400 likes | 610 Views
CS 498 Lecture 11 Netfilter. Jennifer Hou Department of Computer Science University of Illinois at Urbana-Champaign Reading: 1. Oskar Andreasson, Iptable Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/ 2. Linux Netfilter Hacking HOWTO. Outline. Functionality Architecture
E N D
CS 498 Lecture 11 Netfilter Jennifer Hou Department of Computer Science University of Illinois at Urbana-Champaign Reading: 1. Oskar Andreasson, Iptable Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/ 2. Linux Netfilter Hacking HOWTO
Outline • Functionality • Architecture • Introduction to the Iptable command • An real-life example
Netfilter Architecture • The Hooks • A kernel module can register with netfilter to see packets at various points in the stack • Five hooks defined in IPv4: • PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING. • Each hook can inspect/alter packets and return NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT or NF_STOLEN.
Netfilter Hooks • PRE_ROUTING • Incoming packets pass this hook in ip_rcv() before routing • LOCAL_IN • All incoming packets addressed to the local host pass this hook in ip_local_deliver() • FORWARD • All incoming packets not addressed to the local host pass this hook in ip_forward() • LOCAL_OUT • All outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt() • POST_ROUTING • All outgoing packets (forwarded or locally created) will pass this hook in ip_finish_output()
Internet Protocol Implementation in Linux Higher Layers ip_input.c ip_output.c ip_queue_xmit ip_local_deliver MULTICAST IP_LOCAL_OUTPUT . . . ip_mr_input IP_LOCAL_INPUT ip_queue_xmit2 ip_forward.c IP_FORWARD ip_local_deliver ip_forward_finish ip_forward ip_output ip_fragment ip_finish_output ip_rcv_finish ROUTING ForwardingInformation Base IP_POST_ROUTING IP_PRE_ROUTING ip_route_input ip_rcv ip_finish_output2 ARP ARP neigh_resolve_output dev.c dev.c dev_queue_xmit net_rx_action
Netfilter Hooks (cont.) PRE_ROUTING POST_ROUTING FORWARD LOCAL_IN LOCAL_OUT
Netfilter Functionality • IP packet filter • Stateful firewalling • NAT • Packet mangling
Basic functionality - IP Packet Filter • IP Filter • Used to filter packets • The command to enter a rule is called iptables • The framework inside the kernel is called netfilter • Full matching on IP, TCP, UDP and ICMP packet headers • IP Filter rules • Insertion point • Match • Target
IP Packet Filter Example # ping -c 1 127.0.0.1 PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms --- 127.0.0.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.2 ms # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP # ping -c 1 127.0.0.1 PING 127.0.0.1 (127.0.0.1): 56 data bytes --- 127.0.0.1 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss #
Basic functionality - Stateful Firewalling • Full state matching • TCP, UDP, ICMP • Uses a generic connection tracking module, conntrack • Conntrack manages individual connections and serves to allocate incoming,outgoing and forwarded IP packets to existing connection. • A new connection entry is generated as soon as the connection-tracking module registers a connection-establishment packet. • This enables the NAT implementation to figure out exactly whether an incoming packet needs a free IP address and port number or one of the addresses and port numbers previously assigned can be used.
Basic functionality - Stateful Firewalling • Certain protocols are "complex“ and require extra modules called "conntrack helpers" • One example is FTP. • The client initially establishes a control connection to TCP port 21 at the server, and transmits FTP commands and replies. • As soon as a file has to be transmitted, FTP server opens an additional data connection in the reverse direction (from TCP port 20 in the server to a dynamically selected client port (which the client sends to the server)).
Basic functionality - Stateful Firewalling (cont.) • Userland states • NEW • All new connections • Includes Non SYN TCP packets • ESTABLISHED • All connections that has seen traffic in both directions • RELATED • All connections/packets related to other connections • Examples: ICMP errors, FTP-Data, DCC • INVALID • Certain invalid packets depending on states • E.g. FIN/ACK when no FIN was sent • # iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP
Basic functionality - NAT • NAT - Network Address Translation • The science of switching Source or Destination Addresses • Two types of NAT in Linux 2.4 • Netfilter NAT • Fast NAT • Usages • Making a LAN look as if it came from a single source (the firewall) • Creating separate servers with a single IP • Netfilter NAT • DNAT - Destination Network Address Translation • SNAT - Source Network Address Translation • Requires Connection tracking to keep states and expectations
NAT Example SNAT ## Change source addresses to 1.2.3.4. # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4 ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 ## Change source addresses to 1.2.3.4, ports 1-1023 # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 DNAT ## Change destination addresses to 5.6.7.8 # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8 ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 ## Change destination addresses of web traffic to 5.6.7.8, port 8080. # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \ -j DNAT --to 5.6.7.8:8080
Basic functionality - Packet Mangling • Mangling packets going through the firewall • Gives you the ability to a multitude of possibilities. • Example usages • Strip all IP options • Change TOS values • Change TTL values • Strip ECN values • Clamp MSS to PMTU • Mark packets within kernel • Mark connections within kernel
What We Use It For Currently there are three tables: filter, nat, mangle. • filter table used by packet filtering system • hooks in at LOCAL_IN (INPUT), FORWARD, LOCAL_OUT (OUTPUT) • iptable_filter hooks in at those points and passes all packets to the table • default table operated on by iptables program
The nat Table nat table used to control nat • hooks in at LOCAL_OUT (OUTPUT), PREROUTING, POSTROUTING • iptable_nat hooks in and passes packets whose connections have not seen NAT table to the table
The mangle Table • mangle table used for special effects • hooks in at LOCAL_OUT (OUTPUT), PREROUTING • iptable_mangle hooks in and passes all packets to the table
Basic iptables syntax iptables [table] [command] [options] <matches> <target> • Commands: • append, insert, replace, delete, list, policy, etc. • Options: • verbose, line numbers, exact, etc. • Matches: • dport, dst, sport, src, states, TCP options, owner, etc. • Targets: • ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.
