Linux Firewalls. Frank Kuse, AfNOG / 30

Similar documents
Linux. Sirindhorn International Institute of Technology Thammasat University. Linux. Firewalls with iptables. Concepts. Examples

Università Ca Foscari Venezia

iptables and ip6tables An introduction to LINUX firewall


Web Server ( ): FTP, SSH, HTTP, HTTPS, SMTP, POP3, IMAP, POP3S, IMAPS, MySQL (for some local services[qmail/vpopmail])

IPtables and Netfilter

Certification. Securing Networks

Assignment 3 Firewalls

Layered Networking and Port Scanning

Meet the Anti-Nmap: PSAD (EnGarde Secure Linux)

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

A 10 years journey in Linux firewalling Pass the Salt, summer 2018 Lille, France Pablo Neira Ayuso

Stateless Firewall Implementation

PXC loves firewalls (and System Admins loves iptables) Written by Marco Tusa Monday, 18 June :00 - Last Updated Wednesday, 18 July :25

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

I Commands. iping, page 2 iping6, page 4 itraceroute, page 5 itraceroute6 vrf, page 6. itraceroute vrf encap vxlan, page 12

sottotitolo A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

IPv6 NAT. Open Source Days 9th-10th March 2013 Copenhagen, Denmark. Patrick McHardy

Introduction to Firewalls using IPTables

python-iptables Documentation

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

netfilter/iptables/conntrack debugging

Lab Exercise Sheet 2 (Sample Solution)

Quick Note 05. Configuring Port Forwarding to access an IP camera user interface on a TransPort LR54. 7 November 2017

IK2206 Internet Security and Privacy Firewall & IP Tables

Michael Rash DEFCON 12 07/31/2004

How to use IP Tables

Netfilter. Fedora Core 5 setting up firewall for NIS and NFS labs. June 2006

:13 1/10 Traffic counting on the CCGX

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

Linux System Administration, level 2

Formal Analysis of Firewalls

Protec8ng'Host'from'Net'

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

This material is based on work supported by the National Science Foundation under Grant No

Worksheet 8. Linux as a router, packet filtering, traffic shaping

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

The specifications and information in this document are subject to change without notice. Companies, names, and data used

Computer Security Spring Firewalls. Aggelos Kiayias University of Connecticut

Network Interconnection

it isn't impossible to filter most bad traffic at line rate using iptables.

Network Security. Routing and Firewalls. Radboud University, The Netherlands. Spring 2018

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

History Page. Barracuda NextGen Firewall F

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Cisco PCP-PNR Port Usage Information

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Corso di Sicurezza delle Reti e dei Sistemi Software aa 2015/16

Basic Linux Desktop Security. Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer

netfilters connection tracking subsystem

Firewalls. October 13, 2017

Linux Security & Firewall

11 aid sheets., A non-programmable calculator.

Written by Muhammad Kamran Azeem Wednesday, 02 July :48 - Last Updated Saturday, 25 December :45

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Once the VM is started, the VirtualBox OS Manager window can be closed. But our Ubuntu VM is still running.

Article Number: 38 Rating: Unrated Last Updated: Thu, Apr 28, 2016 at 9:49 PM

Firewalling. Alessandro Barenghi. May 19, Dipartimento di Elettronica e Informazione Politecnico di Milano barenghi - at - elet.polimi.

Dual-stack Firewalling with husk

NETWORK CONFIGURATION AND SERVICES. route add default gw /etc/init.d/apache restart

There are separate firewall daemons for for IPv4 and IPv6 and hence there are separate commands which are provided below.

CS Computer and Network Security: Firewalls

This guide provides a quick reference for setting up SIP load balancing using Loadbalancer.org appliances.

Contents. Preventing Brute Force Attacks. The First Method: Basic Protection. Introduction. Prerequisites

Today Dummynet. KauNet Emulation. What is Dummynet? Why Emulation? What can you do with Dummynet? Application/Protocol testing:

Dropping Packets in Ubuntu Linux using tc and iptables

Module 19 : Threats in Network What makes a Network Vulnerable?

Connecting DataCenters with OverLapping Private IP Addresses & Hiding Real Server IP For Security.

Using ping, tracert, and system debugging

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

How to Configure a Remote Management Tunnel for an F-Series Firewall

Packet Capturing with TCPDUMP command in Linux

On Assessing the Impact of Ports Scanning on the Target Infrastructure

Eaton Intelligent Power Manager as a Virtual Appliance Deployment s Guide

Toward an ebpf-based clone of iptables

Network Security Laboratory 23 rd May STATEFUL FIREWALL LAB

Distributed Systems Security

FireHOL Manual. Firewalling with FireHOL. FireHOL Team. Release pre3 Built 28 Oct 2013

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Suricata IDPS and Nftables: The Mixed Mode

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

IP Packet. Deny-everything-by-default-policy

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Network Test and Monitoring Tools

Software Defined Networks and OpenFlow. Courtesy of: AT&T Tech Talks.

FireHOL + FireQOS Reference

Building an IPS solution for inline usage during Red Teaming

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Configuring Firewall Filters (J-Web Procedure)

Ethical Hacking Basics Course

Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Lab 8: Introduction to Pen Testing (HPING)

Firewalls, VPNs, and SSL Tunnels

VPN Connection through Zone based Firewall Router Configuration Example

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Content Gateway v7.x: Frequently Asked Questions

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

CSC 401 Data and Computer Communications Networks

Transcription:

Linux Firewalls Frank Kuse, AfNOG 2017 1 / 30

About this presentation Based on a previous talk by Kevin Chege and Chris Wilson, with thanks! You can access this presentation at: Online: http://afnog.github.io/sse/firewalls/ Local: http://www.ws.afnog.org/afnog2017/sse/firewalls/index.html Github: https://github.com/afnog/sse/blob/master/firewalls/presentation.md Download PDF: http://www.ws.afnog.org/afnog2017/sse/firewalls/presentation.pdf Download Exercises: http://www.ws.afnog.org/afnog2017/sse/firewalls/exercises.pdf 2 / 30

What is a Firewall? 3 / 30

Advanced Firewalls Basic firewalls are packet filters Can't always make a decision based on one packet (examples?) Stateful firewalls (connection table) Application layer (L7) filtering/inspection/ids Redundant firewalls with synchronisation VPNs and SSL "VPNs" 4 / 30

Stateful Firewalls unusual event client/receiver path server/sender path Step 2 of the 3wayhandshake SYN/SYN+ACK (Start) LISTEN/ CLOSED LISTEN CLOSE/ CONNECT/ SYN Step 1 of the 3wayhandshake CLOSE/ 5 / 30

Limitations of Firewalls 6 / 30

Blocking Websites 7 / 30

What do firewalls filter? 8 / 30

Typical features Rulesets (lists of rules, read in order) Rules (IF this THEN that) Match conditions interface, IP address, protocol, port, time, contents Actions accept, drop, reject, jump to another table, return Default policy 9 / 30

iptables/netfilter 10 / 30

Listing current rules We use the iptables command to interact with the firewall (in the kernel): $ sudo apt install iptables $ sudo iptables -L -nv Chain INPUT (policy ACCEPT 119 packets, 30860 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 36 packets, 1980 bytes) pkts bytes target prot opt in out source destination 11 / 30

Your first ruleset Configure your firewall to allow ICMP packets. $ sudo iptables -A INPUT -p icmp -j ACCEPT $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 4 packets, 520 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 What effect will this have? What are the numbers? 12 / 30

Testing rules How can you test it? $ ping -c4 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.058 ms... $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 220 packets, 218K bytes) pkts bytes target prot opt in out source destination 8 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 Why do we see 8 packets against the rule, instead of 4? You can use iptables -L INPUT -nz to Z ero the counters. 13 / 30

Blocking pings Add another rule: $ sudo iptables -A INPUT -p icmp -j DROP $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 12 packets, 1560 bytes) pkts bytes target prot opt in out source destination 8 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 $ ping -c1 127.0.0.1 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.067 ms Is that what you expected? 14 / 30

