Packet Filtering Dick Steflik
Stateless Packet Filters A border router configured to pass or reject packets based on information in the header of each individual packet can theoretically be configured to pass/reject based on any field but usually done based on: protocol type IP address TCP/UDP port Fragment number Source routing information
Protocol Filtering Filtering based on the IP protocol field allows rejecting of entire protocol suites UDP TCP ICMP IGMP This is almost too general ex suppose you block UDP then any TCP based application won’t be able to convert host/domain to IP address so it is seldom used.
IP Address Filtering Pass/reject packets based on membership in a set of acceptable IP addresses Usually not used to block specific hosts oscar is frequently blocked so corporate users can use AIM same for some disk backup services Usually block source routed packets big security hole (explained later) If a hacker knows an address that the filter will pass they can easily forge a packet that will pass through the filter
Port Filtering Most commonly used filtering method can also be thought of as protocol filtering as most ports below 1024 relate to specific high level protocols pass all but those specified reject all but those specified Important ports/protocol to block: telent NetBIOS POP NFS X Windows Windows Terminal Services pcAnywhere and VNC
Source Route Filtering Source routed packed should never be allowed into your network Source routing was added to IP to accommodate debugging Allows you to specify the path a packet will take through your network Strict Source Routing Specifies the exact path to be taken Loose Source Routing Indicates one or more hosts the packet must go through A hacker can plug in their own address and force packets to travel through a machine that they can sniff
Loose Source Routing A packet is given a list of hops to be taken Each packet carries same source address, destination is whatever the next IP in the hop path is; the hop path is in the IP Option field. 131 is the type for Loose Source Routing Length – total length of the option Offset – byte offset to next IP to hop to IP Option field 1 byte 1 byte 1byte 4 bytes 4 bytes Type Length offset IP 1 IP2 ……… 131
Loose Source Routed Example For example, if a packet was generated from 10.1.1.1, with a final destination of 172.16.1.1 via a hop to 192.168.1.1, the intial packet would have a source of 10.1.1.1, a dest of 192.168.1.1, and an IP option with a length of 7, an offset of 4, and the IP address starting at byte 4 of 172.16.1.1. If 192.168.1.1 forwards LSR packets, it would re-emit the packet with a source of 10.1.1.1, dest of 172.16.1.1, offset of 8, and the IP address at offset 4 of 192.168.1.1. 10.1.1.1 192.168.1.1 172.16.1.1 Initial source=10.1.1.1 dest. = 192.168.1.1 IP Option 131,7,4,172.16.1.1 Initial source=10.1.1.1 dest. = 172.16.1.1 IP Option 131,8,4,192.168.1.1 Problem with loose source routing is that some stacks will reverse the source route when responding to a source routed packet, this would make it trivial for a hacker to spoof a packet coming from a trusted source and insert their own address in the source route. The hacker can then sniff on it; the unsuspecting victim would then send return traffic to the spoofed source but LSR it through the attacker
Fragmentation Filtering Fragmentation was added to IP to facilitate passing through a network that only supports small packet sizes Any router in the path can break a large packet up into smaller pieces problem is that the port number is only in the first fragment meaning that filtering on TCP or UDP is lost
Problems with Stateless Filters Effectiveness of stateless filters is limited due to: They cannot check the payload of the packets service related filtering can only be done by application level proxies They do not retain the state of the connections
Stateful Packet Filtering Record the state of all connections flowing through the firewall and use the connection state as the basis for dropping packets create an in memory state table for the state of all Network and session layers pass only packets relating to allowed (configured) ports that are currently in the state table. Drop entries when the TCP close session happens or after a few minutes, this insures that the table stays “clean” and without holes in in it Newer Firewalls all provide Stateful packet filtering some also provide higher level protocol proxying
Hacking Through Packet Filters The following exploits are common: TCP can only be filtered in the 0th fragment setting the fragment number to 1 the packet will usually passe through the packet filter Older packet filters only filter ports below 1024 used to be that only HTTP used higher numbered ports for passing data back to web browsers, many new applications use ports above 1024 for normal communication Public services must be forwarded services like the updating of web pages via Netscape Composer must be controlled (possibly bt IP address) to limit public access Trojan horses can defeat packet filters using NAT
