Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Filtering and Firewall

Published byMartina Hodges Modified over 9 years ago

Similar presentations

Presentation on theme: "Packet Filtering and Firewall"— Presentation transcript:

1 Packet Filtering and Firewall

2 What is a packet filter A piece of software which looks at the header of packets as they pass through and decides its fate DROP ACCEPT Or something more complicated. Under Linux, packet filtering is built into the kernel.

3 Functions of Packet Filter
Control Allow only those packets that you are interested to pass through. Security Reject packets from malicious outsiders Ping of death telnet from outside Watchfulness Log packets to/from outside world

4 Packet Filter under Linux
1st generation ipfw (from BSD) 2nd generation ipfwadm (Linux 2.0) 3rd generation ipchains (Linux 2.2) 4th generation iptable (Linux 2.4) In this lecture, we will concentrate on iptable.

5 iptable Kernel starts with three lists of rules called (firewall) chains. INPUT OUTPUT FORWARD Each rule say “if the packet header looks like this, then here’s what to do”. If the rule doesn’t match the packet, then the next packet will be consulted.

6 Forward Routing Decision Input Output Local Process

7 If it’s destined for this box
When a packet comes in, the kernel first looks at the destination of the packet: this is called routing. If it’s destined for this box Passes downwards in the diagram To INPUT chain If it passes, any processes waiting for that packet will receive it. Otherwise go to step 3 Forward Input Output Routing Decision Local Process

8 If forwarding is not enabled
Input Output Routing Decision Local Process If forwarding is not enabled The packet will be dropped If forwarding is enable and the packet is destined for another network interface. The packet goes rightwards on our diagram to the FORWARD chain. If it is accepted, it will be sent out. Packets generated from local process pass to the OUPUT chain immediately. If its says accept, the packet will be sent out.

9 Usage SYNOPSIS iptables -[ADC] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -[LFZ] [chain] [options] iptables -[NX] chain iptables -P chain target [options] iptables -E old-chain-name new-chain-name

10 -N Create a new chain -X Delete an empty chain -P Change the policy for a built-in chain -L List the rules in a chain -F Flush the rules out of a chain -Z Zero the packet and byte counters on all rules in a chain Operations to manage whole chains

11 -A Append a new rule to a chain -I Insert a new rule at some position in a chain -R Replace a rule at some position in a chain -D Delete a rule at some position in a chain Delete the first rule that matches in a chain Manipulate rules inside a chain

12 A simple experiment Drop all ICMP packets coming from the IP address # ping -c PING ( ): 56 data bytes 64 bytes from : icmp_seq=0 ttl=64 time=0.2 ms ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.2 ms # iptables -A INPUT -s p icmp -j DROP 1 packets transmitted, 0 packets received, 100% packet loss #

13 Filtering Specifications
Specifying Source and Destination IP address Source -s, --source or –src Destination -d, --destination or –dst IP address can be specified in four ways. Full name (e.g. IP address (e.g )

14 Group specification (e.g. 199.95.207.0/24)
Specifying Inversion Many flags, including the ‘–s’ and ‘–d’ flags can have their arguments preceded by ‘!’ (not). Match address NOT equal to the ones given. E.g. ‘-s ! localhost’ matches any packet not coming from localhost.

15 Specifying an Interface
Physical device for packets to come in -i, --in-interface Physical device for packets to go out -o, --out-interface Packets traversing the INPUT chain don’t have an output interface Rule using ‘-o’ in this chain will never match. Packets traversing the OUPUT chain don’t have an input interface Rule using ‘-i’ in this chain will never match.

16 Specifying Protocol The protocol can be specified with the ‘-p’ flag.
Protocol can be a number if you know the numeric protocol values for IP. Protocol can be a name for special cases of TCP UDP ICMP Case insensitive (e.g. tcp works as well as TCP) Can be prefixed by a ‘!’, e.g. ‘–p ! TCP’

17 Specifying Fragments Sometimes a packet is too large
Divided into fragments Sent as multiple packets. IP header contains in the first segment only. Impossible to look inside the packet for protocol headers such as TCP, UDP, ICMP. This means that the first fragment is treated like any other packet. Second and further fragments won’t be.

18 E.g. The following rule will drop any fragments going to 192.168.1.1
E.g ‘-p TCP -sport www’ (specifying a source port of ‘www’), will never match a fragment other than the first fragment. You can specify a rule specifically for second and further fragments, using the ‘-f’ (or –fragment) flag. E.g. The following rule will drop any fragments going to # iptables -A OUTPUT -f -d j DROP

19 TCP extensions Automatically loaded if ‘--protocol tcp’ is specified.
--tcp-flags Allows you to filter on specific TCP flags. The first string of flags is the mask The second string of flags tells which one(s) should be set. E.g. # iptables -A INPUT –protocol tcp –tcp-flags ALL SYN,ACK –j DROP

20 --syn --source-port Indicates that all flags should be examined
ALL is synonymous with ‘SYN,ACK,FIN,RST,URG,PSH’ But only SYN and ACK should be set. There is also an argument ‘NONE’ meaning no flags. --syn Optionally preceded by a ‘!’. Shorthand for --tcp-flags SYN,RST,ACK SYN’. --source-port Single port or range of ports Can be specified by names listed in /etc/services

21 --destination-port or --dport --tcp-option
--sport Synonymous with ‘--source-port’. --destination-port or --dport Specify the destination port. --tcp-option Followed by an optional ‘!’ and a number. Matches a packet with a TCP option equaling that number. E.g. Specify TCP connection attempts from -p TCP –s syn

22 UDP Extensions ICMP Extensions
Loaded if ‘--protocol udp’ is specified. Provides the following options --source-port --sport --destination-port --dport ICMP Extensions Loaded if ‘--protocol icmp’ is specified. --icmp-type Specify ICMP type (numeric type or name)

23 Other Match Extension Invoked with the ‘-m’ option. Mac Limit
Specified with ‘-m mac’ or –match mac’ Used for matching incoming packet's source Ethernet address. (MAC). Only one option ‘--mac-source’ E.g. –mac-source 00:60:08:91:CC:B7 Limit Specified with ‘-m limit’ or --match limit’. Restrict the rate of matches, such as for suppressing log messages.

24 Two options --limit --limit-burst
Followed by a number Specifies the maximum average number of matches to allow per second. Can specify other unit such as ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’. E.g. --limit 5/second or --limit 5/s --limit-burst Followed by a number. The maximum initial number of packets to match. This number gets recharged by one every time the limit specified above is not reached. Often used with the LOG target. Default 3 matches per hour, with a burst of 5 E.g. iptables –A FORWARD –m limit –j LOG

25 State Match Specifying ‘-m state’ allows an additional
‘--state’ option. NEW A packet which creates a new connection. ESTABLISHED A packet which belongs to an existing connection RELATED A packet which is related to, but not part of, an existing connection such as ICMP error. INVALID A packet which could not be identified for some reasons.

26 Target Specifications
Two built-in targets DROP ACCEPT Extensions LOG --log-level Specify the level of log 0 to 7. --log-prefix Followed by a string up to 14 chars Sent at the start of the log REJECT DROP + send an ICMP port unreachable error message

27 User-defined chains User can create new chains.
By convention, user-defined chains are lower-case. Packet matches rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain. If that chain doesn’t decide the fate of the packet, then once traversal of that chain has finished, traversal resumes on the next rule on the current chain.

28 User-defined chains can jump to other user-defined chains.
INPUT test Rule1: -p ICMP –j DROP Rule1: -s Rule2: -p TCP –j test Rule2: -d Rule3: -p UDP –j DROP User-defined chains can jump to other user-defined chains. Your packets will be dropped if they are found to be in a Loop.

29 Network Address Translation
We are not going to cover NAT in details. I just show an example here for redirecting ICMP echo request. Iptables can also achieve masquerading for internet sharing, port forwarding etc. Please find out the details yourself. iptables -A PREROUTING -t nat -p icmp -d \ -j DNAT --to

30 Firewall A firewall is a computer system dedicated to ‘isolate’ a LAN from the Internet. It is at the entry point of the LAN it protects. It inspect and make decisions about all incoming packets before it reaches other parts of the system. Outgoing traffic may also be inspected and/or blocked.

31 A firewall can be a simple packet filter.
It can also be an enormously complex computer system with extensive logging systems, intrusion detection systems. Nowadays, it is easy to download a free firewall that can be run on your Linux or Unix system.

32 These firewall usually provides good interface to specify rules to
Block particular incoming connections from systems outside your LAN. Block all connections to or from certain systems you distrust. Allow and ftp services, but block dangerous services like TFTP, RPC, rlogin etc. Block certain type of packets.

33 References Rusty Russell, “Linux 2.4 Packet Filtering HOWTO”, it can be found in many web achieve.

34 Remarks We haven’t covered all the functions of iptables yet.
You are encourage to read The manual of iptables Rusty Russell, “NAT-HOWTO” Rusty Russel, “netfilter-hacking-HOWTO

Download ppt "Packet Filtering and Firewall"

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti.

Mateti/PacketFilters1 Packet Filtering Prabhaker Mateti Prabhaker Mateti.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.

1 Computer System Evolution Central Data Processing System: - with directly attached peripherals (card reader, magnetic tapes, line printer). Local Area.
Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.

Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 ICMP : Internet Control Message Protocol Computer Network System Sirak Kaewjamnong.

1 ICMP : Internet Control Message Protocol Computer Network System Sirak Kaewjamnong.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College

CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College

Similar presentations

Ads by Google