World of FIREWALL'S
Firewalls are used to
control the inbound and outbound traffic on a protected network. They have an
ability to block and allow the internal as well as external services within the
network. Before allowing access to the service, a firewall may also force the
client / user to pass through authentication. It is also used to monitor the
ingoing and outgoing traffic of the protected network. Sometimes a firewall can
be also used in IPSEC tunnels as a platform. It monitors security-related
events.
The packet filtering
mechanism mainly contains inspection on TCP/IP and UDP packets. It also
includes all ports in its inspection. In this process, certain rules are
written for allowing and rejecting the packets passing through the network. The
rules written in the firewall may contain TCP and UDP port numbers, source and
destination addresses. One can implement firewall rules which may work in both
inbound and outbound directions.
Types
of Firewalls
There are basically
four types of firewalls:
- Packet Filter Firewall
- Stateful Packet Filter Firewall
- Circuit Level Gateway
- Application Level Gateway
- Packet Filter Firewall
This firewall comes into play when an administrator wants only
certain packets to enter into the protected network. In this case, each packet
will be monitored and inspected before passing through the network, and after
monitoring and inspecting, the firewall will decide whether to let it pass or
not.
Figure : Packet Filtering Firewall Location
There are two types of
packet filter mechanisms:
- Stateful Packet Filtering
This type of firewalls is known as a smart / clever firewall. If
the firewall remembers the packets it allowed and blocked in the network, then
it is known as stateful packet filtering. Sometimes it is also called a dynamic
packet process.
- Stateless Packet Filtering
In this case, information about all those previous packets
passed through the networks is not being remembered by a firewall. This type of
firewall can be bypassed and easily fooled by attackers, and is especially
dangerous for UDP data packets. This firewall will never come to know whether
the given packet is a part of existing connection or any rough useless packet,
because it isolates each and every packet.
- Stateful Filter Firewall
I have already mentioned the stateful packet filtering process
in the above section. Additionally, this type of firewall keeps a track record
of TCP streams to inspect each and every packet passing through and in and out
of the network. Generally this type of firewall is only constructed to inspect
packets which are coming in only one direction, from client to server. There is
an automatic process which handles counter requests (replies) going from server
to client. It has an ability to support a wider range of protocols such as IRC,
FTP, etc…
Example: FTP Inspection
Figure : FTP Inspection Architecture
Example:
First, the client
sends an FTP request to the server, and the firewall will store the connection
state. Then the server will give the server port to the client in order to tell
the client that we will be using this 2050 port (as mentioned in above pic).
Then it checks for the state of connection such as SYN, ACK, etc. If everything
is right and legitimate, then the server establishes the connection and starts
transferring the data by keeping in mind that packets should not be lost.
- Circuit Level Gateway
This is a type of firewall within the session layer. It checks
the legitimacy of the TCP handshake between packets in order to check if the
established session is legitimate or not. The problem with circuit level
gateway is, they do not provide cleaning of entity packets. Due to this,
private networks have an advantage and it is that they can hide their network
information. Here individual packets will not be filtered. SOCKS are commonly
used in this type of firewall.
Circuit Level Gateway
Architecture
Here TCP/IP packets
will be accepted by the firewall. There is identical specification of the rules
such as packet filter firewalls. Adding to that, several rules can state which
connections will be allowed and which connections should be not allowed. An
allowed connection (via rules) will create a new fresh connection with the
server.
- Application-Level Gateway
Application-level gateway contains security components such as a
firewall. As per its name, sometimes it is also denoted as ALG
(application-level gateway). Here the client connects to the server using any
TCP/IP application such as FTP or Telnet. Then the name of the remote host is
needed from the user to access it. The gateway also relays the TCP segment
which has some information of application data between client and server.
Application layer proxy firewall flow scenario
Here the client and
server both will connect to the proxies instead of connecting directly. So if
the proxy finds any suspicious file or activity on their network, it will drop
that connection. This firewall is made to handle complex protocols such as SIP,
H.323, etc. Here packets are received and also processed by the server. The
client generates new packets every time.
Types of Policies
There are two types of
policies in these types of firewalls.
- Permissive: Generally it allows all packets to pass through the
network using relative ports and block just some packets, such as IRC,
TELNET, SNMP, etc. If you forget to block something, then it can cause a
vulnerable network.
- Restrictive: By default it blocks
all packets and allows some packets to pass through the network using certain ports and allows HTTP/s, SSH, SMTP, POP3 etc. This policy is secure, compared to the permissive one. Here if you forget to allow any port, someone will complain to you and you can allow that port; on the other hand, in permissive policy, if ports are open without you knowing, then no one will complain or tell you.
Netfilter/IPtables
Netfilter.org is home of the packet filtering framework for
Linux kernels starting from 2.4.x and later. Software within that framework is
known as Iptables. All incoming packets passing through the routing
engine determines whether it should be allowed to deliver to the client or not.
Using iptables, you can create your own firewall based on your rules. Netfilter
has three tables:
1.
