packet filtering n.
Skip this Video
Loading SlideShow in 5 Seconds..
Packet Filtering PowerPoint Presentation
Download Presentation
Packet Filtering

Loading in 2 Seconds...

play fullscreen
1 / 25

Packet Filtering - PowerPoint PPT Presentation

  • Uploaded on

Packet Filtering. CS-480b Dick Steflik. Stateless Packet Filters. A border router configured to pass or reject packets based on information in the header of each individual packet can theoretically be configured to pass/reject based on any field but usually done based on: protocol type

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Packet Filtering' - max

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
packet filtering

Packet Filtering


Dick Steflik

stateless packet filters
Stateless Packet Filters
  • A border router configured to pass or reject packets based on information in the header of each individual packet
    • can theoretically be configured to pass/reject based on any field
      • but usually done based on:
        • protocol type
        • IP address
        • TCP/UDP port
        • Fragment number
        • Source routing information
protocol filtering
Protocol Filtering
  • Filtering based on the IP protocol field allows rejecting of entire protocol suites
    • UDP
    • TCP
    • ICMP
    • IGMP
  • This is almost too general
    • ex suppose you block UDP then any TCP based application won’t be able to convert host/domain to IP address
  • so it is seldom used.
ip address filtering
IP Address Filtering
  • Pass/reject packets based on membership in a set of acceptable IP addresses
  • Usually not used to block specific hosts
    • oscar is frequently blocked so corporate users can use AIM
    • same for some disk backup services
  • Usually block source routed packets
    • big security hole (explained later)
  • If a hacker knows an address that the filter will pass they can easily forge a packet that will pass through the filter
port filtering
Port Filtering
  • Most commonly used filtering method
  • can also be thought of as protocol filtering as most ports below 1024 relate to specific high level protocols
  • pass all but those specified
  • reject all but those specified
  • Important ports/protocol to block:
    • telent
    • NetBIOS
    • POP
    • NFS
    • X Windows
    • Windows Terminal Services
    • pcAnywhere and VNC
source route filtering
Source Route Filtering
  • Source routed packed should never be allowed into your network
    • Source routing was added to IP to accommodate debugging
    • Allows you to specify the path a packet will take through your network
      • Strict Source Routing
        • Specifies the exact path to be taken
      • Loose Source Routing
        • Indicates one or more hosts the packet must go through
        • A hacker can plug in their own address and force packets to travel through a machine that they can sniff
loose source routing
Loose Source Routing
  • A packet is given a list of hops to be taken
  • Each packet carries same source address, destination is whatever the next IP in the hop path is; the hop path is in the IP Option field.
  • 131 is the type for Loose Source Routing
  • Length – total length of the option
  • Offset – byte offset to next IP to hop to

IP Option field

1 byte 1 byte 1byte 4 bytes 4 bytes

Type Length offset IP 1 IP2 ………


loose source routed example
Loose Source Routed Example

For example, if a packet was generated from, with a final destination of via a hop to, the intial packet would have a source of, a dest of, and an IP option

with a length of 7, an offset of 4, and the IP address starting at byte 4 of If

forwards LSR packets, it would re-emit the packet with a source of, dest of, offset of 8,

and the IP address at offset 4 of

Initial source=

dest. =

IP Option 131,7,4,

Initial source=

dest. =

IP Option 131,8,4,

Problem with loose source routing is that some stacks will reverse the source route when responding to a source routed packet, this would make it trivial for a hacker to spoof a packet coming from a trusted source and insert their own address in the source route. The hacker can then sniff on it; the unsuspecting victim would then send return traffic to the spoofed source but LSR it through the attacker

fragmentation filtering
Fragmentation Filtering
  • Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes
  • Any router in the path can break a large packet up into smaller pieces
    • problem is that the port number is only in the first fragment meaning that filtering on TCP or UDP is lost
problems with stateless filters
Problems with Stateless Filters
  • Effectiveness of stateless filters is limited due to:
    • They cannot check the payload of the packets
      • service related filtering can only be done by application level proxies
    • They do not retain the state of the connections
stateful packet filtering
Stateful Packet Filtering
  • Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets
    • create an in memory state table for the state of all Network and session layers
    • pass only packets relating to allowed (configured) ports that are currently in the state table.
      • Drop entries when the TCP close session happens or after a few minutes, this insures that the table stays “clean” and without holes in in it
  • Newer Firewalls all provide Stateful packet filtering
    • some also provide higher level protocol proxying
hacking through packet filters
Hacking Through Packet Filters
  • The following exploits are common:
    • TCP can only be filtered in the 0th fragment
      • setting the fragment number to 1 the packet will usually passe through the packet filter
    • Older packet filters only filter ports below 1024
      • used to be that only HTTP used higher numbered ports for passing data back to web browsers, many new applications use ports above 1024 for normal communication
    • Public services must be forwarded
      • services like the updating of web pages via Netscape Composer must be controlled (possibly bt IP address) to limit public access
    • Trojan horses can defeat packet filters using NAT
best practices
Best Practices
  • Use a proxy
    • physically breaks the network path
  • Use Stateful Packet Filters
    • can’t be bypassed like stateless filters
  • Disable all Ports by Default
    • enable only what is absolutely needed
      • if a Trojan Horse get in it will most likely set up a server that the hacker can then attach to, it the port is blocked, this can’t happen
  • Secure the Base Operating System (Hardening)
    • apply all patches provided by vendor
      • check the vendor web site frequently
    • always use a hardened protocol stack
ip chains
IP Chains
  • Stateless packet filter
  • optionally built into the Linux kernel
  • will pass or deny packets based on a rule set applied against IP header fields
  • used in v 2.2 kernels, replaced by IPTables in 2.4 kernels
ipchains flow
IPChains Flow

