logging in or signing up linux firewall Justine Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 2536 Category: Entertainment License: All Rights Reserved Like it (4) Dislike it (0) Added: November 26, 2007 This Presentation is Public Favorites: 2 Presentation Description No description available. Comments Posting comment... By: twas (4 month(s) ago) good Saving..... Post Reply Close Saving..... Edit Comment Close By: mrselly (11 month(s) ago) thankssssssssssss Saving..... Post Reply Close Saving..... Edit Comment Close By: VinayMeshram (14 month(s) ago) hello Sir, My name is Vinay. IM the student of hardware & networking. I really need this ppt for my presentation so plz tell me the how can i download this ppt or send me this ppt on my mail id vinay_007meshram@yahoo.com. Please send me sir... Thank You Saving..... Post Reply Close Saving..... Edit Comment Close By: peeaarkey (17 month(s) ago) mail me thsi Pl rajesh.kanna1212@gmail.com Saving..... Post Reply Close Saving..... Edit Comment Close By: dmdfoss (19 month(s) ago) Please send this PPT IF POSSIBLE Saving..... Post Reply Close Saving..... Edit Comment Close loading.... See all Premium member Presentation Transcript Slide1: Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSPToday’s Agenda: Today’s Agenda Introduction TCP/IP Recap Firewall Basics ipchains, iptables (Netfilter) Implementation for home use Implementation for business use Firewall Management DemoIntroduction: Introduction Why need a firewall? Increased network security Access Control (Network/Transport Level) Logging Why Linux? It’s FREE Not difficult to use!? Low hardware cost Flexible Lots of features compared with commercial counterpart Lots of Support!? Always evolving and improving (thanks to the open source community)TCP/IP Recap: General Info: TCP/IP Recap: General Info Essentials for configuring a firewall A suite of network protocols that runs on the internet Layered Concept Lower layers provide means of communications for upper layers Key Terms TCP, UDP, IP, ICMPTCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept Application TCP UDP IP Device Driver Device Driver Application Application Application http, ftp, dns, telnet, netbios Ports src, dst eth0, eth1 ICMPTCP/IP Recap: Layered Communication: TCP/IP Recap: Layered Communication Application TCP/UDP TCP/UDP IP Device Driver Device Driver IP Application Client Server TCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept http TCP UDP IP Device Driver Device Driver ftp Netbios-ns dns 80 20,21 137 53 192.168.0.166 202.252.123.1 eth0 eth1TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client CloseTCP/IP Recap: TCP, UDP, IP, ICMP: TCP/IP Recap: TCP, UDP, IP, ICMP TCP Stateful communication (Session, Reliable) UDP Stateless communication (no session, Less reliable, fast) IP Addressing, routing (best effort) ICMP Diagnostic (dangerous?)Firewall Basics: What is a Firewall?: Firewall Basics: What is a Firewall? In simple term, a firewall is: A device filtering network traffic between 2 (or more) networks Network A Network B Firewall Basics: What is NOT a Firewall?: Firewall Basics: What is NOT a Firewall? A firewall is NOT: The only thing for security Does not solves other aspect of infosec (eg. human, insiders, mis-configuration) You still have to let traffic in and out “install and leave it” Need to manage it for the ever-changing network environment Need to monitor it 100% safe Any software has bugs and vulnerabilities, so does any firewall Firewall Basics: Different Types of Firewalls: Firewall Basics: Different Types of Firewalls A firewall can be in the form of: Packet-Filtering Gateway (Today’s focus) Application Gateway (http proxy, socks server) Firewall Basics: How does it work?: Firewall Basics: How does it work? Packet filter Inspect packets as they transverse Checks Src-addr, dst-addr, src-ports, dst-ports, flags, session # Perform action (accept, drop) based on a rule (defined by you) Accept Dropipchains: What is it?: ipchains: What is it? A loadable kernel module that performs packet filtering Comes with most Linux distribution Concept of chain: Input, output, and forward Command or Script (up to you) No Port-forward Port-forward: use with “ipmasqadm portfw” iptables (a.k.a. Netfilter): What is it?: iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module Since kernel 2.4.x Comes with recent distribution Everything of ipchains plus: Stateful inspection Port forward (for servers behind firewall) More