
Linux Packet Filters



Presentation Transcript


  1. Linux Packet Filters Casey Kelso

  2. Netfilter Framework
  • Allows kernel modules to observe and modify packets as they pass through the network stack.
  • Modules register custom hook functions at fixed points in packet processing.
  • Currently available for IPv4, IPv6 and DECnet, but the framework can be extended to other protocol families.

  3. Firewall
  • A protection mechanism placed at the network transition point (the boundary between the local network and the outside).
  • Protects the local network against outside dangers and checks that traffic is acceptable.
  • Enforces the site's security policy and logs network activity.

  4. Packet filter rule criteria
  • IP source / destination address.
  • Transport protocol (TCP / UDP).
  • TCP / UDP source / destination ports.
  • TCP flags.
  • By contrast, application gateways or proxies (for example for HTTP or SMTP) work above the transport layer and mediate between the communicating applications instead of filtering individual packets.

  5. Ingress Filtering
  [Figure: packets entering the local network from the outside network; the filter examines the source address and the destination address.]

  6. Egress Filtering
  [Figure: packets leaving the local network for the outside network; the filter examines the destination address and the source address.]

  7. TCP Ports
  • Incoming TCP connection-establishment requests are blocked.
  • Outgoing TCP connection-establishment requests are allowed.
  • A connection-establishment request can be detected by checking that SYN = 1 and ACK = 0 in the TCP header; every other segment of a connection has ACK = 1.

  8. Problems with Blocking Ports: FTP
  • The client sends commands from a dynamically allocated port to port 21 on the server (the control connection).
  • When a directory listing or a file is requested, the data is delivered over a second connection that the server opens from its port 20 to a dynamically allocated port on the client.
  • This causes problems because that data connection is an inbound connection-establishment request, which the rule on slide 7 blocks.

  9. Problems with Blocking Ports
  [Figure: active FTP. Commands: client (dynamic port) to server port 21. Data: server port 20 to client (dynamic port), i.e. an inbound connection request.]

  10. Solution: Passive FTP
  [Figure: passive FTP. Commands: client (dynamic port) to server port 21. Data: the client establishes the data connection from a dynamic port to a dynamic port that the server announces in its PASV reply, so the connection request is outbound and passes the filter.]
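The rule from slides 7 to 10 worked through in code, as an added example that is not part of the presentation: a small user-space filter in C that parses raw IPv4/TCP headers, recognises a connection-establishment request by SYN = 1 and ACK = 0, and blocks such requests only in the inbound direction. The addresses, ports and packets are constructed for the demo, and the type and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define PROTO_TCP 6

enum dir { INBOUND, OUTBOUND };          /* direction relative to the local network */
enum verdict { DROP = 0, ACCEPT = 1 };

struct pkt {
    int      ok;                         /* 0 if the buffer did not parse as IPv4 */
    uint8_t  proto;
    uint32_t saddr, daddr;               /* host byte order */
    uint16_t sport, dport;               /* 0 for non-TCP packets */
    uint8_t  flags;                      /* TCP flag byte */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse the IPv4 and TCP headers; anything truncated or not IPv4 yields ok = 0. */
struct pkt parse_ipv4_tcp(const uint8_t *buf, size_t len)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    if (len < 20 || (buf[0] >> 4) != 4)
        return p;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || rd16(buf + 2) < ihl || rd16(buf + 2) > len)
        return p;                        /* bad header length or total length beyond the buffer */
    p.proto = buf[9];
    p.saddr = rd32(buf + 12);
    p.daddr = rd32(buf + 16);
    if (p.proto == PROTO_TCP) {
        if (len < ihl + 20)
            return p;                    /* TCP header truncated */
        const uint8_t *tcp = buf + ihl;
        p.sport = rd16(tcp);
        p.dport = rd16(tcp + 2);
        p.flags = tcp[13];
    }
    p.ok = 1;
    return p;
}

/* Slide 7: a connection-establishment request has SYN = 1 and ACK = 0. */
int is_conn_request(const struct pkt *p)
{
    return p->ok && p->proto == PROTO_TCP && (p->flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Policy from slide 7: drop inbound connection requests, accept everything else that parses. */
enum verdict filter(const struct pkt *p, enum dir d)
{
    if (!p->ok)
        return DROP;                     /* malformed: never guess what it was */
    if (d == INBOUND && is_conn_request(p))
        return DROP;
    return ACCEPT;
}

/* Construct a 40-byte IPv4+TCP packet (no options, no payload) for the demo. */
size_t build_tcp(uint8_t *buf, uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                       /* version 4, IHL 5 words */
    wr16(buf + 2, 40);                   /* total length */
    buf[8] = 64;                         /* TTL */
    buf[9] = PROTO_TCP;
    wr32(buf + 12, sa);
    wr32(buf + 16, da);
    wr16(buf + 20, sp);
    wr16(buf + 22, dp);
    buf[32] = 5 << 4;                    /* TCP data offset: 5 words */
    buf[33] = flags;
    return 40;
}

/* Build, parse and filter in one step. */
enum verdict check(uint32_t sa, uint32_t da, uint16_t sp, uint16_t dp, uint8_t flags, enum dir d)
{
    uint8_t buf[40];
    size_t n = build_tcp(buf, sa, da, sp, dp, flags);
    struct pkt p = parse_ipv4_tcp(buf, n);
    return filter(&p, d);
}

int main(void)
{
    const uint32_t client = 0x0A000001;  /* 10.0.0.1, local network (constructed) */
    const uint32_t server = 0xC0A80005;  /* 192.168.0.5, outside (constructed) */
    printf("control SYN out:      %s\n", check(client, server, 40000, 21, TH_SYN, OUTBOUND) ? "accept" : "drop");
    /* Active FTP (slide 8): the data SYN from server:20 arrives inbound and is blocked. */
    printf("active data SYN in:   %s\n", check(server, client, 20, 40001, TH_SYN, INBOUND) ? "accept" : "drop");
    /* Passive FTP (slide 10): the client opens the data connection outbound to a server dynamic port. */
    printf("passive data SYN out: %s\n", check(client, server, 40002, 51000, TH_SYN, OUTBOUND) ? "accept" : "drop");
    /* The server's SYN/ACK has ACK = 1, so it is not a connection request. */
    printf("passive SYN/ACK in:   %s\n", check(server, client, 51000, 40002, TH_SYN | TH_ACK, INBOUND) ? "accept" : "drop");
    return 0;
}
```

The parser rejects anything it cannot account for (short buffer, non-IPv4, total length larger than what arrived) and the filter drops on a parse failure; a filter that lets unparseable packets through by default is a bypass waiting to happen.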

  11. Packet Filter – Quality Attributes
  • Filter inbound and outbound packets.
  • Distinguish packets that establish a connection from packets of existing connections.
  • Filter options for protocols other than IP, TCP and UDP.
  • Filter options for arbitrary bit patterns.
  • Filter options for inbound and outbound routing (the interface a packet arrives on or leaves by).
  • Packet filter rule priority.

  12. Packet Filter Architecture
  [Figure: path of a packet through the IPv4 stack and the five netfilter hooks.]
  • Incoming packets: device driver (input) -> CRC check and consistency checks -> NF_IP_PRE_ROUTING -> routing decision.
  • Packets addressed to this host: routing -> NF_IP_LOCAL_IN (iptables: INPUT) -> higher layers / local processes.
  • Forwarded packets: routing -> NF_IP_FORWARD (iptables: FORWARD) -> NF_IP_POST_ROUTING -> device driver (output).
  • Outgoing packets from local processes: NF_IP_LOCAL_OUT (iptables: OUTPUT) -> routing -> NF_IP_POST_ROUTING -> device driver (output).

  13. Netfilter Hooks
  • Uniform interface, which reduces the implementation cost of packet-filter code.
  • Provides the points at which packet-filter code can be attached.
  • Netfilter modules can be loaded into the kernel at runtime.
  • Each hook is identified by an integer; for IPv4 these run from NF_IP_PRE_ROUTING = 0 to NF_IP_POST_ROUTING = 4.

  14. Netfilter Hooks
  • NF_IP_PRE_ROUTING – the first IP hook, in the ip_rcv() function. Only the consistency checks (version, header length and checksum fields of the IP header) are processed before this hook.
  • NF_IP_LOCAL_IN – all incoming packets addressed to the local computer pass through this hook, after the routing decision.
  • NF_IP_FORWARD – all incoming packets not addressed to the local computer (packets to be forwarded) pass through this hook.

  15. Netfilter Hooks
  • NF_IP_LOCAL_OUT – all outgoing packets created by the local machine pass through this hook (for example in the ip_build_and_send_pkt() function).
  • NF_IP_POST_ROUTING – the last hook before a packet is sent; it is located in the ip_finish_output() function.

  16. NF_HOOK Macro
  • Resides in include/linux/netfilter.h.
  • Invoked by the IP code at each hook point: if no filter function is registered for this protocol family and hook, okfn() is called directly; otherwise nf_hook_slow() runs the registered functions.

      #define NF_HOOK(pf, hook, skb, indev, outdev, okfn)                        \
      (list_empty(&nf_hooks[(pf)][(hook)])                                       \
       ? (okfn)(skb)                                                             \
       : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn)))

  17. NF_HOOK Parameters
  • pf (protocol family) – PF_INET for IPv4, PF_INET6 for IPv6.
  • hook – the hook identifier (e.g. NF_IP_LOCAL_IN).
  • skb – pointer to the sk_buff structure holding the packet.
  • indev – input device (NULL for locally generated packets).
  • outdev – output device (NULL where it is not yet known, e.g. before routing).
  • okfn() – function invoked when all filter functions registered with this hook return NF_ACCEPT.

  18. Packet Filter Function Return Values
  • NF_DROP – the packet is dropped (freed).
  • NF_ACCEPT – the packet is accepted by this function; processing continues with the next filter function on the hook.
  • NF_STOLEN – the filter function has taken over the packet for further processing of its own; the stack stops processing it and must not free it.
  • NF_QUEUE – the packet is put on a queue (to user space) from which it can be removed and processed.
  • NF_REPEAT – call the current filter function again.

  19. Registering/Unregistering Hooks
  • nf_register_hook() registers a packet-filter hook with the Linux kernel.
  • nf_unregister_hook() unregisters it again.
  • Both take a pointer to an nf_hook_ops structure, which carries all information about the packet-filter function.

  20. nf_hook_ops Structure
  • Contains all management information for the packet-filter function.

      struct nf_hook_ops {
          struct list_head list;
          nf_hookfn *hook;
          int pf;
          int hooknum;
          int priority;
      };

  21. nf_hook_ops Structure
  • list – the kernel keeps the nf_hook_ops structures registered for each (protocol family, hook) pair in a linked list.
  • hook() – pointer to the packet-filter function.
  • pf – protocol family identifier (PF_INET, PF_INET6).
  • hooknum – hook identifier.
  • priority – the priority of the packet-filter function in the list for this hook; the list is kept in ascending priority order, so a lower value runs earlier.

  22. nf_iterate()
  • nf_hook_slow() calls nf_iterate() to execute all filter functions registered for the given hook and protocol family, and returns with the verdict.
  • NF_ACCEPT: the next packet filter on this hook is called. If all packet filters return NF_ACCEPT, nf_iterate() returns NF_ACCEPT to nf_hook_slow(), which then calls okfn().
  • NF_DROP: the walk stops and nf_hook_slow() calls kfree_skb().
  • NF_QUEUE: the walk stops and the packet is handed to the ipq_enqueue() function defined in net/ipv4/netfilter/ip_queue.c.
  • NF_STOLEN: the walk stops and nf_hook_slow() returns without freeing the packet.
  • NF_REPEAT: the same filter function is called again.
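How the pieces on slides 13 to 22 fit together, as an added example that is not kernel code: a user-space model in C that keeps the names and semantics of nf_hook_ops, nf_register_hook(), nf_unregister_hook(), nf_iterate(), nf_hook_slow() and the NF_HOOK macro, with a plain singly linked list standing in for struct list_head and a toy sk_buff. It shows the ascending-priority ordering, and how NF_REPEAT, NF_DROP and NF_ACCEPT change the walk. The hook names and packet descriptions are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts and IPv4 hook numbers, with the values the 2.4 netfilter headers use. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };
#define PF_INET 2
#define NPROTO  32

struct sk_buff { const char *desc; int passes; int freed; };   /* toy stand-in for the kernel's */

struct nf_hook_ops;
typedef unsigned int nf_hookfn(unsigned int hooknum, struct sk_buff **skb, struct nf_hook_ops *self);

struct nf_hook_ops {
    struct nf_hook_ops *next;   /* singly linked list in place of struct list_head */
    nf_hookfn *hook;
    int pf;
    int hooknum;
    int priority;               /* each list is kept in ascending priority order */
    const char *name;           /* demo bookkeeping only */
};

static struct nf_hook_ops *nf_hooks[NPROTO][NF_IP_NUMHOOKS];
static char trace[128];         /* the order in which hook functions and okfn() ran */

static void mark(const char *s) { if (trace[0]) strcat(trace, ","); strcat(trace, s); }
static void kfree_skb(struct sk_buff *skb) { skb->freed = 1; }

int nf_register_hook(struct nf_hook_ops *reg)
{
    struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum];
    while (*pp && (*pp)->priority <= reg->priority)   /* a lower priority value runs first */
        pp = &(*pp)->next;
    reg->next = *pp;
    *pp = reg;
    return 0;
}

void nf_unregister_hook(struct nf_hook_ops *reg)
{
    struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum];
    while (*pp && *pp != reg)
        pp = &(*pp)->next;
    if (*pp)
        *pp = reg->next;
}

/* Walk one hook's list: NF_ACCEPT moves on, NF_REPEAT re-runs the same function,
 * any other verdict ends the walk and is returned to nf_hook_slow(). */
static unsigned int nf_iterate(struct nf_hook_ops *elem, struct sk_buff **skb, unsigned int hook)
{
    while (elem) {
        unsigned int v = elem->hook(hook, skb, elem);
        if (v == NF_ACCEPT)
            elem = elem->next;
        else if (v != NF_REPEAT)
            return v;
    }
    return NF_ACCEPT;
}

int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb, int (*okfn)(struct sk_buff *))
{
    switch (nf_iterate(nf_hooks[pf][hook], &skb, hook)) {
    case NF_ACCEPT: return okfn(skb);             /* every function accepted: carry on up the stack */
    case NF_DROP:   kfree_skb(skb); return -1;    /* the kernel returns -EPERM here */
    case NF_STOLEN: return 0;                     /* the hook owns the skb; it must not be freed here */
    case NF_QUEUE:  mark("queued"); return 0;     /* the kernel hands it to nf_queue() / ipq_enqueue() */
    }
    return -1;
}

/* Same shape as the slide 16 macro, minus indev/outdev. */
#define NF_HOOK(pf, hook, skb, okfn) \
    (nf_hooks[(pf)][(hook)] == NULL ? (okfn)(skb) : nf_hook_slow((pf), (hook), (skb), (okfn)))

/* Three demo hook functions: log everything, ask for one repeat, drop "bad" packets. */
static unsigned int log_hook(unsigned int h, struct sk_buff **skb, struct nf_hook_ops *self)
{ (void)h; (void)skb; mark(self->name); return NF_ACCEPT; }
static unsigned int repeat_hook(unsigned int h, struct sk_buff **skb, struct nf_hook_ops *self)
{ (void)h; mark(self->name); return (*skb)->passes++ == 0 ? NF_REPEAT : NF_ACCEPT; }
static unsigned int drop_hook(unsigned int h, struct sk_buff **skb, struct nf_hook_ops *self)
{ (void)h; mark(self->name); return strstr((*skb)->desc, "bad") ? NF_DROP : NF_ACCEPT; }
static int deliver(struct sk_buff *skb) { (void)skb; mark("okfn"); return 0; }

static struct nf_hook_ops drop_ops = { NULL, drop_hook,   PF_INET, NF_IP_LOCAL_IN,  100, "drop"   };
static struct nf_hook_ops log_ops  = { NULL, log_hook,    PF_INET, NF_IP_LOCAL_IN, -100, "log"    };
static struct nf_hook_ops rep_ops  = { NULL, repeat_hook, PF_INET, NF_IP_LOCAL_IN,    0, "repeat" };

/* Push one packet through NF_IP_LOCAL_IN; returns what the stack would see. */
int run_local_in(const char *desc, struct sk_buff *skb)
{
    trace[0] = '\0';
    memset(skb, 0, sizeof *skb);
    skb->desc = desc;
    return NF_HOOK(PF_INET, NF_IP_LOCAL_IN, skb, deliver);
}
const char *last_trace(void) { return trace; }

int main(void)
{
    struct sk_buff skb;
    nf_register_hook(&drop_ops);    /* registered first but runs last: priority 100 */
    nf_register_hook(&log_ops);
    nf_register_hook(&rep_ops);
    run_local_in("good packet", &skb);
    printf("good: %s (freed=%d)\n", trace, skb.freed);
    run_local_in("bad packet", &skb);
    printf("bad:  %s (freed=%d)\n", trace, skb.freed);
    nf_unregister_hook(&drop_ops);
    run_local_in("bad packet", &skb);
    printf("bad, drop hook removed: %s (freed=%d)\n", trace, skb.freed);
    return 0;
}
```

Two things the model makes visible that matter when writing a real hook: registration order is irrelevant, only the priority value decides who sees the packet first (a filter at a high priority value can be pre-empted by a module that registers with a lower one), and a hook that returns NF_STOLEN takes over ownership of the skb, so freeing it in the hook and returning NF_DROP would be a double free.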

  23. NF_ACCEPT
  • The okfn() passed to NF_HOOK by the network code is called.
  • okfn() should call the output function associated with the dst structure bound to the sk_buff. This could be the ip_output() function defined in net/ipv4/ip_output.c.
  • From ip_output() the packet is either fragmented or delivered to ip_finish_output().
  • ip_finish_output() sets skb->dev to the output device from the dst structure and the protocol type to ETH_P_IP. Finally the NF_IP_POST_ROUTING hook is called.
  • This is the last netfilter hook; after it ip_finish_output2() hands the sk_buff on to the link-layer output code, which transmits it and frees it afterwards.

  24. Advantages of the Netfilter Architecture
  • Easy integration of packet-filter functions into the kernel.
  • Stateful connection tracking.
  • Packets are handled precisely by one rules list: INPUT, FORWARD or OUTPUT.
  • Forwarded packets traverse only the FORWARD hook, not all three (under ipchains a forwarded packet passed the input, forward and output chains).
  • Built-in port forwarding.
  • Compatibility with Linux network switching for faster packet forwarding.
  • Fully supports IPv4, IPv6 and DECnet.
  • Source MAC address filtering.
  • Packet rate limiting, e.g. against DoS floods.

  25. Stateful Connection Tracking
  • The ip_conntrack.o module assigns a state to each packet relative to the connections (TCP, and also UDP and ICMP flows) it has already seen.
  • Rate limiting of packets on an interface is a separate iptables match (limit), not a function of the connection tracker itself.
  • NEW: the packet starts a new connection (for TCP, a SYN with no existing entry).
  • ESTABLISHED: the packet belongs to an existing connection that has seen traffic in both directions.
  • RELATED: the packet starts a new connection that is related to an existing one but not an integral part of it (for example an FTP data connection).
  • INVALID: the packet could not be classified (for example it belongs to no known connection and does not start one).
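The four states in action, as an added example that is not the ip_conntrack.o code: a user-space C model that tracks TCP connections by address/port tuple, classifies each packet as NEW, ESTABLISHED, RELATED or INVALID, and carries a minimal FTP helper that parses the PORT command and registers an expectation, which is what turns the active-mode data connection from slide 8 into RELATED instead of an inbound NEW. It is simplified in one respect: any packet matching a tracked tuple in either direction counts as ESTABLISHED, without waiting for the reply direction. Addresses, ports and the PORT command text are constructed, and the names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_CONNS 16

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_RELATED, CT_INVALID };

struct tuple  { uint32_t saddr, daddr; uint16_t sport, dport; };
struct packet { struct tuple t; uint8_t flags; const char *payload; };  /* payload: NULL or ASCII text */

static struct tuple conns[MAX_CONNS];    /* tracked connections, stored in their original direction */
static int nconns;
static struct tuple expects[MAX_CONNS];  /* connections a helper expects to see next */
static int nexpects;

void ct_reset(void) { nconns = nexpects = 0; }

static int same(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport && a->dport == b->dport;
}

/* Look the tuple up in either direction; -1 if the connection is unknown. */
static int find_conn(const struct tuple *t)
{
    struct tuple r = { t->daddr, t->saddr, t->dport, t->sport };   /* reply direction */
    int i;
    for (i = 0; i < nconns; i++)
        if (same(&conns[i], t) || same(&conns[i], &r))
            return i;
    return -1;
}

/* FTP helper (the job of ip_conntrack_ftp.o): on "PORT h1,h2,h3,h4,p1,p2" sent to port 21,
 * expect a data connection from server:20 to client:(p1*256+p2). */
static void ftp_helper(const struct packet *p)
{
    unsigned h[4], p1, p2;
    if (p->t.dport != 21 || !p->payload || nexpects == MAX_CONNS)
        return;
    if (sscanf(p->payload, "PORT %u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3], &p1, &p2) != 6)
        return;
    if (h[0] > 255 || h[1] > 255 || h[2] > 255 || h[3] > 255 || p1 > 255 || p2 > 255)
        return;                                      /* malformed command: register nothing */
    struct tuple e = { p->t.daddr, (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3], 20, (uint16_t)(p1 * 256 + p2) };
    expects[nexpects++] = e;
}

enum ct_state classify(const struct packet *p)
{
    int i;
    if (find_conn(&p->t) >= 0) {
        ftp_helper(p);                               /* helpers only look at tracked connections */
        return CT_ESTABLISHED;
    }
    for (i = 0; i < nexpects; i++) {
        if (same(&expects[i], &p->t)) {
            expects[i] = expects[--nexpects];        /* an expectation is consumed once */
            if (nconns < MAX_CONNS) conns[nconns++] = p->t;
            return CT_RELATED;
        }
    }
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN) {  /* a packet that can open a connection */
        if (nconns < MAX_CONNS) conns[nconns++] = p->t;
        return CT_NEW;
    }
    return CT_INVALID;                               /* mid-stream packet of a connection never seen */
}

int main(void)
{
    static const char *name[] = { "NEW", "ESTABLISHED", "RELATED", "INVALID" };
    const uint32_t client = 0x0A000001, server = 0xC0A80005;   /* constructed: 10.0.0.1 and 192.168.0.5 */
    struct packet flow[] = {
        { { client, server, 40000, 21 }, TH_SYN, NULL },                       /* control SYN, outbound */
        { { server, client, 21, 40000 }, TH_SYN | TH_ACK, NULL },              /* SYN/ACK reply */
        { { client, server, 40000, 21 }, TH_ACK, "PORT 10,0,0,1,156,65\r\n" }, /* 156*256+65 = 40001 */
        { { server, client, 20, 40001 }, TH_SYN, NULL },                       /* active-mode data SYN, inbound */
        { { server, client, 20, 40002 }, TH_SYN, NULL },                       /* inbound SYN nobody asked for */
        { { server, client, 5555, 40003 }, TH_ACK, NULL },                     /* ACK for an unknown connection */
    };
    size_t i;
    ct_reset();
    for (i = 0; i < sizeof flow / sizeof flow[0]; i++)
        printf("packet %u: %s\n", (unsigned)(i + 1), name[classify(&flow[i])]);
    return 0;
}
```

With this classification the slide 7 rule becomes "drop inbound NEW, accept ESTABLISHED and RELATED": the expected data connection passes as RELATED, while the unrequested inbound SYN is still NEW and is dropped. The helper is also the part that deserves the most scrutiny, since it parses attacker-influenced text from the payload and turns it into a hole in the filter; the example only accepts a well-formed PORT line and only for the client address the command was sent from being announced.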

  26. Address Translation
  • The NAT module iptable_nat.o is accompanied by protocol-specific helper modules such as ip_nat_ftp.o. Together they perform better than the 2.2 kernel's masquerading.
  • Source NAT (SNAT): changes the source address of a packet after the routing decision, in the NF_IP_POST_ROUTING hook, so that replies come back to the NAT box.
  • Source NAT with masquerading: a special version of SNAT for dynamically allocated IP addresses, which uses the current address of the outgoing interface.
  • Destination NAT (DNAT): redirects packets to a different destination address. It must be hooked into NF_IP_PRE_ROUTING so that the IP header is changed before the routing decision is made. This can be used for transparent proxies.
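What a NAT module actually has to do to a packet, as an added example in user-space C (not the kernel's NAT code): rewrite the source address only in NF_IP_POST_ROUTING (SNAT) and the destination address only in NF_IP_PRE_ROUTING (DNAT), refuse any other hook, and then recompute both the IP header checksum and the TCP checksum, whose pseudo-header covers the addresses and therefore also goes stale. The sample packet and the addresses are constructed, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, NF_IP_POST_ROUTING };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Internet checksum (RFC 1071): add 16-bit words into acc, fold the carries, complement. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) acc += rd16(p + i);
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Sanity-check an IPv4+TCP packet: version, header length, total length within the buffer. */
static int hdr_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = rd16(pkt + 2);
    return ihl >= 20 && tot >= ihl + 20 && tot <= len && pkt[9] == 6;
}

/* Checksum over the IP header; over a header whose checksum field is filled in this yields 0. */
static uint16_t ip_csum(const uint8_t *pkt)
{
    return fold(sum16(0, pkt, (size_t)(pkt[0] & 0x0f) * 4));
}

/* TCP checksum: pseudo-header (src, dst, zero, protocol, TCP length) plus the TCP segment. */
static uint16_t tcp_csum(const uint8_t *pkt)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tcp_len = rd16(pkt + 2) - ihl;
    uint32_t acc = sum16(0, pkt + 12, 8);          /* source and destination addresses */
    acc += 6 + (uint32_t)tcp_len;                  /* 0x0006 (zero byte, protocol) and TCP length */
    return fold(sum16(acc, pkt + ihl, tcp_len));
}

int ip_csum_ok(const uint8_t *pkt, size_t len)  { return hdr_ok(pkt, len) && ip_csum(pkt) == 0; }
int tcp_csum_ok(const uint8_t *pkt, size_t len) { return hdr_ok(pkt, len) && tcp_csum(pkt) == 0; }

/* Recompute both checksums after any header change (zero the field first, then fill it). */
int fix_checksums(uint8_t *pkt, size_t len)
{
    if (!hdr_ok(pkt, len)) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    wr16(pkt + 10, 0);       wr16(pkt + 10, ip_csum(pkt));
    wr16(pkt + ihl + 16, 0); wr16(pkt + ihl + 16, tcp_csum(pkt));
    return 0;
}

/* DNAT is only legal before routing (PRE_ROUTING), SNAT only after it (POST_ROUTING). */
int nat_rewrite(uint8_t *pkt, size_t len, int hook, uint32_t new_addr)
{
    if (!hdr_ok(pkt, len)) return -1;
    if (hook == NF_IP_PRE_ROUTING)       wr32(pkt + 16, new_addr);   /* DNAT: new destination */
    else if (hook == NF_IP_POST_ROUTING) wr32(pkt + 12, new_addr);   /* SNAT: new source */
    else return -1;
    return fix_checksums(pkt, len);
}

/* Constructed sample: 10.0.0.7:40000 -> 198.51.100.9:80 SYN, both checksum fields left zero. */
static const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 7,  198, 51, 100, 9,
    0x9c, 0x40, 0x00, 0x50,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff,  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    uint8_t b[40];
    memcpy(b, sample_pkt, sizeof b);
    fix_checksums(b, sizeof b);
    printf("original:   src %08x dst %08x ip_ok=%d tcp_ok=%d\n", rd32(b + 12), rd32(b + 16), ip_csum_ok(b, 40), tcp_csum_ok(b, 40));
    nat_rewrite(b, sizeof b, NF_IP_POST_ROUTING, 0xCB007101);   /* SNAT to 203.0.113.1 (constructed) */
    printf("after SNAT: src %08x dst %08x ip_ok=%d tcp_ok=%d\n", rd32(b + 12), rd32(b + 16), ip_csum_ok(b, 40), tcp_csum_ok(b, 40));
    nat_rewrite(b, sizeof b, NF_IP_PRE_ROUTING, 0x0A000002);    /* DNAT to a proxy at 10.0.0.2 (constructed) */
    printf("after DNAT: src %08x dst %08x ip_ok=%d tcp_ok=%d\n", rd32(b + 12), rd32(b + 16), ip_csum_ok(b, 40), tcp_csum_ok(b, 40));
    printf("SNAT at LOCAL_IN: %d (rejected)\n", nat_rewrite(b, sizeof b, NF_IP_LOCAL_IN, 0x0A000007));
    return 0;
}
```

The hook check is the point of the example: a DNAT applied after the routing decision sends the packet out of the interface chosen for the old destination, and an SNAT applied before it can change which route is taken, which is why the kernel's NAT table binds each target to the hook named on the slide.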

  27. Compatibility Modules
  • ipchains.o – ensures a smooth transition from Linux 2.2 ipchains configuration files and scripts to a Linux 2.4 kernel or later.
  • ipfwadm.o – ensures a smooth transition from Linux 2.0 ipfwadm configuration files and scripts to a Linux 2.4 kernel or later.
  • These modules exist only for compatibility, to ease the move to the 2.4 kernel or newer; they are not supported going forward, and scripts should be rewritten for the new iptables/netfilter framework. Note that a compatibility module and the iptables modules cannot be loaded at the same time, so a host runs one or the other.

  28. Questions?
