
Linux Firewall

For the Office and Home

Nov 17, 2001 Matthew Tam, CISSP

Today's Agenda
- Introduction
- TCP/IP Recap
- Firewall Basics
- ipchains, iptables (Netfilter)
- Implementation for home use
- Implementation for business use
- Firewall Management
- Demo

Introduction
Why do we need a firewall?
- Increased network security
- Access control (network/transport level)
- Logging

Why Linux?
- It's FREE
- Not difficult to use!?
- Low hardware cost
- Flexible
- Lots of features compared with its commercial counterparts
- Lots of support!?
- Always evolving and improving (thanks to the open source community)

TCP/IP Recap: General Info
- Essentials for configuring a firewall
- A suite of network protocols that runs on the Internet
- Layered concept: lower layers provide the means of communication for the upper layers
- Key terms: TCP, UDP, IP, ICMP

TCP/IP Recap: Layered Concept
[Diagram: applications (http, ftp, dns, telnet, netbios) sit on ports; TCP and UDP sit on IP (src, dst addresses) with ICMP beside them; IP sits on the device drivers (eth0, eth1).]

TCP/IP Recap: Layered Communication
[Diagram: client and server stacks (Application, TCP/UDP, IP, Device Driver); each layer on the client talks to its peer layer on the server.]

TCP/IP Recap: Layered Concept (with examples)
[Diagram: http on TCP port 80, ftp on TCP ports 20 and 21, netbios-ns on UDP port 137, dns on UDP port 53; IP addresses 192.168.0.166 and 202.252.123.1; interfaces eth0 and eth1.]

TCP/IP Recap: TCP 3-way Handshake
Client (active open)                        Server (passive open)
  SYN (1000)                       ->
                                   <-       SYN (2000), ACK (1001)
  ACK (2001)                       ->       connection established
  ACK, [DATA]                      <->      connection established, data flows
  FIN (1500), ACK (2300)           ->       client close
                                   <-       ACK (1501)
                                   <-       FIN (2400), ACK (1501)
  ACK (2401)                       ->       server close

TCP/IP Recap: TCP, UDP, IP, ICMP
- TCP: stateful communication (session, reliable)
- UDP: stateless communication (no session, less reliable, fast)
- IP: addressing, routing (best effort)
- ICMP: diagnostic (dangerous?)

Firewall Basics: What is a Firewall?
In simple terms, a firewall is a device filtering network traffic between 2 (or more) networks.
[Diagram: Network A -- Firewall -- Network B]

Firewall Basics: What is NOT a Firewall?
A firewall is NOT:
- The only thing for security
  - It does not solve the other aspects of infosec (e.g. humans, insiders, mis-configuration)
  - You still have to let traffic in and out
- Something you install and leave
  - You need to manage it for the ever-changing network environment
  - You need to monitor it
- 100% safe
  - Any software has bugs and vulnerabilities, and so does any firewall

Firewall Basics: Different Types of Firewalls
A firewall can be in the form of:
- Packet-filtering gateway (today's focus)
- Application gateway (http proxy, socks server)

Firewall Basics: How does it work?
Packet filter:
- Inspects packets as they traverse the firewall
- Checks src-addr, dst-addr, src-port, dst-port, flags, session #
- Performs an action (accept, drop) based on a rule (defined by you)
[Diagram: each packet is either Accepted or Dropped]

ipchains: What is it?
- A loadable kernel module that performs packet filtering
- Comes with most Linux distributions
- Concept of chains: input, output, and forward
- Command or script (up to you)
- No port-forward; for port-forwarding, use it with ipmasqadm portfw

iptables (a.k.a. Netfilter): What is it?
- Also a loadable kernel module
- Since kernel 2.4.x
- Comes with recent distributions
- Everything of ipchains plus:
  - Stateful inspection
  - Port forwarding (for servers behind the firewall)
  - More customized logging
  - Improved matching (rate, string matching)
- More features = more difficult to use

ipchains or iptables: Before we begin
- Make sure the Linux O/S is hardened (not covered here)
- Apply the latest patches from the distribution you selected
- Use the most recent version of ipchains or iptables

ipchains: Basic Usage I
Command syntax:
    ipchains -A|-I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j [action] [-l]
Useful options:
- ! means NOT
- -l means log to syslog
- -y means SYN set & ACK clear -> connection initiation
- ! -y means ACK set -> response to an initiation, i.e. an established connection


ipchains: The basic concept
Control the input, output, and forward behavior of the interfaces.
[Diagram: a packet arrives through the input chain of eth0 or eth1, passes the forward chain, and leaves through the output chain of the other interface.]

ipchains: Using Script
- Put the script in /etc/rc.d/rc.firewall (just as if you typed it on the command line)
- In some distributions, a file is put in /etc/sysconfig/firewall (note: the syntax is not exactly the same as the command line)
- It runs when the firewall boots
- Good practices:
  - Only enable IP forwarding inside the script and after all the rules are defined (i.e. at the very end)
  - Run the script before the interfaces go up
  - Make sure the script is owned by root and has mode 700

ipchains Tips: Writing Script
- Use DENY as the default chain policy (-P):
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
- Remember to allow localhost traffic
- Use variables to assist you:
    LOCALNET_1="10.0.0.0/24"
    LOCAL_INTERFACE_1="eth1"
    ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT

ipchains Tips: REJECT vs. DENY
- Two choices when blocking a packet: REJECT or DENY
- If REJECT, an ICMP port unreachable is sent back to the src-addr
- If DENY, the packet is just dropped

Implementation Tips:
- Use common Linux distributions
- PC with >1 NIC card, hard disk for the O/S
- Install and harden the O/S
- Load the module (usually already loaded in a default installation)
- Run the script

Some unique Linux distributions:
- PC without hard disk (use RAM as disk): Floppyfw, LEAF, Trinux (hardened)
- Store your script on floppy or cdrom

Implementation for Home: Typical Setup
[Diagram: 1 or more PCs -- Firewall -- cable, ADSL, or dial-up modem -- Internet]
Aim:
- Masquerade all outgoing traffic
- Allow all outgoing traffic
- Filter incoming traffic

Home use: firewall-config
- Use a GUI to help you
- Based on ipchains
- In most distributions

Home use: firestarter
- Use a GUI to help you
- Rpm package available
- Based on iptables
- Wizard

Home Use: Cable vs. ADSL modem
Cable connection:
- Uses standard DHCP for the external interface; straightforward
- Set up the LAN interfaces using linuxconf or /etc/sysconfig/network-script/ifcfg-eth0
- pump or dhcpcd: pump has to be fixed by initscripts6.22-1 or the IP address will disappear after the DHCP leasing period
- Choose pump or dhcpcd in the script /etc/sysconfig/network-script/ifup

ADSL connection:
- NOT standard DHCP for the external interface; usually PPP over Ethernet (PPPoE)
- Use the package rp-pppoe to assist you: http://www.roaringpenguin.com/pppoe/
- Most ADSL connections require a user account; configure the account in /etc/ppp/pppoe.conf
- When filtering, refer to ppp0 rather than eth0
- Step-by-step guide for rp-pppoe at http://www.roaringpenguin.com/pppoe/how-toconnect.txt

Home Use: Step-by-Step Setup - Step 1
Lay down some essential variables.
Internet connected interface:
    If cable: EXTERNAL_INTERFACE="eth0"
    If ADSL:  EXTERNAL_INTERFACE="ppp0"
Loopback interface:
    LOOPBACK_INTERFACE="lo"
Internal interface:
    LOCAL_INTERFACE_1="eth1"
Local network address:
    LOCALNET_1="10.0.0.0/24"

Home Use: Step-by-Step Setup - Step 2
Flush any chain that is running:
    ipchains -F
Apply the default filter:
    ipchains -P forward DENY
    ipchains -P input DENY
Masquerade all outgoing traffic:
    ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
Allow all traffic for the internal and loopback interfaces:
    ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Home Use: Step-by-Step Setup - Step 3
Filter incoming traffic towards the external interface. This is done by the default chain policy:
    ipchains -P input DENY
But that disallows all input, so we need to allow TCP high-port traffic that is NOT a connection initiation (SYN bit not set!):
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT

What is ! -y ???
[The 3-way handshake again, now with "Anyone" on the Internet as the client and "Your firewall" as the server:]
Anyone (active open)                        Your firewall (passive open)
  SYN (1000)                       ->       the only packet with SYN set and ACK clear
                                   <-       SYN (2000), ACK (1001)
  ACK (2001)                       ->       connection established
  ACK, [DATA]                      <->      data exchange
  FIN (1500), ACK (2300)           ->       client close
                                   <-       ACK (1501)
                                   <-       FIN (2400), ACK (1501)
  ACK (2401)                       ->       server close
Only that first SYN opens a connection; every later packet carries ACK. So ! -y matches the replies to connections your side opened, but not an attempt by Anyone to open a new one.

Home Use: Step-by-Step Setup - Step 4
Some ports that you have to open:
DNS replies:
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT
FTP data:
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT
ICMP replies:
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT

Home Use: Step-by-Step Setup - Final Step
Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward
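The home setup above (Steps 1 to 4 and the final step) gathered into one rc.firewall script, as an added example rather than the author's own script. It assumes a cable link on eth0 (set EXTERNAL_INTERFACE=ppp0 for ADSL), leaves out the FTP data rule, and adds a final logged DENY rule; IPCHAINS=echo and IP_FORWARD are assumed knobs for previewing the rules without loading them.

```shell
#!/bin/sh
# Added example: the home setup (Steps 1-4 and the final step) as one
# rc.firewall script; it is not the author's script. Assumes a cable
# link on eth0 (set EXTERNAL_INTERFACE=ppp0 for ADSL). IPCHAINS=echo
# prints the rules instead of loading them; IP_FORWARD can point at a
# scratch file for the same dry run.
IPCHAINS="${IPCHAINS:-ipchains}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
LOCALNET_1="10.0.0.0/24"

home_firewall() {
    ext=$EXTERNAL_INTERFACE
    # Step 2: start clean, deny by default, masquerade the LAN,
    # trust the loopback and LAN interfaces completely.
    "$IPCHAINS" -F
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -A forward -s "$LOCALNET_1" -j MASQ -i "$ext"
    for ifc in "$LOCAL_INTERFACE_1" "$LOOPBACK_INTERFACE"; do
        "$IPCHAINS" -A input  -i "$ifc" -j ACCEPT
        "$IPCHAINS" -A output -i "$ifc" -j ACCEPT
    done
    # Step 3: from the Internet accept only TCP that is NOT a connection
    # initiation (! -y = SYN clear) and is aimed at an unprivileged port.
    "$IPCHAINS" -A input -i "$ext" -p tcp ! -y --destination-port 1024:65535 -j ACCEPT
    # Step 4: DNS replies, and the ICMP replies that ping and traceroute need.
    "$IPCHAINS" -A input -i "$ext" -p tcp ! -y --source-port 53 -j ACCEPT
    "$IPCHAINS" -A input -i "$ext" -p udp --source-port 53 -j ACCEPT
    for t in echo-reply destination-unreachable time-exceeded; do
        "$IPCHAINS" -A input -i "$ext" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Not on the slides: a final DENY with -l so that what the policy drops
    # shows up in /var/log/messages for the troubleshooting step.
    "$IPCHAINS" -A input -i "$ext" -j DENY -l
    # Final step: enable forwarding only after every rule is loaded.
    echo 1 > "$IP_FORWARD"
}

# Run as "sh rc.firewall start" (or "IPCHAINS=echo sh rc.firewall start" to preview).
case "${1:-}" in start) home_firewall ;; esac
```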

Office Use
- Don't rely on a GUI: a GUI may not be flexible enough for you
- Commands give you more control
- Learn it (you or your net admin staff)
- Put together a firewall script

Implementation for Office: Typical Setup 1
[Diagram: Internal LAN -- Firewall -- router -- Internet, with a DMZ (servers) on a third firewall interface]
Aim:
- Masquerade all outgoing traffic
- Filter both incoming and outgoing traffic
- Port forward incoming traffic for your servers

Implementation for Office: Typical Setup 2
[Diagram: Internal LAN 1 -- Firewall -- Internal LAN 2]
Aim: filter traffic between the two networks

Office Use: Step-by-Step Setup - Step 1
Lay down some essential variables.
Internet connected interface:
    EXTERNAL_INTERFACE="eth0"
Loopback interface:
    LOOPBACK_INTERFACE="lo"
Internal interfaces:
    LOCAL_INTERFACE_1="eth1"
    LOCAL_INTERFACE_2="eth2"
Network addresses and servers:
    LOCALNET_1="10.0.0.0/24"
    MAIL_SERVER="a.a.a.a"
    WEB_SERVER="b.b.b.b"
(The rules in Steps 3 and 4 also use $ANYWHERE and $EXTERNAL_WEB_IP, which these slides never define: ipchains accepts 0.0.0.0/0 for "anywhere", and EXTERNAL_WEB_IP is the public address the web server is reached on.)

Office Use: Step-by-Step Setup - Step 2
Flush any chain that is running:
    ipchains -F
Apply the default filter:
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
Masquerade all outgoing traffic:
    ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
Allow all traffic for the loopback interface:
    ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Step 3
Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE based on EACH service you allow. Example, http and dns service (the rules for the reply direction match on the source port of the reply):
    ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -p udp --source-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -p udp --source-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Step 4
Port forwarding to your servers (needs ipmasqadm). Example, web server:
    ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80
    ipchains -A input -s $ANYWHERE -d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -p tcp --destination-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
    ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
    ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Final Step
Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward
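The per-service pattern of office Step 3, generalized into a shell helper (an added example, not the author's script): allow_client_service, office_step3 and the IPCHAINS=echo dry-run switch are assumed names. The reply-direction rules match the reply's source port and carry ! -y for TCP, as the home setup does.

```shell
#!/bin/sh
# Added helper, not from the slides: emits the four ipchains rules that let
# clients on a LAN interface use one TCP or UDP service on the Internet, the
# pattern Step 3 writes out by hand for http and dns. Request rules match the
# destination port; reply rules match the reply's source port and, for TCP,
# carry "! -y" so no packet arriving from outside can open a connection.
# Addresses are checked only on the LAN side: on the external side
# masquerading rewrites them, so those rules match interface, protocol and port.
# IPCHAINS=echo prints the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"

# usage: allow_client_service LAN_IF EXT_IF LAN_NET tcp|udp PORT
allow_client_service() {
    lan_if=$1; ext_if=$2; lan_net=$3; proto=$4; port=$5
    case "$proto" in
        tcp) reply_flag="! -y" ;;   # accept only non-SYN packets back in
        udp) reply_flag="" ;;       # UDP has no handshake flags to check
        *)   echo "allow_client_service: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Request: LAN host -> firewall (input, LAN side), firewall -> Internet (output, ext side)
    "$IPCHAINS" -A input  -i "$lan_if" -s "$lan_net" -p "$proto" \
        --destination-port "$port" -j ACCEPT
    "$IPCHAINS" -A output -i "$ext_if" -p "$proto" \
        --destination-port "$port" -j ACCEPT
    # Reply: Internet -> firewall (input, ext side), firewall -> LAN host (output, LAN side)
    # $reply_flag is left unquoted on purpose so "! -y" becomes two arguments.
    "$IPCHAINS" -A input  -i "$ext_if" -p "$proto" $reply_flag \
        --source-port "$port" -j ACCEPT
    "$IPCHAINS" -A output -i "$lan_if" -d "$lan_net" -p "$proto" $reply_flag \
        --source-port "$port" -j ACCEPT
}

# Office Step 3 rewritten with the helper (eth1 = LAN, eth0 = Internet):
office_step3() {
    allow_client_service eth1 eth0 10.0.0.0/24 tcp 80 &&
    allow_client_service eth1 eth0 10.0.0.0/24 udp 53
}
```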

Troubleshooting Tips
- Don't panic when it doesn't work
- Use -l (logging) to help you; the logs go to syslog, location: /var/log/messages
- Use this command to view traffic as it passes along:
    # tail -f /var/log/messages
- You can also use tcpdump or snoop to help you
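An added example of reading the -l log lines the troubleshooting step points at (not from the slides): a shell/awk summarizer over constructed lines in the kernel's "Packet log:" format; fwlog_summary, syn_scan_sources and the FWLOG sample are assumed names, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the slides): a small log summarizer for the lines
# ipchains -l writes to /var/log/messages. The sample below is constructed
# in the kernel's "Packet log:" format; the addresses are documentation
# ranges, not real hosts. A denied packet with SYN is a blocked attempt to
# open a TCP connection, so counting those per source, and the number of
# distinct ports each source tried, shows who is probing the firewall.
FWLOG=$(cat <<'EOF'
Nov 17 10:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4455 198.51.100.2:23 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#9)
Nov 17 10:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4456 198.51.100.2:139 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#9)
Nov 17 10:01:05 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:1900 198.51.100.2:1900 L=129 S=0x00 I=0 F=0x0000 T=110 (#9)
Nov 17 10:01:09 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4457 198.51.100.2:80 L=60 S=0x00 I=0 F=0x4000 T=48 SYN (#9)
Nov 17 10:02:00 fw kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.5:0 198.51.100.2:0 L=84 S=0x00 I=21 F=0x0000 T=54 (#6)
Nov 17 10:02:31 fw kernel: Packet log: forward DENY eth1 PROTO=6 10.0.0.15:1032 192.0.2.20:25 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
EOF
)

# Reads syslog text on stdin; prints "chain source denied_syns distinct_ports",
# busiest source first. Fields are located relative to the "log:" token so the
# syslog prefix (date, host) does not matter.
fwlog_summary() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i == "log:") break
          if (i > NF || $(i+2) != "DENY") next
          syn = 0
          for (j = i + 7; j <= NF; j++) if ($j == "SYN") syn = 1
          if (!syn) next
          chain = $(i+1); split($(i+5), src, ":"); split($(i+6), dst, ":")
          key = chain SUBSEP src[1]
          denied[key]++
          if (!((key, dst[2]) in seen)) { seen[key, dst[2]] = 1; ports[key]++ }
        }
        END { for (k in denied) { split(k, p, SUBSEP); print p[1], p[2], denied[k], ports[k] } }
    ' | sort -k3,3nr
}

# Sources whose inbound (input chain) SYNs were denied on at least $1 distinct ports.
syn_scan_sources() {
    fwlog_summary | awk -v min="$1" '$1 == "input" && $4 >= min { print $2 }'
}

# Usage: printf '%s\n' "$FWLOG" | fwlog_summary   (or: fwlog_summary < /var/log/messages)
```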

Firewall Management: Building Rules
- gfcc: for ipchains; provides good rules management

Firewall Management: View Current MASQ sessions
- gfcc: view the current masquerading sessions

Firewall Management: Build your rules online!
- http://www.linux-firewalltools.com/linux/firewall/index.html

Firewall Management: Viewing Logs
- Firestarter: real-time hitlist showing the blocked traffic

Firewall Management: Log Analyzer
- fwlogwatch: http://cert.unistuttgart.de/projects/fwlogwatch/
  - Generates html reports
  - Real-time reporting
  - Needs some customization work

Firewall Management: What's missing?
- Enterprise-level rules building for multiple firewalls; use:
  - scp (secure copy)
  - X-window (needs proper access control)
- Log management; use:
  - Various syslog tools

Good References: Books
- TCP/IP Illustrated (all-time classic), by W. Richard Stevens
- Firewalls and Internet Security (all-time classic), by William R. Cheswick, Steven M. Bellovin
- Linux Firewalls, by Robert L. Ziegler

Good References: Sites
- SANS: Choosing a firewall: http://www.sans.org/infosecFAQ/firewall/best.htm
- Robert L. Ziegler's site: http://www.linux-firewalltools.com/linux/firewall/index.html
- ipchains HOWTO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
- Netfilter project and iptables HOWTO: http://netfilter.samba.org/ and http://netfilter.samba.org/unreliable-guides/packetfiltering-HOWTO/index.html
- Robert Graham, analyzing firewall logs: http://www.robertgraham.com/pubs/firewall-seen.html

END of Linux Firewall: For the Office and Home

Thank You!
Email: matthew.tam@pisa.org.hk