linux firewalls
play

Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30 About this - PowerPoint PPT Presentation

Apr 08, 2024 •117 likes •432 views

Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30 About this presentation Based on a previous talk by Kevin Chege and Chris Wilson, with thanks! Y ou can access this presentation at: Online: http://afnog.github.io/sse /fir ewalls/ Local:

  1. Linux Firewalls Frank Kuse, AfNOG 2018 1 / 30

  2. About this presentation Based on a previous talk by Kevin Chege and Chris Wilson, with thanks! Y ou can access this presentation at: Online: http://afnog.github.io/sse /fir ewalls/ Local: http://www.ws.afnog.org/afnog2017/sse /fir ewalls/index.html Github: https://github.com/afnog/sse/blob/maste r/fir ewalls/presentation.md Download PDF: http://www.ws.afnog.org/afnog2017/sse /fir ewalls/presentation.pdf Download Exercises: http://www.ws.afnog.org/afnog2017/sse /fir ewalls/Exercises.pdf 2 / 30

  3. WhatisaFirewall? 3 / 30

  4. AdvancedFirewalls Basic firewalls are packet filters Can't always make a decision based on one packet (examples?) Stateful firewalls (connection table) Application layer (L7) filtering/inspection/IDS Redundant firewalls with synchronisation VPNs and SSL "VPNs" 4 / 30

  5. StatefulFirewalls CONNECT/ SYN ﴿ Step 1 of the 3wayhandshake ﴾ unusual event CLOSED (Start) client/receiver path CLOSE/ server/sender path EN/ LIST CLOSE/ ﴿ Step 2 of the 3wayhandshake ﴾ SYN/SYN+ACK LISTEN 5 / 30

  6. LimitationsofFirewalls 6 / 30

  7. BlockingWebsites 7 / 30

  8. Whatdofirewallsfilter? 8 / 30

  9. Typical features Rulesets (lists of rules, read in order) Rules (IF this THEN that) Match conditions interface, IP address, protocol, port, time, contents Actions accept, drop, reject, jump to another table, return Default policy 9 / 30

  10. iptables/netfilter 10 / 30

  11. Listingcurrentrules iptables W e use the command to interact with the firewall (in the kernel): $ sudo apt install iptables $ sudo iptables -L -nv Chain INPUT (policy ACCEPT 119 packets, 30860 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 36 packets, 1980 bytes) pkts bytes target prot opt in out source destination 11 / 30

  12. Yourfirstruleset Configure your firewall to allow ICMP packets. $ sudo iptables -A INPUT -p icmp -j ACCEPT $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 4 packets, 520 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 What effect will this have? What are the numbers? 12 / 30

  13. Testingrules How can you test it? $ ping -c4 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.058 ms ... $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 220 packets, 218K bytes) pkts bytes target prot opt in out source destination 8 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 Why do we see 8 packets against the rule, instead of 4? iptables -L INPUT -nZ Z Y ou can use to Z ero the counters. 13 / 30

  14. Blockingpings Add another rule: $ sudo iptables -A INPUT -p icmp -j DROP $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 12 packets, 1560 bytes) pkts bytes target prot opt in out source destination 8 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 $ ping -c1 127.0.0.1 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.067 ms Is that what you expected? 14 / 30

  15. Ruleprecedence -I Insert a DROP rule before theACCEPT rule with : $ sudo iptables -I INPUT -p icmp -j DROP $ sudo iptables -L INPUT -nv Chain INPUT (policy ACCEPT 12 packets, 1560 bytes) pkts bytes target prot opt in out source destination 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 10 840 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 15 / 30

  16. Ruleprecedencetesting $ ping -c1 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. ^C --- 127.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms 16 / 30

  17. Listruleswithindexes -L --line-numbers Use the iptables options: $ sudo iptables -L INPUT -nv --line-numbers Chain INPUT (policy ACCEPT 15 packets, 1315 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 17 / 30

  18. DeletingRules Delete rule by index: $ sudo iptables -D INPUT 3 Delete rule by target: $ sudo iptables -D INPUT -p icmp -j ACCEPT Check the results: $ sudo iptables -L INPUT -nv --line-numbers Chain INPUT (policy ACCEPT 9 packets, 835 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 18 / 30

  19. PersistentRules What happens when you reboot? 19 / 30

  20. PersistentRules What happens when you reboot? The rules that we created are only in the kernel's memory. They will be lost on reboot. How can we make them permanent? Could be as simple as: /sbin/iptables-save > /etc/default/iptables /sbin/iptables-restore < /etc/default/iptables iptables-persistent Or install which automates this a little. 20 / 30

  21. ConnectionTracking Every packet is tracked by default (made into a connection). conntrack -L Y ou can see them with conntrack -L : sudo /usr/sbin/conntrack -L tcp 6 431999 ESTABLISHED src=196.200.216.99 dst=196.200.219.140 sport=58516 dport=22 src=196.200.219.140 dst=196.200.216.99 sport=22 dport=58516 [ASSURED] mark=0 use=1 What does this mean? 21 / 30

  22. ConnectionTracking sudo /usr/sbin/conntrack -L tcp 6 431999 ESTABLISHED src=196.200.216.99 dst=196.200.219.140 sport=58516 dport=22 src=196.200.219.140 dst=196.200.216.99 sport=22 dport=58516 [ASSURED] mark=0 use=1 EST ABLISHED is the connection state What are valid states? src=196.200.216.99 is the source address of the tracked connection dst=196.200.219.140 is the destination address Which one is the address of this host? Will it always be? sport=58516: source port dport=22: destination port Another set of addresses: what is this? 22 / 30

  23. ConnectionTracking How do we use it? iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT Y ou normally want this! Can you see any problems? 23 / 30

  24. ConnectionTrackingProblems What happens if someone hits your server with this? sudo hping3 --faster --rand-source -p 22 196.200.219.140 --syn Or if you run a server that has thousands of clients? 24 / 30

  25. ConnectionTrackingProblems Add a rule to block all connection tracking to a particular port: sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK Write your rules so that connection tracking is not needed (allow traffic both ways). Y ou probably want to do this for your DNS server. How? 25 / 30

  26. ConnectionTrackingProblems Add a rule to block all connection tracking to a particular port: sudo /sbin/iptables -t raw -A PREROUTING -p tcp --dport 22 -j NOTRACK Write your rules so that connection tracking is not needed (allow traffic both ways). Y ou probably want to do this for your DNS server. How? sudo /sbin/iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK 26 / 30

  27. Standardsimpleruleset This is one of the first things I set up on any new box: iptables -P INPUT ACCEPT iptables -F INPUT iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'Rejected INPUT ' Check that I can access the server without triggering a "Rejected INPUT" message in the logs, and then lock it down: iptables -P INPUT DROP 27 / 30

  28. Exercise nmap Install nmap : sudo apt install nmap Scan your system: sudo nmap -sS pcXX.sse.ws.afnog.org Which ports are open? How would you block them? Y ou will probably lock yourself out of your PC. That is OK, we can fix it :) As long as the changes have NOT been made permanent, we can reboot the system to restore access. 28 / 30

  29. Exercise The correct answer is: iptables -I INPUT 2 -p tcp --dport 22 -j DROP Which prevents new connections, but as long as rule 1 allows EST ABLISHED connections you will not be locked out (unless you lose your connection). iptables -L -nv The output of should look like: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 151 11173 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 29 / 30

  30. FIN Any questions? (yeah, right!) 30 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

469 views • 14 slides
Master Thesis Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls Christoph Paasch

Master Thesis Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls Christoph Paasch

Theoretic overview Shim6 and Firewalls: Problem statement Implementation Performance evaluation Configuring a shim6-firewall Conclusion Master Thesis Supporting IPv6 host-based multihoming (shim6) in Linux Firewalls Christoph Paasch

422 views • 31 slides
Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) March 24, 2015 3:44pm 2015 Avinash Kak, Purdue University c Goals: Packet-filtering vs. proxy-server

828 views • 70 slides
FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls

FIRE|WALLS Ohad Katz Overview What are Firewalls Why we need them Types of Firewalls (Categories) Implementation Best practices What are Firewalls? Internet Firewall Client/Host Network Network Security

