3.1.iptables

Firewalls
Implementation
IPTables Firewall Implementation
Taken from
Red Hat Linux Firewalls, Bill McCarty
Copyright Red Hat and Bill McCarty
Scripting
Intro
• Brief introduction to shell scripts in Unix
– The shell is a command interpreter; a shell script is a file of commands for it to run
– Standard in
– Standard out
– Standard error
– Redirection ">", "<"
– ">|" forced overwrite
– ">>" append
Scripts
Start
• Create a firewall file
– Make it executable
– chmod 777 acklers_firewall (777 also makes the file world-writable; 700 is enough for the owner to run it)
• All scripts will start with
#!/bin/bash - the shell then executes the remaining lines as
commands, except comments
Comments start with a #
Variables are defined before they are used
IP="172.16.1.2"
Variables are referenced with $name
$IP does a lexical substitution of the definition of IP
Scripts
Control flow
If-then-else
if [ condition ]
then
    "do something"
else
    "something to do goes here"
fi
if – fi act as parentheses
exit 1 exits the script with status 1
[ ] - needs white space around the condition
Control flow
example
if [ ! -x /sbin/iptables ]
then
    echo "Firewall: can't execute iptables"
    exit 1
fi
which iptables prints the path to iptables.
Scripts
Control flow
for loop
for var in list; do
    stuff to do
done
var is a variable that takes on each value in list in turn
list is a list of values that var takes on
BADIPS="10.0.0.0/8 172.16.0.0/12"
for ip in $BADIPS; do
    iptables -A INPUT -s $ip -j DROP
done
Firewall Construction
Plan
• Firewall policies
• High level design
• Detailed design
• Test
Firewall Policies
Egress filtering
Restrictive: Only explicitly authorized packets
may exit the protected host.
Ingress filtering
Restrictive: Only explicitly authorized packets
may enter the protected host.
Hostile hosts
Hostile hosts may be shunned.
Special IPs
Traffic from special IPs is blocked,
e.g. RFC 1918 addresses
Firewall Policies
cont'd
Inbound services
Remote clients can access SSH and HTTP
services provided by the protected host. All
other services are blocked.
Outbound services
Local clients can access only these remote services:
DNS, FTP, HTTP, HTTPS, RSYNC, SMTP, SSH,
and WHOIS servers. All other services are blocked
to local clients.
Firewall Policies
cont'd
Inbound ICMP
Destination unreachable, parameter problem,
source quench, and time exceeded are the only
authorized ICMP messages.
Outbound ICMP
Destination unreachable, fragmentation needed,
parameter problem, and source quench are the
only authorized ICMP messages.
Logging
All blocked packets are logged via the
Syslog facility
Firewall Policies
cont'd
Ping
Only specified hosts can ping, or be pinged by,
the protected host.
SYN Flood
The firewall will block SYNs when their rate of
arrival exceeds a specified threshold.
TCP Flags
TCP flags are validated, blocking
certain types of TCP scans.
Packet Path
with NAT and MANGLE
Network -> mangle PREROUTING -> nat PREROUTING -> route
route -> filter INPUT -> Local Process -> mangle OUTPUT -> filter OUTPUT -> nat POSTROUTING -> Network
route -> filter FORWARD -> nat POSTROUTING -> Network
Our Firewall
no NAT, no MANGLE, no FORWARD
• Firewall for a single-homed protected
host
• No FORWARD chain in the FILTER table
• No NAT table
• No MANGLE table
• Only INPUT and OUTPUT chains in the FILTER
table
Our Packet Path
Network -> filter INPUT -> local process -> filter OUTPUT -> Network
Setup Some Assignments
# Abbreviation for iptables
IPT=/sbin/iptables
# Loop back address (no space after "=", or the shell runs the address as a command)
LO="127.0.0.1"
# IP address of firewall host: fill it in by hand ...
IP="xxx.xxx.xxx.xxx"
# ... or read it from the eth0 interface
IP=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
http://www.cyberciti.biz/faq/how-to-find-out-the-ip-address-assigned-to-eth0-and-display-ip-only/
Setting Up the Chains & Tables
Ensure that iptables is installed.
Set default policy to protect the system
while rules are installed.
Flush and delete all user chains.
Flush and delete all built-in chains.
Reset all counters.
if [ ! -x $IPT ]
then
    echo "Firewall: Can't find iptables"
    exit 1
fi
$IPT -P INPUT DROP      # Set default policy to DROP
$IPT -P OUTPUT DROP     # Set default policy to DROP
$IPT -P FORWARD DROP    # Set default policy to DROP
$IPT -F                 # Flush all chains
$IPT -X                 # Delete all user chains
for table in filter nat mangle
do
    $IPT -t $table -F   # Flush table's rules
    $IPT -t $table -X   # Delete table's chains
    $IPT -t $table -Z   # Zero the table's counters
done
INPUT Chain Policy
filter table
• Loopback OK
» Accept
• Bad IP
» Log and drop
• Shunned IPs
» Log and drop
• Branches
» ICMP or TCP/UDP?
• Logs and drops the rest
INPUT Chain
# Each packet from the network walks this chain top to bottom
$IPT -A INPUT -i lo -j ACCEPT           # Loopback? ACCEPT
$IPT -A INPUT -j BAD_IP                 # Bad IP? log and drop
$IPT -A INPUT -j SHUN_IP                # Shunned IP? log and drop
$IPT -A INPUT ! -p icmp -j IN_TCP_UDP   # Not ICMP: TCP/UDP branch
$IPT -A INPUT -p icmp -j IN_ICMP        # ICMP branch
$IPT -A INPUT -j LOG_DROP               # Everything else: log and drop
# "! -p icmp" is the current form of the older "-p ! icmp" negation,
# which iptables still accepts but reports as deprecated
OUTPUT Chain Policy
filter table
• Loopback OK
» Accept
• Bad IP
» Log and drop
• Shunned IPs
» Log and drop
• Branches
» ICMP or TCP/UDP?
• Logs and drops the rest
OUTPUT Chain
# Each packet leaving the host walks this chain top to bottom
$IPT -A OUTPUT -o lo -j ACCEPT            # Loopback? ACCEPT
$IPT -A OUTPUT -j BAD_IP                  # Bad IP? log and drop
$IPT -A OUTPUT -j SHUN_IP                 # Shunned IP? log and drop
$IPT -A OUTPUT ! -p icmp -j OUT_TCP_UDP   # Not ICMP: TCP/UDP branch
$IPT -A OUTPUT -p icmp -j OUT_ICMP        # ICMP branch
$IPT -A OUTPUT -j LOG_DROP                # Everything else: log and drop
User chains
User chains:
IN_TCP_UDP
Further filters TCP & UDP datagrams
IN_ICMP
Further filters ICMP datagrams
OUT_TCP_UDP
Further filters TCP & UDP datagrams
OUT_ICMP
Further filters ICMP datagrams
FLOOD
Stops SYN flood attacks
FLAGS
Drops packets with incorrect tcp flags set
BAD_IP
Drops packets from bad IP addresses
SHUN_IP
Drops packets from IP addresses that
have been identified as hostile
User logging chains
Logging chains:
LOG_DROP
Logs and drops various packets
selected to be dropped
LOG_BAD_IP
Logs and drops various packets
coming from or going to bad IP
addresses
LOG_FLOOD
Logs and drops various packets
judged to be a SYN flood
LOG_SHUN_IP
Logs and drops various packets
coming from or going to IP addresses
that are to be shunned
LOG_FLAGS
Logs and drops various packets
judged to have incorrect TCP
flags set
IN_TCP_UDP User Chain
Remote clients can access SSH and HTTP
services provided by the protected host.
All other services are blocked.
$IPT -N IN_TCP_UDP
# Invalid state? log and drop
$IPT -A IN_TCP_UDP -m state --state INVALID -j LOG_DROP
# New TCP connections go through the SYN flood check
$IPT -A IN_TCP_UDP -p tcp --syn -j FLOOD
# All TCP goes through the flag check
$IPT -A IN_TCP_UDP -p tcp -j FLAGS
# Established or related state? ACCEPT
$IPT -A IN_TCP_UDP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
# Source IP spoofed (our own address arriving from outside)? log and drop
$IPT -A IN_TCP_UDP -s $IP -j LOG_DROP
IN_TCP_UDP User Chain
cont'd
SSH="my_IP_addr your_IP_addr"
WWW="my_IP_addr your_IP_addr"
# Authorized service? ACCEPT; AUTH request? REJECT; otherwise RETURN
for sip in $SSH; do
    $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 22 -m state \
        --state NEW -j ACCEPT
done
for sip in $WWW; do
    $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 80 -m state \
        --state NEW -j ACCEPT
done
# Authentication request (ident, port 113): reject rather than drop
# so remote mail and ssh servers are not left waiting for a timeout
$IPT -A IN_TCP_UDP -p tcp --dport 113 -j REJECT
# Add rules for other required services, for example:
#
# services="IP addresses"
#
# for sip in $services; do
#     $IPT -A IN_TCP_UDP -p proto -s $sip --dport port -m state \
#         --state NEW -j ACCEPT
# done
OUT_TCP_UDP User Chain
Protected host can access
ftp, ssh, smtp, whois, DNS, http, https, rsync services.
All other services are blocked.
OUT_SERVICES="21 22 25 43 53 80 443 873"
# Permitted outbound connections
# ftp, ssh, smtp, whois, DNS, http, https, rsync
$IPT -N OUT_TCP_UDP
# All TCP goes through the flag check
$IPT -A OUT_TCP_UDP -p tcp -j FLAGS
# Source IP OK? Anything not from our own address is logged and dropped
$IPT -A OUT_TCP_UDP ! -s $IP -j LOG_DROP
# Established or related state? ACCEPT
$IPT -A OUT_TCP_UDP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
# Authorized service? ACCEPT; otherwise RETURN to the calling chain
for dpt in $OUT_SERVICES; do
    $IPT -A OUT_TCP_UDP -m state --state NEW -p tcp \
        --dport $dpt -j ACCEPT
done
$IPT -A OUT_TCP_UDP -m state --state NEW -p udp \
    --dport 53 -j ACCEPT
IN_ICMP User Chain
Destination unreachable, parameter problem, source quench, and time exceeded
are the only authorized ICMP messages, plus ping to and from the hosts in PING.
PING="my_IP_addr your_IP_addr"
$IPT -N IN_ICMP
# Authorized ping? ACCEPT
for sip in $PING; do
    $IPT -A IN_ICMP -p icmp --icmp-type echo-request \
        -s $sip -d $IP -j ACCEPT
    $IPT -A IN_ICMP -p icmp --icmp-type echo-reply \
        -s $sip -d $IP -j ACCEPT
done
# Destination unreachable? ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
# Source quench? ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
# Time exceeded? ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
# Parameter problem? ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
# default is to return on pass through
OUT_ICMP User Chain
Destination unreachable, fragmentation needed, parameter problem, and source quench
are the only authorized ICMP messages, plus ping to and from the hosts in PING.
$IPT -N OUT_ICMP
# Authorized ping? ACCEPT
# Outbound packets leave with our address as source and the peer as
# destination (the slide had -s $sip -d $IP here, which never matches outbound)
for sip in $PING; do
    $IPT -A OUT_ICMP -p icmp --icmp-type echo-request \
        -s $IP -d $sip -j ACCEPT
    $IPT -A OUT_ICMP -p icmp --icmp-type echo-reply \
        -s $IP -d $sip -j ACCEPT
done
# Destination unreachable? ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable \
    -j ACCEPT
# Fragmentation needed? ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Source quench? ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
# Parameter problem? ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
# default is to return on pass through
Bad IP User Chain
Traffic from special IPs is blocked, e.g. RFC 1918 addresses
# Broadcast addresses
BAD_IPS="0.0.0.0/8 255.255.255.255"
# RFC 1918 addresses
BAD_IPS="$BAD_IPS 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Loop back address (the loopback block is 127.0.0.0/8; the slide's /4 would
# also cover 112.0.0.0 to 126.255.255.255)
BAD_IPS="$BAD_IPS 127.0.0.0/8"
# Multicast addresses
BAD_IPS="$BAD_IPS 224.0.0.0/4 240.0.0.0/5"
$IPT -N BAD_IP
# Bad source IP? log and drop
for ip in $BAD_IPS; do
    $IPT -A BAD_IP -s $ip -j LOG_BAD_IP
done
# Bad dest IP? log and drop
for ip in $BAD_IPS; do
    $IPT -A BAD_IP -d $ip -j LOG_BAD_IP
done
# Returns to the calling chain by default
Hostile Hosts User Chain
Hostile hosts may be shunned – inbound and outbound can be blocked
# Hostile IPs: the list starts out empty
SHUN_IPS=""
# To add an address to the list while the firewall is running
# iptables -A SHUN_IP -s address -j LOG_SHUN_IP
# To delete an address from the list
# iptables -D SHUN_IP -s address -j LOG_SHUN_IP
# To clear the list
# iptables -F SHUN_IP
$IPT -N SHUN_IP
# Hostile source IP? log and drop
for ip in $SHUN_IPS; do
    $IPT -A SHUN_IP -s $ip -j LOG_SHUN_IP
done
# Hostile dest IP? log and drop
for ip in $SHUN_IPS; do
    $IPT -A SHUN_IP -d $ip -j LOG_SHUN_IP
done
# Returns to the calling chain by default
FLOOD
The firewall will block SYNs when their rate of
arrival exceeds a specified threshold.
SYN_OPT="-m limit --limit 5/second --limit-burst 10"
$IPT -N FLOOD
# SYN rate not exceeded? RETURN to the calling chain
$IPT -A FLOOD $SYN_OPT -j RETURN
# SYN rate exceeded? log and drop
$IPT -A FLOOD -j LOG_FLOOD
TCP Flags
TCP flags are validated, blocking
certain types of TCP scans.
$IPT -N FLAGS
# Bad TCP flags? log and drop; otherwise RETURN to the calling chain
# --tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP are set
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG_FLAGS          # FIN without ACK
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LOG_FLAGS          # PSH without ACK
$IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LOG_FLAGS          # URG without ACK
$IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LOG_FLAGS              # all flags set
$IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LOG_FLAGS             # no flags set
$IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_FLAGS
# Returns to the calling chain by default
Logging Chains
Log and drop all that is bad
LOG_OPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
# This limits the rate of logging
$IPT -N LOG_DROP
$IPT -A LOG_DROP -j LOG --log-prefix "IPT Drop: " $LOG_OPT
$IPT -A LOG_DROP -j DROP

$IPT -N LOG_BAD_IP
# MS Broadcast: dropped silently so it does not fill the log
$IPT -A LOG_BAD_IP -p tcp --dport 137:139 -j DROP
# MS Broadcast
$IPT -A LOG_BAD_IP -p udp --dport 137:139 -j DROP
$IPT -A LOG_BAD_IP -j LOG --log-prefix "IPT BAD_IP: "
$IPT -A LOG_BAD_IP -j DROP

$IPT -N LOG_SHUN_IP
$IPT -A LOG_SHUN_IP -j LOG --log-prefix "IPT SHUN: " $LOG_OPT
$IPT -A LOG_SHUN_IP -j DROP

$IPT -N LOG_FLOOD
$IPT -A LOG_FLOOD -j LOG --log-prefix "IPT FLOOD: " $LOG_OPT
$IPT -A LOG_FLOOD -j DROP

$IPT -N LOG_FLAGS
$IPT -A LOG_FLAGS -j LOG --log-prefix "IPT FLAGS: " $LOG_OPT
$IPT -A LOG_FLAGS -j DROP
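The slides show the chains as separate fragments, but a -j to a user chain that has not been created yet makes iptables fail, so a working script creates every chain with -N before any rule jumps to it. The following harness is an added example, not from the slides or the book: IPT is pointed at echo so the assembled rules can be checked offline, and the function names emit_rules and check_targets are assumed here.

```shell
#!/bin/sh
# Dry-run harness: IPT echoes each command instead of running it, so
# the rule order can be checked without root or iptables installed.
IPT="echo /sbin/iptables"

# Policies first, then every user chain created with -N, and only then
# the rules that jump to those chains (a subset of the slides' rules).
emit_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    for chain in IN_TCP_UDP IN_ICMP OUT_TCP_UDP OUT_ICMP FLOOD FLAGS \
                 BAD_IP SHUN_IP LOG_DROP LOG_BAD_IP LOG_FLOOD \
                 LOG_SHUN_IP LOG_FLAGS; do
        $IPT -N $chain
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j BAD_IP
    $IPT -A INPUT -j SHUN_IP
    $IPT -A INPUT ! -p icmp -j IN_TCP_UDP
    $IPT -A INPUT -p icmp -j IN_ICMP
    $IPT -A INPUT -j LOG_DROP
    $IPT -A IN_TCP_UDP -p tcp --syn -j FLOOD
    $IPT -A FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN
    $IPT -A FLOOD -j LOG_FLOOD
    $IPT -A LOG_FLOOD -j LOG --log-prefix "IPT FLOOD: " --log-level=3
    $IPT -A LOG_FLOOD -j DROP
}

# Reads a rule listing on stdin and prints "<line>: <target>" for every
# -j target that is neither a built-in target nor a chain created by an
# earlier -N line; exits 1 if any were found, 0 if the listing is consistent.
check_targets() {
    awk '
        $2 == "-N" { defined[$3] = 1 }
        {
            for (i = 1; i < NF; i++) if ($i == "-j") {
                t = $(i + 1)
                if (t ~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/) continue
                if (!(t in defined)) { print NR ": " t; bad = 1 }
            }
        }
        END { exit bad }'
}

emit_rules | check_targets && echo "all jump targets defined"
```

Feeding the slides' "-j SHUN_IPS" comment through check_targets reports it, since no chain of that name is ever created.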
Configuring IPTables
– Configure IPTables to run on startup
    chkconfig iptables on
– Disable IPTables at startup
    chkconfig iptables off
– Starting and stopping IPTables
    service iptables start
    service iptables save
    service iptables stop
    service iptables restart
Assignment
• Using the example in these slides build a
script to install this firewall
• Comment the script
• List the rules and comment the listing
• Install the firewall, i.e. run the script
• ftp to an ftp server
• Have someone run nmap against your IP address
• Print and comment the log file
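For the last step, the kernel log lines written by the LOG targets above all carry an "IPT <chain>:" prefix followed by SRC=, PROTO= and DPT= fields, so they can be summarised per chain and source. This is an added example, not from the slides: the log lines are constructed, and the function names sample_log and ipt_log_summary are assumed.

```shell
#!/bin/sh
# Constructed sample of what /var/log/messages would hold after the
# firewall has logged a few dropped packets (plus one unrelated line).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 fw kernel: IPT Drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=41234 DPT=23 SYN URGP=0
Mar  3 10:15:02 fw kernel: IPT Drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=41235 DPT=25 SYN URGP=0
Mar  3 10:15:03 fw kernel: IPT FLAGS: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=41236 DPT=22 FIN URGP=0
Mar  3 10:15:09 fw kernel: IPT BAD_IP: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:16:41 fw kernel: IPT FLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 TTL=48 PROTO=TCP SPT=5555 DPT=80 SYN URGP=0
Mar  3 10:17:00 fw sshd[812]: Accepted publickey for admin from 192.0.2.25
EOF
}

# Reads syslog lines on stdin, keeps those with an "IPT <chain>:" prefix,
# and prints one line per (chain, source, protocol):
#   <chain> <SRC> <PROTO> <count> <destination ports seen, comma separated>
# Sorted so the output is stable; several ports from one source in a
# short time is the pattern a port scan leaves in this log.
ipt_log_summary() {
    awk '
        match($0, /IPT [A-Za-z_]+:/) {
            chain = substr($0, RSTART + 4, RLENGTH - 5)
            src = proto = dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            key = chain " " src " " proto
            count[key]++
            if (!((key, dpt) in seen)) {
                seen[key, dpt] = 1
                ports[key] = ports[key] "," dpt
            }
        }
        END { for (k in count) print k, count[k], substr(ports[k], 2) }
    ' | LC_ALL=C sort
}

sample_log | ipt_log_summary
```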