Wednesday, December 11, 2013

Firewall Unleashed

Introduction
Firewalls are used to monitor and control the inbound and outbound traffic on the protected network. They have an ability to block and allow the internal as well as external services within the network. Before allowing access to the service, a firewall may also force the client / user to pass through an authentication. Sometimes a firewall can be also used in IPSEC tunnels as a platform. It monitors security-related events.

Packet Filtering
The packet filtering mechanism mainly contains inspection on TCP/IP and UDP packets. It also includes all ports in its inspection. In this process, certain rules are written for allowing and rejecting the packets passing through the network. The rules written in the firewall may contain TCP and UDP port numbers, source and destination addresses. One can implement firewall rules which may work in both inbound and outbound directions.

Types of Firewalls
There are basically four types of firewalls:
  1. Packet Filter Firewall
  2. Stateful Packet Filter Firewall
  3. Circuit Level Gateway
  4. Application Level Gateway
Packet Filter Firewall
This firewall comes into play when an administrator wants only certain packets to enter into the protected network. In this case, each packet will be monitored and inspected before passing through the network, and after monitoring and inspecting, the firewall will decide whether to let it pass or not.








There are two types of packet filter mechanisms:
  1. Stateful Packet Filtering
    These types of firewalls are known as a smart / clever firewall. If the firewall remembers the packets it allowed and blocked in the network, then it is known as Stateful packet filtering. Sometimes it is also called a dynamic packet process.
  2. Stateless Packet Filtering
    In this case, information about all those previous packets passed through the networks is not being remembered by a firewall. This type of firewall can be bypassed and easily fooled by attackers, and is especially dangerous for UDP data packets. This firewall will never come to know whether the given packet is a part of existing connection or any rough useless packet, because it isolates each and every packet.
  3. Stateful Filter Firewall
    I have already mentioned about the Stateful packet filtering process in the above section. Additionally, this type of firewall keeps a track record of TCP streams to inspect each and every packet passing through and in and out of the network. Generally this type of firewall is only constructed to inspect packets which are coming in only one direction, from client to server. There is an automatic process which handles counter requests (replies) going from server to client. It has an ability to support a wider range of protocols such as IRC, FTP, etc…

    Example: FTP Inspection

     

Example:
First, the client sends an FTP request to the server, and the firewall will store the connection state. Then the server will give the server port to the client in order to tell the client that we will be using this 2050 port (as mentioned in above pic). Then it checks for the state of connection such as SYN, ACK, etc. If everything is right and legitimate, then the server establishes the connection and starts transferring the data by keeping in mind that packets should not be lost.


Circuit Level Gateway
This is a type of firewall which is lying within the session layer. It checks the legitimacy of the TCP handshake between packets in order to check if the established session is legitimate or not. The problem with circuit level gateway is, they do not provide cleaning of entity packets. Due to this, private networks have an advantage and it is that they can hide their network information. Here individual packets will not be filtered. SOCKS are commonly used in this type of firewall.


Netfilter/IPtables
Netfilter.org is home of the packet filtering framework for Linux kernels starting from 2.4.x and later. Software within that framework is known as Iptables. All incoming packets passing through the routing engine determines whether it should be allowed to deliver to the client or not. Using iptables, you can create your own firewall based on your rules. Netfilter has three tables:
      1. Filter – Contains INPUT, FORWARD & OUTPUT chains.
      2. NAT – Contains the rule for source/destination address along with port translation.
      3. Mangle- Contains rules for specialized packet routing flag.
Syntax
 
#iptables < option >< chain >< matching_criteria>< target >

Features
      • It provides stateless and Stateful packet filtering for both IPv4 and IPv6.
      • It provides each and every kind of port translation in both IPv4 and IPv6.
Creating a Basic Firewall Using Iptables and Testing It Simultaneously

Challenge : Create a firewall for a university/college in which they want their SSH port to be open so students can work in the university’s virtual Linux environment. They specifically want to block the icmp echo packets coming to their server. Also allow all these ports on networks such as 80, 443, 21 & 20. The university also wants packets containing SYN & FIN flag to be allowed, and the rest of them must be blocked over the Internet. The network also must allow traffic on the loopback device which will be localhost/127.0.0.1

Solution:
Before you start configuring your firewall, you need to make sure that iptables/netfilters is installed on your Linux environment. Generally it is there, if it is not there then you can download it from this website.
Download iptables/Netfilter: http://www.netfilter.org/downloads.html
If there is an iptables running on your machine, it means it will have some rules by default. If you want to see that which rules are currently set to which option, you can run the below command.

#iptables -L


So it shows that currently the input and forward chain’s values are set as DROP and output chain’s value has been set to ACCEPT.
One should keep a practice that if he/she is going to create a new firewall, he/she needs to flush all previous/old rules which are previously set. To clear all those rules, you need to give this command.

#iptables –F or #iptables –flush

It will flush/remove/clear/delete all the previous rules set in the firewall. Now we are in a position to create a new firewall with our custom rules to address the given challenge.
In reading our challenge, one thing is sure: that our primary policy set will be in such a way that our input chain policy will be set to DROP in order to drop all the packets initially at the firewall level so that they don’t come inside the network, and then we will set different packets to let them come inside our network. So our input chain’s policy value will be set to DROP along with forward policy value. And we will set the output policy value as ACCEPT, as there won’t be any harm if some packets are going from the network to the outside world on the Internet. So here are those terminal commands.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

The first two commands are easily understandable: we are dropping each and every incoming packet and we are allowing every outgoing packet. We use the forward policy to route the packets within the LAN. So if you want to allow that scenario, set the value of that policy as ACCEPT. In our case they have not mentioned anything, so we will block it for this moment.
Now the second thing to do is to allow the traffic which establishes new sessions. In order to do that, we can give the below command.

#iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

Here I am going to describe some options used in this command which will remain constant throughout this example. Option –A stands for append. Its work is to append the given rule to the relevant rule chain. Here our rule chain is INPUT. The –m option is used for matching. Here it is matching our different state with the live traffic and if it finds anything, it applies the policy on that. Lastly, the -j option tells exactly what to do with the packet which is matched and found by the firewall. For jump, there are some targets such as ACCEPT & DROP. As you know, ACCEPT will allow that packet to come inside the network through the firewall and DROP will simply drop the packet. When you give this command to the terminal, and if you set the policy using the iptables –L command, you will see the below result.


I have given the below command to print “Starting New firewall”:

#echo “Starting New firewall”

Moving forward, now we need to open the SSH port whose port number is 22. So basically students of the university/college can play in their virtual Linux box via port number 22 (SSH) by sitting anywhere. Here is a command for that:

#iptables -A INPUT -i eth1 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT

Here we have two new options which are –i and –p. The “-i” stands for interface declaration. It may be possible that the university has more than one interface, so set which interface you want to apply these rules. According to the challenge, they want to apply these rules on their eth1 interface.

The “-p” option is used to define the protocol such as tcp and udp. Here we are defining our SSH port, so we will use the tcp option and last but not least we will use the “-dport” option, which stands for destination port. In our case, we are working on SSH and the port number of SSH is 22. So we will define dport value as 22.

The “-d” option is used for the destination IP address. We mentioned it in our command. When you set this policy through your terminal and then you list the result, it will look something like this:


Testing SSH with ACCEPT and DROP Value Set
Value set ACCEPT:



Now it is time to configure all ports mentioned in our challenge. We will form a group of two. First we will accept all those packets which are coming through http and https. The command for that is shown below.

#iptables -A INPUT -p tcp –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp –dport 443 -j ACCEPT

All the options are mentioned. The only difference is that in dport value we give 80 which stands for http and 443 which stands for https. We will not be testing each and every policy we set in our firewall. We will test only some of those major ones. After running the above commands in your terminal, when you list the rules it will look something like this:


Now we are going to allow loopback traffic on the localhost which will be l0/127.0.0.1. Here we will allow both inbound and outbound traffic in loopback. The command for that is shown below.