lo interface

IP Packet

















ipchains commands
IPChains Commands

Command Description

-A Add rule to chain

-D Delete rule from chain

-I Insert rule

-R Replace rule

-F Flush all rules

-L List all rules

-N Create new chain

-X Delete user defined chain

-P Set default targe

ipchains command options
IPChains Command Options

Command Option Description

-s Source address of packet

-d Destination address of packet

-i Interface packet is arriving from

-p Protocol

-j Target to send packet to

-y For -p tcp. Packet is SYN packet.

--icmp-type For -p icmp.

-l Log the packet to syslog.

/var/log/messages Available in Red Hat 6.0+ kernel

ipchains targets
IPChains Targets

System targets Description


ACCEPT Let packet through

DENY Deny packet

REJECT Deny packet and notify sender

MASQ Forward chain masquerade

REDIRECT Send to different port

RETURN Handled by default targets

ipchains chain types
IPChains- Chain Types

IP input chain

IP output chain

IP forwarding chain

User defined chains (just give it a new name instead of the built-in names: input, output or forward)

ipchains example
IPChains Example

# Flush Rules ipchains -F forward ipchains -F output ipchains -F input # Set default to deny allipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Add Rules# Accept packets from itself (localhost) (s)ource to itself (d)estination # Keeps system logging, X-Windows or any socket based service working. ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses ipchains -A input -j REJECT -p all -s -i eth0 -l # Accept requests/responses from/to your own firewall machine ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0# Allow outgoing packets source (s) to destination (d)ipchains -A input -j ACCEPT -p all -s -i eth1ipchains -A output -j ACCEPT -p all -s -i eth1# Deny and log (option -l) outside packets from internet which claim to be from your loopback interfaceipchains -A input -j REJECT -p all -s localhost -i eth0 -lipchains -A forward -s -j MASQipchains -A forward -i eth1 -j MASQ# Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward

iptables commands
IPTables Commands

-A , --append Append rule to chain

-D , --delete Delete rule from chain

-I , --insert Insert rule at beginning or at specified sequence number in chain.

-R , --replace Replace rule

-F , --flush Flush all rules

-Z , --zero Zero byte counters in all chains

-L , --list List all rules. Add option --line-numbers for rule number.

-N , --new-chain Create new chain

-X , --delete-chain Delete user defined chain

-P , --policy Set default policy for a chain

-E , --rename-chain Rename a chain

iptables command options
IPTables Command Options

-s , --source Source address of packet

-d , --destination Destination address of packet

-I , --in-interface Interface packet is arriving from

-o , --out-interface Interface packet is going to

-p , --protocol Protocol:


--sport port[:port]

--dport port[:port]





-j , --jump Target to send packet to

-f , --fragment Fragment matching

-c , --set-counters Set packet/byte counter

-m tcp , --match tcp *--source-port port[:port] (port # or range #:#)

*--destination-port port[:port]


-m state , --match state --state





(Push content, not expected to recieve this packet.)

iptables defined policies
IPTables Defined Policies

Defined Policies Description

ACCEPT Let packet through

DROP Deny packet with no reply

REJECT Deny packet and notify sender

RETURN Handled by default targets

MARK Used for error response. Use with option --reject-with type

MASQUERADE Used with nat table and DHCP.

LOG Log to file and specify message:

°--log-level #

°--log-prefix "prefix"




ULOG Log to file and specify userpace logging messages

SNAT Valid in PREROUTING chain. Used by nat.

REDIRECT Used with nat table. Output.

DNAT Valid in POSTROUTING chain. Output.

QUEUE Pass packet to userspace.

iptables example
IPTables Example
  • Simple firewall for the desktop Linux system:
    • iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
  • Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.) Allow network input/output from self (lo).

# Allow loopback access. This rule must come before the rules denying port access!!iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopbackiptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFSiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFSiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X-Windowsiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block X-Windows font serveriptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer portiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer portiptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFSiptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFSiptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny packets which claim to be from your loopback interface.