Linux Firewall
For the Office and Home
Nov 17, 2001
Matthew Tam, CISSP
Today’s Agenda: Introduction
TCP/IP Recap
Firewall Basics
ipchains, iptables (Netfilter)
Implementation for home use
Implementation for business use
Firewall Management
Demo
Introduction: Why do we need a firewall?
Increased network security
Access Control (Network/Transport Level)
Logging
Why Linux?
It’s FREE
Not difficult to use!?
Low hardware cost
Flexible
Lots of features compared with commercial counterpart
Lots of Support!?
Always evolving and improving (thanks to the open source community)
TCP/IP Recap: General Info: Essentials for configuring a firewall
A suite of network protocols that runs on the Internet
Layered concept
Lower layers provide the means of communication for the upper layers
Key terms
TCP, UDP, IP, ICMP
TCP/IP Recap: Layered Concept: [diagram] Application layer (http, ftp, dns, telnet, netbios) above TCP and UDP (ports: src, dst) above IP and ICMP above the device drivers (eth0, eth1)
TCP/IP Recap: Layered Communication: [diagram] Client and Server each run the stack Application / TCP-UDP / IP / Device Driver, and each layer on the client talks to its peer layer on the server
TCP/IP Recap: Layered Concept: [diagram with examples] http (port 80), ftp (ports 20, 21), Netbios-ns (137) and dns (53) over TCP/UDP, over IP (addresses 192.168.0.166 and 202.252.123.1), over the device drivers (eth0 and eth1)
TCP/IP Recap: TCP 3-way Handshake: [diagram, client on the left, server on the right]
Server: passive open; Client: active open
Client -> Server: SYN (1000)
Server -> Client: SYN (2000), ACK (1001)
Client -> Server: ACK (2001)   (connection established on both sides)
Client <-> Server: ACK, [DATA]
Client -> Server: ACK (2300), FIN (1500)   (client close)
Server -> Client: ACK (1501)
Server -> Client: ACK (1501), FIN (2400)   (server close)
Client -> Server: ACK (2401)
TCP/IP Recap: TCP, UDP, IP, ICMP: TCP
Stateful communication (Session, Reliable)
UDP
Stateless communication (no session, less reliable, fast)
IP
Addressing, routing (best effort)
ICMP
Diagnostics (dangerous?)
Firewall Basics: What is a Firewall? In simple terms, a firewall is:
A device filtering network traffic between 2 (or more) networks
[diagram: Network A | Firewall | Network B]
Firewall Basics: What is NOT a Firewall? A firewall is NOT:
The only thing needed for security
It does not solve other aspects of infosec (e.g. human factors, insiders, misconfiguration)
You still have to let traffic in and out
“Install and leave it”
It needs managing for the ever-changing network environment
It needs monitoring
100% safe
Any software has bugs and vulnerabilities, and so does any firewall
Firewall Basics: Different Types of Firewalls: A firewall can be in the form of:
Packet-Filtering Gateway (Today’s focus)
Application Gateway (http proxy, socks server)
Firewall Basics: How does it work? Packet filter
Inspects packets as they traverse the firewall
Checks src-addr, dst-addr, src-port, dst-port, flags, session number
Performs an action (accept, drop) based on a rule (defined by you)
[diagram: packets pass through the filter and are either accepted or dropped]
ipchains: What is it? A loadable kernel module that performs packet filtering
Comes with most Linux distributions
Concept of chains:
input, output, and forward
Command or script (up to you)
No port forwarding built in
Port forwarding: use it together with “ipmasqadm portfw”
iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module
Since kernel 2.4.x
Comes with recent distributions
Everything ipchains has, plus:
Stateful inspection
Port forwarding (for servers behind the firewall)
More customisable logging
Improved matching (rate limiting, string matching)
More features = more difficult to use
ipchains or iptables: Before we begin: Make sure the Linux O/S is hardened (not covered here)
Apply the latest patches from the distribution you selected
Use the most recent version of ipchains or iptables
ipchains: Basic Usage I: Command syntax:
ipchains -A|-I chain [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j action [-l]
Useful options:
! means “NOT”
-l means “log to syslog”
-y means “SYN set & ACK clear -> connection initiation”
! -y means “ACK set -> response to an initiation, established connection”
ipchains: The basic concept: Control the input, output, and forward behaviour of the interfaces [diagram: eth0 input/output, eth1 input/output, and the forward chain between them]
ipchains: Using Script: Put the script in /etc/rc.d/rc.firewall (just as if you typed it on the command line)
In some distributions a file is put in /etc/sysconfig/firewall (note: the syntax is not exactly the same as the command line)
Run when the firewall boots
Good practices:
Only enable IP forwarding inside the script, and only after all the rules are defined (i.e. at the very end)
Run the script before the interfaces go up
Make sure the script is owned by root and has mode 700
ipchains Tips: Writing Script: Use DENY as the default policy of each chain, “-P”
“ipchains -P forward DENY”
“ipchains -P input DENY”
“ipchains -P output DENY”
Remember to allow localhost traffic
Use variables to assist you:
LOCALNET_1="10.0.0.0/24"
LOCAL_INTERFACE_1="eth1"
“ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT”
ipchains Tips: REJECT vs. DENY: Two choices when blocking a packet, “REJECT” or “DENY”
If “REJECT”, an “ICMP port unreachable” is sent back to the src-addr
If “DENY”, the packet is just dropped
Implementation Tips: Use common Linux distributions
PC with more than one NIC, hard disk for the O/S
Install and harden the O/S
Load the module (usually already loaded in a default installation)
Run the script
Some specialised Linux distributions
PC without a hard disk (use RAM as the disk)
Floppyfw, LEAF
Trinux (hardened)
Store your script on floppy or CD-ROM
Implementation for Home: Typical Setup: [diagram: Internet, cable/ADSL/dial-up modem, Firewall, 1 or more PCs] Aim:
Masquerade all outgoing traffic
Allow all outgoing traffic
Filter incoming traffic
Home use: firewall-config: Use a GUI to help you
Based on ipchains
In most distributions
Home use: firestarter: Use a GUI to help you
RPM package available
Based on iptables
Home use: firestarter: Wizard [screenshot]
Home Use: Cable vs. ADSL modem: Cable connection:
Uses standard DHCP for the external interface
Straightforward
Set up LAN interfaces using “linuxconf” or “/etc/sysconfig/network-scripts/ifcfg-eth0”
“pump” or “dhcpcd”
“pump” has to be fixed by “initscripts-6.22-1” or the IP address will disappear after the DHCP lease period
Choose “pump” or “dhcpcd” in the script “/etc/sysconfig/network-scripts/ifup”
Home Use: Cable vs. ADSL modem: ADSL connection:
NOT standard DHCP for the external interface
Usually PPP over Ethernet (PPPoE)
Use the package rp-pppoe to assist you
http://www.roaringpenguin.com/pppoe/
Most ADSL connections require a user account
Configure the account in “/etc/ppp/pppoe.conf”
When filtering, refer to “ppp0” rather than “eth0”
Step-by-step guide for rp-pppoe at
http://www.roaringpenguin.com/pppoe/how-to-connect.txt
Home Use: Step-by-Step Setup - Step 1: Lay down some essential variables
Internet-connected interface:
If cable: EXTERNAL_INTERFACE="eth0"
If ADSL: EXTERNAL_INTERFACE="ppp0"
Loopback interface:
LOOPBACK_INTERFACE="lo"
Internal interface:
LOCAL_INTERFACE_1="eth1"
Local network address:
LOCALNET_1="10.0.0.0/24"
Home Use: Step-by-Step Setup - Step 2: Flush any chain that is running:
ipchains -F
Apply the Default Filter:
ipchains -P forward DENY
ipchains -P input DENY
Masquerade all out-going traffic:
ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
Allow all traffic for internal and loopback interface:
ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Home Use: Step-by-Step Setup - Step 3: Filter incoming traffic towards the external interface
Done by the default policy “ipchains -P input DENY”
But that will disallow all input
Need to allow TCP high-port traffic that is NOT a “connection initiation” (SYN bit not set!)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT
What is “! -y”? [diagram: the handshake again, between Anyone on the Internet and Your firewall]
Anyone -> Your firewall: SYN (1000)   (active open: SYN set, ACK clear, the packet “-y” matches)
Your firewall -> Anyone: SYN (2000), ACK (1001)   (connection established)
Anyone -> Your firewall: ACK (2001)
ACK, [DATA] in both directions
ACK (2300), FIN (1500)   (client close)
ACK (1501)
ACK (1501), FIN (2400)   (server close)
ACK (2401)
Every packet after the first one carries ACK, so “! -y” matches all of them
Home Use: Step-by-Step Setup - Step 4: Some ports that you have to open
DNS Replies
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT
FTP data
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT
ICMP Replies
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT
Home Use: Step-by-Step Setup - Final Step: Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
Office Use: Don’t rely on the GUI
The GUI may not be flexible enough for you
Commands give you more control
Learn them (you or your net admin staff)
Put together a firewall script
Implementation for Office: Typical Setup 1: [diagram: Internet, Firewall, internal LAN router, with a DMZ (servers) hanging off the firewall] Aim:
Masquerade all outgoing traffic
Filter both incoming and outgoing traffic
Port forward incoming traffic for your servers
Implementation for Office: Typical Setup 2: [diagram: Firewall between Internal LAN 1 and Internal LAN 2] Aim:
Filter traffic between the two networks
Office Use: Step-by-Step Setup - Step 1: Lay down some essential variables
Internet-connected interface:
EXTERNAL_INTERFACE="eth0"
Loopback interface:
LOOPBACK_INTERFACE="lo"
Internal interfaces:
LOCAL_INTERFACE_1="eth1"
LOCAL_INTERFACE_2="eth2"
Network addresses and servers (the rules in steps 3 and 4 use all of these):
LOCALNET_1="10.0.0.0/24"
ANYWHERE="0.0.0.0/0"
MAIL_SERVER="a.a.a.a"
WEB_SERVER="b.b.b.b"
EXTERNAL_WEB_IP="c.c.c.c"
Office Use: Step-by-Step Setup - Step 2: Flush any chain that is running:
ipchains -F
Apply the Default Filter:
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY
Masquerade all out-going traffic:
ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
Allow all traffic for loopback interface:
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Office Use: Step-by-Step Setup - Step 3: Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE based on EACH service you allow:
Example: http and dns services:
ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
Office Use: Step-by-Step Setup - Step 4: Port forwarding to your servers
Needs “ipmasqadm”
Example: web server:
ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80
ipchains -A input -s $ANYWHERE -d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
Office Use: Step-by-Step Setup - Final Step: Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
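To check what the home rules (steps 2 to 4) and the office rules (step 3) actually let through before loading them on a box, here is a small model of ipchains chain evaluation (first matching rule wins, otherwise the chain's -P policy applies). This is an added example, not code from the slides or from ipchains itself; it assumes eth0 is the external and eth1 the internal interface, and it does not model addresses or masquerading.

```python
# Added example, not code from the slides: a small model of how ipchains walks a
# chain (first match wins, else the "-P" policy), loaded with the rules above.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    chain: str            # "input", "output" or "forward"
    iface: str            # interface the packet arrives on or leaves by
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # SYN set and ACK clear, i.e. what "-y" matches
    icmp_type: str = ""

@dataclass
class Rule:
    chain: str
    target: str           # "ACCEPT", "DENY" or "REJECT"
    iface: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # --source-port lo:hi
    dport: Optional[Tuple[int, int]] = None   # --destination-port lo:hi
    syn: Optional[bool] = None                # True = "-y", False = "! -y"
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        in_range = lambda r, v: r is None or r[0] <= v <= r[1]
        return (self.chain == p.chain and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and in_range(self.sport, p.sport) and in_range(self.dport, p.dport)
                and self.syn in (None, p.syn) and self.icmp_type in (None, p.icmp_type))

def verdict(rules, policy, p: Packet) -> str:
    """Return the target of the first rule matching p, else the chain's policy."""
    return next((r.target for r in rules if r.matches(p)), policy[p.chain])

EXT, LAN = "eth0", "eth1"
# Home script: no "-P output" is set there, so the kernel default ACCEPT stands.
HOME_POLICY = {"input": "DENY", "forward": "DENY", "output": "ACCEPT"}
HOME_RULES = [
    Rule("input", "ACCEPT", LAN), Rule("input", "ACCEPT", "lo"),
    Rule("input", "ACCEPT", EXT, "tcp", dport=(1024, 65535), syn=False),  # ! -y
    Rule("input", "ACCEPT", EXT, "tcp", sport=(53, 53), syn=False),       # DNS/tcp
    Rule("input", "ACCEPT", EXT, "udp", sport=(53, 53)),                  # DNS/udp
    Rule("input", "ACCEPT", EXT, "icmp", icmp_type="echo-reply"),
]
# Office script: output is DENY by default and opened per service (http here).
OFFICE_POLICY = {"input": "DENY", "forward": "DENY", "output": "DENY"}
OFFICE_RULES = [Rule("output", "ACCEPT", EXT, "tcp", dport=(80, 80))]
```

Note that a TCP packet without SYN from any source port to any high port is accepted by the home rules, because ipchains cannot tell whether it belongs to a session the inside started; that is the gap the stateful inspection listed under iptables closes.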
Troubleshooting Tips: Don’t panic when it doesn’t work
Use “-l” (logging) to help you
Logs go to syslog
Location:
/var/log/messages
Use this command to view traffic as it passes along:
# tail -f /var/log/messages
Can also use tcpdump or snoop to help you
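Reading /var/log/messages by eye gets old quickly, so here is an added example (not from the slides or from fwlogwatch) that parses the lines ipchains writes for rules carrying “-l” and counts the refused connection attempts. It assumes a final logging catch-all such as “ipchains -A input -i $EXTERNAL_INTERFACE -l -j DENY” (the -P policy itself does not log), the line layout shown in the comment, and the constructed sample log below.

```python
# Added example, not code from the slides: parse the syslog lines written by
# rules that carry "-l" and summarise what the DENY rules are dropping.
# Assumed line layout (the sample below is constructed, not a real log):
#   "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... [SYN] (#<rule>)"
import re
from collections import Counter

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse(line):
    """Return a dict for one ipchains log line, or None if it is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rule = re.search(r"\(#(\d+)\)", d["rest"])
    return {"chain": d["chain"], "target": d["target"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "syn": " SYN" in d["rest"],            # set only for SYN/no-ACK packets
            "rule": int(rule.group(1)) if rule else None}

def denied_connection_attempts(lines):
    """Count denied TCP SYNs per (source address, destination port). These are
    the inbound connection attempts the logging DENY rule refused, and the
    first thing worth reading in /var/log/messages when a rule does not work."""
    counts = Counter()
    for entry in filter(None, map(parse, lines)):
        if entry["target"] == "DENY" and entry["proto"] == "tcp" and entry["syn"]:
            counts[(entry["src"], entry["dport"])] += 1
    return counts

# Constructed sample: two refused SYNs to port 22, one refused UDP packet,
# one accepted DNS reply logged by an ACCEPT rule that also carries "-l".
SAMPLE_LOG = [
    "Nov 17 10:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40211 192.0.2.10:22 L=60 S=0x00 I=0 F=0x4000 T=51 SYN (#7)",
    "Nov 17 10:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:40212 192.0.2.10:22 L=60 S=0x00 I=0 F=0x4000 T=51 SYN (#7)",
    "Nov 17 10:00:03 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.4:5060 192.0.2.10:5060 L=40 S=0x00 I=0 F=0x0000 T=60 (#7)",
    "Nov 17 10:00:04 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.53:53 192.0.2.10:1025 L=80 S=0x00 I=0 F=0x0000 T=55 (#4)",
]

if __name__ == "__main__":
    for (src, port), n in denied_connection_attempts(SAMPLE_LOG).items():
        print(f"{src} -> port {port}: {n} refused connection attempts")
```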
Firewall Management: Building Rules: gfcc
For ipchains
Provides good rules management
Firewall Management: View Current MASQ sessions: gfcc
View current masquerading sessions
Firewall Management: Build your rules online! http://www.linux-firewall-tools.com/linux/firewall/index.html
Firewall Management: Viewing Logs: Firestarter
Real-time “hit-list” showing the blocked traffic
Firewall Management: Log Analyzer: fwlogwatch
http://cert.uni-stuttgart.de/projects/fwlogwatch/
Generates HTML reports
Real-time reporting
Some customisation work needed
Firewall Management: What’s missing? Enterprise level, multiple firewalls
Rules building, use:
scp (secure copy)
X-window (needs proper access control)
Log management, use:
Various syslog tools
Good References: Books: TCP/IP Illustrated (all-time classic)
By W. Richard Stevens
Firewalls and Internet Security (all-time classic)
By William R. Cheswick, Steven M. Bellovin
Linux Firewalls
By Robert L. Ziegler
Good References: Sites: SANS: Choosing a firewall
http://www.sans.org/infosecFAQ/firewall/best.htm
Robert L. Ziegler Site:
http://www.linux-firewall-tools.com/linux/firewall/index.html
ipchains HOW-TO:
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Netfilter project and iptables HOW-TO:
http://netfilter.samba.org/
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
Robert Graham, analyzing firewall logs:
http://www.robertgraham.com/pubs/firewall-seen.html
END of
Linux Firewall
For the Office and Home
Thank You!
Email: matthew.tam@pisa.org.hk