Filter
– Contains INPUT,
FORWARD & OUTPUT chains.
2.
NAT
– Contains the
rule for source/destination address along with port translation.
3.
Mangle
- Contains rules
for specialized packet routing flag.
Syntax
#iptables < option >< chain ><
matching_criteria>< target >
Features
·
It provides stateless
and stateful packet filtering for both IPv4 and IPv6.
·
It provides each and
every kind of port translation in both IPv4 and IPv6.
Creating Basic
Firewall Using Iptables And Testing It Simultaneously
Challenge: Create a firewall for a university/college in
which they want their SSH port to be open so students can work in the
university’s virtual Linux environment. They specifically want to block the
icmp echo packets coming to their server. Also allow all these ports on
networks such as 80, 443, 21 & 20. The university also wants packets containing
SYN & FIN flag to be allowed, and the rest of them must be blocked over the
Internet. The network also must allow traffic on the loopback device which will
be localhost/127.0.0.1
Solution:
Before you start
configuring your firewall, you need to make sure that iptables/netfilters is
installed on your Linux environment. Generally it is there, if it is not there
then you can download it from any website.
If there is an
iptables running on your machine, it means it will have some rules by default.
If you want to see that which rules are currently set to which option, you can
run the below command.
#iptables -L
So it shows that
currently the input and forward chain’s values are set as DROP and output
chain’s value has been set to ACCEPT.
One should keep a
practice that if he/she is going to create a new firewall, he/she needs to
flush all previous/old rules which are previously set. To clear all those
rules, you need to give this command.
#iptables –F or #iptables –flush
It will
flush/remove/clear/delete all the previous rules set in the firewall. Now we
are in a position to create a new firewall with our custom rules to address the
given challenge.
In reading our
challenge, one thing is sure: that our primary policy set will be in such a way
that our input chain policy will be set to DROP in order to drop all the
packets initially at the firewall level so that they don’t come inside the
network, and then we will set different packets to let them come inside our
network. So our input chain’s policy value will be set to DROP along with
forward policy value. And we will set the output policy value as ACCEPT, as
there won’t be any harm if some packets are going from the network to the
outside world on the Internet. So here are those terminal commands.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
The first two commands
are easily understandable: we are dropping each and every incoming packet and
we are allowing every outgoing packet. We use the forward policy to route the
packets within the LAN. So if you want to allow that scenario, set the value of
that policy as ACCEPT. In our case they have not mentioned anything, so we will
block it for this moment.
Now the second thing to
do is to allow the traffic which establishes new sessions. In order to do that,
we can give the below command.
#iptables -A INPUT -m state
–state RELATED,ESTABLISHED -j ACCEPT
Here I am going to
describe some options used in this command which will remain constant
throughout this example. Option –A stands for append. Its work is to append the
given rule to the relevant rule chain. Here our rule chain is INPUT. The –m
option is used for matching. Here it is matching our different state with the
live traffic and if it finds anything, it applies the policy on that. Lastly,
the -j option tells exactly what to do with the packet which is matched and
found by the firewall.
For the jump, there
are some targets such as ACCEPT & DROP. As you know, ACCEPT will allow that
packet to come inside the network through the firewall and DROP will simply
drop the packet. When you give this command to the terminal, and if you set the
policy using the iptables –L command, you will see the below result.
I have given the below command to print “Starting New firewall”:
#echo “Starting New
firewall”
Moving forward, now we
need to open the SSH port whose port number is 22. So basically students of the
university/college can play in their virtual Linux box via port number 22 (SSH)
by sitting anywhere. Here is a command for that:
#iptables -A INPUT -i eth1
-p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
Here we have two new
options which are –i and –p. The “-i” stands for interface declaration. It may
be possible that the university has more than one interface, so set which
interface you want to apply these rules. According to the challenge, they want
to apply these rules on their eth1 interface.
The “-p” option is
used to define the protocol such as tcp and udp. Here we are defining our SSH
port, so we will use the tcp option and last but not least we will use the
“-dport” option, which stands for destination port. In our case, we are working
on SSH and the port number of SSH is 22. So we will define dport value as 22.
The “-d” option is
used for the destination IP address. We mentioned it in our command. When you
set this policy through your terminal and then you list the result, it will
look something like this:
Testing SSH with
ACCEPT and DROP Value Set
Value set ACCEPT:
Value set DROP:
Now it is time to
configure all ports mentioned in our challenge. We will form a group of two.
First we will accept all those packets which are coming through http and https.
The command for that is shown below.
#iptables -A INPUT -p tcp
–dport 80 -j ACCEPT
#iptables -A INPUT -p tcp –dport 443 -j ACCEPT
#iptables -A INPUT -p tcp –dport 443 -j ACCEPT
All the options are
mentioned. The only difference is that in dport value we give 80 which stands
for http and 443 which stands for https. We will not be testing each and every
policy we set in our firewall. We will test only some of those major ones.
