
COM342 Networks and Data Communications


Presentation Transcript


  1. COM342 Networks and Data Communications
   Lecture 10: Security; Firewalls
   Ian McCrum, Room 5B18
   Tel: 90 366364 (voice mail on 6th ring)
   Email: IJ.McCrum@Ulster.ac.uk
   Web site: http://www.eej.ulst.ac.uk
   Slides: www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt

  2. Routers
   • Connecting two Local Area Networks together.
   • Connecting a Local Area Network to the internet, e.g. via an ADSL modem, a cable modem or a slow dial-up modem.
   • Connecting a LAN to a corporate network, e.g. within a building.
   • Other uses: masquerading, to allow a number of private-IP-numbered machines to use the net, pretending to have an IP number that is allowed to traverse the internet.
   • Restricting certain traffic while routing other traffic; useful for security… Firewall (see also bastion hosts and DMZ).
   • As well as restricting traffic we can reform packets to provide security: either an IP/port to IP/port connection that is encrypted, or a complete IP <-> IP connection that is encrypted (see SSH tunnels and VPNs; also CIPE, IPsec and others…).

  3. Firewalls (Linux iptables software)
   • We have seen how TCP/IP (“internet”) data transport across the network involves:
     • An IP number (or a name that gets converted into a number)
     • A port number (e.g. port 80 for outgoing web pages)
     • The packet type, TCP or UDP.
   • To block unwanted traffic, we must specify what gets through the firewall and what doesn’t.
   • Each installation varies. We might allow all outgoing traffic but block all incoming traffic; this won’t work, since some of the incoming traffic may be in response to an outgoing request.

  4. The Netfilter software (“iptables”)
   • The way that the Linux netfilter software operates is to have the following…
   • Rules: decisions are based on rules that we create. A rule specifies the criteria necessary for a packet to match it.
   • Targets: this is usually ACCEPT, DROP or REJECT.
   • Chains: rules are grouped into chains, which in turn are in…
   • Tables: three default tables are INPUT, OUTPUT and FORWARD (two others are NAT and MANGLE).
   • States: used for stateful packet filtering… subtle but useful; you can create rules based on whether a packet exists in any of the following states: NEW, ESTABLISHED, RELATED and INVALID.

  5. Creating and Storing Rules
   • Rules can be appended to the chains with the -A option. Also available are -I to insert and -R to replace; there is also -D to delete a rule.
   • $ iptables -A INPUT -s 0/0 -d 193.61.142.121 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
   • The rule above allows any source IP to access your port 80, so anyone can access the web server running at .121.

  6. Complete example (no forwarding)

     *filter
     # The default targets for the three chains are set
     :INPUT DROP [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT DROP [0:0]
     # need to allow "loopback" to work
     -A INPUT -i lo -j ACCEPT
     # need to drop invalid connections
     -A INPUT -m state --state INVALID -j DROP
     -A OUTPUT -m state --state INVALID -j DROP
     -A FORWARD -m state --state INVALID -j DROP
     # allow all established and related connections that come in to me
     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     COMMIT
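The stateful behaviour these slides depend on can be seen in a small model: the NEW, ESTABLISHED and INVALID states of slide 4, and slide 3's point that blocking all incoming traffic also blocks the replies to your own requests. The following Python program is an added illustration written for these notes; it is not netfilter code and not from the slides' author. It models first-match rule evaluation with a default policy per chain and a conntrack-style table of accepted flows, loads the INPUT rules of slide 6 together with the port-80 rule of slide 5, and adds two assumed OUTPUT rules (accept ESTABLISHED,RELATED, and a NEW http/https rule like the one on slide 8) so the host can open connections of its own. RELATED is not modelled, the addresses 198.51.100.7 and 203.0.113.9 are constructed, and the same packets are then run through a "naive" set that has no state rule at all.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

S = frozenset   # shorthand for the --state and --dport sets below

@dataclass(frozen=True)
class Packet:
    chain: str            # "INPUT" (arriving at this host) or "OUTPUT" (leaving it)
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str = "eth0"   # -i for INPUT, -o for OUTPUT
    syn: bool = False     # TCP SYN flag: set on the packet that opens a connection

    def flow(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

@dataclass(frozen=True)
class Rule:
    target: str                      # -j ACCEPT or -j DROP
    iface: Optional[str] = None      # -i / -o
    proto: Optional[str] = None      # -p
    dst: Optional[str] = None        # -d: a host, or "0/0" for anywhere
    dports: FrozenSet[int] = S()     # --dport, or multiport --dports
    states: FrozenSet[str] = S()     # -m state --state

    def matches(self, pkt: Packet, state: str) -> bool:   # every criterion given must match
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst in (None, "0/0") or self.dst == pkt.dst)
                and (not self.dports or pkt.dport in self.dports)
                and (not self.states or state in self.states))

class Firewall:
    def __init__(self, policy: Dict[str, str]):
        self.policy = policy                          # chain -> default target (":INPUT DROP")
        self.chains = {chain: [] for chain in policy}
        self.flows = set()                            # conntrack: flows whose opening packet passed

    def append(self, chain: str, rule: Rule) -> None:  # like iptables -A
        self.chains[chain].append(rule)

    def state(self, pkt: Packet) -> str:               # conntrack classification of one packet
        rev = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flow() in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if pkt.proto == "tcp" and not pkt.syn:
            return "INVALID"   # mid-stream TCP packet for a connection never seen opening
        return "NEW"

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (conntrack state, verdict); the first matching rule wins, else the policy."""
        state = self.state(pkt)
        verdict = self.policy[pkt.chain]
        for rule in self.chains[pkt.chain]:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if state == "NEW" and verdict == "ACCEPT":    # an entry is kept only if the packet passes
            self.flows.add(pkt.flow())
        return state, verdict

def slide_ruleset() -> Firewall:
    """Slide 6's INPUT rules, slide 5's port-80 rule, and two assumed OUTPUT rules."""
    fw = Firewall({"INPUT": "DROP", "OUTPUT": "DROP"})
    fw.append("INPUT", Rule("ACCEPT", iface="lo"))
    fw.append("INPUT", Rule("DROP", states=S({"INVALID"})))
    fw.append("OUTPUT", Rule("DROP", states=S({"INVALID"})))
    fw.append("INPUT", Rule("ACCEPT", states=S({"ESTABLISHED", "RELATED"})))
    fw.append("INPUT", Rule("ACCEPT", iface="eth0", proto="tcp", dst="193.61.142.121",
                            dports=S({80}), states=S({"NEW"})))
    # assumed additions: replies may leave, and this host may itself open http/https connections
    fw.append("OUTPUT", Rule("ACCEPT", states=S({"ESTABLISHED", "RELATED"})))
    fw.append("OUTPUT", Rule("ACCEPT", iface="eth0", proto="tcp", dst="0/0",
                             dports=S({80, 443}), states=S({"NEW"})))
    return fw

def naive_ruleset() -> Firewall:   # slide 3's "allow all outgoing, block all incoming", no state rule
    return Firewall({"INPUT": "DROP", "OUTPUT": "ACCEPT"})

ME, SERVER, CLIENT = "193.61.142.121", "198.51.100.7", "203.0.113.9"   # last two are constructed

def demo(fw: Firewall) -> Dict[str, Tuple[str, str]]:
    # push the same constructed packets through a firewall, in order, collecting (state, verdict)
    return {
        # unsolicited SYN to ssh from the internet: NEW, nothing matches, so the policy decides
        "inbound_ssh": fw.filter(Packet("INPUT", "tcp", CLIENT, ME, 40000, 22, syn=True)),
        # unsolicited SYN to the web server: NEW, accepted only where slide 5's rule is present
        "inbound_http": fw.filter(Packet("INPUT", "tcp", CLIENT, ME, 40001, 80, syn=True)),
        # this host opens a connection to a remote web server
        "outbound_http": fw.filter(Packet("OUTPUT", "tcp", ME, SERVER, 50000, 80, syn=True)),
        # the server's reply: no SYN, but the reverse flow is tracked, so ESTABLISHED
        "reply_to_us": fw.filter(Packet("INPUT", "tcp", SERVER, ME, 80, 50000)),
        # a stray ACK for a connection nobody opened: INVALID
        "stray_ack": fw.filter(Packet("INPUT", "tcp", CLIENT, ME, 40002, 80)),
    }
```

Call demo(slide_ruleset()) and demo(naive_ruleset()) to compare the two sets. With the stateful set the server's reply is classified ESTABLISHED and accepted while the stray ACK is INVALID and dropped by the explicit rule; with the naive set the reply is still recognised as ESTABLISHED, but no INPUT rule uses that state, so the default DROP discards it, which is exactly the failure slide 3 warns about.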

  7. Another Complete Example

     *filter
     # The default targets for the three chains are set
     :INPUT DROP [0:0]
     :FORWARD DROP [0:0]
     :OUTPUT DROP [0:0]
     # need to allow "loopback" to work
     -A INPUT -i lo -j ACCEPT
     # need to drop invalid connections
     -A INPUT -m state --state INVALID -j DROP
     -A OUTPUT -m state --state INVALID -j DROP
     -A FORWARD -m state --state INVALID -j DROP
     # allow all established and related connections that come in to me
     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     # allow connections to my ISP's DNS server(s), both for me going out and for my forwarded LAN stuff
     -A OUTPUT -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
     -A FORWARD -d 193.61.128.3 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
     # allow outgoing connections to webservers, my users can surf the world…

   …. Continued on the next slide

  8. …. Continued

     # Allow outgoing connections to webservers, my users can surf the world…
     -A OUTPUT -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
     -A FORWARD -d 0/0 -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
     # Actually safer to add a -s option above to explicitly enable only certain source IP numbers as well (with -s 192.168.0.3 etc.)
     # this means repeating the line above, once for each IP source allowed to surf.
     # Allow outgoing mail to my ISP's SMTP and POP3 server only
     -A OUTPUT -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -o eth0 -j ACCEPT
     -A FORWARD -d mail.my-isp.com -m state --state NEW -p tcp -m multiport --dports smtp,pop3 -o eth0 -j ACCEPT
     # Log all other attempted outgoing connections, use this if you aren't sure of what ports to allow…
     -A OUTPUT -o eth0 -j LOG
     -A FORWARD -j LOG
     # default is to DROP outgoing connections so we should see this in the logs
     COMMIT
     *nat
     # Set up IP forwarding and NAT
     -A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
     COMMIT

  9. More on NAT and FORWARDING

     # for static IP numbers you can use the line below
     -A POSTROUTING -o eth0 -j SNAT --to 192.168.0.1
     # for dynamic IP numbers use the line below instead
     -A POSTROUTING -o eth0 -j MASQUERADE
     # this is a special case: the source IP is changed to the IP of the outgoing interface (eth0)
     # this works with static as well, but the netfilter advice is to use the first version for static IPs.
     # For ethernet (wired) networks that is ok; card drivers are inserted into the kernel with
     # insmod or modprobe if needed (95% of cards autoinsert ok)
     # ifconfig sets IP numbers/netmasks for each card; the route command tells where gateways are
     # for wireless cards you use iwconfig to set the ESSID and MODE (ad-hoc or managed)
     # The above slides allow any internal LAN machine to get out as required. To get outside traffic
     # to end up at a specific machine is a bit trickier, e.g. if we run a web server on a PC, port 80.
     # port forwarding allows incoming traffic (port 80) on the firewall to be passed on to an internal PC
     # two types of NAT exist, source and destination (SNAT/DNAT). Each incoming port can only be
     # forwarded once, so you cannot run two webservers at once unless you use different ports
     *nat
     -A POSTROUTING -o eth0 -j SNAT --to 193.61.142.120
     -A PREROUTING -i eth0 -p tcp -d 193.61.142.120 --dport 80 -j DNAT --to 192.168.0.3:80
     COMMIT
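The two nat rules at the end of this slide can be followed step by step with a small model of SNAT, DNAT and the per-flow bindings that conntrack keeps so replies are translated back without needing a rule of their own. This Python program is an added illustration written for these notes, not netfilter code and not the slides' author's: it uses the slide's public address 193.61.142.120 and internal web server 192.168.0.3, while the LAN client 192.168.0.5, the second server 192.168.0.4, port 8080 and the outside addresses 198.51.100.7 and 203.0.113.9 are constructed. It also enforces the slide's rule that an incoming port can only be forwarded once. Source-port collisions between two LAN hosts, which real SNAT resolves by picking a new port, are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self) -> Flow:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

def reverse(f: Flow) -> Flow:
    proto, src, sport, dst, dport = f
    return (proto, dst, dport, src, sport)

class NatBox:
    """The firewall's nat table: DNAT rules in PREROUTING, SNAT in POSTROUTING, plus the
    per-flow bindings conntrack keeps so replies are translated back automatically."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port) -> (LAN ip, port)
        self.bindings: Dict[Flow, Flow] = {}                         # flow as seen -> flow after translation

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        """-A PREROUTING -i eth0 -p <proto> -d <public_ip> --dport <public_port> -j DNAT --to <lan_ip>:<lan_port>"""
        key = (proto, public_port)
        if key in self.forwards:   # the slide's rule: each incoming port can be forwarded only once
            raise ValueError(f"{proto}/{public_port} is already forwarded to {self.forwards[key]}")
        self.forwards[key] = (lan_ip, lan_port)

    def _bind(self, seen: Flow, translated: Flow) -> None:
        self.bindings[seen] = translated
        self.bindings[reverse(translated)] = reverse(seen)   # so the reply maps straight back

    def prerouting(self, pkt: Pkt) -> Pkt:
        """Packet arriving on eth0 from the internet."""
        seen = pkt.flow()
        if seen in self.bindings:                 # reply to a flow we already translated
            return Pkt(*self.bindings[seen])
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is None or pkt.dst != self.public_ip:
            return pkt                            # no DNAT rule applies; the filter table decides its fate
        translated = (pkt.proto, pkt.src, pkt.sport, target[0], target[1])
        self._bind(seen, translated)
        return Pkt(*translated)

    def postrouting(self, pkt: Pkt) -> Pkt:
        """Packet about to leave on eth0: -A POSTROUTING -o eth0 -j SNAT --to <public_ip>."""
        seen = pkt.flow()
        if seen not in self.bindings:             # first packet of a new outgoing flow
            self._bind(seen, (pkt.proto, self.public_ip, pkt.sport, pkt.dst, pkt.dport))
        return Pkt(*self.bindings[seen])

def demo() -> Dict[str, object]:
    # constructed traffic through the slide's configuration, collecting what each packet looks like afterwards
    box = NatBox("193.61.142.120")
    box.add_port_forward("tcp", 80, "192.168.0.3", 80)   # the slide's PREROUTING DNAT rule
    out: Dict[str, object] = {}
    # a LAN client browses: SNAT rewrites its private source to the public IP
    p1 = box.postrouting(Pkt("tcp", "192.168.0.5", 40000, "198.51.100.7", 80))
    out["surf_out"] = (p1.src, p1.dst)
    # the web server's reply, addressed to the public IP, is mapped back to the LAN client
    p2 = box.prerouting(Pkt("tcp", "198.51.100.7", 80, "193.61.142.120", 40000))
    out["surf_reply"] = (p2.src, p2.dst, p2.dport)
    # an internet client hits public port 80: DNAT sends it to the internal web server
    p3 = box.prerouting(Pkt("tcp", "203.0.113.9", 51000, "193.61.142.120", 80))
    out["web_in"] = (p3.dst, p3.dport)
    # the server's reply leaves with the public IP as source, so the client sees a consistent peer
    p4 = box.postrouting(Pkt("tcp", "192.168.0.3", 80, "203.0.113.9", 51000))
    out["web_reply"] = (p4.src, p4.sport)
    # a second web server on the same public port cannot be forwarded...
    try:
        box.add_port_forward("tcp", 80, "192.168.0.4", 80)
        out["second_forward"] = "allowed"
    except ValueError:
        out["second_forward"] = "refused"
    # ...but a different public port can
    box.add_port_forward("tcp", 8080, "192.168.0.4", 80)
    p5 = box.prerouting(Pkt("tcp", "203.0.113.9", 51001, "193.61.142.120", 8080))
    out["web2_in"] = (p5.dst, p5.dport)
    return out
```

The binding table is what makes the slide's two rules sufficient: SNAT and DNAT are written for the first packet of a flow only, and the reverse mapping stored alongside each binding is what conntrack consults for every later packet in either direction.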

  10. Miscellaneous

     # Pings can be useful; to enable these
     -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
     # it might be a good idea to limit pings to certain machines only (-s option)

   OTHER THINGS… We have not looked at:
   • The MANGLE table for altering packets
   • The string module, which allows rule matching based on strings anywhere in the data payload
   • Time based rules
   • Quota and bandwidth limits
   • Tarpits (catch and hold potential hacker packets, use up their resources and not your own)

   MORE INFORMATION
   • These slides are taken from the document “Firewalling with netfilter/iptables” by Barry O’Donovan from UCD; Barry is a member of the Irish Linux Users Group.
   • See also http://www.netfilter.org
   • Google for “IPTABLES TUTORIALS”
   • Read the “HOWTO” documents held at http://www.tldp.org (tldp stands for “The Linux Documentation Project”)