Best Practices Use a proxy Use Stateful Packet Filters physically breaks the network path Use Stateful Packet Filters can’t be bypassed like stateless filters Disable all Ports by Default enable only what is absolutely needed if a Trojan Horse get in it will most likely set up a server that the hacker can then attach to, it the port is blocked, this can’t happen Secure the Base Operating System (Hardening) apply all patches provided by vendor check the vendor web site frequently always use a hardened protocol stack
IP Chains Stateless packet filter optionally built into the Linux kernel will pass or deny packets based on a rule set applied against IP header fields used in v 2.2 kernels, replaced by IPTables in 2.4 kernels
IPChains Flow lo interface IP Packet checksum sanity Input Chain Route Decision Forward Chain Output Chain ACCEPT Local DENY DENY DENY Demasquerade
IPChains Commands Command Description -A Add rule to chain -D Delete rule from chain -I Insert rule -R Replace rule -F Flush all rules -L List all rules -N Create new chain -X Delete user defined chain -P Set default targe
IPChains Command Options Command Option Description -s Source address of packet -d Destination address of packet -i Interface packet is arriving from -p Protocol -j Target to send packet to -y For -p tcp. Packet is SYN packet. --icmp-type For -p icmp. -l Log the packet to syslog. /var/log/messages Available in Red Hat 6.0+ kernel
IPChains Targets System targets Description (policy) ACCEPT Let packet through DENY Deny packet REJECT Deny packet and notify sender MASQ Forward chain masquerade REDIRECT Send to different port RETURN Handled by default targets
IPChains- Chain Types IP input chain IP output chain IP forwarding chain User defined chains (just give it a new name instead of the built-in names: input, output or forward)
IPChains Example # Flush Rules ipchains -F forward ipchains -F output ipchains -F input # Set default to deny all ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # Add Rules # Accept packets from itself (localhost) (s)ource to itself (d)estination # Keeps system logging, X-Windows or any socket based service working. ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo # Deny and log (option -l) spoofed packets from external network (eth0) which mimic internal IP addresses ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l # Accept requests/responses from/to your own firewall machine ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0 ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0 # Allow outgoing packets source (s) to destination (d) ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1 # Deny and log (option -l) outside packets from internet which claim to be from your loopback interface ipchains -A input -j REJECT -p all -s localhost -i eth0 -l ipchains -A forward -s 192.168.10.0/24 -j MASQ ipchains -A forward -i eth1 -j MASQ # Enable packet forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
IPTables Commands -A , --append Append rule to chain -D , --delete Delete rule from chain -I , --insert Insert rule at beginning or at specified sequence number in chain. -R , --replace Replace rule -F , --flush Flush all rules -Z , --zero Zero byte counters in all chains -L , --list List all rules. Add option --line-numbers for rule number. -N , --new-chain Create new chain -X , --delete-chain Delete user defined chain -P , --policy Set default policy for a chain -E , --rename-chain Rename a chain
IPTables Command Options -s , --source Source address of packet -d , --destination Destination address of packet -I , --in-interface Interface packet is arriving from -o , --out-interface Interface packet is going to -p , --protocol Protocol: *tcp --sport port[:port] --dport port[:port] --syn *udp *icmp *mac -j , --jump Target to send packet to -f , --fragment Fragment matching -c , --set-counters Set packet/byte counter -m tcp , --match tcp *--source-port port[:port] (port # or range #:#) *--destination-port port[:port] *--tcp-flags -m state , --match state --state *ESTABLISHED *RELATED *NEW *INVALID (Push content, not expected to recieve this packet.)
IPTables Defined Policies Defined Policies Description ACCEPT Let packet through DROP Deny packet with no reply REJECT Deny packet and notify sender RETURN Handled by default targets MARK Used for error response. Use with option --reject-with type MASQUERADE Used with nat table and DHCP. LOG Log to file and specify message: °--log-level # °--log-prefix "prefix" °--log-tcp-sequence °--log-tcp-options °--log-ip-options ULOG Log to file and specify userpace logging messages SNAT Valid in PREROUTING chain. Used by nat. REDIRECT Used with nat table. Output. DNAT Valid in POSTROUTING chain. Output. QUEUE Pass packet to userspace.
IPTables Example Simple firewall for the desktop Linux system: iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT Allow network connections which have already been established (started by host) and related to your connection. FTP requires this as it may use various ports in support of the file transfer.) Allow network input/output from self (lo).
…more # Allow loopback access. This rule must come before the rules denying port access!! iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopback iptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X-Windows iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block X-Windows font server iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS iptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny packets which claim to be from your loopback interface.