
Page 1: Lecture 10: Security; Firewalls

07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63

COM342 Networks and Data Communications

Ian McCrum, Room 5B18
Tel: 90 366364 (voice mail on 6th ring)
Email: [email protected]
Web site: http://www.eej.ulst.ac.uk

Lecture 10: Security; Firewalls

Page 2: Routers

• Connecting two Local Area Networks together.

• Connecting a Local Area Network to the internet, e.g. via an ADSL modem, a cable modem or a slow dial-up modem.

• Connecting a LAN to a corporate network, e.g. within a building.

• Other uses: masquerading, to allow a number of private-IP-numbered machines to use the net while pretending to have an IP number that is allowed to traverse the internet.

• Restricting certain traffic while routing other traffic; useful for security… a firewall (see also bastion hosts and DMZs).

• As well as restricting traffic we can re-form packets to provide security: either an IP/port to IP/port connection that is encrypted, or a complete IP <-> IP connection that is encrypted (see SSH tunnels and VPNs; also CIPE, IPsec and others…).

Page 3: Firewalls (Linux iptables software)

• We have seen how TCP/IP (“internet”) data transport across the network involves:
  – An IP number (or a name that gets converted into a number)
  – A port number (e.g. port 80 for outgoing web pages)
  – The packet type, TCP or UDP.

• To block unwanted traffic, we must specify what gets through the firewall and what doesn’t.

• Each installation varies. We might allow all outgoing traffic but block all incoming traffic; on its own this won’t work, since some of the incoming traffic is the reply to an outgoing request.

Page 4: The Netfilter software (“iptables”)

• The Linux netfilter software operates with the following…
  – Rules: decisions are based on rules that we create. A rule specifies the criteria necessary for a packet to match it.
  – Targets: what is done with a matching packet; usually ACCEPT, DROP or REJECT.
  – Chains: rules are grouped into chains, which in turn are in…
  – Tables: three default tables are INPUT, OUTPUT and FORWARD (two others are NAT and MANGLE).
  – States: used for stateful packet filtering… subtle but useful; you can create rules based on whether a packet is in any of the following states: NEW, ESTABLISHED, RELATED and INVALID.

Page 5: Creating and Storing Rules

• Rules can be appended to the chains with the -A option. Also available are -I to insert and -R to replace; there is also a -D to delete a rule.

  $ iptables -A INPUT -s 0/0 -d 193.61.142.121 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT

• The rule above allows any source IP to access your port 80, so anyone can access the web server running at .121.

Page 6: Complete example (no forwarding)

*filter
# The default targets (policies) for the three chains are set
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# need to allow “loopback” to work
-A INPUT -i lo -j ACCEPT
# need to drop invalid connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related connections that come in to me
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

Page 7: Another Complete Example

*filter
# The default targets (policies) for the three chains are set
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# need to allow “loopback” to work
-A INPUT -i lo -j ACCEPT
# need to drop invalid connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related connections that come in to me
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to my ISP’s DNS server(s), both for my own outgoing queries and for forwarded LAN traffic
-A OUTPUT -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
# allow outgoing connections to webservers, my users can surf the world…
… continued on the next slide

Page 8: … continued

# allow outgoing connections to webservers, my users can surf the world…
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
# Actually safer to add a -s option above to explicitly enable only the allowed source IP numbers as well (with -s 192.168.0.3 etc.);
# this means repeating the line above, once for each IP source allowed to surf.
# Allow outgoing mail to my ISP’s SMTP and POP3 server only
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dport smtp,pop3 -o eth0 -j ACCEPT
# Log all other attempted outgoing connections; use this if you aren’t sure of what ports to allow…
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
# default is to DROP outgoing connections, so we should see these in the logs
COMMIT

*nat
# Set up IP forwarding and NAT
-A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
COMMIT
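To show how the pieces on pages 4 to 8 fit together, here is an added Python model (not code from the slides or from netfilter) of first-match evaluation over the iptables-restore format: rules are tried top to bottom, the first terminating target (ACCEPT, DROP or REJECT) decides, LOG falls through, and the chain policy applies when nothing matches. The ruleset, port table and test packets are constructed in the style of the forwarding example above; in this format the *filter line names the table and INPUT, FORWARD and OUTPUT are its built-in chains.

```python
import ipaddress
import shlex
PORTS = {"http": 80, "https": 443, "smtp": 25, "pop3": 110}   # service names used after --dport
# Constructed ruleset in iptables-restore format, modelled on the lecture's forwarding example
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
"""

def parse_filter(text):                     # -> {chain: (policy, [rule, ...])}
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]" sets the default target
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif line.startswith("-A "):        # "-m state" / "-m multiport" only load a match module
            chain, *toks = shlex.split(line)[1:]
            rule = {f.lstrip("-"): v for f, v in zip(toks[::2], toks[1::2]) if f != "-m"}
            chains[chain][1].append(rule)   # rule looks like {"d": "0/0", "state": "NEW", ..., "j": "ACCEPT"}
    return chains

def matches(rule, pkt):                     # every match in the rule must agree with the packet
    for key, want in rule.items():
        if key in ("s", "d"):               # "0/0" on the slides means any address
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network("0.0.0.0/0" if want == "0/0" else want)
        elif key == "dport":                # one port or a multiport list, by name or number
            ok = pkt["dport"] in [PORTS.get(x) or int(x) for x in want.split(",")]
        elif key == "state":                # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
            ok = pkt["state"] in want.split(",")
        else:                               # -i, -o, -p compare exactly; -j is the target, not a match
            ok = key == "j" or pkt[key] == want
        if not ok:
            return False
    return True

def verdict(chains, chain, pkt):            # walk the chain top to bottom: first terminating target wins
    policy, rules = chains[chain]
    for rule in rules:
        if matches(rule, pkt) and rule["j"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["j"]                # LOG is not terminating, so the walk continues past it
    return policy                           # nothing matched: the chain's default policy applies
CHAINS = parse_filter(RULESET)
```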

Page 9: More on NAT and FORWARDING

# for static IP numbers you can use the line below
-A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
# for dynamic IP numbers use the line below instead
-A POSTROUTING -o eth0 -j MASQUERADE
# this is a special case: the source IP is changed to the IP of the outgoing interface (eth0)
# this works with static as well, but the netfilter advice is to use the first version for static IPs.

# For ethernet (wired) networks that is OK; card drivers are inserted into the kernel with
# insmod or modprobe if needed (95% of cards auto-insert OK)
# ifconfig sets IP numbers/netmasks for each card; the route command tells where gateways are
# for wireless cards you use iwconfig to set the ESSID and MODE (ad-hoc or managed)

# The above slides allow any internal LAN machine to get out as required. To get outside traffic
# to end up at a specific machine is a bit trickier, e.g. if we run a web server on a PC, port 80.
# Port forwarding allows incoming traffic (port 80) on the firewall to be passed on to an internal PC.
# Two types of NAT exist, source and destination (SNAT/DNAT). Each incoming port can only be
# forwarded once, so you cannot run two webservers at once unless you use different ports.

*nat
-A POSTROUTING -o eth0 -j SNAT --to 193.61.142.120
-A PREROUTING -i eth0 -p tcp -d 193.61.142.120 --dport 80 -j DNAT --to 192.168.0.3:80
COMMIT
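As an added example (not from the slides), the following Python models the connection tracking behind the DNAT/SNAT rules above: the nat table is consulted only for a connection’s first packet, the mapping is recorded for both directions, and replies are rewritten back automatically. The firewall and web-server addresses are the slide’s; the internet client, the surfing LAN host and the second (never reached) DNAT entry are constructed to illustrate the first-match and “each port is forwarded once” points.

```python
PUBLIC_IP = "193.61.142.120"        # firewall's eth0 address (from the slide)
LAN_PREFIX = "192.168.0."           # private LAN behind the firewall

# PREROUTING DNAT rules as (proto, dport) -> (lan_ip, lan_port).  The second entry is
# constructed to show the slide's point: a port can only be forwarded once, first match wins.
DNAT_RULES = [(("tcp", 80), ("192.168.0.3", 80)),
              (("tcp", 80), ("192.168.0.4", 80))]   # never reached

def reverse(p):                     # (proto, src, sport, dst, dport) as seen from the other end
    proto, src, sport, dst, dport = p
    return (proto, dst, dport, src, sport)

def translate(pkt, direction, ct):
    """Rewrite a 5-tuple as the nat table would; ct is the conntrack mapping shared by both directions."""
    if pkt in ct:                   # not NEW: nat rules are only evaluated for a connection's first packet
        return ct[pkt]
    proto, src, sport, dst, dport = pkt
    if direction == "in" and dst == PUBLIC_IP:                   # PREROUTING -i eth0 ... -j DNAT
        target = next((to for key, to in DNAT_RULES if key == (proto, dport)), None)
        if target is None:
            return pkt              # no forward for this port: packet is for the firewall itself
        new = (proto, src, sport) + target
    elif direction == "out" and src.startswith(LAN_PREFIX):      # POSTROUTING -o eth0 -j SNAT --to PUBLIC_IP
        new = (proto, PUBLIC_IP, sport, dst, dport)               # (real SNAT may also remap sport on a clash)
    else:
        return pkt
    ct[pkt] = new
    ct[reverse(new)] = reverse(pkt) # so the reply is mapped back without consulting the rules again
    return new

def demo():
    """Walk one forwarded web request and one outbound LAN connection through the model."""
    ct = {}
    client_syn = ("tcp", "203.0.113.9", 40000, PUBLIC_IP, 80)      # constructed internet client
    to_server = translate(client_syn, "in", ct)                     # DNAT to the internal web server
    server_reply = translate(reverse(to_server), "out", ct)         # reply leaves with the public address
    lan_get = ("tcp", "192.168.0.7", 51000, "198.51.100.10", 443)   # constructed LAN host surfing out
    to_internet = translate(lan_get, "out", ct)                     # SNAT: source becomes the public IP
    back_to_lan = translate(reverse(to_internet), "in", ct)         # reply un-SNATed to the LAN host
    return {"dnat": to_server, "reply": server_reply, "snat": to_internet, "snat_reply": back_to_lan}
```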

Page 10: Miscellaneous

# Pings can be useful; to enable these
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# it might be a good idea to limit pings to certain machines only (-s option)

OTHER THINGS… We have not looked at:
• The MANGLE table for altering packets
• The string module, which allows rule matching based on strings anywhere in the data payload
• Time-based rules
• Quota and bandwidth limits
• Tarpits (catch and hold potential hacker packets, using up their resources and not your own)

MORE INFORMATION

These slides are taken from the document “Firewalling with netfilter/iptables” by Barry O’Donovan from UCD; Barry is a member of the Irish Linux Users Group.

See also http://www.netfilter.org
Google for “IPTABLES TUTORIALS”
Read the “HOWTO” documents held at http://www.tldp.org (tldp stands for “The Linux Documentation Project”)