Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti.

Published byMay White Modified over 9 years ago

Similar presentations

Presentation on theme: "Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti."— Presentation transcript:

1 Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti

2 Mateti/PacketFilters2 Packet Filters.. “Firewalls” Packet-filters work at the network layer Packet-filters work at the network layer Application-level gateways work at the application layer Application-level gateways work at the application layer A “Firewall” … A “Firewall” … Communication Layers Application Presentation Session Transport Network Data Link Physical

3 Mateti/PacketFilters3 Packet Filtering Should arriving packet be allowed in? Should a departing packet be let out? Should arriving packet be allowed in? Should a departing packet be let out? Filter packet-by-packet, making decisions to forward/drop a packet based on: Filter packet-by-packet, making decisions to forward/drop a packet based on: source IP address, destination IP address source IP address, destination IP address TCP/UDP source and destination port numbers TCP/UDP source and destination port numbers ICMP message type ICMP message type TCP SYN and ACK bits TCP SYN and ACK bits......

4 Mateti/PacketFilters4 Functions of Packet Filter Control: Allow only those packets that you are interested in to pass through. Control: Allow only those packets that you are interested in to pass through. Security: Reject packets from malicious outsiders Security: Reject packets from malicious outsiders Watchfulness: Log packets to/from outside world Watchfulness: Log packets to/from outside world

5 Mateti/PacketFilters5 Packet Filtering: Control Example: Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. Example: Block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.

6 Mateti/PacketFilters6 Packet Filtering: Security Example 2: Block inbound TCP segments with ACK=0. Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

7 Mateti/PacketFilters7 Packet Filtering Limitations Cannot Do: Allow only certain users in (requires application-specific information) Cannot Do: Allow only certain users in (requires application-specific information) Can do: Allow or deny entire services (protocols) Can do: Allow or deny entire services (protocols) Cannot Do: Allow, e.g., only certain files to be ftp’ed Cannot Do: Allow, e.g., only certain files to be ftp’ed

8 Mateti/PacketFilters8 Packet “filtering” Packet filtering is not just “filtering” Packet filtering is not just “filtering” Changing Packets: Filters often able to rewrite packet headers Changing Packets: Filters often able to rewrite packet headers Examine/modify IP packet contents only? Or entire Ethernet frames? Examine/modify IP packet contents only? Or entire Ethernet frames? Monitor TCP state? Monitor TCP state?

9 Mateti/PacketFilters9 Goals for this Lecture Two goals: general filtering concepts and techniques Two goals: general filtering concepts and techniques Also, concrete how to do it in Linux/ iptables Also, concrete how to do it in Linux/ iptables Similar tools/ideas exist in all modern OS. Similar tools/ideas exist in all modern OS. The design of a well-considered packet filter is postponed to next lecture. The design of a well-considered packet filter is postponed to next lecture.

10 Mateti/PacketFilters10 Packet Filtering in Linux netfilter and iptables are the building blocks of a framework inside Linux kernel. netfilter and iptables are the building blocks of a framework inside Linux kernel. netfilter is a set of hooks that allow kernel modules to register callback functions with the network stack. Such a function is called back for every packet that traverses the respective hook. netfilter is a set of hooks that allow kernel modules to register callback functions with the network stack. Such a function is called back for every packet that traverses the respective hook. iptables is a generic table structure for the definition of rule sets. Each rule within an iptable consists of a number of classifiers (iptables matches) and one connected action (iptables target). iptables is a generic table structure for the definition of rule sets. Each rule within an iptable consists of a number of classifiers (iptables matches) and one connected action (iptables target). netfilter, iptables, connection tracking, and the NAT subsystem together build the whole framework. netfilter, iptables, connection tracking, and the NAT subsystem together build the whole framework.

11 Mateti/PacketFilters11 Packet Filtering in Linux History 1st generation: ipfw (from BSD) 1st generation: ipfw (from BSD) 2nd generation: ipfwadm (Linux 2.0) 2nd generation: ipfwadm (Linux 2.0) 3rd generation: ipchains (Linux 2.2) 3rd generation: ipchains (Linux 2.2) 4th generation: iptable (Linux 2.4, 2.6) 4th generation: iptable (Linux 2.4, 2.6) In this lecture, we will concentrate on iptables. In this lecture, we will concentrate on iptables.