customized logging Improved matching (rate, string matching) More features = more difficult to use ipchains or iptables: Before we begin: ipchains or iptables: Before we begin Make sure the linux O/S is hardened (Not covered here) Applied the latest patch from the distribution you selected Use the most recent version of ipchains or iptables ipchains: Basic Usage I: ipchains: Basic Usage I Command Syntax: ipchains –A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]] [-d address [port[:port]] –j [action] -l Useful Option: ! Means “NOT” -l means “log to syslog” -y means “SYN set & ACK clear -> connection initiation” ! –y means “ACK set ->response to initiation, established connection” TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Closeipchains: The basic concept: ipchains: The basic concept Control the input, output, and forward behavior of the interfaces input eth0 output input eth1 output forward ipchains: Using Script: ipchains: Using Script Put the script in /etc/rc.d/rc.firewall (just as if you type it on command line) In some distribution, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line) Run when firewall boots Good practices: Only enable ip forward inside the script and after all the rules are defined (ie. At the very end) run the script before interfaces goes up make sure the script is owned by root and with mode 700ipchains Tips: Writing Script: ipchains Tips: Writing Script Use deny for default chain, “-P” “ipchains –P forward deny” “ipchains –P input deny” “ipchains –P output deny” Remember to allow localhost traffic Use variables to assist you: LOCALNET_1="10.0.0.0/24“ LOCAL_INTERFACE_1="eth1“ “ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT” ipchains Tips: REJECT vs. DENY: ipchains Tips: REJECT vs. DENY Two choice when blocking packet “REJECT” or “DENY” If “REJECT”, a “ICMP port unreachable” is sent back to the src-addr IF “DENY”, then the packet is just droppedImplementation Tips: : Implementation Tips: Use common Linux distributions PC with >1 NIC card, hard disk for the O/S Install and harden O/S Load module (usually already loaded for default installation Run script Some Unique Linux distribution PC without hard disk (use RAM as disk) Floppyfw, LEAF Trinux (hardened) Store your script on floppy or cdrom Implementation for Home: Typical Setup: Implementation for Home: Typical Setup Internet Firewall 1 or more PC’s Cable, ADSL, or Dial-up Modem Aim: Masquerade all out going traffic Allow all outgoing traffic Filter in-coming traffic Home use: firewall-config: Home use: firewall-config Use GUI to help you Based on ipchains Most distribution Home use: firestarter: Home use: firestarter Use GUI to help you Rpm package available Based on iptables Home use: firestarter: Home use: firestarter Wizard Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem Cable Connection: Use Standard DHCP for external interface Straight forward Set up LAN interfaces using “linuxconf” or “/etc/sysconfig/network-script/ifcfg-eth0” “pump” or “dhcpcd” “pump” has to be fixed by “initscripts-6.22-1” or the IP address will disappear after the dhcp leasing period Choose “pump” or “dhcpcd” in the script “/etc/sysconfig/network-script/ifup” Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem ADSL Connection: NOT Standard DHCP for external interface Usually PPP over Ethernet (pppoE) Use package rp-pppoe to assist you http://www.roaringpenguin.com/pppoe/ Most ADSL connection requires user account Configure the account in “/etc/ppp/pppoe.conf “ When filtering, refer to “pppO” rather than “eth0” Step-by-Step guide for rp-pppoe at http://www.roaringpenguin.com/pppoe/how-to-connect.txt Home Use: Step-by-Step Setup - Step 1: Home Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: If Cable: EXTERNAL_INTERFACE="eth0“ IF ADSL: EXTERNAL_INTERFACE=“ppp0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1" Local Network Address: LOCALNET_1="10.0.0.0/24" Home Use: Step-by-Step Setup - Step 2: Home Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for internal and loopback interface: ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT Home Use: Step-by-Step Setup - Step 3: Home Use: Step-by-Step Setup - Step 3 Filter incoming traffic towards external interface Done by the default chain “ipchains -P input DENY” But that will disallow all input Need to allow TCP high port traffic that is NOT “connection initiation” (SYN bit not set!) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT What is “! –y” ??? : What is “! –y” ??? Anyone Your firewall SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Connection Established Server Close Active Open Connection Established Client CloseHome Use: Step-by-Step Setup - Step 4: Home Use: Step-by-Step Setup - Step 4 Some ports that you have to open DNS Replies ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT FTP data ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT ICMP Replies ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPTHome Use: Step-by-Step Setup - Final Step: Home Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forwardOffice Use: Office Use Don’t rely on GUI GUI may not be flexible enough for you Commands gives you more control Learn it (you or your net admin staff) Put together a firewall script Implementation for Office: Typical Setup 1: Implementation for Office: Typical Setup 1 Internet Firewall Internal LAN router Aim: Masquerade all out going traffic Filter both in-coming and out-going traffic Port forward incoming traffic for your servers DMZ (servers)Implementation for Office: Typical Setup 2: Implementation for Office: Typical Setup 2 Firewall Internal LAN 1 Aim: Filter traffic between two networks Internal LAN 2Office Use: Step-by-Step Setup - Step 1: Office Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: EXTERNAL_INTERFACE="eth0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1“ LOCAL_INTERFACE_2=“eth2” Network Addresses and servers: LOCALNET_1="10.0.0.0/24“ MAIL_SERVER=“a.a.a.a” WEB_SERVER=“b.b.b.b” Office Use: Step-by-Step Setup - Step 2: Office Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Ipchains –P output DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for loopback interface: ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPTOffice Use: Step-by-Step Setup - Step 3: Office Use: Step-by-Step Setup - Step 3 Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE base on EACH service you allow: Example http and dns service: ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Step 4: Office Use: Step-by-Step Setup - Step 4 Port forwarding to your servers Need “ipmasqadm” Example, web server: ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80 ipchains -A input -s $ANYWHERE –d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Final Step: Office Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forwardTroubleshooting Tips: Troubleshooting Tips Don’t panic when it doesn’t work Use “-l” (logging) to help you Logs are logged in syslog Location: /var/log/messages Use this command to view traffic as they pass along: #tail –f /var/log/messages Can also use tcpdump or snoop to help you Firewall Management: Building Rules: Firewall Management: Building Rules gfcc For ipchains Provides good rules management Firewall Management: View Current MASQ sessions: Firewall Management: View Current MASQ sessions gfcc View current masquerading sessions Firewall Management: Build your rules online!: Firewall Management: Build your rules online! http://www.linux-firewall-tools.com/linux/firewall/index.html Firewall Management: Viewing Logs: Firewall Management: Viewing Logs Firestarter Real-time “hit-list” showing the blocked traffic Firewall Management: Log Analyzer: Firewall Management: Log Analyzer fwlogwatch http://cert.uni-stuttgart.de/projects/fwlogwatch/ Generate html report Real time reporting Some customization work Firewall Management: What’s missing?: Firewall Management: What’s missing? Enterprise level – multiple firewall Rules building, use: Scp (secure copy) X-window (need proper access control) Log management, use: Various syslog tools Good References: Books: Good References: Books TCP/IP Illustrated (All time classic) By W. Richard Stevens Firewall and Internet Security (All time classic) By William R. Cheswick, Steven M. Bellovin Linux Firewall By Robert L. Ziegler Good References: Sites: Good References: Sites SANS: Choosing a firewall http://www.sans.org/infosecFAQ/firewall/best.htm Robert L. Ziegler Site: http://www.linux-firewall-tools.com/linux/firewall/index.html ipchains HOW-TO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html Netfilter project and iptables HOW-TO: http://netfilter.samba.org/ http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html Robert Graham, analyzing firewall logs: http://www.robertgraham.com/pubs/firewall-seen.htmlSlide53: END of Linux Firewall For the Office and Home Thank You! Email: matthew.tam@pisa.org.hk You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
