linux firewall

Published on November 26, 2007

Author: Justine

Source: authorstream.com

Linux Firewall For the Office and Home
Nov 17, 2001
Matthew Tam, CISSP

Today's Agenda:
- Introduction
- TCP/IP Recap
- Firewall Basics
- ipchains, iptables (Netfilter)
- Implementation for home use
- Implementation for business use
- Firewall Management
- Demo

Introduction:
Why do you need a firewall?
- Increased network security
- Access control (network/transport level)
- Logging
Why Linux?
- It's FREE
- Not difficult to use!?
- Low hardware cost
- Flexible
- Lots of features compared with its commercial counterparts
- Lots of support!?
- Always evolving and improving (thanks to the open source community)

TCP/IP Recap: General Info:
- Essential for configuring a firewall
- A suite of network protocols that runs on the Internet
- Layered concept: lower layers provide the means of communication for the upper layers
- Key terms: TCP, UDP, IP, ICMP

TCP/IP Recap: Layered Concept:
(Diagram: the application layer (http, ftp, dns, telnet, netbios) sits on TCP and UDP, which carry src and dst ports; these sit on IP and ICMP; IP sits on the device drivers, eth0 and eth1.)

TCP/IP Recap: Layered Communication:
(Diagram: a client and a server, each with the stack Application / TCP/UDP / IP / Device Driver; each layer on the client exchanges data with its peer layer on the server.)

TCP/IP Recap: Layered Concept (worked example):
(Diagram: services and their ports, http 80, ftp 20 and 21, netbios-ns 137, dns 53, above TCP and UDP; below them IP with the addresses 192.168.0.166 and 202.252.123.1, one on each device driver, eth0 and eth1.)

TCP/IP Recap: TCP 3-way Handshake:
    Client                                        Server
    Active Open                                   Passive Open
      SYN (1000)                  ------------>
                                  <------------   SYN (2000), ACK (1001)
      ACK (2001)                  ------------>
    Connection Established                        Connection Established
      ACK, [DATA]                 <----------->
    Client Close
      ACK (2300), FIN (1500)      ------------>
                                  <------------   ACK (1501)
                                  <------------   ACK (1501), FIN (2400)   Server Close
      ACK (2401)                  ------------>

TCP/IP Recap: TCP, UDP, IP, ICMP:
- TCP: stateful communication (session, reliable)
- UDP: stateless communication (no session, less reliable, fast)
- IP: addressing, routing (best effort)
- ICMP: diagnostics (dangerous?)

Firewall Basics: What is a Firewall?:
- In simple terms, a firewall is a device filtering network traffic between 2 (or more) networks
(Diagram: Network A -- Firewall -- Network B)

Firewall Basics: What is NOT a Firewall?:
A firewall is NOT:
- The only thing for security: it does not solve the other aspects of infosec (e.g. humans, insiders, mis-configuration), and you still have to let traffic in and out
- "Install and leave it": you need to manage it for the ever-changing network environment, and you need to monitor it
- 100% safe: any software has bugs and vulnerabilities, and so does any firewall

Firewall Basics: Different Types of Firewalls:
A firewall can be in the form of:
- Packet-Filtering Gateway (today's focus)
- Application Gateway (http proxy, socks server)

Firewall Basics: How does it work?:
- A packet filter inspects packets as they traverse it
- It checks src-addr, dst-addr, src-port, dst-port, flags, session #
- It performs an action (accept, drop) based on a rule (defined by you)
(Diagram: an arriving packet is either accepted or dropped)

ipchains: What is it?:
- A loadable kernel module that performs packet filtering
- Comes with most Linux distributions
- Concept of chains: input, output, and forward
- Command or script (up to you)
- No port-forward: for port-forwarding, use it together with "ipmasqadm portfw"

iptables (a.k.a. Netfilter): What is it?:
- Also a loadable kernel module, since kernel 2.4.x
- Comes with recent distributions
- Everything of ipchains plus: stateful inspection, port forward (for servers behind the firewall), more customized logging, improved matching (rate, string matching)
- More features = more difficult to use

ipchains or iptables: Before we begin:
- Make sure the Linux O/S is hardened (not covered here)
- Apply the latest patches from the distribution you selected
- Use the most recent version of ipchains or iptables

ipchains: Basic Usage I:
Command syntax:
    ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j [action] -l
Useful options:
- ! means "NOT"
- -l means "log to syslog"
- -y means "SYN set & ACK clear -> connection initiation"
- ! -y means "ACK set -> response to an initiation, i.e. an established connection"

TCP/IP Recap: TCP 3-way Handshake (repeated):
(The handshake diagram from the TCP/IP recap is shown again at this point to illustrate -y and ! -y.)

ipchains: The basic concept:
- Control the input, output, and forward behavior of the interfaces
(Diagram: each interface, eth0 and eth1, has an input and an output chain; packets passing from one interface to the other go through the forward chain.)

ipchains: Using a Script:
- Put the script in /etc/rc.d/rc.firewall (written just as if you typed it on the command line)
- In some distributions a file is put in /etc/sysconfig/firewall (note: its syntax is not exactly the same as the command line)
- Run when the firewall boots
Good practices:
- Only enable IP forwarding inside the script, and after all the rules are defined (i.e. at the very end)
- Run the script before the interfaces go up
- Make sure the script is owned by root and has mode 700

ipchains Tips: Writing a Script:
- Use deny as the default policy of each chain, with "-P":
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
- Remember to allow localhost traffic
- Use variables to assist you:
    LOCALNET_1="10.0.0.0/24"
    LOCAL_INTERFACE_1="eth1"
    ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT

ipchains Tips: REJECT vs. DENY:
- Two choices when blocking a packet: "REJECT" or "DENY"
- If "REJECT", an "ICMP port unreachable" is sent back to the src-addr
- If "DENY", the packet is just dropped

Implementation Tips:
Using a common Linux distribution:
- PC with >1 NIC card, hard disk for the O/S
- Install and harden the O/S
- Load the module (usually already loaded in a default installation)
- Run the script
Some unique Linux distributions:
- PC without a hard disk (use RAM as the disk): Floppyfw, LEAF, Trinux (hardened)
- Store your script on floppy or cdrom

Implementation for Home: Typical Setup:
(Diagram: Internet -- cable, ADSL, or dial-up modem -- Firewall -- 1 or more PCs)
Aim:
- Masquerade all outgoing traffic
- Allow all outgoing traffic
- Filter incoming traffic

Home use: firewall-config:
- Use the GUI to help you
- Based on ipchains
- In most distributions

Home use: firestarter:
- Use the GUI to help you
- Rpm package available
- Based on iptables
- Comes with a wizard

Home Use: Cable vs. ADSL modem:
Cable connection:
- Uses standard DHCP for the external interface; straightforward
- Set up the LAN interfaces using "linuxconf" or "/etc/sysconfig/network-scripts/ifcfg-eth0"
- DHCP client: "pump" or "dhcpcd"; "pump" has to be fixed by "initscripts-6.22-1" or the IP address will disappear after the DHCP lease period
- Choose "pump" or "dhcpcd" in the script "/etc/sysconfig/network-scripts/ifup"
ADSL connection:
- NOT standard DHCP for the external interface; usually PPP over Ethernet (PPPoE)
- Use the package rp-pppoe to assist you: http://www.roaringpenguin.com/pppoe/
- Most ADSL connections require a user account; configure the account in "/etc/ppp/pppoe.conf"
- When filtering, refer to "ppp0" rather than "eth0"
- Step-by-step guide for rp-pppoe at http://www.roaringpenguin.com/pppoe/how-to-connect.txt

Home Use: Step-by-Step Setup - Step 1:
Lay down some essential variables:
- Internet connected interface: if cable, EXTERNAL_INTERFACE="eth0"; if ADSL, EXTERNAL_INTERFACE="ppp0"
- Loopback interface: LOOPBACK_INTERFACE="lo"
- Internal interface: LOCAL_INTERFACE_1="eth1"
- Local network address: LOCALNET_1="10.0.0.0/24"

Home Use: Step-by-Step Setup - Step 2:
- Flush any chain that is running:
    ipchains -F
- Apply the default filter:
    ipchains -P forward DENY
    ipchains -P input DENY
- Masquerade all outgoing traffic:
    ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
- Allow all traffic on the internal and loopback interfaces:
    ipchains -A input -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Home Use: Step-by-Step Setup - Step 3:
- Filter incoming traffic on the external interface
- Done by the default policy "ipchains -P input DENY", but that disallows all input
- Need to allow TCP high-port traffic that is NOT a "connection initiation" (SYN bit not set!):
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --destination-port 1024:65535 -j ACCEPT

What is "! -y"???:
(Diagram: the same TCP handshake, with "Anyone" on the Internet as the client and "Your firewall" as the server: SYN (1000); SYN (2000), ACK (1001); ACK (2001); ACK, [DATA]; ACK (2300), FIN (1500); ACK (1501); ACK (1501), FIN (2400); ACK (2401). Only the very first packet, SYN (1000), has SYN set and ACK clear; every later packet carries ACK, so "! -y" matches everything except that connection initiation.)

Home Use: Step-by-Step Setup - Step 4:
Some ports that you have to open:
- DNS replies:
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y --source-port 53 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT
- FTP data:
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --destination-port 20 -j ACCEPT
- ICMP replies:
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -j ACCEPT

Home Use: Step-by-Step Setup - Final Step:
- Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward

Office Use:
- Don't rely on a GUI: it may not be flexible enough for you
- Commands give you more control; learn them (you or your net admin staff)
- Put together a firewall script

Implementation for Office: Typical Setup 1:
(Diagram: Internet -- router -- Firewall -- Internal LAN, with a DMZ (servers) on a separate firewall interface)
Aim:
- Masquerade all outgoing traffic
- Filter both incoming and outgoing traffic
- Port forward incoming traffic to your servers

Implementation for Office: Typical Setup 2:
(Diagram: Internal LAN 1 -- Firewall -- Internal LAN 2)
Aim:
- Filter traffic between two networks

Office Use: Step-by-Step Setup - Step 1:
Lay down some essential variables:
- Internet connected interface:
    EXTERNAL_INTERFACE="eth0"
- Loopback interface:
    LOOPBACK_INTERFACE="lo"
- Internal interfaces:
    LOCAL_INTERFACE_1="eth1"
    LOCAL_INTERFACE_2="eth2"
- Network addresses and servers:
    LOCALNET_1="10.0.0.0/24"
    MAIL_SERVER="a.a.a.a"
    WEB_SERVER="b.b.b.b"

Office Use: Step-by-Step Setup - Step 2:
- Flush any chain that is running:
    ipchains -F
- Apply the default filter:
    ipchains -P forward DENY
    ipchains -P input DENY
    ipchains -P output DENY
- Masquerade all outgoing traffic:
    ipchains -A forward -s $LOCALNET_1 -j MASQ -i $EXTERNAL_INTERFACE
- Allow all traffic on the loopback interface:
    ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Step 3:
- Filter traffic on LOCAL_INTERFACE_1 and EXTERNAL_INTERFACE based on EACH service you allow
- Example, the http and dns services:
    ipchains -A input -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -s $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -s $ANYWHERE -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -s $LOCALNET_1 -d $ANYWHERE -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A input -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A output -p udp --destination-port 53 -i $LOCAL_INTERFACE_1 -j ACCEPT
    ipchains -A input -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -p udp --destination-port 53 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Step 4:
- Port forwarding to your servers; needs "ipmasqadm"
- Example, the web server:
    ipmasqadm portfw -a -P tcp -L $EXTERNAL_WEB_IP 80 -R $WEB_SERVER 80
    ipchains -A input -s $ANYWHERE -d $EXTERNAL_WEB_IP -p tcp --destination-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT
    ipchains -A output -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
    ipchains -A input -s $WEB_SERVER -d $ANYWHERE -p tcp --source-port 80 -i $LOCAL_INTERFACE_2 -j ACCEPT
    ipchains -A output -p tcp --source-port 80 -i $EXTERNAL_INTERFACE -j ACCEPT

Office Use: Step-by-Step Setup - Final Step:
- Enable IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward

Troubleshooting Tips:
- Don't panic when it doesn't work
- Use "-l" (logging) to help you; the entries go to syslog, in /var/log/messages
- Use this command to watch the traffic as it passes:
    # tail -f /var/log/messages
- You can also use tcpdump or snoop to help you

Firewall Management: Building Rules:
- gfcc: for ipchains; provides good rules management

Firewall Management: View Current MASQ sessions:
- gfcc: view the current masquerading sessions

Firewall Management: Build your rules online!:
- http://www.linux-firewall-tools.com/linux/firewall/index.html

Firewall Management: Viewing Logs:
- Firestarter: a real-time "hit-list" showing the blocked traffic

Firewall Management: Log Analyzer:
- fwlogwatch: http://cert.uni-stuttgart.de/projects/fwlogwatch/
- Generates html reports
- Real-time reporting
- Needs some customization work

Firewall Management: What's missing?:
- Enterprise level: multiple firewalls
- Rule building: use scp (secure copy) or X-window (needs proper access control)
- Log management: use the various syslog tools

Good References: Books:
- TCP/IP Illustrated (all-time classic), by W. Richard Stevens
- Firewalls and Internet Security (all-time classic), by William R. Cheswick and Steven M. Bellovin
- Linux Firewalls, by Robert L. Ziegler

Good References: Sites:
- SANS, Choosing a firewall: http://www.sans.org/infosecFAQ/firewall/best.htm
- Robert L. Ziegler's site: http://www.linux-firewall-tools.com/linux/firewall/index.html
- ipchains HOW-TO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
- Netfilter project and iptables HOW-TO: http://netfilter.samba.org/ and http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
- Robert Graham, analyzing firewall logs: http://www.robertgraham.com/pubs/firewall-seen.html

END of Linux Firewall For the Office and Home
Thank You!
Email: matthew.tam@pisa.org.hk
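The four "Home Use: Step-by-Step Setup" slides, assembled into one rc.firewall-style script. This is an added example, not the presenter's own script: it adds a DRY_RUN switch so the command sequence can be printed and reviewed on a machine without ipchains, and a check_order function that enforces the two good practices from the "Using a Script" slide (default-deny policies before any ACCEPT, ip_forward enabled last). The run() wrapper, check_order() and the "apply"/"check" arguments are this example's own additions; the interface names and LOCALNET_1 are the slides' values.

```shell
#!/bin/sh
# Home firewall script assembled from the "Home Use: Step-by-Step Setup" slides.
# Added example, not the presenter's script. With DRY_RUN=1 it only prints the
# commands it would run; without DRY_RUN it assumes a kernel with ipchains
# installed and must be run as root.

# Step 1: essential variables (cable: eth0; ADSL with rp-pppoe: ppp0)
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
LOCALNET_1="10.0.0.0/24"

# Execute a command, or just echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

home_rules() {
    # Step 2: flush, default-deny policies, masquerade, trust internal + loopback
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -P input DENY
    run ipchains -A forward -s "$LOCALNET_1" -j MASQ -i "$EXTERNAL_INTERFACE"
    run ipchains -A input  -i "$LOCAL_INTERFACE_1" -j ACCEPT
    run ipchains -A output -i "$LOCAL_INTERFACE_1" -j ACCEPT
    run ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
    run ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

    # Step 3: from the Internet accept only TCP that is NOT a connection
    # initiation ("! -y" = ACK set); a bare SYN to a high port falls through
    # to the DENY policy.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        --destination-port 1024:65535 -j ACCEPT

    # Step 4: replies that the default policy would otherwise block
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y --source-port 53 -j ACCEPT
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 -j ACCEPT
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -p tcp --destination-port 20 -j ACCEPT
    for icmp_type in echo-reply destination-unreachable time-exceeded; do
        run ipchains -A input -i "$EXTERNAL_INTERFACE" -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done

    # Final step: forwarding goes on last, after every rule is in place
    if [ -n "${DRY_RUN:-}" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Review helper (this example's addition): both DENY policies must precede the
# first ACCEPT rule, and the ip_forward write must be the very last line.
check_order() {
    ( DRY_RUN=1; home_rules ) | awk '
        /-P (input|forward) DENY/ { policies++ }
        /-j ACCEPT/ && policies < 2 { bad = 1 }
        { last = $0 }
        END { if (bad || last !~ /ip_forward/) exit 1 }'
}

# Usage:  sh rc.firewall apply   (as root)     sh rc.firewall check
case "${1:-}" in
    apply) home_rules ;;
    check) check_order && echo "rule order OK" ;;
esac
```

Running `DRY_RUN=1 sh rc.firewall apply` prints the sixteen commands in the order they would be executed, which is the quickest way to confirm that the script still follows the slides' ordering after it has been edited.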
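The "Office Use" slides show the per-service rule set for http and dns, and the port-forward for one web server, as literal commands. The added example below (not the presenter's script) turns those into two functions: allow_service emits the four rules every permitted service needs (input and output, on the internal and the external interface), and forward_port emits the ipmasqadm portfw entry plus its ipchains rules. It generalizes the slides in two ways: the external-side rule for TCP carries "! -y" as the home slides do, so an unsolicited SYN that merely uses a well-known source port is still denied, and the rule for traffic leaving the firewall towards the DMZ server matches the server's port as the destination port, since that is the port the forwarded packet is addressed to. ANYWHERE, EXTERNAL_WEB_IP, WEB_SERVER and the run() wrapper are this example's own assumptions.

```shell
#!/bin/sh
# Office firewall helpers generalising the "Office Use" slides. Added example,
# not the presenter's script. DRY_RUN=1 prints the commands instead of running
# them; without it, ipchains and ipmasqadm must be installed and you must be root.
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"                              # workstations
LOCAL_INTERFACE_2="eth2"                              # DMZ with the servers
LOCALNET_1="10.0.0.0/24"
ANYWHERE="0.0.0.0/0"                                  # assumption: not defined on the slides
EXTERNAL_WEB_IP="${EXTERNAL_WEB_IP:-203.0.113.10}"   # constructed (RFC 5737 range)
WEB_SERVER="${WEB_SERVER:-10.0.1.80}"                 # constructed
DRY_RUN="${DRY_RUN:-}"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# allow_service PROTO PORT: let LOCALNET_1 clients reach PORT/PROTO on the
# Internet and let the replies come back. Internal-side rules pin the client
# network; external-side rules match only on interface and port, so they hold
# however masquerading has rewritten the source address. For TCP, inbound
# packets must not be connection initiations ("! -y"), as in the home setup.
allow_service() {
    syn_guard=""
    if [ "$1" = "tcp" ]; then syn_guard="! -y"; fi
    run ipchains -A input  -s "$LOCALNET_1" -d "$ANYWHERE" -p "$1" --destination-port "$2" -i "$LOCAL_INTERFACE_1" -j ACCEPT
    run ipchains -A output -s "$ANYWHERE" -d "$LOCALNET_1" -p "$1" --source-port "$2" -i "$LOCAL_INTERFACE_1" -j ACCEPT
    run ipchains -A input  -p "$1" $syn_guard --source-port "$2" -i "$EXTERNAL_INTERFACE" -j ACCEPT
    run ipchains -A output -p "$1" --destination-port "$2" -i "$EXTERNAL_INTERFACE" -j ACCEPT
}

# forward_port PROTO EXT_IP PORT SERVER: publish a DMZ server on an external
# address with ipmasqadm portfw and accept the forwarded traffic on the
# external interface (towards EXT_IP) and the DMZ interface (towards SERVER).
forward_port() {
    run ipmasqadm portfw -a -P "$1" -L "$2" "$3" -R "$4" "$3"
    run ipchains -A input  -s "$ANYWHERE" -d "$2" -p "$1" --destination-port "$3" -i "$EXTERNAL_INTERFACE" -j ACCEPT
    run ipchains -A output -d "$4" -p "$1" --destination-port "$3" -i "$LOCAL_INTERFACE_2" -j ACCEPT
    run ipchains -A input  -s "$4" -d "$ANYWHERE" -p "$1" --source-port "$3" -i "$LOCAL_INTERFACE_2" -j ACCEPT
    run ipchains -A output -p "$1" --source-port "$3" -i "$EXTERNAL_INTERFACE" -j ACCEPT
}

# The complete office sequence: Step 2 policies, Step 3 services, Step 4
# port-forward, and forwarding switched on last.
office_rules() {
    run ipchains -F
    run ipchains -P forward DENY
    run ipchains -P input DENY
    run ipchains -P output DENY
    run ipchains -A forward -s "$LOCALNET_1" -j MASQ -i "$EXTERNAL_INTERFACE"
    run ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
    run ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT
    allow_service tcp 80                                   # http
    allow_service udp 53                                   # dns
    forward_port tcp "$EXTERNAL_WEB_IP" 80 "$WEB_SERVER"   # public web server
    if [ -n "$DRY_RUN" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage:  DRY_RUN=1 sh office-fw.sh apply   (review)     sh office-fw.sh apply   (as root)
case "${1:-}" in
    apply) office_rules ;;
esac
```

Each additional service the office permits is one more allow_service line, and each additional published server one more forward_port line, which keeps the script readable as the rule set grows.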
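The "Troubleshooting Tips" and "Log Analyzer" slides point at /var/log/messages and at fwlogwatch for making sense of what "-l" records. The added example below (not from the slides or from fwlogwatch) does the smallest useful version of that analysis in sh and awk: it parses the ipchains entry layout documented in the IPCHAINS-HOWTO and reports, busiest first, which sources are having packets dropped against which destination ports. The sample syslog lines embedded in the script are constructed for the example, using the RFC 5737 documentation address ranges; the function names are this example's own.

```shell
#!/bin/sh
# Summarise what ipchains "-l" rules have been dropping, straight from syslog.
# Added example, not from the slides. Entry layout per the IPCHAINS-HOWTO:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
# Only the first six fields after "Packet log:" are used below.

# Constructed sample entries (RFC 5737 documentation addresses).
SAMPLE_LOG='Nov 17 10:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 198.51.100.1:23 L=60 S=0x00 I=1 F=0x4000 T=51 SYN (#2)
Nov 17 10:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4322 198.51.100.1:23 L=60 S=0x00 I=2 F=0x4000 T=51 SYN (#2)
Nov 17 10:00:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4323 198.51.100.1:139 L=60 S=0x00 I=3 F=0x4000 T=51 SYN (#2)
Nov 17 10:00:04 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.77:1025 198.51.100.1:137 L=78 S=0x00 I=4 F=0x0000 T=120 (#2)
Nov 17 10:00:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 203.0.113.5:53 198.51.100.1:1030 L=34 S=0x00 I=5 F=0x0000 T=254 (#1)
Nov 17 10:00:06 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4324 198.51.100.1:23 L=60 S=0x00 I=6 F=0x4000 T=51 SYN (#2)'

# Read syslog lines on stdin; print "count proto dst-port src-addr" for each
# (proto, destination port, source) combination that hit a DENY target,
# busiest first. Lines logged by ACCEPT rules are ignored.
denied_summary() {
    sed -n 's/.*Packet log: //p' | awk '
        $2 == "DENY" {
            proto = $4
            if (proto == "PROTO=6") proto = "tcp"
            else if (proto == "PROTO=17") proto = "udp"
            else if (proto == "PROTO=1") proto = "icmp"
            split($5, src, ":")
            split($6, dst, ":")
            count[proto " " dst[2] " " src[1]]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# The same summary over the embedded sample; handy for checking the parser.
sample_summary() { printf '%s\n' "$SAMPLE_LOG" | denied_summary; }

# Usage on a live box:  denied_summary < /var/log/messages
# Usage on the sample:  sh fwlog-summary.sh sample
if [ "${1:-}" = "sample" ]; then sample_summary; fi
```

On the sample the first line of output is `3 tcp 23 203.0.113.9`, i.e. one source repeatedly probing telnet, while the single ACCEPTed DNS reply is left out; that is the view a real-time "hit-list" or fwlogwatch report gives, reduced to a one-screen awk program.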