12 Mateti/PacketFilters12 ipfilter, ipchains and, iptables UNIX, Linux, NetBSD, OpenBSD, … UNIX, Linux, NetBSD, OpenBSD, … FreeBSD (ipfw)http://www.freebsd.org/ FreeBSD (ipfw)http://www.freebsd.org/http://www.freebsd.org/ OpenBSD (pf) http://www.benzedrine.cx/pf OpenBSD (pf) http://www.benzedrine.cx/pfhttp://www.benzedrine.cx/pf The kernel does all the routing decisions The kernel does all the routing decisions There are “userspace” (non-kernel) tools that interact with the kernel There are “userspace” (non-kernel) tools that interact with the kernel iptable iptable Have to be root user Have to be root user

13 Mateti/PacketFilters13 Netfilter/ iptables Capabilities Build Internet firewalls based on stateless and stateful packet filtering. Build Internet firewalls based on stateless and stateful packet filtering. Use NAT and masquerading for sharing internet access where you don't have enough addresses. Use NAT and masquerading for sharing internet access where you don't have enough addresses. Use NAT for implementing transparent proxies Use NAT for implementing transparent proxies Mangling (packet manipulation) such as altering the TOS/DSCP/ECN bits of the IP header Mangling (packet manipulation) such as altering the TOS/DSCP/ECN bits of the IP header

14 Mateti/PacketFilters14 Linux Iptables/Netfilter In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall. In Linux kernel 2.4 and 2.6, we use the netfilter package with iptables commands to setup the firewall. The old package called IPchains is deprecated. The old package called IPchains is deprecated. http://www.netfilter.org/ http://www.netfilter.org/ http://www.netfilter.org/

15 Mateti/PacketFilters15 Iptables - Features (1) Stateful filtering of TCP & UDP traffic Stateful filtering of TCP & UDP traffic Ports opened & closed as clients use the Internet Ports opened & closed as clients use the Internet Presents a (mostly) “blank wall” to attackers Presents a (mostly) “blank wall” to attackers “Related” option for complex applications “Related” option for complex applications Active mode FTP Active mode FTP Multimedia applications (Real Audio, etc.) Multimedia applications (Real Audio, etc.) Can filter on fragments Can filter on fragments

16 Mateti/PacketFilters16 Iptables - Features (2) Improved logging options Improved logging options User-defined logging prefixes User-defined logging prefixes Log selected packets (e.g., handshake packets) Log selected packets (e.g., handshake packets) Port Address Translation (PAT) Port Address Translation (PAT) Network Address Translation (NAT) Network Address Translation (NAT) Inbound Inbound Redirect to DMZ web server, mail server, etc. Redirect to DMZ web server, mail server, etc. Outbound Outbound Group outbound traffic and/or use static assignment Group outbound traffic and/or use static assignment

17 Mateti/PacketFilters17 Packet Traversal in Linux Input Output Local Processes Forward Routing Decision Pre- Routing Post- Routing

18 Mateti/PacketFilters18 IPtables “chains” A chain is a sequence of filtering rules. A chain is a sequence of filtering rules. Rules are checked in order. First match wins. Every chain has a default rule. Rules are checked in order. First match wins. Every chain has a default rule. If no rules match the packet, chain policy is applied. If no rules match the packet, chain policy is applied. Chains are dynamically inserted/ deleted. Chains are dynamically inserted/ deleted.

19 Mateti/PacketFilters19 Built-in chains 1. INPUT: packets for local processes 1. No output interface 2. OUTPUT: packets produced by local processes 1. No input interface 2. All packets to and from lo (loopback) interface traverse input and output chains 3. FORWARD: for all transiting packets 1. Do not traverse INPUT or OUTPUT 2. Has input and output interface 4. PREROUTING 5. POSTROUTING

20 Mateti/PacketFilters20 A Packet Filtering Rule … Specifies matching criteria Specifies matching criteria Source and Destination IP addresses, ports Source and Destination IP addresses, ports Source MAC Address Source MAC Address States States Invalid Packets Invalid Packets CRC error, fragments,... CRC error, fragments,... TCP flags TCP flags SYN, FIN, ACK, RST, URG, PSH, ALL, NONE SYN, FIN, ACK, RST, URG, PSH, ALL, NONE Rate limit Rate limit What to do What to do Accept, Reject. Drop, take/jump them to another chain, … Accept, Reject. Drop, take/jump them to another chain, … Rules remain in kernel memory Rules remain in kernel memory Save all rules into a file, if you wish, and insert them on reboot Save all rules into a file, if you wish, and insert them on reboot ”

