COMP475
System Administration and Security
FIREWALL
Linux Firewall
In Linux systems the firewall function is performed by a packet filter:
software that is part of the Linux kernel (in the form of loadable modules)
and makes a very thorough analysis of network packets possible.
There have been 3 main packet filters throughout the whole Linux history:
• ipfwadm - packet filter for kernel series 2.0.X,
• ipchains - packet filter for kernel series 2.2.X,
• iptables - packet filter for kernel series 2.4.X and later.
In CentOS 6.3 iptables is installed in version 1.4.7, whilst the latest version
available for download from iptables.org is 1.4.18.
As one can see, similarly to other software for Linux, the iptables filter is
released in versions. Depending on the version number iptables offers various
options and supports more configuration modules.
The website where one can find everything about iptables (installation
packages, source packages and documentation) is www.netfilter.org
(alternatively www.iptables.org, the same website).
Importantly, the iptables version has to match the kernel version: a too-new
iptables version will not install or work properly on an older kernel, because
the filtering features MUST be supported by the kernel. If they are not, the
kernel needs to be patched. Patches are also available on the iptables home
page.
From the point of view of packet filtering every single packet has to be
qualified as one of:
• incoming packet - a packet addressed to the firewall computer (its IP
address is the destination address),
• outgoing packet - a packet sent from the firewall computer (its IP address
is the source address),
• forwarded packet - a packet being forwarded from one subnet to another
(neither the source nor the destination IP address is the firewall
computer's).
Qualifying packets is crucial, because once a packet is qualified it is passed
to the appropriate rule chain, within which the filtering options are
specified. Once a packet is qualified to a rule chain it will be either…
The iptables command uses three predefined chains, related to the events
(packets) the firewall is supposed to decide about:
• INPUT - used to define what to do with incoming packets,
• OUTPUT - used to define what to do with outgoing packets,
• FORWARD - used to define what to do with forwarded packets.
Chains are sets of packet filtering rules; each rule is built of:
• a packet distinguisher (match), specifying exactly which packets are subject
to the rule (based for example on the IP address, port number, etc.),
• a packet destination (target), specifying what to do with packets that match
the rule specification.
There are three main packet destinations:
– ACCEPT - accepts the packet,
– REJECT - rejects the packet, giving the possibility to return an ICMP
message (e.g. host unreachable),
– DROP - rejects the packet and no information is returned.
PACKET  ->  qualified into exactly one of the three chains:

   INPUT                    OUTPUT                   FORWARD
   rule1: match -> target   rule1: match -> target   rule1: match -> target
   rule2: match -> target   rule2: match -> target   rule2: match -> target
   ...                      ...                      ...
   ruleN: match -> target   ruleN: match -> target   ruleN: match -> target
   DEFAULT POLICY           DEFAULT POLICY           DEFAULT POLICY

Rules in a chain are evaluated top-down: the first rule whose match fits the
packet decides its target, and when no rule matches the chain's DEFAULT POLICY
applies.
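As an added example (not part of the lecture), the model from the diagram above written out in Python: a packet is qualified into INPUT, OUTPUT or FORWARD by comparing its addresses with the firewall's own address (assumed here to be 192.168.1.1), rules are walked top-down, the LOG target (described under targets later) records the packet without ending the walk, and the DEFAULT POLICY applies when nothing matches. The rule set and packets are constructed for illustration.

```python
# Added example (not from the lecture): a model of the packet qualification
# and chain traversal shown in the diagram above; all values are constructed.
from collections import namedtuple

FIREWALL_IP = "192.168.1.1"  # the firewall computer's own address (constructed)

Packet = namedtuple("Packet", "src dst proto dport", defaults=("tcp", None))
Rule = namedtuple("Rule", "match target")    # match: packet distinguisher
Chain = namedtuple("Chain", "policy rules")  # policy: DEFAULT POLICY

def qualify(pkt):
    """INPUT if addressed to the firewall, OUTPUT if sent by it, else FORWARD."""
    if pkt.dst == FIREWALL_IP:
        return "INPUT"
    if pkt.src == FIREWALL_IP:
        return "OUTPUT"
    return "FORWARD"

def walk(chain, pkt, log):
    """Top-down evaluation: the first matching terminating target decides;
    LOG records the packet and evaluation continues with the next rule."""
    for rule in chain.rules:
        if rule.match(pkt):
            if rule.target == "LOG":
                log.append(f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
                continue
            return rule.target
    return chain.policy  # no rule matched: DEFAULT POLICY applies

def filter_packet(chains, pkt, log):
    """Qualify the packet into a chain and return the verdict for it."""
    return walk(chains[qualify(pkt)], pkt, log)

# Constructed rule set in the spirit of the lecture's examples: log-then-drop
# one host, accept web traffic, default DROP on INPUT and FORWARD.
CHAINS = {
    "INPUT": Chain("DROP", [
        Rule(lambda p: p.src == "64.55.11.2", "LOG"),
        Rule(lambda p: p.src == "64.55.11.2", "DROP"),
        Rule(lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT")]),
    "OUTPUT": Chain("ACCEPT", []),
    "FORWARD": Chain("DROP", [
        Rule(lambda p: p.proto == "udp" and p.dport == 67, "REJECT")]),
}

if __name__ == "__main__":
    audit = []
    pkt = Packet("64.55.11.2", FIREWALL_IP, dport=80)
    print(qualify(pkt), filter_packet(CHAINS, pkt, audit), audit)
```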
Each iptables rule (command) has the following structure:
iptables [-t table] COMMAND CHAIN MATCH -j TARGET
where:
- table - specifies what the rule refers to (e.g. whether this is a filtering
rule, a NAT rule, etc.); iptables handles four tables:
  - filter - the default table (no need to specify -t filter),
  - nat - destined to deal with NAT, MASQUERADING, tunnelling,
  - mangle - destined to modify packets (e.g. TTL) and also to mark packets,
  - raw - non-standard table, only for advanced applications (e.g. allows
bypassing the filtering mechanism for selected packets).
- COMMAND - used to handle rule chains:
  - -A - appends a rule to a chain,
  - -D - removes a rule from a chain,
  - -R - replaces a given rule,
  - -I - inserts a rule at a specified position in a chain,
  - -F - flushes a rule chain (no rules remain, only the DEFAULT POLICY applies),
  - -Z - zeroes packet counters,
  - -N - creates a new (custom) rule chain,
  - -X - deletes a custom rule chain,
  - -P - sets the default policy for a chain,
  - -L - lists the rules in a chain,
- CHAIN - a predefined built-in name (usable out of the box) or a user-defined
name identifying a rule chain; the built-in chain names are:
  - INPUT - used to gather rules applying to incoming packets,
  - OUTPUT - used to gather rules applying to outgoing packets,
  - FORWARD - used to gather rules applying to forwarded packets,
  - POSTROUTING - available within the nat and mangle tables, used to
determine what to do with packets after the route to a target destination
has been identified,
  - PREROUTING - available within the nat and mangle tables, used to
determine what to do with packets before the route to a target destination
has been identified,
- MATCH - specifies the features of a packet that distinguish this specific
packet (or packets) from all other packets, so that if it matches a rule, this
rule may determine its destination (target); the typical rule matches are:
  - -p - protocol (e.g. tcp, udp, ip, icmp, all)
    iptables -A INPUT -p tcp …
  - -s - source address
    iptables -A INPUT -p tcp -s 192.168.1.1 …
  - -d - destination address
    iptables -A INPUT -p tcp -d 192.168.1.1 …
  - -i - input interface (not available in the OUTPUT chain)
    iptables -A INPUT -i eth0 …
  - -o - output interface (not available in the INPUT chain)
    iptables -A OUTPUT -o eth1 …
  - --sport - source port
    iptables -A INPUT -p tcp --sport 80 …
  - --dport - destination port
    iptables -A FORWARD -p udp --dport 67 …
  - --tcp-flags - named TCP flags (ACK, SYN, FIN, RST, …); takes the mask of
flags to examine, then the flags that must be set
    iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN …
  - --tcp-option - TCP option number
    iptables -A INPUT -p tcp --tcp-option 16 …
  - --icmp-type - type of ICMP message
    iptables -A INPUT -p icmp --icmp-type echo-request …
More rule matches may be specified if extension modules (-m) are used. There
are plenty of additional extension modules; the most popular include:
  - state - allows referring to a connection state (ESTABLISHED, RELATED, NEW)
using the ip_conntrack kernel module,
    iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED,RELATED …
  - limit - allows specifying the frequency of packets matched per rule during
a given period of time (the rule may match only a strictly specified number
of times during that time),
    iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
  - multiport - allows specifying comma-separated ports,
    iptables ... -m multiport --dports 25,110 ...
  - mac - allows using MAC addresses in rules,
    iptables ... -m mac --mac-source MAC_ADDRESS ...
  - mark - allows referring to a marked packet in the rule,
    iptables -A FORWARD -m mark --mark 6 ...
  - owner - available in the OUTPUT chain, allows referring to packets
generated by a given user,
    iptables -A OUTPUT -m owner --uid-owner 500 ...
  - ttl - allows referring to a packet with a given TTL value,
    iptables -A INPUT -m ttl --ttl-eq 15 ...
  - string - allows referring to packets containing a given string (the
search algorithm must be given with --algo),
    iptables -A FORWARD -p tcp --dport 80 -m string --algo bm --string "kazaa" ...
  - time - allows activating rules within a given time frame,
    iptables -A INPUT -p tcp --dport 80 -m time --timestart 06:00 --timestop 23:00 \
    --weekdays Tue ...
  - p2p - allows selecting p2p packets,
    iptables -A FORWARD -m p2p ...
- TARGET - used to decide what to do with a packet that matches the rule;
typical targets that may be used in rules:
  - ACCEPT - this destination accepts packets matching the rule,
  - DROP - this destination drops packets without sending any information back
to the requesting / source computer (black hole target),
  - REJECT - this destination drops packets but also allows specifying a
return message to the requesting / source computer,
  - LOG - this destination logs a packet matching the rule (for audit
purposes); it is not a final destination: contrary to the ACCEPT, DROP and
REJECT targets the packet is not removed from the chain (after logging it is
still necessary to specify what to do with it),
    iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG \
    --log-prefix '** HACKERS **' --log-level 4
    iptables -A INPUT -s 64.55.11.2 -j DROP
  - REDIRECT - available in the nat table, allows redirecting a packet to a
different destination port on the firewall computer itself; to be used only
with the OUTPUT and PREROUTING chains,
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT \
    --to-ports 8080
  - SNAT - available in the nat table, allows replacing the original source
address with another one (can be used as a static version of NAT),
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 85.121.34.1
  - DNAT - available in the nat table, allows redirecting a packet to a
different destination address; to be used only with the OUTPUT and PREROUTING
chains,
    iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.10.0.5
  - MASQUERADE - available in the nat table; similarly to SNAT it replaces the
source address, but it uses the IP address of the outgoing interface instead
of a fixed IP address given in the rule (dynamic version of NAT),
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  - MARK - available in the mangle table, allows marking packets,
    iptables -t mangle -A PREROUTING -p tcp -s 195.122.131.0/24 \
    -j MARK --set-mark 0xf510
    iptables -A INPUT -m mark --mark 0xf510 -j ACCEPT
  - TTL - available in the mangle table, allows modifying the packet's TTL,
    iptables -t mangle -A OUTPUT -j TTL --ttl-set 126
Linux Firewall – EXAMPLES – logging
Linux Firewall – EXAMPLES – port redirection
Linux Firewall – EXAMPLES – tunnelling
CentOS 7.x - firewalld
In CentOS 7.x the firewall configuration should be done through a dedicated
tool, firewall-cmd. That tool works with firewalld, the daemon managing the
system firewall.
FirewallD uses services and zones instead of iptables rules and chains. By
default the following zones are available:
• drop – Drop all incoming network packets with no reply; only outgoing
network connections are available.
• block – Reject all incoming network packets with an icmp-host-prohibited
message; only outgoing network connections are available.
• public – Only selected incoming connections are accepted; for use in public
areas.
• external – For external networks with masquerading enabled; only selected
incoming connections are accepted.
• dmz – Demilitarized zone, publicly accessible with limited access to the
internal network; only selected incoming connections are accepted.
• work – For computers in your home area; only selected incoming connections
are accepted.
• home – For computers in your home area; only selected incoming connections
are accepted.
• internal – For computers in your internal network; only selected incoming
connections are accepted.
• trusted – All network connections are accepted.
To list all available zones run:
To list the default zone:
To set the default zone:
CentOS 7.x – firewalld – services
FirewallD services are XML configuration files carrying the information of a
service entry for firewalld. To list all available services run:
The XML configuration files are stored in the /usr/lib/firewalld/services/
and /etc/firewalld/services/ directories.
CentOS 7.x – firewalld – example
To implement any changes we need to reload the firewall with:
# firewall-cmd --reload
To list everything (all rules):
The website opens when accessed as:
# lynx http://localhost
It fails to open from outside (firewall? – let's stop it).
It is accessible now (after stopping firewalld).
Restarting firewalld.
Added the http service.
It is accessible now (firewalld is working).