Linux Firewall. Linux workshop #2. www.burningnode.com



Similar documents
Intro to Linux Kernel Firewall

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewalls. Chien-Chung Shen

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

+ iptables. packet filtering && firewall

Linux Firewall Wizardry. By Nemus

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Linux Routers and Community Networks

Linux Networking: IP Packet Filter Firewalling

Main functions of Linux Netfilter

Network Security Exercise 10 How to build a wall of fire

Netfilter / IPtables

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

Linux Firewalls (Ubuntu IPTables) II

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

ipchains and iptables for Firewalling and Routing

How To Understand A Firewall

CS Computer and Network Security: Firewalls

Chapter 7. Firewalls

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Protecting and controlling Virtual LANs by Linux router-firewall

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

TECHNICAL NOTES. Security Firewall IP Tables

Linux: 20 Iptables Examples For New SysAdmins

CS Computer and Network Security: Firewalls

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Load Balancing SIP Quick Reference Guide v1.3.1

Fault tolerant stateful firewalling with GNU/Linux. Pablo Neira Ayuso Proyecto Netfilter University of Sevilla

Worksheet 9. Linux as a router, packet filtering, traffic shaping

Packet filtering with Linux

Vuurmuur - iptables manager

VENKATAMOHAN, BALAJI. Automated Implementation of Stateful Firewalls in Linux. (Under the direction of Ting Yu.)

How to Turn a Unix Computer into a Router and Firewall Using IPTables

CSC574 - Computer and Network Security Module: Firewalls

Focus on Security. Keeping the bad guys out

Definition of firewall

IP Address: the per-network unique identifier used to find you on a network

Secure use of iptables and connection tracking helpers

Firewalls. October 23, 2015

Load Balancing Clearswift Secure Web Gateway

Load Balancing Sophos Web Gateway. Deployment Guide

Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Load Balancing Trend Micro InterScan Web Gateway

ClusterLoad ESX Virtual Appliance quick start guide v6.3

Computer Firewalls. The term firewall was originally used with forest fires, as a means to describe the

10.4. Multiple Connections to the Internet

Stateful Connection Tracking & Stateful NAT

Firewalld, netfilter and nftables

Load Balancing Bloxx Web Filter. Deployment Guide

CSE543 - Computer and Network Security Module: Firewalls

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Matthew Rossmiller 11/25/03

Assignment 3 Firewalls

CIS 433/533 - Computer and Network Security Firewalls

Bridgewalling - Using Netfilter in Bridge Mode

Load Balancing McAfee Web Gateway. Deployment Guide

Netfilter s connection tracking system

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Home Networking In Linux

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Linux Networking Basics

Smoothwall Web Filter Deployment Guide

Load Balancing - Single Multipath Route HOWTO

Packet Filtering Firewall

Appliance Quick Start Guide. v7.6

Load Balancing Smoothwall Secure Web Gateway

Ulogd2, Advanced firewall logging

AFW: Automating host-based firewalls with Chef

iptables: The Linux Firewall Administration Program

Linux Cluster Security Neil Gorsuch NCSA, University of Illinois, Urbana, Illinois.

TCP Session Load-balancing in Active-Active HA Cluster

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Linux Home Networking II Websites At Home

Appliance Quick Start Guide v6.21

Loadbalancer.org. Loadbalancer.org appliance quick setup guide. v6.6

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

Open Source Firewall

Network Security Management

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Firewall Configuration and Assessment

CIT 480: Securing Computer Systems. Firewalls

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

Linux as an IPv6 dual stack Firewall

Firewalls. Pehr Söderman KTH-CSC

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

Linux Network Security

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

How to Create, Setup, and Configure an Ubuntu Router with a Transparent Proxy.

McAfee Web Filter Deployment Guide

Transcription:

Linux Firewall Linux workshop #2

Summary Introduction to firewalls Introduction to the linux firewall Basic rules Advanced rules Scripting Redundancy Extensions Distributions Links 2

Introduction to firewalls What is a firewall? A firewall is a device that acheives network security features. Generally it keeps an internal network secured by filtering, analyzing and blocking undesirable traffic. Where is a firewall placed? A firewall is placed between two or more networks, that have different purposes, levels of security, and access rules. Stateless, stateful and application A stateless firewall is a simple firewall that evaluates packets against defined rules. It takes packets one by one. Can be bypassed. A stateful firewall monitors connections state and is able to take decisions based on it. Application firewalls provides advanced features to examine payloads (DPI, IPS ) 3

Introduction to linux firewall Linux Firewall : Netfilter: packet filtering framework for linux kernel (> 2.4) ip(6)tables: userspace CLI tool used to configure filtering rulesets. Other related tools arptables: CLI tool used for arp packet filtering ebtables: ethernet bridging table firewall tool http://www.netfilter.org/ http://ebtables.sourceforge.net/ 4

Introduction to linux firewall OSI Layers Physical Datalink Network Transport Session Presentation Application TCP/IP model Network interface Internet Transport Linux Link + NIC Driver Kernel TCP/IP stack (netfilter ) Actions Check the data integrity, pass the information to the datalink layer Check if the frame is intended to this host with the MAC address Based on source/destination IP address, the packet is either routed or passed to the next layer Based on the port the data are delivered to the right application Application Applications Applications 5

Introduction to linux firewall TCP connection tracking based on states Achieve with conntrack module. UDP connection tracking based on time window Images iptables.info 6

Introduction to linux firewall Chains are categories: INPUT: packet received and intended to the local host OUTPUT: packet sent by the host PREROUTING: packet received FORWARD: routing, forwarding packet from a network to another POSTROUTING: apply rules after the routing/forwarding decision iptables P INPUT DROP iptables A INPUT p tcp --dport 22 j ACCEPT It is possible to create custom chains: iptables N custom_chain 7

Introduction to linux firewall Chains continued 8

Introduction to linux firewall Netfilter provide connection tracking system (conntrack, stateful firewalling) States: NEW: new connection, new session ESTABLISHED: established transport session (successfull SYN-SYN/ACK- ACK for TCP) RELATED: the session is related to another (e.g.: FTP) INVALID: session is invalid and does not match any of the previous cases. Other TCP states: SYN_SENT, SYN_RECV, FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE iptables A INPUT m state --state RELATED,ESTABLISHED j ACCEPT iptables A OUTPUT m state --state RELATED,ESTABLISHED j ACCEPT iptables A FORWARD m state --state RELATED,ESTABLISHED j ACCEPT 9

Introduction to linux firewall iptables store its information in tables! Each table is dedicated to a specific use. Each of them contain can use a set of chains, and a set of targets. FILTER: filtering operations, the most common table. NAT: network address translation purposes. Only concerned by NEW state. MANGLE: advanced packet alteration operations RAW: used to prevent connection tracking iptables t filter L -n 10

Introduction to linux firewall In the netfilter terminology, actions are called TARGETS: There are terminating and non-terminating targets. ACCEPT: accept the packet DROP: drop the packet without notifying the source REJECT: drop the packet and notify the source with TCP RST (--reject-withtcp-rst) LOG: event logging DNAT: used to change the destination IP/port (NAT) SNAT: used to change the source IP/port (NAT) MASQUERADE: used on gateways to setup NAT overloading Actions continued: TOS, TTL, RETURN, MARK, QUEUE/NFQUEUE, ULOG/NFLOG, MIRROR, REDIRECT 11

Introduction to linux firewall Introduction to linux firewall In a chain the order of the statements is important. The first to match will be taken in account Consequently, be sure to set the most precise statements first. SSH connection accepted: iptables A INPUT p tcp --dport 22 j ACCEPT iptables A INPUT p tcp j DROP SSH connection denied iptables A INPUT p tcp j DROP iptables A INPUT p tcp --dport 22 j ACCEPT 12

Introduction to linux firewall Delete a rule iptables -D INPUT p tcp s 1.2.3.4 --dport 22 j ACCEPT iptables D INPUT 1 Introduction to linux firewall Flush all chains / a chain iptables F iptables t INPUT F Delete a chain iptables t INPUT X 13

Basic Rules Define policy actions iptables P INPUT DROP iptables P OUTPUT DROP iptables P FORWARD DROP Open a port iptables A INPUT p tcp s 1.2.3.4 --dport 22 j ACCEPT iptables A OUTPUT p tcp d 1.2.3.4 --dport 22 j ACCEPT Accept ESTABLISHED and RELATED sessions iptables A INPUT m state --state RELATED,ESTABLISHED j ACCEPT iptables A OUTPUT m state --state RELATED,ESTABLISHED j ACCEPT 14

Advanced rules Advanced rules Rate limit iptables -A INPUT p TCP --syn -m limit --limit 5/second -j ACCEPT iptables -A INPUT -s 1.2.3.4 -m limit --limit 1/minute j LOG Logging iptables -N LOGCHAIN iptables -A LOGCHAIN -j LOG --log-prefix "fwlog:" iptables -A LOGCHAIN -j DROP Blacklist iptables -N blacklist iptables -A blacklist -s 10.0.0.0/8 -j DROP iptables -A INPUT -j blacklist iptables -A OUTPUT -j blacklist iptables -A FORWARD -j blacklist 15

Advanced rules cont d Dynamic NAT overload (eth0 external) iptables -t NAT -A POSTROUTING -o eth0 -j MASQUERADE IPv6 filtering ip6tables P INPUT j DROP ip6tables P OUTPUT j DROP ip6tables P FORWARD j DROP ip6tables A INPUT p icmpv6 --icmpv6-type 136/0 j DROP ip6tables A OUTPUT p icmpv6 --icmpv6-type 136/0 j DROP Quality of Service iptables -t MANGLE -A PREROUTING -p tcp -m tcp --sport 3389 -j MARK --set-mark 0xe iptables -t MANGLE -A PREROUTING -p tcp -m tcp --sport 3389 -j RETURN iptables -t MANGLE -A PREROUTING -j MARK --set-mark 0x6 16

Troubleshooting commands Show all current rules iptables L n iptables L Show all current rules in the CLI format iptables --list-rules Netfiler loaded module lsmod grep nf Connection information (conntrack package) conntrack L conntrack -E 17

Scripting Necessity to script iptables to be reboot persistent Bash script (Bourne again shell) Start / Stop actions LSB tags Placed in /etc/init.d/ touch /etc/init.d/firewall.sh chmod a+x /etc/init.d/firewall.sh 18

Scripting Scripting cont d Write down all your iptables rules # Clear everything iptables -t filter -F # Deny all iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP iptables -t filter -P OUTPUT DROP # Allow ICMP iptables -t filter -A INPUT -p icmp -j ACCEPT iptables -t filter -A OUTPUT -p icmp -j ACCEPT # Allow SSH iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT # Connections iptables A INPUT m state --state RELATED,ESTABLISHED j ACCEPT iptables A OUTPUT m state --state RELATED,ESTABLISHED j ACCEPT 19

Scripting cont d Add some code to implement actions case $1 in start) ## PUT RULES HERE## ;; stop) # Clear everything and allow all iptables -t filter -F iptables -t filter -P INPUT ACCEPT iptables -t filter -P FORWARD ACCEPT iptables -t filter -P OUTPUT ACCEPT ;; esac 20

Scripting cont d Install the script to start during the OS boot sequence #!/bin/sh ### BEGIN INIT INFO # Provides: firewall.sh # Required-Start: # X-Start-Before: # Default-Start: 2 3 4 5 # Required-Stop: # Default-Stop: 0 1 6 # Short-Description: Start the ip(6)tables firewall. # Description: Start the ip(6)tables firewall. ### END INIT INFO update-rc.d firewall.sh remove update-rc.d firewall.sh defaults 21

Redundancy Two things needed : A redundancy mechanism (VRRP, keepalive) A state table synchronization system (conntrackd) 22

Extensions Advanced logging with Ulogd2 + PostgreSQL + nf3d http://2009.rmll.info/img/pdf/ulogd2-2.pdf Nulog web interface NuFW identity based firewall L7 filter enables application level firewall http://l7-filter.sourceforge.net/ Advanced manipulations with Nfqueue libraries 23

Firewall oriented distributions Software and physical appliances: IPcop Astaro security (acquired by Sophos) Shorewall NuFW EdenWall Exosec 24

Questions? 25

Linux firewall experts No more afraid of iptables Linux firewall experts No more afraid of a large number of rules No more afraid of redundancy Just more pratical works before becoming linux firewall experts! 26

Links Netfilter/ IPtables: http://www.netfilter.org/ http://ipset.netfilter.org/iptables.man.html http://doc.ubuntu-fr.org/iptables https://help.ubuntu.com/community/iptableshowto http://centoshelp.org/networking/iptables-advanced/ http://linuxgazette.net/108/odonovan.html http://www.techrepublic.com/article/utilizing-the-advanced-firewall-techniquesin-iptables/1031075 https://home.regit.org/ (Eric Leblond) http://2008.rmll.info/img/pdf/rmll-2008.pdf (Pablo Neira Ayuso) http://www.lartc.org/howto/ 27

Thank you