21 Mateti/PacketFilters21 Targets/Jumps ACCEPT – let the packet through ACCEPT – let the packet through REJECT – sends ICMP error message REJECT – sends ICMP error message DROP – reject, but don’t send ICMP message DROP – reject, but don’t send ICMP message MASQ – masquerade MASQ – masquerade RETURN – end of chain; stop traversing this chain and resume the calling chain RETURN – end of chain; stop traversing this chain and resume the calling chain QUEUE – pass the packet to the user space QUEUE – pass the packet to the user space User defined chains User defined chains (none) – rule’s counters incremented and packet passed on (used for accounting) (none) – rule’s counters incremented and packet passed on (used for accounting)

22 Mateti/PacketFilters22 Syntax of iptables command iptables –t TABLE –A CHAIN –[i|o] IFACE –s w.x.y.z –d a.b.c.d –p PROT –m state -- state STATE –j ACTION iptables –t TABLE –A CHAIN –[i|o] IFACE –s w.x.y.z –d a.b.c.d –p PROT –m state -- state STATE –j ACTION TABLE = nat | filter | mangle TABLE = nat | filter | mangle CHAIN = INPUT | OUTPUT | FORWARD | PREROUTING| POSTROUTING CHAIN = INPUT | OUTPUT | FORWARD | PREROUTING| POSTROUTING IFACE = eth0 | eth1 | ppp0 |... IFACE = eth0 | eth1 | ppp0 |... PROT = tcp | icmp | udp | … PROT = tcp | icmp | udp | … STATE = NEW | ESTABLISHED | RELATED | … STATE = NEW | ESTABLISHED | RELATED | … ACTION = DROP | ACCEPT | REJECT | DNAT | SNAT | … ACTION = DROP | ACCEPT | REJECT | DNAT | SNAT | …

23 Mateti/PacketFilters23 Specifying IP addresses Source: -s, --source or –src Source: -s, --source or –src Destination: -d, --destination or –dst Destination: -d, --destination or –dst IP address can be specified in four ways. IP address can be specified in four ways. (Fully qualified) host name (e.g., floyd, floyd.osis.cs.wright.edu (Fully qualified) host name (e.g., floyd, floyd.osis.cs.wright.edu IP address (e.g., 127.0.0.1) IP address (e.g., 127.0.0.1) Group specification (e.g., 130.108.27.0/24) Group specification (e.g., 130.108.27.0/24) Group specification Group specification (e.g., 130.108.27.0/255.255.255.0) (e.g., 130.108.27.0/255.255.255.0) ‘–s ! IPaddress’ and ‘–d ! IPaddress’: Match address not equal to the given. ‘–s ! IPaddress’ and ‘–d ! IPaddress’: Match address not equal to the given.

24 Mateti/PacketFilters24 Specifying an Interface Physical device for packets to come in Physical device for packets to come in -i, --in-interface -i, --in-interface -i eth0 -i eth0 Physical device for packets to go out Physical device for packets to go out -o, --out-interface -o, --out-interface -o eth3 -o eth3 INPUT chain has no output interface INPUT chain has no output interface Rule using ‘-o’ in this chain will never match. Rule using ‘-o’ in this chain will never match. OUPUT chain has no input interface OUPUT chain has no input interface Rule using ‘-i’ in this chain will never match. Rule using ‘-i’ in this chain will never match.

25 Mateti/PacketFilters25 Specifying Protocol -p protocol -p protocol Protocol number Protocol number 17 17 Protocol can be a name Protocol can be a name TCP TCP UDP UDP ICMP ICMP –p ! protocol –p ! protocol

26 Mateti/PacketFilters26 “-t Table” nat table nat table Chains: PREROUTING, POSTROUTING, and OUTPUT. Chains: PREROUTING, POSTROUTING, and OUTPUT. used to translate the packet's source or destination. used to translate the packet's source or destination. Addresses and ports Addresses and ports Packets traverse this table only once. Packets traverse this table only once. should not do any filtering in this table should not do any filtering in this table filter table filter table Chains: INPUT, OUTPUT, and FORWARD. Chains: INPUT, OUTPUT, and FORWARD. Almost all targets are usable Almost all targets are usable take action against packets and look at what they contain and DROP or /ACCEPT them, take action against packets and look at what they contain and DROP or /ACCEPT them, mangle table mangle table Chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, and FORWARD. Chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, and FORWARD. Can alter values of several fields of a packet Can alter values of several fields of a packet Not for filtering; nor will any DNAT, SNAT or Masquerading work in this table. Not for filtering; nor will any DNAT, SNAT or Masquerading work in this table.

27 Mateti/PacketFilters27 iptables examples 1. iptables --flush Delete all rules Delete all rules 2. iptables -A INPUT -i lo -j ACCEPT Accept all packets arriving on lo for local processes Accept all packets arriving on lo for local processes 3. iptables -A OUTPUT -o lo -j ACCEPT 4. iptables --policy INPUT DROP Unless other rules apply, drop all INPUT packets Unless other rules apply, drop all INPUT packets 5. iptables --policy OUTPUT DROP 6. iptables --policy FORWARD DROP 7. iptables -L -v -n List all rules, verbosely, using numeric IP addresses etc. List all rules, verbosely, using numeric IP addresses etc.

28 Mateti/PacketFilters28 The LOG Target LOG LOG --log-level --log-level --log-prefix --log-prefix --log-tcp-sequence --log-tcp-sequence --log-tcp-options --log-tcp-options --log-ip-options --log-ip-options 1. iptables -A OUTPUT -o eth0 -j LOG Jump the packets that are on OUTPUT chain intending to leave from eth0 interface to LOG Jump the packets that are on OUTPUT chain intending to leave from eth0 interface to LOG 2. iptables -A INPUT -m state --state INVALID -j LOG --log-prefix “INVALID input: ” Jump the packets that are on INPUT chain with an INVALID state to to LOG and have the logged text begin with “INVALID input: ” Jump the packets that are on INPUT chain with an INVALID state to to LOG and have the logged text begin with “INVALID input: ”

29 Mateti/PacketFilters29 iptables syntax examples 1. iptables -A INPUT -i eth1 -p tcp -s 192.168.17.1 --sport 1024:65535 -d 192.168.17.2 --dport 22 -j ACCEPT Accept all TCP packets arriving on eth1 for local processes from 192.168.17.1 with any source port higher than 1023 to 192.168.17.2 and destination port 22. Accept all TCP packets arriving on eth1 for local processes from 192.168.17.1 with any source port higher than 1023 to 192.168.17.2 and destination port 22. 2. 2. iptables -t nat -A PREROUTING -p TCP -i eth0 -d 128.168.60.12 --dport 80 -j DNAT --to-destination 192.168.10.2 Change the destination address of all TCP packets arriving on eth0 aimed at Change the destination address of all TCP packets arriving on eth0 aimed at 128.168.60.12 port 80 to 192.168.10.2 port 80.

30 Mateti/PacketFilters30 iptables syntax examples 1. iptables –A INPUT –p tcp –s 0/0 –d 0/0 –dport 0:1023 –j REJECT Reject all incoming TCP traffic destined for ports 0 to 1023 Reject all incoming TCP traffic destined for ports 0 to 1023 2. iptables –A OUTPUT –p tcp –s 0/0 –d ! osis110 –j REJECT Reject all outgoing TCP traffic except the one destined for osis110 Reject all outgoing TCP traffic except the one destined for osis110 3. iptables –A INPUT –p TCP –s osis110 --syn –j DROP Drop all SYN packets from host osis110 Drop all SYN packets from host osis110 4. 4. iptables -A PREROUTING -t nat -p icmp -d 130.108.0.0/24 -j DNAT --to 130.108.2.10 Redirect all ICMP packets aimed at any host in the range 130.108.0.0/24 to 130.108.2.10

31 Mateti/PacketFilters31 Operations on chains Operations to manage whole chains Operations to manage whole chains N: create a new chain N: create a new chain P: change the policy of built-in chain P: change the policy of built-in chain L:list the rules in a chain L:list the rules in a chain F: flush the rules out of a chain F: flush the rules out of a chain Manipulate rules inside a chain Manipulate rules inside a chain A: append a new rule to a chain A: append a new rule to a chain I: insert a new rule at some position in a chain I: insert a new rule at some position in a chain R: Replace a rule at some position in a chain R: Replace a rule at some position in a chain D: delete a rule in a chain D: delete a rule in a chain

32 Mateti/PacketFilters32 Defining New Chains iptables -A INPUT -i eth1 –d IPaddress \ -j EXT-input iptables -A INPUT -i eth1 –d IPaddress \ -j EXT-input iptables -A EXT-input -p udp --sport 53 \ --dport 53 -j EXT-dns-server-in iptables -A EXT-input -p udp --sport 53 \ --dport 53 -j EXT-dns-server-in iptables -A EXT-input -p tcp ! --syn \ --sport 53 --dport 1024:65535\ -j EXT-dns-server-in iptables -A EXT-input -p tcp ! --syn \ --sport 53 --dport 1024:65535\ -j EXT-dns-server-in iptables -A EXT-dns-server-in\ –s hostName -j ACCEPT iptables -A EXT-dns-server-in\ –s hostName -j ACCEPT

33 Mateti/PacketFilters33 User Chains -j userChainName -j userChainName User-defined chains can jump to other user- defined chains. User-defined chains can jump to other user- defined chains. Packets will be dropped if they are found to be in a rule/chain-loop. Packets will be dropped if they are found to be in a rule/chain-loop. If there are no matches, returns to calling chain. If there are no matches, returns to calling chain. Packets that were not accepted/dropped resume traversal on the next rule on the chain. Packets that were not accepted/dropped resume traversal on the next rule on the chain. -j REJECT causes failure -j REJECT causes failure

34 Mateti/PacketFilters34 Specifying Fragments iptables -A OUTPUT -f -d 192.168.1.1 -j DROP iptables -A OUTPUT -f -d 192.168.1.1 -j DROP First fragment is treated like any other packet. Second and further fragments won’t be. First fragment is treated like any other packet. Second and further fragments won’t be. Specify a rule specifically for second and further fragments, using the ‘-f’ Specify a rule specifically for second and further fragments, using the ‘-f’ “Impossible” to look inside the packet for protocol headers such as TCP, UDP, ICMP. “Impossible” to look inside the packet for protocol headers such as TCP, UDP, ICMP. E.g., “ -p TCP -sport www” will never match a fragment other than the first fragment. E.g., “ -p TCP -sport www” will never match a fragment other than the first fragment.

35 Mateti/PacketFilters35 Match Extensions: MAC Specified with ‘-m mac’ or --match mac’ Specified with ‘-m mac’ or --match mac’ match incoming packet's source Ethernet address (MAC). match incoming packet's source Ethernet address (MAC). --mac-source 00:60:08:91:CC:B7 --mac-source 00:60:08:91:CC:B7

36 Mateti/PacketFilters36 Match Extensions: Limit -m limit’ or --match limit -m limit’ or --match limit Restrict the rate of matches, such as for suppressing log messages. Restrict the rate of matches, such as for suppressing log messages. --limit 5/second --limit 5/second Specifies the maximum average number of matches to allow per second as 5 Specifies the maximum average number of matches to allow per second as 5 --limit-burst 12 --limit-burst 12 The maximum initial number of packets to match is 12 The maximum initial number of packets to match is 12 This number gets recharged by one every time the limit specified above is not reached. This number gets recharged by one every time the limit specified above is not reached. Default 3 matches per hour, with a burst of 5 Default 3 matches per hour, with a burst of 5

37 Mateti/PacketFilters37 Match Extensions: State -m state’ allows ‘--state’ option. -m state’ allows ‘--state’ option. NEW NEW A packet which can create a new connection. A packet which can create a new connection. ESTABLISHED ESTABLISHED A packet which belongs to an existing connection A packet which belongs to an existing connection RELATED RELATED A packet which is related to, but not part of, an existing connection such as ICMP error. A packet which is related to, but not part of, an existing connection such as ICMP error. INVALID INVALID A packet which could not be identified for some reasons. A packet which could not be identified for some reasons. iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

