Lab 6: Building Your Own Firewall

Similar documents
Linux Firewall Lab. 1 Overview. 2 Lab Tasks. 2.1 Task 1: Firewall Policies. Laboratory for Computer Security Education 1

Linux LKM Firewall v 0.95 (2/5/2010)

Linux Firewall Exploration Lab

Lab Objectives & Turn In

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Lab 7: Software Defined Networking

Operating Systems Design 16. Networking: Sockets

Using Virtual Machines

User-level processes (clients) request services from the kernel (server) via special protected procedure calls

CONNECTING TO DEPARTMENT OF COMPUTER SCIENCE SERVERS BOTH FROM ON AND OFF CAMPUS USING TUNNELING, PuTTY, AND VNC Client Utilities

Basic Firewall Lab. Lab Objectives. Configuration

Tutorial. Reference for more thorough Mininet walkthrough if desired

Basic Exchange Setup Guide

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Protecting and controlling Virtual LANs by Linux router-firewall

CS Computer and Network Security: Firewalls

Linux Firewalls (Ubuntu IPTables) II

CS Computer and Network Security: Firewalls

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

Network packet capture in Linux kernelspace

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

Guideline for setting up a functional VPN

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

CSC574 - Computer and Network Security Module: Firewalls

Microsegmentation Using NSX Distributed Firewall: Getting Started

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Firewalls. Chien-Chung Shen

Packet Sniffing and Spoofing Lab

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Configuring PA Firewalls for a Layer 3 Deployment

Linux MDS Firewall Supplement

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Firewalls and Software Updates

F-Secure Messaging Security Gateway. Deployment Guide

Microsoft Labs Online

F-SECURE MESSAGING SECURITY GATEWAY

Introduction. What is a Remote Console? What is the Server Service? A Remote Control Enabled (RCE) Console

Basic Exchange Setup Guide

1 Download & Installation Usernames and... Passwords

Intego Enterprise Software Deployment Guide

Remote ESL On A Mac With OS-X Using SSH Tunneling & Port Forwarding

Manage a Firewall Using your Plesk Control Panel Contents

Remote Desktop Administration

Network provider filter lab

Parallels Plesk Panel

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Virtual Private Network (VPN) Lab

Laboration 3 - Administration

CSE543 - Computer and Network Security Module: Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Netfilter s connection tracking system

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

How To Install Openstack On Ubuntu (Amd64)

freesshd SFTP Server on Windows

Lab 1: Packet Sniffing and Wireshark

Setting up VPN Access for Remote Diagnostics Support

Firewall Implementation

SonicWALL SRA Virtual Appliance Getting Started Guide

FTP Peach Pit Data Sheet

How to deploy console cable to connect WIAS-3200N and PC, to reset setting or check status via console

Lab Configuring Access Policies and DMZ Settings

athenahealth Interface Connectivity SSH Implementation Guide

Virtual Appliance Setup Guide

Linux: 20 Iptables Examples For New SysAdmins

Microsoft Labs Online

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

How To - Implement Clientless Single Sign On Authentication with Active Directory

VHA Innovations Program Future Technology Laboratory. Linux Workstation Remote Desktop Connection Manual

Introduction to Network Security Lab 1 - Wireshark

VMware vcloud Air Networking Guide

Chapter 7. Firewalls

Setting up VMware Server v1 for 2X VirtualDesktopServer Manual

EXPLORER. TFT Filter CONFIGURATION

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

Setting up Remote Desktop

How to gain direct access to SQL Server at Garching via SSH

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

Adafruit's Raspberry Pi Lesson 5. Using a Console Cable

XIA Configuration Server

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

SI455 Advanced Computer Networking. Lab2: Adding DNS and Servers (v1.0) Due 6 Feb by start of class

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

REAL TIME OPERATING SYSTEM PROGRAMMING-II: II: Windows CE, OSEK and Real time Linux. Lesson-12: Real Time Linux

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Analyze Traffic with Monitoring Interfaces and Packet Forwarding

Deploy the ExtraHop Discover Appliance with Hyper-V

Connecting to Remote Desktop Windows Users

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

VCL Access. VCL provides access to Linux and Windows 7 Virtual Machines. Users will only see those images that they are authorized to access.

