\def\lximg{/usr/share/lx/icons/fueller.png}
\input{configpres}
\subsection{Firewall}
\title{Firewall}
\maketitle
\def\lximg{none}
% ----------------------------
\subsubsection{Basics}
\begin{frame}[fragile]
\frametitle{Open System Interconnection Model (OSI)}
\begin{itemize}
\item Separates the communication flow into layers
\item A firewall is classified by the highest layer it inspects
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[scale=0.6]{images/firewall-osi.png}
\end{figure}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Firewalls}
\begin{itemize}
\item Focus of a (stateless) packet filter
\begin{itemize}
\item Layer 3 and 4: every packet is judged on its own (addresses, protocol, ports, flags)
\end{itemize}
\item Focus of stateful firewalls
\begin{itemize}
\item Layer 4 and higher: connection tracking, a packet is judged by the flow it belongs to
\item Deep Packet Inspection (DPI)
\item Protocol- and application-specific filtering
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Netfilter / iptables}
\begin{itemize}
\item Standard firewall for Linux (successor: nftables; current distributions often run the iptables commands on top of an nftables backend)
\item based on Netfilter (kernel hooks in the network stack)
\item related tools (userspace)
\begin{itemize}
\item iptables (for IPv4)
\item ip6tables (for IPv6 -- a separate rule set, an IPv4-only policy does not cover IPv6)
\item arptables (for Layer 2, ARP)
\item ebtables (for Ethernet bridges)
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Elements}
\begin{frame}
\frametitle{Elements}
\begin{itemize}
\item Elements: Tables, Chains and Rules
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[scale=0.5]{images/firewall-schema.png}
\end{figure}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Tables}
\begin{itemize}
\item Multiple Chains, grouped by purpose
\item Each table attaches its chains to the Netfilter hooks it needs; at a hook the tables are traversed in a fixed order (raw first, before connection tracking)
\begin{itemize}
\item raw: Pre-connection Tracking
\item mangle: Packet Modification
\item nat: Network Address Translation
\item filter: Packet filtering, e.g. for Security (the default table)
\item security: for Mandatory Access Control, e.g. 
SELinux
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Chains (1)}
\begin{itemize}
\item Multiple Rules
\item Processing from top to bottom: the first matching rule with a terminating target decides; if no rule matches, the default policy of the (built-in) chain applies
\item Pre-defined Chains
\begin{itemize}
\item PREROUTING: Packet reception, before the routing decision
\item INPUT: Locally delivered (destined for this host)
\item FORWARD: Forwarding (routed through this host)
\item OUTPUT: Locally produced
\item POSTROUTING: Packet sending, after the routing decision
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Chains (2)}
\begin{itemize}
\item User-defined Chains
\item Simple reuse for multiple projects
\item Separate common Rules
\item Standard Services and Protocols
\begin{itemize}
\item Web-Services
\item Remote Access
\item Virtual Private Network (VPN)
\item NTP
\end{itemize}
\item Standard Behavior
\begin{itemize}
\item LOG and DROP
\item Bandwidth throttling
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Rules (1)}
\begin{itemize}
\item Specification
\begin{itemize}
\item Source/Destination: Address, Mask, and Port
\item In- and Out-Interface
\end{itemize}
\item Match extension
\begin{itemize}
\item protocol specific: icmp, tcp, udp, \dots
\item connbytes/-limit/-mark/-track
\item state (older form of conntrack)
\item time
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Rules (2)}
\begin{itemize}
\item Actions (final, i.e. terminating targets)
\begin{itemize}
\item ACCEPT
\item REJECT (discards and sends an error back, by default ICMP port unreachable)
\item DROP (discards silently)
\end{itemize}
\item Actions (continue)
\begin{itemize}
\item LOG (logs, then the next rule is evaluated)
\item JUMP (\texttt{-j} to a user-defined chain; returns to the next rule if nothing in that chain terminates)
\item GOTO (\texttt{-g}, like JUMP but without return)
\item RETURN
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}
\frametitle{Workflow}
\begin{figure}[h]
\centering
\includegraphics[scale=0.5]{images/firewall-schema.png}
\end{figure}
\end{frame}
% ----------------------------
\subsubsection{Tools}
\begin{frame}
\frametitle{Tools}
\begin{itemize}
\item Configuration
\begin{itemize}
\item iptables / ip6tables
\item iptables-persistent (iptables-save / iptables-restore)
\item shorewall
\item fwbuilder
\end{itemize}
\item 
Analysis
\begin{itemize}
\item Logfile (kernel log / syslog, where LOG targets end up)
\item nmap
\item wireshark
\item Kali-Linux
\end{itemize}
\end{itemize}
Note: Use penetration-testing tools \emph{very} carefully, and only against systems you are authorised to test!
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Show all Chains of Table \emph{filter}:}
\begin{scriptsize}
\begin{verbatim}
iptables -t filter -L
iptables -L          # table filter is the default
iptables -L -v -n    # -v: counters, interfaces; -n: no name lookups
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Flush all Chains:}
\begin{scriptsize}
\begin{verbatim}
iptables -F          # removes the rules of every chain of the
                     # given table (default: filter); policies
                     # and user-defined chains remain (see -X)
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Set default Policies:}
\begin{scriptsize}
\begin{verbatim}
iptables -P <chain> <ACCEPT|DROP>   # built-in chains only
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{User-defined Chains:}
\begin{scriptsize}
\begin{verbatim}
iptables -N <chain>        # create new chain
iptables -X <chain>        # delete chain (must be empty and unreferenced)
iptables -E <old> <new>    # rename chain
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Rules:}
\begin{scriptsize}
\begin{verbatim}
iptables -A <chain> <rule-spec>              # append rule to chain
iptables -C <chain> <rule-spec>              # check: does a matching rule exist?