38 Mateti/PacketFilters38 Network Address Translation (NAT) IP addresses are replaced at the boundary of a private network IP addresses are replaced at the boundary of a private network Enables hosts on private networks to communicate with hosts on the Internet Enables hosts on private networks to communicate with hosts on the Internet NAT is run on routers that connect private networks to the public Internet NAT is run on routers that connect private networks to the public Internet Mangles both inbound and outbound packets Mangles both inbound and outbound packets Routers don’t normally do this Routers don’t normally do this

39 Mateti/PacketFilters39 Basic operation of NAT NAT device has address translation table NAT device has address translation table

40 Mateti/PacketFilters40 Uses of NAT Pooling of IP addresses Pooling of IP addresses Supporting migration between network service providers Supporting migration between network service providers IP masquerading IP masquerading Load balancing of servers Load balancing of servers iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4 iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4 Client-only site (SOHO) Client-only site (SOHO) Multiple servers Multiple servers Can get into otherwise “hidden” LANs Can get into otherwise “hidden” LANs Can also load share as NAT round robins connection Can also load share as NAT round robins connection Transparent proxying Transparent proxying

41 Mateti/PacketFilters41 NAT: Pooling of IP addresses Scenario: Corporate network has many hosts but only a small number of public IP addresses Scenario: Corporate network has many hosts but only a small number of public IP addresses NAT solution: NAT solution: Corporate network is managed with a private address space Corporate network is managed with a private address space NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device dynamically picks a public IP address from the address pool, and binds this address to the private address of the host When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device dynamically picks a public IP address from the address pool, and binds this address to the private address of the host

42 Mateti/PacketFilters42 NAT: Pooling of IP addresses iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.128.71.0–128.143.71.30 iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.128.71.0–128.143.71.30

43 Mateti/PacketFilters43 NAT: Migration to a new ISP Scenario: In Classless Inter-Domain Routing (CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. Scenario: In Classless Inter-Domain Routing (CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. NAT solution: NAT solution: Assign private addresses to the hosts of the corporate network Assign private addresses to the hosts of the corporate network NAT device has static address translation entries which bind the private address of a host to the public address. NAT device has static address translation entries which bind the private address of a host to the public address. Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network. Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.

44 Mateti/PacketFilters44 NAT: Migration to new ISP

45 Mateti/PacketFilters45 Concerns about NAT: Performance: Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum Modifying port number requires that NAT boxes recalculate TCP checksum Modifying port number requires that NAT boxes recalculate TCP checksum

46 Mateti/PacketFilters46 Concerns about NAT: Fragmentation Care must be taken that a datagram that is not fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments. Care must be taken that a datagram that is not fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.

47 Mateti/PacketFilters47 Concerns about NAT: End-to- end connectivity: NAT destroys universal end-to-end reachability of hosts on the Internet. NAT destroys universal end-to-end reachability of hosts on the Internet. A host in the public Internet cannot initiate communication to a host in a private network. A host in the public Internet cannot initiate communication to a host in a private network.

48 Mateti/PacketFilters48 Concerns about NAT: IP address in application data Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. Some NAT devices inspect and adjust the payload of widely used application layer protocols if an IP address is detected. Some NAT devices inspect and adjust the payload of widely used application layer protocols if an IP address is detected.

49 Mateti/PacketFilters49 Source NAT (SNAT) Mangle the source IP address of a packet Mangle the source IP address of a packet Used for internal  external connections Used for internal  external connections Done on POSTROUTING, just before packet leaves Done on POSTROUTING, just before packet leaves Masquerading is a form of this Masquerading is a form of this iptables –t nat –A POSTROUTING –o eth1 –j SNAT –-to-source 10.252.49.231 iptables –t nat –A POSTROUTING –o eth1 –j SNAT –-to-source 10.252.49.231 iptables –t nat –A POSTROUTING –s 10.0.1.2 -j SNAT --to-source 128.143.71.21 iptables –t nat –A POSTROUTING –s 10.0.1.2 -j SNAT --to-source 128.143.71.21

