Project Report on Implementation of Firewall on Linux Platform
In the past ten years, the internet's growth has exploded. In 1985 the internet included only 1961 host computers. The growth of the internet has been phenomenal, and by 1999 there were nearly 300,000 computers. The internet has continued to grow at exponential rates.
More important than the increase in the number of hosts connected to the internet is the increase in the number of internet users. The internet has essentially doubled in size. Today the number of internet users increases at a rate of nearly 200,000 new logins each month.
Security in Internet
however was the first networking worm that brought down many of the world's leading Unix-based computer installations. Though the Morris worm caused little damage, it nevertheless ushered in a new, significant era of security consciousness, as it revealed the internet's vulnerability. It gave rise to a new era of "cyber-terrorism".
Corporate losses due to computer security were also on the rise. A survey showed a significant increase in the number of intrusions and data corruptions, and also in the number of companies that perceived the internet as a source of danger.
Packet switching is the root of many transmission security problems. In packet switching the network server forwards the packet on whichever wire is immediately available. In a LAN this may not be a problem, but on the internet it is possible for a packet sent from a home computer to a computer in the office to travel through the server of the company's major competitor, who can simply destroy the essential data.
Security Experts:
Most security experts are capable of hacking, but decline from doing so for moral or economic reasons. Computer security experts have found that there is more money in preventing hacking than in perpetrating it. A number of large internet service companies employ ethical hackers to test their security systems.
Student Hackers :
These hackers belong to junior high, high school or college.
Their social position is Student. They usually perform joy-
Criminal Hackers:
They hack for revenge or to perpetrate theft. These are the persons who compromise internet servers to steal credit card numbers or hack the internet banking mechanism to steal money. They are regarded as real criminals.
Spies:
These are hackers employed by foreign governments against high-technology businesses. Many high-technology businesses are naïve about security, making them easy targets for the experienced intelligence agencies of foreign governments. The main purpose is to extract technology that gives their own corporations an edge.
Disgruntled Employees:
They pose the most dangerous threat and are the most difficult to detect. An employee who is constantly picked on by an employer may become a hacker, as he is aware of the security details in the company.
Hacking stages can be classified into the following areas:
Eavesdropping and snooping
Denial-of-service
Impersonation
Man-in-the-middle
Hijacking
Denial of Service:
The next thing a hacker can do is to disable some aspect of the network or to bring the network down. Methods a hacker can use to disable computer services are:
Ping of Death: A specially constructed ICMP packet that violates the construction rules is sent by the hacker to crash the computer, if the computer's networking software does not check for invalid ICMP packets.
SYN Attacks and ICMP flooding: This is another method used by hackers. The initial IP packet of a TCP connection attempt is simple and easy to generate, while responding to it takes more time and memory space, as the receiving computer must record information about the new connection. The hacker can send one SYN packet after another to the target computer, and the target computer will then be unable to process legitimate connection attempts, as its memory and time are wasted processing SYN requests.
In ICMP flooding, the hacker sends a constant stream of ICMP echo requests to the target computer. The target computer then spends most of its time responding to the echo requests instead of processing legitimate network traffic.
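The three denial-of-service methods just described each have a simple check a filtering host can apply before the packet reaches the networking stack. The C program below is an added example, not code from the report: it models a received packet with a few fields (an assumed layout; a real filter would decode them from the IP, ICMP and TCP headers), rejects any fragment whose offset plus length would reassemble beyond the 65535-byte IPv4 maximum (the malformed packet behind the ping of death), and counts SYN-only segments and ICMP echo requests per source within a one-second window so a flood can be flagged against a threshold. The table size, the limits and the replayed packets are constructed for the example; the SYN-only test (SYN set, ACK and RST clear) is the same one the ipchains -y option makes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal view of one received packet (assumed layout for this example). */
struct pkt {
    uint32_t src;          /* source IPv4 address, host order; 0 is reserved as "empty" below */
    uint8_t  proto;        /* 1 = ICMP, 6 = TCP */
    uint8_t  icmp_type;    /* 8 = echo request */
    uint8_t  tcp_flags;    /* 0x02 SYN, 0x04 RST, 0x10 ACK */
    uint16_t frag_off;     /* IP fragment offset, in 8-byte units (13 bits, max 8191) */
    uint16_t payload_len;  /* bytes of IP payload carried by this fragment */
    uint32_t ts;           /* arrival time, whole seconds */
};

/* Ping-of-death check: an IPv4 datagram may not exceed 65535 bytes, so a
   fragment whose offset plus length reassembles past that limit is
   malformed and can be dropped before a stack that does not check sees it.
   With frag_off <= 8191 the 32-bit sum cannot overflow. */
int check_fragment(uint16_t frag_off, uint16_t payload_len)
{
    uint32_t end = (uint32_t)frag_off * 8u + payload_len;
    return end > 65535u;
}

/* Per-source counters of SYN-only segments and ICMP echo requests within
   one second (toy-sized table, constructed for the example). */
#define NSRC 16
struct src_counter { uint32_t src, window, syn, echo; };
static struct src_counter table[NSRC];

void reset_counters(void) { memset(table, 0, sizeof table); }

static struct src_counter *slot_for(uint32_t src, uint32_t ts)
{
    for (int i = 0; i < NSRC; i++) {
        if (table[i].src == 0 || table[i].src == src) {
            if (table[i].src == 0 || table[i].window != ts) {   /* new source or new second */
                table[i].src = src; table[i].window = ts;
                table[i].syn = 0;   table[i].echo = 0;
            }
            return &table[i];
        }
    }
    return NULL;   /* table full: the toy table has no eviction */
}

/* Returns 1 once a source exceeds either limit within the current second.
   SYN-only means SYN set with ACK and RST clear (mask 0x16). */
int flood_suspect(const struct pkt *p, uint32_t syn_limit, uint32_t echo_limit)
{
    struct src_counter *c = slot_for(p->src, p->ts);
    if (c == NULL)
        return 0;
    if (p->proto == 6 && (p->tcp_flags & 0x16) == 0x02)
        c->syn++;
    if (p->proto == 1 && p->icmp_type == 8)
        c->echo++;
    return c->syn > syn_limit || c->echo > echo_limit;
}

/* Replay n constructed packets of one kind from one source in the same
   second and report whether the last one was flagged.
   kind: 'S' = SYN-only, 'A' = SYN+ACK (a reply, not counted), 'E' = echo request. */
int replay_burst(uint32_t src, char kind, int n, uint32_t syn_limit, uint32_t echo_limit)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        struct pkt p;
        memset(&p, 0, sizeof p);
        p.src = src; p.ts = 7;
        if (kind == 'E') { p.proto = 1; p.icmp_type = 8; }
        else { p.proto = 6; p.tcp_flags = (kind == 'A') ? 0x12 : 0x02; }
        flagged = flood_suspect(&p, syn_limit, echo_limit);
    }
    return flagged;
}

int main(void)
{
    reset_counters();
    printf("oversized fragment rejected: %d\n", check_fragment(8189, 100));
    printf("5 SYN-only segments, limit 3, flagged: %d\n",
           replay_burst(0x0a000002, 'S', 5, 3, 1000));
    return 0;
}
```

The fragment check is stateless and belongs in front of reassembly; the counters are stateful and, in a real deployment, need a per-window reset and an eviction policy, which the fixed table here deliberately omits.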
Impersonation:
This is the next step the hacker takes. By impersonating another computer that the computers on a given network trust, the hacker's computer may be able to trick the computers into revealing enough information for the hacker to get past the security. The tactic a hacker uses is:
Source routed attacks: Source routing specifies the route the packet takes as it crosses the TCP/IP based network. This makes it possible for the hacker to send data from one computer and make it look like it comes from a trusted source. The hacker can use source routing to impersonate an already connected user and inject additional information into an otherwise benign communication between server and authorised client computer.
Man-in-the-Middle:
This is a special case of impersonation, where the hacker operates between two computers on a network. When the client computer opens a connection to the server computer, the hacker's computer intercepts it. The hacker's computer opens a connection on behalf of the client computer
IPCHAINS USING C
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/if.h>
#include <linux/ip_fwchains.h>
int setsockopt(int socket, IPPROTO_IP, int command, void *data, int length)
DESCRIPTION
The IP firewall facilities in the Linux kernel provide mechanisms for accounting IP packets, for building firewalls based on packet-level filtering, for building firewalls using transparent proxy servers (by redirecting packets to local sockets), and for masquerading forwarded packets. The administration of these functions is maintained in the kernel as a series of separate tables (hereafter referred to as chains), each containing zero or more rules. There are three builtin chains, called input, forward and output, which always exist. All other chains are user defined. A chain is a sequence of rules; each rule contains specific information about source and destination addresses, protocols, port numbers, and some other characteristics, together with information about what to do if a packet matches the rule. A packet matches a rule when the characteristics of the rule match those of the IP packet.
A packet always traverses a chain starting at rule number 1. Each rule specifies what to do when a packet matches. If a packet does not match a rule, the next rule in that chain is tried. If the end of a builtin chain is reached, the default policy for that chain is returned. If the end of a user defined chain is reached, the rule after the rule which branched to that chain is tried. The purposes of the three builtin chains are:
Input firewall
COMMANDS
The command for changing and setting up chains and rules is ipchains(8). Most commands require some additional data to be passed. A pointer to this data and the length of the data are passed as the option value and option length arguments to setsockopt. The following commands are available:
IP_FW_INSERT
This command allows a rule to be inserted in a chain at a
given position (where 1 is considered the start of the chain). If
there is already a rule in that position, it is moved one slot, as
are any preceding rules in that chain. The reference count of
any chain referenced by this inserted rule is incremented
appropriately. The data passed with this command is an
ip_fwnew structure, defining the position, chain and contents
of the new rule.
IP_FW_DELETE
Remove the first rule matching the specification from the
given chain. The data passed with this command is an
ip_fwchange structure, defining the rule to be deleted and its
chain. The reference count of any chain referenced by this
deleted rule is decremented appropriately. Note that the
fw_mark field is currently ignored in rule comparisons (see
the BUGS section).
IP_FW_DELETE_NUM
Remove a rule from one of the chains at a given rule number
(where 1 means the first rule). The data passed with this
command is an ip_fwdelnum structure, defining the rule
number of the rule to be deleted and its chain. The reference
count of any chain referenced by this deleted rule is
decremented appropriately.
IP_FW_ZERO
Reset the packet and byte counters in all rules of a chain. The
data passed with this command is an ip_chainlabel which
defines the chain which is to be operated on. See also the
description of the /proc/net files for a way to atomically list
and reset the counters.
IP_FW_FLUSH
Remove all rules from a chain. The data passed with this
command is a ip_chainlabel which defines the chain to be
operated on.
IP_FW_REPLACE
Replace a rule in a chain. The new rule overwrites the rule in
the given position. Any chains referenced by the new rule are
incremented and chains referenced by the overwritten rule
are decremented. The data passed with this command is an
ip_fwnew structure, defining the contents of the new rule, the
chain name and the position of the rule in that chain.
IP_FW_APPEND
Insert a rule at the end of one of the chains. The data passed
with this command is an ip_fwchange structure, defining the
contents of the new rule and the chain to which it is to be
appended. Any chains referenced by this new rule have their
refcount incremented.
IP_FW_MASQ_TIMEOUTS
Set the timeout values used for masquerading. The data
passed with this command is a structure containing 3 fields
of type int, representing the timeout values (in jiffies, 1/HZ
second) for TCP sessions, TCP sessions after receiving a FIN
packet, and UDP packets, respectively. A timeout value 0
means that the current timeout value of the corresponding
entry is preserved.
IP_FW_CHECK
Check whether a packet would be accepted, denied, rejected,
redirected or masqueraded by a chain. The data passed with
this command is an ip_fwtest structure, defining the packet
to be tested and the chain which it is to be tested on. Both
builtin and user defined chains can be tested.
IP_FW_CREATECHAIN
Create a chain. The data passed with this command is an
ip_chainlabel defining the name of the chain to be created.
Two chains can not have the same name.
IP_FW_DELETECHAIN
Delete a chain. The data passed with this command is an
ip_chainlabel defining the name of the chain to be deleted.
The chain must not be referenced by any rule (ie. refcount
STRUCTURES
The ip_fw structure contains the following relevant fields to be filled
in for adding or replacing a rule:
struct in_addr fw_src, fw_dst
Source and destination IP addresses.
struct in_addr fw_smsk, fw_dmsk
Masks for the source and destination IP addresses. Note that
a mask of 0.0.0.0 will result in a match for all hosts.
char fw_vianame[IFNAMSIZ]
Name of the interface via which a packet is received by the
system or is going to be sent by the system. If the option
IP_FW_F_WILDIF is specified, then the fw_vianame need only
match the packet interface up to the first NUL character in
fw_vianame. This allows wildcard-like effects. The empty
string has a special meaning: it will match with all device
names.
__u16 fw_flg
Flags for this rule. The flags for the different options can be
bitwise or'ed with each other.
The options are: IP_FW_F_TCPSYN (only matches TCP packets
when the SYN bit is set and both the ACK and RST bits are
cleared in the TCP header; invalid with other protocols). The
option IP_FW_F_MARKABS is described under the fw_mark
entry. The option IP_FW_F_PRN can be
used to list some information about a matching packet via
printk(). The option IP_FW_F_FRAG can be used to specify a
rule which applies only to second and succeeding fragments
(initial fragments can be treated like normal packets for the
sake of firewalling). Non-fragmented packets and initial
fragments will never match such a rule. Fragments do not
contain the complete information assumed for most firewall
rules, notably ICMP type and code, UDP/TCP port numbers,
The interface address via which the packet is pretended to be received or sent.
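To make the chain semantics of the DESCRIPTION section and the field semantics of the STRUCTURES section concrete, here is an added user-space model (example code, not the report's and not the kernel's). A rule carries the same address/mask, protocol, port-range, SYN, interface-name and wildcard fields described above; match() compares a packet against one rule field by field, with a mask of 0 matching all hosts and an empty interface name matching every device; traverse() walks a chain from rule 1, branches into a user-defined chain when a rule names one, resumes at the rule after the branch when that chain runs off its end, and returns the chain's policy when a builtin chain runs out of rules. The struct layouts, the ruleset built by build_sample_ruleset() and the choice to fail closed on an unknown chain name are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAXRULES 8
#define MAXCHAINS 4

enum verdict { V_ACCEPT = 0, V_DENY = 1, V_REJECT = 2, V_FALLOFF = 3 };

/* The packet fields the rule fields below are compared against (host order). */
struct packet {
    uint32_t src, dst;
    uint8_t proto;              /* 1 ICMP, 6 TCP, 17 UDP */
    uint16_t sport, dport;
    int syn;                    /* TCP: SYN set, ACK and RST clear */
    const char *ifname;
};

/* User-space model of the ip_fw fields named in the STRUCTURES section. */
struct rule {
    uint32_t src, smsk, dst, dmsk;  /* fw_src/fw_smsk, fw_dst/fw_dmsk; mask 0 matches all */
    uint8_t proto;                  /* fw_proto, 0 = any */
    uint16_t spts[2], dpts[2];      /* fw_spts/fw_dpts, inclusive ranges */
    int tcpsyn;                     /* IP_FW_F_TCPSYN */
    const char *vianame;            /* fw_vianame, "" matches every device */
    int wildif;                     /* IP_FW_F_WILDIF: prefix match on vianame */
    const char *target;             /* ACCEPT, DENY, REJECT or a user chain name */
};

struct chain { const char *name; int builtin; enum verdict policy; int nrules; struct rule rules[MAXRULES]; };
static struct chain chains[MAXCHAINS];
static int nchains;

static struct chain *find_chain(const char *name)
{
    for (int i = 0; i < nchains; i++)
        if (strcmp(chains[i].name, name) == 0)
            return &chains[i];
    return NULL;
}

/* One rule against one packet, following the field semantics in the text. */
static int match(const struct rule *r, const struct packet *p)
{
    if ((p->src & r->smsk) != (r->src & r->smsk)) return 0;
    if ((p->dst & r->dmsk) != (r->dst & r->dmsk)) return 0;
    if (r->proto != 0 && r->proto != p->proto) return 0;
    if (r->proto == 6 || r->proto == 17) {          /* ports exist only for TCP/UDP */
        if (p->sport < r->spts[0] || p->sport > r->spts[1]) return 0;
        if (p->dport < r->dpts[0] || p->dport > r->dpts[1]) return 0;
    }
    if (r->tcpsyn && !(p->proto == 6 && p->syn)) return 0;
    if (r->vianame[0] != '\0') {
        int hit = r->wildif ? strncmp(p->ifname, r->vianame, strlen(r->vianame)) == 0
                            : strcmp(p->ifname, r->vianame) == 0;
        if (!hit) return 0;
    }
    return 1;
}

/* Walk a chain from rule 1. A builtin chain ends in its policy; a user chain
   ends in V_FALLOFF so the caller continues after the rule that branched. */
enum verdict traverse(const char *name, const struct packet *p)
{
    struct chain *c = find_chain(name);
    if (c == NULL)
        return V_DENY;                              /* unknown chain: fail closed (assumption) */
    for (int i = 0; i < c->nrules; i++) {
        const struct rule *r = &c->rules[i];
        if (!match(r, p)) continue;
        if (strcmp(r->target, "ACCEPT") == 0) return V_ACCEPT;
        if (strcmp(r->target, "DENY") == 0) return V_DENY;
        if (strcmp(r->target, "REJECT") == 0) return V_REJECT;
        enum verdict v = traverse(r->target, p);    /* branch into a user-defined chain */
        if (v != V_FALLOFF) return v;
    }
    return c->builtin ? c->policy : V_FALLOFF;
}

/* Constructed ruleset: input (policy DENY) hands 10.0.0.0/8 traffic to a user
   chain "internal" that accepts SSH; anything else is accepted only if it is a
   new HTTP connection arriving on an eth* interface. */
void build_sample_ruleset(void)
{
    struct rule any = { 0, 0, 0, 0, 0, {0, 65535}, {0, 65535}, 0, "", 1, "DENY" };
    struct rule to_internal = any, http = any, ssh = any;
    to_internal.src = IP4(10, 0, 0, 0); to_internal.smsk = 0xff000000u; to_internal.target = "internal";
    http.proto = 6; http.dpts[0] = http.dpts[1] = 80; http.tcpsyn = 1;
    http.vianame = "eth"; http.wildif = 1; http.target = "ACCEPT";
    ssh.proto = 6; ssh.dpts[0] = ssh.dpts[1] = 22; ssh.target = "ACCEPT";
    memset(chains, 0, sizeof chains);
    chains[0].name = "input"; chains[0].builtin = 1; chains[0].policy = V_DENY;
    chains[0].rules[0] = to_internal; chains[0].rules[1] = http; chains[0].nrules = 2;
    chains[1].name = "internal"; chains[1].rules[0] = ssh; chains[1].nrules = 1;
    nchains = 2;
}

/* Run one constructed packet (source port fixed at 40000) through the input chain. */
enum verdict classify(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport, int syn, const char *ifname)
{
    struct packet p = { src, dst, proto, 40000, dport, syn, ifname };
    return traverse("input", &p);
}

int main(void)
{
    build_sample_ruleset();
    printf("ssh from 10.1.2.3 -> %d (0 = ACCEPT)\n", classify(IP4(10, 1, 2, 3), IP4(192, 0, 2, 1), 6, 22, 1, "eth0"));
    printf("https from 10.1.2.3 -> %d (1 = DENY)\n", classify(IP4(10, 1, 2, 3), IP4(192, 0, 2, 1), 6, 443, 1, "eth0"));
    return 0;
}
```

The second call shows the fall-off rule in action: the packet enters "internal", matches nothing there, comes back to the rule after the branch, fails the HTTP rule, and ends in the builtin chain's DENY policy.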
RETURN VALUE
On success (or a straightforward packet accept for the CHECK
options), zero is returned. On error, -1 is returned and errno is set
appropriately. See setsockopt(2) for a list of possible error values.
ENOENT indicates that given chain name doesn't exist. When the
check packet command is used, zero is returned when the packet
would be accepted without redirection or masquerading. Otherwise,
-1 is returned and errno is set to ECONNABORTED (packet would
be accepted using redirection), ECONNRESET (packet would be
accepted using masquerading), ETIMEDOUT (packet would be
denied), ECONNREFUSED (packet would be rejected), ELOOP
(packet got into a loop), ENFILE (packet fell off the end of a chain
(only occurs for user defined chains)).
FIREWALL
1. What is a firewall?
A firewall protects networked computers from intentional
hostile intrusion that could compromise confidentiality or
result in data corruption or denial of service. It may be a
hardware device or a software program running on a secure
host computer. In either case, it must have at least two
network interfaces, one for the network it is intended to
protect, and one for the network it is exposed to. A firewall
sits at the junction point or gateway between the two
networks, usually a private network and a public network
such as the Internet. The earliest firewalls were simply
routers. The term firewall comes from the fact that by
segmenting a network into different physical subnetworks,
they limited the damage that could spread from one subnet to
another, just like fire doors or firewalls.
Fwall.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/if.h>
#include <linux/ip_fw.h>

#define MAXPORT 60000
#define TOKENLEN 20
#define RULELEN 500

struct ip_fwnew fwnew;
struct ip_fwchange fwappend;
struct ip_fwdelnum fwdelnum;
struct ip_fwpolicy fwpolicy;

unsigned int lineno, src, dst, srcmsk, dstmsk, port, in_no, out_no, for_no, pos;
char token[TOKENLEN], rule[RULELEN];
struct protoent *proto;
struct servent *servent;
struct hostent *hostent;
char protoname[20];

/* Parse a decimal integer; returns 0 unless the whole string is numeric. */
int getvalue(char *str, long *val)
{
    char *endptr;

    *val = strtol(str, &endptr, 10);
    if (*endptr != '\0')
        return 0;
    return 1;
}

/* Copy the next whitespace-separated word of rule[] into token[].
   Returns 0 at the end of the line. */
int gettoken(void)
{
    int i;

    for (; rule[pos] == ' ' || rule[pos] == '\t'; pos++)
        ;
    if (rule[pos] == '\0' || rule[pos] == '\n')
        return 0;
    for (i = 0; i < TOKENLEN - 1 && rule[pos] != ' ' && rule[pos] != '\t'
                && rule[pos] != '\n' && rule[pos] != '\0'; pos++)
        token[i++] = rule[pos];
    token[i] = '\0';
    return 1;
}

/* Reset the rule being built to "match everything" defaults. */
void initialise(void)
{
    fwappend.fwc_rule.ipfw.fw_mark = 0;
    fwappend.fwc_rule.ipfw.fw_flg = IP_FW_F_WILDIF;
    fwappend.fwc_rule.ipfw.fw_invflg = 0;
    fwappend.fwc_rule.ipfw.fw_vianame[0] = '\0';
    fwappend.fwc_rule.ipfw.fw_tosand = 0xff;
    fwappend.fwc_rule.ipfw.fw_tosxor = 0;
    fwappend.fwc_rule.ipfw.fw_proto = 0;
    fwappend.fwc_rule.ipfw.fw_outputsize = 0;
    fwappend.fwc_rule.ipfw.fw_redirpt = 0;
    fwappend.fwc_rule.ipfw.fw_spts[0] = 0;
    fwappend.fwc_rule.ipfw.fw_spts[1] = 0xffff;
    fwappend.fwc_rule.ipfw.fw_dpts[0] = 0;
    fwappend.fwc_rule.ipfw.fw_dpts[1] = 0xffff;
    fwappend.fwc_rule.ipfw.fw_src.s_addr = 0;
    fwappend.fwc_rule.ipfw.fw_dst.s_addr = 0;
    fwappend.fwc_rule.ipfw.fw_smsk.s_addr = 0;
    fwappend.fwc_rule.ipfw.fw_dmsk.s_addr = 0;
    fwappend.fwc_rule.label[0] = '\0';   /* no target until -j is seen */
    protoname[0] = '\0';
}

/* Parse a port spec: a service name, a number, or a number..number range. */
int getports(__u16 ports[2])
{
    char *endptr;
    long count;

    gettoken();
    if (token[0] >= 'a' && token[0] <= 'z') {
        if (protoname[0] == '\0')
            strcpy(protoname, "tcp");
        servent = getservbyname(token, protoname);
        if (servent == NULL) {
            printf("Invalid service name %s in line %u col %u\n", token, lineno, pos);
            return 0;
        }
        ports[0] = ports[1] = ntohs(servent->s_port);
        return 1;
    }
    count = strtol(token, &endptr, 10);
    if (*endptr == '\0') {
        ports[0] = ports[1] = count;
        return 1;
    } else if (*endptr == '.' && endptr[1] == '.') {
        endptr += 2;
        ports[0] = count;
        count = strtol(endptr, &endptr, 10);
        if (*endptr != '\0') {
            printf("Invalid range at line %u col %u\n", lineno, pos);
            return 0;
        }
        ports[1] = count;
    } else {
        printf("Expected [!][port[..port]] in line %u col %u\n", lineno, pos);
        return 0;
    }
    return 1;
}

/* Parse host[/mask] into an address and a netmask, both in network order. */
int getsord(struct in_addr *sd, struct in_addr *sdmsk)
{
    char src[TOKENLEN], msk[TOKENLEN];
    long count;
    int i;
    char *endptr;

    gettoken();
    sdmsk->s_addr = 0xffffffff;
    for (i = 0; token[i] != '/' && token[i] != '\0'; i++)
        src[i] = token[i];
    src[i] = '\0';
    hostent = gethostbyname(src);
    if (hostent == NULL) {
        printf("Host %s was not found in line %u\n", src, lineno);
        return 0;
    }
    /* h_addr_list[0] points at the 4 address bytes: copy them rather than
       storing the pointer value itself */
    memcpy(sd, hostent->h_addr_list[0], sizeof(*sd));
    if (token[i] == '/') {
        i++;
        strcpy(msk, &token[i]);
        count = strtol(msk, &endptr, 10);
        if (*endptr == '\0') {
            /* prefix length: build the mask in host order and convert, so
               the result is correct on big- and little-endian hosts */
            if (count < 0 || count > 32) {
                printf("Invalid prefix length %ld in line %u\n", count, lineno);
                return 0;
            }
            sdmsk->s_addr = htonl(count == 0 ? 0 : (__u32)(0xffffffffUL << (32 - count)));
        } else {
            if (inet_aton(msk, sdmsk) == 0) {
                printf("Error in line no %u col %u invalid address mask\n", lineno, pos);
                return 0;
            }
        }
    }
    return 1;
}

/* Parse "-A chain [options]" into fwappend. Returns 1 on success. */
int appendrule(void)
{
    long val;

    gettoken();
    strncpy(fwappend.fwc_label, token, sizeof(fwappend.fwc_label) - 1);
    fwappend.fwc_label[sizeof(fwappend.fwc_label) - 1] = '\0';
    while (1) {
        if (gettoken() == 0)
            return 1;
        if (strcmp(token, "-p") == 0) {
            gettoken();
            strcpy(protoname, token);
            proto = getprotobyname(token);
            if (proto == NULL) {
                printf("Error illegal protocol name in line %u col %u\n", lineno, pos);
                return 0;
            }
            fwappend.fwc_rule.ipfw.fw_proto = proto->p_proto;
        } else if (strcmp(token, "-s") == 0 || strcmp(token, "!-s") == 0) {
            if (token[0] == '!')
                fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SRCIP;
            if (getsord(&fwappend.fwc_rule.ipfw.fw_src,
                        &fwappend.fwc_rule.ipfw.fw_smsk) == 0)
                return 0;
        } else if (strcmp(token, "-sp") == 0 || strcmp(token, "!-sp") == 0) {
            if (token[0] == '!')
                fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SRCPT;
            if (getports(fwappend.fwc_rule.ipfw.fw_spts) == 0)
                return 0;
        } else if (strcmp(token, "-d") == 0 || strcmp(token, "!-d") == 0) {
            if (token[0] == '!')
                fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_DSTIP;
            if (getsord(&fwappend.fwc_rule.ipfw.fw_dst,
                        &fwappend.fwc_rule.ipfw.fw_dmsk) == 0)
                return 0;
        } else if (strcmp(token, "-dp") == 0 || strcmp(token, "!-dp") == 0) {
            if (token[0] == '!')
                fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_DSTPT;
            if (getports(fwappend.fwc_rule.ipfw.fw_dpts) == 0)
                return 0;
        } else if (strcmp(token, "-j") == 0) {
            gettoken();
            strncpy(fwappend.fwc_rule.label, token, sizeof(fwappend.fwc_rule.label) - 1);
            fwappend.fwc_rule.label[sizeof(fwappend.fwc_rule.label) - 1] = '\0';
            if (strcmp(token, "REDIRECT") == 0) {
                /* optional local port; read into a long first, fw_redirpt is 16 bits */
                if (gettoken() && getvalue(token, &val))
                    fwappend.fwc_rule.ipfw.fw_redirpt = val;
            }
        } else if (strcmp(token, "-f") == 0) {
            fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_FRAG;
        } else if (strcmp(token, "!-f") == 0) {
            fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_FRAG;
        } else if (strcmp(token, "-y") == 0) {
            fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_TCPSYN;
        } else if (strcmp(token, "!-y") == 0) {
            fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_SYN;
        } else if (strcmp(token, "-m") == 0) {
            gettoken();
            if (getvalue(token, &val) == 0) {
                printf("Error in mark value in line %u col %u\n", lineno, pos);
                return 0;
            }
            fwappend.fwc_rule.ipfw.fw_mark = val;
            fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_MARKABS;
        } else if (strcmp(token, "-t") == 0) {
            gettoken();
            if (getvalue(token, &val) == 0) {
                printf("Error in tos_and value in line %u col %u\n", lineno, pos);
                return 0;
            }
            fwappend.fwc_rule.ipfw.fw_tosand = val;
            gettoken();
            if (getvalue(token, &val) == 0) {
                printf("Error in tos_xor value in line %u col %u\n", lineno, pos);
                return 0;
            }
            fwappend.fwc_rule.ipfw.fw_tosxor = val;
        } else if (strcmp(token, "-i") == 0 || strcmp(token, "!-i") == 0) {
            int i;

            if (token[0] == '!')
                fwappend.fwc_rule.ipfw.fw_invflg |= IP_FW_INV_VIA;
            gettoken();
            /* copy the name up to a trailing '+' (wildcard) or its end */
            for (i = 0; i < IFNAMSIZ - 1 && token[i] != '\0' && token[i] != '+'; i++)
                fwappend.fwc_rule.ipfw.fw_vianame[i] = token[i];
            fwappend.fwc_rule.ipfw.fw_vianame[i] = '\0';
            if (token[i] == '\0')
                fwappend.fwc_rule.ipfw.fw_flg &= ~IP_FW_F_WILDIF;   /* exact match only */
        } else if (strcmp(token, "-l") == 0) {
            fwappend.fwc_rule.ipfw.fw_flg |= IP_FW_F_PRN;
        } else {
            printf("Invalid option %s in line %u col %u\n", token, lineno, pos);
            return 0;
        }
    }
}

int main(int argc, char *argv[])
{
    int sockfd, i;
    FILE *fp;
    const char *fname;
    ip_chainlabel label;
    static const char *builtin[] = { "input", "output", "forward" };

    if (argc > 2) {
        printf("USAGE : fwall [configuration file]\n");
        exit(0);
    }
    fname = (argc == 2) ? argv[1] : "fw.conf";
    lineno = 0;
    in_no = 1;
    out_no = 1;
    for_no = 1;
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) {
        perror("socket");
        exit(1);
    }
    fp = fopen(fname, "r");
    if (fp == NULL) {
        printf("File %s not found\n", fname);
        exit(0);
    }
    /* Flush the three builtin chains. IP_FW_FLUSH reads a whole
       ip_chainlabel, so pass a zero-padded buffer rather than a string
       literal shorter than the 9 bytes the kernel copies. */
    for (i = 0; i < 3; i++) {
        memset(label, 0, sizeof(label));
        strcpy(label, builtin[i]);
        if (setsockopt(sockfd, IPPROTO_IP, IP_FW_FLUSH, label, sizeof(label)) < 0)
            perror("IP_FW_FLUSH");
    }
    while (fgets(rule, RULELEN, fp) != NULL) {
        lineno++;
        pos = 0;
        initialise();
        if (gettoken() == 0)
            continue;
        if (strcmp(token, "#") == 0)
            continue;
        if (strcmp(token, "-A") == 0) {
            if (appendrule() == 1) {
                /* The report's listing breaks off here. Submitting the parsed
                   rule with IP_FW_APPEND, as described under COMMANDS, is the
                   step the fwappend structure is filled in for. */
                if (setsockopt(sockfd, IPPROTO_IP, IP_FW_APPEND,
                               &fwappend, sizeof(fwappend)) < 0)
                    perror("IP_FW_APPEND");
            }
        }
    }
    fclose(fp);
    close(sockfd);
    return 0;
}
fw.conf