585 views • 39 slides
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however

Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential however it creates a threat Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled

699 views • 34 slides
Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks

Firewalls Why do people want a firewall? [...] a firewalls purpose is to keep the jerks out of your network while still letting you get your job done. [Limiting] what kinds of connectivity is allowed between different

538 views • 30 slides
Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or

Firewalls Computer Center, CS, NCTU Firewalls Firewall A piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy. Choke point between secured

613 views • 34 slides
Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software

Firewalls jnlin Computer Center, CS, NCTU Firewalls q Firewall hardware/software choke point between secured and unsecured network filter incoming and outgoing traffic prevent communications which are forbidden by the

1.06k views • 57 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and

Firewalls Network Security: Firewalls, A system or combination of systems VPNs, and Honeypots that enforces a boundary between two CS 239 or more networks - NCSA Firewall Functional Summary Computer Security Usually, a

271 views • 10 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network

Cryptography and network security Firewalls slide 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Router Intranet Demilitarized Zone: DMZ publicly accessible servers and networks

746 views • 31 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the

MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the

MOBILITY STRATEGY AND APPROACH OF IEC Dr. Bernhard Thies German National Committee of the IEC Connecting an Electric Vehicle to the Grid (Smart) Power generation Grid Battery electric Charging station vehicle looks easy but many

278 views • 15 slides
FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes

FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes

FISCAL YEAR 2018: TENTATIVE BUDGET JUNE 20, 2017 BOARD OF EDUCATION MEETING Informational Notes D155 strives to keep its operating funds in the black. Revenues exceeded expenditures in 2014-2015 &amp; 2015-2016 Revenues are

747 views • 41 slides
FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY

FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY

SPECIAL EVENT: FREE KIDS! UNLEASHING THE POTENTIAL OF THE UN GLOBAL STUDY ON CHILDREN DEPRIVED OF LIBERTY Manfred Nowak United Nations Independent Expert leading the Global Study on Children Deprived of Liberty Wednesday, 30. May 2018,

548 views • 25 slides
Minutes for IAI [Major] Engineering Panel October 22, 2015 10:00 am ICCB Office, Springfield IL

Minutes for IAI [Major] Engineering Panel October 22, 2015 10:00 am ICCB Office, Springfield IL

Developing a Pathway 1) Curricular maintenance of the ASE and IAI involvement http://www.itransfer.org/faculty.aspx (see minutes below) https://www.transferology.com/login.htm?btn=login&amp;msg=expired When the transfer process breaks

305 views • 5 slides
Attribution and Aggregation of Network Flows for Security Analysis Annarita Giani Ian De Souza

Attribution and Aggregation of Network Flows for Security Analysis Annarita Giani Ian De Souza

Attribution and Aggregation of Network Flows for Security Analysis Annarita Giani Ian De Souza Vincent Berk George Cybenko Institute for Security Technology Studies Thayer School of Engineering Dartmouth College Hanover, NH FloCon 2006,

224 views • 21 slides
BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The

BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The

BLAVATNIK SCHOOL OF GOVERNMENT, OXFORD The Creation of a Modern International Organization: The Story of the International Commission on Missing Persons (ICMP) Sousse, Ankara, the Sinai Peninsula, Beirut, Paris, Bamako and the migration and

230 views • 6 slides
Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham

Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham

Market Operator User Group Dublin, 16 May 2019 1 Agenda Item Presenter Welcome Mark Needham M+4 Resettlement Claire Kane Settlements Sean ORourke Disputes &amp; Repricing Update Julie McGee Known Issues Update Eoin Farrell Ex-Ante

1.01k views • 85 slides
The problem: FSMs Basis of CS and CE Current standard for representation:

The problem: FSMs Basis of CS and CE Current standard for representation:

S halva Kohen A runavha Chanda K ai-Zhan Lee E mma Etherington The problem: FSMs Basis of CS and CE Current standard for representation: Unintuitive interface Very long descriptions Redundant behavior commands

137 views • 13 slides

More recommend