all user-defined chains.
-P, --policy : Set the policy for a built-in chain. (No policy can be set for user-defined chains)
-E, --rename-chain : Rename a user-defined chain
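The chain commands above in use, as an added example that is not from the lecture: a user-defined chain LOGDROP that logs a packet and then drops it, used as a target from the built-in INPUT chain, and then torn down again in the order -X requires. The port (23, telnet) and the log prefix are chosen for illustration. The IPT variable lets you set IPT="echo iptables" to print the command sequence instead of applying it, which is how the dry-run function at the end works.

```sh
# Added example (not from the lecture): a user-defined chain LOGDROP that logs
# a packet and then drops it, used as a target from the built-in INPUT chain.
# Set IPT="echo iptables" to print the commands instead of executing them.
IPT="${IPT:-iptables}"

logdrop_create() {
    $IPT -N LOGDROP                          # -N fails if the chain already exists
    # LOG is a non-terminating target: the packet continues to the next rule.
    # The limit match keeps a flood of hits from filling the log.
    $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "fw-logdrop: " --log-level 4
    $IPT -A LOGDROP -j DROP                  # so the DROP must follow explicitly
}

logdrop_use() {
    # A chain name is a valid target: telnet attempts are logged, then dropped.
    $IPT -A INPUT -p tcp --dport 23 -j LOGDROP
}

logdrop_remove() {
    # Reverse order: delete the reference, flush the chain, then delete it.
    # -X refuses a chain that still holds rules or is still referenced.
    $IPT -D INPUT -p tcp --dport 23 -j LOGDROP
    $IPT -F LOGDROP
    $IPT -X LOGDROP
}

# Dry run: print the exact command sequence for review (nothing is applied).
logdrop_dryrun() {
    (IPT="echo iptables"; logdrop_create; logdrop_use; logdrop_remove)
}
```

Run `logdrop_dryrun` to see the seven commands in order; with IPT left at its default the same three functions apply them as root. A DROP policy on INPUT would discard the telnet packets anyway; the point of the chain is that the same log-then-drop behaviour can be attached to any number of rules without repeating the LOG rule.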
Example: Setting the policy
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
OR:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
The policy specifies what will happen (e.g. DROP or ACCEPT) to packets that do not match any rule in a built-in chain.
In iptables -P chain target, the target part refers to e.g. DROP or ACCEPT (only a built-in target can be a policy; REJECT or a user-defined chain cannot)
More about targets later
Personal firewall (One interface)
All outgoing packets are filtered by the rules in the OUTPUT chain
All incoming packets are filtered by the rules in the INPUT chain
[Figure: local processes / applications (e.g. Apache, ssh, ...) | OS kernel (TCP/IP stack) with the netfilter chains INPUT and OUTPUT, each with a drop exit | eth0 (NIC)]
Troubleshooting using tcpdump
tcpdump is capturing outgoing packets just before they go to the NIC (after filtering etc.)
tcpdump is capturing incoming packets just after they come from the NIC (before filtering etc.)
So an incoming packet that shows up in tcpdump but never reaches the application may have been dropped by the INPUT chain, while an outgoing packet dropped by the OUTPUT chain never shows up in tcpdump at all
[Figure: the one-interface host above, with the tcpdump capture point between the NIC (eth0) and the INPUT/OUTPUT chains]
Personal firewall w/ loopback-interface
Also including the loopback interface (lo)
A packet a local process sends to the host itself passes first the OUTPUT chain and then the INPUT chain
(Of course, lo is not a part of netfilter; it is simply one more interface the chains see)
[Figure: local processes / applications (e.g. Apache, ssh, ...) | OS kernel (TCP/IP stack) with the OUTPUT and INPUT chains | loopback (lo) and eth0 (NIC)]
Example: Accepting loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Network firewall (router): Left to right
All packets passing through are filtered by the rules in the FORWARD chain
Routing decision:
dest.IP = local_IP : send to INPUT
dest.IP != local_IP : send to FORWARD
[Figure: packet arriving on eth0 (NIC) | routing decision | either the FORWARD chain (drop exit) and out via eth1, or the INPUT chain (drop exit) and up to local processes / applications (e.g. Apache, ssh, ...); local processes send through the OUTPUT chain (drop exit) to eth0, eth1 or loopback (lo)]
Network firewall (router): Both ways
The same applies to packets arriving on eth1: a routing decision, then FORWARD towards eth0 or INPUT towards the local processes
[Figure: the same host with a routing decision behind each NIC and the three filter chains INPUT, OUTPUT and FORWARD, each with a drop exit]
iptables used to configure netfilter
[Figure: the filter chains (INPUT, OUTPUT, FORWARD) live in the kernel as part of netfilter; the iptables command runs in user space, alongside applications like www and ssh, and configures them]
Firewall design
A word of caution / disclaimer: There are almost as many opinions about network administration as there are network administrators.
Things are done differently almost everywhere
Often decisions regarding infrastructure and equipment have already been taken
Then you have to customize and make the best out of what you've got.
The following section is an approach to gaining insight into the traffic flow of a network. It is not meant as an exhaustive treatment of the topic.
We will concentrate on traffic shaping and filtering, since that is central in this course. Other courses cover the topic from their own point of view.
System policy
Constitutes a detailed plan
A clear policy to avoid misunderstandings
several people working on the firewall / network
others that need to understand
Defining the system policy
Define hosts, servers and services
Define privileges
Translate services into port numbers
Drawing cases
Setting up firewalls
Install and configure surveillance tools
Test, test, test
Re-evaluate earlier decisions
Defining hosts, servers and services
What services should the network offer to the Internet? The most common are HTTP, FTP and SMTP, to name some. In addition come special systems used by the organization which communicate with external nodes.
Some services should also run on the intranet, like a local DNS server, NFS, NetBIOS, databases and so on.
Finally, what services should the hosts on your network be allowed to access on the Internet? Some would restrict these to a bare minimum. Others would allow everything out.
An important point in the specification is how well the different solutions will scale or can be reconfigured. This is actually quite important for all the following steps too. You should always think about the future.
Defining hosts, servers and services (example)
Hosts and servers
Class "Internet" = All non-local machines
Class "Webserver" = Our local webserver (192.168.1.2)
Class "Workstations" = Workstations (192.168.1.16/29)
Class "Nameserver" = Our local nameserver (192.168.1.3)
Class "Mailserver" = Our local mailserver (192.168.1.4)
Services
Class "WWW" = http, https
Class "DNS" = dns
Class "SSH" = ssh
Class "MAIL" = pop3, smtp
Defining privileges
Not all machines on your network are entitled to use all services offered in your network.
Perhaps the web server is the only one with access to the database, or mail can only be sent from the workstations.
These privileges can be displayed in a table.
In the following example, we use the term "Internet" for all machines except the ones on our network. Granting WWW to the Internet does not include WWW to local machines. It can be useful to define such classes for simplicity.
Defining privileges (example)
Such a listing is useful regardless of what filtering technology you choose to use later on. The principles of filtering are always the same.
Host          Service  Server
Workstations  WWW      Internet
Workstations  WWW      Webserver
Workstations  SSH      Webserver
Workstations  SSH      Nameserver
Workstations  DNS      Nameserver
Workstations  MAIL     Mailserver
Webserver     DNS      Nameserver
Nameserver    DNS      Internet
Mailserver    DNS      Nameserver
Mailserver    MAIL     Internet
Translate services into port numbers
For every service to allow (SSH, WWW, FTP ...), identify ports and protocol in order to define your ruleset
iptables does not know anything about web surfing, but it can identify TCP packets heading for port 80.
Some services are a bit tricky, e.g.:
FTP works with several ports
Non-standard applications (gaming, chat) that use undocumented ports
Network analysis to figure it out.
You should finally have a list of ports that should be open on every host. This will make it easier for you when you construct the actual rule-set.
Drawing cases
The table with the privileges did not take into account the route those connections actually take through your network. Which route they take outside your domain is not in your hands.
For monitoring later on, it could be useful to draw some cases which display actual traffic. These cases do not have to follow a special standard. The aim is to draw something that shows you what to expect where.
It also shows which firewall is responsible for what.
Drawing cases (example)
[Figure: case drawing; not reproduced in this text]
System policy
Constitutes a detailed plan
A clear policy to avoid misunderstandings
several people working on the firewall / network
others that need to understand
Defining the system policy
Define hosts, servers and services
Define privileges
Translate services into port numbers
Drawing cases
Setting up firewalls
Install and configure surveillance tools
Test, test, test
Re-evaluate earlier decisions
Stateless firewalls 3-62
Setting up the firewall
The next task is to actually configure the firewalls. If you are already familiar with the filtering technology you wish to use and have done solid groundwork in the previous steps, this should be straightforward.
Re-evaluating rules
All system-policies change over time.
Changes in infrastructure and upgrades will
probably require adjustments in your
configurations.
How well does your system adapt to these
changes?
Do your solutions scale to more hosts on
your network?
Setting up a stateless personal firewall from scratch
Assumptions/prerequisites:
A Linux system with one network interface.
The running kernel has netfilter support.
See how the rules change as you add new rules.
It is very useful to learn some tricks early on. This line shows a nice way to watch over your current rules and which way the packets go:
watch -n 2 iptables -L -v -n --line-numbers
watch -n <seconds>: re-run the command every <seconds> seconds
iptables -L <listing-options>: -v = verbose (packet and byte counters per rule), -n = numeric IP addresses/ports (no DNS lookups)
This command monitors the rules and additionally shows what packets go where in the different chains.
Write all iptables commands to a script
Run the script
Steps for stateless firewall setup
Steps (simplified) in your script
Define symbolic constants
Flush any pre-existing rules
Allow loopback traffic
Set policy on chains: DROP
Allowing in and out rules
for selected services:
DNS, Mail (SMTP, IMAP), WWW (http), SSH
etc...
Define symbolic constants
Example:
The IP-address of the network interface is
stored in the variable: $MY_IP
MY_IP=192.168.10.10
Flush any pre-existing rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
If there are any user-defined chains as well,
they should be removed too.
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
Allow loopback traffic
The loopback device must not be filtered,
since it is for private use, and some software
systems depend on this for their functioning.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Set policy on chains: DROP
The default policy for a chain determines what will happen to packets that don't match any rule.
Setting the policy to ACCEPT means that you have to sort out single-handedly every type of traffic you want to drop. Setting it to DROP is a more secure approach (default deny).
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
Leave the nat and mangle tables without such a DROP policy!
All filtering is done in the filter table
If you configure the firewall over SSH, a typo in the script after this point locks you out, so keep console access or test with a scheduled rollback.
Allowing in/out rules for selected services
Examples:
Allowing ssh in
iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
If you want to allow ssh in, you also need to allow the reply packets out.
Allowing DNS out
iptables -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:65535 --sport 53 -j ACCEPT
For DNS, we have specified the interface explicitly. This is useful when the host has more than one interface.
Note that a stateless reply rule cannot tell a reply from an unsolicited packet: the DNS INPUT rule accepts any UDP packet with source port 53 aimed at an unprivileged port, whether or not we sent a query. Restricting it to the address of your resolver (-s <resolver>) narrows the hole; only connection tracking (lecture 4) closes it.
Filtering malformed packets
Until now, we have focused on the rules regarding well-formed packets. But attacks and scans often rely on malformed packets.
A firewall script usually has a set of rules at the beginning to take care of everything that is not according to protocol (e.g. packets arriving on the external interface with our own address or a loopback address as source, or TCP packets with illegal flag combinations such as all flags set or none set).
An extensive list can be found in Ziegler: Linux Firewalls.
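The setup steps of this section and the malformed-packet rules above, put together as one script. This is an added example, not code from the lecture. Assumptions: the single interface is eth0, the host address is 192.168.10.10 (the lecture's example value), the site resolver is 192.168.10.1 (made up here), and the services are ssh in, http/https out and DNS out. Two points go beyond the slides: the reply-direction TCP rules carry "! --syn", so a packet that would open a new connection from our service port outwards is refused even without connection tracking, and the UDP reply rule is pinned to the resolver's address because UDP has no flags to test. Setting IPT="echo iptables" gives a dry run that prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not from the lecture: a complete stateless personal firewall
# for a host with one interface. Assumptions: interface eth0, host address
# 192.168.10.10 (the lecture's example value), resolver 192.168.10.1 (made up).
# Set IPT="echo iptables" for a dry run that prints the commands.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
MY_IP="${MY_IP:-192.168.10.10}"
DNS_SERVER="${DNS_SERVER:-192.168.10.1}"   # assumption: site resolver
UNPRIV="1024:65535"                        # client (ephemeral) port range

fw_flush() {
    # Flush rules and delete user-defined chains in all three tables
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

fw_policy() {
    # Default deny in the filter table only; nat and mangle keep ACCEPT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

fw_loopback() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

fw_bad_packets() {
    # Before any ACCEPT rule, so spoofed or malformed packets never match one
    $IPT -A INPUT -i "$IFACE" -s "$MY_IP" -j DROP          # our own address from the wire: spoofed
    $IPT -A INPUT -i "$IFACE" -s 127.0.0.0/8 -j DROP       # loopback range on a real interface
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP      # NULL scan
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP       # XMAS scan
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
}

# A TCP service we offer (e.g. ssh): requests in, replies out.
# "! --syn" on the reply direction refuses packets that would open a new
# connection from our port $1 outwards; that is as far as a stateless filter can go.
fw_server_tcp() {
    $IPT -A INPUT  -i "$IFACE" -p tcp --sport "$UNPRIV" --dport "$1" -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --sport "$1" --dport "$UNPRIV" ! --syn -j ACCEPT
}

# A TCP service we use as a client (e.g. http): requests out, non-SYN replies in.
fw_client_tcp() {
    $IPT -A OUTPUT -o "$IFACE" -p tcp --sport "$UNPRIV" --dport "$1" -j ACCEPT
    $IPT -A INPUT  -i "$IFACE" -p tcp --sport "$1" --dport "$UNPRIV" ! --syn -j ACCEPT
}

# UDP has no flags, so the reply rule would admit any packet from source port $1
# to our unprivileged ports. Pinning it to the server address $2 narrows that hole.
fw_client_udp() {
    $IPT -A OUTPUT -o "$IFACE" -p udp -d "$2" --sport "$UNPRIV" --dport "$1" -j ACCEPT
    $IPT -A INPUT  -i "$IFACE" -p udp -s "$2" --sport "$1" --dport "$UNPRIV" -j ACCEPT
}

fw_build() {
    fw_flush
    fw_policy
    fw_loopback
    fw_bad_packets
    fw_server_tcp 22                 # ssh in
    fw_client_tcp 80                 # http out
    fw_client_tcp 443                # https out
    fw_client_udp 53 "$DNS_SERVER"   # dns out
    # Reject (not drop) ident probes so remote mail/IRC servers fail fast instead of timing out
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Last rule: log (rate limited) what the DROP policy is about to discard
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
}

# Number of -A rules a dry run produces; a sanity check before applying
fw_rule_count() {
    (IPT="echo iptables"; fw_build) | grep -c -- ' -A '
}

# Apply only when explicitly asked: FW_APPLY=1 sh fw.sh (as root)
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_build
fi
```

Review the dry run first (`IPT="echo iptables" sh fw.sh` prints nothing by itself; source the file and call `fw_build` inside `(IPT="echo iptables"; fw_build)`), then apply with FW_APPLY=1 from a console session. The order inside fw_build is the order the chains are searched: loopback and bad-packet rules come before any service rule, the ident REJECT and the LOG rule come last, and everything that matches nothing falls through to the DROP policy.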
Summary: stateless firewall setup
Steps (simplified) in your script
Define symbolic constants
Flush any pre-existing rules
Accept loopback traffic
Set policy on chains: DROP
Drop malformed packets (bad addresses,
common unprivileged ports, bad flags....)
Accept in and out traffic for selected
services:
DNS, Mail (smtp, imap), WWW (http), SSH, etc...