Introduction
Firewalls are used to monitor and control the inbound and
outbound traffic on the protected network. They have an ability to block
and allow the internal as well as external services within the network.
Before allowing access to the service, a firewall may also force the
client / user to pass through an authentication. Sometimes a firewall
can be also used in IPSEC tunnels as a platform. It monitors
security-related events.
Packet Filtering
The packet filtering mechanism mainly contains inspection on
TCP/IP and UDP packets. It also includes all ports in its inspection. In
this process, certain rules are written for allowing and rejecting the
packets passing through the network. The rules written in the firewall
may contain TCP and UDP port numbers, source and destination addresses.
One can implement firewall rules which may work in both inbound and
outbound directions.
Types of Firewalls
There are basically four types of firewalls:
-
Packet Filter Firewall
-
Stateful Packet Filter Firewall
-
Circuit Level Gateway
-
Application Level Gateway
Packet Filter Firewall
This firewall comes into play when an administrator wants only
certain packets to enter into the protected network. In this case, each
packet will be monitored and inspected before passing through the
network, and after monitoring and inspecting, the firewall will decide
whether to let it pass or not.
There are two types of packet filter mechanisms:
-
Stateful Packet FilteringThese types of firewalls are known as a smart / clever firewall. If the firewall remembers the packets it allowed and blocked in the network, then it is known as Stateful packet filtering. Sometimes it is also called a dynamic packet process.
-
Stateless Packet FilteringIn this case, information about all those previous packets passed through the networks is not being remembered by a firewall. This type of firewall can be bypassed and easily fooled by attackers, and is especially dangerous for UDP data packets. This firewall will never come to know whether the given packet is a part of existing connection or any rough useless packet, because it isolates each and every packet.
-
Stateful Filter FirewallI have already mentioned about the Stateful packet filtering process in the above section. Additionally, this type of firewall keeps a track record of TCP streams to inspect each and every packet passing through and in and out of the network. Generally this type of firewall is only constructed to inspect packets which are coming in only one direction, from client to server. There is an automatic process which handles counter requests (replies) going from server to client. It has an ability to support a wider range of protocols such as IRC, FTP, etc…Example: FTP Inspection
Example:
First, the client sends an FTP
request to the server, and the firewall will store the connection state.
Then the server will give the server port to the client in order to
tell the client that we will be using this 2050 port (as mentioned in
above pic). Then it checks for the state of connection such as SYN, ACK,
etc. If everything is right and legitimate, then the server establishes
the connection and starts transferring the data by keeping in mind that
packets should not be lost.
Circuit Level Gateway
This is a type of firewall which is lying within the session
layer. It checks the legitimacy of the TCP handshake between packets in
order to check if the established session is legitimate or not. The
problem with circuit level gateway is, they do not provide cleaning of
entity packets. Due to this, private networks have an advantage and it
is that they can hide their network information. Here individual packets
will not be filtered. SOCKS are commonly used in this type of firewall.
Netfilter/IPtables
Netfilter.org is home of the packet
filtering framework for Linux kernels starting from 2.4.x and later.
Software within that framework is known as Iptables.
All incoming packets passing through the routing engine determines
whether it should be allowed to deliver to the client or not. Using
iptables, you can create your own firewall based on your rules.
Netfilter has three tables:
-
Filter – Contains INPUT, FORWARD & OUTPUT chains.
-
NAT – Contains the rule for source/destination address along with port translation.
-
Mangle- Contains rules for specialized packet routing flag.
Syntax
#iptables < option >< chain >< matching_criteria>< target >
Features
-
It provides stateless and Stateful packet filtering for both IPv4 and IPv6.
-
It provides each and every kind of port translation in both IPv4 and IPv6.
Creating a Basic Firewall Using Iptables and Testing It Simultaneously
Challenge : Create a
firewall for a university/college in which they want their SSH port to
be open so students can work in the university’s virtual Linux
environment. They specifically want to block the icmp echo packets
coming to their server. Also allow all these ports on networks such as
80, 443, 21 & 20. The university also wants packets containing SYN
& FIN flag to be allowed, and the rest of them must be blocked over
the Internet. The network also must allow traffic on the loopback device
which will be localhost/127.0.0.1
Solution:
Before you start configuring your
firewall, you need to make sure that iptables/netfilters is installed on
your Linux environment. Generally it is there, if it is not there then
you can download it from this website.