Rule precedence Insert a DROP rule before the ACCEPT rule with -I : $ sudo iptables -I INPUT -p icmp -j DROP $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 12 packets, 1560 bytes) pkts bytes target prot opt in out source destination 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 10 840 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 15 / 30

Rule precedence testing $ ping -c1 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. ^C --- 127.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms 16 / 30

List rules with indexes Use the iptables -L --line-numbers options: $ sudo iptables -L INPUT -nv --line-numbers Chain INPUT (policy ACCEPT 15 packets, 1315 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 17 / 30

Deleting Rules Delete rule by index: $ sudo iptables -D INPUT 3 Delete rule by target: $ sudo iptables -D INPUT -p icmp -j ACCEPT Check the results: $ sudo iptables -L INPUT -nv --line-numbers Chain INPUT (policy ACCEPT 9 packets, 835 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 18 / 30

Persistent Rules What happens when you reboot? 19 / 30

Persistent Rules What happens when you reboot? The rules that we created are only in the kernel's memory. They will be lost on reboot. How can we make them permanent? Could be as simple as: /sbin/iptables-save > /etc/default/iptables /sbin/iptables-restore < /etc/default/iptables Or install iptables-persistent which automates this a little. 20 / 30

Connection Tracking Every packet is tracked by default (made into a connection). You can see them with conntrack -L : sudo /usr/sbin/conntrack -L tcp 6 431999 ESTABLISHED src=196.200.216.99 dst=196.200.219.140 sport=58516 dport=22 src=196.200.219.140 dst=196.200.216.99 sport=22 dport=58516 [ASSURED] mark=0 use=1 What does this mean? 21 / 30

Connection Tracking sudo /usr/sbin/conntrack -L tcp 6 431999 ESTABLISHED src=196.200.216.99 dst=196.200.219.140 sport=58516 dport=22 src=196.200.219.140 dst=196.200.216.99 sport=22 dport=58516 [ASSURED] mark=0 use=1 ESTABLISHED is the connection state What are valid states? src=196.200.216.99 is the source address of the tracked connection dst=196.200.219.140 is the destination address Which one is the address of this host? Will it always be? sport=58516: source port dport=22: destination port Another set of addresses: what is this? 22 / 30

Connection Tracking How do we use it? iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT You normally want this! Can you see any problems? 23 / 30

Connection Tracking Problems What happens if someone hits your server with this? sudo hping3 --faster --rand-source -p 22 196.200.219.140 --syn Or if you run a server that has thousands of clients? 24 / 30

Connection Tracking Problems Add a rule to block all connection tracking to a particular port: sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK Write your rules so that connection tracking is not needed (allow traffic both ways). You probably want to do this for your DNS server. How? 25 / 30

Connection Tracking Problems Add a rule to block all connection tracking to a particular port: sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK Write your rules so that connection tracking is not needed (allow traffic both ways). You probably want to do this for your DNS server. How? sudo /sbin/iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK 26 / 30

Standard simple rule set This is one of the first things I set up on any new box: iptables -P INPUT ACCEPT iptables -F INPUT iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'Rejected INPUT ' Check that I can access the server without triggering a "Rejected INPUT" message in the logs, and then lock it down: iptables -P INPUT DROP 27 / 30

Exercise Install nmap : sudo apt install nmap Scan your system: sudo nmap -ss pcxx.sse.ws.afnog.org Which ports are open? How would you block them? You will probably lock yourself out of your PC. That is OK, we can fix it :) As long as the changes have NOT been made permanent, we can reboot the system to restore access. 28 / 30

Exercise The correct answer is: iptables -I INPUT 2 -p tcp --dport 22 -j DROP Which prevents new connections, but as long as rule 1 allows ESTABLISHED connections you will not be locked out (unless you lose your connection). The output of iptables -L -nv should look like: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 151 11173 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 29 / 30

FIN Any questions? (yeah, right!) 30 / 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback