Transcript ipchains

Linux Firewall
For the Office and Home
Nov 17, 2001
Matthew Tam, CISSP
Today’s Agenda
• Introduction
• TCP/IP Recap
• Firewall Basics
• ipchains, iptables (Netfilter)
• Implementation for home use
• Implementation for business use
• Firewall Management
• Demo
Introduction
• Why need a firewall?
– Increased network security
– Access Control (Network/Transport Level)
– Logging
• Why Linux?
– It’s FREE
– Not difficult to use!?
– Low hardware cost
– Flexible
– Lots of features compared with commercial counterparts
– Lots of Support!?
– Always evolving and improving (thanks to the open source community)
TCP/IP Recap:
General Info
• Essentials for configuring a firewall
• A suite of network protocols that
runs on the internet
• Layered Concept
• Lower layers provide means of
communications for upper layers
• Key Terms
– TCP, UDP, IP, ICMP
TCP/IP Recap:
Layered Concept
[Diagram: protocol stack. Applications sit on top of TCP, UDP and ICMP, which sit on top of IP, which sits on top of the device driver.]
• Application: http, ftp, dns, telnet, netbios
• Ports: src, dst
• Device Driver: eth0, eth1
TCP/IP Recap:
Layered Communication
[Diagram: Client and Server each run the same stack (Application, TCP/UDP, IP, Device Driver); each layer on the client communicates with the matching layer on the server.]
TCP/IP Recap:
Layered Concept
[Diagram: example stack with concrete values]
• http: TCP port 80
• ftp: TCP ports 20, 21
• netbios-ns: UDP port 137
• dns: UDP port 53
• IP: 192.168.0.166, 202.252.123.1
• Device Driver: eth0, eth1
TCP/IP Recap:
TCP 3-way Handshake
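[Diagram: packet exchange between Client and Server]
• Client -> Server: SYN (1000) (client: active open)
• Server -> Client: SYN (2000), ACK (1001) (server: passive open)
• Client -> Server: ACK (2001)
• ACK, [DATA] (connection established on both sides)
• Client -> Server: ACK (2300), FIN (1500)
• Server -> Client: ACK (1501)
• Server -> Client: ACK (1501), FIN (2400) (client close)
• Client -> Server: ACK (2401) (server close)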
TCP/IP Recap:
TCP, UDP, IP, ICMP
• TCP
– Stateful communication (Session, Reliable)
• UDP
– Stateless communication (no session, Less
reliable, fast)
• IP
– Addressing, routing (best effort)
• ICMP
– Diagnostic (dangerous?)
Firewall Basics:
What is a Firewall?
In simple terms, a firewall is:
– A device filtering network traffic between 2 (or more) networks
[Diagram: Network A, Firewall, Network B]
Firewall Basics:
What is NOT a Firewall?
A firewall is NOT:
– The only thing for security
• Does not solve other aspects of infosec (e.g. human, insiders, mis-configuration)
• You still have to let traffic in and out
– “install and leave it”
• Need to manage it for the ever-changing network environment
• Need to monitor it
– 100% safe
• Any software has bugs and vulnerabilities, and so does any firewall
Firewall Basics:
Different Types of Firewalls
A firewall can be in the form of:
– Packet-Filtering Gateway (Today’s
focus)
– Application Gateway (http proxy,
socks server)
Firewall Basics:
How does it work?
• Packet filter
• Inspects packets as they traverse the firewall
• Checks src-addr, dst-addr, src-ports, dst-ports, flags, session #
• Performs an action (accept, drop) based on a rule (defined by you)
[Diagram: packets entering the filter are either accepted or dropped]
ipchains: What is it?
• A loadable kernel module that performs packet filtering
• Comes with most Linux distributions
• Concept of chain:
– Input, output, and forward
• Command or Script (up to you)
• No built-in port forwarding
• For port forwarding, use "ipmasqadm portfw"
iptables (a.k.a. Netfilter):
What is it?
• Also a loadable kernel module
• Since kernel 2.4.x
• Comes with recent distributions
• Everything in ipchains plus:
– Stateful inspection
– Port forward (for servers behind firewall)
– More customized logging
– Improved matching (rate, string matching)
• More features = more difficult to use
ipchains or iptables:
Before we begin
• Make sure the Linux O/S is hardened (not covered here)
• Apply the latest patches from the distribution you selected
• Use the most recent version of ipchains or iptables
ipchains: Basic Usage I
Command Syntax:
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j [action] [-l]
Useful Options:
• ! means "NOT"
• -l means "log to syslog"
• -y means "SYN set & ACK clear -> connection initiation"
• ! -y means "ACK set -> response to initiation, established connection"
ipchains: The basic concept
• Control the input, output, and forward behavior of the interfaces
[Diagram: eth0 and eth1 each have an input and an output chain; the forward chain sits between the two interfaces.]
ipchains: Using Script
• Put the script in /etc/rc.d/rc.firewall (written just as you would type it on the command line)
• In some distributions, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line)
• Runs when the firewall boots
• Good practices:
– Only enable IP forwarding inside the script and after all the rules are defined (i.e. at the very end)
– Run the script before the interfaces go up
– Make sure the script is owned by root and has mode 700
ipchains Tips:
Writing Script
• Use DENY as the default policy of each chain ("-P")
– ipchains -P forward DENY
– ipchains -P input DENY
– ipchains -P output DENY
• Remember to allow localhost traffic
• Use variables to assist you:
– LOCALNET_1="10.0.0.0/24"
– LOCAL_INTERFACE_1="eth1"
– ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
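An added example (not from the original slides): a POSIX shell lint that checks a firewall script for the practices listed on the two script slides above: DENY policies on all three chains, a loopback rule, ip_forward enabled only after the last rule, and mode 700 with root ownership. The function name audit_rc_firewall and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a firewall script against the good practices above.
# Prints one finding per line; prints nothing when every check passes.
audit_rc_firewall() {
    f=$1
    # Default policy must be DENY on all three built-in chains.
    for chain in input output forward; do
        grep -Eq "^[[:space:]]*ipchains[[:space:]]+-P[[:space:]]+$chain[[:space:]]+DENY" "$f" ||
            echo "policy: no 'ipchains -P $chain DENY'"
    done
    # Loopback traffic must be allowed explicitly.
    grep -Eq '^[[:space:]]*ipchains.*-i[[:space:]]+(\$LOOPBACK_INTERFACE|lo)([[:space:]]|$)' "$f" ||
        echo "loopback: no rule for the loopback interface"
    # ip_forward may be switched on only after the last ipchains command.
    last=$(grep -n '^[[:space:]]*ipchains' "$f" | tail -n 1 | cut -d: -f1)
    fwd=$(grep -n '^[[:space:]]*echo.*1.*>.*ip_forward' "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$fwd" ] && [ -n "$last" ] && [ "$fwd" -lt "$last" ]; then
        echo "forwarding: enabled on line $fwd, before the last rule on line $last"
    fi
    # The script must be mode 700 and owned by root.
    meta=$(ls -ld "$f")
    [ "$(echo "$meta" | cut -c1-10)" = "-rwx------" ] || echo "mode: not 700"
    [ "$(echo "$meta" | awk '{print $3}')" = "root" ] || echo "owner: not root"
    return 0
}

# Constructed sample: forwarding is enabled too early, the output chain has
# no DENY policy, and loopback is never allowed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P forward DENY
ipchains -P input DENY
ipchains -A input -i eth1 -j ACCEPT
EOF
audit_rc_firewall "$sample"
rm -f "$sample"
```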
ipchains Tips:
REJECT vs. DENY
• Two choices when blocking a packet: "REJECT" or "DENY"
• If "REJECT", an "ICMP port unreachable" is sent back to the src-addr
• If "DENY", the packet is just dropped
Implementation Tips:
• Use common Linux distributions
– PC with >1 NIC, hard disk for the O/S
– Install and harden O/S
– Load module (usually already loaded for default installation)
– Run script
• Some unique Linux distributions
– PC without hard disk (use RAM as disk)
– Floppyfw, LEAF
– Trinux (hardened)
– Store your script on floppy or CD-ROM
Implementation for Home:
Typical Setup
[Diagram: 1 or more PCs, Firewall, Cable/ADSL/Dial-up Modem, Internet]
Aim:
• Masquerade all outgoing traffic
• Allow all outgoing traffic
• Filter incoming traffic
Home use: firewall-config
• Use GUI to help you
• Based on ipchains
• Most distributions
Home use: firestarter
• Use GUI to help you
• RPM package available
• Based on iptables
Home use: firestarter
• Wizard
Home Use:
Cable vs. ADSL modem
Cable Connection:
• Uses standard DHCP for the external interface
• Straightforward
• Set up LAN interfaces using "linuxconf" or "/etc/sysconfig/network-scripts/ifcfg-eth0"
• "pump" or "dhcpcd"
• "pump" has to be fixed by "initscripts-6.22-1" or the IP address will disappear after the DHCP lease period
• Choose "pump" or "dhcpcd" in the script "/etc/sysconfig/network-scripts/ifup"
Home Use:
Cable vs. ADSL modem
ADSL Connection:
• NOT standard DHCP for the external interface
• Usually PPP over Ethernet (PPPoE)
• Use package rp-pppoe to assist you
• http://www.roaringpenguin.com/pppoe/
• Most ADSL connections require a user account
• Configure the account in "/etc/ppp/pppoe.conf"
• When filtering, refer to "ppp0" rather than "eth0"
• Step-by-step guide for rp-pppoe at
• http://www.roaringpenguin.com/pppoe/how-to-connect.txt
Home Use:
Step-by-Step Setup - Step 1
• Lay down some essential variables
• Internet connected interface:
If Cable: EXTERNAL_INTERFACE="eth0"
If ADSL: EXTERNAL_INTERFACE="ppp0"
• Loopback interface:
LOOPBACK_INTERFACE="lo"
• Internal interface:
LOCAL_INTERFACE_1="eth1"
• Local Network Address:
LOCALNET_1="10.0.0.0/24"
Home Use:
Step-by-Step Setup - Step 2
• Flush any chain that is running:
ipchains -F
• Apply the Default Filter:
ipchains -P forward DENY
ipchains -P input DENY
• Masquerade all outgoing traffic:
ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
• Allow all traffic for internal and loopback interface:
ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Home Use:
Step-by-Step Setup - Step 3
• Filter incoming traffic towards external interface
• Done by the default chain "ipchains -P input DENY"
• But that will disallow all input
• Need to allow TCP high port traffic that is NOT "connection initiation" (SYN bit not set!)
• ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT
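What is "! -y"???
[Diagram: the TCP exchange with "Anyone" as the initiator and "Your firewall" as the receiver]
• Anyone -> Your firewall: SYN (1000) (active open)
• Your firewall -> Anyone: SYN (2000), ACK (1001)
• Anyone -> Your firewall: ACK (2001)
• ACK, [DATA] (connection established on both sides)
• ACK (2300), FIN (1500)
• ACK (1501)
• ACK (1501), FIN (2400) (client close)
• ACK (2401) (server close)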
Home Use:
Step-by-Step Setup - Step 4
• Some ports that you have to open
• DNS Replies
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT
• FTP data
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT
• ICMP Replies
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT
Home Use:
Step-by-Step Setup - Final Step
• Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
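An added example, not part of the original slides: a POSIX shell model of the TCP and UDP input rules from Steps 3 and 4, applied in order with the DENY policy as the fallback, run over constructed packets. The function names and sample packets are assumptions made for illustration; the ICMP rules are left out.

```shell
#!/bin/sh
# Added example: model of the home-use input rules on the external interface
# (Steps 3 and 4). The first matching rule wins; otherwise the policy applies.

# is_syn FLAGS: true for what -y matches (SYN set, ACK and FIN clear).
is_syn() {
    case ",$1," in *,ACK,*|*,FIN,*) return 1 ;; esac
    case ",$1," in *,SYN,*) return 0 ;; esac
    return 1
}

# external_input_verdict PROTO FLAGS SPORT DPORT -> prints ACCEPT or DENY
external_input_verdict() {
    proto=$1 flags=$2 sport=$3 dport=$4
    if [ "$proto" = tcp ] && ! is_syn "$flags"; then
        # -p tcp ! -y --destination-port 1024:65535
        if [ "$dport" -ge 1024 ] && [ "$dport" -le 65535 ]; then echo ACCEPT; return; fi
        # -p tcp ! -y --source-port 53
        if [ "$sport" -eq 53 ]; then echo ACCEPT; return; fi
    fi
    # -p udp --source-port 53
    if [ "$proto" = udp ] && [ "$sport" -eq 53 ]; then echo ACCEPT; return; fi
    # -p tcp --destination-port 20 (no -y test, so SYN packets match too)
    if [ "$proto" = tcp ] && [ "$dport" -eq 20 ]; then echo ACCEPT; return; fi
    echo DENY   # ipchains -P input DENY
}

# Constructed packets: label proto flags sport dport
while read -r label proto flags sport dport; do
    printf '%-20s %s\n' "$label" \
        "$(external_input_verdict "$proto" "$flags" "$sport" "$dport")"
done <<'EOF'
reply-to-our-syn    tcp SYN,ACK 80    32768
inbound-connect     tcp SYN     40000 8080
established-data    tcp ACK     80    32768
dns-udp-reply       udp -       53    1030
unsolicited-udp     udp -       4000  1030
ack-without-session tcp ACK     4000  6000
EOF
```

The last sample line is accepted because "! -y" tests flags only and keeps no record of connections, which is the gap that the stateful inspection listed for iptables addresses.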
Office Use
• Don’t rely on GUI
• GUI may not be flexible enough for you
• Commands give you more control
• Learn it (you or your net admin staff)
• Put together a firewall script
Implementation for Office:
Typical Setup 1
[Diagram: Internal LAN, DMZ (servers), Firewall, router, Internet]
Aim:
• Masquerade all outgoing traffic
• Filter both incoming and outgoing traffic
• Port forward incoming traffic for your servers
Implementation for Office:
Typical Setup 2
[Diagram: Internal LAN 1, Firewall, Internal LAN 2]
Aim:
• Filter traffic between two networks
Office Use:
Step-by-Step Setup - Step 1
• Lay down some essential variables
• Internet connected interface:
EXTERNAL_INTERFACE="eth0"
• Loopback interface:
LOOPBACK_INTERFACE="lo"
• Internal interface:
LOCAL_INTERFACE_1="eth1"
LOCAL_INTERFACE_2="eth2"
• Network Addresses and servers:
LOCALNET_1="10.0.0.0/24"
MAIL_SERVER="a.a.a.a"
WEB_SERVER="b.b.b.b"
Office Use:
Step-by-Step Setup - Step 2
• Flush any chain that is running:
ipchains -F
• Apply the Default Filter:
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY
• Masquerade all outgoing traffic:
ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
• Allow all traffic for loopback interface:
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Office Use:
Step-by-Step Setup - Step 3
• Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE based on EACH service you allow:
• Example http and dns service:
# http: requests carry destination port 80, replies carry source port 80
ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
# dns: same pattern, queries to destination port 53, replies from source port 53
ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -p udp --source-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -p udp --source-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
Office Use:
Step-by-Step Setup - Step 4
• Port forwarding to your servers
• Need "ipmasqadm"
• Example, web server:
ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80
# requests: in on the external interface, out towards the web server (destination port 80)
ipchains -A input -s $ANYWHERE -d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -p tcp --destination-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
# replies: in from the web server, out on the external interface (source port 80)
ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
Office Use:
Step-by-Step Setup - Final Step
• Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
Troubleshooting Tips
• Don’t panic when it doesn’t work
• Use "-l" (logging) to help you
• Logs are written to syslog
• Location:
– /var/log/messages
• Use this command to view traffic as it passes:
– # tail -f /var/log/messages
• Can also use tcpdump or snoop to help you
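An added example, not from the original slides: a POSIX shell and awk summary of blocked packets in a syslog file, for rules that were created with "-l". It assumes the kernel log layout documented in the ipchains HOWTO ("Packet log: chain action interface PROTO=n src:port dst:port ..."); the function name summarize_blocked and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarize blocked packets from ipchains "-l" log lines.
# Prints "count chain iface proto=N dport=P", most frequent first.
summarize_blocked() {
    awk '
    /Packet log: / {
        sub(/^.*Packet log: /, "")   # keep only the ipchains part of the line
        # Fields now: chain action iface PROTO=n src:port dst:port ...
        if ($2 != "DENY" && $2 != "REJECT") next
        n = split($6, dst, ":")
        key = $1 " " $3 " proto=" substr($4, 7) " dport=" (n > 1 ? dst[2] : "-")
        count[key]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# Constructed syslog lines (documentation addresses, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Nov 17 10:02:11 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4021 198.51.100.2:23 L=60 S=0x00 I=4021 F=0x4000 T=52
Nov 17 10:02:14 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4022 198.51.100.2:23 L=60 S=0x00 I=4022 F=0x4000 T=52
Nov 17 10:03:40 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1040 198.51.100.2:111 L=84 S=0x00 I=911 F=0x0000 T=49
Nov 17 10:04:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.53:53 198.51.100.2:1030 L=120 S=0x00 I=77 F=0x0000 T=60
Nov 17 10:04:05 fw sshd[411]: unrelated syslog line
EOF
summarize_blocked "$log"
rm -f "$log"
```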
Firewall Management:
Building Rules
• gfcc
• For ipchains
• Provides good rules management
Firewall Management:
View Current MASQ sessions
• gfcc
• View current masquerading sessions
Firewall Management:
Build your rules online!
http://www.linux-firewall-tools.com/linux/firewall/index.html
Firewall Management:
Viewing Logs
• Firestarter
• Real-time “hitlist” showing the
blocked traffic
Firewall Management:
Log Analyzer
• fwlogwatch
• http://cert.uni-stuttgart.de/projects/fwlogwatch/
• Generates HTML reports
• Real-time reporting
• Some customization work
Firewall Management:
What’s missing?
• Enterprise level – multiple firewalls
• Rules building, use:
– Scp (secure copy)
– X-window (need proper access control)
• Log management, use:
– Various syslog tools
Good References: Books
• TCP/IP Illustrated (All time classic)
– By W. Richard Stevens
• Firewall and Internet Security (All time
classic)
– By William R. Cheswick, Steven M. Bellovin
• Linux Firewall
– By Robert L. Ziegler
Good References: Sites
• SANS: Choosing a firewall
– http://www.sans.org/infosecFAQ/firewall/best.htm
• Robert L. Ziegler Site:
– http://www.linux-firewall-tools.com/linux/firewall/index.html
• ipchains HOW-TO:
– http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
• Netfilter project and iptables HOW-TO:
– http://netfilter.samba.org/
– http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
• Robert Graham, analyzing firewall logs:
– http://www.robertgraham.com/pubs/firewall-seen.html
END of
Linux Firewall
For the Office and Home
Thank You!