Vuurmuur - iptables manager

Size: px

Start display at page:

Download "Vuurmuur - iptables manager"

Harvey Caldwell
8 years ago
Views:

1 Vuurmuur - iptables manager Victor Julien July 7, 2014 Victor Julien Vuurmuur - iptables manager July 7, / 23

2 About me Vuurmuur founder and lead developer of Vuurmuur Open Source Suricata IDS/IPS ModSecurity, libhtp, modsec2sguil, sguil, snort_inline Victor Julien Vuurmuur - iptables manager July 7, / 23

3 iptables Powerful, but complex Packet processing happens in several tables: mangle, filter, nat, raw Default chains: INPUT, OUTPUT, FORWARD and several others Also, define your own chains Don t get me started on traffic shaping Victor Julien Vuurmuur - iptables manager July 7, / 23

and several others Also, define your own chains Don t get me started on

4 Rule Example Example of a rule: i p t a b l e s t f i l t e r A FORWARD i eth1 o ppp0 \ p tcp m tcp syn \ s / s p o r t 1024:65535 \ d / dport 4070 \ m l i m i t l i m i t 5/ sec l i m i t b u r s t 10 \ m conntrack c t s t a t e NEW \ j NFLOG nflog p r e f i x "ACCEPT " nflog group 9 Rather complex, right? Victor Julien Vuurmuur - iptables manager July 7, / 23

$0. 0. 0 / 0. 0. 0. 0 dport 4070 \ m l i m i t l i m i t 5/ sec l i m i t b u r s t 10 \ m conntrack c t$

5 Vuurmuur Started in 2002 as a project to learn programming Born out of frustration with managing iptables scripts Mature, free-time project Therefore, slow moving project :) Victor Julien Vuurmuur - iptables manager July 7, / 23

Mature, free-time project Therefore, slow moving project

6 Vuurmuur Goal Allow users to easily setup and manage a secure and efficient firewall, without needing iptables specific knowledge. Victor Julien Vuurmuur - iptables manager July 7, / 23

7 Vuurmuur Features Ncurses GUI manage over SSH Target is gateway firewalls Log viewer, connection viewer Easy way to setup NAT, portforwarding NFQUEUE support for integrating with Suricata IPS Basic traffic shaping and prioritization support Basic IPv6 support Keeps an audit log of all changes Victor Julien Vuurmuur - iptables manager July 7, / 23

with Suricata IPS Basic traffic shaping and prioritization support Basic IPv6 support

8 Ncurses Victor Julien Vuurmuur - iptables manager July 7, / 23

9 Vuurmuur Concepts One or more zones : in/out, lan/wan, red/green Within each zone: one or more networks Within each network: one or more hosts (optional) Interface mapping with local interfaces Interfaces are connected to a network Services define protocols and ports Victor Julien Vuurmuur - iptables manager July 7, / 23

mapping with local interfaces Interfaces are connected to a network Services

10 Concepts Victor Julien Vuurmuur - iptables manager July 7, / 23

11 Rules Rule Example accept service http from local.lan to world snat service http from local.lan to world About the names Zone names have a fixed structure "local.lan" means: zone "lan" and within that network "local" In "server.local.lan", "server" is the host This way it s always clear what part of your network a rule applies to Victor Julien Vuurmuur - iptables manager July 7, / 23

lan" means: zone "lan" and within that network "local"

12 Rules Port forwarding rule Example portfw service ssh from world to myserver.servers.dmz Port forwarding rule example, with NFQUEUE nfqueue service smtp from world to mailserver.servers.dmz dnat service smtp from world to mailserver.servers.dmz Victor Julien Vuurmuur - iptables manager July 7, / 23

dmz Port forwarding rule example, with NFQUEUE nfqueue service smtp from

13 Rules Victor Julien Vuurmuur - iptables manager July 7, / 23

14 Rules Traffic Shaping Rule Example accept s e r v i c e any from voip. l o c a l. lan to world. i n e t \ options log, l o g l i m i t = " 1 ", \ in_min= " 50kbps ", out_min= " 50kbps ", p r i o = " 1 " Victor Julien Vuurmuur - iptables manager July 7, / 23

$i n e t \ options log, l o g l i m i t = " 1 ", \ in_min= " 50kbps$

15 Vuurmuur How it works Read rules, zones, etc Turn into iptables and tc rulesets Feeds ruleset to iptables-restore Enable/disable ip forwarding if necessary Helpful command: vuuurmuur -b (bash out) Victor Julien Vuurmuur - iptables manager July 7, / 23

ip forwarding if necessary Helpful command: vuuurmuur -b (bash

16 Log Viewer Victor Julien Vuurmuur - iptables manager July 7, / 23

17 Connection Viewer Victor Julien Vuurmuur - iptables manager July 7, / 23

18 Applying Changes Victor Julien Vuurmuur - iptables manager July 7, / 23

19 Ulogd2 Vuurmuur to JSON logging stack=log1 :NFLOG, base1 :BASE, i f i 1 : IFINDEX, \ i p 2 s t r 1 : IP2STR, mac2str1 :HWHDR, json1 :JSON [ log1 ] group=9 [ json1 ] sync=1 f i l e = " / var / log / ulogd. json " Victor Julien Vuurmuur - iptables manager July 7, / 23

:JSON [ log1 ] group=9 [ json1 ] sync=1 f i l e = " / var / log /

20 Ulogd2 PCAP Logging stack=log2 :NFLOG, base1 :BASE, pcap1 :PCAP [ log2 ] group=7 [ pcap1 ] f i l e = " / var / log / vuurmuur. pcap " sync=1 Victor Julien Vuurmuur - iptables manager July 7, / 23

21 Coming Soon In Development NFLOG / IDS target: support Suricata s NFLOG input (git master) Use Ulogd2 to replace vuurmuur_log Victor Julien Vuurmuur - iptables manager July 7, / 23

22 Coming soon? Future Work Nftables support ipset support SYNPROXY Real GUI? Web GUI? Victor Julien Vuurmuur - iptables manager July 7, / 23

23 Finally Get Involved! Open Source: GPLv2+ #vuurmuur on freenode Victor Julien Vuurmuur - iptables manager July 7, / 23

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN Firewall IPTables and its use in a realistic scenario FEUP MIEIC SSIN José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 Topics 1- Firewall 1.1 - How they work? 1.2 - Why use them? 1.3 - NAT