IPTables and its use in a Realistic Scenario

Transcription

1 IPTables and its use in a Realistic Scenario Mini-project Report Segurança em Sistemas Informáticos 16 de Dezembro de 2013 ei10133@fe.up.pt ei05064@fe.up.pt ei09137@fe.up.pt José Lage Bateira Pedro Rui Figueiredo da Cunha Pedro Fernando Vaz de Sousa Grilo

2 Index 1 Firewalls 2 IPTables 1.1 How do they work 1.2 Why use them? 1.3 Nat and Firewall 1.4 Requirement analysis Servers and Services Ports 2.1. Background History 2.2 What is iptables? 2.3 Basic concepts and commands 3 Case study 3.1 Topology of the network 3.2 Requirements analysis 4 Conclusion 5 Bibliography 2

3 Prologue The work presented in this report was designed as part of the course Computer Security FEUP and aims to study in depth firewall system and the iptables firewall because it is an essential software for a Linux system administrator. Previously the group had proposed to do a job that consisted of a safety audit of FEUP network but CICA did not grant us permission. 3

4 1 Firewall Since the first computer networks appeared, computers were no longer isolated machines. With the arrival of the internet, there was a need to create a mechanism to protect our systems from external threats such as hackers or offensive websites. A firewall is a system that was designed for that purpose and functions as a barrier that protects our systems and allows nothing offensive go on the computer. The firewall is able to protect systems by controlling in and out network traffic by analysing the data packets. To determinate if a packet is offensive or not, the firewall uses rules that specify the way a packet should be treated. Basically, it filters incoming and outgoing traffic according to a set of predefined rules. 1.1 How do they work There are 4 types of firewalls. In each type, the packet is analysed with different standards. Circuit-filter - a type of firewall system that analysed only the new connections made and operates at the session layer of the OSI model. In this case, the firewall handles all the new TCP and UDP connections by giving a green or red flag accordingly to the rules previously defined. With this kind of filter, the firewall can check if for an example a TCP handshaking is legit or not and the legitimacy of a session information used in establishing the connection. To do this, it checks if the SYN flags, ACK flags and sequence numbers involved in the TCP handshaking are correct and logic. It allows all traffic on that connection afterwards, not even looking into it. Application Gateway - a type of software that runs in a firewall that acts as a proxy server for the application. The client that is trying to connect to the server behind the firewall actually connects to the firewall itself. It is the firewall that simulates the client and connects with the hosts inside the network, making all the packet-forwarding decisions itself. While this type of firewall is considered to be very secure, it is very heavy on the system resources and can be quite slow. Packet-filtering - a simple type of firewall that simply allows or blocks packets based on ip address rules. While it s light and fast, it can be severely compromised by IP-spoofing. Stateful Inspection - Also referred to as dynamic packet filtering. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. An example of a stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to 4

5 determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall. As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested. 1.2 Why use Firewalls Pros Allows for definition of NATs. Can block malicious connections to system/network. Allows separation between accessible hosts and private hosts. Cons Can be hard to configure all the rules 1.3 Nat and Firewall Network Address Translation (NAT) is a mechanism that allows for internal hosts of a network communicate with the outside networks using a single, common ip address. The Firewall standing at the edge can support this by masquerading outgoing connections and translating incoming connections. It is used to protect the internal network from direct access from the outside, since internal IPs are not public. 5

6 1.4 Requirements Analysis Servers and Services Identification of what servers/hosts are running in our network and in which sub-network. For each server/host, identify if it s running a service (and which one), if it s allowed to access a service (and where) and who is allowed to access the service it s providing Ports For each service running in our network, identify which port is it running on. Normal ports: HTTPS: We could make them run on different ports though. If so, which ports and we have to consider this in the rules specification (port-forwarding). 6

7 2 IPTables Linux kernels have had packet filtering since the 1.1 series. ipfw - incorporated into the kernel 1.1. ipfwadm and ipchains - userspace tool used in kernel 2.0 and 2.2. Iptables - the fourth-generation tool used since kernel What is IPTables In Linux, the packet filter framework is divided in 2 parts: Netfilter - implemented in kernel space. Iptables - the user space module. When we talk about Iptables, commonly its means both parts. Iptables in an application that allow administrators manage the netfilter configuration. 7

