Lecture 08: Firewalls
Dr. Supakorn Kungpisdan (supakorn@mut.ac.th)
ITEC4621: Network Security
Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example
Primary Concerns
- Confidentiality of information
- Unauthorized access
- External and internal attacks
Defining Access Control Policy
An access control policy is a corporate policy that states which types of access are allowed across an organization's network perimeter. For example:
- Allow SSH requests from the outside network only to the machine with IP 203.148.145.2
- Reject requests from any host inside the network to the web server with IP 203.147.23.2
Controlling such accesses mainly relies on the FIREWALL, although ACLs on routers, TCP wrappers on Unix and Intrusion Prevention Systems (IPSs) enforce access control as well.
Firewall
- A firewall is a gateway or access server (hardware or software based), or several gateways or access servers, that acts as a buffer between a connected public network and a private network
- It separates a trusted network from an untrusted network
- A firewall can be a router, a PC running specialized software, or a combination of devices
- It enforces an access control policy on network traffic as it passes through access points
- Firewalls filter traffic mainly based on factors such as source/destination IP addresses, source/destination port numbers, interfaces and protocols
Firewall (cont'd)
[Figure: a firewall placed between the public Internet and the administered network]
When Is a Firewall Required?
- Dial-in modem pool and client-initiated VPN: e.g. allow dial-in or VPN users to access only the email server
- External connections to business partners: used to filter access over a permanent link between business partners
- Between departments: an internal firewall may be required to enforce clearance levels
- Hosts: a software firewall such as ZoneAlarm may be used on individual desktop computers
Roadmap
- Firewall Overviews
- Firewall Functions
  - Packet Filtering
  - Stateful Firewall
  - Application-level Firewall or Proxy
- Address Translation at Firewall
- DMZ
- IPTables Example
Packet Filtering
- Least-intelligent type of firewall
- Controls traffic using information stored in packet headers; each packet is either passed or dropped
- Information filtered on:
  - Source/destination IP address or subnet
  - TCP/UDP source/destination port
  - Flags (TCP only)
  - Etc.
Filtering TCP Flags
Policy: "Our internal users can access any service out on the Internet, but all Internet traffic headed to the internal network should be blocked"
Generally, to establish a TCP connection, the sender sends a packet with SYN=1 and all other flags equal to 0.
Thus, more correctly: "All Internet traffic headed to the internal network with SYN=1 and all other flags equal to 0 should be blocked"
TCP SYN Scan
The TCP SYN scan uses common methods of port-identification that allow nmap to gather information about open ports without completing the TCP handshake process.
When an open port is identified, the TCP handshake is reset before it can be completed. This technique is often referred to as "half open" scanning.
TCP SYN Scan (cont.)
[Figure: SYN scan exchanges against a closed port and against an open port]
Source: http://www.networkuptime.com/nmap/page3-2.shtml
TCP SYN Stealth Port Scan
[root@REDHATBOX root]# nmap -sS 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 05:07 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port      State     Service
21/tcp    filtered  ftp
22/tcp    open      ssh
23/tcp    open      telnet
139/tcp   open      netbios-ssn
6000/tcp  open      X11
Nmap run completed -- 1 IP address (1 host up) scanned in 3.194 seconds
TCP SYN Scan (cont.)
[Figure: the scan output above, with the slide annotations "SMB, running on top of NetBIOS" and "Remote desktop"]
FIN Scanners
- Normally a port scanner checks whether any services are open on a host by sending a SYN=1, ACK=1 packet. This can be blocked by a firewall
- Instead, an attacker sends a FIN=1, ACK=1 packet to the host with a given destination port number
  - If an ACK=1, RST=1 packet returns, there is no service on that port
  - If an ACK=1, FIN=1 packet returns, a service is listening on that port
- A FIN scan can identify services and the OS of the remote machine
[root@REDHATBOX root]# nmap -sF 192.168.0.1
Packet Filtering ICMP
- Internet Control Message Protocol: provides background support for the IP protocol
- ICMP does not use ports. The Type field identifies the ICMP packet type; the Code field provides a more detailed explanation about the current session
- E.g. Type 3 = Destination unreachable, Type 0 = Echo reply; Code 3 = Port unreachable, Code 0 = Network unreachable
Example of Filtering ICMP
Avoid a "Ping Flood" attack:
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
As the INPUT chain's default policy is DROP, this allows only one ping (echo request) per second to be accepted; echo requests above that rate match no rule, fall through to the default policy and are dropped.
Packet Filtering - Pros
- Fast: operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payload) of packets
- Application independence: ignores the packet payload
- Least expensive type of firewall
- Packet filtering rules are relatively easy to configure
- No configuration changes are necessary on the protected workstations
Packet Filtering - Cons
- Allows a direct connection between endpoints through the firewall, leaving the potential for a vulnerability to be exploited
- No screening of the packet payload is available; it is impossible, for example, to block users from visiting web sites deemed off limits
- Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no packet payload information is available
- Complex firewall policies are difficult to implement using filtering rules alone
- Authentication is based on IP addresses rather than users
Stateful Firewall
- Extends packet filtering by maintaining a connection table in order to monitor the state of a communication session
- An attacker cannot fool the firewall by sending a message with ACK=1
- Can remember state information
- Suitable for UDP traffic
Packet Filtering VS Stateful Firewall
ACL:
- Allow the protected host to establish any service sessions with the remote server
- Allow any session that has already been established to pass
- Drop all other traffic
Packet Filtering VS Stateful Firewall (cont'd)
[Figure: two diagrams, packet filter and stateful firewall, each showing the protected host on port 1037 and the server on port 80]
Packet Filtering VS Stateful Firewall (cont'd)
Only the protected host can establish a connection with the server
Packet Filtering VS Stateful Firewall (cont'd)
- Stateful firewall: looks up the connection table and finds that the host has not yet established a connection with the attacker, so the packet is dropped
- Packet filter: assumes, because ACK=1, that the attacker has already established a connection with the host, and lets the packet through
[Figure: the attacker's packet arriving at each firewall, ports 1037 and 80]
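The comparison above, replayed in code as an added example (not from the lecture slides): a stateless filter that only blocks bare SYNs, beside a stateful firewall that keeps a connection table. The host, server and attacker addresses are constructed.

```python
"""Packet filter vs. stateful firewall (added example, constructed addresses).

Policy from the slides: the protected host may open any session outward;
only traffic belonging to sessions it opened may come back in.  The
stateless filter approximates this with a TCP-flag rule; the stateful
firewall records each outbound SYN in a connection table.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

HOST = "10.0.0.5"                 # constructed: the protected host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = True          # True when arriving from the untrusted side


def stateless_filter(pkt: Packet) -> str:
    """Packet filter: no memory.  Outbound is always allowed; inbound is
    dropped only when it is a bare SYN (SYN=1, all other flags 0)."""
    if not pkt.inbound:
        return "ACCEPT"
    if pkt.syn and not pkt.ack:
        return "DROP"             # blocks new inbound connections ...
    return "ACCEPT"               # ... but trusts anything carrying ACK=1


class StatefulFirewall:
    """Connection table keyed by (host_ip, host_port, remote_ip, remote_port)."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            if pkt.syn and not pkt.ack:
                # protected host starts a new session: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # inbound: the packet must belong to a session the host opened
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.table else "DROP"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Returns {packet name: (packet-filter verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    server, attacker = "203.0.113.10", "198.51.100.7"     # constructed
    packets = [
        # 1. host opens a web session: port 1037 -> server port 80
        ("syn_out", Packet(HOST, 1037, server, 80, syn=True, inbound=False)),
        # 2. the server's SYN/ACK reply
        ("synack_in", Packet(server, 80, HOST, 1037, syn=True, ack=True)),
        # 3. an unrelated host sends a crafted packet with ACK=1 to port 1037
        ("attacker_ack", Packet(attacker, 80, HOST, 1037, ack=True)),
        # 4. the same host tries a plain SYN to port 22
        ("attacker_syn", Packet(attacker, 4444, HOST, 22, syn=True)),
    ]
    return {name: (stateless_filter(p), fw.filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:13s} packet filter={stateless:7s} stateful={stateful}")
```

The crafted ACK=1 packet is the one case where the two verdicts differ: the stateless filter passes it, the stateful firewall finds no matching table entry and drops it.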
IPTables Rules Based on Network State
Packets can be in a number of different states:
- NEW – a packet which starts a new connection
- RELATED – a new connection, but part of an existing session
- ESTABLISHED – a connection that is already running
- INVALID – a packet that cannot be associated with any known connection
> iptables -t filter -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
This accepts packets arriving on any ppp interface that belong to an already established connection or are related to one.
Stateful Firewall - Pros
- Offers improved security over basic packet filters due to packet examination
- Better logging of activities than basic packet filters
- Good performance
- Configuration changes to the protected workstations are unnecessary
Stateful Firewall - Cons
- Allows a direct connection between endpoints through the firewall, leaving the potential for a vulnerability to be exploited
- No hiding of your private systems
- Setting up stateful packet examination rules is more complicated
- Application-layer awareness only for supported protocols
- No user authentication
Proxy
- Also called "application gateway" or "forwarder"
- An application that mediates traffic between two network segments
- Used instead of filtering to prevent traffic from passing directly between networks
- Source and destination never actually "connect"
How a Proxy Passes Traffic
- The proxy does not route traffic; it acts as an "interpreter"
- Protocol specific: web proxy, email proxy, a proxy for your own application
How a Proxy Passes Traffic (cont'd)
1. The internal host sends an HTTP request to the proxy
2. The proxy finds that the host has requested a web page and passes the request to an HTTP application inside the proxy
3. The HTTP application checks the ACL. If OK, the proxy creates a new request containing the internal host's request, with the proxy as the source
4. The web server responds to the proxy. The HTTP application checks the ACL. If OK, the proxy creates an HTTP response to the internal host
Proxies - Pros
- The firewall does not let end points communicate directly with one another
- Has the best content filtering capability
- Can hide private systems
- Robust user authentication
- Offers the best logging of activities
- Policy rules are usually easier than packet filtering rules
Proxies - Cons
- Performance problems; much slower than the other two types
- Must have a proxy for every protocol. Lacking a proxy may prevent a protocol from being handled correctly by the firewall
- TCP is the preferred transport; UDP may not be supported
- Limited transparency; clients may need to be modified, e.g. setting up the proxy server in a browser
Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example
Address Translation
- Translates an IP address from one to another
- Hides the system from the outside network
- Uses Network Address Translation (NAT) to map between public IPs and private IPs
- Ranges of private IPs:
  - 10.0.0.0-10.255.255.255 (10.0.0.0/8)
  - 172.16.0.0-172.31.255.255 (172.16.0.0/12)
  - 192.168.0.0-192.168.255.255 (192.168.0.0/16)
- Types of NAT:
  - Static NAT
  - Hiding (or Dynamic) NAT
  - Port Address Translation (PAT)
Static NAT
- One private IP is mapped to one public IP
- The internal system can be accessed from the Internet
- Allows both inbound and outbound traffic
- Does not need to change the source port
- Most NAT devices allow some systems to use static NAT while hiding the rest
- Suitable for servers in the DMZ
Hiding (or Dynamic) NAT
- The firewall converts the local IP to its own IP for outgoing and incoming packets
- Many-to-many relationship: multiple private IPs are mapped to a single public IP chosen from a list of available IPs
- Outbound traffic can be mapped onto the firewall IP or any other legal IP
- Does not allow inbound connections
  - Local machines cannot operate as servers
  - Increases security: local machines cannot be accessed from outside the firewall
Port Address Translation (PAT)
- Used by most proxies; must use the firewall's IP, not any public IP
- Also allows inbound traffic
- For inbound traffic, PAT checks the port number and forwards the packet to the specified internal system
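An added example (not from the lecture slides) of the hiding NAT and PAT behaviour described in the last three slides: outbound flows are rewritten to the firewall's single public IP and an allocated port, replies are mapped back through the translation table, unsolicited inbound packets are dropped, and a static port forward publishes one internal server. The firewall and remote addresses are constructed; the web server address 10.1.1.254 is the one from the lecture's example network.

```python
"""Hiding NAT with Port Address Translation on the firewall (added example).

Two private hosts may both use source port 1037, so the firewall must
allocate a distinct public port per flow (unlike static NAT, which keeps
the source port).  Inbound packets are translated only when they answer a
flow the inside opened, or when an administrator has forwarded the port.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]        # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class PatFirewall:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> private endpoint, filled by outbound traffic
        self.dynamic: Dict[Tuple[str, int], Endpoint] = {}
        # reverse map so every packet of one flow reuses the same public port
        self.by_private: Dict[Tuple[str, Endpoint], int] = {}
        # static forwards configured by the administrator (PAT inbound case)
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}

    def add_forward(self, proto: str, public_port: int, internal: Endpoint) -> None:
        self.forwards[(proto, public_port)] = internal

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source to firewall IP + allocated port."""
        key = (pkt.proto, pkt.src)
        if key not in self.by_private:
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_private[key] = port
            self.dynamic[(pkt.proto, port)] = pkt.src
        return replace(pkt, src=(self.public_ip, self.by_private[key]))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: translate the destination back, or None (dropped)."""
        if pkt.dst[0] != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst[1])
        if key in self.dynamic:            # reply to a session the inside opened
            return replace(pkt, dst=self.dynamic[key])
        if key in self.forwards:           # statically published service
            return replace(pkt, dst=self.forwards[key])
        return None                        # hidden hosts cannot act as servers


def demo() -> dict:
    fw = PatFirewall("203.0.113.1")                        # constructed public IP
    fw.add_forward("tcp", 80, ("10.1.1.254", 80))          # DMZ web server
    remote = ("198.51.100.5", 80)                          # constructed
    # two private hosts both use source port 1037 towards the same server
    a = fw.outbound(Packet(("192.168.1.10", 1037), remote))
    b = fw.outbound(Packet(("192.168.1.11", 1037), remote))
    reply_a = fw.inbound(Packet(remote, a.src))            # server answers host A
    probe = fw.inbound(Packet(("198.51.100.9", 5555), ("203.0.113.1", 22)))
    web = fw.inbound(Packet(("198.51.100.9", 5555), ("203.0.113.1", 80)))
    return {
        "a_public": a.src, "b_public": b.src,
        "reply_a_dst": reply_a.dst if reply_a else None,
        "probe": probe,                                    # None: dropped
        "web_dst": web.dst if web else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```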
PAT (cont’d)
Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- DMZ
- IPTables Example
DMZ
- A Demilitarized Zone (DMZ) is a subnet that belongs to neither the private nor the public network
- The DMZ provides additional protection: an attacker who manages to break into the web server is still not inside the internal network
- Static filtering at the router provides multilayer protection
- Place a proxy behind the firewall to secure the Internet connection
- All the DMZ servers may be statically NATed
DMZ (cont'd)
[Figure: Public Internet - Outer Firewall - DMZ (External Server, public) - Inner Firewall - Internal Server]
Roadmap
- Firewall Overviews
- Firewall Functions
- Address Translation at Firewall
- Firewall Deployment
- IPTables Example
IPtables
Since kernel 2.4, the standard firewall on Linux is iptables. It implements its rules using three "tables":
- Filter – handles standard "firewall" things
- NAT – rewriting of source/destination IPs
- Mangle – packet information manipulation
IPTables – Filter Table
- The filter table is divided into three chains: INPUT, OUTPUT and FORWARD
- Chains have a default policy (either ACCEPT, REJECT, or DROP)
- A packet is dealt with by exactly one of the three chains
[Figure: example network. The firewall has three interfaces, eth0, eth1 and eth2, with addresses 203.148.145.1 (public network), 10.1.1.1 (DMZ) and 192.168.1.1 (internal network). A web server at 10.1.1.254 sits in the DMZ; an app server at 192.168.1.254 listens on port 6001 in the internal network]
Rule Structure
- Append or Delete Rule: iptables [-t table] -[AD] chain rule-specification [options]
- Insert New Rule: iptables [-t table] -I chain [rulenum] rule-specification [options]
- Replace Rule: iptables [-t table] -R chain rulenum rule-specification [options]
- Delete Rule: iptables [-t table] -D chain rulenum [options]
- List Rules, Flush Rules, Zero Counters: iptables [-t table] -[LFZ] [chain] [options]
- New Chain: iptables [-t table] -N chain
- Delete Chain: iptables [-t table] -X [chain]
- Set Chain Policy (ACCEPT, DROP): iptables [-t table] -P chain target [options]
- Rename Chain: iptables [-t table] -E old-chain-name new-chain-name
Adding Rules
Rules can be added, removed, and changed using the iptables command.
> iptables -t filter -A INPUT -i lo -j ACCEPT
Appends to the INPUT chain a rule that packets arriving on the loopback device should be ACCEPTed
IPTables Example
Scenario: Personal Firewall that should allow all outbound connections and restrict all inbound traffic to just an SSH server running on port 22.
IPTables Example (cont'd)
Initial rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPTables Example - Initial firewall configuration
# Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
IPTables Example (cont'd)
Add the rule to allow incoming TCP connections on port 22:
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPTables Example (cont'd)
Add a rule to allow incoming connections from ourselves (on the loopback interface only; a localhost source address arriving on the outside interface could be spoofed):
# iptables -I INPUT -i eth0 -s localhost -j DROP
# iptables -I INPUT -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPTables Example (cont.)
Add a rule to allow incoming connections on any port if they belong to an already established connection or are related to one:
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPTables Example (cont'd)
Add a rule to log all packets before we drop them:
# iptables -A INPUT -j LOG --log-level debug --log-prefix "IPTABLES: DROPPED"
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  localhost            anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
LOG        all  --  anywhere             anywhere             LOG level debug prefix `IPTABLES: DROPPED'
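An added example (not from the lecture slides) that models how netfilter walks the final INPUT chain built above: first matching terminating target wins, LOG matches and continues, and the chain policy DROP applies when nothing terminates. It makes visible why the rules were inserted with -I (the spoofed-localhost DROP must sit above the SSH ACCEPT) while LOG was appended with -A. The sample packets and their addresses are constructed; `-s localhost` is modelled as the 127/8 loopback range.

```python
"""First-match evaluation of the personal-firewall INPUT chain (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    iface: str                    # arriving interface, e.g. "lo" or "eth0"
    src: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"            # conntrack state: NEW/ESTABLISHED/RELATED/INVALID


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or LOG
    match: Callable[[Packet], bool]
    text: str                     # the iptables command the rule came from


def build_input_chain() -> List[Rule]:
    """The INPUT chain in the order `iptables -L` lists it at the end."""
    return [
        Rule("ACCEPT", lambda p: p.state in ("ESTABLISHED", "RELATED"),
             "-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"),
        Rule("ACCEPT", lambda p: p.iface == "lo",
             "-I INPUT -i lo -j ACCEPT"),
        # -s localhost resolves to 127.0.0.1; modelled as the 127/8 range
        Rule("DROP", lambda p: p.iface == "eth0" and p.src.startswith("127."),
             "-I INPUT -i eth0 -s localhost -j DROP"),
        Rule("ACCEPT", lambda p: p.proto == "tcp" and p.dport == 22,
             "-I INPUT -p tcp --dport 22 -j ACCEPT"),
        Rule("LOG", lambda p: True,
             '-A INPUT -j LOG --log-prefix "IPTABLES: DROPPED"'),
    ]


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain top to bottom; return (verdict, log lines written)."""
    logs: List[str] = []
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.target == "LOG":          # LOG is non-terminating
            logs.append(f"IPTABLES: DROPPED IN={pkt.iface} SRC={pkt.src} "
                        f"PROTO={pkt.proto} DPT={pkt.dport}")
            continue
        return rule.target, logs          # first terminating match wins
    return policy, logs                   # nothing matched: chain policy


def run_cases() -> Dict[str, Tuple[str, List[str]]]:
    chain = build_input_chain()
    cases = {                             # constructed sample packets
        "loopback":    Packet("lo",   "127.0.0.1",    "tcp", 6001),
        "spoofed_lo":  Packet("eth0", "127.0.0.1",    "tcp", 22),
        "new_ssh":     Packet("eth0", "198.51.100.7", "tcp", 22),
        "new_http":    Packet("eth0", "198.51.100.7", "tcp", 80),
        "reply_to_us": Packet("eth0", "198.51.100.7", "tcp", 1037, state="ESTABLISHED"),
        "udp_probe":   Packet("eth0", "198.51.100.7", "udp", 53),
    }
    return {name: evaluate(chain, "DROP", pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, logs) in run_cases().items():
        print(f"{name:12s} -> {verdict:6s} {logs[0] if logs else ''}")
```

Swapping the DROP and the SSH ACCEPT would let the spoofed-localhost SSH packet through, which is the ordering point the -I inserts enforce.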
Questions?