CSC 660: Advanced Operating SystemsSlide #1 CSC 660: Advanced OS Netfilter.

Slides:



Advertisements
Similar presentations
Access Control List (ACL)
Advertisements

The Journey of a Packet Through the Linux Network Stack
Chapter 9: Access Control Lists
IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems
Linux Netfilter Code Trace Part1: Iptable 周世中嚴長青.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Netfilter in Linux Bing Qi Department of Computer Science and Engineering Auburn university.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Firewalls.
07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Packet Filtering and Firewall
Chapter 6: Packet Filtering
Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache.
Access Control List ACL. Access Control List ACL.
Windows 7 Firewall.
Firewalls A device that screens incoming and outgoing network traffic and allows or disallows traffic based on a set of rules The “device” –Needs at least.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Access Control List (ACL)
CSC 382: Computer SecuritySlide #1 Firewalls. CSC 382: Computer SecuritySlide #2 Firewalls 1.What is a firewall? 2.Types of Firewalls 3.Packet Filtering.
Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.
IPtables Objectives Contents Practicals Summary
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Firewall Tutorial Hyukjae Jang Nc lab, CS dept, Kaist.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists.
CSN09101 Networked Services Week 6 : Firewalls + Security Module Leader: Dr Gordon Russell Lecturers: G. Russell.
An initial study on Multi Path Routing Over Multiple Devices in Linux 2.4.x kernel Towards CS522 term project By Syama Sundar Kosuri.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
1 Firewalls. ECE Internetwork Security 2 Overview Background General Firewall setup Iptables Introduction Iptables commands “Limit” Function Explanation.
Firewalls Group 11Group 12 Bryan Chapman Richard Dillard Rohan Bansal Huang Chen Peijie Shen.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Firewall C. Edward Chow CS691 – Chapter 26.3 of Matt Bishop Linux Iptables Tutorial by Oskar Andreasson.
Slide #1 CIT 380: Securing Computer Systems TCP/IP.
Introduction to Linux Firewall
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
Firewalls Chien-Chung Shen The Need for Firewalls Internet connectivity is essential –however it creates a threat (from the network) vs.
LINUX® Netfilter The Linux Firewall Engine. Overview LINUX® Netfilter is a firewall engine built into the Linux kernel Sometimes called “iptables” for.
1 CNLab/University of Ulsan Chapter 19 Firewalls  Packet Filtering Firewall  Application Gateway Firewall  Firewall Architecture.
Lecture 3: Stateless Packet Filtering. 2 Agenda 1 1 Linux file system - networking sk_buff 2 2 Stateless packet filtering 3 3 About next assignment 4.
Netfilter Framework Jimit Mahadevia Nishit Shah This work is licensed under a Creative Commons Attribution-Share.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Firewalls. A Firewall is: a) Device that interconnects two networks b) Network device that regulates the access to an internal network c) Program that.
Zero-copy Receive Path in Virtio
FIREWALL configuration in linux
Packet Filtering Dick Steflik.
CIT 480: Securing Computer Systems
Chapter 4: Access Control Lists (ACLs)
* Essential Network Security Book Slides.
Setting Up Firewall using Netfilter and Iptables
Firewalls By conventional definition, a firewall is a partition made
دیواره ی آتش.
Firewalls.
Session 20 INST 346 Technologies, Infrastructure and Architecture
Firewalls.
Presentation transcript:

CSC 660: Advanced Operating SystemsSlide #1 CSC 660: Advanced OS Netfilter

CSC 660: Advanced Operating SystemsSlide #2 Topics 1.What is a firewall? 2.Packet Filtering with iptables 3.Netfilter Architecture 4.Packet Data Structures 5.Netfilter Data Structures 6.Writing a Netfilter extension

CSC 660: Advanced Operating SystemsSlide #3 What is a Firewall? A software or hardware component that restricts network communication between two computers or networks In buildings, a firewall is a fireproof wall that restricts the spread of a fire –Network firewall prevents threats from spreading from one network to another

CSC 660: Advanced Operating SystemsSlide #4 What is a Firewall? (2) A mechanism to enforce security policy –Choke point that traffic has to flow through –ACLs on a host/network level Policy Decisions: –What traffic should be allowed into network? Integrity: protect integrity of internal systems Availability: protection from DOS attacks –What traffic should be allowed out of network? Confidentiality: protection from data leakage

CSC 660: Advanced Operating SystemsSlide #5 Packet Filtering Forward or drop packets based on TCP/IP header information, most often: –IP source and destination addresses –Protocol (ICMP, TCP, or UDP) –TCP/UDP source and destination ports –TCP Flags, especially SYN and ACK –ICMP message type Dual-homed hosts also make decisions based on: –Network interface the packet arrived on –Network interface the packet will depart on

CSC 660: Advanced Operating SystemsSlide #6 iptables Linux packet filtering system –iptables is user command to configure –netfilter is internal kernel architecture Features –Packet filtering –Connection tracking –Network Address Translation

CSC 660: Advanced Operating SystemsSlide #7 Tables Each table is a named array of rules. Within a table, rules are organized into chains. Tables: –Filter Packet filtering (no alterations), default table. Hooks: LOCAL_IN, LOCAL_OUT, FORWARD –NAT Network address translation. Hooks: LOCAL_OUT, PREROUTING, POSTROUTING –Mangle Flexible packet alterations. Hooks: LOCAL_OUT, PREROUTING

CSC 660: Advanced Operating SystemsSlide #8 iptables iptables [-t table] cmd [matches] [target] Commands: -A chain rule-spec: Append rule to chain. -D chain rule-spec: Delete a rule from chain -L chain: List all rules in chain. -F chain: Flush all rules from chain. -P chain target: Set default policy for chain. -N chain: Create a new chain. -X chain: Remove a user-defined chain.

CSC 660: Advanced Operating SystemsSlide #9 iptables Matches -p protocol: Specify protocol to match. tcp, udp, icmp, etc. -s address/mask: Source IP address to match. -d address/mask: Dest IP address to match. --sport: Source port (TCP/UDP) to match. --dport: Dest port (TCP/UDP) to match.

CSC 660: Advanced Operating SystemsSlide #10 iptables Extended Matches -m match: Specify match module to use. Example: limit Only accept 3 ICMP packets per hour. -m limit --limit 3/hour -p icmp -j REJECT Example: state Useful stateful packet filtering. -m state --state NEW: match only new conns -m state --state ESTABLISHED: match only established connections.

CSC 660: Advanced Operating SystemsSlide #11 iptables Targets -j ACCEPT Accept packet. -j DROP Drop packet w/o reply. -j REJECT Drop packet with reply. -j RETURN Return from this chain to calling chain. -j LOG Log packet; chain processing continues.

CSC 660: Advanced Operating SystemsSlide #12 Chain Targets -p ICMP -j DROP -p TCP -j test -p UDP -j DROP INPUT -s test -d

CSC 660: Advanced Operating SystemsSlide #13 Creating a Packet Filter 1.Create a security policy for a service. ex: allow only outgoing telnet service 2.Specify security policy in terms of which types of packets are allowed/forbidden 3.Write packet filter in terms of vendor’s filtering language

CSC 660: Advanced Operating SystemsSlide #14 Example: outgoing telnet TCP-based service Outbound packets –Destination port is 23 –Source port is random port >1023 –Outgoing connection established by first packet with no ACK flag set –Following packets will have ACK flag set Incoming packets –Source port is 23, as server runs on port 23 –Destination port is high port used for outbound packets –All incoming packets will have ACK flag set

CSC 660: Advanced Operating SystemsSlide #15 Example: outgoing telnet DirSrcDestProtoS.PortD.PortACK?Action OutIntAnyTCP>102323EitherAccept InAnyIntTCP23>1023YesAccept EitherAny EitherDeny First rule allows outgoing telnet packets Second rule allows response packets back in Third rule denies all else, following Principle of Fail-Safe Defaults

CSC 660: Advanced Operating SystemsSlide #16 Implementing the Filter with iptables # iptables –A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED –m tcp –d tcp --sport 23 -j ACCEPT # iptables -A INPUT -j REJECT

CSC 660: Advanced Operating SystemsSlide #17 Packet Filtering Hooks

CSC 660: Advanced Operating SystemsSlide #18 Netfilter Hooks LOCAL_OUT Hook for outgoing packets that are created locally. LOCAL_IN In ip_local_deliver() for incoming pkts destined for localhost. PRE_ROUTING Hook for incoming packets in ip_rcv() before routing. FORWARD In ip_forward() for incoming packets destined for another host. POST_ROUTING Hook in ip_finish_output() for all outgoing packets.

CSC 660: Advanced Operating SystemsSlide #19 TCP/IP Layering Application Transport Network Data Link HTTP, FTP, telnet TCP, UDP IP, ICMP, IGMP Ethernet, PPP,

CSC 660: Advanced Operating SystemsSlide #20 Packet Encapsulation

CSC 660: Advanced Operating SystemsSlide #21 Packet De-multiplexing

CSC 660: Advanced Operating SystemsSlide #22 IP Header

CSC 660: Advanced Operating SystemsSlide #23 UDP Header

CSC 660: Advanced Operating SystemsSlide #24 TCP Header

CSC 660: Advanced Operating SystemsSlide #25 sk_buff Kernel buffer that stores packets. –Contains headers for all network layers. Creation –Application sends data to socket. –Packet arrives at network interface. Copying –Copied from user/kernel space. –Copied from kernel space to NIC. –Send: appends headers via skb_reserve(). –Receive: moves ptr from header to header.

CSC 660: Advanced Operating SystemsSlide #26 sk_buff

CSC 660: Advanced Operating SystemsSlide #27 sk_buff struct sk_buff { struct sk_buff * next; /* Next buffer in list */ struct sk_buff * prev; /* Previous buffer in list */ struct sock *sk; /* Socket we are owned by */ struct timeval stamp; /* Time we arrived */ struct net_device *dev; /* I/O net device */ /* Transport layer header */ union { struct tcphdr *th; struct udphdr *uh; struct icmphdr *icmph; struct iphdr *ipiph; } h; /* Network layer header */ union { struct iphdr *iph; struct arphdr *arph; } nh;... };

CSC 660: Advanced Operating SystemsSlide #28 IP Tables Data Structures ipt_table private ipt_table_info entries ipt_entry next target ipt_entry next target ipt_entry next target ipt_entry next target ipt_entry next target

CSC 660: Advanced Operating SystemsSlide #29 struct ipt_entry ipt_entry target_offset next_offset elems ipt_entry_match ipt_entry_target May contain more than one match structure.

CSC 660: Advanced Operating SystemsSlide #30 struct ipt_entry { /* Specifications for IP header we are to match */ struct ipt_ip ip; /* Mark fields that rule examines. */ unsigned int nfcache; /* Size of ipt_entry + matches */ u_int16_t target_offset; /* Next ipt_entry: Size of ipt_entry + matches + target */ u_int16_t next_offset; /* Back pointer */ unsigned int comefrom; /* Packet and byte counters. */ struct ipt_counters counters; /* The matches (if any), then the target. */ unsigned char elems[0]; };

CSC 660: Advanced Operating SystemsSlide #31 ipt_entry_match struct ipt_entry_match contains –Union of user and kernel structures. Both contain match size. Kernel part contains ptr to struct ipt_match. –User-defined match information.

CSC 660: Advanced Operating SystemsSlide #32 struct ipt_match name : String that identifies this match. match : Boolean function that determines whether the packet matched the rule or not. checkentry : Boolean function that determines whether rule user attempted to enter was valid or not. destroy : Called when rule deleted. me : pointer to THIS_MODULE.

CSC 660: Advanced Operating SystemsSlide #33 ipt_entry_target struct ipt_entry_target contains –Union of user and kernel structures. Both contain target size. Kernel part contains ptr to struct ipt_target. –User-defined target information.

CSC 660: Advanced Operating SystemsSlide #34 ipt_target name : String that identifies target. target : Returns a Netfilter action for the packet. checkentry : Boolean function called when user attempts to enter this target. destroy : Called when rule deleted. me : pointer to THIS_MODULE.

CSC 660: Advanced Operating SystemsSlide #35 Netfilter Actions NF_ACCEPT Allow packet to pass. NF_DROP Drop unacceptable packets NF_STOLEN Forget about packet. NF_QUEUE Queue packet for userspace program. NF_REPEAT Call this hook again.

CSC 660: Advanced Operating SystemsSlide #36 Helper Functions ipt_get_target() –Returns pointer to target of a rule. IPT_MATCH_ITERATE() –Calls given fn for every match in given rule. –Function’s 1 st arg is struct ipt_match_entry. –Function returns zero for iteration to continue. IPT_ALIGN() –Calculates proper alignment of netfilter data structures.

CSC 660: Advanced Operating SystemsSlide #37 ipt_do_table Foreach ipt_entry in table: Foreach match in entry: If packet matches, call target. If target fn verdict is IPT_RETURN return to entry we were called from. Else if verdict IPT_CONTINUE continue on to next entry.

CSC 660: Advanced Operating SystemsSlide #38 ipt_do_table struct ipt_entry *e = get_entry(table_base,….) unsigned int verdict = NF_DROP; do { if (ip_packet_match(ip, indev, outdev, &e->ip, offset)) { struct ipt_entry_target *t; if (IPT_MATCH_ITERATE(e, do_match, …) != 0) goto no_match; t = ipt_get_target(e); // then get verdict from target } else { no_match: e = (void *)e + e->next_offset; } } while (!hotdrop); if (hotdrop) return NF_DROP; else return verdict;

CSC 660: Advanced Operating SystemsSlide #39 do_match int do_match(struct ipt_entry_match *m, const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, int offset, const void *hdr, u_int16_t datalen, int *hotdrop) { /* Stop iteration if it doesn't match */ if (!m->u.kernel.match->match(skb, in, out, m->data, offset, hdr, datalen, hotdrop)) return 1; else return 0; }

CSC 660: Advanced Operating SystemsSlide #40 Writing a Netfilter Extension Userspace modifications: iptables –Place libipt_foo.c in iptables/extensions. –Add foo to iptables/extensions/Makefile. Kernel modifications: netfilter –Add ipt_foo.c in net/ipv4/netfilter. –Add ipt_foo.h in include/linux/netfilter_ipv4.

CSC 660: Advanced Operating SystemsSlide #41 Modifying iptables: libipt_foo.c static struct iptables_match sctp = {.name = "sctp",.version = IPTABLES_VERSION,.size = IPT_ALIGN(sizeof(struct ipt_sctp_info)),.userspacesize = IPT_ALIGN(sizeof(struct ipt_sctp_info)),.help = &help,.init = &init,.parse = &parse,.final_check = &final_check,.print = &print,.save = &save,.extra_opts = opts }; void _init(void) { register_match(&sctp); }

CSC 660: Advanced Operating SystemsSlide #42 Modifying iptables: libipt_foo.c Functions in iptables_match handle options: –help: iptables –h –print: iptables –L –parse: iptables –[A|I|D|R] –save: iptables-save Parsing sets struct ipt_foo_info –Via (*match)->data field. –Info struct defined in kernel include file.

CSC 660: Advanced Operating SystemsSlide #43 Modifying Netfilter: ipt_foo.c static struct ipt_match ipt_my_reg = {.list = { NULL, NULL }.name = “limit",.match = &match,.checkentry = &checkentry,.destroy = &destroy,.me = THIS_MODULE }; static int __init limit_init(void) { if (ipt_register_match(&ipt_my_reg)) return -EINVAL; return 0; } static void __exit limit_fini(void) { ipt_unregister_match(&ipt_my_reg); }

CSC 660: Advanced Operating SystemsSlide #44 References 1.Michael D. Bauer, Linux Server Security, 2 nd edition, O’Reilly, Christian Benvenuti, Understanding Linux Network Internals, O’Reilly, Daniel P. Bovet and Marco Cesati, Understanding the Linux Kernel, 3 rd edition, O’Reilly, Thomas F. Herbert, The Linux TCP/IP Stack, Charles River Media, Jennifer Hou, “Inside Netfilter,” Lu-chuan Kung, “Netfilter Tutorial,” Robert Love, Linux Kernel Development, 2 nd edition, Prentice-Hall, Rusty Russell, Linux World 2000 Netfilter Tutorial, Rusty Russell and Harald Welte, Linux netfiler Hacking HOWTO, HOWTO.html, HOWTO.html 10.Rusty Russel, Linux Packet Filtering HOWTO, HOWTO.html, HOWTO.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.