8 Main characteristic: Filtering considering/regardless of the state of the package. Support for Nat, addresses and ports. Plugins. 2.3 Basic Concepts and commands Rules - What the firewall must do. Chain - Group of rules that are store. The rules are executed in order. Every chain have a standard rule. If any rule isn't applied, the standard rule will be used. Tables - iptables organizes its flow in tables, each with a set of predefined chains. There are 4 kind of tables: Filter Table - for doing the actual packet filtering. Default table INPUT -All packets destined for the host computer. OUTPUT - All packets originating from the host computer. FOWARD - Packets that are not addressed to the host but are routed by. NAT Table - rewrite packet source and/or destination. PREROUTING - Packets will enter this chain before a routing decision is made. OUTPUT POSTROUTING - Packets enter this chain just before handing them off to the hardware. MANGLE Table - allow packet change like header and content. PREROUTING INPUT OUTPUT FOWARD POSTROUTING RAW Table - for avoiding connection tracking 8

9 . Commands Save and restore We can use a script file and/or use iptables commands. $ sudo iptables-save > FileWithRules $ sudo iptables-restore < FileWithRules We can also save counters with -C plan IPTables command $ iptables <table> <add insert delete> <CHAIN> <PKT_MATCHING_CRITERIA> <ACTION> 9

10 <TABLE> -t filter ( DEFAULT) -t nat -t mangle -t raw <Add/Insert/Delete> -A (ADD AT THE BOTTOM OF THE CHAIN) -I (PUT IN THE BEGINNING OF THE CHAIN) -D ( DELETE RULE) <CHAIN> PREROUTING INPUT FORWARD OUTPUT POSTROUTING USER_DEFINED_CHAIN Examples $ iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT $ iptables -D INPUT -p tcp --dport 22 -j ACCEPT <PKT_MATCHING_CRITERIA> OSI MODEL LAYER 2 -i INTERFACE -o INTERFACE -mac-source [!] <xx-xx-xx-xx-xx-xx> OSI MODEL -LAYER 3 -s or src SRC_IP -d or --destination DST_IP OSI MODEL -LAYER 4 -p (udp tcp icmp) --icmp-type [!] <icmp_type> /***UDP AND TCP*****/ --source-port or --sport PORT --destination-port or --dport PORT /*****TCP ONLY*******/ --tcp-flags (SYN ACK FIN RST URG PSH ALL NONE) 10

11 --syn --tcp-option [!] <tcp_option#> <ACTION> -j ACCEPT -j DROP DROP PACKET -j REJECT DROP AND NOTIFY -j USER_DEFINED_CHAIN START A CHAIN -j RETURN LEAVE THE CHAIN -j LOG CREATE LOGS NAT table specific -j SNAT REWRITE SOURCE IP -j MASQUERADE WHEN SNAT IS DYNAMIC -j DNAT REWRITE DESTINATION SOURCE -j REDIRECT MANGLE table specific -j ROUTE ADD A ROUTE -j TOS SET IP HEADER TYPE OF SERVICE -j TTL TIME TO LIVE 11

12 3 Case Study To aid with the understanding of IPTables, let s apply it to a fictional but realistic scenario. We will decide what rules apply in which firewall, which traffic goes in, out, to where and from where. The scenario consists in the following setting: our enterprise is connected to the Internet using an IP address conceded by the ISP (Internet Service Provider), generically defined here as It connects to the Internet through a firewall that has three interfaces, one connected to the Internet, one to the DMZ and one to the protected section. It provides NAT to all the hosts inside. The DMZ has three servers (it could have more, for instance, a SMTP if we were providing ), a web server for the enterprise's website, a DNS server to manage its domain and a VPN server to allow employees to connect to the enterprise's resources from the outside. The Internal Network is has on its border another firewall that is controlling the access to it. Inside we have a sub-network of servers (again, we could have more, i.e. LDAP). A mail server, a file server running FTP and the Administrative Server. This last one is the only one allowed access to all hosts to be able to manage them, using SSH. The internal network also has another sub-network for the personal computers. 12

