week13-FIREWALL IPTABLES


Firewall & IP Tables

32-4 FIREWALLS

All the previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system, we need firewalls. A firewall is a device installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Topics discussed in this section:

Packet-Filter Firewall
Proxy Firewall
What Is a Firewall?

a choke point of control and monitoring
interconnects networks with differing levels of trust
imposes restrictions on network services: only authorized traffic is allowed
audits and controls access
can raise alarms on abnormal behaviour
must itself be immune to penetration, because every packet passes through it
provides perimeter defence
What a Firewall Cannot Do

cannot protect against attacks that bypass it
e.g. sneaker net, modems, trusted organisations, and trusted or encrypted services it cannot inspect (e.g. SSL/SSH)
cannot protect against internal threats
e.g. a disgruntled employee
cannot protect against the transfer of every virus-infected program or file
because of the huge range of operating systems and file types
Figure 32.22 Firewall

Types of Firewalls

Packet Filters
Application-Level Gateways
Circuit-Level Gateways

Packet Filters
Note

A packet-filter firewall filters at the network or transport layer: it decides on the IP header (source and destination address, protocol) and on the TCP/UDP header (ports, flags), not on the application data.
Packet Filters

the simplest of the components, and the foundation of any firewall system
examine each IP packet on its own (no context) and permit or deny it according to rules
hence restrict access to services (ports)
two possible default policies:
whatever is not expressly permitted is prohibited (default deny, the safer choice)
whatever is not expressly prohibited is permitted (default allow)
Figure: packet-filter firewall
Attacks on Packet Filters

IP address spoofing: the attacker fakes a source address that the filter trusts, typically an internal one
countermeasure: add filters on the router that drop packets arriving on the external interface with an internal source address
source routing attacks: the attacker puts a route other than the default into the IP header, to steer packets around the filter
countermeasure: block source-routed packets
tiny fragment attacks: the TCP header is split over several tiny fragments, so the port fields are not in the first fragment the filter inspects
countermeasure: either discard fragments or reassemble the packet before checking it
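As an added example (not from the lecture), the three countermeasures just listed written for a Linux gateway with iptables, which the second half of this lecture covers: the kernel settings that reject source-routed packets and enforce reverse-path filtering, the explicit anti-spoofing drops, and a fragment rule. It also implements the check those anti-spoofing rules express (is this source inside a prefix that must never arrive from the Internet?) in plain shell arithmetic, so the logic can be exercised without root. WAN_IF and LAN_NET are assumed names; nothing is applied unless you run it as root with APPLY=1.

```sh
#!/bin/sh
# Added example, not lecture material. WAN_IF and LAN_NET are assumed;
# without APPLY=1 (and root) the script only prints what it would do.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Kernel side: refuse packets that carry a source route, and turn on
# reverse-path filtering so a packet is dropped unless it arrives on the
# interface the kernel would use to reach its claimed source address.
hardening_sysctls() {
    cat <<EOF
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# Filter side, in iptables-restore format. Internal, loopback and private
# addresses never legitimately arrive from the Internet. "-f" matches the
# second and later fragments of a packet; dropping them means a header
# split across tiny fragments never reaches the port checks (with
# connection tracking loaded the kernel reassembles first anyway, so this
# rule is a backstop rather than the primary defence).
antispoof_rules() {
    cat <<EOF
*filter
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WAN_IF -f -j DROP
COMMIT
EOF
}

# The check those -s rules perform, in shell arithmetic: dotted quad to
# integer, then compare the network bits of address and prefix.
ip4_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}
in_cidr() {   # in_cidr ADDRESS PREFIX/LEN ; true when ADDRESS is inside
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _len=${2#*/}
    _mask=$(( 4294967295 - ((1 << (32 - _len)) - 1) ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}
spoofed_from_wan() {   # true when SRC must never appear on the WAN side
    for _p in "$LAN_NET" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$_p"; then return 0; fi
    done
    return 1
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    hardening_sysctls | sed 's/ //g' | while read -r kv; do sysctl -w "$kv"; done
    antispoof_rules | iptables-restore --noflush
else
    hardening_sysctls
    antispoof_rules
    for src in 192.168.1.7 10.9.8.7 172.32.0.1 203.0.113.9; do
        if spoofed_from_wan "$src"; then v=spoofed; else v=plausible; fi
        printf 'source %-14s on %s -> %s\n' "$src" "$WAN_IF" "$v"
    done
fi
```

rp_filter does the spoofing check in the kernel for every interface using the routing table, so the explicit -s rules mostly add logging and defence in depth. The private-range drops must not be applied on the LAN-side interface, where those addresses are legitimate, which is why every rule is tied to WAN_IF.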
Stateful Packet Filters (iptables)

examine each IP packet in context
keep track of client-server sessions (connection tracking)
check that each packet validly belongs to one
better able to detect bogus packets sent out of context
Question - 1

1. Can a stateless firewall block TCP connection initiation requests from an external location to any local host, but at the same time allow returning traffic from connections initiated by local hosts? Why or why not?

Answer:

Yes. A connection request is a segment with the SYN flag set and the ACK flag clear, and that is visible in each packet on its own. The firewall drops inbound segments with SYN set and ACK clear, but lets SYN-ACK and all other segments (ACK set) flow through. The limitation is that "ACK set" is only a hint that a connection exists: the filter has no memory of the outbound SYN, so an attacker can send ACK-only or RST segments inbound (an ACK scan) and they pass. A stateful filter closes that gap by admitting only packets that belong to a tracked connection.
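As an added example (not part of the lecture), the two rule sets the answer describes, written in the iptables-restore format that the IPTables part of this lecture introduces, together with a small emulation of the --syn match that shows which inbound segments the stateless version lets through. The interface name WAN_IF is an assumption; the functions only print rules and apply nothing.

```sh
#!/bin/sh
# Added example, not lecture material. WAN_IF (Internet-facing interface)
# is assumed; nothing below touches the live firewall, it only prints.
WAN_IF="${WAN_IF:-eth0}"

# Stateless version (Question 1). The only "state" is the flag bits of the
# segment in hand: --syn matches SYN set with ACK and RST clear, which is
# exactly a connection request, so "! --syn" is everything else.
stateless_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn -j DROP
-A INPUT -i $WAN_IF -p tcp ! --syn -j ACCEPT
COMMIT
EOF
}

# Stateful version. Connection tracking remembers the outbound SYN and
# admits only inbound packets that belong to a connection it has seen;
# INVALID covers packets that match no connection at all (ACK scans).
stateful_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Emulate the --syn match on a comma-separated flag list such as "SYN",
# "SYN,ACK" or "ACK": true only when SYN is set and ACK and RST are clear.
is_syn() {
    case ",$1," in
        *,SYN,*)
            case ",$1," in
                *,ACK,*|*,RST,*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# Verdict the stateless rule set gives an inbound TCP segment on WAN_IF,
# judged from its flags alone (which is all a stateless filter has).
stateless_verdict() {
    if is_syn "$1"; then echo DROP; else echo ACCEPT; fi
}

# Demo: note the last two lines, an ACK-only or RST probe that belongs to
# no connection is accepted because it merely looks like a reply.
for flags in SYN SYN,ACK ACK RST; do
    printf 'inbound %-8s -> %s\n' "$flags" "$(stateless_verdict "$flags")"
done
```

The stateless set is what the answer describes and no more: "! --syn" admits any segment that is not a bare SYN, so an ACK-only or RST probe from outside is accepted even though no local host opened a connection (it just cannot complete a handshake). The stateful set replaces that guess with a lookup in the connection table, which is why accepting ESTABLISHED,RELATED and then dropping INVALID is the usual first pair of rules in an INPUT chain.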
Application Level Gateway (or Proxy)
Note

A proxy firewall filters at the application layer: it understands the protocol being carried (HTTP, SMTP, FTP, ...) and can judge the request itself, not only the addresses and ports.

Figure: proxy firewall
Proxy Firewall

What is the function of the proxy server in a security context?

In computer networks, a proxy server is a server (a computer system or an application program) that services the requests of its clients by forwarding them to other servers. A client connects to the proxy server and requests some service, such as a file, a connection, a web page or another resource available from a different server. The proxy provides the resource by connecting to the specified server and requesting the service on behalf of the client. A proxy server may alter the client's request or the server's response, and sometimes it serves the request without contacting the specified server at all: it caches the first response so that later requests for the same resource are answered locally and faster. For security the important property is that no packet crosses the proxy unchanged: the client's connection ends at the proxy, and the proxy opens a new one to the real server.
Firewalls - Application Level Gateway (or Proxy)

uses an application-specific gateway (proxy)
has full access to the protocol
the user requests the service from the proxy
the proxy validates that the request is legal
then actions the request and returns the result to the user
needs a separate proxy for each service
some services naturally support proxying (e.g. HTTP, SMTP)
others are more problematic
custom services are generally not supported
Question - 2

2. What is an application-level gateway?

Answer:

An application-level gateway, also called a proxy server, acts as a relay of application-level traffic: the client talks to the gateway, and the gateway talks to the real server on the client's behalf.
Question - 3

3. Explain the difference between packet filters and application-layer proxies.

Answer:

Packet filters look at packets one at a time, deciding on header fields, while application-layer proxies reconstruct application-layer entities, such as email messages, files and web pages, and can apply policy to their content.
Firewalls - Circuit Level Gateway

relays two TCP connections
imposes security by limiting which such connections are allowed
once a connection is created it usually relays traffic without examining the contents
typically used when internal users are trusted, by allowing general outbound connections
SOCKS is commonly used for this
Question - 4

4. What is a circuit-level gateway?

Answer:

A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
Question - 5

5. What is the main security benefit of NAT, and why is it useful to combine NAT with a firewall instead of using separate NAT and firewall devices?

Answer:

NAT hides the addresses of the devices behind the NAT device and so prevents attacks that rely on knowledge of the internal network addresses. Some firewall policies, such as allowing traffic to high-numbered ports only if there was a matching outgoing request, require the internal addresses and port numbers; this is easier to determine if the firewall also knows the NAT translation table. Note that the hiding is a side effect of the translation table rather than a filtering decision: a NAT device that forwards unsolicited inbound packets, or one bypassed by a port forward, offers no protection on its own.
Question - 6

6. In a distributed firewall, an administrator ships out firewall rules to hosts over an authenticated channel, and each host enforces its own policy. Give one advantage and one disadvantage of a distributed firewall, in comparison with a centralized firewall.

Answer:

Advantage: it can filter traffic between internal hosts on the local network. For example, it can prevent ssh connections from certain internal hosts, avoiding possible attacks if they are compromised.

Disadvantage: it cannot protect against external flooding of an internal network. In a DoS attack the links between local hosts will be flooded, whereas this could be prevented by throttling incoming traffic at a gateway firewall.
What is netfilter/iptables?

Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the redesigned and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. Current kernels keep the same netfilter hooks; the iptables front end is gradually being replaced by nftables, and on many distributions the iptables command is now a compatibility layer (iptables-nft) on top of it, so the rules shown here still work.
Packet Processing in IPTables

All packets inspected by iptables pass through a sequence of built-in tables for processing. Each table is dedicated to a particular type of packet activity and is controlled by an associated set of packet transformation/filtering chains.

This lecture uses three tables. The first is the mangle table, which is responsible for altering packet headers, for example the type-of-service (QoS) bits and the TTL in the IP header, and for marking packets. It is hardly used in a home or SOHO environment.

The second is the filter table, which is responsible for packet filtering. It has three built-in chains (INPUT, FORWARD, OUTPUT) in which you place your firewall policy rules.

The third is the nat table, which is responsible for network address translation. Its built-in chains are PREROUTING (for DNAT), POSTROUTING (for SNAT) and OUTPUT (for locally generated packets). Newer kernels also have a raw table, for exempting packets from connection tracking, and a security table, which are not covered here.
Processing For Packets Routed By The Firewall 1/2

You need to specify the table and the chain for each firewall rule you create. There is one exception: most rules are related to filtering, so iptables assumes that any chain named without an associated table (the -t option) belongs to the filter table. The filter table is therefore the default.

Figure: packet processing through the mangle, nat and filter tables
Processing For Packets Routed By The Firewall 2/2

To understand iptables, look at the way it handles packets. In the figure a TCP packet from the Internet arrives at the firewall's interface on Network A to create a data connection.

The packet is first examined by your rules in the mangle table's PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. Only then is the routing decision made, so a DNAT rewrite changes where the packet is routed.

If the packet is destined for a protected network, it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, undergoes SNAT in the nat table's POSTROUTING chain before leaving for Network B. When the destination server replies, the reply goes through the same sequence of steps in the opposite direction; connection tracking reverses the translation automatically.

If the packet is destined for the firewall itself, it is filtered by the rules in the INPUT chain of the filter table before being processed by the intended application on the firewall. At some point the firewall needs to reply. This reply is inspected by your rules in the OUTPUT chain of the mangle table, if any. The rules in the OUTPUT chain of the nat table determine whether address translation is required, and the rules in the OUTPUT chain of the filter table are then inspected before the packet is routed back to the Internet.
Targets & Jumps

Each firewall rule inspects each IP packet and, if the packet matches the rule, hands it to a target; the packet "jumps" (-j) to that target for further processing.

ACCEPT
iptables stops further processing in this chain.
The packet is handed over to the end application or to the operating system (routing) for processing.

DROP
iptables stops further processing.
The packet is silently discarded; the sender gets no reply.

LOG
The packet information is written to the kernel log (picked up by the syslog daemon).
iptables continues processing with the next rule in the chain, so a LOG rule on its own blocks nothing.
You cannot log and drop with one rule: use two rules (LOG, then DROP), and rate-limit the LOG rule so that an attacker cannot fill your logs.
--log-prefix "reason"

REJECT
Works like the DROP target, but also returns an error message to the host that sent the packet, telling it the packet was blocked.
--reject-with qualifier, where the qualifier is an ICMP message type (the default is icmp-port-unreachable); for TCP, tcp-reset sends an RST instead, which is what a closed port would do.
Targets & Jumps

SNAT
Used to do source network address translation, i.e. rewriting the source IP address of the packet.
The new source address is user defined and must be one the firewall owns:
--to-source <address>[-<address>][:<port>-<port>]
Valid in the nat table's POSTROUTING chain, after the routing decision.

DNAT
Used to do destination network address translation, i.e. rewriting the destination IP address (and optionally the port) of the packet:
--to-destination <address>[:<port>]
Valid in the nat table's PREROUTING and OUTPUT chains, before the routing decision.

MASQUERADE
Used to do source network address translation when the firewall's public address is assigned dynamically.
The source IP address is taken from the outgoing interface at the time of translation, so the rule need not change when the address changes; the cost is that translations are forgotten when the interface goes down.
[--to-ports <port>[-<port>]]
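As an added example (not from the lecture or any project) serving both the packet-flow description above and the targets just listed: a complete rule set for a two-interface gateway, written in the format iptables-restore reads, with each rule placed in the table and chain that the packet flow implies. It pairs LOG with DROP in a user chain, uses REJECT with tcp-reset, forwards port 80 by DNAT, and chooses SNAT or MASQUERADE depending on whether the public address is fixed. WAN_IF, LAN_IF, LAN_NET, WEB_SERVER and WAN_IP are assumed names; the script prints the rules unless run as root with APPLY=1.

```sh
#!/bin/sh
# Added example, not lecture material: a two-interface gateway rule set in
# the format iptables-restore reads. Assumed names: WAN_IF, LAN_IF,
# LAN_NET, WEB_SERVER (internal host that receives port 80 by DNAT) and
# WAN_IP (set for a static public address, leave empty to MASQUERADE).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.58}"
WAN_IP="${WAN_IP:-}"

# Source NAT happens in POSTROUTING, after the routing decision has chosen
# the outgoing interface: SNAT with a fixed public address, MASQUERADE
# when the address is dynamic and must be read from the interface.
snat_rule() {
    if [ -n "$WAN_IP" ]; then
        echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    else
        echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    fi
}

gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT is decided in PREROUTING, before routing, so the rewritten
# destination is what the routing decision and the FORWARD chain see.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
$(snat_rule)
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
# LOG never stops processing, so a user chain pairs it with DROP, and the
# LOG rule is rate-limited so a flood cannot fill the log.
-A LOG_DROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A LOG_DROP -j DROP
# INPUT: packets addressed to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# auth/ident: answer with a TCP RST rather than a silent drop, so mail and
# IRC servers that probe it do not wait for a timeout.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG_DROP
# FORWARD: packets routed through the firewall. The DNAT above has already
# rewritten the destination, so the rule names the internal server.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
-A FORWARD -j LOG_DROP
COMMIT
EOF
}

# Number of -A rules in one chain of one table of the generated file; a
# cheap sanity check before loading (did the SNAT rule get emitted?).
rule_count() {   # rule_count TABLE CHAIN
    gateway_rules | awk -v t="*$1" -v c="$2" '
        $1 == t        { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0; next }
        in_t && $1 == "-A" && $2 == c { n++ }
        END { print n + 0 }'
}

apply_rules() {
    _f=$(mktemp) || return 1
    gateway_rules > "$_f"
    # --test parses and checks the whole file without touching the kernel.
    if iptables-restore --test "$_f"; then
        sysctl -w net.ipv4.ip_forward=1
        iptables-restore "$_f"
    fi
    rm -f "$_f"
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_rules
else
    gateway_rules
fi
```

Order matters inside each chain: the conntrack rules come first so replies are accepted cheaply, the specific ACCEPTs next, and the jump to LOG_DROP last as the explicit, logged version of the chain's DROP policy. iptables-restore --test validates syntax and chain names without loading anything, so it belongs in every deployment script.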
Important Iptables Command Switch Operations

Firewall rules are stored in scripts or databases; most commonly in scripts.
One row example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

Each line of an iptables script not only has a jump, but also a number of command-line options that are used to append rules to chains (-A) that match your defined packet characteristics, such as the source IP address and TCP port. There are also options that can be used to just clear a chain (-F) so you can start all over again.

In the example, iptables is configured to allow the firewall to accept TCP packets coming in on interface eth0 from any IP address destined for the firewall's IP address of 192.168.1.1. The 0/0 representation of an IP address means any (the same as 0.0.0.0/0, and the default when -s is omitted).
Common TCP and UDP Match Criteria

Example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT

iptables is configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 (the unprivileged range a client normally uses) and the destination port is 80 (www/http). --sport and --dport are only valid after -p tcp or -p udp, since only those headers carry ports.
Defense for SYN flood attacks

You can use the limit match of iptables to reduce your exposure to certain denial-of-service attacks. Here a defense for SYN flood attacks is created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.

-m limit sets the maximum rate at which the rule can match; it is a token bucket where --limit is the refill rate and --limit-burst the bucket size (default 5).

iptables is configured to accept at most 5 TCP SYN segments per second on interface eth0:

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

Once the rate is exceeded this rule simply stops matching; the surplus SYNs fall through to the rules that follow, so they are dropped only if a later rule or the chain's default policy (e.g. iptables -P INPUT DROP) drops them. A legitimate client whose SYN is dropped retransmits it after a timeout, with increasing delays between attempts, so a brief overload shows up as a slower connection rather than a failure. Note that this limit is per interface, not per source, so a flood also throttles legitimate clients; the kernel's own SYN cookies (net.ipv4.tcp_syncookies=1) defend against backlog exhaustion without dropping anyone.
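As an added example (not from the lecture), the rate limit above as it has to be written to actually drop anything: a dedicated chain in which SYNs that get a token return to INPUT and the rest are logged sparingly and d&#114;opped, plus the sysctls for the kernel's own defence. The limit_sim function is a whole-second model of the limit match's token bucket; it shows why "--limit 5/s" alone admits a burst of five (the default burst) and why the burst size, not the rate, bounds what arrives at once on a quiet link. WAN_IF, RATE and BURST are assumed tunables; nothing is applied unless run as root with APPLY=1.

```sh
#!/bin/sh
# Added example, not lecture material. The lecture's rule accepts up to
# five SYNs per second and lets the surplus fall through, so something
# after it must drop them; this dedicated chain does both. WAN_IF, RATE
# and BURST are assumed tunables. Prints unless APPLY=1 and root.
WAN_IF="${WAN_IF:-eth0}"
RATE="${RATE:-5/s}"
BURST="${BURST:-10}"

syn_flood_rules() {
    cat <<EOF
*filter
:SYN_FLOOD - [0:0]
# --limit is a token bucket: BURST tokens to start with, refilled at RATE.
# A SYN that gets a token returns to INPUT and continues to the normal
# rules; one that does not is logged (sparingly) and dropped.
-A SYN_FLOOD -m limit --limit $RATE --limit-burst $BURST -j RETURN
-A SYN_FLOOD -m limit --limit 1/min -j LOG --log-prefix "SYN-FLOOD: "
-A SYN_FLOOD -j DROP
-A INPUT -i $WAN_IF -p tcp --syn -j SYN_FLOOD
COMMIT
EOF
}

# The kernel's own defence: SYN cookies keep a half-open flood from
# exhausting the listen backlog without dropping legitimate clients.
syn_flood_sysctls() {
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
EOF
}

# Model of the limit match, coarse to whole seconds: tokens refill at RATE
# per second up to BURST, and each matching packet spends one. Prints how
# many of the packets at the given arrival times (seconds) get a token.
limit_sim() {   # limit_sim RATE_PER_SEC BURST "t1 t2 t3 ..."
    _rate=$1; _burst=$2; _tokens=$2; _last=0; _passed=0
    for _t in $3; do
        _tokens=$(( _tokens + (_t - _last) * _rate ))
        if [ "$_tokens" -gt "$_burst" ]; then _tokens=$_burst; fi
        _last=$_t
        if [ "$_tokens" -ge 1 ]; then
            _tokens=$(( _tokens - 1 )); _passed=$(( _passed + 1 ))
        fi
    done
    echo "$_passed"
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    syn_flood_sysctls | sed 's/ //g' | while read -r kv; do sysctl -w "$kv"; done
    syn_flood_rules | iptables-restore --noflush
else
    syn_flood_rules
    printf '20 SYNs in one second, rate 5 burst 5:    %s pass\n' \
        "$(limit_sim 5 5 '0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0')"
    printf '10 SYNs/s for 3 seconds, rate 5 burst 5: %s pass\n' \
        "$(limit_sim 5 5 '0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2')"
fi
```

The limit match counts per interface, not per source, so a flood also slows legitimate clients; with a current iptables, -m hashlimit --hashlimit-mode srcip gives the same bucket per source address instead. SYN cookies remain the first line of defence because they never drop a legitimate SYN.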
Saving Your iptables Scripts

For Red Hat based distributions:

The service iptables save command permanently saves the iptables configuration in the /etc/sysconfig/iptables file. When the system reboots, the iptables-restore program reads the configuration and makes it the active configuration. On any distribution the same can be done by hand with iptables-save > file and iptables-restore < file; on systemd-based Red Hat releases the iptables-services package provides the equivalent of service iptables save.

The format of the /etc/sysconfig/iptables file is slightly different from that of the scripts shown in this chapter. The initialization of built-in chains is automatic and the string "iptables" is omitted from the rule statements.

Fedora comes with a program called lokkit that you can use to generate a very rudimentary firewall rule set. It prompts for the level of security and then gives you the option of doing simple customizations. It is a good place for beginners to start on a test system, so that they can see a general rule structure. Like the service iptables save command, lokkit saves the firewall rules in a new /etc/sysconfig/iptables file for use on the next reboot.

Once you have become familiar with the iptables syntax, it is best to write scripts that you can comment and then save to /etc/sysconfig/iptables. It makes them much more manageable and readable.
Loading Kernel Modules Needed By iptables

The iptables application requires certain kernel modules to be loaded to activate some of its functions. Whenever any type of NAT is required, the iptable_nat module needs to be loaded. The ip_conntrack_ftp module needs to be added for FTP support and should always be loaded with the ip_conntrack module, which tracks TCP connection states. As most scripts keep track of connection states, the ip_conntrack module will be needed in any case. The ip_nat_ftp module also needs to be loaded for FTP servers behind a NAT firewall. (These are the 2.4 and early 2.6 names; later kernels renamed them nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and a modern iptables loads the modules a rule needs automatically.)

Loading kernel modules extends the kernel's functionality. Kernel modules are like plugins: they add functionality and live under
/lib/modules/2.4.20-30.9/kernel/net/

Manually loading/unloading modules:

modprobe <module> (searches for the module and loads its dependencies first)
insmod <module> (loads one module file directly, without resolving dependencies)
rmmod <module> (removes a module)
lsmod (lists the loaded modules)

Load some common modules:

modprobe ip_conntrack (tracking connections)
modprobe ip_conntrack_ftp (helper that tracks the data connections of active FTP)
modprobe iptable_nat (for all kinds of NAT operations)
modprobe ip_nat_ftp (for FTP servers behind NAT)
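As an added example (not from the lecture), loading the modules above in a way that copes with the rename of the ip_* modules to nf_* in later kernels. module_loaded reads /proc/modules (or a file given as the second argument, which is how it is tested here) and compares the whole module name, because a plain "grep ip_conntrack /proc/modules" also matches ip_conntrack_ftp and reports the wrong answer. The candidate-name lists are assumptions about what a given kernel provides; modules are only loaded when run as root with LOAD_MODULES=1.

```sh
#!/bin/sh
# Added example, not lecture material. Whole-name match against
# /proc/modules, then the new module name is tried before the old one.

module_loaded() {   # module_loaded NAME [MODULES_FILE]
    _f=${2:-/proc/modules}
    [ -r "$_f" ] || return 1
    # First field of each line is the module name; exact comparison.
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$_f"
}

# Try the candidate names in order (new name first); the first one that
# is loaded, or that modprobe accepts, is printed. Returns 1 if none.
ensure_module() {   # ensure_module NAME [OLDER_NAME...]
    for _m in "$@"; do
        if module_loaded "$_m"; then echo "$_m"; return 0; fi
        if modprobe "$_m" 2>/dev/null; then echo "$_m"; return 0; fi
    done
    return 1
}

load_firewall_modules() {
    ensure_module nf_conntrack     ip_conntrack     || return 1
    ensure_module nf_conntrack_ftp ip_conntrack_ftp || return 1
    ensure_module iptable_nat                        || return 1
    ensure_module nf_nat_ftp       ip_nat_ftp       || return 1
}

if [ "${LOAD_MODULES:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    load_firewall_modules || echo "some modules could not be loaded" >&2
else
    for _m in nf_conntrack ip_conntrack iptable_nat; do
        if module_loaded "$_m"; then echo "$_m: loaded"; else echo "$_m: not loaded"; fi
    done
fi
```

On current kernels the FTP helper is no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0 since 4.7), so loading nf_conntrack_ftp must be paired with a rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.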
Basic Firewall settings

Most basic firewall settings:

Everything from inside is allowed to pass out
Everything from outside is denied to pass in (except replies to connections opened from inside)

Optionally firewalls directly offer security levels: more or fewer protocols are accepted. The most common are
SSH SMTP WWW VPN
FTP DHCP SMB TELNET

Levels are usually 3:
No security, Medium, High

No security = the firewall passes everything or is disabled
Medium = SMTP, SSH, DHCP, FTP
High = SSH
Summary

We have considered:
firewalls
types of firewalls
IPTables

How Do You Want To Protect Your Network System?

Thank You