Download iptables/Netfilter: http://www.netfilter.org/downloads.html
If there is an iptables running on
your machine, it means it will have some rules by default. If you want
to see that which rules are currently set to which option, you can run
the below command.
#iptables -L
So it shows that currently the input and forward chain’s values are set as DROP and output chain’s value has been set to ACCEPT.
One should keep a practice that if
he/she is going to create a new firewall, he/she needs to flush all
previous/old rules which are previously set. To clear all those rules,
you need to give this command.
#iptables –F or #iptables –flush
It will flush/remove/clear/delete
all the previous rules set in the firewall. Now we are in a position to
create a new firewall with our custom rules to address the given
challenge.
In reading our challenge, one thing
is sure: that our primary policy set will be in such a way that our
input chain policy will be set to DROP in order to drop all the packets
initially at the firewall level so that they don’t come inside the
network, and then we will set different packets to let them come inside
our network. So our input chain’s policy value will be set to DROP along
with forward policy value. And we will set the output policy value as
ACCEPT, as there won’t be any harm if some packets are going from the
network to the outside world on the Internet. So here are those terminal
commands.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
The first two commands are easily
understandable: we are dropping each and every incoming packet and we
are allowing every outgoing packet. We use the forward policy to route
the packets within the LAN. So if you want to allow that scenario, set
the value of that policy as ACCEPT. In our case they have not mentioned
anything, so we will block it for this moment.
Now the second thing to do is to
allow the traffic which establishes new sessions. In order to do that,
we can give the below command.
#iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
Here I am going to describe some
options used in this command which will remain constant throughout this
example. Option –A stands for append. Its work is to append the given
rule to the relevant rule chain. Here our rule chain is INPUT. The –m
option is used for matching. Here it is matching our different state
with the live traffic and if it finds anything, it applies the policy on
that. Lastly, the -j option tells exactly what to do with the packet
which is matched and found by the firewall. For jump, there are some
targets such as ACCEPT & DROP. As you know, ACCEPT will allow that
packet to come inside the network through the firewall and DROP will
simply drop the packet. When you give this command to the terminal, and
if you set the policy using the iptables –L command, you will see the
below result.
I have given the below command to print “Starting New firewall”:
#echo “Starting New firewall”
Moving forward, now we need to open
the SSH port whose port number is 22. So basically students of the
university/college can play in their virtual Linux box via port number
22 (SSH) by sitting anywhere. Here is a command for that:
#iptables -A INPUT -i eth1 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
Here we have two new options which
are –i and –p. The “-i” stands for interface declaration. It may be
possible that the university has more than one interface, so set which
interface you want to apply these rules. According to the challenge,
they want to apply these rules on their eth1 interface.
The “-p” option is used to define
the protocol such as tcp and udp. Here we are defining our SSH port, so
we will use the tcp option and last but not least we will use the
“-dport” option, which stands for destination port. In our case, we are
working on SSH and the port number of SSH is 22. So we will define dport
value as 22.
The “-d” option is used for
the destination IP address. We mentioned it in our command. When you set
this policy through your terminal and then you list the result, it will
look something like this:
Testing SSH with ACCEPT and DROP Value Set
Value set ACCEPT:
Now it is time to configure all
ports mentioned in our challenge. We will form a group of two. First we
will accept all those packets which are coming through http and https.
The command for that is shown below.
#iptables -A INPUT -p tcp –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp –dport 443 -j ACCEPT
#iptables -A INPUT -p tcp –dport 443 -j ACCEPT
All the options are mentioned. The
only difference is that in dport value we give 80 which stands for http
and 443 which stands for https. We will not be testing each and every
policy we set in our firewall. We will test only some of those major
ones. After running the above commands in your terminal, when you list
the rules it will look something like this:
Now we are going to allow loopback
traffic on the localhost which will be l0/127.0.0.1. Here we will allow
both inbound and outbound traffic in loopback. The command for that is
shown below.
#iptables -A INPUT -i l0 -p all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT
As you can assume, we have set our
interface value of the loopback device which is l0/127.0.0.1. On top of
that we are allowing all ports to communicate with this device. After
you set this result, when you list the rules it will look something like
this:
You can see that entries are
increasing at the down side as we are setting our each and every rule.
Now we will allow port 21 & 20 to communicate with our network. The
command for that is:
#iptables -A INPUT -p tcp –dport 21 -j ACCEPT
#iptables -A INPUT -p tcp –dport 20 -j ACCEPT
#iptables -A INPUT -p tcp –dport 20 -j ACCEPT
After applying these rules to the terminal, list the firewall policy. It will look like this:
Value set ACCEPT: Reply from the server is coming.
Value set DROP: Server won’t respond anymore.
Finally at last, the university
wants to accept the packets coming on the network which contains SYN and
FIN flags only. It means the rest of the all packets containing flags
such as RST, PSH, ACK & URG must be blocked. I could only give two
commands in order to show that only packets containing SYN and FIN flags
should come through, though I have typed all commands in order to have a
close look if you want to use them in the future, and then you can
uncomment and change them according to your needs.
So here are the commands for that:
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
I have executed first two commands
and the rest of those are in the comment. So in the first two commands
it shows that they have loaded first all flags by defining ALL and then
they just want SYN and FIN to enter via packet into the network. So when
you list the rules it will look like this:
So in the last two commands it tells us that it is showing that
total tcp flags are FIN, SYN, RST, PSH, ACK & URG, but from all of
them you need to accept the packets which only contains SYN and FIN
flags. So here is the testing for that. For testing purpose I am using
hping3 utility in KALI Linux.
To write all these commands in the
terminal is a very tedious thing. It is better to write a script for
this. To create a script, you will need to go to the /sbin/ folder and
then you create any file with a touch command. In my case it’s a ccc.sh
file, so the command would be like this:
#touch ccc.sh
Then you open that file with your
favorite editor and write all the following code in that. Before you
start writing all the rules, you must define the below:
#!/bin/bash
This command will identify that it’s
a bash script. Otherwise it won’t recognize anything written in that
file. So your final code would be like this:
#!/bin/bash
echo “Starting New firewall”
echo “Starting New firewall”
#Flushing old firewall rules
iptables -F
iptables -F
#standard Firewall rules for INPUT OUTPUT and FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Allowing 3-way handshake
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
#Allowing SSH server
iptables -A INPUT -i eth0 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
#Allow HTTP HTTPS – 80,443
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 443 -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 443 -j ACCEPT
#Allowing Loopback traffic(Input and Output both) – l0
iptables -A INPUT -i l0 -p all -j ACCEPT
iptables -A OUTPUT -o l0 -p all -j ACCEPT
iptables -A INPUT -i l0 -p all -j ACCEPT
iptables -A OUTPUT -o l0 -p all -j ACCEPT
#Allow FTP – 21 20
iptables -A INPUT -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -p tcp –dport 20 -j ACCEPT
iptables -A INPUT -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -p tcp –dport 20 -j ACCEPT
#Blocking IMCP packets
iptables -A INPUT -p icmp -d 192.168.150.136 –icmp-type 8 -j DROP
iptables -A INPUT -p icmp -d 192.168.150.136 –icmp-type 8 -j DROP
#Blocking Packets with all tcp flags
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
#Listing the Set Rules
iptables -L
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
#Listing the Set Rules
iptables -L
Now you run that file by simply
typing ./ccc.sh in the terminal. In case it does not work, then you need
to set the permission to that file by simply typing chmod 777 ccc. sh
and then it will surely run.
Conclusion
You have come to know how we can
build our custom firewall in order to protect our network. It is very
much cost effective and easy to setup your own. Also it has hybrid
modules, function & features. It is also a best practice for network
administrators to play with the firewall.
References
- http://securityworld.worldiswelcome.com/packet-filtering-firewall-an-introduction
- http://www.checkpoint.com/smb/help/z100g/7.5/7082.htm
- http://aeriqusyairi.com/2013/08/13/packet-filtering-firewalls/
- https://en.wikipedia.org/wiki/Circuit-Level_Gateway
- http://zapidi888.blogspot.co.uk/2009/10/lecture-8-firewall.html
- http://myitweb.weebly.com/application-level-gateway.html
- http://www.linuxjournal.com/article/7296
- http://my.safaribooksonline.com/book/networking/firewalls/0672327716/iptables-the-linux-firewall-administration-program/ch03lev1sec4
- http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html
- https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TARGETS
- http://www.nthelp.com/icmp.html
No comments:
Post a Comment