Week 6 - NslecM05l - 2020

The document provides an introduction to Linux packet filtering using iptables, detailing its command line interface, syntax, and structure, including tables and chains. It explains various actions, rules, and examples for configuring firewall policies, including stateful firewalls and NAT options. Additionally, it discusses practical aspects of setting up and editing firewalls, as well as troubleshooting common issues in a network environment.

Uploaded by Edgar Moreira

Introduction to FIREWALL

Room C2-17
Email: [email protected]
Tel: 01204 903558
Linux Packet Filtering: iptables

• User-space command line interface
• Syntax:
  – iptables -t <table> <rule-action> <chain> <conditions> -j <action>
    (-t defaults to filter; rule-action is -A append, -I insert, -D delete, -P policy, -L list, -F flush)
• Very rich set of conditions (matches) and actions (targets)
• Extensible, modular matches and targets
• More complicated in concept than ipfw or pf
• Hierarchy: tables -> chains -> rules
• Three default tables are covered here (filter, nat, mangle), each with its own built-in chains; newer kernels also provide the raw and security tables
3/9/2017

• Actually, iptables is a user-level program that controls the kernel-level network module called netfilter.

[Figure: iptables commands issued in user space manipulate the internal rule structure held by netfilter inside the Linux kernel.]

CSC4430 - LAB ON IPTABLES Page 3



iptables – Tables and Chains

netfilter tables:

  filter  – this table is in charge of filtering packets.
  nat     – this table is in charge of translating the IP addresses of the packets.
  mangle  – this table is in charge of changing packet content.

• Each function provided by the netfilter architecture is presented as a table.
iptables – Tables and Chains

• Under each table, there is a set of chains.
  – Under each chain, you can assign a set of rules.

  Table    Built-in chains
  filter   INPUT, OUTPUT, FORWARD
  nat      PREROUTING, POSTROUTING, OUTPUT (recent kernels add an INPUT chain here as well)
  mangle   PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables – Tables and Chains

Listing the rules of the filter table (table name: filter; the command: list, -L):

[csci4430@vm-a]$ sudo iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere
                                         <- there is one rule set in the INPUT chain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                                         <- the other two chains are empty
[csci4430@vm-a]$ _

The rule in the INPUT chain means: when a packet carrying ICMP passes through the INPUT hook, DROP it, whatever its source and destination ("anywhere" to "anywhere").
iptables – Tables and Chains

• Example actions (targets) are:
  – DROP – discard the packet silently and stop processing the chain
  – ACCEPT – the packet is good; stop processing the chain
  – REJECT – discard the packet and stop, but send an error back to the sender (an ICMP port-unreachable by default; --reject-with tcp-reset gives a TCP RST instead)
  – LOG – write a message to the kernel log (syslog) and move on to the next rule; LOG is non-terminating, so it is normally followed by a DROP or REJECT rule with the same match
Some tests (matches):

• Is this TCP?                   -p tcp
• Is this from 10.0.0.5?         -s 10.0.0.5
• Is this from port 22?          --sport 22
• Is this going to port 23?      --dport 23
• Is this going to IP 50.0.0.1?  -d 50.0.0.1
• Is this going out on eth0?     -o eth0
• Is this coming in from eth0?   -i eth0

(--sport and --dport only make sense with a protocol, so they need -p tcp or -p udp on the same rule; -i is only valid in INPUT, FORWARD and PREROUTING, -o only in FORWARD, OUTPUT and POSTROUTING.)
Setting the policy

$ iptables -P INPUT ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -P FORWARD DROP

• This is a typical unsecured machine configuration. Typical machines only have one Ethernet device, so they don't forward. Otherwise, all packets are allowed.
Basic client machine

• Allow the local machine to ssh and telnet out:

# Standard INGRESS FILTER RULES, then
iptables -t filter -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 23 -j ACCEPT

(The table name is lowercase: -t FILTER is rejected as a non-existent table.)

sport or dport?
  Server end (accepts incoming ssh):  $ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  Your end (accepts the replies):     $ iptables -A INPUT -p tcp --sport 22 -j ACCEPT

[Figure: the SSH client connects from a local ephemeral port (33123) to the SSH server on port 22; the server's replies therefore arrive with source port 22 and destination port 33123.]

Matching on the source port alone is weak: any host can send packets from port 22, and these rules would admit them whether or not the client asked for anything. The stateful rules later in the deck (--state ESTABLISHED) admit only replies to connections the client itself opened.
Basic client machine

• Allow the local machine to ssh only to 10.0.0.1:

# Standard INGRESS FILTER RULES, then
iptables -A INPUT -p tcp --sport ssh -s 10.0.0.1 -j ACCEPT

(Only replies coming from port 22 of 10.0.0.1 are admitted; with the OUTPUT policy still ACCEPT the machine can try to ssh anywhere, but only the session to 10.0.0.1 gets answers through.)
Add a rule to permit ping

• Anyone can ping this machine:

# Add to the end of the file
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Add a rule to permit safe ping

• Anyone can ping this machine, but I will only respond if the ping requests arrive no faster than 2 per second:

# Add to the end of the file
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT

• Requests above the rate no longer match this rule and fall through to whatever follows (the policy, so with INPUT DROP they are discarded). The limit match also allows a burst before the average applies: --limit-burst defaults to 5.
• This protects against ping floods (resource exhaustion by volume). It does not address the classic "ping of death", which is a single oversized or malformed packet; that is handled by the kernel's IP stack, not by rate limiting.
Editing firewalls

• iptables does allow you to edit firewalls dynamically (-I, -D, -R).
• However, this is very problematic and difficult: rule order matters, and it is easy to lose track of what is actually loaded.
• Instead, I recommend putting all your rules in a file and running that file to change the firewall.
• This allows you to use your favourite editor to write the firewall.
• At the start of the file, delete all current firewall rules in each table using "-F" (and "-X" to delete user-defined chains). Note that "-F" does not reset the chain policies, and that without "-t" it only flushes the filter table; use "-t nat -F" and "-t mangle -F" too if those tables are in use.

Editing firewalls

$ touch firewall
$ chmod +x firewall
$ nano firewall
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD

# Set the default policies for the chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
Editing firewalls

• To load these rules do
  $ ./firewall
• However, don't do that yet. The default is DROP for INPUT. Without more rules (at the very least an ACCEPT for ESTABLISHED traffic, so that your own SSH session survives) you will be kicked out of the server, never to return...
• This is bad if the server is a 5 minute walk away. But if it is 500 miles away you are in trouble!
• This type of firewall is INGRESS ONLY. There are no rules for going out (OUTPUT/EGRESS).
NAT Options

• SNAT
  – Used to do source network address translation, rewriting the source IP address of the packet (nat table, POSTROUTING chain, i.e. after routing)
  – The source IP address is user defined:
    --to-source <address>[-<address>][:<port>-<port>]
• DNAT
  – Used to do destination network address translation, i.e. rewriting the destination IP address of the packet (nat table, PREROUTING chain for packets arriving from the network, OUTPUT for locally generated ones)
    --to-destination <address>[-<address>][:<port>-<port>]
• MASQUERADE
  – Used to do source network address translation (nat table, POSTROUTING chain) when the outgoing interface's address may change, e.g. DHCP or PPP links.
  – By default the source IP address is the one currently assigned to the firewall's outgoing interface, looked up for each packet; connections are dropped if the interface goes down.
    [--to-ports <port>[-<port>]]
INPUT ACCEPT

• To be clear, a policy of ACCEPT is seriously silly...
• Good to learn on but wide open to attack.
• ACCEPT policy means you need rules to block. Anything you didn't think about is accepted.
• DROP policy means you need rules to allow. Anything you didn't think about is dropped.
• Security relies on a good policy, and that must be DROP.
Stateful Firewalls

Stateful Rules
• You can add iptables rules that match on the connection-tracking state of a packet.
• This is REALLY useful for the FORWARD chain.
• It also, in general, makes your firewall rules more reliable and much smaller, even in INPUT and OUTPUT: one ESTABLISHED rule replaces a --sport rule per service.
Established: Stateful Firewall

• In TCP/IP, TCP goes through a number of states; a connection is set up by the three-way handshake:

  client: CLOSED -> SYN-SENT                server: LISTEN -> SYN-RECEIVED
  1. client -> server   Flags: SYN       SEQ:100
  2. server -> client   Flags: SYN,ACK   SEQ:300, ACK:101
  3. client -> server   Flags: ACK       SEQ:101, ACK:301
  client: ESTABLISHED                       server: ESTABLISHED
Rules based on network state

• Packets can be in a number of different connection-tracking states:
  – NEW – a packet which starts a new connection
  – RELATED – a new connection, but associated with an existing one (e.g. an FTP data connection, or an ICMP error about an existing flow)
  – ESTABLISHED – a connection already running, i.e. packets have been seen in both directions
  – INVALID – a packet that cannot be associated with any known connection (malformed, or not matching any tracked flow)

• Note that these states come from the conntrack module, not from the TCP state machine: ESTABLISHED simply means traffic has been seen both ways, so the same rules work for UDP and ICMP.

> iptables -A INPUT -i eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT

(eth+ is a wildcard that matches eth0, eth1, ...; -m state --state is the older spelling of -m conntrack --ctstate.)
Basic Stateful FORWARDING

• You are running your firewall machine with 2 network cards, eth0 and eth1.
• eth0 connects to the internet, eth1 to the intranet.
• In this regard the firewall, via eth1, is the gateway for your local network.

Basic Stateful FORWARDING

• eth0 is 10.0.1.1/24, eth1 is 10.0.2.254/24
• You have two servers in your intranet.
  – M1 is 10.0.2.1/24, running an ssh server
  – M2 is 10.0.2.2/24, running an http server
• The GW firewall FORWARD chain would be:

Basic Stateful FORWARDING

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport ssh -d 10.0.2.1 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport http -d 10.0.2.2 -j ACCEPT

Two things to check: packets only traverse FORWARD when routing is enabled (net.ipv4.ip_forward=1), and this set admits NEW connections only from the outside in; M1 and M2 cannot open connections outwards unless a rule for NEW traffic entering on eth1 is added.
Egress filtering

• So far it has been normal to see ACCEPT as the default policy for OUTPUT.
• However, this is not as secure as having a DROP policy.
• DROP as the policy in OUTPUT is called egress filtering.
• Although easy to completely mess up, it is no harder than an INPUT DROP policy.
• It limits OUTPUT packets to only those which you explicitly define.
• It limits what a compromised process on the host can reach (reverse shells, malware call-backs, worm propagation to other hosts), and so reduces the damage from a successful attack.
Complete EGRESS Example

• Configure a non-routing server firewall which runs telnet and http servers. Users on the server can ssh out. Use EGRESS filtering.

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport telnet -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport ssh -j ACCEPT

(The last rule needs -m before state; without it iptables reports an unknown option.) With an OUTPUT policy of DROP anything not listed is silently lost: users can only ssh out by IP address unless a rule for DNS (port 53) is added, and local services that talk over loopback need -i lo / -o lo ACCEPT rules.
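The file-based approach from the "Editing firewalls" slides, the stateful rules, and the egress example above can be combined into one re-runnable script. What follows is an added example written for this page, not code from the slides or the course: it builds the ruleset as a plan first, refuses to load a plan in which the INPUT policy flips to DROP before the ESTABLISHED rule is in place (the lockout the slides warn about), prints the plan instead of loading it unless run with APPLY=1 as root, and when it does load it arms a timed rollback that reopens INPUT unless the operator, having confirmed they can still log in, cancels it. It uses -m conntrack --ctstate, the current spelling of the -m state --state used in the slides. The service ports (ssh and http in; ssh, http, https and DNS out), the 60-second rollback window and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example: host firewall generated by a script (not from the slides).
# Dry run by default: prints the plan. APPLY=1 ./firewall.sh loads it (root).
IPT=${IPT:-/sbin/iptables}
IN_PORTS="${IN_PORTS:-22 80}"         # assumed: services this host runs
OUT_PORTS="${OUT_PORTS:-22 80 443}"   # assumed: ports users may reach
ROLLBACK_SECS=${ROLLBACK_SECS:-60}    # assumed safety window
MODE=plan
PLAN=""

# fw: record the iptables command in PLAN; execute it only in apply mode.
fw() {
    PLAN="${PLAN}${IPT} $*
"
    if [ "$MODE" = apply ]; then "$IPT" "$@"; fi
}

# build_rules: the whole ruleset, in the order it must be loaded.
build_rules() {
    PLAN=""
    fw -F INPUT
    fw -F OUTPUT
    fw -F FORWARD
    fw -P FORWARD DROP                        # non-routing host
    # Loopback, then replies to connections already accepted. These must
    # precede "-P INPUT DROP" or the SSH session loading the rules dies.
    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    fw -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    fw -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Ingress: NEW connections to our services, plus rate-limited ping
    for p in $IN_PORTS; do
        fw -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    fw -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 5 -j ACCEPT
    # Egress: NEW connections only to listed ports, plus DNS so names resolve
    for p in $OUT_PORTS; do
        fw -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    fw -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # Log what is about to hit the policy, then flip the policies last
    fw -A INPUT -m limit --limit 5/minute -j LOG --log-prefix fw-in-drop:
    fw -P INPUT DROP
    fw -P OUTPUT DROP
}

# lockout_safe: true if the plan's INPUT ESTABLISHED accept comes before
# the line that sets the INPUT policy to DROP.
lockout_safe() {
    est=$(printf '%s' "$PLAN" | grep -n -- '-A INPUT .*ESTABLISHED' | head -n 1 | cut -d: -f1)
    pol=$(printf '%s' "$PLAN" | grep -n -- '-P INPUT DROP' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$pol" ] && [ "$est" -lt "$pol" ]
}

# schedule_rollback: reopen INPUT after the window unless the operator,
# having confirmed a fresh login still works, kills the timer.
schedule_rollback() {
    ( sleep "$ROLLBACK_SECS"; "$IPT" -P INPUT ACCEPT; "$IPT" -F INPUT ) &
    echo "INPUT reopens in ${ROLLBACK_SECS}s unless you run: kill $!"
}

MODE=plan; build_rules
lockout_safe || { echo "refusing: -P INPUT DROP precedes the ESTABLISHED rule" >&2; exit 1; }
if [ "${APPLY:-0}" = 1 ]; then
    MODE=apply; build_rules; schedule_rollback
else
    printf '%s' "$PLAN"
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 from a second terminal while keeping the first session open; only after a brand-new ssh login succeeds should the rollback timer be killed. The plan-then-apply split is what makes the lockout check possible: the ordering bug is caught before a single rule is loaded.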
Examples

• sudo iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -d 137.189.88.145 -j MASQUERADE
  – packets from 10.0.1.0/24 addressed to 137.189.88.145 leave with the address of the outgoing interface as their source.
• iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 192.168.1.200
  – all packets arriving on the router with a destination of 10.10.20.99 will depart from the router with a destination of 192.168.1.200.
Examples

• # iptables -t nat -A PREROUTING -d 205.254.211.17 -j DNAT --to-destination 192.168.100.17
• # iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-source 205.254.211.17
  – together these give 192.168.100.17 a static one-to-one mapping to the public address 205.254.211.17: inbound packets are translated on the way in, and packets the host sends out leave with the public address. Note that SNAT takes --to-source; --to-destination belongs to DNAT.
The mangle table

When a host wants to make a new connection with your machine, it sends your machine a SYN packet. To block all such packets that do not follow these rules, we could use a rule very similar to what we have shown so far. But, just to add an interesting twist to the syntax, we will use the mangle table for the purpose. So go ahead and execute the following command line as root:

sudo iptables -t mangle -A PREROUTING -p

Note that mangle PREROUTING is traversed before the filter table's chains, so a DROP placed there is hit before any filter rule can see the packet. The mangle table is intended for altering packets (TTL, TOS, marks); plain filtering belongs in filter.

iptables examples

• Drop all www traffic from a network
  • iptables -A FORWARD -p tcp --dport 80 -s 12.12.12.0/24 -d www.ubc.ca -j DROP
    (a hostname given to -d is resolved once, when the rule is inserted; if it resolves to several addresses one rule per address is created, and later DNS changes are not tracked)
• Drop all telnet traffic from a bad host
  • iptables -A INPUT -p tcp -s bad.host.com -d my.host.com --dport 23 -j DROP
• Throw away packets carrying RFC 1918 (private) source addresses that arrive on the outside interface; they are spoofed, since private ranges are not routed on the internet
  • iptables -A FORWARD -s 10.0.0.0/8 -i eth0 -j DROP
  • iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
  • iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
• Allow ssh and keep state
  • iptables -A FORWARD -p tcp --dport 22 -i fxp0 -m state --state NEW,ESTABLISHED -j ACCEPT
    (fxp0 is a BSD-style interface name; on Linux this would be eth0 or similar)
iptables examples

• To prevent anyone from "pinging" your machine:
  • sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
• Allow others to ssh into your machine, but block every other access:
  sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
  sudo iptables -A INPUT -j REJECT

Because the second rule uses REJECT, a client connecting to any other port receives an ICMP "Port Unreachable" error straight away. With DROP instead, the client gets no response at all and hangs until its connection attempt times out. Note that the blanket REJECT also rejects replies to connections this machine opens itself (policy ACCEPT is never reached), so in practice an ACCEPT for RELATED,ESTABLISHED traffic belongs before it.
FIREWALL PRACTICAL

GNS3 problems

• sudo systemctl start docker
• sudo systemctl enable docker
• sudo usermod -aG docker username
• the user has to log in again to pick up that change
• sudo ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-kvm (to sort out a qemu path problem)
The infrastructure

Configuring the IP addresses

sudo apt install net-tools
sudo ifconfig <interface> 192.168.1.11 netmask 255.255.255.0
sudo route add default gw 192.168.1.1

(<interface> is a placeholder for the appliance's NIC name, e.g. ens4 as used for the router below; list the names with ip link. On current Ubuntu the iproute2 tools, ip addr and ip route, do the same job without installing net-tools.)

After configuring all the appliances:
Try to ping 200.1.1.1
Try to ping 200.1.1.2
Enable IP Forwarding on Ubuntu (R1, R2)

Check the current setting:
  sysctl net.ipv4.ip_forward
e.g. the following shows IP forwarding disabled:
  sysctl net.ipv4.ip_forward
  net.ipv4.ip_forward = 0

Enable the kernel option for IP forwarding (takes effect immediately, lost on reboot):
  sudo sysctl net.ipv4.ip_forward=1

To make the change permanent across reboots, set net.ipv4.ip_forward=1 in /etc/sysctl.conf:
  sudo nano /etc/sysctl.conf

Check the nat table (empty to begin with):
  sudo iptables -t nat -L

Add a MASQUERADE rule to the nat table's POSTROUTING chain (ens4 is the router's outside interface):
• sudo iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE

Can you ping from pc1 to pc3?
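The stateful FORWARD ruleset, the NAT options and examples, and the lab's ip_forward plus MASQUERADE steps fit together as one gateway script. What follows is an added example written for this page, not code from the slides or the lab: it uses the deck's topology (eth0 10.0.1.1/24 outside, eth1 10.0.2.254/24 inside, M1 10.0.2.1 running ssh, M2 10.0.2.2 running http), publishes M1 and M2 through the gateway's outside address with DNAT, masquerades the LAN on the way out, drops packets with private source addresses that arrive on the outside interface, and checks that every DNAT target is also accepted in FORWARD, because a translated packet that no FORWARD rule accepts is silently dropped by the policy (a classic port-forwarding mistake). The public port 2222 for ssh, the interface names, and the anti-spoof list (which omits 10.0.0.0/8 only because the lab's "outside" network is itself 10.0.1.0/24) are assumptions. It prints the plan unless run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: stateful NAT gateway (not from the slides or the lab).
# Dry run by default: prints the plan. APPLY=1 ./gateway.sh loads it (root).
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}                 # outside interface, 10.0.1.1/24 in the deck
LAN=${LAN:-eth1}                 # inside interface, 10.0.2.254/24 in the deck
WAN_IP=${WAN_IP:-10.0.1.1}
LAN_NET=10.0.2.0/24
M1=10.0.2.1                      # ssh server
M2=10.0.2.2                      # http server
SSH_PUBLIC_PORT=2222             # assumed: ssh to M1 is published on this port
# Assumed anti-spoof list; 10.0.0.0/8 is left out only because the lab's
# "outside" network is 10.0.1.0/24. An internet-facing gateway adds it.
BOGONS="172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
MODE=plan
PLAN=""

# fw: record the iptables command in PLAN; execute it only in apply mode.
fw() {
    PLAN="${PLAN}${IPT} $*
"
    if [ "$MODE" = apply ]; then "$IPT" "$@"; fi
}

build_gateway() {
    PLAN=""
    # Without routing enabled the FORWARD chain is never consulted
    if [ "$MODE" = apply ]; then sysctl -w net.ipv4.ip_forward=1; fi
    fw -F FORWARD
    fw -t nat -F PREROUTING
    fw -t nat -F POSTROUTING
    fw -P FORWARD DROP
    # Private source addresses have no business arriving from outside
    for net in $BOGONS; do
        fw -A FORWARD -i "$WAN" -s "$net" -j DROP
    done
    # Replies in either direction, then junk that conntrack cannot place
    fw -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    fw -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Inside hosts may open new connections to the outside
    fw -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Only these NEW flows may enter from outside. FORWARD sees the packet
    # after DNAT, so -d is the internal address and --dport the internal port.
    fw -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$M1" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$M2" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # DNAT in PREROUTING runs before routing: publish M1 and M2 on WAN_IP
    fw -t nat -A PREROUTING -i "$WAN" -p tcp -d "$WAN_IP" --dport "$SSH_PUBLIC_PORT" -j DNAT --to-destination "$M1:22"
    fw -t nat -A PREROUTING -i "$WAN" -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$M2:80"
    # Source NAT on the way out; use SNAT --to-source instead if WAN_IP is fixed
    fw -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# dnat_covered: every DNAT target host:port must have a FORWARD accept,
# otherwise the translated packet dies on the FORWARD DROP policy.
dnat_covered() {
    printf '%s' "$PLAN" | grep -- '-j DNAT' | sed 's/.*--to-destination //' |
    while IFS=: read -r host port; do
        printf '%s' "$PLAN" | grep -q -- "-A FORWARD .*-d $host --dport $port .*-j ACCEPT" || exit 1
    done
}

MODE=plan; build_gateway
dnat_covered || { echo "refusing: a DNAT target has no matching FORWARD accept" >&2; exit 1; }
if [ "${APPLY:-0}" = 1 ]; then
    MODE=apply; build_gateway
else
    printf '%s' "$PLAN"
fi
```

The FORWARD rules deliberately match on the post-DNAT destination (10.0.2.1 port 22), not on the published port 2222: by the time the filter table sees the packet, PREROUTING has already rewritten it. Forgetting that, and writing the FORWARD rule against the public address and port, is why port forwards so often "almost work".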

Any Questions?
