Netfilter / IPtables

Similar documents
Intro to Linux Kernel Firewall

+ iptables. packet filtering && firewall

Firewalls. Chien-Chung Shen

Main functions of Linux Netfilter

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Linux Routers and Community Networks

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Linux Firewall Wizardry. By Nemus

Chapter 7. Firewalls

Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )

Linux Firewalls (Ubuntu IPTables) II

CS Computer and Network Security: Firewalls

Protecting and controlling Virtual LANs by Linux router-firewall

Linux Firewall. Linux workshop #2.

CS Computer and Network Security: Firewalls

TECHNICAL NOTES. Security Firewall IP Tables

CSC574 - Computer and Network Security Module: Firewalls

Linux Networking: IP Packet Filter Firewalling

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Network security Exercise 9 How to build a wall of fire Linux Netfilter

How To Understand A Firewall

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

Computer Firewalls. The term firewall was originally used with forest fires, as a means to describe the

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Linux: 20 Iptables Examples For New SysAdmins

Firewalls. Pehr Söderman KTH-CSC

Network Security Exercise 10 How to build a wall of fire

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Worksheet 9. Linux as a router, packet filtering, traffic shaping

Packet filtering with Linux

How to Turn a Unix Computer into a Router and Firewall Using IPTables

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

ipchains and iptables for Firewalling and Routing

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Packet Filtering Firewall

Managing Multiple Internet Connections with Shorewall

CSE543 - Computer and Network Security Module: Firewalls

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Definition of firewall

Load Balancing Trend Micro InterScan Web Gateway

Linux Cluster Security Neil Gorsuch NCSA, University of Illinois, Urbana, Illinois.

VENKATAMOHAN, BALAJI. Automated Implementation of Stateful Firewalls in Linux. (Under the direction of Ting Yu.)

Linux Networking Basics

Компјутерски Мрежи NAT & ICMP

Load Balancing Sophos Web Gateway. Deployment Guide

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Stateful Firewalls. Hank and Foo

CIS 433/533 - Computer and Network Security Firewalls

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Load Balancing Bloxx Web Filter. Deployment Guide

21.4 Network Address Translation (NAT) NAT concept

Firewalls (IPTABLES)

Netfilter s connection tracking system

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

IP Address: the per-network unique identifier used to find you on a network

Load Balancing McAfee Web Gateway. Deployment Guide

Bridgewalling - Using Netfilter in Bridge Mode

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

About Firewall Protection

Firewall Configuration and Assessment

GregSowell.com. Mikrotik Security

Firewalls. October 23, 2015

IPv6 Security from point of view firewalls

Firewall implementation and testing

LECTURE 4 NETWORK INFRASTRUCTURE

How to protect your home/office network?

FIREWALL AND NAT Lecture 7a

CIT 480: Securing Computer Systems. Firewalls

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Fault tolerant stateful firewalling with GNU/Linux. Pablo Neira Ayuso Proyecto Netfilter University of Sevilla

Load Balancing Smoothwall Secure Web Gateway

Load Balancing Clearswift Secure Web Gateway

Linux Network Security

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Linux 2.4 stateful firewall design

iptables: The Linux Firewall Administration Program

10.4. Multiple Connections to the Internet

CIT 480: Securing Computer Systems. Firewalls

Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Linux as an IPv6 dual stack Firewall

Network and Services Discovery

Chapter 13 Internet Protocol (IP)

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

Focus on Security. Keeping the bad guys out

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

OpenBSD in the wild...a personal journey

Transcription:

Netfilter / IPtables Stateful packet filter firewalling with Linux Antony Stone Antony.Stone@Open.Source.IT

Netfilter / IPtables Quick review of TCP/IP networking & firewalls Netfilter & IPtables components How packets pass through the system Netfilter matches & targets Standard security policy Network Address Translation + problems New & interesting netfilter matches & targets What can go wrong / debugging

Review of TCP/IP & Firewalls HTTP requests and responses Packaged into TCP packet, with TCP header Source & destination port numbers TCP flags Sequence & acknowledgement numbers TCP packaged into IP packet with IP header Source & destination IP addresses IP packets travel across the Internet Routed by destination address

Review of TCP/IP & Firewalls Early Internet - everyone trusted - no firewalls Public access - firewalls restrict: External access to internal resources Internal access to external services Internal access to sensitive data Basic principle: Keep the engineers out of the personnel database Firewalls are routers which can say no. Firewall rules based on organisation's security policy

Types of firewalls Packet filters vs. proxy firewalls Packet filters look at IP addresses, TCP/UDP port numbers - header information only Proxies look at IP addresses, TCP/UDP port numbers, plus content of datastream Stateful vs. non-stateful Stateful packet filters understand 'connections' Reply packets can be handled securely Rulesets are simpler and easier to understand

Netfilter & iptables Netfilter is the kernel component which processes the packets IPtables is the userspace application which manages the ruleset Netfilter terminology: Chains - eg: INPUT, FORWARD, OUTPUT Tables - eg: filter, nat, mangle, raw Rule matches - eg: protocol, address, port etc. Rule targets - eg: ACCEPT, REJECT, LOG etc.

Netfilter chains & tables PREROUTING chain all packets entering an interface (eg: eth, lo, ppp...) INPUT chain all packets addressed to the firewall FORWARD chain all packets being routed through the firewall OUTPUT chain all packets generated from the firewall POSTROUTING chain all packets leaving an interface (eg: eth, lo, ppp...)

Netfilter chains & tables filter table nat table Filtering operations :-) ACCEPT, REJECT, DROP Also LOG Network Address Translation SNAT, DNAT, MASQUERADE Also ACCEPT can be useful for exceptions

Netfilter chains & tables mangle table raw table Packet (header) mangling Change TTL Change TOS / DSCP Set MARKs Change routing (interfaces, gateway) access to packets before connection tracking

Path of packets PREROUTING POSTROUTING R FORWARD R INPUT OUTPUT

Path of packets PREROUTING POSTROUTING In to THIS system R FORWARD R From THIS system INPUT OUTPUT

Path of packets PREROUTING Routed through this system POSTROUTING R FORWARD R INPUT OUTPUT

Path of packets - even more detail PREROUTING chain raw ---> mangle ---> nat POSTROUTING chain mangle ---> nat INPUT & FORWARD chains mangle ---> filter OUTPUT chain raw ---> mangle ---> nat ---> filter

Netfilter rule matches Match means which packets does this rule apply to? -p tcp - all TCP packets -d a.b.c.d/n - destination address = a.b.c.d/n --dport x - destination port number = x --length - number of bytes in packet --mac-source - MAC address of sending device -i, -o - input / output interface for packet

Netfilter rule targets Target means what happens to the packets which match? ACCEPT - packet is accepted DROP - packet is dropped / discarded DNAT - destination address is changed LOG - packet is logged to syslog (processing continues) REJECT - packet is dropped, reject returned MARK - mark a packet, useful in later processing MIRROR - reverse source & destination :-) UKUUG Leeds 2004 Netfilter / IPtables Antony Stone

User-defined chains User-defined chains can be created in addition to the five built-in chains iptables -N mychain iptables -A INPUT -p tcp --dport 22 -j mychain iptables -A mychain -s 192.168.0.10 -j LOG iptables -A mychain -j ACCEPT RETURN target returns from user-defined chain to the calling chain (useful for exceptions)

Standard security policy Everything is blocked, except that which is explicitly allowed Default DROP policy on filter tables (NEVER set default DROP on nat or mangle!) Individual rules allow packets which are wanted LOG packets which get blocked?

Example ruleset 1 iptables -P INPUT DROP iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT iptables -P FORWARD DROP iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT

Stateful filtering What does this mean? -m state --state ESTABLISHED,RELATED ESTABLISHED matches any packets with source/destination addresses/ports matching an entry in the connection tracking table Source/destination match forward & reverse Conntrack table entries are automatically created when a packet is ACCEPTed

Stateful filtering RELATED matches packets which netfilter identifies as being related to an entry in the conntrack table FTP data channel is RELATED to the control channel ICMP responses (eg: host unreachable, TTL exceeded) are RELATED to the packets they're in response to

Network Address Translation SNAT / MASQUERADE Changes the source address of packets leaving a network - usually so that the reply packets can get back again DNAT Changes the destination address of packets so that they go to a different machine than they were originally addressed to

Network Address Translation SNAT / MASQUERADE Usually used to 'hide' a network of machines using private (RFC1918) internal addresses behind one or more publicly routable IP addresses DNAT Usually used to provide publicly-accessible services from machines on a privately-addressed network

Network Address Translation Some people regard NAT as evil - because it breaks protocols such as FTP, H.323 Some people regard protocols such as FTP, H.323 as evil - because they embed IP addresses and port numbers in application layer communications NAT also breaks IPsec transport mode (AH), which has a checksum involving the addresses

Example ruleset 2 iptables -P INPUT DROP iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT iptables -P FORWARD DROP iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

Network Address Translation I have DNAT working fine from the Internet to a machine on my network, but why can't clients on my network access its public IP address? Request goes through firewall (NAT) Reply goes directly across network (no NAT) Client sends to a.b.c.d, gets reply from w.x.y.z I would be very happy if nobody ever asked this question again on the netfilter mailing list!

More netfilter matches & targets Recent versions of netfilter (currently 1.2.11) have introduced many interesting and less-often used (less-often explained?) matches and targets No longer just packet header information Also netfilter internal information eg: MARK, CONNMARK, rate limits, helpers Also external packet characteristics eg: owner, route, time, random matches

Interesting new rule matches addrtype condition connmark UNICAST, LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE, PROHIBIT, THROW, NAT, XRESOLVE checks content of / proc/net/ipt_condition/filename matches packets in marked connections like the mark match, but applies to replies too

Interesting new rule matches conntrack dstlimit allows detailed matching of packet against connection tracking table data: original source/destination address reply source/destination address internal conntrack state (EXPECTED, SEEN_REPLY, ASSURED etc) expiry time remaining allows rate limiting per IP address like the limit match, but per IP

