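\def\lximg{/usr/share/lx/icons/fueller.png}
\input{configpres}
\subsection{Firewall Examples}
\title{Example Firewall}
\maketitle
\def\lximg{none}
% ----------------------------
% Exercise slides: each frame states the task, then (after \pause) shows the
% solution in a verbatim box. Verbatim bodies stay at column 0 because
% verbatim preserves leading whitespace.
% ----------------------------
\subsubsection{Initialization}
\begin{frame}[fragile]
  \frametitle{iptables config}
  \begin{itemize}
    \item Create a new directory ex\_ipt and change into it
    \item Get root (su)
    \item Print the current iptables configuration (iptables)
    \item Save the current configuration (iptables-save)
    \item Reset the iptables configuration (iptables)
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% iptables -L only lists the filter table; iptables-save dumps every table,
% so start.conf is the complete state to fall back to.
% Reset order is -F, -X, -Z: -X can only delete user-defined chains that are
% empty and unreferenced, so flushing has to come first.
\begin{verbatim}
mkdir ex_ipt
cd ex_ipt
su
iptables -L
iptables-save > start.conf
iptables -F
iptables -X
iptables -Z
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Policy}
\begin{frame}[fragile]
  \frametitle{Default Policy}
  \begin{itemize}
    \item Drop all incoming, outgoing and forwarding traffic
    \item Save these default policies to a file
    \item Reset iptables and restore the saved config
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% Setting INPUT/OUTPUT to DROP before any ACCEPT rule exists cuts a remote
% session used to run these commands; this step is meant for console work.
% iptables -F flushes rules but leaves the DROP policies in place; the
% restore re-applies them from step1.
\begin{verbatim}
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables-save > step1
iptables -F
iptables-restore < step1
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{User-defined Chains}
\begin{frame}[fragile]
  \frametitle{LOGDROP}
  \begin{itemize}
    \item From now on, edit the stepX file and load it with iptables-restore
    \item Create a new chain LOGDROP
    \item Log and drop INPUT and OUTPUT traffic with the new chain
    \item Check with ping
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% The limit match applies to the LOG rule only; the DROP rule is
% unconditional, so packets above 2/min are still dropped, just not logged.
% -A appends: the two catch-all rules must remain the last rules of INPUT
% and OUTPUT, so every ACCEPT rule added in later steps has to be inserted
% above them in the step file (see the summary slides for the final order).
\begin{verbatim}
# New chain
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
-A LOGDROP -j DROP
# Catch all falling through
-A INPUT -i eth0 -j LOGDROP
-A OUTPUT -o eth0 -j LOGDROP
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Traffic Filter}
\begin{frame}[fragile]
  \frametitle{Allow loopback traffic}
  \begin{itemize}
    \item Allow INPUT and OUTPUT traffic on interface lo
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
\begin{verbatim}
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{DNS}
  \begin{itemize}
    \item Allow DNS requests from this machine (UDP, port 53)
    \item Allow DNS responses
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% The INPUT rule accepts any ESTABLISHED UDP flow, not only DNS replies; it
% is superseded by the generic ESTABLISHED rule in a later step.
% DNS over TCP is not covered by this exercise.
\begin{verbatim}
# DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{ICMP}
  \begin{itemize}
    \item Allow simple ping requests and replies (icmp-type 8 and 0)
    \item Limit to 2 requests per second
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% -m limit keeps its default burst of 5, so a short burst above 2/s still
% passes before the limit takes effect.
% The trailing DROP rules discard every other ICMP type, including
% destination-unreachable (3) and time-exceeded (11); path-MTU discovery and
% traceroute depend on those, which is acceptable for the exercise but not
% for a production host.
\begin{verbatim}
# PING limited accept
-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp -j DROP
# Limit outgoing PING as well
-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A OUTPUT -p icmp -j DROP
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Established Connections}
  \begin{itemize}
    \item Allow INPUT and OUTPUT traffic for all ESTABLISHED connections
    \item Remove obsolete rules (DNS)
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% ESTABLISHED only: RELATED packets (for example ICMP errors belonging to a
% tracked flow) are not accepted and fall through to the catch-all LOGDROP.
% The [...] stands for lines of the step file omitted on the slide; the
% leading # turns the old DNS INPUT rule into a comment for iptables-restore.
\begin{verbatim}
# Allow established connections in and out
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
[...]
# DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Log new connections}
  \begin{itemize}
    \item Create a new chain LOGNEW\_ACCEPT
    \item New connections should be logged with prefix ``New: ''
    \item Traffic should be accepted
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% Unlike LOGDROP, the LOG rule here has no -m limit, so every packet in state
% NEW that reaches this chain produces a log line.
\begin{verbatim}
# LOGNEW_ACCEPT Chain
:LOGNEW_ACCEPT - [0:0]
-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
-A LOGNEW_ACCEPT -j ACCEPT
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Log new DNS connections}
  \begin{itemize}
    \item Log new DNS connections with the chain LOGNEW\_ACCEPT
  \end{itemize}
  \pause
  \begin{beamerboxesrounded}[shadow=true]{Solution:}
    \begin{scriptsize}
% NOTE(review): the trailing backslash is presumably a line break for the
% slide; iptables-restore expects each rule on a single line -- confirm
% before pasting into the step file.
\begin{verbatim}
# DNS
-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
   -j LOGNEW_ACCEPT
\end{verbatim}
    \end{scriptsize}
  \end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Summary}
% The three summary frames show one iptables-save file split across slides:
% header and chain definitions, then loopback/ICMP/ESTABLISHED, then
% DNS/SSH and the catch-all rules followed by COMMIT.
\begin{frame}[fragile]
  \frametitle{Full example with Ping, DNS, and SSH}
  \begin{scriptsize}
\begin{verbatim}
# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# New chain
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
-A LOGDROP -j DROP
# LOGNEW_ACCEPT Chain
:LOGNEW_ACCEPT - [0:0]
-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
-A LOGNEW_ACCEPT -j ACCEPT
\end{verbatim}
  \end{scriptsize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Full example with Ping, DNS, and SSH}
  \begin{scriptsize}
% In the final file the ICMP fall-through goes to LOGDROP (logged) instead of
% the plain DROP used on the ICMP exercise slide.
\begin{verbatim}
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# PING limited accept
-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A INPUT -p icmp -j LOGDROP
-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
-A OUTPUT -p icmp -j LOGDROP
# Allow established connections in and out
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
\end{verbatim}
  \end{scriptsize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Full example with Ping, DNS, and SSH}
  \begin{scriptsize}
% Incoming SSH is accepted from any source address and every new SYN is
% logged without a rate limit; fine for the lab, but outside it restrict the
% rule with -s to the administrative network.
% The catch-all LOGDROP rules are deliberately the last rules before COMMIT.
\begin{verbatim}
# DNS
-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
   -j LOGNEW_ACCEPT
# Outgoing SSH
-A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \
   -j LOGNEW_ACCEPT
# Incoming SSH
-A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT
# Catch all falling through
-A INPUT -i eth0 -j LOGDROP
-A OUTPUT -o eth0 -j LOGDROP
COMMIT
# Completed on Sat Apr 6 19:47:41 2013
\end{verbatim}
  \end{scriptsize}
\end{frame}
% ----------------------------
\subsection{}
\input{tailpres}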