linux firewall Justine Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 2536 Category: Entertainment License: All Rights Reserved Like it (4) Dislike it (0) Added: November 26, 2007 This Presentation is Public Favorites: 2 Presentation Description No description available. Comments Posting comment... By: twas (4 month(s) ago) good Saving..... Post Reply Close Saving..... Edit Comment Close By: mrselly (11 month(s) ago) thankssssssssssss Saving..... Post Reply Close Saving..... Edit Comment Close By: VinayMeshram (14 month(s) ago) hello Sir, My name is Vinay. IM the student of hardware & networking. I really need this ppt for my presentation so plz tell me the how can i download this ppt or send me this ppt on my mail id vinay_007meshram@yahoo.com. Please send me sir... Thank You Saving..... Post Reply Close Saving..... Edit Comment Close By: peeaarkey (17 month(s) ago) mail me thsi Pl rajesh.kanna1212@gmail.com Saving..... Post Reply Close Saving..... Edit Comment Close By: dmdfoss (19 month(s) ago) Please send this PPT IF POSSIBLE Saving..... Post Reply Close Saving..... Edit Comment Close loading.... See all Premium member Presentation Transcript Slide1: Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSPToday’s Agenda: Today’s Agenda Introduction TCP/IP Recap Firewall Basics ipchains, iptables (Netfilter) Implementation for home use Implementation for business use Firewall Management DemoIntroduction: Introduction Why need a firewall? Increased network security Access Control (Network/Transport Level) Logging Why Linux? It’s FREE Not difficult to use!? Low hardware cost Flexible Lots of features compared with commercial counterpart Lots of Support!? Always evolving and improving (thanks to the open source community)TCP/IP Recap: General Info: TCP/IP Recap: General Info Essentials for configuring a firewall A suite of network protocols that runs on the internet Layered Concept Lower layers provide means of communications for upper layers Key Terms TCP, UDP, IP, ICMPTCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept Application TCP UDP IP Device Driver Device Driver Application Application Application http, ftp, dns, telnet, netbios Ports src, dst eth0, eth1 ICMPTCP/IP Recap: Layered Communication: TCP/IP Recap: Layered Communication Application TCP/UDP TCP/UDP IP Device Driver Device Driver IP Application Client Server TCP/IP Recap: Layered Concept: TCP/IP Recap: Layered Concept http TCP UDP IP Device Driver Device Driver ftp Netbios-ns dns 80 20,21 137 53 192.168.0.166 202.252.123.1 eth0 eth1TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client CloseTCP/IP Recap: TCP, UDP, IP, ICMP: TCP/IP Recap: TCP, UDP, IP, ICMP TCP Stateful communication (Session, Reliable) UDP Stateless communication (no session, Less reliable, fast) IP Addressing, routing (best effort) ICMP Diagnostic (dangerous?)Firewall Basics: What is a Firewall?: Firewall Basics: What is a Firewall? In simple term, a firewall is: A device filtering network traffic between 2 (or more) networks Network A Network B Firewall Basics: What is NOT a Firewall?: Firewall Basics: What is NOT a Firewall? A firewall is NOT: The only thing for security Does not solves other aspect of infosec (eg. human, insiders, mis-configuration) You still have to let traffic in and out “install and leave it” Need to manage it for the ever-changing network environment Need to monitor it 100% safe Any software has bugs and vulnerabilities, so does any firewall Firewall Basics: Different Types of Firewalls: Firewall Basics: Different Types of Firewalls A firewall can be in the form of: Packet-Filtering Gateway (Today’s focus) Application Gateway (http proxy, socks server) Firewall Basics: How does it work?: Firewall Basics: How does it work? Packet filter Inspect packets as they transverse Checks Src-addr, dst-addr, src-ports, dst-ports, flags, session # Perform action (accept, drop) based on a rule (defined by you) Accept Dropipchains: What is it?: ipchains: What is it? A loadable kernel module that performs packet filtering Comes with most Linux distribution Concept of chain: Input, output, and forward Command or Script (up to you) No Port-forward Port-forward: use with “ipmasqadm portfw” iptables (a.k.a. Netfilter): What is it?: iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module Since kernel 2.4.x Comes with recent distribution Everything of ipchains plus: Stateful inspection Port forward (for servers behind firewall) More customized logging