iptables -D <chain> <rule-spec>              # remove the first matching rule
iptables -D <chain> <rulenum>                # remove rule by number (1 = first)
iptables -I <chain> [<rulenum>] <rule-spec>  # insert rule at position (default: top)
iptables -R <chain> <rulenum> <rule-spec>    # replace rule
iptables -F <chain>                          # flush all rules in chain
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Rule specifications:}
\begin{scriptsize}
\begin{verbatim}
-p <proto>                      # tcp, udp, icmp, all (required for --sport/--dport)
-i <iface>                      # in-interface  (INPUT, FORWARD, PREROUTING only)
-o <iface>                      # out-interface (OUTPUT, FORWARD, POSTROUTING only)
--source <addr>[/<mask>]        # match source IP/IP-range
--sport <port>[:<port>]         # match source port (or range)
--destination <addr>[/<mask>]   # match destination IP/IP-range
--dport <port>[:<port>]         # match destination port (or range)
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Match extensions:}
\begin{scriptsize}
\begin{verbatim}
--modprobe=<command>                 # program used to load extension modules
-m conntrack --ctstate <states>      # NEW,ESTABLISHED,RELATED,INVALID
                                     # (-m state --state is the older spelling)
-m icmp --icmp-type <type>           # loaded implicitly by -p icmp
-m limit --limit <rate>/<interval>   # e.g. 2/min; optional --limit-burst <n>
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Pitfalls}
\begin{frame}
\frametitle{Pitfalls}
\begin{itemize}
\item IPv4 and IPv6: separate rule sets (iptables / ip6tables) -- an IPv4-only policy leaves the IPv6 side at its ACCEPT defaults
\item complex or multi-port protocols (e.g. FTP): the data channel is only tracked with a connection-tracking helper
\item Infrastructure Services (e.g. DHCP, DNS): must be allowed explicitly under a DROP policy
\item Locking yourself out: on a remote host set DROP policies only after the allow rules exist (or use \texttt{iptables-apply})
\item Persistence: rules are lost on reboot unless saved (iptables-persistent)
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Examples}
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Preparation}
\begin{scriptsize}
\begin{verbatim}
# start from a clean filter table
iptables -F            # flush the rules of all chains
iptables -X            # delete (empty) user-defined chains
# allow loopback before anything is dropped:
# local services talk to each other over lo
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
...
# set default policies LAST -- on a remote host this
# cuts the session unless an allow rule for it exists.
# Only ACCEPT or DROP are valid policies; REJECT is a
# target, not a policy (use it in a final rule instead).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
...
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{SSH-Client}
\begin{scriptsize}
\begin{verbatim}
#
# Allow outgoing SSH; incoming traffic only
# on established connections.
# (-m state is the older form of -m conntrack --ctstate)
# Note: under the OUTPUT DROP policy name resolution
# (DNS, udp/53) is still blocked -- allow it separately.
#
iptables -A OUTPUT -o eth0 -p tcp --dport 22 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 \
  -m state --state ESTABLISHED -j ACCEPT
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Web-Server}
\begin{scriptsize}
\begin{verbatim}
#
# Accept new connections only to ports 80/443;
# outgoing traffic only on established connections
# (the server itself cannot open connections).
#
iptables -A INPUT -i eth0 -p tcp --dport 80 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 \
  -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 \
  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 \
  -m state --state ESTABLISHED -j ACCEPT
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{FTP-Server (iptables-persistent script)}
\begin{scriptsize}
\begin{verbatim}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# FTP Server: control channel on 21. The data channel only
# matches RELATED if the FTP conntrack helper is loaded
# (modprobe nf_conntrack_ftp). Recent kernels no longer
# assign helpers automatically; add in the raw table:
#   -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
-A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Important: always necessary for iptables-restore
COMMIT
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{User-defined LOGDROP chain}
\begin{scriptsize}
\begin{verbatim}
#
# create new chain; an old LOGDROP must be empty and
# unreferenced before -X succeeds, so flush it first
iptables -F LOGDROP
iptables -X LOGDROP
iptables -N LOGDROP
# log at most 2 entries per minute (level 7 = debug), then drop
iptables -A LOGDROP -m limit --limit 2/min \
  -j LOG --log-prefix "LOGDROP: " --log-level 7
iptables -A LOGDROP -j DROP
# use it as the last rule of a chain instead of relying
# on the silent policy, e.g.:  iptables -A INPUT -j LOGDROP
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Trace all outgoing traffic}
\begin{scriptsize}
\begin{verbatim}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# user-defined chain (policy field "-"); a built-in chain's
# policy can only be ACCEPT or DROP, so OUTPUT jumps to it
:LOGACCEPT - [0:0]
# an unlimited LOG floods the kernel log on a busy host;
# add -m limit --limit <rate>/<interval> outside of tests
-A LOGACCEPT -j LOG
-A LOGACCEPT -j ACCEPT
-A OUTPUT -j LOGACCEPT
# Important: always necessary for iptables-restore
COMMIT
\end{verbatim}
\end{scriptsize}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Related Links}
\begin{frame}
Project Homepage
\begin{itemize}
\item \url{http://www.netfilter.org/projects/iptables/}
\end{itemize}
Tools
\begin{itemize}
\item Firewall Builder \\ \url{http://www.fwbuilder.org/}
\item Shorewall \\ \url{http://shorewall.net/}
\item Kali-Linux \\ \url{http://www.kali.org/}
\end{itemize}
\end{frame}
\subsection{}
\input{tailpres}