1. Network and System Security Risk Assessment
Firewall

2. Review Last week, we have talked about sniffer and firewall
Sometimes, sniffer can sniff users’ private information
http, telnet….
Wireshark sniffing on the network
Firewall can control a computer/network communication
Iptables, ufw

3. Review Stateful firewall
Traditional: to allow outgoing website visiting and to drop other communication
To allow input tcp with source port 80 and ack
Can’t visit websites on ports other than 80
To use stateful firewall
State tracking
sudo iptables -A OUTPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p udp -j ACCEPT (DNS)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 80 --tcp-flags SYN,ACK,RST,FIN ACK -j ACCEPT

4. Review Iptables examples Disable to be pinged, enable to ping
To limit the number of pings
To change the source IP of a ping packet sent out from our machine
sudo iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -p icmp -m state --state ESTABLISH,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo iptables -t nat -A POSTROUTING -p icmp --icmp-type 8 -j SNAT --to-source

5. Review Iptables Examples
Prevent a machine from telneting to other machines
Prevent a telnet server from being connected by other machines
Prevent inner network from connecting a social network

6. Review Iptables example To force redirect
1. to change the output packet to a specific website
2. to change the incoming packet to a specific server or port
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination :80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination  :80

7. Review Iptables example the secure version of telnet: ssh
Besides encryption, ssh has another function: port forwarding
Using ssh port forwarding, firewall rules can be bypassed
sudo iptables -A INPUT -i lo -j ACCEPT
Sudo iptables –t nat –A OUTPUT –p tcp –dport 21 –j DEDIRECT –to-ports 7001

8. 使用了端口转发之后，TCP 端口 A 与 B 之间现在并不直接通讯，而是转发到了 SSH 客户端及服务端来通讯，从而自动实现了数据加密并同时绕过了防火墙的限制

9. Review Iptables example ftp server: only allows localhost ftp service
Also demonstrate ftp data and control connections
On the server, ftp is blocked
On the client, we try to do ssh port forwarding
sudo iptables -t nat -A OUTPUT -p tcp --dport 21 -j DNAT --to-destination :7002
ssh -L 7002:localhost:21

10. Review Iptables example Support squid to act as a web proxy
iptables -t nat -A PREROUTING  -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

11. MAKEFILE

12. Makefiles Provide a way for separate compilation.
Describe the dependencies among the project files.
The make utility.
Makefiles provide a way for separate compilation. When a file from a project is changed, only the files that depend on the changed file are compiled.

13. Using makefiles Naming: makefile or Makefile are standard
other name can be also used
Running make
make
make –f filename – if the name of your file is not “makefile” or “Makefile”
make target_name – if you want to make a target that is not the first one

14. Sample makefile Makefiles main element is called a rule: Example:
my_prog : eval.o main.o
g++ -o my_prog eval.o main.o
eval.o : eval.c eval.h
g++ -c eval.c
main.o : main.c eval.h
g++ -c main.c
_________________________
# -o to specify executable file name
# -c to compile only (no linking)
target : dependencies
TAB commands #shell commands

15. Variables Defining variables on the command line:
The old way (no variables) A new way (using variables)
Defining variables on the command line:
Take precedence over variables defined in the makefile.
make C=cc
C = g++
OBJS = eval.o main.o
HDRS = eval.h
my_prog : eval.o main.o
$(C) -o my_prog $(OBJS)
eval.o : eval.c
$(C) –c –g eval.c
main.o : main.c
$(C) –c –g main.c
$(OBJS) : $(HDRS)
my_prog : eval.o main.o
g++ -o my_prog eval.o main.o
eval.o : eval.c eval.h
g++ -c –g eval.c
main.o : main.c eval.h
g++ -c –g main.c

16. Implicit rules
Implicit rules are standard ways for making one type of file from another type.
There are numerous rules for making an .o file – from a .c file, a .p file, etc. make applies the first rule it meets.
If you have not defined a rule for a given object file, make will apply an implicit rule for it.
Example:
Our makefile The way make understands it
my_prog : eval.o main.o
$(C) -o my_prog $(OBJS)
$(OBJS) : $(HEADERS)
my_prog : eval.o main.o
$(C) -o my_prog $(OBJS)
$(OBJS) : $(HEADERS)
eval.o : eval.c
$(C) -c eval.c
main.o : main.c
$(C) -c main.c

17. Defining implicit rules
%.o : %.c
$(C) -c –g $<
C = g++
OBJS = eval.o main.o
HDRS = eval.h
my_prog : eval.o main.o
$(C) -o my_prog $(OBJS)
$(OBJS) : $(HDRS)
Avoiding implicit rules - empty commands
target: ; #Implicit rules will not apply for this target.
The target is considered a pattern for matching file names;

18. Automatic variables
Automatic variables are used to refer to specific part of rule components.
eval.o : eval.c eval.h
g++ -c eval.c
- The name of the target of the rule (eval.o).
$< - The name of the first dependency (eval.c).
$^ - The names of all the dependencies (eval.c eval.h).
$? - The names of all dependencies that are newer than the target
target : dependencies
TAB commands #shell commands

19. Makefile for a basic kernel module
obj-m += hello-1.o
all:
make -C /lib/modules/$(shell uname -r)/build \ M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build \ M=$(PWD) clean
The build process for modules differs significantly from that used for user-space applications; the kernel is a large, standalone program with detailed and explicit requirements on how its pieces are put together.
kernel build system handles the rest. The assignment above (which takes advantage of the extended syntax provided by GNU make) states that there is one module to be built from the object file hello.o. The resulting module is named hello.ko after being built from the object file.

20. Giving your Linux more pop since 1995
Kernel Modules
Giving your Linux more pop since 1995

21. History Introduced in Linux version 1.2 (1995)
At the time, drivers were already designed to be somewhat modular, so not a lot of work was needed to revamp one driver for use as a LKM. There are a lot of drivers, though...
By 2000, most drivers and “module-able” things are converted.

22. What are Modules
A Module is a object file that contains code to extend the functionality of the base kernel.
Modules are used to add support for new hardware and file systems.
Also used to add new system calls and executable interpreters.

23. Why are they Important?
If modules did not exist then adding new features to the kernel would be nearly impossible.

24. Pros and Cons Pros: Cons Time savings Portability Memory savings
Security (PAM)
Cons
No safeguards
Security (rootkits)

25. Modules vs. Applications
Modules are really a part of the kernel and so run in kernel space.
Apps just do their tasks and end. Modules sit in the kernel space waiting to be run.
Apps can be linked to outside libraries; modules can only "see" in the kernel and other loaded modules.

26. Module Loading
Kernel Symbol Table: references kernel functions that modules can use.
When loaded, unresolved symbols in module are linked to system table
EXPORT_SYMBOL() allows specified symbol to be used by kernel and other modules.
Use cat /proc/kallsyms to get a list of all exported kernel symbols.

27. Image from: http://www.xml.com/ldd/chapter/book/ch02.html
Unlike an application program, a module does not execute on its own. Rather, it patiently waits until some application program invokes its service.
but how does that application program gain access to the module’s services? That’s the role of the module_ init() function. By calling one or more kernel functions, module_ init () “registers” the module’s “capabilities” with the kernel. In effect the module is saying “Here I am and here’s what I can do.”
Image from:

28. Module HOW-TO Some useful commands insmod insert module into kernel
rmmod remove kernel module
lsmod show currently loaded modules
The above work, but are dumb. Instead, use modprobe [-r] which is aware of module dependencies and config settings.
Use depmod to find module dependencies. File location: /lib/modules/version/modules.dep

29. Writing a Kernel Module
Kernel modules have two basic functions:
a "start" (initialization) function called init_module(), is called when the module is insmoded into the kernel
an "end" (cleanup) function called cleanup_module(), is called just before it is rmmoded.
Since kernel , you can use whatever name you like for the start and end functions of a module
Module license

30. NETFILTER

31. Netfilter A framework for packet mangling in kernel
Built in Linux 2.4 kernel or higher version
Independent of network protocol stack
Provide an easy way to do firewall setting or packet filtering, network address translation and packet mangling

32. Netfilter II—how it works
Defines a set of hooks
Hooks are well defined point in the path of packets when these packets pass through network stack
The protocol code will jump into netfilter framework when it hits the hook point.
Registers Kernel functions to these hooks:
Called when a packet reaches at hook point
Can decide the fate of the packets
After the functions, the packet could continue its journey

33. Netfilter Hooks Each protocol family can have different hooks
IPv4 defines 5 hooks
Upper layer
IP_output
IP_input
NF_IP_LOCAL_OUT
NF_IP_LOCAL_IN
Route
Route
NF_IP_POSTROUTING
NF_IP_FORWARD
NF_PRE_ROUTING
Network driver device

34. Netfilter hook points NF_IP_PRE_ROUTING: NF_IP_LOCAL_IN:
After sanity checks, before routing decision
NF_IP_LOCAL_IN:
After routing decisions, if the packet destines for this host
NF_IP_FORWARD:
Packets are not destined for this host but need to be forwarded to another interface
NF_IP_LOCAL_OUT:
All packets created from local host would come here before it is been sent out
NF_IP_POST_ROUTING:
All packets have been routed and ready to hit the wire

35. Netfilter hook functions
Multiple functions could register to the same hook point
Need to set priority
The corresponding packet will path the hook points
Each function registered for that hook point is called in the order of priority and is free to manipulate the packet
What to do in hook functions
The function could do anything it wants
But need to tell netfilter to return one of the five values:
NF_ACCEPT
NF_DROP
NF_STOLEN
NF_QUEUE
NF_REPEAT

37. Netfilter Hook implementation
Steps
Fill out the nf_hook_ops structure
Write a hook function:
It has specific format
Register to system
Compile and load the modules
Example:
Iptables –t filter –A INPUT –p tcp –j DROP
Drop all the incoming tcp packet

38. Netfilter Hook implementation (I)
Fill in a netfilter hook operation structure
Data type: (in include/linux/netfilter.h)

39. Example static struct nf_hook_ops localin_ops;
localin_ops.hook = localin_handler;
localin_ops.pf = PF_INET;
localin_ops.hooknum =NF_IP_LOCAL_IN;
localin_ops.priority=NF_IP_PRI_FIRST;

40. Netfilter Hook implementation II
Format: must be of function type nf_hookfn
Unsigned int nf_hookfn(hooknum,struct sk_buff**skb,in_dev,out_dev,int(*okfn)(struct sk_buff*)))
Hooknum: the hook point where the function registered
skb: a reference to the packet
In_dev,outdev: net device this packet is from/to
Hook function returns one of the following: NF_ACCEPT,NF_DROP,NF_STOLEN
NF_QUEUE,NF_REPEAT
The first, hooknum, is a hooktype we already have covered. The second is a pointer to a pointer to a socket kernel buffer. The next two are netdevice pointers; we'll use these later to block and filter interfaces.

41. Example unsigned int localin_handler
(unsigned int hook, struct sk_buff **skb,
const struct net_device *indev, const
struct net_device *outdev, int (*okfn) (struct sk_buff *)) {
struct iphdr *iphead = skb->nh.iph;
if ((iphead->protocol)== IPPROTO_TCP) //Drop all TCP packet
return NF_DROP; }

42. Netfilter Hook implementation III
Call this function to register at the hook
int nf_register_hook(struct nf_hook_ops *reg)
void nf_unregister_hook(struct nf_hook_ops *reg)
#include …
static int __init
init (void){
return nf_register_hook (&localin_ops); }
static void __exit
fini (void){
return nf_unregister_hook (&localin_ops);
module_init (init);
module_exit (fini);
Compile it and insmod

43. Conclusion
Netfilter is a glue code between the protocol hooks and the kernel function modules
Iptables is useful to set our firewall
Provide a simple way to hack packet
Netfilter is a glue code between the protocol hooks and the kernel function modules
Control jumps from the protocol code to the netfilter code to the various modules registered and the flow back
Iptables is useful to set our firewall
Provide a simple way to hack packet

44. References The Linux Kernel Module Programming Guide
Wikipedia: Linux Kernel
Wikipedia: Linux Modules
Linux Device Drivers: Building and Running Modules
Linux Loadable Kernel Module HOWTO
Linux PAM page
Linux Kernel Development. Ch. 16: Modules. pp
Linux Kernel Cross-Reference