1 / 37

CS 498 Lecture 11 Netfilter

CS 498 Lecture 11 Netfilter. Jennifer Hou Department of Computer Science University of Illinois at Urbana-Champaign Reading: 1. Oskar Andreasson, Iptable Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/ 2. Linux Netfilter Hacking HOWTO. Outline. Functionality Architecture

royal
Download Presentation

CS 498 Lecture 11 Netfilter

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS 498 Lecture 11 Netfilter Jennifer Hou Department of Computer Science University of Illinois at Urbana-Champaign Reading: 1. Oskar Andreasson, Iptable Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/ 2. Linux Netfilter Hacking HOWTO

  2. Outline • Functionality • Architecture • Introduction to the Iptable command • An real-life example

  3. Netfilter Architecture • The Hooks • A kernel module can register with netfilter to see packets at various points in the stack • Five hooks defined in IPv4: • PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING. • Each hook can inspect/alter packets and return NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT or NF_STOLEN.

  4. Netfilter Hooks • PRE_ROUTING • Incoming packets pass this hook in ip_rcv() before routing • LOCAL_IN • All incoming packets addressed to the local host pass this hook in ip_local_deliver() • FORWARD • All incoming packets not addressed to the local host pass this hook in ip_forward() • LOCAL_OUT • All outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt() • POST_ROUTING • All outgoing packets (forwarded or locally created) will pass this hook in ip_finish_output()

  5. Internet Protocol Implementation in Linux Higher Layers ip_input.c ip_output.c ip_queue_xmit ip_local_deliver MULTICAST IP_LOCAL_OUTPUT . . . ip_mr_input IP_LOCAL_INPUT ip_queue_xmit2 ip_forward.c IP_FORWARD ip_local_deliver ip_forward_finish ip_forward ip_output ip_fragment ip_finish_output ip_rcv_finish ROUTING ForwardingInformation Base IP_POST_ROUTING IP_PRE_ROUTING ip_route_input ip_rcv ip_finish_output2 ARP ARP neigh_resolve_output dev.c dev.c dev_queue_xmit net_rx_action

  6. Netfilter Hooks (cont.) PRE_ROUTING POST_ROUTING FORWARD LOCAL_IN LOCAL_OUT

  7. Netfilter Functionality • IP packet filter • Stateful firewalling • NAT • Packet mangling

  8. Basic functionality - IP Packet Filter • IP Filter • Used to filter packets • The command to enter a rule is called iptables • The framework inside the kernel is called netfilter • Full matching on IP, TCP, UDP and ICMP packet headers • IP Filter rules • Insertion point • Match • Target

  9. IP Packet Filter Example # ping -c 1 127.0.0.1 PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.2 ms # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP # ping -c 1 127.0.0.1 PING 127.0.0.1 (127.0.0.1): 56 data bytes --- 127.0.0.1 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss #

  10. Basic functionality - Stateful Firewalling • Full state matching • TCP, UDP, ICMP • Uses a generic connection tracking module, conntrack • Conntrack manages individual connections and serves to allocate incoming,outgoing and forwarded IP packets to existing connection. • A new connection entry is generated as soon as the connection-tracking module registers a connection-establishment packet. • This enables the NAT implementation to figure out exactly whether an incoming packet needs a free IP address and port number or one of the addresses and port numbers previously assigned can be used.

  11. Basic functionality - Stateful Firewalling • Certain protocols are "complex“ and require extra modules called "conntrack helpers" • One example is FTP. • The client initially establishes a control connection to TCP port 21 at the server, and transmits FTP commands and replies. • As soon as a file has to be transmitted, FTP server opens an additional data connection in the reverse direction (from TCP port 20 in the server to a dynamically selected client port (which the client sends to the server)).

  12. Basic functionality - Stateful Firewalling (cont.) • Userland states • NEW • All new connections • Includes Non SYN TCP packets • ESTABLISHED • All connections that has seen traffic in both directions • RELATED • All connections/packets related to other connections • Examples: ICMP errors, FTP-Data, DCC • INVALID • Certain invalid packets depending on states • E.g. FIN/ACK when no FIN was sent • # iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP

  13. Basic functionality - NAT • NAT - Network Address Translation • The science of switching Source or Destination Addresses • Two types of NAT in Linux 2.4 • Netfilter NAT • Fast NAT • Usages • Making a LAN look as if it came from a single source (the firewall) • Creating separate servers with a single IP • Netfilter NAT • DNAT - Destination Network Address Translation • SNAT - Source Network Address Translation • Requires Connection tracking to keep states and expectations

  14. NAT Example SNAT ## Change source addresses to 1.2.3.4. # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 ## Change source addresses to 1.2.3.4, ports 1-1023 # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 DNAT ## Change destination addresses to 5.6.7.8 # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8 ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 ## Change destination addresses of web traffic to 5.6.7.8, port 8080. # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \ -j DNAT --to 5.6.7.8:8080

  15. Basic functionality - Packet Mangling • Mangling packets going through the firewall • Gives you the ability to a multitude of possibilities. • Example usages • Strip all IP options • Change TOS values • Change TTL values • Strip ECN values • Clamp MSS to PMTU • Mark packets within kernel • Mark connections within kernel