Lab Exercise Configure the PIX Firewall and a Cisco Router

Using RADIUS Agent for Transparent User Identification

Building your own Terminal server.

Local Caching Servers (LCS): User Manual

Setting up Hyper-V for 2X VirtualDesktopServer Manual

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

INASP: Effective Network Management Workshops

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Transcription:

CS498 Systems and Networking Lab Spring 2012 Lab 6: Building Your Own Firewall Instructor: Matthew Caesar Due: Firewalls are widely deployed technologies for protecting networks from unauthorized access while permitting legitimate communications to pass. In this lab, you will learn about how to build a firewall of your own using the power of Linux kernel modules and Netfilter, which is a packet filtering subsystem in the Linux kernel stack. The techniques you learn on kernel module and filter/manipulating network packets can be an extremely useful tool for developing other cool network applicaitons. Anyway, writing code in the kernel means you are writing code in a place where you are limited only by your imagination. 1 Initial Setup This section will help you get your environment setup for writing your own kernel module in vsphere. The procedures for accessing the virutal machine is the same as what we did in the Lab 3. 1.1 Accessing the Virtual Machine We have access to a service called vsphere, which will provide us with a number of local Virtual Machines for you to use (easy to recover from kernel panic). It is recommended to use the vsphere for your convenience, since the lab has been tested and will be graded by running your program in the Ubuntu VM in the vsphere. If you have your own VM setup, or even a personal computer with the same kernel version, you may use that as well. To access your VM that we have setup for you, please follow these instructions. Speak with the TA to get permissions to a VM setup. If you are on a Windows machine, and you are on campus, you can download the vsphere client from https://csilvcenter.ad.uiuc.edu/. If you are not on a Windows machine, you can still use vsphere. The campus Windows Terminal servers already have vsphere installed. The remote desktop host is ews-windows-ts.ews.illinois.edu. Your usename will be UofI\NetID. Be careful of the UofI domain name...it is the only one that will work. (I have no idea why...) If you are using Linux, you can use the rdesktop command from the command line to remote into the windows terminal server. rdesktop ews-windows-ts.ews.illinois.edu. Launch the vsphere client and connect to csil-vcenter.ad.uiuc.edu. You username and password should be your Netid and AD password. If you see a home screen, click the VMs and Templates icon. This will show you all the VMs you have access to. Start your VM with the green arrow at the top. You can pull up an X-console using the icon that looks like a computer with an arrow pointing out of it. 1

Lab Matthew Caesar 2 The default user account if cs498class and the password is cs498class. Please change this password Immediately!. This account has sudo access. From this console, you can use this machine as you would any other. Please keep in mind that vsphere and your VM will only be accessible inside the UIUC network, or via VPN. 1.2 Setting Up the Ubuntu Build Environment In order to to build kernel modules, we need to setting up the Ubuntu build environment using module assistant. sudo apt-get install module-assistant sudo m-a prepare 2 The Netfilter Netfilter is the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Netfilter essentially defines a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack. Although this lab deals with IPv4 packets, most of the IPv4 content can be applied to the other protocols as well. 2.1 The Netfilter hooks for IPv4 Netfilter defines five hooks for IPv4. The declaration of the symbols for these can be found in linux/netfilter ipv4.h. These hooks are displayed in the Table 6.1 Hook NF INET PRE ROUTING NF INET LOCAL IN NF INET FORWARD NF INET LOCAL OUT NF INET POST ROUTING Called After sanity checks, before routing decisions After routing decisions if packet is for this host If the packet is destined for another interface For packets coming from local processes on their way out Just before outbound packets hit the wire Table 6.1: IPv4 hooks After hook functions have done whatever processing they need to do with a packet, they must return one of the predefined Netfilter return codes as shown in Table 6.2. Return Code NF DROP NF ACCEPT NF STOLEN NF QUEUE NF REPEAT NF STOP Meaning Discard the packet Keep the packet, and execute the remaining hooks Forget about the packet Queue packet for userspace Call this hook function again Keep the packet, and skip the remaining hooks Table 6.2: Netfilter return codes

