Linux System Administration, level 2

Size: px

Start display at page:

Download "Linux System Administration, level 2"

Melinda Gibson
6 years ago
Views:

1 Linux System Administration, level 2 IP Tables: the Linux firewall 2004 Ken Barber Some Rights Reserved This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

2 TCP fundamentals TCP is a connection-oriented protocol Packets have flags and sequence numbers (like a serial number) in addition to port number Connections are tracked by sequence number Connections are intiated, maintained and torn down with the flags

3 TCP flags syn Requests a new connection ack Replies to a previous packet fin Asks nicely to tear down a connection rst Resets (abruptly ends) a connection equivalent to slamming down the phone There are others but these are the ones we're mostly concerned with in firewalling

4 The TCP 3-way handshake First host sends packet to 2 nd host's IP address with SYN flag set and an Initial Sequence Number picked at random Second host sends packet to 1 st host's IP address with ACK flag set, a reference to 1 st host's ISN, and an ISN of its own First host sends packet to 2 nd host with SYN and ACK flags set, referencing 2 nd host's ISN

5 TCP data flow SYN SYN-ACK PSH ACK ACK FIN FIN-ACK

6 What a firewall does Examines each packet against a chain of rules If it matches a rule, some action is taken If no rules match, a default action is taken

7 How Linux does it: iptables Included in kernel 2.4 and above Kernel 2.2 had ipchains (no stateful firewalling) Filters packets on OSI layers 2, 3 and 4 only Port numbers, tcp flags, icmp types, etc. (layer 4) IP addresses and some routing protos (layer 3) MAC addresses (layer 2) NO content filtering that is Layer 7

8 Chains of rules A rule is a set of properties for a packet... Such as a port number and/or IP address, etc....and an action (such as accept or drop ). A sequence of rules is a chain Each packet is compared to each rule, in sequence, until it matches a rule's criteria If a packet reaches the end of the chain without matching any rule, that chain's default action is taken

9 Chains and Tables Chains are organized into 3 tables: filter the main table. Filters packets. nat for doing Network Address Translation mangle for serious packet alteration (rarely used) The filter table has 3 default chains: INPUT for packets entering an interface OUTPUT for packets leaving an interface FORWARD for packets being routed

10 The Big Picture

11 Rule structure To add a rule to the filter table: # iptables -A chain criteria -j target -A: Add a rule (see next slide for the other commands) chain: name of the chain getting the new rule criteria: packet attributes we're looking for (IP address, port#, whatever) target: Action to take if a packet matches this rule

12 Common iptables commands -A chain Add this rule to the named chain -P chain Set this chain's default policy -N chain Create a new chain -L -v List the rules in all chains -F Flush all rules in all chains -t table Add this rule to the named table All rules are added to the filter table by default

13 Packet filtering criteria -p layer4protocol e.g. tcp, udp, icmp (or any protocol listed in /etc/protocols) -s source-ipaddress netmask optional -d dest-ipaddress netmask optional -i interface matches all incoming packets on the specified interface -o interface matches all outgoing packets on the specified interface

14 Extensions to matching criteria Note that these are highly protocol-dependent --sport port-number-or-name --dport port-number-or-name --state state possible states are: NEW, ESTABLISHED, RELATED, INVALID This is what gives us stateful firewalling Many more see man page

15 Targets (actions) Preceded by -j (for jump ) Possible values: ACCEPT the packet is allowed through DROP the packet is discarded The name of another chain Two others seldom used (see man page) RETURN QUEUE

16 A simple firewall rule A rule to allow incoming Web requests: # iptables -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT append this rule to the input chain -p tcp only match tcp packets --dport 80 only match packets with destination port 80 -j ACCEPT allow the packet in

17 Another sample rule # iptables -A INPUT -i eth0 -m state --state \ ESTABLISHED,RELATED -j ACCEPT -A INPUT Append this rule to the INPUT chain -i eth0 Only match incoming packets on eth0 -m state --state ESTABLISHED,RELATED Match only packets with a state of established (part of an already established connection) or related (related in some way to an outgoing packet) -j ACCEPT Accept the packet and exit the chain

18 Extensions to the targets (actions) LOG Log the packet REJECT Send an ICMP error to the originator A few others, infrequently used. There are a few options available for each of these (such as which icmp code to send on a reject); see the man page

19 Saving & loading rules In Redhat distros, use service iptables save Saves in /etc/sysconfig/iptables Automatically loads on restart Other distros, use iptables-save and iptables-restore Saves/restores to/from stdin/stdout; you must redirect these commands to/from a file Won't automatically load; must specify in script

20 Security considerations ALWAYS: Set deny all as default policy: # iptables -P INPUT DROP Read your firewall logs. Every day. Ensure your firewall script is writeable only by root. NEVER: Allow network interfaces up before the firewall is running

21 Caveats Firewalls ONLY filter packets (layer 3-4); they do not protect against malware (layer 7) Use Proxy Servers to filter content A firewall is like a lock on your front door essential to security, but not enough by itself There are plenty of ways around a locked door, or a firewall For instance... windows

22 Even more security considerations Consider filtering outgoing packets: Protect the world from internal virii/trojans Kill 'doze filesharing (ports ) Consider whether to respond to bad packets ANY response is information to a 'hacker' However, you might have a legitimate need to respond for instance, troubleshooting connection problems

23 Conclusion Resources: Redhat Reference Guide, chapter 17 Dave Ranch's website The SANS Institute (sans.org) The Bastille Project (bastille-linux.org)

Certification. Securing Networks

Certification. Securing Networks Certification Securing Networks UNIT 9 Securing Networks 1 Objectives Explain packet filtering architecture Explain primary filtering command syntax Explain Network Address Translation Provide examples