100 likes | 215 Views
COM342 Networks and Data Communications. Lecture 10: Security; Firewalls. Ian McCrum Room 5B18 Tel: 90 366364 voice mail on 6 th ring Email: IJ.McCrum@Ulster.ac.uk Web site: http://www.eej.ulst.ac.uk. Routers. Connecting two Local Area Networks together.
E N D
COM342Networks and Data Communications Lecture 10: Security; Firewalls Ian McCrum Room 5B18 Tel: 90 366364 voice mail on 6th ring Email: IJ.McCrum@Ulster.ac.uk Web site: http://www.eej.ulst.ac.uk www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Routers • Connecting two Local Area Networks together. • Connecting a Local Area Network to the internet, e.g via an ADSL modem, A Cable modem or a slow dialup modem. • Connecting a LAN to a coporate network, e,g within a building. • Other uses; Masquerading to allow a number or private IP numbered machines to use the net, pretending to have an IP number that is allowed to traverse the internet • Restrict certain traffic while routing other traffic; useful for security…. Firewall (see also bastion hosts and DMZ ) • As well as restricting traffic we can reform packets to provide security. Either a ip/port to ip/port connection that is encrypted or a complete IP <-> IP connection that is encrypted. (see SSH tunnels and VPNs ( also CIPE, IPsec and others…) www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Firewalls (Linux Iptables software) • We have seen how TCP/IP ( “internet”) data transport across the network involves • An IP number (or a name that gets converted into a number) • A port number (e.g port 80 for outgoing web pages) • The packet type, TCP or UDP. • To block unwanted traffic, we must specify what gets through the firewall and what doesn’t • Each installation varies; We might allow all outgoing traffic but block all incoming traffic. This won’t work since some of it may be in response to an outgoing request. www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
The Netfilter software ( “Iptables) • The way that the linux netfilter software operates is to have the following… • Rules; decisions are based on rules that we create. A rule specifies the criteria necessary for a packet to match it. • Targets; this is usually ACCEPT, DROP or REJECT • Chains; Rules are grouped into chains which in turn are in… • Tables; three default tables are INPUT, OUTPUT and FORWARD (two others are NAT and MANGLE) • States; used for stateful packet filtering… subtle but useful, you can create rules based on whether a packet exists in any of the following states; NEW, ESTABLISHED, RELATED and INVALID. www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Creating and Storing Rules • Rules can be appended to the chains with –A option. Also available are –I to insert, -R to replace, there is also a –D to delete a rule. • $iptables –A INPUT –s0/0 –d 193.61.142.121 –m state - -state NEW –p tcp –dport 80 –i eth0 –j ACCEPT • The rule above allows any source IP to access your port 80, so anyone can access the webserver running at .121 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Complete example ( no forwarding) *filter # The default targets for the three chains are set INPUT DROP [0:0] FORWARD DROP [0:0] OUTPUT DROP [0:0] # need to allow “loopback” to work -A INPUT –i lo –j ACCEPT # need to drop invalid conenctions -A INPUT –m state - -state INVALID –j DROP -A OUTPUT –m state - -state INVALID –j DROP -A FORWARD –m state - -state INVALID –j DROP # allow all established and related connections that come in to me -A INPUT –m state - -state ESTABLISHED,RELATED –j ACCEPT COMMIT www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Another Complete Example *filter # The default targets for the three chains are set INPUT DROP [0:0] FORWARD DROP [0:0] OUTPUT DROP [0:0] # need to allow “loopback” to work -A INPUT –i lo –j ACCEPT # need to drop invalid conenctions -A INPUT –m state - -state INVALID –j DROP -A OUTPUT –m state - -state INVALID –j DROP -A FORWARD –m state - -state INVALID –j DROP # allow all established and related connections that come in to me -A INPUT –m state - -state ESTABLISHED,RELATED –j ACCEPT -A OUTPUT –m state - -state ESTABLISHED,RELATED –j ACCEPT -A FORWARD –m state - -state ESTABLISHED,RELATED –j ACCEPT #allow connections to my ISPs DNS server(s) both for me outporting and my forwarding LAN stuff -A OUTPUT –d 193.61.128.3 –m state - -state NEW –p udp - -dport 53 –o eth0 –j ACCEPT -A FORWARD –d 193.61.128.3 –m state - -state NEW –p udp - -dport 53 –o eth0 –j ACCEPT #allow outgoing connections to webservers, my users can surf the world… …. Continued on the next slide www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
…. Continued # allow all established and related connections that come in to me -A INPUT –m state - -state ESTABLISHED,RELATED –j ACCEPT -A OUTPUT –m state - -state ESTABLISHED,RELATED –j ACCEPT -A FORWARD –m state - -state ESTABLISHED,RELATED –j ACCEPT # Allow connections to my ISPs DNS server(s) both for me outporting and my forwarding LAN stuff -A OUTPUT –d 193.61.128.3 –m state - -state NEW –p udp - -dport 53 –o eth0 –j ACCEPT -A FORWARD –d 193.61.128.3 –m state - -state NEW –p udp - -dport 53 –o eth0 –j ACCEPT # Allow outgoing connections to webservers, my users can surf the world… -A OUTPUT –d 0/0 –m state - -state NEW –p tcp –m multiport - -dport http,https –o eth0 –j ACCEPT -A FORWARD –d 0/0 –m state - -state NEW –p tcp –m multiport - -dport http,https –o eth0 –j ACCEPT # Actually safer to add a –s option above to explicitly only enable source ip numbers as well (with –s 192.168.0.3 etc) # this means repeating the line above, once for each IP source allowed to surf. # Allow outgoing mail to my ISPs SMTP and POP2 server only -A OUTPUT –d mail.my-isp.com –m state - -state NEW –p tcp –m multiport - -dport smtp,pop3 –o eth0 –j ACCEPT -A FORWARD –d mail.my-isp.com –m state - -state NEW –p tcp –m multiport - -dport smtp,pop3 –o eth0 –j ACCEPT # Log all other attempted outgoing connections, use this if you aren’t sure of what ports to allow… -A OUTPUT –o eth0 –j LOG -A FORWARD –j LOG # default is to DROP outgoing connections so we should see this in the logs COMMIT *nat # Set up IP forwarding and NAT -A POSTROUTING –o eth0 –j SNAT - -to 192.168.0.1 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
More on NAT and FORWARDING # for static IP numbers you can use the line below -A POSTROUTING –o eth0 –j SNAT - -to 192.168.0.1 # for dynamic IP numbers use the line below instead -A POSTROUTING –o eth0 –j MASQUERADE # this is a special case, the source IP is changed to the IP of the outgoing interface (eth0) # this works with static as well, but the netfilter advice is to use the first version for static Ips. # For ethernet (wired) networks that is ok, cards drivers are inserted into the kernel with # insmod or modprobe if needed (95% of cards autoinsert ok) # ifconfig sets IP numbers/netmasks for each card, the route command tells where gateways are # for wireless cards you use iwconfig to set the ESSID and MODE (ad-hoc or managed) # The above slides allow any internal LAN machine to get out as required. To get outside traffic # to end up at a specific machine is a bit trickier. E.g if we run a web server on a PC, port 80. # port forwarding allows incoming traffic (port 80) on the firewall to be passed on to a internal PC # two types of NAT exist, source and destination (SNAT/DNAT). Each incoming port can only be # forwarded once so you cannot run two webservers at once, unless you use different ports *nat -A POSTROUTING –o eth0 –j SNAT - -to 193.61.142.120 -A PREROUTING –i eth0 –p tcp –d 193.61.142.120 - -dport 80 –j DNAT - -to 192.168.0.3:80 COMMIT www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt
Miscellaneous # Pings can be useful, to enable these -A INPUT -p icmp - -icmp-type echo-request –j ACCEPT # it might be a good idea to limit pings to certain machines only ( -s option) OTHER THINGS… We have not looked at The MANGLE table for altering packets The string module, allows rule matching based on strings anywhere in the data payload Time based rules Quote and bandwidth limits Tarpits ( catch and hold potential hacker packets, use up their resources and not your own) MORE INFORMATION These slides taken from a document “Firewalling with netfilter/iptables by Barry O’Donovan From UCD, Barry is a member of the Irish Linux Users Group. See also http://www.netfilter.org Google for “IPTABLES TUTORIALS” Read the “HOWTO” documents held at http://www.tldp.org (tldp stands for “The Linux Documentation Project”) www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt