Presentation is loading. Please wait.

Presentation is loading. Please wait.

Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP.

Published byBuck Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP."— Presentation transcript:

1 Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP

2 Today’s Agenda Introduction TCP/IP Recap Firewall Basics ipchains, iptables (Netfilter) Implementation for home use Implementation for business use Firewall Management Demo

3 Introduction Why need a firewall? –Increased network security –Access Control (Network/Transport Level) –Logging Why Linux? –It’s FREE –Not difficult to use!? –Low hardware cost –Flexible –Lots of features compared with commercial counterpart –Lots of Support!? –Always evolving and improving (thanks to the open source community)

4 TCP/IP Recap: General Info Essentials for configuring a firewall A suite of network protocols that runs on the internet Layered Concept Lower layers provide means of communications for upper layers Key Terms –TCP, UDP, IP, ICMP

5 TCP/IP Recap: Layered Concept Application TCPUDP IP Device Driver Device Driver Application http, ftp, dns, telnet, netbios Ports src, dst eth0, eth1 ICMP

6 TCP/IP Recap: Layered Communication Application TCP/UDP IP Device Driver Device Driver IP Application ClientServer

7 TCP/IP Recap: Layered Concept http TCPUDP IP Device Driver Device Driver ftpNetbios-nsdns 8020,2113753 192.168.0.166 202.252.123.1 eth0eth1

8 TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close

9 TCP/IP Recap: TCP, UDP, IP, ICMP TCP –Stateful communication (Session, Reliable) UDP –Stateless communication (no session, Less reliable, fast) IP –Addressing, routing (best effort) ICMP –Diagnostic (dangerous?)

10 Firewall Basics: What is a Firewall? In simple term, a firewall is: –A device filtering network traffic between 2 (or more) networks Network ANetwork B

11 Firewall Basics: What is NOT a Firewall? A firewall is NOT: –The only thing for security Does not solves other aspect of infosec (eg. human, insiders, mis-configuration) You still have to let traffic in and out –“install and leave it” Need to manage it for the ever-changing network environment Need to monitor it –100% safe Any software has bugs and vulnerabilities, so does any firewall

12 Firewall Basics: Different Types of Firewalls A firewall can be in the form of: –Packet-Filtering Gateway (Today’s focus) –Application Gateway (http proxy, socks server)

13 Firewall Basics: How does it work? Packet filter Inspect packets as they transverse Checks Src-addr, dst-addr, src-ports, dst- ports, flags, session # Perform action (accept, drop) based on a rule (defined by you) Accept Drop

14 ipchains: What is it? A loadable kernel module that performs packet filtering Comes with most Linux distribution Concept of chain: –Input, output, and forward Command or Script (up to you) No Port-forward Port-forward: use with “ipmasqadm portfw”

15 iptables (a.k.a. Netfilter): What is it? Also a loadable kernel module Since kernel 2.4.x Comes with recent distribution Everything of ipchains plus: –Stateful inspection –Port forward (for servers behind firewall) –More customized logging –Improved matching (rate, string matching) More features = more difficult to use

16 ipchains or iptables: Before we begin Make sure the linux O/S is hardened (Not covered here) Applied the latest patch from the distribution you selected Use the most recent version of ipchains or iptables

17 ipchains: Basic Usage I Command Syntax: ipchains –A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]] [-d address [port[:port]] –j [action] -l Useful Option: ! Means “NOT” -l means “log to syslog” -y means “SYN set & ACK clear -> connection initiation” ! –y means “ACK set ->response to initiation, established connection”

18 TCP/IP Recap: TCP 3-way Handshake Client Server SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Passive Open Connection Established Server Close Active Open Connection Established Client Close

19 ipchains: The basic concept Control the input, output, and forward behavior of the interfaces inputeth0 output input eth1output forward

20 ipchains: Using Script Put the script in /etc/rc.d/rc.firewall (just as if you type it on command line) In some distribution, a file is put in /etc/sysconfig/firewall (Note: the syntax is not exactly the same as the command line) Run when firewall boots Good practices: –Only enable ip forward inside the script and after all the rules are defined (ie. At the very end) –run the script before interfaces goes up –make sure the script is owned by root and with mode 700

