nftables and ips - moutane

Nftables and IPS

Éric Leblond

Stamus Networks

July 8, 2014

Éric Leblond (Stamus Networks) Nftables and IPS July 8, 2014 1 / 23

1 Introduction

2 Iptables

3 Nftables

4 Conclusion


Eric Leblond a.k.a Regit

FrenchNetwork security expertFree Software enthousiastNuFW project creator (Now ufwi), EdenWall co-founderNetfilter developer:

Maintainer of ulogd2: Netfilter logging daemonMisc contributions:

NFQUEUE library and associatesPort of some features iptables to nftables

Currently:co-founder of Stamus Networks, a company providing Suricatabased network probe appliances.Suricata IDS/IPS funded developer


IPS implementation

Network Intrusion Detection SystemAnalyse traffic to detect event and anomalyDetect known alertGenerate events after protocol analysis

Intrusion Prevention SystemA NIDS blocking attacks before they reach targetsMade with Netfilter using NFQUEUE target

NFQUEUE must send all needed packets


Constraints of IPS implementation

Constraints1 Get all packets for a studied flow2 Get only accepted packets

Dropped packets are not a threatTreating them will result in heavy ressource usage

The challengeGet an IPS implementation without impact on rulesetmanagement solutionChanging firewall rules management software should be possible

Without modification of IPS rulesetWithout change on ruleset management


1 Introduction

2 Iptables

3 Nftables

4 Conclusion


How to fail miserabily

First try

i p t a b l e s −A FORWARD − j NFQUEUEi p t a b l e s −A FORWARD \

−m conntrack −−c t s t a t e ESTABLISHED \− j ACCEPT

# your f i r e w a l l r u l es here

NFQUEUE is a terminal targetNFQUEUE rule send packet to IDSIDS decide if packet is accepted and droppedpacket leave current primary chain and go for next one


Simple iptables implementation

Using user chainTransform ACCEPT decision in a function

Implementation

i p t a b l e s −N ips−accepti p t a b l e s −A ips−accept − j NFQUEUE −−queue−balance 1−4

i p t a b l e s −A FORWARD \−m conntrack −−c t s t a t e ESTABLISHED \− j ips−accept

# your f i r e w a l l r u l es herei p t a b l e s −A FORWARD \

−m conntrack −−c t s t a t e NEW \−p tcp −−dpor t 22 \− j ips−accept


Iptables implementation using mangle

Use a chain different from FORWARDLet’s find a unused table to dedicate to IPSWe can use PREROUTING mangle

Implementation

i p t a b l e s −A PREROUTING − t mangle − j NFQUEUEi p t a b l e s −A FORWARD \

−m conntrack −−c t s t a t e ESTABLISHED− j ACCEPT

# your f i r e w a l l r u l es here

ContraWe don’t see NAT transformation in IPSMangle can be used by other software


Complex integration: repeat mode (1/2)

NFQUEUE hardcoreAlternate decision

NF_REPEAT : send the packet back to the start of the tableNF_QUEUE : send the packet to another queue (chain softwareusing NFQUEUE)

Packet marking: userspace can take decision and mark packet

Algorithm1 NFQUEUE packet as first rule if they have no mark2 IPS mark packet (take one bit of the mark)3 IPS verdict with with NF_REPEAT4 If accepted packet get back to queuing rule but marked



Ruleset

i p t a b l e s − I FORWARD −m mark ! −−mark $MARK/$MASK − j NFQUEUE

Suricata configurationnfq:

mode: repeatrepeat_mark: 1repeat_mask: 1

Snort cookbook



Ruleset

i p t a b l e s − I FORWARD −m mark ! −−mark $MARK/$MASK − j NFQUEUE

Suricata configurationnfq:mode: repeatrepeat_mark: 1repeat_mask: 1

Snort cookbook


You need to stop that!


1 Introduction

2 Iptables

3 Nftables

4 Conclusion


What’s new with nftables ?

Nftables and queueNo change needed onuserspace softwareNo new features in kernelJust a syntax update

Nftables and chainNo chain by defaultAll chains have to becreated by user


Nftables chain

PrincipleUser chain

accessible via jumpPrimary chain

Type: filtering, nat, routeHook: point of attachementPriority: ordering of chain

Syntax

n f t > add chain f i l t e r i npu t { type f i l t e r hook i npu t p r i o r i t y 0 ; }


Solution: dedicate a nftables chain to IPS

Create one chain for filteringCreate on IPS chainPut IPS chain after the filtering chain


Building the perfect IPS ruleset (1/2)

ImplementationWe name chains accordingly to functionWe set a higher priority to IPS chain

Creating the chains

n f t − in f t > add tab le f i l t e rn f t > add chain f i l t e r f i r e w a l l { type f i l t e r hook forward p r i o r i t y 0 ; }n f t > add chain f i l t e r IPS { type f i l t e r hook forward p r i o r i t y 10 ; }


Building the perfect IPS ruleset (2/2)

Firewall rules

n f t > add r u l e f i l t e r f i r e w a l l c t s t a t e es tab l i shed acceptn f t > add r u l e f i l t e r f i r e w a l l tcp dpor t ssh counter acceptn f t > add r u l e f i l t e r f i r e w a l l tcp dpor t 443 acceptn f t > add r u l e f i l t e r f i r e w a l l counter log drop

IPS rule

n f t > add r u l e f i l t e r IPS queue


queue target detail

Syntax

n f t add r u l e t e s t i npu t queue num 1−3 bypass fanout

Optionsnum: queue num to use, interval is load balancingbypass: accept packet if noone is listeningfanout: accept new packets if userspace queue length is too long


Nftables brings a fully compliant solution

Nftables solutionIPS filtering are fullyindependant of filteringNeed only to fix priority Ifruleset is managed by asoftware

Nftables flexibilityPowerful and bringssolutionTools will have to be welldesigned


nftables chain priority

Priority and iptablesIptables compatibility predefined chainPriority has to be chosen accordingly

List of chain prioritiesNF_IP_PRI_CONNTRACK_DEFRAG (-400): priority of defragmentationNF_IP_PRI_RAW (-300): traditional priority of the raw table placed before connection tracking operationNF_IP_PRI_SELINUX_FIRST (-225): SELinux operationsNF_IP_PRI_CONNTRACK (-200): Connection tracking operationsNF_IP_PRI_MANGLE (-150): mangle operationNF_IP_PRI_NAT_DST (-100): destination NATNF_IP_PRI_FILTER (0): filtering operation, the filter tableNF_IP_PRI_SECURITY (50): Place of security table where secmark can be set for exampleNF_IP_PRI_NAT_SRC (100): source NATNF_IP_PRI_SELINUX_LAST (225): SELInux at packet exitNF_IP_PRI_CONNTRACK_HELPER (300): connection tracking at exit


1 Introduction

2 Iptables

3 Nftables

4 Conclusion


Questions ?

Simple is beautifulFrom over complex to a natural way of doing things

Thanks toPatrick McHardy to have started nftablesPablo Neira Ayuso and the others to have continued the work

More informationNetfilter: http://www.netfilter.org/My blog: https://home.regit.org/Stamus Networks: https://www.stamus-networks.com/


http://www.netfilter.org/

https://home.regit.org/

https://www.stamus-networks.com/

nftables and ips - moutane

Documents