L30 - Stateless firewalls
TRANSCRIPT
8/10/2019 L30 - Stateless Firewalls
1/76
Stateless firewalls 3-1
Intrusion Detection and Firewall Security
Stateless firewalls
Hårek Haugerud, A. Professor & Senior [email protected]
Paal Engelstad, [email protected]
Outline
Firewall overview:
What is it and why do we need it?
Some typical firewall network topologies
Linux firewalls
Overview
iptables
Firewall design and System policy
Setting up a stateless personal firewall from scratch
A firewall filters network traffic going over a computer interface.
A network firewall filters traffic going between networks.
A personal/host/local firewall filters traffic between a host and the network.
[Figure: a host behind a personal firewall; a network firewall placed between Network A and Network B]
Firewall assumptions
All traffic between outside and inside should pass through the firewall.
  Inside and outside are usually defined by different levels of trust.
Only authorized traffic should be allowed to pass.
  Authorized traffic is defined by the local security policy.
The firewall itself should ideally be immune to penetration.
  However, any software might have bugs and vulnerabilities.
[Figure: Inside (higher level of trust) | Firewall | Outside (lower level of trust)]
Firewall as a packet filter
Inspects packets as they traverse the firewall.
Checks src-addr, dst-addr, src-port, dst-port, flags and, in a stateful firewall, which session the packet belongs to.
Performs an action (accept, drop, etc.) based on a rule defined by you (e.g. with the iptables command on a Linux system).
Accept
Drop
Filtering can be based on:
Packet header info
  source IP address
  destination IP address
  source port
  destination port
  protocol & flags
    TCP: SYN bit, ACK bit, ... etc.
    UDP
    ICMP: icmp-type field
Direction / interfaces
  Is the datagram leaving or entering the internal network?
  Decisions can be different for different interfaces.
State (for stateful firewalls)
  NEW, ESTABLISHED, RELATED, INVALID
Filter: IP and UDP header (recap)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Length             |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Payload ...
(The fields a packet filter matches on: Protocol, Source/Destination Address, Source/Destination Port.)
Filter: IP and TCP header (recap)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HLEN  |  Reserved |U|A|P|R|S|F|            Window             |
|       |           |R|C|S|S|Y|I|                               |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Options (if any)                |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Payload ...
(TCP flags: URG, ACK, PSH, RST, SYN, FIN. A TCP socket is identified by IP address + port.)
TCP/IP recap: TCP 3-way handshake (and connection close)

Client                                    Server
  Active open                             Passive open (listening)
  SYN (seq 1200)                 ------->
                                 <------- SYN (seq 4800), ACK (1201)
  ACK (4801)                     ------->
  Connection established                  Connection established
  ACK, [DATA]                    <------>
  Client close:
  FIN (seq 1300), ACK (4900)     ------->
                                 <------- ACK (1301)
                                 <------- FIN (seq 4900), ACK (1301)    Server close
  ACK (4901)                     ------->
Filter: IP and ICMP header (recap)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Type/code-specific header fields                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ICMP data (type/code-specific format and length) ...
RECAP: Some ICMP message types
Q: Which types/codes were seen in your traceroute assignment?

Type
  0      Echo reply
  1-2    Reserved
  3      Destination unreachable
  4      Source quench
  5      Redirect
  8      Echo request
  9      Router advertisement
  10     Router solicitation
  11     Time exceeded
  12     Parameter problem
  13/14  Timestamp request / reply
  ...    etc.

Codes for type 3 (Destination unreachable)
  0      Destination network unreachable
  1      Destination host unreachable
  2      Destination protocol unreachable
  3      Destination port unreachable
  4      Fragmentation required, and DF flag set
  5      Source route failed
  6      Destination network unknown
  7      Destination host unknown
  8      Source host isolated
  9      Network administratively prohibited
  10     Host administratively prohibited
  11     Network unreachable for TOS
  12     Host unreachable for TOS
  13     Communication administratively prohibited
  14     Host precedence violation
  15     Precedence cutoff in effect

Codes for type 11 (Time exceeded)
  0      TTL expired in transit
  1      Fragment reassembly time exceeded
Filtering a packet
The usual reaction to a packet is one of:
  Accept it
  Drop it (silently discard it)
  Reject it (discard and send an ICMP notification, or for TCP a reset)
  Log it
  Change header information (e.g. NAT)
Drop or reject?
  Drop gives an outsider no information (the port looks like a black hole) but makes legitimate clients wait for a timeout; reject tells the sender at once that the port is closed, which is friendlier on an internal network but confirms to a scanner that a host is there.
Why would you need a firewall?
Increased network security: first line of defense
Access control (network/transport level)
Logging
Firewall basics: What is NOT a firewall? A firewall is NOT:
The only thing needed for security
  It does not solve other aspects of information security (e.g. humans, insiders, misconfiguration).
  You still have to let traffic in and out.
Something you install and leave
  You need to manage it for the ever-changing network environment.
  You need to monitor it. Stay on guard!
100% safe
  Any software might have bugs and vulnerabilities, and so does any firewall.
Firewall/Gateway: for subnets without public services
Often combined with NAT: several hosts on the LAN can share one public IP address and a single broadband connection to the ISP.
Typical for home/small networks (i.e. no web server or SSH access from outside).
Uses a restrictive policy, e.g. no incoming connection requests at all.
[Figure: Internal private network (LAN) with a server and clients | Firewall (gateway) with NAT | External public network (Internet) with a customer and a hacker]
DMZ (De-Militarized Zone): for subnets with public services
Typical for larger organizations.
The network is split into two zones:
1. DMZ: containing servers accessible from the Internet, e.g. web servers
2. LAN: network with a more restrictive rule set, in case DMZ servers get compromised
Different levels of trust between LAN and DMZ: needs a firewall in between.
Let us look at two different models of a network with a DMZ...
DMZ: Example I
DMZ = a part of your LAN with other restrictions, e.g. allowing publicly available services (web servers, mail etc.)
[Figure: Internal private network (LAN) with a server and clients | Firewall (choke) | DMZ with web server and ftp server | Firewall (gateway) | External public network (Internet) with a customer and a hacker]
DMZ: Example II
Often combined with local firewalls on hosts within the LAN, to protect against other possibly infected hosts on the LAN.
[Figure: a single firewall with several interfaces (if1, if2) connecting the internal private network (LAN, with server and clients), the DMZ (web server, ftp server) and the external public network (Internet, with a customer and a hacker)]
Firewalls with Linux
netfilter: the actual firewall; operates in kernel space.
iptables: the configuration tool; operates in user space.
Note: iptables is only a tool for managing and setting rules. It won't work without packet filtering (netfilter) support in the kernel.
Ubuntu: iptables & netfilter are installed by default.
TinyCore: use the ab (App Browser) command to install iptables.
By default netfilter allows all traffic, so you won't notice its presence before you start using iptables to configure netfilter.
On current distributions the iptables binary is often the iptables-nft variant, which programs the kernel's nf_tables backend; the command syntax used below is the same.
iptables usage
iptables [-t table] {-A|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] {-L|-F|-Z} [chain] [options]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
First, let us consider packet filtering (firewall) usage. Then we must use the filter table, i.e. -t filter:

iptables usage for packet filtering (I)
iptables -t filter {-A|-D} chain rule-specification
iptables -t filter -I chain [rulenum] rule-specification
iptables -t filter -R chain rulenum rule-specification
iptables -t filter -D chain rulenum
iptables -t filter {-L|-F|-Z} [chain] [options]
iptables -t filter -N chain
iptables -t filter -X [chain]
iptables -t filter -P chain target
iptables -t filter -E old-chain-name new-chain-name

Or we can omit the table altogether, because filter is the default: no table specified means that filtering is implied.

iptables usage for packet filtering (II)
iptables {-A|-D} chain rule-specification
iptables -I chain [rulenum] rule-specification
iptables -R chain rulenum rule-specification
iptables -D chain rulenum
iptables {-L|-F|-Z} [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target
iptables -E old-chain-name new-chain-name
iptables is simply a Linux command
The command takes different input parameters and switches, as in the synopsis above.
The iptables command is primarily used to add/remove packet filtering rules
rule-specification = [matches...] [target]
target = -j targetname
targetname = {DROP|REJECT|ACCEPT|LOG}
Simple examples of rule-specifications:
-i eth0 -j DROP
  Drop packets arriving on the eth0 interface (-i matches the input interface)
-s 128.39.13.6 -p tcp -j ACCEPT
  Accept TCP packets with source IP address 128.39.13.6
So what is chain and what is rulenum...?
iptables commands to add/removerules into these lists (chains)
-A, --append : Append one or more rules to end of chain.
-D, --delete : Delete rule from chain.
-I, --insert : Insert rule into chain (default rulenum = 1)
-R, --replace : Replace a rule in the chain with another one.
-L, --list : List out all rules in the chain (default = all chains).
-F, --flush : Flush (delete all) rules from a chain
-Z, --zero : Zero packet and byte counter of a chain (or all chains)
Example: Append new packet filtering rules to a chain
rule-specification = [matches...] [-j {DROP|REJECT|ACCEPT|LOG}]
Simple examples:
iptables -A OUTPUT -o eth0 -j DROP
  Drop outgoing packets leaving via the eth0 interface
iptables -A INPUT -s 128.39.13.6 -p tcp -j ACCEPT
  Accept incoming TCP packets with source IP address 128.39.13.6
Rules are organized into numbered lists of rules. These lists are called chains
Rules are numbered starting at one (i.e. rulenum=1).
When appended/inserted, each rule obtains a rule number according to its order in the chain.
Rule numbers are displayed by the --list (-L) command, for example:
iptables -L -v --line-numbers
Default chains for packet filtering: INPUT, OUTPUT, FORWARD
Built-in chains (= non-user-defined chains):
INPUT chain: these rules apply to all packets destined to the firewall host itself
OUTPUT chain: applies to all packets originating from the firewall host
FORWARD chain: applies to all packets passing through the firewall-router (next week)
+ user-defined chains with user-defined names
More on rule-specification (matches)
[!] -p, --protocol protocol
  The protocol of the packet, e.g. tcp, udp, udplite, icmp, esp, ah, sctp, or a numeric value; see /etc/protocols.
  (The "!" inverts the test, e.g.: iptables -A INPUT ! -p tcp -j DROP)
[!] -s, --source, --src address[/mask]
  Address is typically a network IP address (with /mask) or a plain IP address.
[!] -d, --destination, --dst address[/mask]
  Same syntax as for the -s (source) flag.
[!] --sport port[:port]
  Match on source port (or port range).
[!] --dport port[:port]
  Match on destination port (or port range).
  --sport and --dport are provided by the protocol match extensions (tcp, udp, ...), so they need a -p tcp or -p udp (etc.) in the same rule.
[!] -i, --in-interface name
  name = eth0, eth1, lo etc. (only valid in the INPUT and FORWARD chains)
[!] -o, --out-interface name
  name = eth0, eth1, lo etc. (only valid in the OUTPUT and FORWARD chains)
-m, --match match
  Use an extension module to test for a specific property.
Examples: Manipulating rules in chains
iptables -F            flush (delete) all rules in all chains of the filter table (INPUT, OUTPUT, FORWARD)
iptables -F OUTPUT     flush (delete) all rules in the OUTPUT chain
iptables -D INPUT 3    delete rule number 3 in the INPUT chain
iptables -L FORWARD    list all rules in the FORWARD chain
iptables -L            list all rules in all chains
Manipulating the chains
-N, --new-chain : Create a new user-defined chain by the given name.
-X, --delete-chain : Delete a user-defined chain (must be empty, i.e. rules flushed). Default = all user-defined chains.
-P, --policy : Set the policy for a built-in chain. (No policy can be set for user-defined chains.)
-E, --rename-chain : Rename a user-defined chain.
Example: Setting the policy
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
OR:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
The policy specifies what will happen (e.g. DROP or ACCEPT) to a packet that does not match any rule in a built-in chain. In iptables -P chain target, the target part refers to e.g. DROP or ACCEPT.
Caveat: a DROP policy takes effect immediately. If you set it on INPUT or OUTPUT over an ssh session before the rules that accept your own ssh traffic are in place, you lock yourself out; do this from the console, or run the whole rule set as one script.
More about targets later.
Personal firewall (one interface)
[Figure: applications (e.g. Apache, ssh, ...) on top of the OS kernel (TCP/IP stack); the netfilter filter chains INPUT and OUTPUT sit between the stack and the NIC (eth0); a packet that matches a drop rule is discarded]
All outgoing packets are filtered by the rules in the OUTPUT chain.
All incoming packets are filtered by the rules in the INPUT chain.
Troubleshooting using tcpdump
[Figure: the same host, with tcpdump attached at the NIC (eth0), outside the filter chains]
tcpdump captures outgoing packets just before they go to the NIC (i.e. after filtering etc.).
tcpdump captures incoming packets just after they come from the NIC (i.e. before filtering etc.).
So an incoming packet that tcpdump shows but the application never receives was dropped by the INPUT chain, and an outgoing packet that never shows up in tcpdump was dropped by the OUTPUT chain.
Personal firewall w/ loopback interface
[Figure: as above, drawn with the loopback interface (lo) beside eth0; local processes talk to each other through lo, and that traffic also passes the OUTPUT and INPUT chains]
Drawing it a little more conveniently. (Of course, lo is not a part of netfilter.)
Example: Accepting loopback traffic
[Figure: applications (e.g. Apache, ssh, ...) on the Linux firewall host communicating over lo, beside eth0]
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Network firewall (router): left to right
[Figure: a router with two interfaces, eth0 and eth1, the loopback (lo), the routing decision and the three filter chains INPUT, OUTPUT and FORWARD; local processes (applications, e.g. Apache, ssh, ...) sit above the OS kernel (TCP/IP stack)]
All packets passing through are filtered by the rules in the FORWARD chain.
Routing decision:
  dest. IP = local_IP  -> send to INPUT
  dest. IP != local_IP -> send to FORWARD
Network firewall (router): both ways
[Figure: as above; packets arriving on either interface go through the routing decision and then through INPUT (for the host itself) or FORWARD (towards the other interface); packets generated by local processes go through OUTPUT]
iptables is used to configure netfilter
[Figure: the same router; the iptables command (user space) configures the filter chains INPUT, OUTPUT and FORWARD in netfilter (kernel space)]
Firewall design
A word of caution / disclaimer: there are almost as many opinions about network administration as there are network administrators. Things are done differently almost everywhere.
Often decisions regarding infrastructure and equipment are already taken. Then you have to customize and make the best out of what you've got.
The following section is an approach to gain insight into the traffic flow of a network. It is not meant as an exhaustive treatment of the topic.
We will concentrate on traffic shaping and filtering, since that is central in this course. Other courses cover this topic from their point of view.
System policy
Constitutes a detailed plan.
A clear policy avoids misunderstandings when several people work on the firewall / network, and helps others that need to understand it.
Defining the system policy:
  Define hosts, servers and services
  Define privileges
  Translate services into port numbers
  Drawing cases
  Setting up firewalls
  Install and configure surveillance tools
  Test, test, test
  Re-evaluate earlier decisions
Defining hosts, servers and services (example)
Hosts and servers
  Class "Internet"     = all non-local machines
  Class "Webserver"    = our local webserver (192.168.1.2)
  Class "Workstations" = workstations (192.168.1.16/29)
  Class "Nameserver"   = our local nameserver (192.168.1.3)
  Class "Mailserver"   = our local mailserver (192.168.1.4)
Services
  Class "WWW"  = http, https
  Class "DNS"  = dns
  Class "SSH"  = ssh
  Class "MAIL" = pop3, smtp
Defining privileges
Not all machines on your network are entitled to use all services offered in your network. Perhaps the web server is the only one with access to the database, or mail can only be sent from the workstations.
These privileges can be displayed in a table. In the following example we use the term "Internet" for all machines except the ones on our network. Granting WWW to the Internet does not include WWW to local machines. It can be useful to define such classes for simplicity.
Translate services into port numbers
For every service to allow (SSH, WWW, FTP ...) identify ports and protocol, in order to define your ruleset.
iptables does not know anything about web surfing, but it can identify TCP packets heading for port 80.
Some services are a bit tricky, e.g.:
  FTP works with several ports (a control connection on port 21 plus separate data connections).
  Non-standard applications (gaming, chat) that use undocumented ports: network analysis is needed to figure it out.
You should finally have a list of ports which should be open on every host. This will make it easier for you when you construct the actual rule set.
Drawing cases
The table with the privileges did not take into account the route those connections actually take through your network. Which route they take outside your domain is not in your hands.
For monitoring later on, it can be useful to draw some cases which display actual traffic. These cases do not have to follow a special standard. The aim is to draw something that shows you what to expect where. It also shows which firewall is responsible for what.
Drawing cases (example)
[Figure only; not reproduced in the transcript]
Setting up the firewall
The next task is to actually configure the firewalls. If you are already familiar with the filtering technology you wish to use and have done solid groundwork in the previous steps, this should be straightforward.
Setting up a stateless personal firewall from scratch
Assumptions/prerequisites:
  A Linux system with one network interface.
  The running kernel has netfilter support.
See how the rules change as you add new ones. It is very useful to learn some tricks early on. This line shows a nice way to watch your current rules and which way the packets go:
watch -n 2 iptables -L -v -n --line-numbers
watch -n 2: re-run the command every 2 seconds
iptables -L: -v = verbose (shows packet and byte counters and interfaces), -n = numeric IP addresses/ports (no DNS lookups)
This command monitors the rules and additionally shows which packets go where in the different chains.
Write all iptables commands to a script, then run the script.
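To turn the counters that the watch command shows into a quick check of the rule set, the following added example (it is not part of the lecture) parses the listing format of iptables -L -v -n --line-numbers and reports which rules have been hit, which have never matched, and how many packets fell through to each chain policy. The listing embedded as SAMPLE_LISTING is constructed to resemble a host running the ssh and DNS rules from this lecture; the addresses in it (192.168.10.10, 192.168.10.1) are assumptions.

```shell
#!/bin/sh
# Read the counters of `iptables -L -v -n --line-numbers` to see which rules are hit.
# Added example, not from the lecture. SAMPLE_LISTING is constructed in the format
# iptables prints; on a live host pass the real output instead (see the note below).
set -eu

SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        7   420 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.10.10        tcp spts:1024:65535 dpt:22
3        0     0 ACCEPT     udp  --  eth0   *       192.168.10.1         0.0.0.0/0            udp spt:53 dpts:1024:65535

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 3 packets, 180 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  3200 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2        6   900 ACCEPT     tcp  --  *      eth0    192.168.10.10        0.0.0.0/0            tcp spt:22 dpts:1024:65535
3        0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            192.168.10.1         udp spts:1024:65535 dpt:53'

# Rules whose packet counter is non-zero, as "CHAIN RULENUM TARGET PKTS".
# A "Chain X" header line sets the current chain; rule lines start with a number.
hit_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /                      { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $2 + 0 > 0  { print chain, $1, $4, $2 }'
}

# Rules that have never matched, as "CHAIN RULENUM TARGET": the candidates for a
# typo, a wrong port, or a rule shadowed by an earlier one in the same chain.
idle_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /                      { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $2 + 0 == 0 { print chain, $1, $4 }'
}

# Packets that matched no rule and fell through to the policy, as "CHAIN PKTS".
policy_drops() {
    printf '%s\n' "$1" | awk '/^Chain / { print $2, $5 }'
}

# Number of lines on stdin (portable replacement for `wc -l`, which pads on some systems).
count_lines() { awk 'END { print NR }'; }

# Stand-alone run: summarise the constructed listing.
echo "hit rules:";    hit_rules "$SAMPLE_LISTING"
echo "idle rules:";   idle_rules "$SAMPLE_LISTING"
echo "policy drops:"; policy_drops "$SAMPLE_LISTING"
```

On a live host, as root, feed the real listing in the same way, e.g. idle_rules "$(iptables -L -v -n --line-numbers)". In the constructed sample the two DNS rules have never matched while INPUT's policy has already dropped 12 packets, which is exactly the pattern you see when the resolver address or port in a stateless reply rule is wrong.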
Steps for stateless firewall setup
Steps (simplified) in your script:
  Define symbolic constants
  Flush any pre-existing rules
  Allow loopback traffic
  Set policy on chains: DROP
  Allow in and out rules for selected services: DNS, Mail (SMTP, IMAP), WWW (http), SSH etc.
Define symbolic constants
Example: the IP address of the network interface is stored in the variable $MY_IP:
MY_IP=192.168.10.10
Flush any pre-existing rules
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
If there are any user-defined chains as well, they should be removed too. --delete-chain (-X) without a chain name deletes every user-defined chain in the table; a chain must be empty first, which the flush above ensures.
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
Allow loopback traffic
The loopback device must not be filtered, since it is for private use, and some software systems depend on it for their functioning.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allowing in/out rules for selected services
Examples:
Allowing ssh in
iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
If you want to allow ssh in, you also need to allow the reply packets out.
Allowing DNS out
iptables -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 --dport 1024:65535 -j ACCEPT
For DNS, we have specified the interface explicitly. This is useful when there is more than one interface.
Caveat: a stateless firewall cannot tell a reply from a fresh packet. The INPUT rule above accepts any UDP packet sent from source port 53 to any unprivileged port, whoever sends it, and the ssh OUTPUT rule lets anything on the host talk out from source port 22. Restricting such rules to the addresses you expect (-s/-d), and adding ! --syn on the TCP reply direction so that only non-SYN packets (i.e. not new connection attempts) pass, narrows this; a stateful firewall (ESTABLISHED/RELATED) closes it.
Filtering malformed packets
Until now we have focused on the rules regarding correct packets. But attacks and scans often rely on malformed packets.
A firewall script usually has a set of rules at the beginning to take care of everything that is not according to protocol, e.g. packets arriving from the network with your own or a private source address, and TCP packets with illegal flag combinations (such as SYN and FIN together, or no flags at all).
An extensive list can be found in Ziegler: Linux Firewalls.
Summary: stateless firewall setup
Steps (simplified) in your script:
  Define symbolic constants
  Flush any pre-existing rules
  Accept loopback traffic
  Set policy on chains: DROP
  Drop malformed packets (bad addresses, common unprivileged ports, bad flags ...)
  Accept in and out traffic for selected services: DNS, Mail (smtp, imap), WWW (http), SSH, etc.
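The steps above as one complete script, added here as an example (it is not the lecture's own script). It assumes a single interface eth0 with the address 192.168.10.10 from the symbolic-constants slide and a resolver at 192.168.10.1; these, and the service set (ssh in, DNS and http out), are assumptions to adjust. Run without arguments it only prints the rules, so the order can be reviewed before applying it with --apply as root.

```shell
#!/bin/sh
# Stateless personal firewall for a single-interface Linux host, following the
# steps of the summary above. Added example, not the lecture's script.
# Interface, addresses and the resolver are assumptions: adjust before use.
set -eu

IFACE="${IFACE:-eth0}"                     # the one network interface (assumption)
MY_IP="${MY_IP:-192.168.10.10}"            # its address, as on the symbolic-constants slide
NAMESERVER="${NAMESERVER:-192.168.10.1}"   # the resolver we are allowed to query (assumption)
UNPRIV="1024:65535"                        # unprivileged client port range
IPT="${IPT:-iptables}"                     # set IPT="echo iptables" for a dry run

# Print the rule set, one iptables argument list per line, in the order it is applied.
firewall_rules() {
    # 1. Flush pre-existing rules and delete user-defined chains in every table.
    for t in filter nat mangle; do
        printf '%s\n' "-t $t -F" "-t $t -X"
    done
    # 2. Never filter loopback.
    printf '%s\n' "-A INPUT -i lo -j ACCEPT" "-A OUTPUT -o lo -j ACCEPT"
    # 3. Default policy DROP. A one-interface host forwards nothing at all.
    printf '%s\n' "-P INPUT DROP" "-P OUTPUT DROP" "-P FORWARD DROP"
    # 4. Malformed/spoofed packets: our own address can never arrive from the wire,
    #    and SYN+FIN together or no flags at all are scan probes, not real TCP.
    printf '%s\n' "-A INPUT -i $IFACE -s $MY_IP -j DROP"
    printf '%s\n' "-A INPUT -i $IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    printf '%s\n' "-A INPUT -i $IFACE -p tcp --tcp-flags ALL NONE -j DROP"
    # 5. Services. Stateless, so each direction needs its own rule. The reply
    #    direction is limited to non-SYN packets (! --syn) so that the rule cannot
    #    be used to open a new connection from a well-known source port.
    # ssh in
    printf '%s\n' "-A INPUT -i $IFACE -p tcp -d $MY_IP --sport $UNPRIV --dport 22 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $IFACE -p tcp -s $MY_IP --sport 22 --dport $UNPRIV ! --syn -j ACCEPT"
    # DNS out, only to our resolver, and only its replies back in
    printf '%s\n' "-A OUTPUT -o $IFACE -p udp -s $MY_IP -d $NAMESERVER --sport $UNPRIV --dport 53 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $IFACE -p udp -s $NAMESERVER -d $MY_IP --sport 53 --dport $UNPRIV -j ACCEPT"
    # http out (web client)
    printf '%s\n' "-A OUTPUT -o $IFACE -p tcp -s $MY_IP --sport $UNPRIV --dport 80 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $IFACE -p tcp -d $MY_IP --sport 80 --dport $UNPRIV ! --syn -j ACCEPT"
    # 6. Log (rate-limited) what is about to fall through to the DROP policy.
    printf '%s\n' "-A INPUT -m limit --limit 5/minute -j LOG --log-prefix FW-IN-DROP:"
    printf '%s\n' "-A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix FW-OUT-DROP:"
}

# 1-based position of the first rule containing the given text (for ordering checks).
rule_index() {
    firewall_rules | grep -n -F -- "$1" | head -n 1 | cut -d : -f 1
}

# Apply the rule set with $IPT (needs root unless IPT is an echo).
apply_rules() {
    firewall_rules | while IFS= read -r args; do
        # word splitting of $args is intended: each line is one argument list
        $IPT $args
    done
}

case "${1:-}" in
    --apply) apply_rules ;;     # sudo sh firewall.sh --apply
    *)       firewall_rules ;;  # default: only print the rules (dry run)
esac
```

Because the policies are set after the loopback rules but before the service rules, there is a short window during which a remote ssh session's packets are dropped; that is harmless when the whole script runs in one go, and is the reason to apply it as a script rather than typing the lines one by one over ssh. After applying, the counters from the watch command show whether the expected rules, rather than the LOG rules and the policy, are the ones being hit.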