Lab Matthew Caesar 3 The NF DROP return code means that this packet should be dropped completely and any resources allocated for it should be released. NF ACCEPT tells Netfilter that so far the packet is still acceptable and that it should move to the next stage of the network stack. These two return codes are used in this lab. 2.2 Registering and unregistering Netfilter hooks Registration of a hook function is a simple process with the use of the nf hook ops structure as defined in linux/netfilter.h. The definition of this structure is as follows: struct nf_hook_ops { struct list_head list; }; /* User fills in from here down. */ nf_hookfn *hook; struct module *owner; u_int8_t pf; unsigned int hooknum; /* Hooks are ordered in ascending priority. */ int priority; Let us explain some data fields that will be used for this lab. hook is a pointer to a nf hookfn function. This is the function that will be called for the hook. nf hookfn is defined in linux/netfilter.h as well. The pf field specifies a protocol family. Valid protocol families are available from linux/socket.h, but for IPv4 we want to use PF INET. The hooknum field specifies the particular hook to install this function for and is one of the values listed in Table 6.1. Finally, the priority field specifies where in the order of execution this hook function should be placed. For IPv4, acceptable values are defined in linux/netfilter ipv4.h in the nf ip hook priorities enumeration. In this lab, we will be using NF IP PRI FIRST. 2.3 The Very First Firewall Kernel Module Now we are ready to write our first netfilter kernel module. The module simply drops all the incoming packets like what is configured as the default rule in many modern firewalls. 2.3.1 Writing the Netfilter Hook To create a simple Netfilter hook requires several steps. We first write a function named hook func incoming(), which is called whenever a packet comes in that meets the conditions of nf hook ops. This function performs the appropriate logic, which in our case is to drop all incoming packets. We fill in the nf hook ops structure which defines the particular Netfilter hook to target, the priority of it, and gives the type of packet to target (in this case IPV4), and bind hook func incoming() to it. We also need to define the methods init module() and cleanup module(). For the Netfilter module, init module() should now contain the code to set up the nf hook ops structure and register the hook with Netfilter. In cleanup module() we put any code required to clean up. In this case, it corresponds to the code to unregister the hook from Netfilter. Below is the sample code of the drop-all-packet firewall.

Lab Matthew Caesar 4 #include <linux/kernel.h> #include <linux/module.h> #include <linux/netfilter.h> #include <linux/netfilter_ipv4.h> static struct nf_hook_ops nfho; //struct holding set of hook function options //function to be called by hook unsigned int hook_func_incoming( unsigned int hooknum, struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff *)) { return NF_DROP; /* Drop ALL packets */ } //Called when module loaded using insmod int init_module() { //function to call when conditions below met nfho.hook = hook_func_incoming; } //called right after packet recieved, first hook in Netfilter nfho.hooknum = NF_INET_PRE_ROUTING; //IPV4 packets nfho.pf = PF_INET; //set to highest priority over all other hook functions nfho.priority = NF_IP_PRI_FIRST; //register hook nf_register_hook(&nfho); printk(kern_info "simple firewall loaded\n"); return 0; //Called when module unloaded using rmmod void cleanup_module() { printk("simple firewall unloaded\n"); nf_unregister_hook(&nfho); } //cleanup and unregister hook 2.3.2 Writing the Makefile In order to compile the module, we create an associated Makefile, like the following:

