07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63
COM342 Networks and Data Communications
Ian McCrum Room 5B18
Tel: 90 366364 voice mail on 6th ring
Email: [email protected]
Web site: http://www.eej.ulst.ac.uk
Lecture 10: Security; Firewalls
Routers
• Connecting two Local Area Networks together.
• Connecting a Local Area Network to the internet, e.g. via an ADSL modem, a cable modem or a slow dialup modem.
• Connecting a LAN to a corporate network, e.g. within a building.
• Other uses: masquerading, to allow a number of private-IP-numbered machines to use the net, pretending to have an IP number that is allowed to traverse the internet.
• Restricting certain traffic while routing other traffic; useful for security: a firewall (see also bastion hosts and the DMZ).
• As well as restricting traffic we can reform packets to provide security: either an ip/port-to-ip/port connection that is encrypted, or a complete IP <-> IP connection that is encrypted (see SSH tunnels and VPNs; also CIPE, IPsec and others).
Firewalls (Linux iptables software)
• We have seen how TCP/IP ("internet") data transport across the network involves:
  – An IP number (or a name that gets converted into a number)
  – A port number (e.g. port 80 for outgoing web pages)
  – The packet type, TCP or UDP.
• To block unwanted traffic, we must specify what gets through the firewall and what doesn't.
• Each installation varies. We might allow all outgoing traffic but block all incoming traffic; this won't work, since some of the incoming traffic may be in response to an outgoing request.
The Netfilter software ("iptables")
• The way that the Linux netfilter software operates is to have the following:
  – Rules; decisions are based on rules that we create. A rule specifies the criteria necessary for a packet to match it.
  – Targets; this is usually ACCEPT, DROP or REJECT.
  – Chains; rules are grouped into chains, which in turn are in...
  – Tables; three default tables are INPUT, OUTPUT and FORWARD (two others are NAT and MANGLE).
  – States; used for stateful packet filtering... subtle but useful: you can create rules based on whether a packet is in any of the following states: NEW, ESTABLISHED, RELATED and INVALID.
Creating and Storing Rules
• Rules can be appended to the chains with the -A option. Also available are -I to insert and -R to replace; there is also a -D to delete a rule.
  – $ iptables -A INPUT -s 0/0 -d 193.61.142.121 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
• The rule above allows any source IP to access your port 80, so anyone can access the webserver running at .121.
Complete example (no forwarding)
*filter
# The default targets for the three chains are set
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# need to allow "loopback" to work
-A INPUT -i lo -j ACCEPT
# need to drop invalid connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related connections that come in to me
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
Another Complete Example
*filter
# The default targets for the three chains are set
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# need to allow "loopback" to work
-A INPUT -i lo -j ACCEPT
# need to drop invalid connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related connections that come in to me
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to my ISP's DNS server(s), both for me going out and for my forwarded LAN stuff
-A OUTPUT -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A FORWARD -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
# allow outgoing connections to webservers, my users can surf the world...
-A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
-A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
# Actually safer to add a -s option above to explicitly enable only the allowed source IP numbers as well (with -s 192.168.0.3 etc.)
# This means repeating the line above, once for each IP source allowed to surf.
# Allow outgoing mail to my ISP's SMTP and POP3 server only
-A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -o eth0 -j ACCEPT
-A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -o eth0 -j ACCEPT
# Log all other attempted outgoing connections; use this if you aren't sure of what ports to allow...
-A OUTPUT -o eth0 -j LOG
-A FORWARD -j LOG
# default is to DROP outgoing connections, so we should see these in the logs
COMMIT
*nat
# Set up IP forwarding and NAT
-A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
COMMIT
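As an added illustration (not from the slides), this Python model replays the stateful-filtering logic of the two examples above: the OUTPUT DNS rule and the INPUT ESTABLISHED,RELATED rule, with connection tracking reduced to a set of accepted 5-tuples. It shows that a "block all incoming" policy drops the reply to our own DNS query unless the ESTABLISHED rule is present, while an unsolicited inbound probe still falls through to the DROP policy. The scanner address 203.0.113.9 and the port numbers are constructed; real conntrack and RELATED handling are not modelled.

```python
import shlex
# iptables option -> packet field it constrains ("0/0" on -s/-d means any address)
FIELDS = {"-i": "iif", "-o": "oif", "-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport"}

def flow(p):  # conntrack key for a packet
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

class Netfilter:
    """Toy stateful filter: first matching rule wins, otherwise the chain policy applies."""
    def __init__(self, policy):
        self.policy, self.rules, self.flows = policy, [], set()   # flows = conntrack table
    def add(self, line):
        """Parse one '-A CHAIN ... -j TARGET' line in the iptables-restore syntax of the slides."""
        tok = shlex.split(line)
        rule = {"chain": tok[1], "match": {}, "states": None, "target": None}
        for opt, val in zip(tok[2::2], tok[3::2]):   # every option on the slides takes one value
            if opt == "-j":
                rule["target"] = val
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt in FIELDS:                       # "-m state" itself records nothing
                rule["match"][FIELDS[opt]] = val
        self.rules.append(rule)
    def state_of(self, pkt):
        """ESTABLISHED if this flow or its reverse was already accepted, otherwise NEW."""
        rev = {**pkt, "src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"], "dport": pkt["sport"]}
        return "ESTABLISHED" if flow(pkt) in self.flows or flow(rev) in self.flows else "NEW"
    def filter(self, chain, pkt):
        state, verdict = self.state_of(pkt), self.policy[chain]
        for r in self.rules:
            if r["chain"] != chain or (r["states"] and state not in r["states"]):
                continue
            if all(v == "0/0" or str(pkt.get(k)) in v.split(",") for k, v in r["match"].items()):
                verdict = r["target"]
                break
        if verdict == "ACCEPT":
            self.flows.add(flow(pkt))
        return verdict

def demo(stateful=True):
    """DNS query out, its reply back in, then an unsolicited inbound SYN; returns the three verdicts."""
    fw = Netfilter({"INPUT": "DROP", "OUTPUT": "DROP"})
    if stateful:   # the slides' rule that lets replies to our own requests back in
        fw.add("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    fw.add("-A OUTPUT -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT")
    me, dns, scanner = "193.61.142.121", "193.61.128.3", "203.0.113.9"   # scanner: constructed address
    query = dict(proto="udp", src=me, sport=40000, dst=dns, dport=53, oif="eth0")
    reply = dict(proto="udp", src=dns, sport=53, dst=me, dport=40000, iif="eth0")
    probe = dict(proto="tcp", src=scanner, sport=5555, dst=me, dport=22, iif="eth0")
    return fw.filter("OUTPUT", query), fw.filter("INPUT", reply), fw.filter("INPUT", probe)
```

Without the ESTABLISHED rule the second verdict becomes DROP: the firewall lets the query out but discards the answer, which is exactly the failure the "allow out, block in" policy runs into.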
More on NAT and FORWARDING
# for static IP numbers you can use the line below
-A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
# for dynamic IP numbers use the line below instead
-A POSTROUTING -o eth0 -j MASQUERADE
# this is a special case: the source IP is changed to the IP of the outgoing interface (eth0)
# this works with static as well, but the netfilter advice is to use the first version for static IPs.
# For ethernet (wired) networks that is ok; card drivers are inserted into the kernel with
# insmod or modprobe if needed (95% of cards autoinsert ok)
# ifconfig sets IP numbers/netmasks for each card; the route command tells where gateways are
# for wireless cards you use iwconfig to set the ESSID and MODE (ad-hoc or managed)
# The above slides allow any internal LAN machine to get out as required. To get outside traffic
# to end up at a specific machine is a bit trickier. E.g. if we run a web server on a PC, port 80,
# port forwarding allows incoming traffic (port 80) on the firewall to be passed on to an internal PC.
# Two types of NAT exist, source and destination (SNAT/DNAT). Each incoming port can only be
# forwarded once, so you cannot run two webservers at once unless you use different ports.
*nat
-A POSTROUTING -o eth0 -j SNAT --to 193.61.142.120
-A PREROUTING -i eth0 -p tcp -d 193.61.142.120 --dport 80 -j DNAT --to 192.168.0.3:80
COMMIT
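An added Python model (not from the slides or from netfilter) of the nat table on this slide: DNAT in PREROUTING for the port-80 forward to 192.168.0.3, SNAT in POSTROUTING for LAN hosts going out, and the reverse translation that connection tracking applies to the reply packets in both directions. The client 203.0.113.9, LAN host 192.168.0.5 and external web server 198.51.100.7 are constructed addresses; a second DNAT rule for port 80 is added only to show that a port already forwarded is never matched again.

```python
class Nat:
    """Toy model of the slides' nat table: PREROUTING DNAT, POSTROUTING SNAT, plus the reverse
    translation that netfilter's connection tracking applies to replies (not real netfilter)."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.dnat = []    # PREROUTING rules ((proto, dport), (inside_ip, inside_port)); first match wins
        self.conns = {}   # conntrack: 5-tuple of the expected reply -> the connection's original packet
    def add_dnat(self, proto, dport, to_ip, to_port):
        """-A PREROUTING -i eth0 -p PROTO -d PUBLIC --dport DPORT -j DNAT --to TO_IP:TO_PORT"""
        self.dnat.append(((proto, dport), (to_ip, to_port)))
    def _track(self, orig, new):
        """Remember how to undo this translation when the reply to 'new' comes back."""
        self.conns[(new["proto"], new["dst"], new["dport"], new["src"], new["sport"])] = orig
    def _untranslate(self, pkt):
        """If pkt is a reply on a tracked connection, swap in the addresses the other end expects."""
        o = self.conns.get((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return o and {**pkt, "src": o["dst"], "sport": o["dport"], "dst": o["src"], "dport": o["sport"]}

    def prerouting(self, pkt):
        """Packet arriving on eth0: un-SNAT a reply, else DNAT a new connection to the public IP."""
        reply = self._untranslate(pkt)
        if reply:
            return reply
        for (proto, dport), (to_ip, to_port) in self.dnat:
            if pkt["dst"] == self.public_ip and (pkt["proto"], pkt["dport"]) == (proto, dport):
                new = {**pkt, "dst": to_ip, "dport": to_port}
                self._track(pkt, new)
                return new
        return pkt

    def postrouting(self, pkt):
        """Packet leaving: un-DNAT a reply, else SNAT if it leaves on eth0 (-o eth0 -j SNAT --to PUBLIC)."""
        reply = self._untranslate(pkt)
        if reply or pkt.get("oif") != "eth0":   # DNATed traffic leaves on the LAN side, untouched
            return reply or pkt
        new = {**pkt, "src": self.public_ip}     # real SNAT also picks a free port on collisions
        self._track(pkt, new)
        return new

def demo():
    """Port 80 forwarded to the inside web server (the slide's rule), plus a LAN host surfing via SNAT."""
    nat, client, lan = Nat("193.61.142.120"), "203.0.113.9", "192.168.0.5"   # client/lan: constructed
    nat.add_dnat("tcp", 80, "192.168.0.3", 80)   # the slide's DNAT rule
    nat.add_dnat("tcp", 80, "192.168.0.4", 80)   # never matches: port 80 is already forwarded
    hit = nat.prerouting(dict(proto="tcp", src=client, sport=5555, dst="193.61.142.120", dport=80))
    back = nat.postrouting(dict(proto="tcp", src="192.168.0.3", sport=80, dst=client, dport=5555, oif="eth0"))
    out = nat.postrouting(dict(proto="tcp", src=lan, sport=50000, dst="198.51.100.7", dport=80, oif="eth0"))
    ret = nat.prerouting(dict(proto="tcp", src="198.51.100.7", sport=80, dst="193.61.142.120", dport=50000))
    return (hit["dst"], hit["dport"]), (back["src"], back["sport"]), out["src"], (ret["dst"], ret["dport"])
```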
Miscellaneous
# Pings can be useful; to enable these:
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# it might be a good idea to limit pings to certain machines only (-s option)
OTHER THINGS...
We have not looked at:
  – The MANGLE table for altering packets
  – The string module, which allows rule matching based on strings anywhere in the data payload
  – Time-based rules
  – Quota and bandwidth limits
  – Tarpits (catch and hold potential hacker packets, using up their resources and not your own)
MORE INFORMATION
These slides are taken from the document "Firewalling with netfilter/iptables" by Barry O'Donovan from UCD; Barry is a member of the Irish Linux Users Group.
See also http://www.netfilter.org
Google for "IPTABLES TUTORIALS"
Read the "HOWTO" documents held at http://www.tldp.org (tldp stands for "The Linux Documentation Project")