50 Mateti/PacketFilters50 Destination NAT (DNAT) Alters the destination IP address of the packet Alters the destination IP address of the packet Done on OUTPUT or PREROUTING Done on OUTPUT or PREROUTING Load sharing, transparent proxying are forms of this Load sharing, transparent proxying are forms of this iptables -t nat -A PREROUTING -i eth0 -p tcp -- sport 1024:65535 -d 130.108.17.115 --dport 80 -j DNAT --to-destination 130.108.17.111 iptables -t nat -A PREROUTING -i eth0 -p tcp -- sport 1024:65535 -d 130.108.17.115 --dport 80 -j DNAT --to-destination 130.108.17.111 iptables -t nat -A PREROUTING -i eth0 -p tcp -- sport 1024:65535 -d 130.108.17.111 --dport 80 -j DNAT --to-destination 192.168.17.111:81 iptables -t nat -A PREROUTING -i eth0 -p tcp -- sport 1024:65535 -d 130.108.17.111 --dport 80 -j DNAT --to-destination 192.168.17.111:81 130.108.17.111 iptables -t nat -A PREROUTING -i eth0 -p tcp -- sport 1024:65535 -d 130.108.17.111 --dport 80 -j DNAT --to-destination 192.168.56.10-192.168.56.15

51 Mateti/PacketFilters51 IP masquerading Special case of NAT, Network address and port translation (NAPT), port address translation (PAT). Special case of NAT, Network address and port translation (NAPT), port address translation (PAT). Scenario: Single public IP address is mapped to multiple hosts in a private network. Scenario: Single public IP address is mapped to multiple hosts in a private network. NAT solution: NAT solution: Assign private addresses to the hosts of the corporate network Assign private addresses to the hosts of the corporate network NAT device modifies the port numbers for outgoing traffic NAT device modifies the port numbers for outgoing traffic

52 Mateti/PacketFilters52 Networking at Home: Masquerading Modem connections/DHCP Modem connections/DHCP Doesn’t drop connections when address changes Doesn’t drop connections when address changes Makes all packets from internal look like they are coming from the modem machine/DHCP address (outgoing interface’s address): Makes all packets from internal look like they are coming from the modem machine/DHCP address (outgoing interface’s address): ## Masquerade everything out ppp0. ## Masquerade everything out ppp0. echo 1 > /proc/sys/net/ipv4/ip_forward modprobe iptable_nat iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

53 Mateti/PacketFilters53 IP masquerading

54 Mateti/PacketFilters54 SNAT vs. MASQUERADE SNAT SNAT translates only the source IP addresses, the port number is preserved unchanged. translates only the source IP addresses, the port number is preserved unchanged. requires that you have equal number of outgoing IP addresses as IP address in your intranet requires that you have equal number of outgoing IP addresses as IP address in your intranet does not have to search for the available port or available IP address (Hence, SNAT is faster than MASQUERADE) does not have to search for the available port or available IP address (Hence, SNAT is faster than MASQUERADE) When you have only a few static IP addresses, MASQUERADE is the preferred method. When you have only a few static IP addresses, MASQUERADE is the preferred method.

55 Mateti/PacketFilters55 IPtable Optimization Place loopback rules as early as possible. Place loopback rules as early as possible. Place forwarding rules as early as possible. Place forwarding rules as early as possible. Use the state and connection-tracking modules to bypass the firewall for established connections. Use the state and connection-tracking modules to bypass the firewall for established connections. Combine rules to standard TCP client-server connections into a single rule using port lists. Combine rules to standard TCP client-server connections into a single rule using port lists. Place rules for heavy traffic services as early as possible. Place rules for heavy traffic services as early as possible.

56 Mateti/PacketFilters56 State Matching When tracking connections When tracking connections NEW – for a new connection NEW – for a new connection ESTABLISHED – for packets in an existing connection ESTABLISHED – for packets in an existing connection RELATED – for packets related to an existing connection (ICMP errors, FTP) RELATED – for packets related to an existing connection (ICMP errors, FTP) INVALID – unrelated to existing connections (should drop) INVALID – unrelated to existing connections (should drop)

57 Mateti/PacketFilters57 Stateful Filtering When router keeps track of “connections” When router keeps track of “connections” Accept TCP packets when connection initiated from inside Accept TCP packets when connection initiated from inside Accept UDP packets when part of response to internal request Accept UDP packets when part of response to internal request Also called dynamic as firewall rules change over time Also called dynamic as firewall rules change over time