Lab Matthew Caesar 5 obj-m += simple_firewall.o KDIR := /lib/modules/$(shell uname -r)/build PWD := $(shell pwd) clean: $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) clean default: $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules 2.3.3 Loading and Unloading a basic Netfilter Kernel Module To install the module, type sudo insmod simple_firewall.ko To remove the module, type: sudo rmmod simple_firewall To verify the module is actually loaded or unloaded, type: dmesg tail Now the system will drop any incoming packets. You can test the result by pinging the machine or pinging outside world, both should not work. If you are using ssh to remotely log into the machine, your ssh session will be broken. :) Note You can download the template of the deny-all firewall as well as the makefile from Piassa. The template can serve as a good starting point for the rest of your work in this lab. printk is a very useful tool for debuging purpose 3 Building your own Light-weighted Firewall The light-weighted firewall provides three basic options for dropping packets. These are, in the order of processing: Source interface Source IP address Destination TCP port First let us look at what data gets passed into hook functions (e.g. the hook func incoming() in the simple firewall.c ) and how that data can be used to make filtering decisions. The first argument to nf hookfn functions is a value specifying one of the hook types given in Table 6.1. The second argument is a pointer to a pointer to a sk buff structure, the structure used by the network stack to describe packets,

Lab Matthew Caesar 6 such as network header, transport headers, packet length, data, etc. You will need to know this struct for accessing the necessary information in a packet for this lab. This structure is defined in linux/skbuff.h. The two arguments that come after skb are pointers to net device structures. net device structures are what the Linux kernel uses to describe network interfaces of all sorts. The first of these structures, in, is used to describe the interface the packet arrived on. Not surprisingly, the out structure describes the interface the packet is leaving on. It is important to realise that usually only one of the two structures will be provided. For instance, in will only be provided for the NF INET PRE ROUTING and NF INET LOCAL IN hooks. out will only be provided for the NF IP LOCAL OUT and NF IP POST ROUTING hooks. 3.1 Filtering by Interface First, we would like to filter any INCOMING packets to the interface lo. Remember those net device structures our hook function received? Using the name field from the relevant net device structure allows us to drop packets depending on their source interface or destination interface. To drop all packets that arrive on interface lo all one has to do is compare the value of in- name with lo. If the names match then the hook function simply returns NF DROP and the packet is destroyed. You can test your program by pinging the localhost and pinging some well-known website, such as google.com 3.2 Filtering by IP Address Now we want to filter any OUTGOING packet with the destination IP address 130.126.31.10. This time we are interested in the sk buff structure. Now remember that the skb argument is a pointer to a pointer to a sk buff structure. Obtaining the IP header for a packet is done using the network layer header from the the sk buff structure. Note that the value of the destination IP should be stored in Network Byte Order (Big-endian, opposite of Intel). Also it is a good practice to check if skb and ip header you get is NULL pointer though it is unlikely the case, and return NF ACCEPT if so. You can test your program with tools like ping, ssh, iperf or anything at your choice. 3.3 Filtering by Destination TCP Port Now we want to filter any INCOMING tcp packets with the destination port 8888. This is only one more step more than checking IP addresses because we need to create a pointer to the TCP header ourselves. Getting pointer to the TCP header is about of allocating a pointer to a struct tcphdr (define in linux/tcp.h) and pointing after the IP header in our packet data. Don t forget that for this function to work, the tcp destination port to deny should be in network byte order. You can test your program by opening a iperf tcp server listening to port 8888 at host running the firewall kernel module and try to connect it from another machine. Note: The Linux cross reference is a very handy tool when dealing with code base in such scale. http://lxr.free-electrons.com/

Lab Matthew Caesar 7 4 The Report Please submit the following materials through the compass. 1. Copy your code done in the Section 3 as well as the makefile. Make sure the makefile is runnable, since your generated executable will be used for testing and grading. Please name the executable as firewall in your makefile. 2. Create a NetFilter kernel module based on (beyond) what we learn in this lab. (e.g. more complicate firewall filtering rules; password sniffer; selectively dropping tcp packets and measure change in congestion window size... anything at your choice). Please include the following in the report (1) Description of your module (2) Well-commented code body of your hook(s) (3) Runnable code and the make file (4) The instruction of how to run your code or any experimental results you collected from your code if it is hard to demo or for TA to reproduce your testing scenarios 3. Please submit the lab report in pdf or MS Word format

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information