LinuxCBT Firewall Notes

IPTables/Netfilter Notes:

1. IPTables is really a front-end (user-space) tool to manage Netfilter (integrated within the Linux kernel)

2. IPTables functions primarily at OSI Layers 3 (Network (IP)) & 4 (Transport (TCP/UDP))

3. Layer 3 focuses on Source (192.168.1.20) & Destination (192.168.1.30) addresses. IP addresses are 32-bit (about 4 billion addresses)

4. Layer 4 focuses on Protocols:Ports, e.g. TCP:80, UDP:69. TCP/UDP ports use a 16-bit range (0-65535)

5. IPTables can manage ICMP. ICMP uses types - echo-request, echo-reply

6. /boot/config* - check to ensure that CONFIG_NETFILTER=y

7. 3 Default Tables contain chains, which contain rules
   a. mangle - alter packets within TCP/UDP/ICMP/etc. (TOS/TTL)
   b. nat - Network Address Translation - change IP addresses/ports (192.168.1.20 -> 10.0.0.1)
   c. filter - IP packet filtering (INPUT, FORWARD, OUTPUT)

8. ACL syntax
   a. use the 'iptables' command
   b. components of an iptables command
      1. action (what to do to the chain: Append/Insert/Replace) and name of chain
      2. name of table (filter is the default) - mangle/nat; chains are built-in or user-defined
      3. layer 3 object (source/destination address) -s/-d
      4. optionally layer 4 object (tcp/udp protocols/ports) -p, --sport/--dport
      5. Jump/Target -j - ACCEPT/DROP/REJECT/LOG (DENY was the ipchains name for what iptables calls DROP)
   Eg. Block source IP (192.168.1.30) from communicating with our system:
      iptables -A INPUT -s 192.168.1.30 -j DROP

9. Saving/Restoring - managing rules via text files
   a. iptables-save (default dumps to STDOUT)
   b. iptables-restore (default reads rules from STDIN)
   c. Flush rules - iptables -F (flushes all rules in all chains of the filter table)
   d. To save rules: iptables-save > filename
   e. To restore rules: iptables-restore < filename

10. CHAIN MANAGEMENT - IN VARIOUS TABLES (MANGLE/NAT/FILTER)
   a. List various tables/chains
      1. INPUT chain of the filter table relates to traffic destined to OUR host.
      2. -v - verbose; reveals packet and byte counters (K/M/G)

   b. Appending (-A) / Inserting (-I INPUT line-number) rules
      Traffic flow: our host sends an ICMP echo-request to 192.168.1.30 - it traverses the local OUTPUT chain;
      192.168.1.30 responds with an echo-reply - it traverses the local INPUT chain
      1. permit SSH - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
      2. deny Telnet - iptables -A INPUT -p tcp --dport telnet -j DROP
      Note: appending rules simply adds to the end of the list

   c. Deleting (-D INPUT #) / Replacing (-R INPUT #) rules
      1. /sbin/iptables -D INPUT 4 - deletes a rule based on its line number
      2. /sbin/iptables -D INPUT -p tcp --dport telnet -j DROP - deletes the first rule that matches the specification
      3. /sbin/iptables -R INPUT 1 -p tcp --dport telnet -j ACCEPT - replaces rule 1 of INPUT

   d. Flush (-F INPUT) / Zero counters (-Z INPUT)
      1. /sbin/iptables -F

   e. User-Defined Chains (-N ChainName) / Rename Chains (-E old new)
      1. packet-processing occurs top-down through chains
      2. define INTRANET chain - contains IP addresses under our auspices
         a. /sbin/iptables -N INTRANET
         b. /sbin/iptables -R INPUT 1 -s 192.168.1.0/24 -j INTRANET   (-R takes the chain name as well as the rule number)
         c. /sbin/iptables -A INTRANET -p tcp --dport telnet -j DROP
         Note: User-defined chains MUST have unique names
      3. rename chain - /sbin/iptables -E INTRANET EXTRANET

   f. Chain Policies (-P ACCEPT/DROP)
      1. Update INTRANET user-defined chain to permit appropriate access
         a. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5801 -j ACCEPT
         b. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5901 -j ACCEPT
         c. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
         d. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport telnet -j ACCEPT
         e. /sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
      2. Change default policy of INPUT chain from ACCEPT to DROP
         a. /sbin/iptables -P INPUT DROP

   Note: Default DROP policy may prevent typical TCP/UDP/ICMP communications.
   TCP - uses a 3-way handshake: 1. SYN  2. SYN-ACK  3. ACK
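The top-down, first-match behaviour described in sections 10.e and 10.f is easy to get wrong by hand, so here is a small simulator to walk packets through it. This is an added example written for these notes, not LinuxCBT's material or netfilter code: it accepts only the subset of iptables syntax the notes use (-N, -P, -A, -I, -s/-d with the current "! -s" negation, -p, --dport, -i with the "+" wildcard, -j), resolves service names from a constructed table instead of /etc/services, and the sample packets and the 192.168.1.20 firewall address are assumptions taken from the notes' lab. It reproduces the INTRANET chain exactly as the notes build it, which makes visible that the early "--dport telnet -j DROP" wins over the "--dport telnet -j ACCEPT" appended later, that a packet falling off the end of INTRANET returns to INPUT and is then dropped by the INPUT policy, and that LOG does not stop processing.

```python
import ipaddress
import shlex

# Constructed stand-in for /etc/services lookups (--dport telnet, --dport web-cache).
SERVICES = {"telnet": 23, "ssh": 22, "web-cache": 8080}

def matches(rule, pkt):
    """Check a rule's -s/-d (with optional negation), -p, --dport and -i criteria."""
    for key in ("src", "dst"):
        if key in rule:
            net, negate = rule[key]
            if (ipaddress.ip_address(pkt[key]) in net) == negate:
                return False
    if rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    want, got = rule.get("iface"), pkt.get("iface", "")
    if want and not (got.startswith(want[:-1]) if want.endswith("+") else got == want):
        return False                         # "eth+" is the wildcard form from the notes
    return True

class FilterTable:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def run(self, command):
        argv = shlex.split(command)          # one iptables command line: -N, -P, -A or -I
        if argv[0].endswith("iptables"):
            argv = argv[1:]
        if argv[0] == "-N":                  # user-defined chains MUST have unique names
            if argv[1] in self.chains:
                raise ValueError(f"chain {argv[1]} already exists")
            self.chains[argv[1]] = []
        elif argv[0] == "-P":                # only built-in chains carry a policy
            self.policy[argv[1]] = argv[2]
        else:
            self._add_rule(argv[0], argv[1], argv[2:])

    def _add_rule(self, op, chain, rest):
        position = len(self.chains[chain])   # -A appends to the end of the list
        if op == "-I":                       # -I inserts at the given line number (default 1)
            position = int(rest.pop(0)) - 1 if rest and rest[0].isdigit() else 0
        rule, i = {}, 0
        while i < len(rest):
            negate = rest[i] == "!"          # current negation syntax: ! -s 192.168.1.100
            key, val = rest[i + negate], rest[i + negate + 1]
            if key in ("-s", "-d"):
                rule["src" if key == "-s" else "dst"] = (ipaddress.ip_network(val, strict=False), negate)
            elif key == "--dport":
                rule["dport"] = SERVICES.get(val) or int(val)
            elif key in ("-p", "-i", "-j"):
                rule[{"-p": "proto", "-i": "iface", "-j": "target"}[key]] = val
            else:
                raise ValueError(f"unsupported option {key}")
            i += 2 + negate
        self.chains[chain].insert(position, rule)

    def verdict(self, pkt, chain="INPUT"):
        """Walk the chain top-down; return (verdict, list of the rules that matched)."""
        path = []
        def walk(name):
            for idx, rule in enumerate(self.chains[name], 1):
                if not matches(rule, pkt):
                    continue
                path.append(f"{name}:{idx}")
                target = rule["target"]
                if target in ("ACCEPT", "DROP", "REJECT"):
                    return target            # terminating target: processing stops here
                if target == "LOG":
                    continue                 # LOG is non-terminating: keep walking
                result = walk(target)        # -j ChainName jumps into a user-defined chain
                if result is not None:
                    return result
            return None                      # fell off the end: back to the calling chain
        result = walk(chain)
        if result is None:                   # nothing matched in the built-in chain: policy decides
            result = self.policy[chain]
            path.append(f"{chain}:policy")
        return result, path

# The INTRANET chain and INPUT policy as the notes build them (-R INPUT 1 is written as -I INPUT 1
# because a fresh table has no rule 1 to replace).
NOTES_COMMANDS = [
    "/sbin/iptables -N INTRANET",
    "/sbin/iptables -I INPUT 1 -s 192.168.1.0/24 -j INTRANET",
    "/sbin/iptables -A INTRANET -p tcp --dport telnet -j DROP",
    "/sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5801 -j ACCEPT",
    "/sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 5901 -j ACCEPT",
    "/sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT",
    "/sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport telnet -j ACCEPT",
    "/sbin/iptables -A INTRANET -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT",
    "/sbin/iptables -P INPUT DROP",
]

def build_notes_table():
    table = FilterTable()
    for command in NOTES_COMMANDS:
        table.run(command)
    return table
```

A packet is a dict such as {"src": "192.168.1.50", "dst": "192.168.1.20", "proto": "tcp", "dport": 23, "iface": "eth0"}; build_notes_table().verdict(...) on it returns ("DROP", ["INPUT:1", "INTRANET:1"]), showing which rule decided. The same packet to port 80 returns ("DROP", ["INPUT:1", "INPUT:policy"]): INTRANET had nothing to say, so the INPUT policy applied.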

BASIC MATCHES: --src, -s, --source / -d, --dst, --destination
   1. block all traffic from source IP 192.168.1.72/32
   2. block all traffic based on interface, i.e. eth0/eth1
   3. negation - block all traffic not sourced from 192.168.1.100
      a. /sbin/iptables -A INPUT ! -s 192.168.1.100 -j DROP   (older iptables accepted "-s ! 192.168.1.100"; current releases require the "!" before the option)
   4. wildcard an interface by adding '+' to the end of the common characters
      a. eth0, eth1 -> eth+ : /sbin/iptables -A INPUT -i eth+ -p tcp --dport telnet -j DROP

TCP (Layer 4 (Transport)) MATCHES: - Connection-Oriented
   -p tcp, --protocol tcp
   --sport, --source-port - generally picked arbitrarily from > 1024
   --dport 23/telnet (/etc/services), --destination-port
   --tcp-flags SYN,FIN,ACK SYN,ACK   (first list: flags to examine; second list: flags that must be set)

UDP (Layer 4 (Transport)) MATCHES: - Connectionless
   UDP Applications:
      1. TFTP (booting systems / updating infrastructure devices (Cisco)) - UDP:69
      2. SysLog - UDP:514
      3. NTP - UDP:123
      4. DHCP - UDP:67, UDP:68
   -p udp, --protocol udp
   --sport, --source-port - often the same source port as destination port
   --dport 123/ntp (/etc/services), --destination-port
   1. restrict access to SysLog
      a. /sbin/iptables -A INPUT -p udp --dport 514 ! -s 192.168.1.1 -j DROP

Internet Control Messaging Protocol (ICMP)
ICMP Types:
   a. echo-request - PING
   b. echo-reply - pong
   PING - local system sends an echo-request (PING) via its OUTPUT chain -> remote system receives the echo-request in its INPUT chain -> remote system responds with an echo-reply (pong)
   -p icmp, --protocol icmp
   --icmp-type name/number
   2. Deny ICMP echo-replies from all hosts
      a. /sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
   3. Drop echo-replies from our system to all hosts

Match multiple ports with fewer rules (-m multiport)
   Filter traffic to ports 8080 and 23 - two rules:
      /sbin/iptables -A INPUT -p tcp --dport web-cache -j DROP
      /sbin/iptables -A INPUT -p tcp --dport telnet -j DROP
   The same with one rule each:
      /sbin/iptables -A INPUT -p tcp -m multiport --destination-port 8080,23 ! -s 127.0.0.1 -j DROP
      /sbin/iptables -A INPUT -p tcp -m multiport --destination-port 8080,23 -s 192.168.1.30 -j DROP

MAC ADDRESS FILTERING:
   Deny access to our telnet service from IP address 192.168.1.10 (MAC 00:02:B3:98:41:08):
      /sbin/iptables -A INPUT -p tcp --dport telnet -m mac --mac-source 00:02:B3:98:41:08 -j DROP

   Note: Filtering on the MAC (Layer 2) address is considered more secure than filtering on the IP (Layer 3) address because the IP address can easily be changed. If the user changes the Layer 3 address of a host that matches our MAC rule, the rule still applies. The mac match only sees the source MAC of the last hop on the local Ethernet segment (it is valid in the PREROUTING, FORWARD and INPUT chains), and MAC addresses can be changed as well, so treat it as a local-segment control rather than proof of identity.

The State Machine / IPTables' Statefulness (TCP/UDP/ICMP)
   States: NEW, ESTABLISHED, RELATED, INVALID
   Business Rule: Permit our hosts to initiate (SYN) but deny other hosts from initiating traffic to our hosts
      /sbin/iptables -I INTRANET 3 -m state --state ESTABLISHED -j ACCEPT
      /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
   Note: NEW means the first SYN of a connection

Targets:
   ACCEPT -> lets the packet continue (to the next table/chain in its path, or to the local process)
   DROP -> sends no courtesy indication to the client/calling host
   REJECT -> a courtesy message (ICMP error or TCP reset) is sent to the client
   REDIRECT -> applied in the PREROUTING chain of the nat table - redirects to local ports ONLY
   LOG -> allows us to log via SysLog (non-terminating: processing continues with the next rule)

   Business Rule: Log all traffic destined to 192.168.1.20 / 10.0.0.1
   LOG ALL except VNC from 192.168.1.100:
      /sbin/iptables -R INTRANET 1 -p tcp -m multiport ! --dports 5801,5901 -j LOG

   Prefix interesting traffic with a log prefix:
      --log-prefix "SSH ACCESS ATTEMPT:"
   Prefix unauthorized traffic with "SERVICE NAME UNAUTHORIZED ACCESS ATTEMPT"

   Other LOG options:
      --log-tcp-options
      --log-ip-options
      --log-tcp-sequence
      --log-level debug through emerg (default: warning)
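What the LOG target actually produces is a kernel message with the --log-prefix text followed by KEY=VALUE fields (IN, OUT, MAC, SRC, DST, PROTO, SPT, DPT, ...) and bare flag tokens (DF, SYN, ACK, ...). The parser below is an added example for these notes, not LinuxCBT's or netfilter's code; the syslog lines it reads are constructed in that format using the notes' lab addresses and prefixes (the "TELNET UNAUTHORIZED ACCESS:" prefix is shortened to fit the 29-character --log-prefix limit). It groups connection attempts by prefix, source and destination port, so the defender can see who is knocking on which service, and separates the UDP hits from the syslog restriction rule.

```python
import re
from collections import Counter

# Constructed syslog lines in the kernel's LOG-target format (not real captures).
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4211 DF PROTO=TCP SPT=45210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4212 DF PROTO=TCP SPT=45211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: TELNET UNAUTHORIZED ACCESS:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.1.72 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 fw kernel: SSH ACCESS ATTEMPT:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:02:b3:98:41:08:08:00 SRC=192.168.1.30 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4213 DF PROTO=TCP SPT=45210 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Mar  3 10:16:00 fw kernel: [ 8412.331] SYSLOG DROP:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.1.72 DST=192.168.1.20 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=UDP SPT=514 DPT=514 LEN=60
"""

# After "kernel:" (and an optional printk timestamp) everything up to "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel:\s+(?:\[\s*[\d.]+\]\s+)?(?P<prefix>.*?)IN=(?P<fields>.*)$")

def parse_log_line(line):
    """Return {PREFIX, IN, OUT, MAC, SRC, DST, PROTO, SPT, DPT, ..., FLAGS} or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {"PREFIX": m.group("prefix").strip()}, set()
    for token in ("IN=" + m.group("fields")).split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value      # KEY=VALUE pairs; OUT= is legitimately empty on INPUT
        else:
            flags.add(key)           # bare tokens: DF, SYN, ACK, FIN, RST, ...
    fields["FLAGS"] = flags
    return fields

def new_connection_attempts(log_text):
    """Count TCP packets with SYN set and ACK clear (what the state match calls NEW),
    keyed by (log prefix, source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e and e.get("PROTO") == "TCP" and "SYN" in e["FLAGS"] and "ACK" not in e["FLAGS"]:
            counts[(e["PREFIX"], e["SRC"], int(e["DPT"]))] += 1
    return counts

def noisy_sources(log_text, threshold=2):
    """Sources whose total connection attempts reach the threshold, most active first."""
    per_src = Counter()
    for (_prefix, src, _dport), n in new_connection_attempts(log_text).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]

def udp_hits(log_text):
    """Distinct (SRC, DPT) pairs from UDP log lines, e.g. the syslog restriction rule firing."""
    entries = (parse_log_line(line) for line in log_text.splitlines())
    return sorted({(e["SRC"], int(e["DPT"])) for e in entries if e and e.get("PROTO") == "UDP"})
```

Feed the output of `journalctl -k` or /var/log/messages into new_connection_attempts() and the counter keys read directly as "prefix, who, which port"; the ACK-only line in the sample is deliberately excluded because it belongs to an already-established connection, which is the same distinction the state match draws between NEW and ESTABLISHED.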

FORWARDING - LAB TOPOLOGY:
   192.168.1.20 (Linux firewall, outside) <-> 10.0.0.1 (Linux firewall, inside) -> 10.0.0.50 (Windows 2003)
   Other 192.168.1.0/24 hosts: 192.168.1.10, 192.168.1.30, 192.168.1.72, 192.168.1.1 (Cisco PIX Firewall)

   192.168.1.30 (echo-request) -> 10.0.0.50, via 192.168.1.20 -> traverses the FORWARD chain of the filter table

   Change default (ACCEPT) policy of the FORWARD chain to DROP:
      /sbin/iptables -P FORWARD DROP
   Business Rule: Permit ALL 192.168.1.x hosts the ability to use Terminal Services on 10.0.0.50
      /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.50 -p tcp --dport 3389 -j ACCEPT

   Create LOGGINGFORWARD sub-chain:
      /sbin/iptables -N LOGGINGFORWARD
      /sbin/iptables -A FORWARD -s 192.168.1.0/24 -d 10.0.0.50 -p tcp --dport 3389 -j LOG

   Permit established sessions from 10.0.0.50 -> 192.168.1.0/24:
      /sbin/iptables -I FORWARD 3 -m state --state ESTABLISHED -j ACCEPT
   SYN -> SYN-ACK (once the reply is seen, conntrack considers the connection ESTABLISHED) -> ACK

   Business Rule: Allow the Windows host the ability to SSH into any Linux host on 192.168.1.0/24
      /sbin/iptables -A FORWARD -s 10.0.0.50 -d 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

Business Rule: Allow 10.0.0.0/24 Hosts the ability to use the web (80/443)

Network Address Translation (NAT)
   subnet1 (10.0.0.50) -> Linux Firewall (192.168.1.20) -> subnet2 - MASQUERADING
   Source Network Address Translation (SNAT)

   3 Default Chains in the nat table (CANNOT BE DELETED):
      1. PREROUTING -> DNAT - Destination NAT
      2. POSTROUTING -> SNAT / MASQUERADING (for dynamically assigned (DHCP) addresses)
      3. OUTPUT -> Locally-sourced packets

   Business Rule: MASQUERADE all traffic from 10.x.y.z/24 to 192.x.y.z
   Business Rule: MASQUERADE all 10.x.y.z/24 traffic & force the source-port range to 1024-10240
      /sbin/iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-10240

   Source Network Address Translation (SNAT) - used with static IPs; permits 1-to-1 and/or 1-to-many mappings
   Business Rule: SNAT all 10.x.y.z/24 traffic & force the source-port range to 1024-10240
      /sbin/iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -p tcp -j SNAT --to-source 192.168.1.20:1024-10240

   Business Rule: Bind multiple addresses to the eth0 (public/Internet) interface; also SNAT 10.x.y.z/24 traffic using 192.168.1.21
   Business Rule: Use source 192.168.1.21 when communicating with 192.168.1.10; use source 192.168.1.22 when communicating with everyone else
      /sbin/iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -d 192.168.1.10 -p tcp -j SNAT --to-source 192.168.1.21
      /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -p tcp -j SNAT --to-source 192.168.1.22
   Note: SNAT is only valid in the nat table (-t nat), and POSTROUTING is evaluated top-down, so the more specific 192.168.1.10 rule must come first.

DNAT - permits connections to unexposed hosts
   Business Rule: Publish port 3389 to the NET -> Windows box
      /sbin/iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.50

   NAT summary:
      SNAT / MASQUERADING - POSTROUTING
      DNAT - PREROUTING
      Local NAT - OUTPUT
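The NAT rules above are easier to reason about when the translation and its reversal are spelled out. The model below is an added example for these notes, not netfilter code: a Flow 5-tuple stands in for a packet, small predicate functions stand in for the -s/-d/-p/-o matches, POSTROUTING (SNAT/MASQUERADE) and PREROUTING (DNAT) are evaluated first-match like the real chains, and a conntrack-style table records each source translation so that the reply direction is mapped back. Port selection follows conntrack's habit of keeping the original source port when it is free and permitted by the range, otherwise picking a free one (the 1024-65535 fallback is a simplification of the kernel's port buckets). The rule set is the notes' own: 192.168.1.21 for traffic to 192.168.1.10, 192.168.1.22 for everyone else leaving eth0, and the 3389 DNAT to 10.0.0.50; only the forward direction of DNAT is modelled.

```python
import ipaddress
import itertools
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatTable:
    """First-match POSTROUTING (SNAT/MASQUERADE) and PREROUTING (DNAT) plus a conntrack table."""

    def __init__(self, iface_addr):
        self.iface_addr = iface_addr     # {"eth0": "192.168.1.20"}: MASQUERADE uses the egress address
        self.postrouting = []            # rules: (predicate(flow, out_iface), target, argument)
        self.prerouting = []
        self.conntrack = {}              # translated forward tuple -> original forward tuple

    def add(self, chain, predicate, target, argument=None):
        getattr(self, chain.lower()).append((predicate, target, argument))

    def _translate_source(self, flow, new_src, port_range):
        used = {(t.src, t.sport) for t in self.conntrack}
        lo, hi = port_range or (1024, 65535)
        # Keep the original source port when it is free and allowed (--to-ports / addr:lo-hi),
        # otherwise take the first free port in the range; a range with no free port is exhausted.
        preferred = [flow.sport] if port_range is None or lo <= flow.sport <= hi else []
        for port in itertools.chain(preferred, (p for p in range(lo, hi + 1) if p != flow.sport)):
            if (new_src, port) not in used:
                return replace(flow, src=new_src, sport=port)
        raise RuntimeError("no free source port for SNAT")

    def outbound(self, flow, out_iface="eth0"):
        """Forwarded packet leaving via out_iface: apply the first matching POSTROUTING rule."""
        for predicate, target, argument in self.postrouting:
            if not predicate(flow, out_iface):
                continue
            if target == "MASQUERADE":
                translated = self._translate_source(flow, self.iface_addr[out_iface], argument)
            elif target == "SNAT":
                translated = self._translate_source(flow, *argument)
            else:
                raise ValueError(f"unsupported target {target}")
            self.conntrack[translated] = flow
            return translated            # first match wins; later rules are not consulted
        return flow

    def inbound(self, flow):
        """Packet arriving from outside: replies to translated flows are un-NATed via conntrack,
        anything else is matched against PREROUTING (DNAT)."""
        for translated, original in self.conntrack.items():
            if (flow.src, flow.sport, flow.dst, flow.dport) == (
                    translated.dst, translated.dport, translated.src, translated.sport):
                return Flow(flow.proto, original.dst, original.dport, original.src, original.sport)
        for predicate, target, argument in self.prerouting:
            if predicate(flow, None) and target == "DNAT":
                new_dst, new_port = argument
                return replace(flow, dst=new_dst, dport=new_port or flow.dport)
        return flow

INSIDE = ipaddress.ip_network("10.0.0.0/24")

def from_inside(flow, _out_iface):
    """Stands in for "-s 10.0.0.0/24 -p tcp"."""
    return flow.proto == "tcp" and ipaddress.ip_address(flow.src) in INSIDE

def build_notes_nat():
    """The notes' nat rules in the order they are listed."""
    nat = NatTable({"eth0": "192.168.1.20"})
    # -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -d 192.168.1.10 -p tcp -j SNAT --to-source 192.168.1.21
    nat.add("POSTROUTING", lambda f, oif: from_inside(f, oif) and f.dst == "192.168.1.10",
            "SNAT", ("192.168.1.21", None))
    # -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -p tcp -j SNAT --to-source 192.168.1.22
    nat.add("POSTROUTING", lambda f, oif: from_inside(f, oif) and oif == "eth0",
            "SNAT", ("192.168.1.22", None))
    # -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.50
    nat.add("PREROUTING", lambda f, _oif: f.proto == "tcp" and f.dport == 3389,
            "DNAT", ("10.0.0.50", None))
    return nat
```

Running two inside hosts that both use source port 40000 through build_notes_nat() shows the point of the conntrack table: the first keeps 192.168.1.22:40000, the second is moved to 192.168.1.22:1024, and a reply addressed to 192.168.1.22:1024 is mapped back to 10.0.0.51:40000 while a new connection to 192.168.1.20:3389 is redirected to 10.0.0.50 by the DNAT rule. A MASQUERADE rule with the notes' --to-ports 1024-10240 range forces even a free source port of 40000 down into that range.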

NETMAP TARGET: nat table - PREROUTING chain
   subnet1 (10.0.0.0/24) -> Linux/Netfilter Firewall -> subnet2 (192.168.1.0/24) -> NET
   Win2k3 = .50
   2**8 = 256 - 2 (subnet/broadcast) = 254 usable addresses (1-254)
   Business Rule: present all 10.0.0.0/24 hosts as the equivalent 192.168.1.0/24 addresses (10.0.0.x -> 192.168.1.x)
      /sbin/iptables -t nat -A PREROUTING -s 10.0.0.0/24 -j NETMAP --to 192.168.1.0/24
   Note: NETMAP rewrites the destination address in PREROUTING/OUTPUT and the source address in POSTROUTING, so a source mapping like the one above takes effect when placed in POSTROUTING.
   Private address ranges: 10.0.0.0, 172.16-31.0.0/16

DMZ EXAMPLE:
   subnet1 (Internal) 10.0.0.0/24
   subnet3 192.168.1.0/24 -> Gateway
   subnet2 (DMZ1) 172.16.75.0/24; Host -> 172.16.75.2

   Business Rule: NAT 172.16.75.2 (22/80) -> 192.168.1.200
   Note: This requires 2 DNAT entries
      /sbin/iptables -t nat -A PREROUTING -d 192.168.1.202 -p tcp --dport 22 -j DNAT --to-destination 172.16.75.2
      /sbin/iptables -t nat -A PREROUTING -d 192.168.1.202 -p tcp --dport 80 -j DNAT --to-destination 172.16.75.2
   Note: This is AKA Port Address Translation (PAT)
   Configure split DNS or 2 DNS systems (inside/outside)

   Business R
   Business Rule: Deny access to the DMZ from Internet (192.168.1.0/24) hosts
   Note: Need to filter in the filter table - FORWARD chain
      /sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
      /sbin/iptables -P FORWARD DROP
      /sbin/iptables -A FORWARD -s 172.16.75.0/24 -m state --state ESTABLISHED -j ACCEPT
   Note: This rule-set restricts DMZ-based hosts from sourcing traffic.

DOUBLE DMZ (Tier1/Tier2 implementations):
   subnet1 (Internal) 10.0.0.0/24
   subnet3 192.168.1.0/24 -> Gateway
   subnet2 (DMZ1) 172.16.75.0/24 (Web Tier); Host -> 172.16.75.2
   subnet4 (DMZ2) 172.17.76.0/24 (Middleware Tier)

   Tier1 (Presentation (WWW)) / Tier2 (Middleware) / Tier3 (RDBMS)

   Business Rule: Permit ONLY subnet2 (DMZ1) to talk to subnet4 (DMZ2)
   Business Rule: Permit subnet4 (DMZ2) to source connections to the DBMS
      /sbin/iptables -A FORWARD -s 172.17.76.0/24 -d 10.0.0.0/24 -p tcp --dport 1433 -j ACCEPT

   NET -> Tier1 (WWW) -> Tier2 (Middleware) -> Tier3 (RDBMS)