13 3.2 Requirements Analysis Each Server's Internal Firewall For each server, we start by defining its incoming and outgoing connections that are allowed. Then, we construct the iptables command accordingly to the information specified. Using the following one as an example, since we defined that, for a web server, we will receive connections from everywhere, we do not define allowed source addresses (it is all by default). HTTP runs on port 80 and runs over the TCP protocol. Hence, all incoming traffic (INPUT table), using protocol TCP (-p tcp) with port destination 80 (-dport 80) we accepted it (-j ACCEPT). Web Server ( ) Service Protocol Port Source Address HTTP TCP 80 All iptables -A INPUT -p tcp --dport 80 -j ACCEPT HTTPS TCP 443 All iptables -A INPUT -p tcp --dport 443 -j ACCEPT SSH TCP 22 Admin Server iptables -A INPUT -p tcp -s dport 22 -j ACCEPT DNS Server ( ) Service Protocol Port Source Address DNS UDP 53 All iptables -A INPUT -p udp --dport domain -j ACCEPT SSH TCP 22 Admin Server iptables -A INPUT -p tcp -s dport ssh -j ACCEPT 13

14 VPN Server ( ) Service Protocol Port Source Address OpenVPN/PPTP TCP 1194,1723 All iptables -A INPUT -p tcp -m multiport --destination-ports 1194,1723 -j ACCEPT SSH TCP 22 Admin Server iptables -A INPUT -p tcp -s dport ssh -j ACCEPT Mail Server ( ) Service Protocol Port Source Address SMTP,POP,POPS, IMAP, IMAPS TCP 25,110,995,143,99 3 VPN Server, User Network iptables -A INPUT -p tcp -s m multiport --destination-ports smtp,pop,pops,imap,imaps -j ACCEPT iptables -A INPUT -p tcp -s /24 -m multiport --destination-ports smtp,pop,pops,imap,imaps -j ACCEPT SSH TCP 22 Admin Server iptables -A INPUT -p tcp -s dport ssh -j ACCEPT Admin Server( ) Service Protocol Port Source Address SSH TCP 22 VPN Server, User Network iptables -A INPUT -p tcp -s dport ssh -j ACCEPT iptables -A INPUT -p tcp -s /24 --dport ssh -j ACCEPT 14

15 FTP Server ( ) Service Protocol Port Source Address FTP, SFTP TCP 22,21 VPN Server, User Network iptables -A INPUT -p tcp -s /24 -m multiport --destination-ports ftp,ssh -j ACCEPT iptables -A INPUT -p tcp -s m multiport --destination-ports ftp,ssh -j ACCEPT SSH TCP 22 Admin Server iptables -A INPUT -p tcp -s dport ssh -j ACCEPT User Hosts ( /24) Service Protocol Port Source Address SSH TCP 22 VPN Server, Admin Server iptables -A INPUT -p tcp -s dport ssh -j ACCEPT iptables -A INPUT -p tcp -s dport ssh -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT All The All table applies to every server/host before mentioned. What it means is that, by default, all incoming packets are dropped, all forward packets are also dropped, all output packets are accepted but incoming packets that are related to existing 15

16 connections or established connections are allowed (for example, FTP data is passed in another TCP channel running on a port other than 21) Internal Firewall We then move on to the firewalls themselves. Starting with the internal firewall, we decide the traffic that is allowed in, out, to where and where from, protocols and ports included. This firewall does not provide NAT, but controls the access to the internal network, considering the VPN server as if inside said network. Internal Firewall Servers Services Ports File Server FTP,SFTP 21,22 Origin Network/Server User s Network, VPN Server, AdminServer iptables -A FORWARD -p tcp -d s /24 -m multiport --destination-port ssh,ftp -j ACCEPT iptables -A FORWARD -p tcp -d s m multiport --destination-port ssh,ftp -j ACCEPT iptables -A FORWARD -p tcp -d s dport ssh -j ACCEPT Admin Server SSH 22 User s Network, VPN Server iptables -A FORWARD -p tcp -d s /24 --dport ssh -j ACCEPT iptables -A FORWARD -p tcp -d s dport ssh -j ACCEPT User's Computers SSH 22 User s Network, VPN Server, AdminServer iptables -A FORWARD -p tcp -s /24 -d /24 --dport ssh -j ACCEPT iptables -A FORWARD -p tcp -s d /24 --dport ssh -j ACCEPT iptables -A FORWARD -p tcp -s d /24 --dport ssh -j ACCEPT Mail Server SMTP,POP3,POP3S,I MAP,IMAPS 25,110,995,143, 993 User s Network, VPN Server, AdminServer iptables -A FORWARD -p tcp -s /24 -d m multiport 16

17 --destination-port smtp,pop,pops,imap,imaps -j ACCEPT iptables -A FORWARD -p tcp -s d m multiport --destination-port smtp,pop,pops,imap,imaps -j ACCEPT iptables -A FORWARD -p tcp -s d dport ssh -j ACCEPT iptables -A FORWARD -i eth1 -s /24 -j ACCEPT iptables -A FORWARD -i eth2 -s /24 -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P FORWARD DROP External Firewall On the external firewall, we implement NAT protocols, stop access to the internal network and allow access to the DMZ. The NAT protocol differentiates between two situations: DNAT (destination NAT) and SNAT (source NAT). SNAT is the commonly referred to NAT. It hides the IP's from the internal network from the outside, by changing the IP header from the packets that go outside, modifying the source IP from the host's one to the enterprise's one. That way, the IP that the host in the Internet sees is always the same (the one provided by the ISP). The DNAT sub-protocol is used to allow access to the DMZ servers inside the NAT. Because the servers are inside a NAT, if the external firewall receives a packet that is supposed to be forwarded to one of the servers, it cannot rely on the destination's IP on the header, because that IP will be the external one. In order to properly forward that packet, it need to do a PREROUTING operation, by changing the IP from the external one to the internal one, based on port number. Hence, an incoming packet with the header :80 will be changed to :80 and then be forwarded to the server. It also needs to allow incoming DNS traffic exchange and traffic for the DMZ servers. External Firewall Accepted INPUT traffic iptables -A INPUT -p udp -s sport domain -j ACCEPT iptables -A INPUT -i eth2 -p tcp -m multiport --destination-port http,https,domain,1194,1723 -j ACCEPT Servers Services Ports Origin Network/Server DNS DNS 53 No restrictions iptables -A FORWARD -p udp -d dport domain -j ACCEPT 17

18 iptables -A FORWARD -p tcp -d dport domain -j ACCEPT Web HTTP, HTTPS 80, 443 No restrictions iptables -A FORWARD -p tcp -d m multiport --destination-port http,https -j ACCEPT Servers Services Ports Origin Network/Server VPN Server OpenVPN/PPTP 1194, 1723 No restrictions iptables -A FORWARD -p tcp -d m multiport --destination-port 1194,1723 -j ACCEPT NAT mechanism Connection's Origin Protocols SNAT Internal Network No restrictions iptables -t NAT -A POSTROUTING -o eth2 -j MASQUERADE DNAT Outside (Internet) HTTP, DNS, OpenVPN, PPTP iptables -t NAT -A PREROUTING -i eth2 -p tcp -m multiport --destination-port http,https -j DNAT --to iptables -t NAT -A PREROUTING -i eth2 -p tcp --dport domain -j DNAT --to iptables -t NAT -A PREROUTING -i eth2 -p udp -m multiport --destination-port domain -j DNAT --to iptables -t NAT -A PREROUTING -i eth2 -p tcp -m multiport --destination-port 1194,1723 -j DNAT --to Default Policies iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP 18

19 4 Conclusion After a long investigation about the topics of firewalls and IPTABLE, we are very satisfied with the result of the presentation and report. We think that we created a good presentation to help other people learn more about IPTables' basic concepts and how to use it. This report will be public so if anyone got any question, you can send us an and we are very pleased to help. 19

20 5 Bibliography Gestão de Sistemas e Redes em Linux. ISBN: Autor: Jorge Granjal Understanding Linux Network Internals. Author: Christian Benvenuti Dominando Linux Firewall Iptables. Author: Urubatan Neto - source code iptables Author: Oskar Andreasson - Manual 20