#iptables -A INPUT -i l0 -p all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT

As you can assume, we have set our interface value of the loopback device which is l0/127.0.0.1. On top of that we are allowing all ports to communicate with this device. After you set this result, when you list the rules it will look something like this:


You can see that entries are increasing at the down side as we are setting our each and every rule. Now we will allow port 21 & 20 to communicate with our network. The command for that is:

#iptables -A INPUT -p tcp –dport 21 -j ACCEPT
#iptables -A INPUT -p tcp –dport 20 -j ACCEPT

After applying these rules to the terminal, list the firewall policy. It will look like this:


Value set ACCEPT: Reply from the server is coming.


Value set DROP: Server won’t respond anymore.


Finally at last, the university wants to accept the packets coming on the network which contains SYN and FIN flags only. It means the rest of the all packets containing flags such as RST, PSH, ACK & URG must be blocked. I could only give two commands in order to show that only packets containing SYN and FIN flags should come through, though I have typed all commands in order to have a close look if you want to use them in the future, and then you can uncomment and change them according to your needs.

So here are the commands for that:

iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT

I have executed first two commands and the rest of those are in the comment. So in the first two commands it shows that they have loaded first all flags by defining ALL and then they just want SYN and FIN to enter via packet into the network. So when you list the rules it will look like this:


So in the last two commands it tells us that it is showing that total tcp flags are FIN, SYN, RST, PSH, ACK & URG, but from all of them you need to accept the packets which only contains SYN and FIN flags. So here is the testing for that. For testing purpose I am using hping3 utility in KALI Linux.

To write all these commands in the terminal is a very tedious thing. It is better to write a script for this. To create a script, you will need to go to the /sbin/ folder and then you create any file with a touch command. In my case it’s a ccc.sh file, so the command would be like this:

#touch ccc.sh

Then you open that file with your favorite editor and write all the following code in that. Before you start writing all the rules, you must define the below:

#!/bin/bash

This command will identify that it’s a bash script. Otherwise it won’t recognize anything written in that file. So your final code would be like this:

#!/bin/bash
echo “Starting New firewall”
#Flushing old firewall rules
iptables -F
#standard Firewall rules for INPUT OUTPUT and FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Allowing 3-way handshake
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
#Allowing SSH server
iptables -A INPUT -i eth0 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
#Allow HTTP HTTPS – 80,443
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 443 -j ACCEPT
#Allowing Loopback traffic(Input and Output both) – l0
iptables -A INPUT -i l0 -p all -j ACCEPT
iptables -A OUTPUT -o l0 -p all -j ACCEPT
#Allow FTP – 21 20
iptables -A INPUT -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -p tcp –dport 20 -j ACCEPT
#Blocking IMCP packets
iptables -A INPUT -p icmp -d 192.168.150.136 –icmp-type 8 -j DROP
#Blocking Packets with all tcp flags
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
#Listing the Set Rules
iptables -L

Now you run that file by simply typing ./ccc.sh in the terminal. In case it does not work, then you need to set the permission to that file by simply typing chmod 777 ccc. sh and then it will surely run.

Conclusion

You have come to know how we can build our custom firewall in order to protect our network. It is very much cost effective and easy to setup your own. Also it has hybrid modules, function & features. It is also a best practice for network administrators to play with the firewall.

References
    1. http://securityworld.worldiswelcome.com/packet-filtering-firewall-an-introduction
    2. http://www.checkpoint.com/smb/help/z100g/7.5/7082.htm
    3. http://aeriqusyairi.com/2013/08/13/packet-filtering-firewalls/
    4. https://en.wikipedia.org/wiki/Circuit-Level_Gateway
    5. http://zapidi888.blogspot.co.uk/2009/10/lecture-8-firewall.html
    6. http://myitweb.weebly.com/application-level-gateway.html
    7. http://www.linuxjournal.com/article/7296
    8. http://my.safaribooksonline.com/book/networking/firewalls/0672327716/iptables-the-linux-firewall-administration-program/ch03lev1sec4
    9. http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html
    10. https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TARGETS
    11. http://www.nthelp.com/icmp.html


No comments: