Firewalls
David Morgan
© David Morgan 2011

Firewall types
- Packet filter
  – linux, iptables-based
  – Windows XP's built-in
  – router device built-ins
  – single TCP conversation
- Proxy server
  – specialized server program on internal machine
  – client talks to it instead of desired external server
  – it conducts conversation with external server for client and plays relay middleman between them subject to policy
  – 2 separate TCP conversations

Linux "Netfilter" Firewalling
- Packet filter, not proxy
- Centerpiece command: iptables
- Starting point: packet structure details

IP packet structure
  Source Address | Destination Address | Protocol Number | IP's Data Payload

Payload types - subprotocols
  UDP (17) datagram: protocol number 17, with its own Src and Dest fields
  TCP (6) packet: protocol number 6, with its own Src and Dest fields
  ICMP (1) message: protocol number 1, with its own Src and Dest fields
  … and others

UDP datagram structure
  Source Port | Destination Port | UDP's Data Payload

TCP packet structure
  Source Port | Destination Port | Sequence # | Acknowledgment | TCP's Data Payload

ICMP message structure
  ICMP-type | Code | Checksum | header of subject/wayward IP packet, or other ICMP-type dependent payload

Firewall = ruleset
- An in-memory datastructure by whose elements packets that appear at interfaces are evaluated
- A corresponding series of commands, each invocation of which populates the table with a single element
- Elements are called "rules"

Firewall - iptables
- iptables – single invocation creates single rule
- firewall is product of multiple invocations

Iptables organization
- Tables (have chains)
  – filter table
  – nat table
- Chains (contain rules)
  – filter: INPUT chain, OUTPUT, FORWARD
  – nat: PREROUTING chain, POSTROUTING
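Added example, not from the deck: a small decoder for the header fields the IP, UDP, TCP and ICMP structure slides above lay out, which are the fields an iptables rule qualifies a packet on. The packets are constructed in the block with struct, not captured traffic.

```python
# Added example (not the deck's code): decode the fields the structure
# slides show: IP's src/dst/protocol number, then the sub-protocol's own
# fields (ports for TCP/UDP, type/code/checksum for ICMP).
# Sample packets are constructed with struct.pack, not captured traffic.
import struct
import socket

UDP, TCP, ICMP = 17, 6, 1   # protocol numbers from the "payload types" slide

def parse_ipv4(pkt):
    """Return the fields a filter rule can qualify this packet on."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    payload = pkt[ihl:total_len] if total_len >= ihl else pkt[ihl:]
    if proto in (TCP, UDP) and len(payload) >= 4:  # both start with src/dst port
        fields["sport"], fields["dport"] = struct.unpack("!HH", payload[:4])
        if proto == TCP and len(payload) >= 12:    # TCP adds sequence/ack numbers
            fields["seq"], fields["ack"] = struct.unpack("!II", payload[4:12])
    elif proto == ICMP and len(payload) >= 4:
        fields["type"], fields["code"], fields["csum"] = struct.unpack("!BBH", payload[:4])
    return fields

def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet: minimal 20-byte header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed: a telnet SYN from 64.1.1.1:40000 to 192.168.4.1:23 (20-byte TCP header)
TELNET_SYN = build_ipv4("64.1.1.1", "192.168.4.1", TCP,
                        struct.pack("!HHIIBBHHH", 40000, 23, 1000, 0, 0x50, 0x02, 8192, 0, 0))
# Constructed: an ICMP echo request (type 8, code 0)
PING = build_ipv4("192.168.4.7", "192.168.4.1", ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    print(parse_ipv4(TELNET_SYN))
    print(parse_ipv4(PING))
```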
An Individual Rule
- condition - examines and qualifies a packet
- action - operates on the packet if it qualifies
- compare – programming language "if" structure

What a Rule says
- "If a packet's header looks like this, then here's what to do with the packet"
- "looks like this", e.g.
  – goes to a certain (range of) address(es) or
  – uses the telnet port, 23 or
  – is an ICMP packet
- "what to do", e.g.
  – pass it
  – discard it

iptables -t filter -A OUTPUT -o eth1 -p tcp --sport 23 --dport 1024:65535 -s 192.168.4.0/24 -d 0.0.0.0/0 -j ACCEPT
- Table for this rule (-t)
- Rule action
  -A add rule to chain/list
  -D delete rule from chain/list
  -P default policy for chain/list
- Rule chain/list (tables contain chains): INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
- Packet qualifiers
  – by interface and direction (-i / -o)
  – protocol (-p)
  – source port number(s) (--sport)
  – destination port number(s) (--dport)
  – source address (range) (-s)
  – destination address (range) (-d)
- Packet disposition (-j): ACCEPT, DROP, REJECT, SNAT, DNAT

What a Chain is
- ordered checklist of regulatory rules
  – Multiple rules, for packets with particular characteristics
  – Single rule for default (catch-all) policy operation
  – Packet tested against rules in succession: first matching rule determines "what to do" to packet
  – If packet matches no rule, chain's default policy determines "what to do" to packet

Operationally comparable
  if [ condition A ]
    action Alpha; exit
  endif
  if [ condition B ]
    action Beta; exit
  endif
  if [ condition C ]
    action Gamma; exit
  endif
  ...
  action <default>; exit
- What happens? action for first true condition (if any), otherwise default action

Multiple chains
- Input chain – When arriving at an interface, do we let a packet come in?
- Output chain – When departing from an interface, do we let a packet go out?
- Forwarding chain – When traversing this machine to another, do we let a packet pass between interfaces?
Filter traversal by packets
  incoming -> routing decision -> FORWARD -> outgoing
  routing decision -> INPUT -> local process
  local process -> OUTPUT -> outgoing

A 4-rule filtering firewall
  iptables -t filter -A INPUT  -i eth1 -p tcp --sport 1024:65535 --dport 23 -s 0.0.0.0/0 -d 192.168.4.1/32 -j ACCEPT
  iptables -t filter -A OUTPUT -o eth1 -p tcp --sport 23 --dport 1024:65535 -s 192.168.4.1/32 -d 0.0.0.0/0 -j ACCEPT
  iptables -t filter -P INPUT DROP
  iptables -t filter -P OUTPUT DROP
Executed in chronological sequence as shown, resultant 2-chain firewall permits telnet access between this machine 192.168.4.1 and others via eth1. And nothing else. (0.0.0.0/0 matches any address; aa.bb.cc.dd/32, the single address aa.bb.cc.dd)

Priority of chronology = priority of effect
  iptables -t filter -A INPUT  -i eth1 -p tcp --sport 1024:65535 --dport 23 -s 64.1.1.1/32 -d 192.168.4.1/32 -j DROP
  iptables -t filter -A INPUT  -i eth1 -p tcp --sport 1024:65535 --dport 23 -s 0.0.0.0/0 -d 192.168.4.1/32 -j ACCEPT
  iptables -t filter -A OUTPUT -o eth1 -p tcp --sport 23 --dport 1024:65535 -s 192.168.4.1/32 -d 0.0.0.0/0 -j ACCEPT
  iptables -t filter -P INPUT DROP
  iptables -t filter -P OUTPUT DROP
… EXCEPT no telnet from machine 64.1.1.1, because the first rule eclipses the second since it preceded it. (Second not reached, never applied.)

nat table: rules that alter packet
- Masquerading
  iptables -t nat -A
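Added example, not the deck's own code, that models the chain walk described in the "What a Chain is" and "Operationally comparable" slides using the filter-table rules above: the 4-rule telnet firewall's INPUT chain plus the 64.1.1.1 DROP rule, built once with the DROP rule first and once with it last. The Rule and Chain classes and the packet dicts are assumed helpers for the model, not iptables APIs.

```python
# Added model (not the deck's code) of how a filter chain is walked:
# first matching rule decides, else the chain's default policy applies.
# Rule/Chain are assumed helpers; packets are constructed dicts.
import ipaddress

class Rule:
    def __init__(self, target, iface=None, proto=None, sport=None, dport=None,
                 src="0.0.0.0/0", dst="0.0.0.0/0"):
        self.target, self.iface, self.proto = target, iface, proto
        self.sport, self.dport = sport, dport        # (low, high) port ranges or None
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt):                         # the rule's "condition"
        def in_range(rng, port):
            return rng is None or rng[0] <= port <= rng[1]
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and in_range(self.sport, pkt.get("sport", 0))
                and in_range(self.dport, pkt.get("dport", 0)))

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.rules, self.policy = [], policy
    def append(self, rule):                         # iptables -A
        self.rules.append(rule)
    def set_policy(self, policy):                   # iptables -P
        self.policy = policy
    def verdict(self, pkt):
        for rule in self.rules:                     # action for first true condition
            if rule.matches(pkt):
                return rule.target
        return self.policy                          # otherwise default action

def build_input_chain(block_first):
    # The deck's INPUT chain; the 64.1.1.1 DROP rule goes first or last.
    drop = Rule("DROP", "eth1", "tcp", (1024, 65535), (23, 23), "64.1.1.1/32", "192.168.4.1/32")
    allow = Rule("ACCEPT", "eth1", "tcp", (1024, 65535), (23, 23), "0.0.0.0/0", "192.168.4.1/32")
    chain = Chain()
    for rule in ([drop, allow] if block_first else [allow, drop]):
        chain.append(rule)
    chain.set_policy("DROP")
    return chain

# Constructed packets arriving on eth1 (not captured traffic)
TELNET_FROM_BAD = {"iface": "eth1", "proto": "tcp", "src": "64.1.1.1",
                   "dst": "192.168.4.1", "sport": 40000, "dport": 23}
TELNET_FROM_OK = dict(TELNET_FROM_BAD, src="10.0.0.5")
SSH_FROM_OK = dict(TELNET_FROM_OK, dport=22)
```

With the DROP rule appended after the ACCEPT it is never reached, which is the eclipsing the slide describes.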