Firewalls Implementation IPTables Firewall Implementation Taken from Red Hat Linux Firewalls, Bill McCarty Copyright Red Hat and Bill McCarty.


Scripting Intro
Brief introduction to shell scripts in Unix
– A shell script is a file of commands executed by the shell, the command interpreter
– Three standard streams: standard in, standard out, standard error
– Redirection: ">" writes output to a file, "<" reads input from a file
– ">|" forced overwrite (writes even when the shell's noclobber option is set)
– ">>" append to a file

Scripts Start
Create a firewall file
– Make it executable: chmod 777 acklers_firewall (mode 700 is sufficient: only root needs to read and run the script, and 777 lets every local user rewrite it)
– All scripts start with #!/bin/bash; the shell executes the remaining lines as commands, except comments
– Comments start with a #
– Variables are defined before use: IP=" " (the value is elided on the slide)
– Variables are referenced with $name; $IP performs a lexical substitution of IP's definition

Scripts Control flow – if-then-else

    if [ condition ]
    then
        "do something"
    else
        "something to do goes here"
    fi

– if and fi act as parentheses around the block
– exit 1 exits the script with status 1 (non-zero signals failure to the caller)
– [ ] needs white space around the condition

Control flow example

    if [ ! -x /sbin/iptables ]
    then
        echo "Firewall: can't execute iptables"
        exit 1
    fi

"which iptables" prints the path to iptables.

Scripts Control flow – for loop

    for var in list; do
        stuff to do
    done

– var: a variable that takes on each value in list in turn
– list: the list of values that var takes on

    BADIPS=" / /12"            # network addresses elided on the slide
    for ip in $BADIPS; do
        iptables -A INPUT -s $ip -j DROP
    done
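As an added example (not from the slides or from McCarty's book): the loop above hands every element of BADIPS straight to iptables, so one mistyped entry makes iptables fail part-way through and leaves a half-installed ruleset. The script below checks each entry for the dotted-quad/prefix form first, then prints the DROP rules the loop would issue instead of running them, so it needs neither root nor netfilter. The address list is constructed sample data and IPT is set only so the output reads like the slides' rules.

```shell
#!/bin/bash
# Added example, not code from the slides: validate a BADIPS-style list before
# generating DROP rules from it. Prints the rules rather than running iptables,
# so it runs without root or netfilter. Addresses are constructed samples.

IPT=/sbin/iptables
BADIPS="192.0.2.0/24 198.51.100.7 203.0.113.0/25"   # constructed sample list

# valid_cidr ENTRY: returns 0 when ENTRY is a dotted-quad IPv4 address with an
# optional /prefix between 0 and 32, and 1 otherwise.
valid_cidr() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#*/}
    # With no slash, ${entry#*/} returns the whole entry: treat it as /32
    [ "$prefix" != "$entry" ] || prefix=32
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Reject empty octets ("1..2.3", ".1.2.3", "1.2.3.")
    case $addr in
        .*|*.|*..*) return 1 ;;
    esac
    # Split on dots into the positional parameters (local to this function)
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bad_ip_rules LIST: prints one DROP rule per entry on stdout; stops with a
# message on stderr and status 1 at the first malformed entry, before any rule
# for it is emitted.
bad_ip_rules() {
    for ip in $1; do
        if ! valid_cidr "$ip"; then
            echo "Firewall: bad address '$ip' in BADIPS" >&2
            return 1
        fi
        echo "$IPT -A INPUT -s $ip -j DROP"
    done
}

# Stand-alone run: show the rules the slides' loop would execute
bad_ip_rules "$BADIPS"
```

In the real script, replace the echo with the iptables call and run the validation loop before any default policy is changed, so a bad list is caught while the host is still reachable.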

Firewall Construction Plan
– Firewall policies
– High-level design
– Detailed design
– Test

Firewall Policies
– Egress filtering – Restrictive: only explicitly authorized packets may exit the protected host.
– Ingress filtering – Restrictive: only explicitly authorized packets may enter the protected host.
– Hostile hosts – Hostile hosts may be shunned.
– Special IPs – Traffic from special IP ranges is blocked, e.g. RFC 1918 private addresses.

Firewall Policies cont'd
– Inbound services – Remote clients can access the SSH and HTTP services provided by the protected host. All other services are blocked.
– Outbound services – Local clients can access only these remote services: DNS, FTP, HTTP, HTTPS, RSYNC, SMTP, SSH, and WHOIS. All other services are blocked to local clients.

Firewall Policies cont'd
– Inbound ICMP – Only destination unreachable, parameter problem, source quench, and time exceeded are authorized ICMP messages.
– Outbound ICMP – Only destination unreachable, fragmentation needed, parameter problem, and source quench are authorized ICMP messages.
– Logging – All blocked packets are logged via the syslog facility.

Firewall Policies cont'd
– Ping – Only specified hosts can ping, or be pinged by, the protected host.
– SYN flood – The firewall blocks SYNs when their rate of arrival exceeds a specified threshold.
– TCP flags – TCP flags are validated, blocking certain types of TCP scans.

Packet Path with NAT and MANGLE
The chains a packet traverses, in order (the slide's diagram rendered as text):

    Network -> mangle PREROUTING -> nat PREROUTING -> routing decision
      for this host: -> filter INPUT -> Local Process
                     -> mangle OUTPUT -> filter OUTPUT -> nat POSTROUTING -> Network
      for another host: -> filter FORWARD -> nat POSTROUTING -> Network

Our Firewall – no NAT, no MANGLE, no FORWARD
Firewall for a single-homed protected host:
– No FORWARD chain in the filter table
– No nat table
– No mangle table
– Only the INPUT and OUTPUT chains of the filter table

Our Packet Path

    Network -> filter INPUT -> Local Process -> filter OUTPUT -> Network

Setup – Some Assignments

    # Abbreviation for iptables
    IPT=/sbin/iptables
    # Loopback address
    LO=" "                          # value elided on the slide
    # IP address of the firewall host: either set by hand ...
    IP="xxx.xxx.xxx.xxx"
    # ... or read from the interface (older net-tools ifconfig output format)
    IP=$(/sbin/ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')

Setting Up the Chains & Tables
– Ensure that iptables is installed.
– Set the default policy to protect the system while the rules are installed.
– Flush and delete all user chains.
– Flush and delete all built-in chains.
– Reset all counters.

    if [ ! -x $IPT ]
    then
        echo "Firewall: Can't find iptables"
        exit 1
    fi
    $IPT -P INPUT DROP       # Set default policy to DROP
    $IPT -P OUTPUT DROP      # Set default policy to DROP
    $IPT -P FORWARD DROP     # Set default policy to DROP
    $IPT -F                  # Flush all chains
    $IPT -X                  # Delete all user chains
    for table in filter nat mangle
    do
        $IPT -t $table -F    # Flush the table's rules
        $IPT -t $table -X    # Delete the table's user chains
        $IPT -t $table -Z    # Zero the table's counters
    done

Because the DROP policies take effect before any ACCEPT rule is loaded, run the script from the console rather than over a remote session, which would be cut off until the rules that allow it are in place.

INPUT Chain Policy (filter table)
– Loopback OK » ACCEPT
– Bad IP » log and drop
– Shunned IPs » log and drop
– Branch » ICMP or TCP/UDP?
– Log and drop the rest

INPUT Chain
Flow: loopback? -> ACCEPT; BAD_IP; SHUN_IP; ICMP? -> IN_ICMP, otherwise IN_TCP_UDP; whatever returns from those chains -> LOG_DROP

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j BAD_IP
    $IPT -A INPUT -j SHUN_IP
    $IPT -A INPUT ! -p icmp -j IN_TCP_UDP    # older releases write this as -p ! icmp
    $IPT -A INPUT -p icmp -j IN_ICMP
    $IPT -A INPUT -j LOG_DROP

Each user chain named here (BAD_IP, SHUN_IP, IN_TCP_UDP, IN_ICMP, LOG_DROP) must already exist when these rules are appended: iptables rejects a jump to a chain that has not been created with -N, so in the complete script the user-chain sections on the following slides come before this one.

OUTPUT Chain Policy (filter table)
– Loopback OK » ACCEPT
– Bad IP » log and drop
– Shunned IPs » log and drop
– Branch » ICMP or TCP/UDP?
– Log and drop the rest

OUTPUT Chain
Flow: loopback? -> ACCEPT; BAD_IP; SHUN_IP; ICMP? -> OUT_ICMP, otherwise OUT_TCP_UDP; whatever returns from those chains -> LOG_DROP

    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -j BAD_IP
    $IPT -A OUTPUT -j SHUN_IP
    $IPT -A OUTPUT ! -p icmp -j OUT_TCP_UDP   # older releases write this as -p ! icmp
    $IPT -A OUTPUT -p icmp -j OUT_ICMP
    $IPT -A OUTPUT -j LOG_DROP

The user chains referenced here must already have been created with -N before these rules are appended.

User Chains
– IN_TCP_UDP – further filters inbound TCP and UDP datagrams
– IN_ICMP – further filters inbound ICMP datagrams
– OUT_TCP_UDP – further filters outbound TCP and UDP datagrams
– OUT_ICMP – further filters outbound ICMP datagrams
– FLOOD – stops SYN flood attacks
– FLAGS – drops packets with incorrect TCP flags set
– BAD_IP – drops packets from bad IP addresses
– SHUN_IP – drops packets from IP addresses that have been identified as hostile

User Logging Chains
– LOG_DROP – logs and drops the packets selected to be dropped
– LOG_FLOOD – logs and drops packets judged to be a SYN flood
– LOG_FLAGS – logs and drops packets judged to have incorrect TCP flags set
– LOG_BAD_IP – logs and drops packets coming from or going to bad IP addresses
– LOG_SHUN_IP – logs and drops packets coming from or going to IP addresses that are to be shunned

IN_TCP_UDP User Chain
Policy: Remote clients can access the SSH and HTTP services provided by the protected host. All other services are blocked.
Flow: invalid state? -> LOG_DROP; SYN -> FLOOD; TCP -> FLAGS; established or related state? -> ACCEPT; source IP spoofed (our own address)? -> LOG_DROP; then the service checks on the next slide

    $IPT -N IN_TCP_UDP
    $IPT -A IN_TCP_UDP -m state --state INVALID -j LOG_DROP
    $IPT -A IN_TCP_UDP -p tcp --syn -j FLOOD
    $IPT -A IN_TCP_UDP -p tcp -j FLAGS
    $IPT -A IN_TCP_UDP -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    # An inbound packet claiming our own address as its source is spoofed
    $IPT -A IN_TCP_UDP -s $IP -j LOG_DROP

IN_TCP_UDP User Chain cont'd
Flow: authorized service from an authorized source? -> ACCEPT; AUTH (ident) request? -> REJECT; otherwise RETURN to INPUT, which logs and drops

    SSH="my_IP_addr your_IP_addr"    # placeholders: hosts allowed to reach SSH
    WWW="my_IP_addr your_IP_addr"    # placeholders: hosts allowed to reach HTTP
    for sip in $SSH; do
        $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 22 -m state \
            --state NEW -j ACCEPT
    done
    for sip in $WWW; do
        $IPT -A IN_TCP_UDP -p tcp -s $sip --dport 80 -m state \
            --state NEW -j ACCEPT
    done
    # Authentication (ident) request: REJECT rather than DROP, so the remote
    # server gets an immediate answer instead of waiting for a timeout
    $IPT -A IN_TCP_UDP -p tcp --dport 113 -j REJECT
    # Add rules for other required services, for example:
    #
    # services="IP addresses"
    #
    # for sip in $services; do
    #     $IPT -A IN_TCP_UDP -p proto -s $sip --dport port -m state \
    #         --state NEW -j ACCEPT
    # done

OUT_TCP_UDP User Chain
Policy: The protected host can access ftp, ssh, smtp, whois, DNS, http, https and rsync services. All other services are blocked.
Flow: TCP -> FLAGS; source IP not ours? -> LOG_DROP; established or related state? -> ACCEPT; authorized service? -> ACCEPT; otherwise RETURN to OUTPUT, which logs and drops

    OUT_SERVICES=" "      # destination ports of the permitted services; values elided on the slide
    # Permitted outbound connections:
    # ftp, ssh, smtp, whois, DNS, http, https, rsync
    $IPT -N OUT_TCP_UDP
    $IPT -A OUT_TCP_UDP -p tcp -j FLAGS
    # An outbound packet whose source is not our address is spoofed
    $IPT -A OUT_TCP_UDP ! -s $IP -j LOG_DROP
    $IPT -A OUT_TCP_UDP -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    for dpt in $OUT_SERVICES; do
        $IPT -A OUT_TCP_UDP -m state --state NEW -p tcp \
            --dport $dpt -j ACCEPT
    done
    # DNS queries over UDP
    $IPT -A OUT_TCP_UDP -m state --state NEW -p udp \
        --dport 53 -j ACCEPT

IN_ICMP User Chain
Policy: Only destination unreachable, parameter problem, source quench, and time exceeded are authorized ICMP messages.
Flow: authorized ping? -> ACCEPT; destination unreachable? source quench? time exceeded? parameter problem? -> ACCEPT; otherwise RETURN

    PING="my_IP_addr your_IP_addr"   # placeholders: hosts allowed to ping, or be pinged by, this host
    $IPT -N IN_ICMP
    for sip in $PING; do
        $IPT -A IN_ICMP -p icmp --icmp-type echo-request \
            -s $sip -d $IP -j ACCEPT
        $IPT -A IN_ICMP -p icmp --icmp-type echo-reply \
            -s $sip -d $IP -j ACCEPT
    done
    $IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
    $IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
    # Default is to RETURN to INPUT on fall-through, where the packet is logged and dropped

OUT_ICMP User Chain
Policy: Only destination unreachable, fragmentation needed, parameter problem, and source quench are authorized ICMP messages.
Flow: authorized ping? -> ACCEPT; destination unreachable? fragmentation needed? source quench? parameter problem? -> ACCEPT; otherwise RETURN

    $IPT -N OUT_ICMP
    for sip in $PING; do
        # Outbound packets carry our address as source and the peer as destination
        # (the slide has -s $sip -d $IP, which matches no outbound packet)
        $IPT -A OUT_ICMP -p icmp --icmp-type echo-request \
            -s $IP -d $sip -j ACCEPT
        $IPT -A OUT_ICMP -p icmp --icmp-type echo-reply \
            -s $IP -d $sip -j ACCEPT
    done
    $IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A OUT_ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT
    $IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
    # Default is to RETURN to OUTPUT on fall-through, where the packet is logged and dropped

Bad IP User Chain
Policy: Traffic from special IP ranges is blocked, e.g. RFC 1918 private addresses.
Flow: bad source IP? -> LOG_BAD_IP; bad destination IP? -> LOG_BAD_IP; otherwise RETURN

    # Broadcast addresses (the network values are elided on the slide)
    BAD_IPS=" / "
    # RFC 1918 addresses
    BAD_IPS="$BAD_IPS / / /16"
    # Loopback address
    BAD_IPS="$BAD_IPS /4"
    # Multicast addresses
    BAD_IPS="$BAD_IPS / /5"
    $IPT -N BAD_IP
    for ip in $BAD_IPS; do
        $IPT -A BAD_IP -s $ip -j LOG_BAD_IP
    done
    for ip in $BAD_IPS; do
        $IPT -A BAD_IP -d $ip -j LOG_BAD_IP
    done
    # Returns to the calling chain by default

Hostile Hosts User Chain
Policy: Hostile hosts may be shunned; both inbound and outbound traffic can be blocked.
Flow: hostile source IP? -> LOG_SHUN_IP; hostile destination IP? -> LOG_SHUN_IP; otherwise RETURN

    # Hostile IPs: the list starts out empty
    SHUN_IPS=""
    # To add an address to the list at run time (the target is the
    # LOG_SHUN_IP chain, not the shell variable):
    #   iptables -A SHUN_IP -s address -j LOG_SHUN_IP
    # To delete an address from the list:
    #   iptables -D SHUN_IP -s address -j LOG_SHUN_IP
    # To clear the list:
    #   iptables -F SHUN_IP
    $IPT -N SHUN_IP
    for ip in $SHUN_IPS; do
        $IPT -A SHUN_IP -s $ip -j LOG_SHUN_IP
    done
    for ip in $SHUN_IPS; do
        $IPT -A SHUN_IP -d $ip -j LOG_SHUN_IP
    done
    # Returns to the calling chain by default

FLOOD User Chain
Policy: The firewall blocks SYNs when their rate of arrival exceeds a specified threshold.
Flow: SYN rate exceeded? -> LOG_FLOOD; otherwise RETURN

    # Up to 5 SYNs per second, with a burst of 10, pass through
    SYN_OPT="-m limit --limit 5/second --limit-burst 10"
    $IPT -N FLOOD
    $IPT -A FLOOD $SYN_OPT -j RETURN    # within the limit: back to the caller
    $IPT -A FLOOD -j LOG_FLOOD          # over the limit: log and drop

TCP Flags User Chain
Policy: TCP flags are validated, blocking certain types of TCP scans.
Flow: bad TCP flag combination? -> LOG_FLAGS; otherwise RETURN

    # --tcp-flags MASK SET: of the flags in MASK, exactly those in SET are set
    $IPT -N FLAGS
    $IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG_FLAGS          # FIN without ACK
    $IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH -j LOG_FLAGS          # PSH without ACK
    $IPT -A FLAGS -p tcp --tcp-flags ACK,URG URG -j LOG_FLAGS          # URG without ACK
    $IPT -A FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j LOG_FLAGS      # FIN and RST together
    $IPT -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_FLAGS      # SYN and FIN together
    $IPT -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_FLAGS      # SYN and RST together
    $IPT -A FLAGS -p tcp --tcp-flags ALL ALL -j LOG_FLAGS              # every flag set
    $IPT -A FLAGS -p tcp --tcp-flags ALL NONE -j LOG_FLAGS             # no flag set (NULL scan)
    $IPT -A FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_FLAGS      # XMAS scan pattern
    $IPT -A FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG_FLAGS
    $IPT -A FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_FLAGS

Logging Chains – log and drop all that is bad

    # Limits the rate of logging, so a flood of blocked packets cannot fill the log
    LOG_OPT="--log-level 3 -m limit --limit 1/second --limit-burst 10"
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -j LOG --log-prefix "IPT Drop:" $LOG_OPT
    $IPT -A LOG_DROP -j DROP
    $IPT -N LOG_BAD_IP
    $IPT -A LOG_BAD_IP -p tcp --dport 137:139 -j DROP    # MS broadcast: drop without logging
    $IPT -A LOG_BAD_IP -p udp --dport 137:139 -j DROP    # MS broadcast: drop without logging
    $IPT -A LOG_BAD_IP -j LOG --log-prefix "IPT BAD_IP:"
    $IPT -A LOG_BAD_IP -j DROP
    $IPT -N LOG_SHUN_IP
    $IPT -A LOG_SHUN_IP -j LOG --log-prefix "IPT SHUN:" $LOG_OPT
    $IPT -A LOG_SHUN_IP -j DROP
    $IPT -N LOG_FLOOD
    $IPT -A LOG_FLOOD -j LOG --log-prefix "IPT FLOOD:" $LOG_OPT
    $IPT -A LOG_FLOOD -j DROP
    $IPT -N LOG_FLAGS
    $IPT -A LOG_FLAGS -j LOG --log-prefix "IPT FLAGS:" $LOG_OPT
    $IPT -A LOG_FLAGS -j DROP
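Added example, not from the slides or from McCarty's book, serving the INPUT/OUTPUT chain slides and the user-chain slides above: the INPUT and OUTPUT rules jump to user chains that later slides create with -N, and iptables rejects a jump to a chain that does not exist yet, so the order in which the script's sections run matters. The script below replaces $IPT with a function that records each rule instead of executing it, rebuilds a constructed subset of the deck's chains in a working order, and then checks that every jump target was created before it was referenced and that IN_TCP_UDP drops INVALID packets before it accepts ESTABLISHED,RELATED ones. Chain and rule names follow the slides; the recording function and the two checks are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the slides: dry-run a subset of the deck's ruleset and
# check two ordering properties before anything touches netfilter. The IPT
# function stands in for /sbin/iptables and only records its arguments.

RULES=""            # every recorded invocation, one per line

IPT() {
    RULES="$RULES
$*"
}

# build_ruleset: constructed subset of the slides' script, in the order a working
# script must use (user chains before the INPUT rules that jump to them)
build_ruleset() {
    RULES=""
    IPT -N LOG_DROP
    IPT -A LOG_DROP -j LOG --log-prefix "IPT Drop:" -m limit --limit 1/second --limit-burst 10
    IPT -A LOG_DROP -j DROP
    IPT -N LOG_FLOOD
    IPT -A LOG_FLOOD -j LOG --log-prefix "IPT FLOOD:"
    IPT -A LOG_FLOOD -j DROP
    IPT -N FLOOD
    IPT -A FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN
    IPT -A FLOOD -j LOG_FLOOD
    IPT -N IN_TCP_UDP
    IPT -A IN_TCP_UDP -m state --state INVALID -j LOG_DROP
    IPT -A IN_TCP_UDP -p tcp --syn -j FLOOD
    IPT -A IN_TCP_UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
    IPT -A IN_TCP_UDP -p tcp --dport 22 -m state --state NEW -j ACCEPT
    IPT -A INPUT -i lo -j ACCEPT
    IPT -A INPUT ! -p icmp -j IN_TCP_UDP
    IPT -A INPUT -j LOG_DROP
}

# undefined_jumps: prints each -j target that is neither a built-in target nor a
# chain created by an earlier -N line; returns 1 if it printed anything
undefined_jumps() {
    created=" INPUT OUTPUT FORWARD "   # built-in chains of the filter table
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line                   # tokens of one recorded rule
        while [ $# -gt 1 ]; do
            case $1 in
                -N) created="$created$2 " ;;
                -j) case $2 in
                        ACCEPT|DROP|REJECT|RETURN|LOG) ;;   # built-in targets
                        *) case $created in
                               *" $2 "*) ;;
                               *) echo "$2"; bad=1 ;;
                           esac ;;
                    esac ;;
            esac
            shift
        done
    done <<EOF
$RULES
EOF
    return $bad
}

# rule_index CHAIN PATTERN: 1-based position, among CHAIN's rules, of the first
# rule matching PATTERN; empty if there is none
rule_index() {
    printf '%s\n' "$RULES" | grep -- "-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# invalid_dropped_first CHAIN: true when CHAIN drops INVALID packets before it
# accepts ESTABLISHED,RELATED ones, so a stray packet cannot ride on state
invalid_dropped_first() {
    inv=$(rule_index "$1" "state INVALID")
    est=$(rule_index "$1" "ESTABLISHED,RELATED")
    [ -n "$inv" ] && [ -n "$est" ] && [ "$inv" -lt "$est" ]
}

# Stand-alone run: any undefined jump target is printed, otherwise the checks pass
build_ruleset
undefined_jumps && invalid_dropped_first IN_TCP_UDP && echo "ruleset passes both checks"
```

To dry-run the real script the same way, define the IPT function in place of IPT=/sbin/iptables and source the script; the recorded rules can then be inspected before the script is run for real.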

Configuring IPTables (Red Hat service scripts)
– Configure IPTables to run on startup: chkconfig iptables on
– Disable IPTables at startup: chkconfig iptables off
– Starting and stopping IPTables:

    service iptables start
    service iptables save       # saves the running rules so they are reloaded at startup
    service iptables stop
    service iptables restart

Assignment
– Using the example in these slides, build a script to install this firewall
– Comment the script
– List the rules and comment the listing
– Install the firewall, i.e. run the script
– ftp to an ftp server
– Have someone run nmap against your IP address
– Print and comment the log file
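As an added example (not part of the slides or of McCarty's book) for the last step of the assignment: the logging chains tag every dropped packet with a prefix ("IPT Drop:", "IPT FLAGS:", "IPT BAD_IP:", "IPT SHUN:", "IPT FLOOD:"), so the first pass over the log file is to count entries by prefix and source address and to list which destination ports one source touched. The log lines below are constructed samples in the format the kernel's LOG target writes through syslog; the hostname, addresses and timestamps are made up for the example.

```shell
#!/bin/bash
# Added example, not from the slides: summarise the syslog lines written by the
# deck's logging chains by prefix and source address. The sample lines are
# constructed; "gw" and the addresses are documentation values.

SAMPLE_LOG='Mar  3 10:15:01 gw kernel: IPT Drop:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40212 DPT=23 SYN URGP=0
Mar  3 10:15:02 gw kernel: IPT FLAGS:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40213 DPT=22 SYN FIN URGP=0
Mar  3 10:15:02 gw kernel: IPT FLAGS:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40214 DPT=80 FIN PSH URG URGP=0
Mar  3 10:15:05 gw kernel: IPT BAD_IP:IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:09 gw kernel: IPT Drop:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=51000 DPT=445 SYN URGP=0
Mar  3 10:15:10 gw sshd[812]: Accepted publickey for admin from 192.0.2.20 port 50122 ssh2'

# summarize_log: reads syslog on stdin; prints "PREFIX SRC COUNT" per pair, sorted
summarize_log() {
    awk '
        /kernel: IPT / {
            pfx = $0
            sub(/.*kernel: /, "", pfx)   # keep the text after the kernel tag ...
            sub(/IN=.*/, "", pfx)        # ... up to the first LOG field: the prefix
            src = "?"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            count[pfx " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# count_prefix PREFIX: number of logged packets carrying PREFIX, read from stdin
count_prefix() {
    awk -v p="$1" 'index($0, "kernel: " p) { n++ } END { print n + 0 }'
}

# dports_for SRC: distinct destination ports the firewall logged for SRC, one per
# line in numeric order; a long list from one source is the shape of a port scan
dports_for() {
    awk -v s="SRC=$1" '
        /kernel: IPT / {
            hit = 0; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == s) hit = 1
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (hit && dpt != "") print dpt
        }' | sort -n | uniq
}

# Stand-alone run over the sample; on a real host: summarize_log < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

The LOG_BAD_IP chain logs without a rate limit and the other chains log at most one line per second after a burst of ten, so the counts from summarize_log are a lower bound on blocked packets for every prefix except "IPT BAD_IP:".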