Stateless firewalls
Hårek Haugerud, A. Professor & Senior Lecturer, harek.haugerud@hioa.no
Paal Engelstad, Professor, paal.engelstad@hioa.no

3-2 Outline
- Firewall overview: What is it and why do we need it?
- Some typical firewall network topologies
- Linux firewalls
  - Overview
  - iptables
- Firewall design and system policy
- Setting up a stateless personal firewall from scratch

3-3 Network firewall vs. personal firewall
- A network firewall filters traffic going between networks
- A personal/host/local firewall filters traffic between a host and the network
- In both cases, a firewall filters network traffic going over a computer interface
[Figure: a host behind a network firewall; network A and network B separated by a firewall]

3-4 Firewall assumptions
- All traffic between outside and inside should pass through the firewall
  - inside and outside are often defined by different levels of trust
- Only authorized traffic should be allowed to pass
  - authorized traffic is defined by the local security policy
- The firewall itself should ideally be immune to penetration
  - however, any software might have bugs and vulnerabilities
[Figure: "inside" (higher level of trust) and "outside" (lower level of trust) separated by the firewall]

3-5 Different types of firewalls
A firewall can be in the form of a:
- Stateless packet filter (lecture 3, this lecture)
- Stateful packet filter, i.e. with connection tracking (lecture 4)
- Packet filter with NAT functionality (lecture 5)
- Application gateway (ALG, proxy, etc.; not covered in this course)

3-6 Firewall as a packet filter
- Inspects packets as they traverse the firewall
- Checks src-addr, dst-addr, src-port, dst-port, flags, session #
- Performs actions (accept, drop, etc.) based on rules defined by you (e.g. with the iptables command on a Linux system)

3-7 Filtering can be based on:
- Packet header info
  - source IP address
  - destination IP address
  - source port
  - destination port
  - protocol & flags
    - TCP: SYN bit, ACK bit, ... etc.
    - UDP
    - ICMP: icmp-type, flag
- Direction / interfaces
  - Is the datagram leaving or entering the internal network?
  - decisions can be different for different interfaces
- State (stateful firewalls only): NEW, ESTABLISHED, RELATED, INVALID

3-8 filter: IP and UDP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            Length             |           Checksum            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Payload ...

The fields a stateless filter matches on form the 5-tuple: source address, destination address, protocol, source port and destination port.

3-9 filter: IP and TCP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | HLEN  | Reserved  |U|A|P|R|S|F|            Window             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                Options (if any)               |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         Payload ...

Matched by the filter: the 5-tuple (the TCP socket) and the TCP flags (URG, ACK, PSH, RST, SYN, FIN).

3-10 RECAP: TCP flags & 3-way handshake
Client a (port 1338) connects to server b (port 22). Time runs downwards; the three segments are:

    #  Src IP  sport  Dst IP  dport  prot  Seq   Ack   TCP flags
    1  a       1338   b       22     tcp   1200  0     SYN
    2  b       22     a       1338   tcp   4800  1201  SYN+ACK
    3  a       1338   b       22     tcp   1201  4801  ACK (+ data/payload)

3-11 TCP/IP recap: TCP 3-way handshake

    Client                                        Server
    Active open                                   Passive open
      SYN (1200)                -->
                                <--  SYN (4800), ACK (1201)
      ACK (4801)                -->
    Connection established                        Connection established
      ACK, [DATA]              <-->
    Client close
      ACK (4900), FIN (1300)    -->
                                <--  ACK (1301)
                                <--  ACK (1301), FIN (4900)   Server close
      ACK (4901)                -->

3-12 filter: IP and ICMP header (RECAP)

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |     Code      |          Checksum             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |               Type/code-specific header fields                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                ICMP data (type/code-specific format/length) ...

3-13 RECAP: Some ICMP message types
Q: Which types/codes were seen in your traceroute assignment?

    Type   Description
    0      Echo reply
    1-2    Reserved
    3      Destination unreachable
    4      Source quench
    5      Redirect
    8      Echo request
    9      Router advertisement
    10     Router solicitation
    11     Time exceeded
    12     Parameter problem
    13/14  Timestamp request / reply
    15/16  Information request / reply
    17/18  Address mask request / reply
    etc.

Codes for type 3 (Destination unreachable):

    Code  Description
    0     Destination network unreachable
    1     Destination host unreachable
    2     Destination protocol unreachable
    3     Destination port unreachable
    4     Fragmentation required, and DF flag set
    5     Source route failed
    6     Destination network unknown
    7     Destination host unknown
    8     Source host isolated
    9     Network administratively prohibited
    10    Host administratively prohibited
    11    Network unreachable for TOS
    12    Host unreachable for TOS
    13    Communication administratively prohibited
    14    Host precedence violation
    15    Precedence cutoff in effect

Codes for type 11 (Time exceeded):

    Code  Description
    0     TTL expired in transit
    1     Fragment reassembly time exceeded

3-14 Filtering a packet
The usual reaction to a packet is one of:
- Accept it
- Drop it (silently discard it)
- Reject it (discard it and send an ICMP notification back to the sender)
- Log it
- Change header information (e.g. NAT)
Drop or reject? Dropping reveals nothing to a scanner but makes legitimate clients wait for a timeout; rejecting lets your own users fail fast but confirms to an outsider that a host is there and filtering.

3-15 Why would you need a firewall?
- Increased network security
- First line of defense
- Access control (network/transport level)
- Logging

3-16 Firewall basics: What is NOT a firewall?
A firewall is NOT:
- The only thing needed for security
  - it does not solve other aspects of information security (e.g. humans, insiders, misconfiguration)
  - you still have to let traffic in and out
- Something you install and leave
  - you need to manage it for the ever-changing network environment
  - you need to monitor it. Stay on guard!
- 100% safe
  - any software might have bugs and vulnerabilities, and so does any firewall

3-17 Outline (section: Some typical firewall network topologies)

3-18 Firewall/Gateway: For subnets without public services
- Often combined with NAT: several hosts on the LAN can share one public IP address and a single broadband connection to the ISP
- Typical for home/small networks (e.g. no web server or SSH access from the outside)
- Uses a restrictive policy, e.g. no incoming connection requests at all
[Figure: internal private network / LAN (server, clients, customer) connected through the firewall (gateway, NAT?) to the external public network / INTERNET; hackers are drawn on both sides]

3-19 DMZ (De-Militarized Zone): For subnets with public services
- Typical for larger organizations
- The network is split into two zones:
  1. DMZ: contains the servers accessible from the Internet, e.g. web servers
  2. LAN: network with a more restrictive rule set, in case the DMZ servers get compromised
- Different levels of trust between LAN and DMZ, so a firewall is needed in between
Let us look at two different models of a network with a DMZ...

3-20 DMZ: Example I
DMZ = a part of your LAN with other restrictions, e.g. allowing publicly available services (web servers, mail etc.)
[Figure: INTERNET - firewall (gateway) - DMZ (web server, ftp server) - firewall (choke) - internal private network / LAN (server, clients, customer)]

3-21 DMZ: Example II
Often combined with local firewalls on the hosts within the LAN, to protect against other, possibly infected, hosts on the LAN
[Figure: one firewall with separate interfaces (if1, if2) toward the INTERNET, the DMZ (web server, ftp server) and the internal private network / LAN (server, clients, customer)]

3-22 Outline (section: Linux firewalls)

3-23 Firewalls with Linux
- netfilter: the actual firewall; operates in kernel space
- iptables: the configuration tool; operates in user space
Note: iptables is only a tool for managing and setting rules. It won't work without packet filtering (netfilter) support in the kernel.
- Ubuntu: iptables & netfilter are installed by default
- TinyCore: use the ab command to install it
- By default netfilter allows all traffic, so you won't notice its presence until you start using iptables to configure it

3-24 iptables usage

    iptables [-t table] {-A|-D} chain rule-specification
    iptables [-t table] -I chain [rulenum] rule-specification
    iptables [-t table] -R chain rulenum rule-specification
    iptables [-t table] -D chain rulenum
    iptables [-t table] {-L|-F|-Z} [chain] [options]
    iptables [-t table] -N chain
    iptables [-t table] -X [chain]
    iptables [-t table] -P chain target
    iptables [-t table] -E old-chain-name new-chain-name

First, let us consider packet-filtering (firewall) usage. Then we must set table=filter (-t filter), or we can omit it altogether, because filter is the default table: no table specified means that filtering is implied.

3-25 to 3-27 iptables usage for packet filtering

    iptables {-A|-D} chain rule-specification
    iptables -I chain [rulenum] rule-specification
    iptables -R chain rulenum rule-specification
    iptables -D chain rulenum
    iptables {-L|-F|-Z} [chain] [options]
    iptables -N chain
    iptables -X [chain]
    iptables -P chain target
    iptables -E old-chain-name new-chain-name

Let us go through this in detail...

3-28 iptables is simply a Linux command
The command takes different input parameters and switches.

3-29 The iptables command is primarily used to add/remove packet-filtering rules
    rule-specification = [matches...] [target]
    target             = -j targetname
    targetname         = {DROP|REJECT|ACCEPT|LOG}
Simple examples of rule-specifications:
    -i eth0 -j DROP                  Drop packets arriving on the eth0 interface
    -s 128.39.13.6 -p tcp -j ACCEPT  Accept TCP packets with source IP address 128.39.13.6
So what is chain, and what is rulenum...?
3-30 iptables commands to add/remove rules in these lists (chains)
    -A, --append  : Append one or more rules to the end of a chain
    -D, --delete  : Delete a rule from a chain (given by its specification or by rulenum)
    -I, --insert  : Insert a rule into a chain at position rulenum (default rulenum = 1, i.e. the top)
    -R, --replace : Replace the rule at rulenum with another one
    -L, --list    : List the rules in a chain (default = all chains)
    -F, --flush   : Flush (delete all) rules from a chain (default = all chains)
    -Z, --zero    : Zero the packet and byte counters of a chain (default = all chains)

3-31 Example: Append new packet-filtering rules to a chain
    rule-specification = [matches...] [-j {DROP|REJECT|ACCEPT|LOG}]
Simple examples:
    iptables -A OUTPUT -o eth0 -j DROP                 Drop outgoing packets leaving on the eth0 interface
    iptables -A INPUT -s 128.39.13.6 -p tcp -j ACCEPT  Accept incoming TCP packets with source IP address 128.39.13.6

3-32 Rules are organized into numbered lists of rules. These lists are called chains
- Rules are numbered starting at one (i.e. rulenum = 1)
- When appended/inserted, each rule obtains a rule number according to its position in the chain
- A packet is tested against the rules in that order, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides its fate; LOG does not terminate, so the packet continues to the next rule. The position of a rule therefore matters.
- The numbers are displayed by the --list (-L) command, for example:
    iptables -L -v -n --line-numbers

3-33 Default chains for packet filtering: INPUT, OUTPUT, FORWARD
Built-in chains (= non-user-defined chains):
- INPUT chain: these rules apply to all packets destined for the firewall host itself
- OUTPUT chain: applies to all packets originating from the firewall host
- FORWARD chain: applies to all packets passing through the firewall router (next week)
+ user-defined chains with user-defined names

3-34 More on rule-specification (matches)
    [!] -p, --protocol protocol                  The protocol of the packet, e.g. tcp, udp, udplite, icmp, esp, ah, sctp,
                                                 or a numeric value; see /etc/protocols
                                                 (The "!" inverts the test, e.g.: iptables -A INPUT ! -p tcp -j DROP)
    [!] -s, --source, --src address[/mask]       Address is typically a network address with /mask, or a plain IP address
    [!] -d, --destination, --dst address[/mask]  Same syntax as for the -s (source) flag
    [!] --sport port[:port]                      Match on source port (or port range); requires -p tcp or -p udp
    [!] --dport port[:port]                      Match on destination port (or port range); requires -p tcp or -p udp
    [!] -i, --in-interface name                  name = eth0, eth1, lo etc.
    [!] -o, --out-interface name                 name = eth0, eth1, lo etc.
    -m, --match match                            Use an extension module to test for a specific property

3-35 Examples: Manipulating rules in chains
    iptables -F          flush (delete) all rules in all chains (INPUT, OUTPUT, FORWARD)
    iptables -F OUTPUT   flush (delete) all rules in the OUTPUT chain
    iptables -D INPUT 3  delete rule number 3 in the INPUT chain
    iptables -L FORWARD  list all rules in the FORWARD chain
    iptables -L          list all rules in all chains

3-36 Manipulating the chains
    -N, --new-chain    : Create a new user-defined chain with the given name
    -X, --delete-chain : Delete a user-defined chain (must be empty, i.e. rules flushed). Default = all user-defined chains
    -P, --policy       : Set the policy for a built-in chain (no policy can be set for user-defined chains)
    -E, --rename-chain : Rename a user-defined chain

3-37 Example: Setting the policy
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT
    iptables --policy FORWARD ACCEPT
OR:
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
The policy specifies what will happen (e.g. DROP or ACCEPT) to packets that do not match any rule in a built-in chain. In iptables -P chain target, the target part refers to e.g. DROP or ACCEPT. More about targets later.

3-38/3-39 Personal firewall (one interface)
[Figure: OS kernel (TCP/IP stack) with the filter chains OUTPUT and INPUT between the local processes/applications (e.g. Apache, ssh, ...) and the NIC eth0; a packet that matches no rule is dropped by the chain policy]
- All outgoing packets are filtered by the rules in the OUTPUT chain
- All incoming packets are filtered by the rules in the INPUT chain

3-40 Troubleshooting using tcpdump
[Figure: as above, with tcpdump's capture points marked right at the NIC]
- tcpdump captures outgoing packets just before they go to the NIC (i.e. after filtering etc.)
- tcpdump captures incoming packets just after they come from the NIC (i.e. before filtering etc.)
So an incoming packet that shows up in tcpdump but never reaches the application is being dropped in the INPUT chain; compare the per-rule packet counters from iptables -L -v -n to see by which rule or by the policy. An outgoing packet that never shows up in tcpdump was dropped in OUTPUT.

3-41/3-42 Personal firewall with loopback interface
[Figure: as above, with the loopback interface (lo) drawn next to eth0]
- Also including the loopback interface: a packet from one local process to another passes first through OUTPUT and then through INPUT
- Drawing it a little more conveniently (of course, lo is not a part of netfilter)

3-43 Example: Accepting loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

3-44 Network firewall (router): Left to right
[Figure: packets arriving on eth0 pass a routing decision; those for the host itself go through INPUT to the local processes, the rest go through FORWARD and out on eth1]
- All packets passing through are filtered by the rules in the FORWARD chain
- Routing decision:
  - dest. IP = local IP: send to INPUT
  - dest. IP != local IP: send to FORWARD

3-45 Network firewall (router): Both ways
[Figure: as above, with a routing decision on both eth0 and eth1, so FORWARD sees traffic in both directions]

3-46 iptables is used to configure netfilter
[Figure: the iptables command in user space configures the filter chains (INPUT, OUTPUT, FORWARD) inside the kernel]

3-47 Outline (section: Firewall design and system policy)
3-48 Firewall design
A word of caution / disclaimer:
- There are almost as many opinions about network administration as there are network administrators. Things are done differently almost everywhere.
- Often decisions regarding infrastructure and equipment are already taken. Then you have to customize and make the best out of what you've got.
- The following section is an approach to gaining insight into the traffic flow of a network. It is not meant as an exhaustive treatment of the topic.
- We will concentrate on traffic shaping and filtering, since that is central in this course. Other courses cover this topic from their point of view.

3-49 System policy
Constitutes a detailed plan. A clear policy avoids misunderstandings when:
- several people are working on the firewall / network
- others need to understand it
Defining the system policy:
1. Define hosts, servers and services
2. Define privileges
3. Translate services into port numbers
4. Draw cases
5. Set up the firewalls
6. Install and configure surveillance tools
7. Test, test, test
8. Re-evaluate earlier decisions

3-51 Defining hosts, servers and services
- What services should the network offer to the Internet? The most usual here are HTTP, FTP and SMTP, to name some. In addition come special systems used by the organization which communicate with external nodes.
- Some services should also run on the intranet, like a local DNS server, NFS, NetBIOS, databases and so on.
- Finally, what services should the hosts on your network be allowed to access on the Internet? Some would restrict these to a bare minimum; others would allow everything out.
- An important point in the specification is how well the different solutions will scale or can be reconfigured. This is actually quite important for all the following steps too. You should always think about the future.

3-52 Defining hosts, servers and services (example)
Hosts and servers:
    Class "Internet"     = all non-local machines
    Class "Webserver"    = our local web server (192.168.1.2)
    Class "Workstations" = workstations (192.168.1.16/29)
    Class "Nameserver"   = our local name server (192.168.1.3)
    Class "Mailserver"   = our local mail server (192.168.1.4)
Services:
    Class "WWW"  = http, https
    Class "DNS"  = dns
    Class "SSH"  = ssh
    Class "MAIL" = pop3, smtp

3-54 Defining privileges
- Not all machines on your network are entitled to use all services offered in your network. Perhaps the web server is the only one with access to the database, or mail can only be sent from the workstations.
- These privileges can be displayed in a table. In the following example we use the term "Internet" for all machines except the ones on our network. Granting WWW to the Internet does not include WWW to local machines. It can be useful to define such classes for simplicity.
3-55 Defining privileges (example)
Such a listing is useful regardless of what filtering technology you choose to use later on. The principles of filtering are always the same.

    Host          Service  Server
    Workstations  WWW      Internet
    Workstations  WWW      Webserver
    Workstations  SSH      Webserver
    Workstations  SSH      Nameserver
    Workstations  DNS      Nameserver
    Workstations  MAIL     Mailserver
    Webserver     DNS      Nameserver
    Nameserver    DNS      Internet
    Mailserver    DNS      Nameserver
    Mailserver    MAIL     Internet

3-57 Translate services into port numbers
- For every service to allow (SSH, WWW, FTP ...), identify ports and protocol in order to define your rule set: iptables does not know anything about web surfing, but it can identify TCP packets heading for port 80.
- Some services are a bit tricky, e.g.:
  - FTP works with several ports
  - non-standard applications (gaming, chat) that use undocumented ports: use network analysis to figure it out
- You should finally have a list of ports which should be open on every host. This will make it easier for you when you construct the actual rule set.
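The three design steps above (classes of hosts, a privilege table, services translated into ports) are mechanical enough to script. The following is an added example, not part of the lecture material: it takes the privilege table from the slide as constructed input, maps the host classes to the addresses from the "hosts, servers and services" example and the service classes to protocol/port pairs, and emits one stateless rule pair (request and reply) per port. The LAN prefix 192.168.1.0/24, DNS also on TCP/53, and the target chain (FORWARD, for a gateway or choke that actually sees the traffic; the chain is a parameter) are assumptions. The reply rule for TCP is limited to non-SYN segments, so that granting a service never also grants the server the right to open connections back to the client.

```shell
#!/bin/sh
# Translate a privilege table (host, service, server) into stateless iptables
# rule pairs. Added example, not the lecture's own code. Class-to-address and
# service-to-port maps follow the example slides; the LAN prefix, TCP/53 for
# DNS and the target chain are assumptions.
LAN=192.168.1.0/24
CHAIN=${CHAIN:-FORWARD}       # chain on the gateway/choke that sees the traffic
UNPRIV=1024:65535             # unprivileged (client) port range

# Host/server class -> address match. $1 is the flag (-s or -d); "Internet"
# means every non-local address, expressed as a negated LAN match.
match_of() {
    case "$2" in
        Internet)     echo "! $1 $LAN" ;;
        Webserver)    echo "$1 192.168.1.2" ;;
        Nameserver)   echo "$1 192.168.1.3" ;;
        Mailserver)   echo "$1 192.168.1.4" ;;
        Workstations) echo "$1 192.168.1.16/29" ;;
        *) echo "unknown class: $2" >&2; return 1 ;;
    esac
}

# Service class -> list of protocol/port pairs
ports_of() {
    case "$1" in
        WWW)  echo "tcp/80 tcp/443" ;;
        DNS)  echo "udp/53 tcp/53" ;;
        SSH)  echo "tcp/22" ;;
        MAIL) echo "tcp/25 tcp/110" ;;
        *) echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# One table row -> request rule plus reply rule for every port of the service.
# Without connection tracking the reply needs its own rule; for TCP it is
# limited to non-SYN segments so it cannot be used to open connections toward
# the client.
rules_for() { # host service server
    src=$(match_of -s "$1") || return 1
    dst=$(match_of -d "$3") || return 1
    pl=$(ports_of "$2") || return 1
    rsrc=$(match_of -s "$3")
    rdst=$(match_of -d "$1")
    for pp in $pl; do
        proto=${pp%/*}; port=${pp#*/}
        printf 'iptables -A %s %s %s -p %s --sport %s --dport %s -j ACCEPT\n' \
            "$CHAIN" "$src" "$dst" "$proto" "$UNPRIV" "$port"
        syn=''
        [ "$proto" = tcp ] && syn=' ! --syn'
        printf 'iptables -A %s %s %s -p %s --sport %s --dport %s%s -j ACCEPT\n' \
            "$CHAIN" "$rsrc" "$rdst" "$proto" "$port" "$UNPRIV" "$syn"
    done
}

# Read "host service server" lines on stdin; blank lines and # comments skipped
policy_to_rules() {
    while read -r host svc server; do
        case "$host" in ''|'#'*) continue ;; esac
        rules_for "$host" "$svc" "$server" || return 1
    done
}

# Constructed input: the privilege table from the slide
POLICY='# host         service  server
Workstations   WWW      Internet
Workstations   WWW      Webserver
Workstations   SSH      Webserver
Workstations   SSH      Nameserver
Workstations   DNS      Nameserver
Workstations   MAIL     Mailserver
Webserver      DNS      Nameserver
Nameserver     DNS      Internet
Mailserver     DNS      Nameserver
Mailserver     MAIL     Internet'

printf '%s\n' "$POLICY" | policy_to_rules
```

Running it prints 36 rules (two per protocol/port per row). Because the output is plain iptables command lines, it can be reviewed against the table before being applied, which is the point of doing the translation once, explicitly, instead of writing rules by hand.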
3-59 Drawing cases
- The table with the privileges did not take into account the route those connections actually take through your network. Which route they choose outside your domain is not in your hands.
- For monitoring later on, it can be useful to draw some cases which display actual traffic. These cases do not have to follow a special standard. The aim is to draw something that shows you what to expect where. It also shows which firewall is responsible for what.

3-60 Drawing cases (example)
[Figure: example case drawing]

3-62 Setting up the firewall
The next task is to actually configure the firewalls. If you are already familiar with the filtering technology you wish to use and have done solid groundwork in the previous steps, this should be straightforward.
3-64 Re-evaluating rules
- All system policies change over time. Changes in infrastructure and upgrades will probably require adjustments in your configurations.
- How well does your system adapt to these changes? Do your solutions scale to more hosts on your network?

3-65 Outline (section: Setting up a stateless personal firewall from scratch)

3-66 Setting up a stateless personal firewall from scratch
Assumptions/prerequisites:
- A Linux system with one network interface
- The running kernel has netfilter support
See how the rules change as you add new rules. It is very useful to learn some tricks early on. This line shows a nice way to watch your current rules and which way the packets go:
    watch -n 2 iptables -L -v -n --line-numbers
    watch -n <seconds>: rerun the command every <seconds> seconds
    iptables -L <listing options>: -v = verbose (shows packet/byte counters per rule), -n = numeric IP addresses/ports (no DNS lookups)
This command monitors the rules and additionally shows what packets go where in the different chains.
- Write all iptables commands to a script
- Run the script

3-67 Steps for stateless firewall setup
Steps (simplified) in your script:
1. Define symbolic constants
2. Flush any pre-existing rules
3. Allow loopback traffic
4. Set the policy on the chains: DROP
5. Allow in and out rules for selected services: DNS, mail (SMTP, IMAP), WWW (http), SSH etc.
3-68 Define symbolic constants
Example: the IP address of the network interface is stored in the variable $MY_IP:
    MY_IP=192.168.10.10

3-69 Flush any pre-existing rules
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
If there are any user-defined chains as well, they should be removed too. Flush first: --delete-chain (-X) only removes empty chains.
    iptables --delete-chain
    iptables -t nat --delete-chain
    iptables -t mangle --delete-chain

3-70 Allow loopback traffic
The loopback device must not be filtered, since it is for private use, and some software systems depend on it for their functioning.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

3-71 Set policy on chains: DROP
The default policy for a chain says what will happen with packets that don't match any rule. Setting the policy to ACCEPT means that you have to sort out single-handedly every type of traffic you want to drop. Setting it to DROP is a more secure approach.
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP
Leave nat and mangle without such a DROP policy! All filtering is done in the filter table.
Caveat: if you run the script over SSH, every packet of your session is dropped from this point until the SSH rules have been appended, so make sure the script runs to completion (and keep console access at hand in case it does not).

3-72 Allowing in/out rules for selected services
Examples:
Allowing ssh in:
    iptables -A INPUT -p tcp --sport 1024:65535 --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 --dport 1024:65535 -j ACCEPT
If you want to allow ssh in, you also need to allow the reply packets out. Note that a stateless filter cannot tell a reply from a new connection: the OUTPUT rule above also lets a local process open a connection from source port 22 to any unprivileged port, and the mirror image of it on INPUT (for a client-side service) would let anyone reach your unprivileged ports simply by choosing source port 22. Restricting the reply rules to segments that are not connection requests (! --syn, i.e. not SYN-without-ACK) closes that hole.
Allowing DNS out:
    iptables -A OUTPUT -o eth0 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 1024:65535 --sport 53 -j ACCEPT
For DNS, we have specified the interface explicitly. This is useful when the host has more than one interface.
3-75 Filtering malformed packets
- Until now we have focused on the rules regarding correct packets. But attacks and scans often rely on malformed packets.
- A firewall script usually has a set of rules at the beginning that takes care of everything that is not according to protocol, e.g. source addresses that cannot legitimately arrive on the interface (your own address, loopback addresses) and TCP flag combinations no real stack sends (SYN+FIN, SYN+RST, no flags at all).
- An extensive list can be found in Ziegler: Linux Firewalls.

3-76 Summary: stateless firewall setup
Steps (simplified) in your script:
1. Define symbolic constants
2. Flush any pre-existing rules
3. Accept loopback traffic
4. Set the policy on the chains: DROP
5. Drop malformed packets (bad addresses, common unprivileged ports, bad flags ...)
6. Accept in and out traffic for selected services: DNS, mail (smtp, imap), WWW (http), SSH etc.
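The steps of the summary above, carried through as one script. This is an added example and not the lecture's own firewall script. It runs as a dry run by default, printing the iptables commands it would execute (the IPT variable is "echo iptables"), so it can be read and checked without root; with FW_APPLY=1 it runs the real commands. The interface eth0, the address 192.168.10.10, the resolver 192.168.10.1, the chain name BAD_TCP and the service list (SSH in; DNS, WWW, SMTP and IMAP out) are assumptions. It goes slightly beyond the slides in three places: the malformed-packet rules live in a user-defined chain (showing -N, -F, -X and -j to a user chain in one place), the reply rules carry ! --syn for the reason given under 3-72, and a rate-limited LOG rule at the end of INPUT and OUTPUT records what the DROP policy is about to discard.

```shell
#!/bin/sh
# Stateless personal firewall for a one-interface Linux host, following the
# steps in the lecture summary. Added example, not the lecture's own script.
# Dry run by default: the iptables commands are printed, not executed.
# Run as root with FW_APPLY=1 to apply them.
IPT="echo iptables"
if [ "${FW_APPLY:-0}" = 1 ]; then IPT=iptables; fi

# 1. Symbolic constants (assumed values; adjust to your host)
IFACE=eth0
MY_IP=192.168.10.10
NAMESERVER=192.168.10.1       # assumed resolver address
UNPRIV=1024:65535             # unprivileged (client) port range

firewall_rules() {
    # 2. Flush pre-existing rules, then delete user-defined chains (-X only
    #    works on empty chains, so the order matters) in all three tables
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done

    # 3. Never filter loopback
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 4. Default policy DROP on the filter chains only (nat/mangle keep ACCEPT).
    #    From here on nothing passes until an ACCEPT rule below is added.
    $IPT -P INPUT   DROP
    $IPT -P OUTPUT  DROP
    $IPT -P FORWARD DROP

    # 5. Malformed/spoofed packets come first. BAD_TCP is a user-defined chain
    #    holding flag combinations no real TCP stack sends; INPUT jumps to it.
    $IPT -N BAD_TCP
    $IPT -A BAD_TCP -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A BAD_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A BAD_TCP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -i $IFACE -s $MY_IP -j DROP        # our own address from the wire
    $IPT -A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP   # loopback addresses from the wire
    $IPT -A INPUT -i $IFACE -p tcp -j BAD_TCP

    # 6. Services. Without connection tracking every flow needs a rule in each
    #    direction. "! --syn" on the reply side accepts only segments that are
    #    not connection requests, so a reply rule cannot be abused to open new
    #    connections in the reverse direction.
    # SSH in (this host is the server)
    $IPT -A INPUT  -i $IFACE -p tcp --sport $UNPRIV --dport 22 -j ACCEPT
    $IPT -A OUTPUT -o $IFACE -p tcp --sport 22 --dport $UNPRIV ! --syn -j ACCEPT
    # DNS out, only to our resolver
    $IPT -A OUTPUT -o $IFACE -p udp -d $NAMESERVER --sport $UNPRIV --dport 53 -j ACCEPT
    $IPT -A INPUT  -i $IFACE -p udp -s $NAMESERVER --sport 53 --dport $UNPRIV -j ACCEPT
    # WWW (http, https) and mail (smtp, imap) out: this host is the client
    for port in 80 443 25 143; do
        $IPT -A OUTPUT -o $IFACE -p tcp --sport $UNPRIV --dport $port -j ACCEPT
        $IPT -A INPUT  -i $IFACE -p tcp --sport $port --dport $UNPRIV ! --syn -j ACCEPT
    done

    # 7. Log what falls through (rate limited so a scan cannot fill the log);
    #    the chain policy then drops it
    $IPT -A INPUT  -m limit --limit 5/minute -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-out-drop: "
}

firewall_rules
```

Run it once without FW_APPLY and read the output next to the policy you wrote down; then apply it from a console rather than over the network the first time, and watch the counters with watch -n 2 iptables -L -v -n --line-numbers while you generate the traffic each rule is supposed to match.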