21 ipchains Tips: Writing Script Use deny for default chain, “-P” –“ipchains –P forward deny” –“ipchains –P input deny” –“ipchains –P output deny” Remember to allow localhost traffic Use variables to assist you: –LOCALNET_1="10.0.0.0/24“ –LOCAL_INTERFACE_1="eth1“ –“ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT”

22 ipchains Tips: REJECT vs. DENY Two choice when blocking packet “REJECT” or “DENY” If “REJECT”, a “ICMP port unreachable” is sent back to the src- addr IF “DENY”, then the packet is just dropped

23 Implementation Tips: Use common Linux distributions –PC with >1 NIC card, hard disk for the O/S –Install and harden O/S –Load module (usually already loaded for default installation –Run script Some Unique Linux distribution –PC without hard disk (use RAM as disk) –Floppyfw, LEAF –Trinux (hardened) –Store your script on floppy or cdrom

24 Implementation for Home: Typical Setup Internet Firewall 1 or more PC’s Cable, ADSL, or Dial-up Modem Aim: Masquerade all out going traffic Allow all outgoing traffic Filter in-coming traffic

25 Home use: firewall-config Use GUI to help you Based on ipchains Most distribution

26 Home use: firestarter Use GUI to help you Rpm package available Based on iptables

27 Home use: firestarter Wizard

28 Home Use: Cable vs. ADSL modem Cable Connection: Use Standard DHCP for external interface Straight forward Set up LAN interfaces using “linuxconf” or “/etc/sysconfig/network-script/ifcfg-eth0” “pump” or “dhcpcd” “pump” has to be fixed by “initscripts- 6.22-1” or the IP address will disappear after the dhcp leasing period Choose “pump” or “dhcpcd” in the script “/etc/sysconfig/network-script/ifup”

29 Home Use: Cable vs. ADSL modem ADSL Connection: NOT Standard DHCP for external interface Usually PPP over Ethernet (pppoE) Use package rp-pppoe to assist you http://www.roaringpenguin.com/pppoe/ Most ADSL connection requires user account Configure the account in “/etc/ppp/pppoe.conf “ When filtering, refer to “pppO” rather than “eth0” Step-by-Step guide for rp-pppoe at http://www.roaringpenguin.com/pppoe/how-to- connect.txthttp://www.roaringpenguin.com/pppoe/how-to- connect.txt

30 Home Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: If Cable: EXTERNAL_INTERFACE="eth0“ IF ADSL: EXTERNAL_INTERFACE=“ppp0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1" Local Network Address: LOCALNET_1="10.0.0.0/24"

31 Home Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for internal and loopback interface: ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

32 Home Use: Step-by-Step Setup - Step 3 Filter incoming traffic towards external interface Done by the default chain “ipchains -P input DENY” But that will disallow all input Need to allow TCP high port traffic that is NOT “connection initiation” (SYN bit not set!) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT

33 What is “! –y” ??? Anyone Your firewall SYN (1000) SYN (2000), ACK (1001) ACK (2001) ACK, [DATA] ACK (2300), FIN (1500) ACK (1501) ACK (1501), FIN (2400) ACK (2401) Connection Established Server Close Active Open Connection Established Client Close

34 Home Use: Step-by-Step Setup - Step 4 Some ports that you have to open DNS Replies ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT FTP data ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT ICMP Replies ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT

35 Home Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward

36 Office Use Don’t rely on GUI GUI may not be flexible enough for you Commands gives you more control Learn it (you or your net admin staff) Put together a firewall script

37 Implementation for Office: Typical Setup 1 Internet Firewall Internal LAN router Aim: Masquerade all out going traffic Filter both in-coming and out-going traffic Port forward incoming traffic for your servers DMZ (servers)

38 Implementation for Office: Typical Setup 2 Firewall Internal LAN 1 Aim: Filter traffic between two networks Internal LAN 2

39 Office Use: Step-by-Step Setup - Step 1 Lay down some essential variables Internet connected interface: EXTERNAL_INTERFACE="eth0“ Loopback interface: LOOPBACK_INTERFACE="lo“ Internal interface: LOCAL_INTERFACE_1="eth1“ LOCAL_INTERFACE_2=“eth2” Network Addresses and servers: LOCALNET_1="10.0.0.0/24“ MAIL_SERVER=“a.a.a.a” WEB_SERVER=“b.b.b.b”

40 Office Use: Step-by-Step Setup - Step 2 Flush any chain that is running: ipchains -F Apply the Default Filter: ipchains -P forward DENY ipchains -P input DENY Ipchains –P output DENY Masquerade all out-going traffic: ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE Allow all traffic for loopback interface: ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

41 Office Use: Step-by-Step Setup - Step 3 Filter traffic for LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE base on EACH service you allow: Example http and dns service: ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 - j ACCEPT ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE - j ACCEPT ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT

42 Office Use: Step-by-Step Setup - Step 4 Port forwarding to your servers Need “ipmasqadm” Example, web server: ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80 ipchains -A input -s $ANYWHERE –d $EXTERNAL_WEB_IP -p tcp -- destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT

43 Office Use: Step-by-Step Setup - Final Step Enable IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward

44 Troubleshooting Tips Don’t panic when it doesn’t work Use “-l” (logging) to help you Logs are logged in syslog Location: –/var/log/messages Use this command to view traffic as they pass along: –#tail –f /var/log/messages Can also use tcpdump or snoop to help you

45 Firewall Management: Building Rules gfcc For ipchains Provides good rules management

46 Firewall Management: View Current MASQ sessions gfcc View current masquerading sessions

47 Firewall Management: Build your rules online! http://www.linux-firewall- tools.com/linux/firewal l/index.html

48 Firewall Management: Viewing Logs Firestarter Real-time “hit- list” showing the blocked traffic

49 Firewall Management: Log Analyzer fwlogwatch http://cert.uni- stuttgart.de/project s/fwlogwatch/http://cert.uni- stuttgart.de/project s/fwlogwatch/ Generate html report Real time reporting Some customization work

50 Firewall Management: What’s missing? Enterprise level – multiple firewall Rules building, use: –Scp (secure copy) –X-window (need proper access control) Log management, use: –Various syslog tools

51 Good References: Books TCP/IP Illustrated (All time classic) –By W. Richard Stevens Firewall and Internet Security (All time classic) –By William R. Cheswick, Steven M. Bellovin Linux Firewall –By Robert L. Ziegler

52 Good References: Sites SANS: Choosing a firewall http://www.sans.org/infosecFAQ/firewall/best.htm Robert L. Ziegler Site: http://www.linux-firewall- tools.com/linux/firewall/index.htmlhttp://www.linux-firewall- tools.com/linux/firewall/index.html ipchains HOW-TO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html Netfilter project and iptables HOW-TO: http://netfilter.samba.org/ http://netfilter.samba.org/unreliable-guides/packet- filtering-HOWTO/index.htmlhttp://netfilter.samba.org/unreliable-guides/packet- filtering-HOWTO/index.html Robert Graham, analyzing firewall logs: http://www.robertgraham.com/pubs/firewall-seen.html

53 END of Linux Firewall For the Office and Home Thank You! Email: matthew.tam@pisa.org.hk

Download ppt "Linux Firewall For the Office and Home Nov 17, 2001 Matthew Tam, CISSP."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.

Linux Networking TCP/IP stack kernel controls the TCP/IP protocol Ethernet adapter is hooked to the kernel in with the ipconfig command ifconfig sets the.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
Ipchains A packet-filtering Firewalls supported by Linux distributions.

Ipchains A packet-filtering Firewalls supported by Linux distributions.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
M2M Gateway Features Jari Lahti, CTO www.violasystems.com.

M2M Gateway Features Jari Lahti, CTO
1 Configuring Linksys Wireless Router Prof. Valencia Community College.

1 Configuring Linksys Wireless Router Prof. Valencia Community College.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Advanced Networking for DVRs

Advanced Networking for DVRs
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

Similar presentations

Ads by Google