After running the above commands in your terminal, when you list the rules it
will look something like this:
Now we are going to
allow loopback traffic on the localhost which will be l0/127.0.0.1. Here we
will allow both inbound and outbound traffic in loopback. The command for that
is shown below.
#iptables -A INPUT -i l0 -p
all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT
#iptables -A OUTPUT -o l0 -p all -j ACCEPT
As you can assume, we
have set our interface value of the loopback device which is l0/127.0.0.1. On
top of that we are allowing all ports to communicate with this device. After
you set this result, when you list the rules it will look something like this:
You can see that
entries are increasing at the down side as we are setting our each and every
rule. Now we will allow port 21 & 20 to communicate with our network. The
command for that is:
#iptables -A INPUT -p tcp –dport
21 -j ACCEPT
#iptables -A INPUT -p tcp –dport 20 -j ACCEPT
#iptables -A INPUT -p tcp –dport 20 -j ACCEPT
After applying these
rules to the terminal, list the firewall policy. It will look like this:
Moving forward, the
university specifically wants to block all icmp echo packets coming to their
server. To do that, here is the command:
#iptables -A INPUT -p icmp
-d 192.168.150.136 –icmp-type 8 -j DROP
Here we have defined
the destination IP address where we want to block/DROP all icmp echo packets.
Icmp has some number types starting from 0 to 41-255 and each number has some
meaning, for example number 8 stands for echo. If you want to know more about
that, refer to RFC792. List the rules after setting this latest icmp policy.
Value set
ACCEPT: Reply from the server
is coming.
Value set DROP: Server won’t respond anymore.
Finally, at last, the
university wants to accept the packets coming on the network which contains SYN
and FIN flags only. It means the rest of the all packets containing flags such
as RST, PSH, ACK & URG must be blocked. I could only give two commands in
order to show that only packets containing SYN and FIN flags should come
through, though I have typed all commands in order to have a close look if you
want to use them in the future, and then you can uncomment and change them
according to your needs.
So here are the
commands for that:
iptables -A INPUT -m tcp -p
tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
I have executed first
two commands and the rest of those are in the comment. So in the first two
commands it shows that they have loaded first all flags by defining ALL and
then they just want SYN and FIN to enter via packet into the network. So when
you list the rules it will look like this:
So in the last two
commands it tells us that it is showing that total tcp flags are FIN, SYN, RST,
PSH, ACK & URG, but from all of them you need to accept the packets which
only contains SYN and FIN flags. So here is the testing for that. For testing purpose
I am using hping3 utility in KALI Linux.
To write all these
commands in the terminal is a very tedious thing. It is better to write a
script for this. To create a script, you will need to go to the /sbin/ folder
and then you create any file with a touch command. In my case it’s a ccc.sh
file, so the command would be like this:
#touch ccc.sh
Then you open that
file with your favorite editor and write all the following code in that. Before
you start writing all the rules, you must define the below:
#!/bin/bash
This command will
identify that it’s a bash script. Otherwise it won’t recognize anything written
in that file. So your final code would be like this:
#!/bin/bash
echo “Starting New firewall”
#Flushing old firewall rules
iptables -F
#standard Firewall rules for INPUT OUTPUT and FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo “Starting New firewall”
#Flushing old firewall rules
iptables -F
#standard Firewall rules for INPUT OUTPUT and FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#Allowing 3-way
handshake
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
#Allowing SSH server
iptables -A INPUT -i eth0 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp –dport 22 -d 192.168.150.136 -j ACCEPT
#Allow HTTP HTTPS – 80,443
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 443 -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –dport 443 -j ACCEPT
#Allowing Loopback traffic(Input and Output
both) – l0
iptables -A INPUT -i l0 -p all -j ACCEPT
iptables -A OUTPUT -o l0 -p all -j ACCEPT
iptables -A INPUT -i l0 -p all -j ACCEPT
iptables -A OUTPUT -o l0 -p all -j ACCEPT
#Allow FTP – 21 20
iptables -A INPUT -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -p tcp –dport 20 -j ACCEPT
iptables -A INPUT -p tcp –dport 21 -j ACCEPT
iptables -A INPUT -p tcp –dport 20 -j ACCEPT
#Blocking IMCP packets
iptables -A INPUT -p icmp -d 192.168.150.136 –icmp-type 8 -j DROP
iptables -A INPUT -p icmp -d 192.168.150.136 –icmp-type 8 -j DROP
#Blocking Packets with all tcp flags
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
#Listing the Set Rules
iptables -L
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL SYN -j ACCEPT
iptables -A INPUT -m tcp -p tcp –tcp-flags ALL FIN -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL RST -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL PSH -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL ACK -j ACCEPT
#iptables -A INPUT -m tcp -p tcp –tcp-flags ALL URG -j ACCEPT
#Listing the Set Rules
iptables -L
Now you run that file
by simply typing ./ccc.sh in the terminal. In case it does not work, then you
need to set the permission to that file by simply typing chmod 777 ccc. sh and
then it will surely run.
No comments:
Post a Comment