Interesting new rule matches helper owner physdev matches packets according to a particular connection tracking helper module (eg: FTP, IRC) for locally-generated packets, match for the process which generated the packet: UID, GID, PID, SID, command name allows matching of interfaces when bridging

Interesting new rule targets BALANCE CLASSIFY DNAT to several addresses using round-robin set priority value for classifying packets into CBQ (Class-Based-Queuing) classes CBQ is used for allocating bandwidth pools CLUSTERIP distributes connections to a cluster of machines sharing IP & MAC addresses

Interesting new rule targets CONNMARK NETMAP NOTRACK Assign a numeric mark to packets, for later matching, but match on reply packets too map a range of addresses to a second range of addresses (can be 1:1, can map to a smaller range using a mask) (SNAT & DNAT) Disables connection tracking for selected packets (good for avoiding DoS attacks)

Interesting new rule targets ROUTE TCPMSS Changes routing information about a packet input interface name output interface name next hop gateway address Control Maximum Segment Size of TCP packets (usually to match the Maximum Transmission Unit of a particular link) TTL Change the Time To Live value of a packet

Extensions to netfilter Patch-o-matic Various experimental, unofficial or esoteric extensions to netfilter Applies patches to netfilter (in the kernel source code) and iptables (userspace application) - need to recompile both Currently still stabilising after being adapted to kernel 2.6 (as well as kernel 2.4)

Extensions to netfilter OSF Operating System Fingerprinting Adapted from BSD pf code PSD Port Scan Detection TARPIT Accepts incoming TCP connections, causing the remote system to get stuck in a 12-24 minute timeout, without allowing connection closure

Extensions to netfilter XOR Simplistic encryption of TCP / UDP packet contents using XOR operation COMMENT Allows comments to be added to netfilter rules connbytes CuSeeMe Matches against number of bytes transferred NAT helper for CuSeeMe protocol

Extensions to netfilter drop table (and DROPPED chain) Adds a new table for packets which are being dropped, enabling them to be logged goto Alternative to jump, returns to parent chain QUAKE3 instead of this chain Adds conntracking & nat support for Quake III

Conntrack technical details Connection tracking table ~300 bytes of RAM needed per conntrack entry Default conntrack table size = RAM (Mbytes) x 64 (min 128, max 65536) eg: 256Mbyte machine: 16384 connections This allocates 2% of system RAM for conntrack Dedicated firewall has not much use for most of the remaining 98% RAM Manually adjust: /proc/sys/net/ipv4/netfilter/ip_conntrack_max

Conntrack technical details Connection tracking table can fill up! No more new connections will be accepted Common causes: Solution: SYN flood (DoS attack) Worm-infected PC on internal network Add rule to block offending IP (or unplug PC) Increase conntrack table size Wait for old connections to timeout

Conntrack technical details Connection tracking is entirely based on: Source & destination IP addresses Source & destination TDP/UDP ports Connection tracking does not use: TCP sequence / acknowledgement numbers /proc/net/ip_conntrack lists current entries useful first indication of a worm on your network

Firewall debugging Client cannot connect when firewall ruleset is in place; client can connect with no ruleset How to debug? ACCEPT packets which are wanted DROP packets which are known and unwanted LOG packets which get this far DROP remainder using default policy iptables -L -nvx Shows packet & byte counters for each rule

Traps for the unwary iptables -L does not list all the rules The filter table is assumed by default If you want the nat or mangle tables, you must specify them: iptables -L -t nat DNAT is not working ensure that the FORWARD rule allows the new (translated) address, not the original address LOG logs to the console, not /var/log/messages use -j LOG --log-level=6 and check /etc/syslogd.conf

Traps for the unwary DNAT sends packets to my server, but nobody can connect check return route from server - must go through firewall for reverse NAT Passive FTP works fine, but not active FTP When doing NAT, active FTP requires the FTP NAT helper module loaded, or compiled into kernel Looks for the FTP PORT command in the datastream and adds a RELATED conntrack table entry

Traps for the unwary LOG in the nat table records almost no packets Only the first packet of a connection goes through the rules in the nat tables - all subsequent packets (both ways) are processed automagically in the background DNAT works fine for packets routed through the firewall, but not for packets originating on the firewall machine itself PREROUTING is only for packets entering the machine The OUTPUT chain has a nat table for DNATting locallygenerated packets

Netfilter tricks Rules do not have to have a target iptables -A FORWARD -p tcp --dport 22 is a perfectly valid rule Useful for packet counting! can be used to mean anything except... iptables -A FORWARD -p tcp --dport! 22 -j LOG Will LOG all packets except SSH (TCP 22)

Netfilter tricks How to handle two (or more) exceptions? User-defined chain iptables -N mychain iptables -A mychain -d a.b.c.d -j RETURN iptables -A mychain -d w.x.y.z -j RETURN iptables -A mychain -j LOG User-defined chains can also have nat and mangle table rules eg: SNAT all packets except from these three IP addresses

Networking words of wisdom 90% of all networking problems are routing problems. 9 of the remaining 10% are routing problems, but in the other direction. The final 1% might be something else, but check the routing anyway.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information