Linux Firewall - PowerPoint PPT Presentation

About This Presentation
Title:

Linux Firewall

Description:

ACK (1501), FIN (2400) ACK (2401) Passive Open. Connection ... tail f /var/log/messages. Can also use tcpdump or snoop to help you. Firewall Management: ... – PowerPoint PPT presentation

Slides: 54
Provided by: mar85
Category:
Tags: firewall | linux


Transcript and Presenter's Notes

Title: Linux Firewall


1
Linux Firewall: For the Office and Home
Nov 17, 2001, Matthew Tam, CISSP
2
Today's Agenda
  • Introduction
  • TCP/IP Recap
  • Firewall Basics
  • ipchains, iptables (Netfilter)
  • Implementation for home use
  • Implementation for business use
  • Firewall Management
  • Demo

3
Introduction
  • Why do you need a firewall?
      • Increased network security
      • Access Control (Network/Transport Level)
      • Logging
  • Why Linux?
      • It's FREE
      • Not difficult to use!?
      • Low hardware cost
      • Flexible
      • Lots of features compared with commercial
        counterparts
      • Lots of Support!?
      • Always evolving and improving (thanks to the open
        source community)

4
TCP/IP Recap: General Info
  • Essentials for configuring a firewall
  • A suite of network protocols that runs on the
    internet
  • Layered Concept
      • Lower layers provide the means of communication for
        upper layers
  • Key Terms
      • TCP, UDP, IP, ICMP

5
TCP/IP Recap: Layered Concept
  • http, ftp, dns, telnet, netbios
  • Ports
  • src, dst
  • eth0, eth1

(Diagram: protocol stack; four Application boxes over TCP and UDP, over IP and ICMP, over two Device Driver boxes)
6
TCP/IP Recap: Layered Communication

(Diagram: Client and Server stacks side by side, Application over TCP/UDP over IP over Device Driver on each side)
7
TCP/IP Recap: Layered Concept

(Diagram: worked example of the stack; http on port 80 and ftp on ports 20,21 over TCP, Netbios-ns on port 137 and dns on port 53 over UDP, IP addresses 192.168.0.166 and 202.252.123.1, Device Drivers eth0 and eth1)
8
TCP/IP Recap: TCP 3-way Handshake

(Diagram: message sequence between Client and Server; the numbers are sequence/acknowledgement numbers)
  Server: Passive Open; Client: Active Open
  Client -> Server: SYN (1000)
  Server -> Client: SYN (2000), ACK (1001)
  Client -> Server: ACK (2001)
  Connection Established (both sides)
  ACK, DATA (data exchange)
  Client -> Server: ACK (2300), FIN (1500)   [Client Close]
  Server -> Client: ACK (1501)
  Server -> Client: ACK (1501), FIN (2400)   [Server Close]
  Client -> Server: ACK (2401)
9
TCP/IP Recap: TCP, UDP, IP, ICMP
  • TCP
      • Stateful communication (Session, Reliable)
  • UDP
      • Stateless communication (no session, Less
        reliable, fast)
  • IP
      • Addressing, routing (best effort)
  • ICMP
      • Diagnostic (dangerous?)

10
Firewall Basics: What is a Firewall?
  • In simple terms, a firewall is
      • A device filtering network traffic between 2 (or
        more) networks

(Diagram: Firewall sitting between Network A and Network B)
11
Firewall Basics: What is NOT a Firewall?
  • A firewall is NOT
      • The only thing for security
          • Does not solve other aspects of infosec (eg.
            human, insiders, mis-configuration)
          • You still have to let traffic in and out
      • Install and leave it
          • Need to manage it for the ever-changing network
            environment
          • Need to monitor it
      • 100% safe
          • Any software has bugs and vulnerabilities, so
            does any firewall

12
Firewall Basics: Different Types of Firewalls
  • A firewall can be in the form of
      • Packet-Filtering Gateway (Today's focus)
      • Application Gateway (http proxy, socks server)

13
Firewall Basics: How does it work?
  • Packet filter
      • Inspects packets as they traverse the firewall
      • Checks src-addr, dst-addr, src-ports, dst-ports,
        flags, session
      • Performs an action (accept, drop) based on a rule
        (defined by you)

(Diagram: packet filter with two outcomes, Accept and Drop)
14
ipchains: What is it?
  • A loadable kernel module that performs packet
    filtering
  • Comes with most Linux distributions
  • Concept of chains
      • Input, output, and forward
  • Command or Script (up to you)
  • No Port-forward
      • For port-forwarding use ipmasqadm portfw

15
iptables (a.k.a. Netfilter): What is it?
  • Also a loadable kernel module
  • Since kernel 2.4.x
  • Comes with recent distributions
  • Everything of ipchains plus
      • Stateful inspection
      • Port forward (for servers behind firewall)
      • More customized logging
      • Improved matching (rate, string matching)
  • More features, more difficult to use

16
ipchains or iptables: Before we begin
  • Make sure the Linux O/S is hardened (Not covered
    here)
  • Apply the latest patches from the distribution
    you selected
  • Use the most recent version of ipchains or
    iptables

17
ipchains: Basic Usage I
  • Command Syntax
      • ipchains -A/-I chain -i interface
        -p protocol -y -s address port:port
        -d address port:port -j action -l
  • Useful Options
      • ! means NOT
      • -l means log to syslog
      • -y means SYN set, ACK clear -> connection
        initiation
      • ! -y means ACK set -> response to initiation,
        established connection

18
TCP/IP Recap: TCP 3-way Handshake

(Diagram: the same TCP 3-way handshake and close sequence as on slide 8, repeated)
19
ipchains: The basic concept
  • Control the input, output, and forward behavior
    of the interfaces

(Diagram: eth0 and eth1, each with an input and an output chain, with the forward chain between them)
20
ipchains: Using a Script
  • Put the script in /etc/rc.d/rc.firewall (just as
    if you typed it on the command line)
  • In some distributions, a file is put in
    /etc/sysconfig/firewall (Note the syntax is not
    exactly the same as the command line)
  • Run when the firewall boots
  • Good practices
      • Only enable IP forwarding inside the script, and
        after all the rules are defined (ie. at the very
        end)
      • Run the script before the interfaces go up
      • Make sure the script is owned by root and has
        mode 700

21
ipchains Tips: Writing Scripts
  • Use DENY as the default policy of each chain, -P
      • ipchains -P forward DENY
      • ipchains -P input DENY
      • ipchains -P output DENY
  • Remember to allow localhost traffic
  • Use variables to assist you
      • LOCALNET_1="10.0.0.0/24"
      • LOCAL_INTERFACE_1="eth1"
      • ipchains -A output -i $LOCAL_INTERFACE_1 -j
        ACCEPT

22
ipchains Tips: REJECT vs. DENY
  • Two choices when blocking a packet: REJECT or
    DENY
      • If REJECT, an ICMP port unreachable is sent
        back to the src-addr
      • If DENY, the packet is just dropped

23
Implementation Tips
  • Use common Linux distributions
      • PC with >1 NIC card, hard disk for the O/S
      • Install and harden the O/S
      • Load the module (usually already loaded in a default
        installation)
      • Run the script
  • Some unique Linux distributions
      • PC without hard disk (use RAM as disk)
      • Floppyfw, LEAF
      • Trinux (hardened)
      • Store your script on floppy or cdrom

24
Implementation for Home: Typical Setup

(Diagram: Internet - Cable, ADSL, or Dial-up Modem - Firewall - 1 or more PCs)
  • Aim
      • Masquerade all outgoing traffic
      • Allow all outgoing traffic
      • Filter incoming traffic

25
Home use: firewall-config
  • Use a GUI to help you
  • Based on ipchains
  • Most distributions

26
Home use: firestarter
  • Use a GUI to help you
  • RPM package available
  • Based on iptables

27
Home use: firestarter
  • Wizard

28
Home Use: Cable vs. ADSL modem
  • Cable Connection
      • Uses standard DHCP for the external interface
      • Straightforward
      • Set up LAN interfaces using linuxconf or
        /etc/sysconfig/network-scripts/ifcfg-eth0
      • pump or dhcpcd
          • pump has to be fixed by initscripts-6.22-1 or
            the IP address will disappear after the DHCP
            lease period
          • Choose pump or dhcpcd in the script
            /etc/sysconfig/network-scripts/ifup

29
Home Use: Cable vs. ADSL modem
  • ADSL Connection
      • NOT standard DHCP for the external interface
      • Usually PPP over Ethernet (PPPoE)
      • Use the package rp-pppoe to assist you
          • http://www.roaringpenguin.com/pppoe/
      • Most ADSL connections require a user account
          • Configure the account in /etc/ppp/pppoe.conf
      • When filtering, refer to ppp0 rather than
        eth0
      • Step-by-Step guide for rp-pppoe at
          • http://www.roaringpenguin.com/pppoe/how-to-connect.txt

30
Home Use: Step-by-Step Setup - Step 1
  • Lay down some essential variables
      • Internet connected interface
          • If Cable: EXTERNAL_INTERFACE="eth0"
          • If ADSL: EXTERNAL_INTERFACE="ppp0"
      • Loopback interface
          • LOOPBACK_INTERFACE="lo"
      • Internal interface
          • LOCAL_INTERFACE_1="eth1"
      • Local Network Address
          • LOCALNET_1="10.0.0.0/24"

31
Home Use: Step-by-Step Setup - Step 2
  • Flush any chain that is running
      • ipchains -F
  • Apply the default policy
      • ipchains -P forward DENY
      • ipchains -P input DENY
  • Masquerade all outgoing traffic
      • ipchains -A forward -s $LOCALNET_1 -j MASQ -i
        $EXTERNAL_INTERFACE
  • Allow all traffic for the internal and loopback
    interfaces
      • ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
      • ipchains -A output -i $LOCAL_INTERFACE_1 -j
        ACCEPT
      • ipchains -A input -i $LOOPBACK_INTERFACE -j
        ACCEPT
      • ipchains -A output -i $LOOPBACK_INTERFACE -j
        ACCEPT

32
Home Use: Step-by-Step Setup - Step 3
  • Filter incoming traffic towards the external
    interface
      • Done by the default policy: ipchains -P input
        DENY
      • But that will disallow all input
      • Need to allow TCP high-port traffic that is NOT
        a connection initiation (SYN bit not set!)
      • ipchains -A input -i $EXTERNAL_INTERFACE -p tcp !
        -y --destination-port 1024:65535 -j ACCEPT

33
What is ! -y ???

(Diagram: the handshake and close sequence from slide 8, with Anyone as the client doing the Active Open and Your firewall as the server; only the first SYN (1000) has SYN set and ACK clear, which is what -y matches, and every later packet has ACK set, which is what ! -y matches)
34
Home Use: Step-by-Step Setup - Step 4
  • Some ports that you have to open
      • DNS Replies
          • ipchains -A input -i $EXTERNAL_INTERFACE -p tcp !
            -y --source-port 53 -j ACCEPT
          • ipchains -A input -i $EXTERNAL_INTERFACE -p udp
            --source-port 53 -j ACCEPT
      • FTP data (active-mode data connections come from server port 20)
          • ipchains -A input -i $EXTERNAL_INTERFACE -p tcp
            --source-port 20 -j ACCEPT
      • ICMP Replies
          • ipchains -A input -i $EXTERNAL_INTERFACE -p icmp
            --icmp-type echo-reply -j ACCEPT
          • ipchains -A input -i $EXTERNAL_INTERFACE -p icmp
            --icmp-type destination-unreachable -j ACCEPT
          • ipchains -A input -i $EXTERNAL_INTERFACE -p icmp
            --icmp-type time-exceeded -j ACCEPT

35
Home Use: Step-by-Step Setup - Final Step
  • Enable IP forwarding
      • echo "1" > /proc/sys/net/ipv4/ip_forward
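The five home-use steps assembled into the rc.firewall script the slides describe, added here as an example and not part of the original deck. It assumes the Step 1 variable names plus UNPRIV_PORTS for the high-port range, and it matches FTP data on source port 20 because active-mode data connections originate from the server's port 20.

```shell
#!/bin/sh
# Added example (not from the slides): home-use rules of Steps 1-5 as one
# /etc/rc.d/rc.firewall-style script.  Without --apply it only prints the
# rules, so the set can be reviewed before it touches an ipchains (2.2) kernel.
EXTERNAL_INTERFACE="eth0"        # cable; use "ppp0" on an ADSL (rp-pppoe) link
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
LOCALNET_1="10.0.0.0/24"
UNPRIV_PORTS="1024:65535"        # assumed name for the high-port range of Step 3

# Every rule goes through run(): print mode echoes the command, apply mode runs it.
run() { if [ "$FW_MODE" = "print" ]; then echo "$*"; else "$@"; fi; }

home_firewall() {
    FW_MODE="${1:-apply}"
    # Step 2: start from an empty rule set and deny by default
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -P input DENY
    # Masquerade everything from the LAN that leaves through the external interface
    run ipchains -A forward -s "$LOCALNET_1" -j MASQ -i "$EXTERNAL_INTERFACE"
    # Trust the internal and loopback interfaces completely
    for ifc in "$LOCAL_INTERFACE_1" "$LOOPBACK_INTERFACE"; do
        run ipchains -A input  -i "$ifc" -j ACCEPT
        run ipchains -A output -i "$ifc" -j ACCEPT
    done
    # Step 3: inbound TCP to high ports only with SYN clear (! -y), i.e. replies
    # to connections the LAN opened, never new connections from outside
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y --destination-port "$UNPRIV_PORTS" -j ACCEPT
    # Step 4: DNS replies; active-mode FTP data arrives FROM server port 20 and
    # carries SYN, so it is matched on source port; ICMP needed for diagnostics
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y --source-port 53 -j ACCEPT
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 -j ACCEPT
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --source-port 20 --destination-port "$UNPRIV_PORTS" -j ACCEPT
    for t in echo-reply destination-unreachable time-exceeded; do
        run ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Final step, and only now: enable forwarding after every rule is in place
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

case "${1:-}" in
    --apply) home_firewall apply ;;   # needs root and an ipchains-capable kernel
    *)       home_firewall print ;;
esac
```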

36
Office Use
  • Don't rely on a GUI
      • A GUI may not be flexible enough for you
      • Commands give you more control
  • Learn it (you or your net admin staff)
  • Put together a firewall script

37
Implementation for Office: Typical Setup 1

(Diagram: Internet - router - Firewall, with the Internal LAN and a DMZ (servers) behind it)
  • Aim
      • Masquerade all outgoing traffic
      • Filter both incoming and outgoing traffic
      • Port forward incoming traffic for your servers

38
Implementation for Office: Typical Setup 2

(Diagram: Firewall between Internal LAN 1 and Internal LAN 2)
  • Aim
      • Filter traffic between two networks

39
Office Use: Step-by-Step Setup - Step 1
  • Lay down some essential variables
      • Internet connected interface
          • EXTERNAL_INTERFACE="eth0"
      • Loopback interface
          • LOOPBACK_INTERFACE="lo"
      • Internal interfaces
          • LOCAL_INTERFACE_1="eth1"
          • LOCAL_INTERFACE_2="eth2"
      • Network addresses and servers
          • LOCALNET_1="10.0.0.0/24"
          • MAIL_SERVER="a.a.a.a"
          • WEB_SERVER="b.b.b.b"

40
Office Use: Step-by-Step Setup - Step 2
  • Flush any chain that is running
      • ipchains -F
  • Apply the default policy
      • ipchains -P forward DENY
      • ipchains -P input DENY
      • ipchains -P output DENY
  • Masquerade all outgoing traffic
      • ipchains -A forward -s $LOCALNET_1 -j MASQ -i
        $EXTERNAL_INTERFACE
  • Allow all traffic for the loopback interface
      • ipchains -A input -i $LOOPBACK_INTERFACE -j
        ACCEPT
      • ipchains -A output -i $LOOPBACK_INTERFACE -j
        ACCEPT

41
Office Use: Step-by-Step Setup - Step 3
  • Filter traffic for LOCAL_INTERFACE_1 and
    EXTERNAL_INTERFACE based on EACH service you
    allow
  • Example: http and dns services
      • ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p
        tcp --destination-port 80 -i $LOCAL_INTERFACE_1
        -j ACCEPT
      • ipchains -A output -s $ANYWHERE -p tcp
        --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
      • ipchains -A input -s $ANYWHERE -p tcp
        --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
      • ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p
        tcp --destination-port 80 -i $EXTERNAL_INTERFACE
        -j ACCEPT
      • ipchains -A input -p udp --destination-port 53 -i
        $LOCAL_INTERFACE_1 -j ACCEPT
      • ipchains -A output -p udp --destination-port 53
        -i $LOCAL_INTERFACE_1 -j ACCEPT
      • ipchains -A input -p udp --destination-port 53 -i
        $EXTERNAL_INTERFACE -j ACCEPT
      • ipchains -A output -p udp --destination-port 53
        -i $EXTERNAL_INTERFACE -j ACCEPT

42
Office Use: Step-by-Step Setup - Step 4
  • Port forwarding to your servers
      • Needs ipmasqadm
  • Example: web server
      • ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80
        -R $WEB_SERVER 80
      • ipchains -A input -s $ANYWHERE -d
        $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i
        $EXTERNAL_INTERFACE -j ACCEPT
      • ipchains -A output -p tcp --destination-port 80 -i
        $LOCAL_INTERFACE_2 -j ACCEPT
      • ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p
        tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j
        ACCEPT
      • ipchains -A output -p tcp --source-port 80 -i
        $EXTERNAL_INTERFACE -j ACCEPT

43
Office Use: Step-by-Step Setup - Final Step
  • Enable IP forwarding
      • echo "1" > /proc/sys/net/ipv4/ip_forward

44
Troubleshooting Tips
  • Don't panic when it doesn't work
  • Use -l (logging) to help you
      • Logs go to syslog
      • Location: /var/log/messages
      • Use this command to view traffic as it passes
        along
          • tail -f /var/log/messages
  • Can also use tcpdump or snoop to help you

45
Firewall Management: Building Rules
  • gfcc
      • For ipchains
      • Provides good rules management

46
Firewall Management: View Current MASQ sessions
  • gfcc
      • View current masquerading sessions

47
Firewall Management: Build your rules online!
  • http://www.linux-firewall-tools.com/linux/firewall/index.html

48
Firewall Management: Viewing Logs
  • Firestarter
      • Real-time hit-list showing the blocked traffic

49
Firewall Management: Log Analyzer
  • fwlogwatch
      • http://cert.uni-stuttgart.de/projects/fwlogwatch/
      • Generates HTML reports
      • Real-time reporting
      • Some customization work

50
Firewall Management: What's missing?
  • Enterprise-level management of multiple firewalls
      • Rules building: use
          • scp (secure copy)
          • X-window (need proper access control)
      • Log management: use
          • Various syslog tools

51
Good References: Books
  • TCP/IP Illustrated (All time classic)
      • By W. Richard Stevens
  • Firewalls and Internet Security (All time classic)
      • By William R. Cheswick, Steven M. Bellovin
  • Linux Firewalls
      • By Robert L. Ziegler

52
Good References: Sites
  • SANS: Choosing a firewall
      • http://www.sans.org/infosecFAQ/firewall/best.htm
  • Robert L. Ziegler's Site
      • http://www.linux-firewall-tools.com/linux/firewall/index.html
  • ipchains HOW-TO
      • http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
  • Netfilter project and iptables HOW-TO
      • http://netfilter.samba.org/
      • http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
  • Robert Graham, analyzing firewall logs
      • http://www.robertgraham.com/pubs/firewall-seen.html

53
END of Linux Firewall: For the Office and Home
Thank You! Email: matthew.tam_at_pisa.org.hk