Using IPChains - PowerPoint PPT Presentation

1 / 16

About This Presentation

Title:

Using IPChains

Description:

Number of Views:32

Avg rating:3.0/5.0

Slides: 17

Provided by: sriramsr

Category:

Tags: firewalling | ipchains | using

Transcript and Presenter's Notes

Title: Using IPChains

1
Using IPChains

2
Introduction

Linux ipchains is a rewrite of the Linux IPv4
firewalling code. It is required to administer
the IP packet filters in Linux kernel versions
2.1.102 and above.
The older Linux firewalling code doesn't deal
with fragments, has 32-bit counters (on Intel at
least), doesn't allow specification of protocols
other than TCP, UDP or ICMP, can't make large
changes atomically, and can't specify inverse
rules. It can also be tough to manage (making it
prone to user error).
Currently the code is in the mainstream kernel
from 2.1.102

3
Basics of Packet Filtering

The underlying principle of a packet filter is to
look at the header of an incoming packet and
decide the following course of action. Options
include Accept (allow it to pass), Deny (discard
it), and Reject (like denying, but with a
notification sent to the originator).
If your kernel does not contain the file
/proc/net/ip_fwchains, then you will need to
create it, using the following procedure
CONFIG_FIREWALLy
CONFIG_IP_FIREWALLy
ipchains replaces ipfwadm, which was used for the
old IP Firewall code.

4
Packet Filtering (contd.)

The ipchains tool inserts and deletes rules from
the kernel's packet filtering section.
As any firewall setup is stored in the kernel, it
is lost upon reboot. The options ipchains-save
and ipchains-restore make your rules permanent.
To do this, run (as root)
ipchains-save gt /etc/ipchains.rules

5
Private Networks Masquerading

Masquerading is a special kernel facility by
which the firewall rewrites outgoing packets to
look like they are coming from the firewall
itself.
It is matched by a process of de-masquerading,
which then rewrites the corresponding replies to
address them to the originator.

6
Packet Traversal of Filters

A Firewall Chain or a Chain is simply a list
of rules.
The kernel starts with three such Chains,
namely, Input, Output, and Forward.
When a packet enters (for example, through the
ethernet card), the kernel uses the Input Chains
set of rules to decide its fate.
If it is intended for another machine, it
consults the rules described in the Forward
Chain. Similarly, it consults the output chain
when the packet is to be sent out.

7
Packet Traversal of Filters (contd.)

As mentioned earlier, a Chain is no more than a
set of rules. Simplistically put, each rule
merely indicates to the kernel that if the
packet header matches this, then do the following
with that packet.
If a rule is not matched, then the next rule in
the chain is consulted, and so on.
In the event that no such condition is fulfilled,
there is a Chain Policy (a default action of
sorts) which tells the kernel what to do next. In
most cases, such packets are rejected or denied.

8
Stages of Filtering

9
Manipulating your own Chains

You start with 3 default Chains (Input, Output,
Forwarding) which cannot be deleted. Apart from
those, the following operations are allowed
Create a new chain (-N).
Delete an empty chain (-X).
Change the policy for a built-in chain. (-P).
List the rules in a chain (-L).
Flush the rules out of a chain (-F).
Zero the packet and byte counters on all rules in
a chain (-Z).

10
Manipulating Chains (contd.)

To Manipulate rules within a chain, the
following operations are possible
Append a new rule to a chain (-A).
Insert a new rule at some position in a chain
(-I).
Replace a rule at some position in a chain (-R).
Delete a rule at some position in a chain (-D).
Delete the first rule that matches in a chain
(-D).
Note There are also options to view and
manipulate masqueradingrelated features.

11
An Example with a Single Rule

Goal to block all ICMP Protocol packets from the
address 127.0.0.1
This is a useful test tool. 127.0.0.1 is the
loopback interface, and an ICMP 8 is an echo
request (the echo response is ICMP 0). Thus, we
can test this rule by sending a ping to 127.0.0.1

12
Result

13
Filtering Specifications

-p for protocol
-s for Source IP Address (you can also do this by
specifying the host name). A numerical range of
IP Addresses may also be used.
-d will do the same as s, but using a
destination IP Address.
-h for ICMP Type and Code
-i for interface

14
Handling Fragments

Very often, an incoming packet will be fragmented
and later reassembled, if the original packet is
very large.
However, some of the specifications earlier
require viewing the start of a packet, which is
only in the first fragment. If a packet does
not have the matching sequence, then it does not
pass the rule. This often poses a problem.
Rules using a fragment flag (-f or !...-f) may be
used. The only drawback is that other malformed
packets will be treated as fragments.

15
After-Effects of Filtering

Once a packet has matched a rule, the following
things may happen
The byte counter for that rule is increased by
the size of the packet (header inclusive).
The packet counter for that rule is incremented.
If the rule requests it, the packet is logged.
If the rule requests it, the packet's Type Of
Service field is changed.
If the rule requests it, the packet is marked
(not in 2.0 kernel series).
The rule target is examined to decide what to do
to the packet next.

16
Specifying a Target

The possible targets are as follows
ACCEPT accepts the packet
REJECT drops the packet and notifies the sender
DENY simply discards the packet.
MASQ masquerades the packet
REDIRECT This will specify a local port (number
or, optionally, name) to where the packet should
be relayed. This option is specific to TCP and
UDP packets.
RETURN It is equivalent to falling off of the
Chain immediately
Note There may be other targets, but they would
indicate user-defined chains.