Firewalls Implementation IPTables Firewall Implementation Taken from Red Hat Linux Firewalls, Bill McCarty Copyright Red Hat and Bill McCarty

Upload: clifton-creighton

Post on 15-Jan-2016


Page 1:

Firewalls Implementation

IPTables Firewall Implementation

Taken from Red Hat Linux Firewalls, Bill McCarty. Copyright Red Hat and Bill McCarty.

Page 2:

Scripting Intro

• Brief introduction to shell scripts in Unix
– A shell script is a file of commands read by a command interpreter (the shell, here bash)
– Every process has three standard streams: standard in, standard out, standard error
– Redirection: ">" sends standard out to a file, "<" reads standard in from a file
– ">|" forces overwrite of an existing file (even when the shell's noclobber option is set)
– ">>" appends to the file

Page 3:

Scripts: Start

• Create a firewall file
– Make it executable: chmod 700 acklers_firewall
– Not 777: the script runs as root, and a world-writable script lets any local user add firewall rules of their own

• All scripts start with #!/bin/bash, which executes the remaining lines as commands, except comments
– Comments start with a #
– Variables are defined before they are used:

IP="172.16.1.2"

– Variables are referenced as $name; $IP is replaced textually by the value given in the definition of IP

Page 4:

Scripts: Control flow

If-then-else:

if [ condition ]
then
    "do something"
else
    "something to do goes here"
fi

if – fi act as parentheses around the block
exit 1 exits the script (a non-zero status tells the caller the script failed)
[ ] needs white space around the condition

Page 5:

Control flow example

if [ ! -x /sbin/iptables ]
then
    echo "Firewall: can't execute iptables"
    exit 1
fi

-x tests that the file exists and is executable. "which iptables" prints the path to iptables if it differs on your system.

Page 6:

Scripts: Control flow

for loop:

for var in list; do
    stuff to do
done

var is a variable that takes on each value in list in turn
list is a whitespace-separated list of values

BADIPS="10.0.0.0/8 172.16.0.0/12"

for ip in $BADIPS; do
    iptables -A INPUT -s $ip -j DROP
done

Page 7:

Firewall Construction Plan

• Firewall policies
• High level design
• Detailed design
• Test

Page 8:

Firewall Policies

Egress filtering: Restrictive. Only explicitly authorized packets may exit the protected host.

Ingress filtering: Restrictive. Only explicitly authorized packets may enter the protected host.

Hostile hosts: Hostile hosts may be shunned.

Special IPs: Traffic from special IPs is blocked, e.g. the RFC 1918 private ranges.

Page 9:

Firewall Policies cont'd

Inbound services: Remote clients can access the SSH and HTTP services provided by the protected host. All other services are blocked.

Outbound services: Local clients can access only these remote services: DNS, FTP, HTTP, HTTPS, RSYNC, SMTP, SSH, and WHOIS servers. All other services are blocked to local clients.

Page 10:

Firewall Policies cont'd

Inbound ICMP: Destination unreachable, parameter problem, source quench, and time exceeded are the only authorized ICMP messages.

Outbound ICMP: Destination unreachable, fragmentation needed, parameter problem, and source quench are the only authorized ICMP messages. (Source quench, ICMP type 4, was deprecated by RFC 6633 and is ignored by current stacks; allowing it is harmless but no longer useful.)

Logging: All blocked packets are logged via the Syslog facility.

Page 11:

Firewall Policies cont'd

Ping: Only specified hosts can ping, or be pinged by, the protected host.

SYN Flood: The firewall will block SYNs when their rate of arrival exceeds a specified threshold.

TCP Flags: TCP flags are validated, blocking certain types of TCP scans.

Page 12:

Packet Path with NAT and MANGLE

[Diagram: Network → mangle PREROUTING → nat PREROUTING → route. Packets for this host: → filter INPUT → Local Process. Packets for another host: → filter FORWARD → nat POSTROUTING → Network. Locally generated packets: Local Process → mangle OUTPUT → filter OUTPUT → nat POSTROUTING → Network.]

Page 13:

Our Firewall: no NAT, no MANGLE, no FORWARD

• Firewall for a single-homed protected host
• The FORWARD chain of the FILTER table is not used: the host does not route, so its policy is DROP and it holds no rules
• No NAT table rules
• No MANGLE table rules
• Only the INPUT and OUTPUT chains in the FILTER table carry rules

Page 14:

Our Packet Path

[Diagram: Network → filter INPUT → Local Process → filter OUTPUT → Network]

Page 15:

Setup: Some Assignments

# Abbreviation for iptables
IPT=/sbin/iptables

# Loopback address (no space after the "=", or the shell treats LO= as a command prefix)
LO="127.0.0.1"

# IP address of the firewall host: either fill it in by hand ...
IP="xxx.xxx.xxx.xxx"
# ... or read it from the interface. This pipeline parses the ifconfig output
# format of the era; on iproute2 systems use:
#   ip -4 -o addr show dev eth0 | awk '{ print $4 }' | cut -d/ -f1
IP=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

http://www.cyberciti.biz/faq/how-to-find-out-the-ip-address-assigned-to-eth0-and-display-ip-only/

Page 16:

Setting Up the Chains & Tables

Ensure that iptables is installed.
Set the default policies to DROP to protect the system while the rules are installed.
Flush and delete all user chains.
Flush all built-in chains (built-in chains cannot be deleted).
Reset all counters.

if [ ! -x $IPT ]; then
    echo "Firewall: Can't find iptables"
    exit 1
fi

$IPT -P INPUT DROP     # Set default policy to DROP
$IPT -P OUTPUT DROP    # Set default policy to DROP
$IPT -P FORWARD DROP   # Set default policy to DROP
$IPT -F                # Flush all chains in the filter table
$IPT -X                # Delete all user chains in the filter table

for table in filter nat mangle; do
    $IPT -t $table -F  # Flush the table's rules
    $IPT -t $table -X  # Delete the table's user chains
    $IPT -t $table -Z  # Zero the table's counters
done

Because the policies are DROP before any ACCEPT rule exists, a remote SSH session is cut off until the script finishes; run the script from the console the first time.

Page 17:

INPUT Chain Policy (filter table)

• Loopback OK » Accept
• Bad IP » Log and drop
• Shunned IPs » Log and drop
• Branches » ICMP or TCP/UDP?
• Logs and drops the rest

Page 18:

INPUT Chain

[Flowchart: Network → loopback? yes: ACCEPT → BAD_IP → SHUN_IP → ICMP? yes: IN_ICMP, no: IN_TCP_UDP → LOG_DROP]

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j BAD_IP
$IPT -A INPUT -j SHUN_IP
$IPT -A INPUT ! -p icmp -j IN_TCP_UDP
$IPT -A INPUT -p icmp -j IN_ICMP
$IPT -A INPUT -j LOG_DROP

The user chains must already exist (created with -N on the following pages) before these jumps are added. Each user chain returns to INPUT for anything it does not decide, and the final rule logs and drops it. Negation is written before the option ("! -p icmp"); the older "-p ! icmp" spelling is deprecated.

Page 19:

OUTPUT Chain Policy (filter table)

• Loopback OK » Accept
• Bad IP » Log and drop
• Shunned IPs » Log and drop
• Branches » ICMP or TCP/UDP?
• Logs and drops the rest

Page 20:

OUTPUT Chain

[Flowchart: Local process → loopback? yes: ACCEPT → BAD_IP → SHUN_IP → ICMP? yes: OUT_ICMP, no: OUT_TCP_UDP → LOG_DROP]

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j BAD_IP
$IPT -A OUTPUT -j SHUN_IP
$IPT -A OUTPUT ! -p icmp -j OUT_TCP_UDP
$IPT -A OUTPUT -p icmp -j OUT_ICMP
$IPT -A OUTPUT -j LOG_DROP

Page 21:

User chains

User chains:

IN_TCP_UDP    Further filters TCP & UDP datagrams
IN_ICMP       Further filters ICMP datagrams
OUT_TCP_UDP   Further filters TCP & UDP datagrams
OUT_ICMP      Further filters ICMP datagrams
FLOOD         Stops SYN flood attacks
FLAGS         Drops packets with incorrect TCP flags set
BAD_IP        Drops packets from bad IP addresses
SHUN_IP       Drops packets from IP addresses that have been identified as hostile

Page 22:

User logging chains

Logging chains:

LOG_DROP      Logs and drops various packets selected to be dropped
LOG_FLOOD     Logs and drops various packets judged to be a SYN flood
LOG_FLAGS     Logs and drops various packets judged to have incorrect TCP flags set
LOG_BAD_IP    Logs and drops various packets coming from or going to bad IP addresses
LOG_SHUN_IP   Logs and drops various packets coming from or going to IP addresses that are to be shunned

Page 23:

IN_TCP_UDP User Chain

Remote clients can access the SSH and HTTP services provided by the protected host. All other services are blocked.

[Flowchart: invalid state? yes: LOG_DROP → FLOOD (SYNs only) → FLAGS → established or related state? yes: ACCEPT → source IP spoofed? yes: LOG_DROP → continued on the next page]

$IPT -N IN_TCP_UDP
$IPT -A IN_TCP_UDP -m state --state INVALID -j LOG_DROP
$IPT -A IN_TCP_UDP -p tcp --syn -j FLOOD
$IPT -A IN_TCP_UDP -p tcp -j FLAGS
$IPT -A IN_TCP_UDP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPT -A IN_TCP_UDP -s $IP -j LOG_DROP   # inbound packet claiming our own address: spoofed

Long options take two hyphens (--state, --syn), and a line is continued with a backslash, not a slash.

Page 24:

IN_TCP_UDP User Chain cont'd

[Flowchart: AUTH request? yes: REJECT → authorized service? yes: ACCEPT, no: RETURN]

SSH="my_IP_addr your_IP_addr"
WWW="my_IP_addr your_IP_addr"

for sip in $SSH; do
    $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 22 -m state \
        --state NEW -j ACCEPT
done

for sip in $WWW; do
    $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 80 -m state \
        --state NEW -j ACCEPT
done

# Authentication (ident, TCP port 113) request: REJECT rather than DROP, so a
# remote mail or FTP server that queries ident gets an immediate refusal
# instead of waiting for a timeout before serving us
$IPT -A IN_TCP_UDP -p tcp --dport 113 -j REJECT

# Add rules for other required services, for example:
#
# services="IP addresses"
#
# for sip in $services; do
#     $IPT -A IN_TCP_UDP -p proto -s $sip --dport port -m state \
#         --state NEW -j ACCEPT
# done

Page 25:

OUT_TCP_UDP User Chain

The protected host can access ftp, ssh, smtp, whois, DNS, http, https and rsync services. All other services are blocked.

[Flowchart: FLAGS → source IP OK? no: LOG_DROP → established or related state? yes: ACCEPT → authorized service? yes: ACCEPT, no: RETURN]

# Permitted outbound connections
# ftp, ssh, smtp, whois, DNS, http, https, rsync
OUT_SERVICES="21 22 25 43 53 80 443 873"

$IPT -N OUT_TCP_UDP
$IPT -A OUT_TCP_UDP -p tcp -j FLAGS
$IPT -A OUT_TCP_UDP ! -s $IP -j LOG_DROP   # outbound packet not from our own address: spoofed
$IPT -A OUT_TCP_UDP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

for dpt in $OUT_SERVICES; do
    $IPT -A OUT_TCP_UDP -m state --state NEW -p tcp \
        --dport $dpt -j ACCEPT
done
$IPT -A OUT_TCP_UDP -m state --state NEW -p udp \
    --dport 53 -j ACCEPT

Check before the FTP exercise: an FTP data connection (active or passive) is a second TCP connection on a dynamic port, so it passes this chain and IN_TCP_UDP only as RELATED, which requires the FTP connection-tracking helper (ip_conntrack_ftp on 2.4/2.6 kernels, nf_conntrack_ftp since; on kernels from 4.7 on, automatic helper assignment is off by default and the helper must be assigned with a CT rule in the raw table). Without it port 21 opens but every data transfer hangs.

Page 26:

IN_ICMP User Chain

Destination unreachable, parameter problem, source quench, and time exceeded are the only authorized inbound ICMP messages, plus echo request/reply from the listed ping peers.

[Flowchart: authorized ping? yes: ACCEPT → destination unreachable? yes: ACCEPT → source quench? yes: ACCEPT → time exceeded? yes: ACCEPT → parameter problem? yes: ACCEPT → RETURN]

PING="my_IP_addr your_IP_addr"
$IPT -N IN_ICMP
for sip in $PING; do
    $IPT -A IN_ICMP -p icmp --icmp-type echo-request \
        -s $sip -d $IP -j ACCEPT
    $IPT -A IN_ICMP -p icmp --icmp-type echo-reply \
        -s $sip -d $IP -j ACCEPT
done

$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT

# Default is to return to INPUT on fall-through, where LOG_DROP catches the rest

Page 27:

OUT_ICMP User Chain

Destination unreachable, fragmentation needed, parameter problem, and source quench are the only authorized outbound ICMP messages, plus echo request/reply to the listed ping peers.

[Flowchart: authorized ping? yes: ACCEPT → destination unreachable? yes: ACCEPT → fragmentation needed? yes: ACCEPT → source quench? yes: ACCEPT → parameter problem? yes: ACCEPT → RETURN]

$IPT -N OUT_ICMP
for sip in $PING; do
    # Outbound: the source is this host and the destination is the peer
    # (the inbound pair on the previous page has them the other way round)
    $IPT -A OUT_ICMP -p icmp --icmp-type echo-request \
        -s $IP -d $sip -j ACCEPT
    $IPT -A OUT_ICMP -p icmp --icmp-type echo-reply \
        -s $IP -d $sip -j ACCEPT
done

$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
# fragmentation-needed is one code of destination-unreachable, so the rule
# above already matches it; the explicit rule documents the policy
$IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT

# Default is to return to OUTPUT on fall-through, where LOG_DROP catches the rest

Page 28:

Bad IP User Chain

Traffic from or to special IPs is blocked, e.g. RFC 1918.

[Flowchart: bad source IP? yes: LOG_BAD_IP → bad dest IP? yes: LOG_BAD_IP → RETURN]

# Unspecified ("this network") and limited broadcast addresses
BAD_IPS="0.0.0.0/8 255.255.255.255"
# RFC 1918 private addresses
BAD_IPS="$BAD_IPS 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Loopback network: 127.0.0.0/8 (a /4 here would also cover 112.0.0.0 to 126.255.255.255, which is public address space)
BAD_IPS="$BAD_IPS 127.0.0.0/8"
# Multicast (224.0.0.0/4) and reserved class E (240.0.0.0/4) addresses
BAD_IPS="$BAD_IPS 224.0.0.0/4 240.0.0.0/4"

$IPT -N BAD_IP
for ip in $BAD_IPS; do
    $IPT -A BAD_IP -s $ip -j LOG_BAD_IP
done
for ip in $BAD_IPS; do
    $IPT -A BAD_IP -d $ip -j LOG_BAD_IP
done

# Returns to the calling chain by default

Check before installing: if the protected host itself sits on an RFC 1918 network, remove its range from BAD_IPS, or this chain drops every packet the host sends and receives. Loopback traffic is unaffected because INPUT and OUTPUT accept interface lo before jumping here.

Page 29:

Hostile Hosts User Chain

Hostile hosts may be shunned: both inbound and outbound traffic can be blocked.

[Flowchart: hostile source IP? yes: LOG_SHUN_IP → hostile dest IP? yes: LOG_SHUN_IP → RETURN]

# Hostile IPs: the list starts out empty
SHUN_IPS=""
# To add an address to the list while the firewall is running
#   iptables -I SHUN_IP -s address -j LOG_SHUN_IP
#   iptables -I SHUN_IP -d address -j LOG_SHUN_IP
# To delete an address from the list
#   iptables -D SHUN_IP -s address -j LOG_SHUN_IP
#   iptables -D SHUN_IP -d address -j LOG_SHUN_IP
# To clear the list
#   iptables -F SHUN_IP

$IPT -N SHUN_IP
for ip in $SHUN_IPS; do
    $IPT -A SHUN_IP -s $ip -j LOG_SHUN_IP
done
for ip in $SHUN_IPS; do
    $IPT -A SHUN_IP -d $ip -j LOG_SHUN_IP
done

# Returns to the calling chain by default

Page 30:

FLOOD

The firewall will block SYNs when their rate of arrival exceeds a specified threshold.

[Flowchart: SYN rate exceeded? yes: LOG_FLOOD, no: RETURN]

SYN_OPT="-m limit --limit 5/second --limit-burst 10"

$IPT -N FLOOD
$IPT -A FLOOD $SYN_OPT -j RETURN   # under the limit: back to IN_TCP_UDP
$IPT -A FLOOD -j LOG_FLOOD         # over the limit: log and drop

The limit match counts all SYNs together, not per source, so a flood also blocks legitimate new connections for its duration; the hashlimit match (-m hashlimit --hashlimit-mode srcip) rate-limits per source address instead.

Page 31:

TCP Flags

TCP flags are validated, blocking certain types of TCP scans.

[Flowchart: bad TCP flags? yes: LOG_FLAGS, no: RETURN]

$IPT -N FLAGS
# --tcp-flags MASK COMP: look only at the flags in MASK and match when exactly
# the flags in COMP are set. Every legitimate segment except the first SYN
# carries ACK, so the first three rules catch flags sent without it.
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG_FLAGS              # FIN scan
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LOG_FLAGS                  # every flag set
$IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LOG_FLAGS                 # no flags (NULL scan)
$IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_FLAGS          # Xmas scan
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG_FLAGS
$IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_FLAGS

Page 32:

Logging Chains

Log and drop all that is bad.

# This limits the rate of logging, so a flood cannot fill the disk with log lines
LOG_OPT="-m limit --limit 1/second --limit-burst 10"

$IPT -N LOG_DROP
$IPT -A LOG_DROP $LOG_OPT -j LOG --log-level 3 --log-prefix "IPT Drop: "
$IPT -A LOG_DROP -j DROP

$IPT -N LOG_BAD_IP
$IPT -A LOG_BAD_IP -p tcp --dport 137:139 -j DROP   # MS broadcast noise: drop without logging
$IPT -A LOG_BAD_IP -p udp --dport 137:139 -j DROP   # MS broadcast noise: drop without logging
$IPT -A LOG_BAD_IP $LOG_OPT -j LOG --log-level 3 --log-prefix "IPT BAD_IP: "
$IPT -A LOG_BAD_IP -j DROP

$IPT -N LOG_SHUN_IP
$IPT -A LOG_SHUN_IP $LOG_OPT -j LOG --log-level 3 --log-prefix "IPT SHUN: "
$IPT -A LOG_SHUN_IP -j DROP

$IPT -N LOG_FLOOD
$IPT -A LOG_FLOOD $LOG_OPT -j LOG --log-level 3 --log-prefix "IPT FLOOD: "
$IPT -A LOG_FLOOD -j DROP

$IPT -N LOG_FLAGS
$IPT -A LOG_FLAGS $LOG_OPT -j LOG --log-level 3 --log-prefix "IPT FLAGS: "
$IPT -A LOG_FLAGS -j DROP

Matches such as -m limit are written before the -j target and its options. The limit gates only the LOG rule; the DROP that follows is unconditional, so packets beyond the log rate are still dropped, just not recorded. Every chain is created with -N before anything jumps to it, so in the finished script these logging chains come before the chains of pages 23 to 31, and those before the INPUT and OUTPUT rules of pages 18 and 20.
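The pieces above, assembled into one file, as an added example that is not code from the book or the slides. Instead of running iptables once per rule with the policies already set to DROP (page 16), it renders the whole filter table in iptables-restore syntax and loads it atomically: the old rules stay in force until the new table is complete, and a syntax error rejects the entire file rather than leaving a half-built firewall. The host address and the peer lists are placeholders (assumptions, drawn from the RFC 5737 documentation ranges); the rule content follows the slides, with the corrected loopback and class E ranges.

```shell
#!/bin/bash
# Added example, not code from the book or the slides: the deck's ruleset
# rendered as one iptables-restore file.  iptables-restore swaps the table in
# atomically, so no packet meets "-P INPUT DROP" before the ACCEPT rules exist,
# and a syntax error rejects the whole file instead of leaving a half-built
# firewall.  Assumed placeholder values: the host address and peer lists below
# (RFC 5737 documentation ranges).
set -eu

IP=${IP:-203.0.113.5}                     # protected host (assumed)
SSH_PEERS=${SSH_PEERS:-198.51.100.10}     # may open SSH to us (assumed)
WWW_PEERS=${WWW_PEERS:-0.0.0.0/0}         # may open HTTP to us (assumed: anyone)
PING_PEERS=${PING_PEERS:-198.51.100.10}   # may ping us and be pinged (assumed)
SHUN_IPS=${SHUN_IPS:-}                    # hostile hosts, empty to start
OUT_SERVICES="21 22 25 43 53 80 443 873"  # ftp ssh smtp whois dns http https rsync
BAD_IPS="0.0.0.0/8 255.255.255.255 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
127.0.0.0/8 224.0.0.0/4 240.0.0.0/4"
LOG_OPT="-m limit --limit 1/second --limit-burst 10"
# Bad TCP flag combinations as MASK:SET pairs, one rule each (the FLAGS slide).
FLAG_RULES="ACK,FIN:FIN ACK,PSH:PSH ACK,URG:URG FIN,RST:FIN,RST SYN,FIN:SYN,FIN
SYN,RST:SYN,RST ALL:ALL ALL:NONE ALL:FIN,PSH,URG ALL:SYN,FIN,PSH,URG
ALL:SYN,RST,ACK,FIN,URG"

# Print the complete filter table in iptables-restore syntax.
render_ruleset() {
    local c ip sip dpt pair tag pfx dev
    echo '*filter'
    echo ':INPUT DROP [0:0]'; echo ':OUTPUT DROP [0:0]'; echo ':FORWARD DROP [0:0]'
    for c in IN_TCP_UDP IN_ICMP OUT_TCP_UDP OUT_ICMP FLOOD FLAGS BAD_IP SHUN_IP \
             LOG_DROP LOG_FLOOD LOG_FLAGS LOG_BAD_IP LOG_SHUN_IP; do
        echo ":$c - [0:0]"
    done
    # Logging chains: rate-limited LOG, then an unconditional DROP.
    for tag in DROP FLOOD FLAGS BAD_IP SHUN_IP; do
        echo "-A LOG_$tag $LOG_OPT -j LOG --log-level 3 --log-prefix \"IPT $tag: \""
        echo "-A LOG_$tag -j DROP"
    done
    for ip in $BAD_IPS;  do echo "-A BAD_IP -s $ip -j LOG_BAD_IP";   echo "-A BAD_IP -d $ip -j LOG_BAD_IP";   done
    for ip in $SHUN_IPS; do echo "-A SHUN_IP -s $ip -j LOG_SHUN_IP"; echo "-A SHUN_IP -d $ip -j LOG_SHUN_IP"; done
    echo "-A FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN"
    echo "-A FLOOD -j LOG_FLOOD"
    for pair in $FLAG_RULES; do
        echo "-A FLAGS -p tcp --tcp-flags ${pair%:*} ${pair#*:} -j LOG_FLAGS"
    done
    # Inbound TCP/UDP: state checks first, then the two published services.
    echo "-A IN_TCP_UDP -m state --state INVALID -j LOG_DROP"
    echo "-A IN_TCP_UDP -p tcp --syn -j FLOOD"
    echo "-A IN_TCP_UDP -p tcp -j FLAGS"
    echo "-A IN_TCP_UDP -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A IN_TCP_UDP -s $IP -j LOG_DROP"             # our own address from outside: spoofed
    for sip in $SSH_PEERS; do echo "-A IN_TCP_UDP -p tcp -s $sip --dport 22 -m state --state NEW -j ACCEPT"; done
    for sip in $WWW_PEERS; do echo "-A IN_TCP_UDP -p tcp -s $sip --dport 80 -m state --state NEW -j ACCEPT"; done
    echo "-A IN_TCP_UDP -p tcp --dport 113 -j REJECT"    # ident: fail fast rather than time out
    # Outbound TCP/UDP: only the listed services may be opened.
    echo "-A OUT_TCP_UDP -p tcp -j FLAGS"
    echo "-A OUT_TCP_UDP ! -s $IP -j LOG_DROP"
    echo "-A OUT_TCP_UDP -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for dpt in $OUT_SERVICES; do echo "-A OUT_TCP_UDP -p tcp --dport $dpt -m state --state NEW -j ACCEPT"; done
    echo "-A OUT_TCP_UDP -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # ICMP: ping only with the listed peers, plus the error messages the policy allows.
    for sip in $PING_PEERS; do
        for c in echo-request echo-reply; do
            echo "-A IN_ICMP -p icmp --icmp-type $c -s $sip -d $IP -j ACCEPT"
            echo "-A OUT_ICMP -p icmp --icmp-type $c -s $IP -d $sip -j ACCEPT"
        done
    done
    for c in destination-unreachable source-quench time-exceeded parameter-problem; do
        echo "-A IN_ICMP -p icmp --icmp-type $c -j ACCEPT"
    done
    for c in destination-unreachable fragmentation-needed source-quench parameter-problem; do
        echo "-A OUT_ICMP -p icmp --icmp-type $c -j ACCEPT"
    done
    # Built-in chains: loopback, address sanity, protocol branch, log the rest.
    for c in INPUT OUTPUT; do
        if [ "$c" = INPUT ]; then pfx=IN; dev="-i lo"; else pfx=OUT; dev="-o lo"; fi
        echo "-A $c $dev -j ACCEPT"
        echo "-A $c -j BAD_IP"; echo "-A $c -j SHUN_IP"
        echo "-A $c ! -p icmp -j ${pfx}_TCP_UDP"; echo "-A $c -p icmp -j ${pfx}_ICMP"
        echo "-A $c -j LOG_DROP"
    done
    echo 'COMMIT'
}

# Rules in a named chain of the rendered set: a self-check before loading.
count_chain() { render_ruleset | grep -c "^-A $1 " || true; }

# Dry run by default: print the file for review.  APPLY=1 loads it (needs
# root and iptables-restore); until then nothing on the host changes.
if [ "${APPLY:-0}" = 1 ]; then
    render_ruleset | iptables-restore
else
    render_ruleset
fi
```

Run it without arguments to read the rendered file, compare `iptables-save` output with it after an `APPLY=1` run, and keep the rendered file as the thing you diff and comment for the assignment. `-m state` is kept to match the slides; on current iptables `-m conntrack --ctstate` is the preferred spelling of the same check.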

Page 33:

Configuring IPTables

– Configure IPTables to run on startup
  chkconfig iptables on
– Disable IPTables at startup
  chkconfig iptables off
– Starting and stopping IPTables
  service iptables start
  service iptables save      # writes the running rules to /etc/sysconfig/iptables, which "start" reloads at boot
  service iptables stop
  service iptables restart

These are the SysV init commands of the Red Hat releases the book covers. On systemd-based releases the same service comes from the iptables-services package and is enabled with systemctl enable iptables. Save only after you have verified the running rules: whatever is saved is what comes back after a reboot.

Page 34:

Assignment

• Using the example in these slides, build a script to install this firewall
• Comment the script
• List the rules (iptables -L -n -v) and comment the listing
• Install the firewall, i.e. run the script
• ftp to an ftp server
• Have someone run nmap against your IP address
• Print and comment the log file
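For the last step, an added example (not from the book or the slides) that summarises the kernel LOG lines the firewall's "IPT ...: " prefixes produce, so an nmap run shows up as one source hitting many ports rather than hundreds of raw lines. The five sample lines are constructed for this example with RFC 5737 addresses; the field layout (SRC= DST= PROTO= SPT= DPT= followed by the flag words) is what the kernel LOG target writes to syslog. Remember that the -m limit on every LOG rule caps the log rate, so counts during a flood are a floor, not a total.

```shell
#!/bin/sh
# Added example, not from the slides: summarise the kernel LOG lines the
# firewall's "IPT ...: " prefixes produce, for the "print and comment the log
# file" step.  The five lines are constructed for this example (RFC 5737
# addresses); the field layout (SRC= DST= PROTO= SPT= DPT= and the flag words
# such as SYN or FIN PSH URG) is what the kernel LOG target writes.
SAMPLE_LOG='Jan 15 10:01:02 host kernel: IPT FLAGS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Jan 15 10:01:02 host kernel: IPT FLAGS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jan 15 10:01:02 host kernel: IPT FLAGS: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jan 15 10:01:03 host kernel: IPT Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 15 10:01:09 host kernel: IPT Drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=40'

# One line per (prefix, source, proto/dport) as "<count> <prefix> <src> <proto>/<dport>",
# most frequent first.  "-" stands in for packets without a port (e.g. ICMP).
summarize_ipt_log() {
    awk '
    /kernel: IPT [A-Za-z_]+: / {
        prefix = $0; sub(/.*kernel: IPT /, "", prefix); sub(/:.*/, "", prefix)
        src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[prefix " " src " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Number of distinct destination ports one source address touched: a quick
# port-scan indicator for the nmap exercise.
ports_per_source() {
    awk -v want="$1" '
    /kernel: IPT [A-Za-z_]+: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == want && dpt != "") seen[dpt] = 1
    }
    END { c = 0; for (p in seen) c++; print c }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ipt_log
echo "ports touched by 198.51.100.7: $(printf '%s\n' "$SAMPLE_LOG" | ports_per_source 198.51.100.7)"
```

On the real host the input is the kernel facility of syslog, typically `grep 'IPT ' /var/log/messages | summarize_ipt_log`; the FLAGS lines with no flag words at all are NULL scans and the FIN PSH URG lines are Xmas scans, which is the commentary the assignment asks for.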