Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Topics
1 - Firewall
  1.1 - How they work
  1.2 - Why use them?
  1.3 - NAT and firewalls
  1.4 - Requirements analysis
    1.4.1 - Servers and services
    1.4.2 - Ports
2 - Iptables
  2.1 - Background and history
  2.2 - What is iptables?
  2.3 - Basic concepts and commands
3 - A case study
  3.1 - Topology of the network
  3.2 - The requirements analysis

1 - Firewall
A firewall is a security system that controls inbound and outbound network traffic by inspecting packets. For each packet it consults an ordered set of rules and decides whether to let it through or not; in short, it filters incoming and outgoing traffic.

1.1 - How they work
There are four classic types of firewall:
1. Circuit-level gateway: relays TCP connections after validating the handshake, without inspecting the payload.
2. Application gateway (proxy): terminates the connection and understands the application protocol (HTTP, FTP, ...).
3. Packet filter: decides per packet on header fields (addresses, protocol, ports), with no memory of earlier packets.
4. Stateful inspection: a packet filter that tracks connections, so reply traffic is matched against a known flow instead of needing its own static rule. Netfilter's connection tracking (conntrack) is what makes iptables a stateful firewall.

1.2 - Why use them?
Pros:
1. Allows NAT to be defined.
2. Can block malicious connections to a system or network.
3. Separates publicly reachable hosts from private ones.
Cons:
1. Getting every rule right can be hard, and a wrong rule either blocks legitimate traffic or silently opens a hole.
Conclusion: taking the time to configure a firewall can greatly improve security. Not using one is at your own risk.

1.3 - NAT and Firewall
Network Address Translation (NAT) lets the hosts of an internal network communicate with outside networks through a single, shared public IP address. A firewall at the network edge typically provides it by masquerading outgoing connections (SNAT: rewriting the source address to its public one) and translating incoming connections (DNAT: rewriting the destination to an internal server).
Because internal addresses are private and not routable from the Internet, NAT incidentally shields internal hosts from direct access from outside. It is not a substitute for filtering, though: every DNAT rule deliberately exposes an internal host, and the filter rules still decide what is allowed through.
[Figure: a WAN link with public address 1.1.1.1 on the firewall's outside interface, 192.168.1.1 on its inside interface, and behind it the internal host 192.168.1.10 and a web server at 192.168.1.2.]

1.4 - Requirements Analysis Why? What? Who? When? Where?

1.4.1 - Servers and Services
Identify which servers and hosts exist in the network and in which subnetwork each lives. For every server or host, record whether it runs a service (and which one), which services it is allowed to reach (and where), and who is allowed to reach the service it provides. These answers become the allow rules; everything not listed is denied by the default policy.

1.4.2 - Ports
For each service in the network, identify the port it listens on. Well-known defaults: HTTP 80, HTTPS 443 (8080 is a common alternative HTTP port, not the HTTPS default). Services can be run on non-standard ports, but then the chosen port must be carried into the rule specification and into any port-forwarding (DNAT) rule that publishes the service. Check the inventory against what is actually listening on each host (for example with ss -tulnp) rather than against documentation alone.
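The check suggested above can be scripted. The following POSIX shell script is an added example, not part of the deck: it parses output in the layout of ss -tuln and reconciles it with the documented inventory of the case study's web server. The ss output and the inventory are constructed here; on a real host the SAMPLE_SS variable would be filled from the command itself.

```shell
#!/bin/sh
# Reconcile the documented port inventory of a host with what actually listens.
# SAMPLE_SS is constructed output in the layout of `ss -tuln`; on a real host
# replace it with:  SAMPLE_SS="$(ss -tuln)"
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128        0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:8080    0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:3306    0.0.0.0:*'

# Documented inventory for the web server (192.168.1.1): one proto/port per line.
DOCUMENTED='tcp/80
tcp/443
tcp/22'

# listeners: print "proto/port" for every socket bound to a non-loopback address.
# Loopback-only sockets are skipped: they are unreachable from the network anyway.
listeners() {
    printf '%s\n' "$SAMPLE_SS" | awk '
        NR > 1 && $5 !~ /^127\./ && $5 !~ /^\[::1\]/ {
            n = split($5, a, ":")   # the port is the last ":"-separated field (IPv6 too)
            print $1 "/" a[n]
        }' | sort -u
}

# undocumented_listeners: listeners missing from the inventory.  Each one is either a
# service nobody accounted for in the rule set, or a service that should not be running.
undocumented_listeners() {
    listeners | while IFS= read -r l; do
        printf '%s\n' "$DOCUMENTED" | grep -qxF -- "$l" || printf '%s\n' "$l"
    done
}

# documented_but_closed: inventory entries with nothing listening (stale documentation,
# or a firewall rule that opens a port for a service that no longer exists).
documented_but_closed() {
    printf '%s\n' "$DOCUMENTED" | while IFS= read -r d; do
        listeners | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

echo "Listening but undocumented:"; undocumented_listeners
echo "Documented but not listening:"; documented_but_closed
```

With the constructed sample the first report names tcp/8080 and udp/53: an alternative HTTP port and a resolver that the web server's table does not mention, so either the rules must be extended or the services stopped. The MySQL socket on 127.0.0.1 is deliberately ignored, since a filter rule can neither expose nor protect it.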

2.1 - Iptables: Background History
Linux kernels have had packet filtering since the 1.1 series:
ipfw - the BSD packet filter, ported to Linux in the 1.1 kernels.
ipfwadm - the userspace tool for kernel 2.0.
ipchains - its rewrite, used in kernel 2.2.
iptables - the fourth-generation tool, built on the Netfilter framework, since kernel 2.4. Its successor, nftables (the nft tool), has been in the kernel since 3.13, and current distributions often ship an iptables command that is a compatibility layer over it.

[Figure: chain traversal in ipchains versus iptables. In ipchains every packet passed through the input chain, and a forwarded packet then also through forward and output. In iptables the three paths are disjoint: a packet for the local host traverses only INPUT, a locally generated packet only OUTPUT, and a routed packet only FORWARD.]

2.2 - What is iptables?
On Linux the packet-filtering framework has two parts:
Netfilter - the hooks and modules, implemented in kernel space.
iptables - the userspace tool that configures them.
When people say "iptables" they commonly mean both parts together.

iptables is the application that lets administrators manage the Netfilter configuration. Main characteristics:
Filtering with or without regard to connection state (stateful or stateless).
Support for NAT of addresses and ports.
Extensibility through match and target modules (the -m and -j extensions).

2.3 - Basic concepts
Rules - what the firewall must do with a matching packet.
Chain - an ordered list of rules. A packet is compared with the rules of a chain in order, and the first matching rule with a terminating target (ACCEPT, DROP, ...) decides. Every built-in chain has a default policy, applied when no rule matches.
Tables - iptables organizes chains into tables, each with a purpose and a set of predefined chains.

There are four commonly used tables (a fifth, security, exists for SELinux security marks):
filter table - the actual packet filtering; the default table. Chains: INPUT, OUTPUT, FORWARD.
nat table - rewrites source and/or destination addresses and ports; consulted only for the first packet of each connection, the rest follow the tracked mapping. Chains: PREROUTING, OUTPUT, POSTROUTING (and INPUT since kernel 2.6.34).
mangle table - alters header fields such as TOS, TTL and packet marks, not the payload. Chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING.
raw table - consulted before connection tracking, mainly to exempt packets from it (NOTRACK, or the CT target). Chains: PREROUTING, OUTPUT.

Packet flow through the tables and chains:
NETWORK -> PREROUTING (raw, mangle, nat: DNAT) -> routing decision
  destined to a local IP? YES -> INPUT (mangle, filter) -> LOCAL PROCESS
                          NO  -> FORWARD (mangle, filter) -> POSTROUTING
LOCAL PROCESS -> OUTPUT (raw, mangle, nat: DNAT, filter) -> POSTROUTING
POSTROUTING (mangle, nat: SNAT/MASQUERADE) -> NETWORK

2.3 - Basic concepts - commands
Save and restore. Rules can be kept as a script of iptables commands or, preferably, in the iptables-save format and reloaded in one step:
# iptables-save > FileWithRules
# iptables-restore < FileWithRules
Add -c to both commands to save and restore the packet and byte counters as well. iptables-restore --test parses a file without loading it, and a restore replaces the whole rule set atomically, whereas a script leaves the firewall half-configured while it runs (or fully open if it aborts halfway).

2.3 - Basic concepts - commands
General form:
# iptables [-t <table>] <-A|-I|-D> <CHAIN> <PKT_MATCHING_CRITERIA> -j <ACTION>

<table>
-t filter (default), -t nat, -t mangle, -t raw

<-A|-I|-D>
-A appends the rule at the bottom of the chain.
-I inserts it at the beginning (or at a given rule number).
-D deletes a rule, by specification or by number.
Related: -P sets a chain's default policy, -F flushes it, -N creates a user-defined chain, -L -n -v --line-numbers lists a chain with counters.

<CHAIN>
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING or a user-defined chain.
Examples:
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

<PKT_MATCHING_CRITERIA>
OSI layer 2
-i INTERFACE (input interface; valid in PREROUTING, INPUT, FORWARD)
-o INTERFACE (output interface; valid in FORWARD, OUTPUT, POSTROUTING)
-m mac --mac-source [!] xx:xx:xx:xx:xx:xx
OSI layer 3
-s or --source SRC_IP[/mask]
-d or --destination DST_IP[/mask]
OSI layer 4
-p udp | tcp | icmp | gre | ... (protocol name or number)
--icmp-type [!] <icmp_type> (ICMP)
UDP and TCP: --source-port or --sport PORT[:PORT], --destination-port or --dport PORT[:PORT]; for lists, -m multiport --sports or --dports port,port,...
TCP only: --tcp-flags <mask> <set> (from SYN ACK FIN RST URG PSH ALL NONE), --syn (shorthand for --tcp-flags SYN,RST,ACK,FIN SYN), --tcp-option [!] <tcp_option#>
Connection state
-m conntrack --ctstate NEW,ESTABLISHED,RELATED,INVALID (the older -m state --state works the same way)

<ACTION> (-j)
ACCEPT - let the packet through
DROP - discard the packet silently
REJECT - discard and notify the sender (an ICMP port-unreachable by default; --reject-with tcp-reset for TCP)
USER_DEFINED_CHAIN - jump into that chain
RETURN - leave the chain and continue after the rule that called it (or apply the policy, in a built-in chain)
LOG - write the packet to the kernel log; non-terminating, so evaluation continues with the next rule

nat table specific
SNAT --to-source - rewrite the source address (fixed public IP)
MASQUERADE - SNAT to the current address of the outgoing interface (dynamic IP)
DNAT --to-destination - rewrite the destination address (and optionally the port)
REDIRECT --to-ports - DNAT to the firewall itself (transparent proxies)

mangle table specific
TOS / DSCP - set the IP type of service / DSCP field
TTL - set, increment or decrement the time to live
MARK - set a firewall mark consulted by policy routing
(The ROUTE target listed in older texts is a patch-o-matic extension, not part of mainline iptables.)

3 - Case study
To aid the understanding of iptables, let's apply it to a fictional but realistic scenario. We will decide which rules apply on which firewall, which traffic goes in and out, to where and from where.

3.1 - Topology
[Figure: network topology]
Internet -- (eth2, 180.93.1.2) External Firewall
External Firewall -- DMZ 192.168.1.0/24: Web 192.168.1.1, DNS 192.168.1.2, VPN 192.168.1.3
External Firewall -- Internal Firewall
Internal Firewall (eth1) -- Protected Servers 10.10.0.0/24: SMTP 10.10.0.1, Admin Server 10.10.0.2, File Server 10.10.0.3
Internal Firewall (eth2) -- Users 10.10.1.0/24: user 1 ... user 5
Interface roles follow the rules on the later slides: eth2 is the Internet-facing interface of the external firewall, its other two interfaces (eth0, eth1) face the DMZ and the internal firewall; on the internal firewall eth1 faces the server segment and eth2 the user segment, so eth0 is its uplink to the external firewall.

3.2 - Requirements Analysis
For each server we start by defining the incoming connections it accepts and the outgoing connections it may make. The rules below form each host's own INPUT chain (a host firewall); the network firewalls on the following slides enforce the same matrix on the path between segments. Service names (domain, ssh, smtp, ...) are resolved through /etc/services; numeric ports avoid that dependency.

DMZ 192.168.1.0/24: Web .1, DNS .2, VPN .3

Web Server (192.168.1.1)
Service  Protocol  Port  Source Address
HTTP     TCP       80    All
HTTPS    TCP       443   All
SSH      TCP       22    Admin Server (10.10.0.2)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport 22 -j ACCEPT

DNS Server (192.168.1.2)
Service  Protocol  Port  Source Address
DNS      UDP       53    All
DNS      TCP       53    All (zone transfers and answers too large for UDP; the external firewall forwards TCP 53 to this host, so the host must accept it as well)
SSH      TCP       22    Admin Server
iptables -A INPUT -p udp --dport domain -j ACCEPT
iptables -A INPUT -p tcp --dport domain -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport ssh -j ACCEPT

VPN Server (192.168.1.3)
Service       Protocol  Port        Source Address
OpenVPN/PPTP  TCP       1194, 1723  All
OpenVPN       UDP       1194        All (OpenVPN's default transport is UDP; TCP is optional)
PPTP data     GRE       -           All (PPTP carries its payload in GRE, IP protocol 47, beside the TCP 1723 control channel)
SSH           TCP       22          Admin Server
iptables -A INPUT -p tcp -m multiport --dports 1194,1723 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport ssh -j ACCEPT

Protected Servers 10.10.0.0/24: SMTP .1, Admin Server .2, File Server .3

Mail Server (10.10.0.1)
Service                         Protocol  Port                 Source Address
SMTP, POP3, POP3S, IMAP, IMAPS  TCP       25,110,995,143,993   VPN Server (192.168.1.3), User Network (10.10.1.0/24)
SSH                             TCP       22                   Admin Server
iptables -A INPUT -p tcp -s 192.168.1.3 -m multiport --dports smtp,pop3,pop3s,imap,imaps -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.1.0/24 -m multiport --dports smtp,pop3,pop3s,imap,imaps -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport ssh -j ACCEPT
(The port list must contain no spaces, and every name must exist in /etc/services: pop3 and pop3s, not pop and pops.)

Admin Server (10.10.0.2)
Service  Protocol  Port  Source Address
SSH      TCP       22    VPN Server, User Network
iptables -A INPUT -p tcp -s 192.168.1.3 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.1.0/24 --dport ssh -j ACCEPT

File Server (10.10.0.3)
Service    Protocol  Port    Source Address
FTP, SFTP  TCP       21, 22  VPN Server, User Network
SSH        TCP       22      Admin Server
iptables -A INPUT -p tcp -s 10.10.1.0/24 -m multiport --dports ftp,ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 -m multiport --dports ftp,ssh -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport ssh -j ACCEPT
(FTP opens a second, data connection on a negotiated port; it is only recognised as RELATED to the control connection when the FTP connection-tracking helper is active, see slide (7).)

Users 10.10.1.0/24: user 1 ... user 5

User Hosts (10.10.1.0/24)
Service  Protocol  Port  Source Address
SSH      TCP       22    VPN Server, Admin Server
iptables -A INPUT -p tcp -s 192.168.1.3 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.0.2 --dport ssh -j ACCEPT

Matching 192.168.1.3 as the source of VPN users' traffic assumes the VPN server NATs its clients behind its own address; if clients keep their tunnel addresses, the rules need the tunnel address pool as source instead.

3.2 - Requirements Analysis (7)
Common to all hosts:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
By default every other packet is dropped, but packets that belong to, or are related to, a connection that was already allowed are accepted (for instance the data connection of an FTP transfer). Two practical points. First, this rule should be the first rule of the chain rather than the last: most packets of any connection are matched once by conntrack instead of being compared with every allow rule. Second, FTP data connections are only classified RELATED when the FTP conntrack helper is active (modprobe nf_conntrack_ftp; on kernels 4.7 and later helpers are no longer assigned automatically, so also add iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp). Hosts whose services talk to each other over loopback also need iptables -A INPUT -i lo -j ACCEPT.
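Every per-host table above has the same shape (protocol, port or port list, allowed source), so the INPUT chain can be compiled from it mechanically and in the right order: policies, loopback, connection tracking first, then the allow list. The following POSIX shell script is an added example and not the authors' code. The mail server table is the one from slide (3); the table format and the IPT variable (print the commands by default, IPT=iptables applies them as root) are this example's own conventions.

```shell
#!/bin/sh
# Compile a per-host requirement table into an INPUT chain.
# Table format (this example's own): one rule per line,
#   <proto> <port|port,port,...> <source CIDR | all>
# Lines starting with '#' are comments.  IPT selects what happens with each rule:
# the default prints the commands, IPT=iptables applies them (run as root).
IPT="${IPT:-echo iptables}"

# Mail server (10.10.0.1) requirements, as in the case study.
MAIL_SERVER_TABLE='# proto ports                   source
tcp     25,110,995,143,993      192.168.1.3
tcp     25,110,995,143,993      10.10.1.0/24
tcp     22                      10.10.0.2'

# host_rules: read a table on stdin, emit the complete INPUT chain for that host.
host_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    # Local inter-process traffic over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    # Connection tracking first: replies and related flows (e.g. FTP data, with the
    # ftp helper loaded) are accepted here and never walk the allow list below.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    while read -r proto ports source; do
        case "$proto" in ''|'#'*) continue ;; esac
        set -- -p "$proto"
        [ "$source" = all ] || set -- "$@" -s "$source"
        case "$ports" in
            *,*) set -- "$@" -m multiport --dports "$ports" ;;   # port list
            *)   set -- "$@" --dport "$ports" ;;                  # single port
        esac
        # New connections only: anything else was already decided by conntrack.
        $IPT -A INPUT "$@" -m conntrack --ctstate NEW -j ACCEPT
    done
}

printf '%s\n' "$MAIL_SERVER_TABLE" | host_rules
```

Applying the printed commands one by one on a remote host is safe only because the policy is set before the old INPUT chain is flushed and the SSH allow rule is re-added within milliseconds; for anything larger, feed the equivalent rules to iptables-restore so the whole set is swapped atomically.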

3.2 - Requirements Analysis (8)
We then move on to the firewalls themselves. Starting with the internal firewall, we decide which traffic is allowed in and out, to where and from where, protocols and ports included. On a firewall that routes between segments these rules belong in the FORWARD chain; INPUT only concerns packets addressed to the firewall itself.

Internal Firewall
Server       Services   Ports   Origin network/server
File Server  FTP, SFTP  21, 22  User network, VPN server, Admin server
iptables -A FORWARD -p tcp -d 10.10.0.3 -s 10.10.1.0/24 -m multiport --dports ssh,ftp -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.0.3 -s 192.168.1.3 -m multiport --dports ssh,ftp -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.0.3 -s 10.10.0.2 --dport ssh -j ACCEPT

3.2 - Requirements Analysis (9)
Server        Services  Ports  Origin network/server
Admin Server  SSH       22     User network, VPN server
iptables -A FORWARD -p tcp -d 10.10.0.2 -s 10.10.1.0/24 --dport ssh -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.0.2 -s 192.168.1.3 --dport ssh -j ACCEPT

3.2 - Requirements Analysis (10)
Server            Services  Ports  Origin network/server
User's Computers  SSH       22     User network, Admin server, VPN server
iptables -A FORWARD -p tcp -s 10.10.1.0/24 -d 10.10.1.0/24 --dport ssh -j ACCEPT
iptables -A FORWARD -p tcp -s 10.10.0.2 -d 10.10.1.0/24 --dport ssh -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.3 -d 10.10.1.0/24 --dport ssh -j ACCEPT
(The first rule never matches: traffic between two hosts of 10.10.1.0/24 stays on that segment and is not routed through the firewall. It is harmless, but it cannot enforce anything either; user-to-user SSH has to be controlled on the hosts themselves.)

3.2 - Requirements Analysis (11)
Server       Services                        Ports               Origin network/server
Mail Server  SMTP, POP3, POP3S, IMAP, IMAPS  25,110,995,143,993  User network, Admin server, VPN server
iptables -A FORWARD -p tcp -s 10.10.1.0/24 -d 10.10.0.1 -m multiport --dports smtp,pop3,pop3s,imap,imaps -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.3 -d 10.10.0.1 -m multiport --dports smtp,pop3,pop3s,imap,imaps -j ACCEPT
iptables -A FORWARD -p tcp -s 10.10.0.2 -d 10.10.0.1 --dport ssh -j ACCEPT

Outbound traffic from the two internal segments, return traffic and the default policy:
iptables -A FORWARD -i eth1 -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -s 10.10.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
The RELATED,ESTABLISHED rule is needed in FORWARD, not only in INPUT: the reply to a user's connection to the Internet comes back through eth0 with a 10.10.1.x destination and matches none of the per-service rules above, so with a DROP policy and without this rule no response from outside ever reaches a user. Note also that the two interface rules accept anything the servers or users originate, whatever the destination: -i eth1 -s 10.10.0.0/24 -j ACCEPT lets every protected server open connections into the user segment, which makes the explicit admin-to-users SSH rule redundant. Adding -o eth0 to both rules confines them to the uplink and keeps the separation between servers and users meaningful.
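Loading the internal firewall as one file with iptables-restore replaces the rule set atomically and avoids the window in which a script has set the DROP policy but not yet added the allow rules. Below, as an added example that is not part of the deck, the internal firewall's rules from slides (8) to (11) are rewritten in iptables-save format, with the return-traffic rule in FORWARD, the interface rules confined to the uplink, and service names resolved to numbers so the file does not depend on /etc/services. The interface roles (eth1 servers, eth2 users, eth0 uplink) follow the rules on the slides; the SSH-from-admin INPUT rule for managing the firewall itself is an assumption.

```shell
#!/bin/sh
# Internal firewall rule set in iptables-save format, loaded atomically.
# Interfaces (from the slides): eth0 uplink to the external firewall,
# eth1 protected servers 10.10.0.0/24, eth2 user hosts 10.10.1.0/24.

internal_fw_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- the firewall host itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Management from the admin server (assumption: not stated on the slides).
-A INPUT -p tcp -s 10.10.0.2 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# --- routed traffic ---
# Return traffic first.  Without this rule the reply half of every permitted flow, and
# every Internet reply to the user network arriving on eth0, falls through to DROP.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# File server 10.10.0.3: FTP (21) and SFTP (22) from users and the VPN server, SSH from admin.
-A FORWARD -p tcp -s 10.10.1.0/24 -d 10.10.0.3 -m multiport --dports 21,22 -j ACCEPT
-A FORWARD -p tcp -s 192.168.1.3 -d 10.10.0.3 -m multiport --dports 21,22 -j ACCEPT
-A FORWARD -p tcp -s 10.10.0.2 -d 10.10.0.3 --dport 22 -j ACCEPT
# Admin server 10.10.0.2: SSH from users and the VPN server.
-A FORWARD -p tcp -s 10.10.1.0/24 -d 10.10.0.2 --dport 22 -j ACCEPT
-A FORWARD -p tcp -s 192.168.1.3 -d 10.10.0.2 --dport 22 -j ACCEPT
# User hosts: SSH from the admin server and the VPN server.  (User-to-user traffic
# never crosses the firewall, so the slide's 10.10.1.0/24 -> 10.10.1.0/24 rule is omitted.)
-A FORWARD -p tcp -s 10.10.0.2 -d 10.10.1.0/24 --dport 22 -j ACCEPT
-A FORWARD -p tcp -s 192.168.1.3 -d 10.10.1.0/24 --dport 22 -j ACCEPT
# Mail server 10.10.0.1: SMTP/POP3/POP3S/IMAP/IMAPS from users and the VPN server, SSH from admin.
-A FORWARD -p tcp -s 10.10.1.0/24 -d 10.10.0.1 -m multiport --dports 25,110,995,143,993 -j ACCEPT
-A FORWARD -p tcp -s 192.168.1.3 -d 10.10.0.1 -m multiport --dports 25,110,995,143,993 -j ACCEPT
-A FORWARD -p tcp -s 10.10.0.2 -d 10.10.0.1 --dport 22 -j ACCEPT
# Outbound towards the external firewall (and the Internet) from both internal segments.
# -o eth0 keeps these from also granting the servers free access to the user segment.
-A FORWARD -i eth1 -o eth0 -s 10.10.0.0/24 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s 10.10.1.0/24 -j ACCEPT
COMMIT
EOF
}

# first_forward_rule: the rule forwarded traffic meets first.  A check worth running on
# any saved rule set: it must be the conntrack return-traffic rule, or replies are dropped.
first_forward_rule() {
    internal_fw_ruleset | sed -n '/^-A FORWARD /{p;q;}'
}

# load_internal_fw: parse the file first, then swap the whole rule set in one step (root).
load_internal_fw() {
    internal_fw_ruleset | iptables-restore --test && internal_fw_ruleset | iptables-restore
}

first_forward_rule
```

The check function is the kind of invariant that belongs in a deployment pipeline: dump the candidate file, assert that the first FORWARD rule is the RELATED,ESTABLISHED accept, and only then call iptables-restore.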

3.2 - Requirements Analysis (12)
On the external firewall we implement NAT, block access to the internal network and allow access to the DMZ services.
External Firewall - accepted INPUT traffic (packets addressed to the firewall itself):
iptables -A INPUT -p udp -s 192.168.1.2 --sport domain -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -m multiport --dports http,https,domain,1194,1723 -j ACCEPT
The first rule lets the firewall receive answers from the DMZ DNS server for its own lookups; it is already covered once the RELATED,ESTABLISHED rule is in place. The second is unnecessary and slightly risky: packets arriving on eth2 for those ports are rewritten by the DNAT rules in PREROUTING before the routing decision and therefore traverse FORWARD, not INPUT, so the only packets this rule can ever match are ones that escaped DNAT, and for those the firewall itself should not be listening. Prefer to leave INPUT closed on the Internet interface and manage the firewall from the admin server only.

3.2 - Requirements Analysis (13)
External Firewall - FORWARD rules towards the DMZ. Because DNAT in PREROUTING has already rewritten the destination, these rules match on the DMZ addresses, not on the public 180.93.1.2.
Server      Services      Ports       Origin network/server
DNS         DNS           53          No restrictions
Web         HTTP, HTTPS   80, 443     No restrictions
VPN Server  OpenVPN/PPTP  1194, 1723  No restrictions
iptables -A FORWARD -p udp -d 192.168.1.2 --dport domain -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport domain -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.1 -m multiport --dports http,https -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.3 -m multiport --dports 1194,1723 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
The state rule is required in FORWARD as well as in INPUT: it is what lets the DMZ servers' replies, and the Internet's replies to masqueraded internal clients, back through a chain whose policy is DROP. Two paths the table does not yet cover are outbound connections from the internal networks and the DMZ towards eth2 (without an accept rule for them the MASQUERADE rule on the next slide has nothing to translate) and the VPN server's connections into the protected segments, which the internal firewall's rules on slides (8) to (11) assume are forwarded.

3.2 - Requirements Analysis (14)
External Firewall - NAT
SNAT: connections originating in the user (and server) networks towards the Internet, no restriction on protocol:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
DNAT: connections from outside (Internet) for HTTP/HTTPS, DNS, OpenVPN and PPTP are redirected to the DMZ servers:
iptables -t nat -A PREROUTING -i eth2 -p tcp -m multiport --dports http,https -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport domain -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth2 -p udp --dport domain -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth2 -p tcp -m multiport --dports 1194,1723 -j DNAT --to-destination 192.168.1.3
Table names are lower-case (-t nat; -t NAT is rejected). MASQUERADE is the right target when the public address is dynamic; with the fixed address 180.93.1.2 from the topology, SNAT --to-source 180.93.1.2 does the same with less overhead. Two protocol details matter for the VPN server: OpenVPN listens on UDP 1194 by default (TCP is optional), and PPTP carries its data in GRE (IP protocol 47) beside the TCP 1723 control channel, so a UDP 1194 rule and a -p gre rule, in both the DNAT and the FORWARD chain, are needed before those services actually work through the firewall.

3.2 - Requirements Analysis (15)
External Firewall - default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
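Putting slides (12) to (15) together, here is the complete external firewall in iptables-save format, as an added example that is not the deck's own code. It keeps eth2 as the Internet interface and adds what the slides leave implicit: return traffic in FORWARD, the outbound rule that gives MASQUERADE something to translate, the VPN server's path into the protected segments that the internal firewall's tables assume, UDP 1194 and GRE for OpenVPN and PPTP, and a drop of private source addresses arriving from the Internet. It omits the INPUT rules on eth2 discussed on slide (12). The management rule from the admin server is an assumption, as is the choice to keep MASQUERADE rather than a fixed SNAT.

```shell
#!/bin/sh
# External firewall rule set in iptables-save format.
# eth2 faces the Internet (180.93.1.2); the DMZ is 192.168.1.0/24 and the protected
# segments behind the internal firewall are 10.10.0.0/24 and 10.10.1.0/24 (10.10.0.0/23).
# For PPTP's GRE to be tracked per tunnel, load nf_conntrack_pptp (and nf_nat_pptp).

external_fw_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Published DMZ services: rewrite the destination before the routing decision.
-A PREROUTING -i eth2 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i eth2 -p udp --dport 53 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -i eth2 -p tcp --dport 53 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -i eth2 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -i eth2 -p tcp -m multiport --dports 1194,1723 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -i eth2 -p gre -j DNAT --to-destination 192.168.1.3
# Everything leaving towards the Internet gets the public address.  With the fixed
# address from the topology, "-j SNAT --to-source 180.93.1.2" is the cheaper equivalent.
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Management only from the admin server (assumption), never from eth2.
-A INPUT -p tcp -s 10.10.0.2 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Return traffic for every forwarded flow, then whatever conntrack cannot classify.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: private source addresses cannot legitimately arrive from the Internet.
-A FORWARD -i eth2 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth2 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth2 -s 192.168.0.0/16 -j DROP
# Inbound to the DMZ.  FORWARD sees the DNATed (DMZ) destination, so match on that.
-A FORWARD -i eth2 -p tcp -d 192.168.1.1 -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i eth2 -p udp -d 192.168.1.2 --dport 53 -j ACCEPT
-A FORWARD -i eth2 -p tcp -d 192.168.1.2 --dport 53 -j ACCEPT
-A FORWARD -i eth2 -p udp -d 192.168.1.3 --dport 1194 -j ACCEPT
-A FORWARD -i eth2 -p tcp -d 192.168.1.3 -m multiport --dports 1194,1723 -j ACCEPT
-A FORWARD -i eth2 -p gre -d 192.168.1.3 -j ACCEPT
# VPN server into the protected segments: exactly the services the internal firewall grants it.
-A FORWARD -s 192.168.1.3 -d 10.10.0.0/23 -p tcp -m multiport --dports 21,22,25,110,995,143,993 -j ACCEPT
# Outbound: the internal segments and the DMZ may initiate towards the Internet.
# Nothing accepts eth2 -> 10.10.0.0/23, so the Internet can never initiate to the inside.
-A FORWARD -o eth2 -s 10.10.0.0/23 -j ACCEPT
-A FORWARD -o eth2 -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

# dnat_targets: the internal addresses this firewall publishes, one per line.
dnat_targets() {
    external_fw_ruleset | sed -n 's/.* -j DNAT --to-destination \([0-9.]*\).*/\1/p' | sort -u
}

# unforwarded_dnat_targets: published addresses with no FORWARD rule towards them.
# A DNAT without a matching FORWARD accept is a common "the port forward does not work".
unforwarded_dnat_targets() {
    dnat_targets | while IFS= read -r ip; do
        external_fw_ruleset | grep -q -- "^-A FORWARD .* -d $ip " || printf '%s\n' "$ip"
    done
}

# load_external_fw: parse first, then swap both tables in one step (root).
load_external_fw() {
    external_fw_ruleset | iptables-restore --test && external_fw_ruleset | iptables-restore
}

echo "Published hosts:"; dnat_targets
echo "Published but not forwarded:"; unforwarded_dnat_targets
```

The two check functions make the NAT/filter dependency explicit: every address that appears in a DNAT rule must also appear as a destination in FORWARD, otherwise the translated packet is dropped by the filter policy and the service is unreachable even though the NAT rule looks correct.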

Thank you for your attention!