Slide 1: SPR500
Security Policy
Firewall
Netfilter & iptables
Raymond Chan, 2012.09.19
Slide 2: Security Policy
What is a Security Policy?
Slide 3: Security Policy
● Wikipedia - http://en.wikipedia.org/wiki/Security_policy
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Slide 4: Firewall
What is a firewall?
Slide 5: Firewall
A product that inspects network traffic at the network and transport layers of the OSI Reference Model and makes pass or filter decisions.
(The definition used by most people.)
Slide 6: Firewall
The implementation of your Internet security policy.
By an expert: Marcus Ranum, inventor of the proxy firewall
Slide 7: Firewall
● A security policy enforcement system
  ● Network policy enforcement system
  ● Host policy enforcement system
  ● (not just “stops bad stuff”)
● A defensive tool – protecting assets from attack
  ● Host-centric defense (esp. for IPv6 hosts)
  ● Network-centric filtering
  ● Single packet authorization
Slide 8: Firewall Implementation under Linux
Kernel: Netfilter
User Land: iptables
Slide 9: Netfilter
What is it?
A framework within the Linux kernel that can be used to hook functions into the networking stack at various stages.
Slide 10: Netfilter
What does it provide?
Mainly packet filtering and mangling.
Slide 11: Netfilter
What does it provide?
But also capable of doing connection tracking and logging.
Slide 12: iptables
What is it?
Userland tools to tell the appropriate netfilter modules what rules to use for matching packets.
Slide 13: Netfilter modules
Available features:
● Packet filtering
● Stateful packet filtering
● Filter packets based on packet headers
● Filter outgoing packets based on user ID
● Address Translation: S-NAT, D-NAT
● IP accounting and mangling
Slide 14: iptables: tables, chains and rules
Rules – packet specification and action
● For matching specific packets
● Action to be taken if matched
Chains
● Related rules are placed in the same chain
● The order of rules in a chain is vital
Tables
● Chains of rules for the same function are placed in specific tables
Slide 15: iptables: tables
Tables
● filter table
● nat table
● mangle table
● raw table
Slide 16: iptables: chains
Chains
● Built-in chains
  ● INPUT
  ● OUTPUT
  ● FORWARD
  ● PREROUTING
  ● POSTROUTING
● User-defined chains
Slide 17: iptables: tables and chains
Table: filter, nat, mangle
Chain: input, output, forward, prerouting, postrouting, user-defined
Slide 18: iptables: rules
Default Rule – Chain Policy
● Built-in chain
● Rule of last resort
Regular Rules
● Matches
● Target
Slide 19: iptables: rules
Matches:
● --source (-s)
● --destination (-d)
● --protocol (-p)
● --in-interface (-i)
● --out-interface (-o)
● --state
● --string
Slide 20: iptables: rules
Targets:
● ACCEPT
● DROP
● LOG
● REJECT
● RETURN
● QUEUE
Slide 21: iptables: rules
Targets
● ACCEPT – let the packet through
● DROP – drops the packet
● QUEUE – passes the packet to userspace (application program)
● RETURN – stops traversing the current chain and resumes at the next rule in the previous (calling) chain
Slide 22: iptables: chain policy
● Either ACCEPT or DROP
● The policy of a chain is applied when
  ● A packet reaches the end of a built-in chain, or
  ● A packet matches a rule in a built-in chain with the target RETURN (?)
Slide 23: iptables: tables and chains
Filter table's built-in chains:
● INPUT chain
● OUTPUT chain
● FORWARD chain
Slide 24: iptables: tables and chains
NAT table's built-in chains:
● PREROUTING chain
  ● Translate destination addresses
● OUTPUT chain
● POSTROUTING chain
  ● Translate source addresses
Slide 25: iptables: tables and chains
Mangle table's built-in chains:
● PREROUTING chain
● OUTPUT chain
● INPUT chain
● FORWARD chain
● POSTROUTING chain
Slide 26: Tables, chains, and rules
The BIG question:
When will a specific rule in a specific chain of a specific table be used?
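One way to see the answer, as an added example that is not part of the slides: a small shell model of how an incoming packet walks the filter table's INPUT chain. Rules are tried in order and the first match decides; a jump into a user-defined chain comes back to the next rule on RETURN; and, as iptables(8) states, reaching the end of a built-in chain or matching a RETURN rule inside one hands the packet to the chain policy (which answers the "(?)" on slide 22). The chain name SSH_CHECK, the rule lines and the sample packets are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): a model of filter-table chain traversal.
# Constructed ruleset, one rule per line: "CHAIN PROTO:DPORT TARGET".
# "any" matches every protocol or port. TARGET may also name another chain.
RULES='INPUT any:any SSH_CHECK
INPUT tcp:80 ACCEPT
SSH_CHECK tcp:22 ACCEPT
SSH_CHECK any:any RETURN'
POLICY_INPUT=DROP   # the equivalent of: iptables -P INPUT DROP

# rule_matches SPEC PROTO DPORT: does the "proto:dport" SPEC match the packet?
rule_matches() {
  local want_proto=${1%%:*} want_port=${1##*:}
  { [ "$want_proto" = any ] || [ "$want_proto" = "$2" ]; } &&
  { [ "$want_port" = any ] || [ "$want_port" = "$3" ]; }
}

# traverse CHAIN PROTO DPORT: walk one chain in rule order and print the
# verdict it produced: ACCEPT, DROP, or RETURN (no verdict in this chain).
traverse() {
  local chain=$1 proto=$2 dport=$3 c spec target sub
  while read -r c spec target; do
    [ "$c" = "$chain" ] || continue
    rule_matches "$spec" "$proto" "$dport" || continue
    case $target in
      ACCEPT|DROP|RETURN) echo "$target"; return ;;
      *) # jump into a user-defined chain; resume here unless it decided
         sub=$(traverse "$target" "$proto" "$dport")
         if [ "$sub" != RETURN ]; then echo "$sub"; return; fi ;;
    esac
  done <<EOF
$RULES
EOF
  echo RETURN   # fell off the end of the chain without a verdict
}

# verdict PROTO DPORT: final fate of an incoming packet. RETURN out of the
# built-in INPUT chain means the chain policy applies (iptables(8) semantics).
verdict() {
  local v
  v=$(traverse INPUT "$1" "$2")
  if [ "$v" = RETURN ]; then v=$POLICY_INPUT; fi
  echo "$v"
}

for pkt in "tcp 22" "tcp 80" "udp 53"; do
  echo "$pkt -> $(verdict $pkt)"
done
```

The udp 53 packet is accepted by neither chain, so it falls through to the INPUT policy and is dropped, while the tcp 80 packet survives the RETURN from SSH_CHECK and is accepted by the next INPUT rule.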
Slide 27: Firewall: Basic Operation
● Creating firewall rules
● Listing existing firewall rules
● Flushing out existing firewall rules
● Set/Change chain policy
● Saving existing firewall rules
● Restore firewall rules from file
Slide 28: Firewall: Basic Operation
Chain Policy
● To list the current chain policy
  ● iptables -t table -L
● To set the chain policy for chains in the filter table (DROP or ACCEPT)
  ● iptables -P INPUT DROP
  ● iptables -P OUTPUT ACCEPT
  ● iptables -P FORWARD ACCEPT
Slide 29: Firewall: Basic Operation
Chain Policy
● Each chain must be set individually
  ● The OUTPUT chain in the filter table and the OUTPUT chain in the nat table are separate chains
  ● Use “-t table” to specify which table the chain is in
● User-defined chains do not need a chain policy
Slide 30: Firewall: Basic Operation
A Perfectly secure Firewall
● iptables -t filter -F
● iptables -t filter -P INPUT DROP
Note: After flushing all the rules in all the chains in the filter table, the INPUT chain policy applies to all incoming packets and drops them all – block all incoming packets.
Slide 31: Firewall: Basic Operation
A Practically secure Firewall
● iptables -t filter -F
● iptables -t filter -P INPUT DROP
Allow packets from any web server to go through the firewall
● iptables -A INPUT -p tcp --sport 80 -j ACCEPT
Allow incoming SSH connection requests from any machine
● iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Slide 32: Firewall: Basic Operation
iptables rule syntax:
● iptables [-t table] [options] chain [match] [target]
● iptables [-t table] [-ADC] chain rule-specification [options]
● iptables [-t table] -I chain [rulenum] rule-specification [options]
● iptables [-t table] -R chain rulenum rule-specification
● iptables [-t table] -D chain rulenum [options]
● iptables [-t table] -[LFZ] [chain] [options]
● iptables [-t table] -N chain
● iptables [-t table] -X [chain]
● iptables [-t table] -P chain target [options]
● iptables [-t table] -E old-chain-name new-chain-name
Slide 33: Firewall: Basic Operation
MAC match rule:
● iptables [-t table] [options] chain [match] [target]
● Example:
  ● iptables -A INPUT -m mac --mac-source 00:05:0A:1B:2D:3E -j ACCEPT
  ● iptables -A INPUT -m mac --mac-source ! 00:05:0A:1B:2D:3E -j ACCEPT
● MAC match valid only in the PREROUTING, FORWARD and INPUT chains
Slide 34: Firewall: Basic Operation
Save current rules:
iptables-save [-c] [-t table]
Dump the contents of an IP table in a parseable format to STDOUT.
iptables-save > firewall.txt
Dump all the current IP tables to the file firewall.txt
Slide 35: Firewall: Basic Operation
Restore rules from file:
iptables-restore [-c] [-n]
Restore IP tables from data specified on STDIN
● -c restore the values of all packet and byte counters
● -n don't flush the previous contents of the table
iptables-restore < firewall.txt
Restore IP tables from the previously saved file firewall.txt
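As an added example that is not part of the slides, the "practically secure" filter table from slide 31 written in the format that iptables-save dumps and iptables-restore reads, so the save/restore steps above can be driven from a file kept under version control. It assumes firewall.txt as the file name from the slides, uses --dport 22 as the destination-port option for the SSH rule, admits replies to outbound connections with the --state match from slide 19, and adds an offline check before the file is loaded; the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): build, check and load a filter table
# in iptables-save format.

# build_ruleset: print the filter table in the format iptables-save produces.
build_ruleset() {
  cat <<'EOF'
# Constructed ruleset in iptables-save format
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# The slide's "--sport 80" rule would accept any packet that merely claims
# source port 80; the ESTABLISHED,RELATED rule above already admits genuine
# replies from web servers this host contacted, so that rule is left out.

# check_ruleset FILE: offline sanity checks on the saved file, run before
# iptables-restore sees it: the table header, a DROP policy on INPUT, the
# stateful reply rule and the COMMIT line must all be present.
check_ruleset() {
  grep -q '^\*filter$' "$1" &&
  grep -q '^:INPUT DROP ' "$1" &&
  grep -q '^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$' "$1" &&
  grep -q '^COMMIT$' "$1"
}

# load_ruleset FILE: parse with the real tool first (iptables-restore --test
# only parses and constructs the ruleset without committing it; needs root),
# then load it for real. Not called below, so the script is safe to run as-is.
load_ruleset() {
  if ! command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore not installed; skipping load" >&2
    return 0
  fi
  iptables-restore --test < "$1" && iptables-restore < "$1"
}

build_ruleset > firewall.txt
check_ruleset firewall.txt && echo "firewall.txt passed offline checks"
```

Because iptables-save output is plain text, the same check_ruleset step can be run against a file dumped from a live host to confirm its INPUT policy is still DROP.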
Slide 36: SPR500
Security Policy
Firewall
Netfilter & iptables
Questions & Answers
Raymond Chan, 2012.09.19