  16. What We Use It For Currently there are three tables: filter, nat, mangle. • filter table used by packet filtering system • hooks in at LOCAL_IN (INPUT), FORWARD, LOCAL_OUT (OUTPUT) • iptable_filter hooks in at those points and passes all packets to the table • default table operated on by iptables program

  17. The Hooks of filter

  18. The nat Table nat table used to control nat • hooks in at LOCAL_OUT (OUTPUT), PREROUTING, POSTROUTING • iptable_nat hooks in and passes packets whose connections have not seen NAT table to the table

  19. The Hooks of nat

  20. The mangle Table • mangle table used for special effects • hooks in at LOCAL_OUT (OUTPUT), PREROUTING • iptable_mangle hooks in and passes all packets to the table

  21. Basic iptables syntax iptables [table] [command] [options] <matches> <target> • Commands: • append, insert, replace, delete, list, policy, etc. • Options: • verbose, line numbers, exact, etc. • Matches: • dport, dst, sport, src, states, TCP options, owner, etc. • Targets: • ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

  22. Iptables syntax - A few matches Protocol -p, --protocol [!] [protocol] • tcp, udp, icmp or all • Numeric value • /etc/protocols Destination IP & Port -d, --destination [!] address[/mask] • Destination address • Resolvable (/etc/resolve.conf) --dport, --destination-port [!] port[:port] • Destination port • Numeric or resolvable (/etc/services) • Port range

  23. Iptables syntax - A few matches (cont.) Source IP & Port -s, --source [!] address[/mask] • Source address • Resolvable (/etc/resolve.conf) --sport, --source-port [!] port[:port] • Source port • Numeric or resolvable (/etc/services) • Port range

  24. Iptables syntax - A few matches (cont.) Incoming and Outgoing interface • -i, --in-interface [!] interface • -o, --out-interface [!] interface

  25. Iptables syntax - Some targets • ACCEPT • Accepts the packet • Ends further processing of the specific chain • Ends processing of all previous chains • Except other main chains and tables • DROP • Drops the packet • No reply • Ends all further processing

  26. Iptables syntax - Some targets (cont.) • REJECT • Drops packet • Returns a reply • User specified reply • Calculated reply • TCP-RST or ICMP errors • Ends all further processing • RETURN • Returns from a chain to the calling chain

  27. Example test Input Rule1: -p ICMP –j DROP Rule1: -s 192.168.1.1 Rule2: -p TCP –j test Rule2: -d 192.168.1.1 Rule3: -p UDP –j DROP What happens to a TCP packet with the source address192.168.1.1 and the destination address 1.2.3.4?

  28. Iptables syntax - ... and a few simple rules • iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with-tcp-reset • iptables -A INPUT -p tcp --dport 80:1024 -j DROP • iptables -A FORWARD -p tcp --dport 22:113 -j DROP • iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP • iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT • iptables -A OUTPUT -p tcp -o lo -j ACCEPT • iptables -P OUTPUT DROP

  29. Iptables syntax • Listing the rules • -L, --list [chain] • -F, --flush [chain] • Flushes (erases) all rules in a chain • Or a table • -N, --new chain • Creates a user-specified chain • There must be no target with that name previously • -X, --delete-chain [chain] • Deletes a user-created chain • No rules may reference the chain • Can delete all user-created chains in a table

  30. Iptables syntax - Creating & Deleting user-created chains Creating... • iptables -t filter -N badtcppackets and Deleting a chain • iptables -t filter -X badtcppackets and Deleting all user-created chains • iptables -t filter -X

  31. A simple example ruleset – The Goals • The firewall • Will act as its own firewall • Incoming: • ICMP Echo request & reply • Identd requests • HTTP requests • Outgoing: • Everything generated by the host • Except "nonet" group • And a LAN • From Internet to LAN • Related traffic • Established traffic • From LAN to Internet • Everything

  32. A simple example ruleset - The technical details • Firewall • LAN on eth0 • LAN IP 192.168.1.1 • Internet on eth1 • Internet IP 10.0.0.1/32 • LAN • IP range 192.168.1.0/24

  33. A simple example ruleset - The POSTROUTING chain • We need SNAT to let our LAN out on the Internet. Without this, the Internet don’t know where to route the packets • iptables -t nat -A POSTROUTING -i eth0 -o eth1 -j SNAT --to-source 10.0.0.1

  34. A simple example ruleset - The INPUT chain • Need to allow all incoming traffic specified in goals • Need to allow return traffic for everything we send • Default to DROP iptables -P INPUT DROP iptables -A INPUT -p tcp --dport 113 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  35. A simple example ruleset - The OUTPUT chain • Accept everything except the nonet group to leave • iptables -A OUTPUT -m owner --gid-owner nonet -j DROP

  36. A simple example ruleset - The FORWARD chain • Everything from LAN to Internet • ICMP replies, related and Established traffic from Internet to LAN • iptables -P FORWARD DROP • iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT • iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

  37. Examples • iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with-tcp-reset • iptables -A INPUT -p tcp --dport 80:1024 -j DROP • iptables -A FORWARD -p tcp --dport 22:113 -j DROP • iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP • iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT • iptables -A OUTPUT -p tcp -o lo -j ACCEPT • iptables -P OUTPUT DROP

More Related