Iptables syntax - A few matches Protocol -p, --protocol [!] [protocol] • tcp, udp, icmp or all • Numeric value • /etc/protocols Destination IP & Port -d, --destination [!] address[/mask] • Destination address • Resolvable (/etc/resolve.conf) --dport, --destination-port [!] port[:port] • Destination port • Numeric or resolvable (/etc/services) • Port range
Iptables syntax - A few matches (cont.) Source IP & Port -s, --source [!] address[/mask] • Source address • Resolvable (/etc/resolve.conf) --sport, --source-port [!] port[:port] • Source port • Numeric or resolvable (/etc/services) • Port range
Iptables syntax - A few matches (cont.) Incoming and Outgoing interface • -i, --in-interface [!] interface • -o, --out-interface [!] interface
Iptables syntax - Some targets • ACCEPT • Accepts the packet • Ends further processing of the specific chain • Ends processing of all previous chains • Except other main chains and tables • DROP • Drops the packet • No reply • Ends all further processing
Iptables syntax - Some targets (cont.) • REJECT • Drops packet • Returns a reply • User specified reply • Calculated reply • TCP-RST or ICMP errors • Ends all further processing • RETURN • Returns from a chain to the calling chain
Example test Input Rule1: -p ICMP –j DROP Rule1: -s 192.168.1.1 Rule2: -p TCP –j test Rule2: -d 192.168.1.1 Rule3: -p UDP –j DROP What happens to a TCP packet with the source address192.168.1.1 and the destination address 1.2.3.4?
Iptables syntax - ... and a few simple rules • iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with-tcp-reset • iptables -A INPUT -p tcp --dport 80:1024 -j DROP • iptables -A FORWARD -p tcp --dport 22:113 -j DROP • iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP • iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT • iptables -A OUTPUT -p tcp -o lo -j ACCEPT • iptables -P OUTPUT DROP
Iptables syntax • Listing the rules • -L, --list [chain] • -F, --flush [chain] • Flushes (erases) all rules in a chain • Or a table • -N, --new chain • Creates a user-specified chain • There must be no target with that name previously • -X, --delete-chain [chain] • Deletes a user-created chain • No rules may reference the chain • Can delete all user-created chains in a table
Iptables syntax - Creating & Deleting user-created chains Creating... • iptables -t filter -N badtcppackets and Deleting a chain • iptables -t filter -X badtcppackets and Deleting all user-created chains • iptables -t filter -X
A simple example ruleset – The Goals • The firewall • Will act as its own firewall • Incoming: • ICMP Echo request & reply • Identd requests • HTTP requests • Outgoing: • Everything generated by the host • Except "nonet" group • And a LAN • From Internet to LAN • Related traffic • Established traffic • From LAN to Internet • Everything
A simple example ruleset - The technical details • Firewall • LAN on eth0 • LAN IP 192.168.1.1 • Internet on eth1 • Internet IP 10.0.0.1/32 • LAN • IP range 192.168.1.0/24
A simple example ruleset - The POSTROUTING chain • We need SNAT to let our LAN out on the Internet. Without this, the Internet don’t know where to route the packets • iptables -t nat -A POSTROUTING -i eth0 -o eth1 -j SNAT --to-source 10.0.0.1
A simple example ruleset - The INPUT chain • Need to allow all incoming traffic specified in goals • Need to allow return traffic for everything we send • Default to DROP iptables -P INPUT DROP iptables -A INPUT -p tcp --dport 113 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
A simple example ruleset - The OUTPUT chain • Accept everything except the nonet group to leave • iptables -A OUTPUT -m owner --gid-owner nonet -j DROP
A simple example ruleset - The FORWARD chain • Everything from LAN to Internet • ICMP replies, related and Established traffic from Internet to LAN • iptables -P FORWARD DROP • iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT • iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Examples • iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with-tcp-reset • iptables -A INPUT -p tcp --dport 80:1024 -j DROP • iptables -A FORWARD -p tcp --dport 22:113 -j DROP • iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP • iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT • iptables -A OUTPUT -p tcp -o lo -j ACCEPT • iptables -P OUTPUT DROP