Improved matching (rate, string matching) More features = more difficult to use ipchains or iptables: Before we begin: ipchains or iptables: Before we begin Make sure the linux O/S is hardened (Not covered here) Applied the latest patch from the distribution you selected Use the most recent version of ipchains or iptables ipchains: Basic Usage I: ipchains: Basic Usage I Command Syntax: ipchains –A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]] [-d address [port[:port]] –j [action] -l Useful Option: ! Means “NOT” -l means “log to syslog” -y means “SYN set & ACK clear -> connection initiation” ! –y means “ACK set ->response to initiation, established connection” TCP/IP Recap: TCP 3-way Handshake: TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Closeipchains: The basic concept: ipchains: The basic concept Control the input, output, and forward behavior of the interfaces input eth0 output input eth1 output forward ipchains: Using Script: ipchains: Using Script Put the script in /etc/rc.d/rc.firewall (just as if you type it on command line) In some distribution, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line) Run when firewall boots Good practices: Only enable ip forward inside the script and after all the rules are defined (ie. At the very end) run the script before interfaces goes up make sure the script is owned by root and with mode 700ipchains Tips: Writing Script: ipchains Tips: Writing Script Use deny for default chain, “-P” “ipchains –P forward deny” “ipchains –P input deny” “ipchains –P output deny” Remember to allow localhost traffic Use variables to assist you: LOCALNET_1="10.0.0.0/24“ LOCAL_INTERFACE_1="eth1“ “ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT” ipchains Tips: REJECT vs. DENY: ipchains Tips: REJECT vs. DENY Two choice when blocking packet “REJECT” or “DENY” If “REJECT”, a “ICMP port unreachable” is sent back to the src-addr IF “DENY”, then the packet is just droppedImplementation Tips: : Implementation Tips: Use common Linux distributions PC with >1 NIC card, hard disk for the O/S Install and harden O/S Load module (usually already loaded for default installation Run script Some Unique Linux distribution PC without hard disk (use RAM as disk) Floppyfw, LEAF Trinux (hardened) Store your script on floppy or cdrom Implementation for Home: Typical Setup: Implementation for Home: Typical Setup Internet Firewall 1 or more PC’s Cable, ADSL, or Dial-up Modem Aim: Masquerade all out going traffic Allow all outgoing traffic Filter in-coming traffic Home use: firewall-config: Home use: firewall-config Use GUI to help you Based on ipchains Most distribution Home use: firestarter: Home use: firestarter Use GUI to help you Rpm package available Based on iptables Home use: firestarter: Home use: firestarter Wizard Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem Cable Connection: Use Standard DHCP for external interface Straight forward Set up LAN interfaces using “linuxconf” or “/etc/sysconfig/network-script/ifcfg-eth0” “pump” or “dhcpcd” “pump” has to be fixed by “initscripts-6.22-1” or the IP address will disappear after the dhcp leasing period Choose “pump” or “dhcpcd” in the script “/etc/sysconfig/network-script/ifup” Home Use: Cable vs. ADSL modem: Home Use: Cable vs. ADSL modem ADSL Connection: NOT Standard DHCP for external interface Usually PPP over Ethernet (pppoE) Use package rp-pppoe to assist you http://www.roaringpenguin.com/pppoe/ Most ADSL connection requires user account Configure the account in “/etc/ppp/pppoe.conf “ When filtering, refer to “pppO” rather than “eth0” Step-by-Step guide for rp-pppoe at http://www.roaringpenguin.com/pppoe/how-to-connect.txt Home Use: Step-by-Step Setup - Step 1: Home Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: If Cable: EXTERNAL_INTERFACE="eth0“ IF ADSL: EXTERNAL_INTERFACE=“ppp0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1" Local Network Address: LOCALNET_1="10.0.0.0/24" Home Use: Step-by-Step Setup - Step 2: Home Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for internal and loopback interface: ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT Home Use: Step-by-Step Setup - Step 3: Home Use: Step-by-Step Setup - Step 3 Filter incoming traffic towards external interface Done by the default chain “ipchains -P input DENY” But that will disallow all input Need to allow TCP high port traffic that is NOT “connection initiation” (SYN bit not set!) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT What is “! –y” ??? : What is “! –y” ??? Anyone Your firewall SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Connection Established Server Close Active Open Connection Established Client CloseHome Use: Step-by-Step Setup - Step 4: Home Use: Step-by-Step Setup - Step 4 Some ports that you have to open DNS Replies ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT FTP data ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT ICMP Replies ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPTHome Use: Step-by-Step Setup - Final Step: Home Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forwardOffice Use: Office Use Don’t rely on GUI GUI may not be flexible enough for you Commands gives you more control Learn it (you or your net admin staff) Put together a firewall script Implementation for Office: Typical Setup 1: Implementation for Office: Typical Setup 1 Internet Firewall Internal LAN router Aim: Masquerade all out going traffic Filter both in-coming and out-going traffic Port forward incoming traffic for your servers DMZ (servers)Implementation for Office: Typical Setup 2: Implementation for Office: Typical Setup 2 Firewall Internal LAN 1 Aim: Filter traffic between two networks Internal LAN 2Office Use: Step-by-Step Setup - Step 1: Office Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: EXTERNAL_INTERFACE="eth0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1“ LOCAL_INTERFACE_2=“eth2” Network Addresses and servers: LOCALNET_1="10.0.0.0/24“ MAIL_SERVER=“a.a.a.a” WEB_SERVER=“b.b.b.b” Office Use: Step-by-Step Setup - Step 2: Office Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Ipchains –P output DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for loopback interface: ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPTOffice Use: Step-by-Step Setup - Step 3: Office Use: Step-by-Step Setup - Step 3 Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE base on EACH service you allow: Example http and dns service: ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Step 4: Office Use: Step-by-Step Setup - Step 4 Port forwarding to your servers Need “ipmasqadm” Example, web server: ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80 ipchains -A input -s $ANYWHERE –d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT Office Use: Step-by-Step Setup - Final Step: Office Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forwardTroubleshooting Tips: Troubleshooting Tips Don’t panic when it doesn’t work Use “-l” (logging) to help you Logs are logged in syslog Location: /var/log/messages Use this command to view traffic as they pass along: #tail –f /var/log/messages Can also use tcpdump or snoop to help you Firewall Management: Building Rules: Firewall Management: Building Rules gfcc For ipchains Provides good rules management Firewall Management: View Current MASQ sessions: Firewall Management: View Current MASQ sessions gfcc View current masquerading sessions Firewall Management: Build your rules online!: Firewall Management: Build your rules online! http://www.linux-firewall-tools.com/linux/firewall/index.html Firewall Management: Viewing Logs: Firewall Management: Viewing Logs Firestarter Real-time “hit-list” showing the blocked traffic Firewall Management: Log Analyzer: Firewall Management: Log Analyzer fwlogwatch http://cert.uni-stuttgart.de/projects/fwlogwatch/ Generate html report Real time reporting Some customization work Firewall Management: What’s missing?: Firewall Management: What’s missing? Enterprise level – multiple firewall Rules building, use: Scp (secure copy) X-window (need proper access control) Log management, use: Various syslog tools Good References: Books: Good References: Books TCP/IP Illustrated (All time classic) By W. Richard Stevens Firewall and Internet Security (All time classic) By William R. Cheswick, Steven M. Bellovin Linux Firewall By Robert L. Ziegler Good References: Sites: Good References: Sites SANS: Choosing a firewall http://www.sans.org/infosecFAQ/firewall/best.htm Robert L. Ziegler Site: http://www.linux-firewall-tools.com/linux/firewall/index.html ipchains HOW-TO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html Netfilter project and iptables HOW-TO: http://netfilter.samba.org/ http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html Robert Graham, analyzing firewall logs: http://www.robertgraham.com/pubs/firewall-seen.htmlSlide53: END of Linux Firewall For the Office and Home Thank You! Email: matthew.tam@pisa.org.hk