58 Mateti/PacketFilters58 Stateful Filtering Continued Increases load on router Increases load on router Possible DoS point Possible DoS point Router reboots can drop connections Router reboots can drop connections Difficult to know if/when response coming Difficult to know if/when response coming Remote machine may be down Remote machine may be down Hole opened in any case Hole opened in any case

59 Mateti/PacketFilters59 Stateful Filtering Continued May be able to check for protocol correctness May be able to check for protocol correctness E.g., DNS query to DNS port E.g., DNS query to DNS port Logging Logging Probably don’t want to log every packet Probably don’t want to log every packet Maybe Maybe First First Bad Bad Attacks Attacks

60 Mateti/PacketFilters60 Transparent Proxies Proxy: software setup on firewall machine Proxy: software setup on firewall machine Each client must know how to connect to proxy Each client must know how to connect to proxy Proxy then performs connection and relays information Proxy then performs connection and relays information Only proxy machine needs DNS Only proxy machine needs DNS Squid a likely candidate Squid a likely candidate

61 Mateti/PacketFilters61 Transparent Proxies Continued Another approach: firewall chain intercepts external requests and sends them to proxy Another approach: firewall chain intercepts external requests and sends them to proxy Clients need not know about proxying Clients need not know about proxying Clients do need DNS Clients do need DNS Need proxy for each service Need proxy for each service

62 Mateti/PacketFilters62 Error Codes If deny (reject), ICMP error message sent back If deny (reject), ICMP error message sent back Helps remote machine stop attempting to connect Helps remote machine stop attempting to connect Reduces number of packets Reduces number of packets But: may give too much information to attacker But: may give too much information to attacker

63 Mateti/PacketFilters63 Error Codes Continued Host and network unreachable Host and network unreachable Problem: some OS’s drop all connections to remote machine if received Problem: some OS’s drop all connections to remote machine if received E.g., if connected to web server and attempt to connect to non-existent mail server on same machine, web connection severed E.g., if connected to web server and attempt to connect to non-existent mail server on same machine, web connection severed Also: administratively unreachable Also: administratively unreachable

64 Mateti/PacketFilters64 References Oskar Andreasson, “Iptables Tutorial,” 2003, about 150 pages, iptables-tutorial.frozentux.net/ Oskar Andreasson, “Iptables Tutorial,” 2003, about 150 pages, iptables-tutorial.frozentux.net/iptables-tutorial.frozentux.net/ Comprehensive, but poorly written. Comprehensive, but poorly written. David Coulson, iptables, parts 1 and 2, 2003, about 8 pages, www.davidcoulson.net/writing/lxf/ 38/iptables.pdf ;... /39/iptables.pdf David Coulson, iptables, parts 1 and 2, 2003, about 8 pages, www.davidcoulson.net/writing/lxf/ 38/iptables.pdf ;... /39/iptables.pdfwww.davidcoulson.net/writing/lxf/ 38/iptables.pdf/39/iptables.pdfwww.davidcoulson.net/writing/lxf/ 38/iptables.pdf/39/iptables.pdf Shallow, but well written Shallow, but well written Linux (iptables)http://www.netfilter.org/ Linux (iptables)http://www.netfilter.org/http://www.netfilter.org/ FreeBSD (ipfw)http://www.freebsd.org/ FreeBSD (ipfw)http://www.freebsd.org/http://www.freebsd.org/ OpenBSD (pf) http://www.benzedrine.cx/pf OpenBSD (pf) http://www.benzedrine.cx/pfhttp://www.benzedrine.cx/pf

Download ppt "Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti."

Similar presentations

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Firewalls and Network Address Translation (NAT) Chapter 7.

Firewalls and Network Address Translation (NAT) Chapter 7.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.

IST 201 Chapter 9. TCP/IP Model Application Transport Internet Network Access.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
1 Comnet 2010 Communication Networks Recitation 7 Lookups & NAT.

1 Comnet 2010 Communication Networks Recitation 7 Lookups & NAT.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
1 Firewall & IP Tables. 2 Firewall IP Tables 3 32-4 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system.

1 Firewall & IP Tables. 2 Firewall IP Tables FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system.
Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.

Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Similar presentations

Ads by Google