\def\lximg{/usr/share/lx/icons/fueller.png}

\input{configpres}

\subsection{Firewall}

\title{Firewall}
\maketitle

\def\lximg{none}

\begin{frame}
\frametitle{Contents}
\tableofcontents
\end{frame}

% ----------------------------
\subsubsection{Basics}

\begin{frame}[fragile]
\frametitle{Open System Interconnection Model (OSI)}
\begin{itemize}
\item Separate Communication Flow into Levels
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[scale=0.6]{images/firewall-osi.png}
\end{figure}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Firewalls}
\begin{itemize}
\item Focus of Packet Filter
 \begin{itemize}
 \item Layer 3 and 4
 \end{itemize}
\item Focus of stateful Firewalls
 \begin{itemize}
 \item Layer 4 and higher
 \item Deep Packet Inspection
 \item Protocol and Application Specific Filtering
 \end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Netfilter / iptables}
\begin{itemize}
\item Standard Firewall for Linux
\item based on Netfilter (Kernel)
\item related tools (userspace)
 \begin{itemize}
 \item iptables (for IPv4)
 \item ip6tables (for IPv6)
 \item arptables (for Layer 2, ARP)
 \item ebtables (for Ethernet bridges)
 \end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Elements}

\begin{frame}
\frametitle{Elements}
\begin{itemize}
\item Elements: Tables, Chains and Rules
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[scale=0.5]{images/firewall-schema.png}
\end{figure}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Tables}
\begin{itemize}
\item Multiple Chains
\item One Table for each Hook
\begin{itemize}
\item raw: Pre-connection Tracking
\item mangle: Packet Modification
\item nat: Network Address Translation
\item filter: Packet filtering, e.g.\ for Security
\item security: for Mandatory Access Control, e.g.\ SELinux
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Chains (1)}
\begin{itemize}
\item Multiple Rules
\item Processing from top to bottom
\item Pre-defined Chains
\begin{itemize}
\item PREROUTING: Packet reception
\item INPUT: Locally delivered
\item FORWARD: Forwarding
\item OUTPUT: Locally produced
\item POSTROUTING: Packet transmission
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Chains (2)}
\begin{itemize}
\item User-defined Chains
\item Simple reuse for multiple projects
\item Separate common Rules
\item Standard Services and Protocols
\begin{itemize}
\item Web-Services
\item Remote Access
\item Virtual Private Network (VPN)
\item NTP
\end{itemize}
\item Standard Behavior
\begin{itemize}
\item LOG and DROP
\item Bandwidth throttling
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Rules (1)}
\begin{itemize}
\item Specification
\begin{itemize}
\item Source/Destination: Address, Mask, and Port
\item In- and Out-Interface
\end{itemize}
\item Match extension
\begin{itemize}
\item protocol specific: icmp, tcp, udp, \dots
\item connbytes/-limit/-mark/-track
\item state
\item time
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Rules (2)}
\begin{itemize}
\item Actions (final)
\begin{itemize}
\item ACCEPT
\item REJECT
\item DROP
\end{itemize}
\item Actions (continue)
\begin{itemize}
\item LOG
\item JUMP
\item GOTO
\item RETURN
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
\frametitle{Workflow}
\begin{figure}[h]
\centering
\includegraphics[scale=0.5]{images/firewall-schema.png}
\end{figure}
\end{frame}

% ----------------------------
\subsubsection{Tools}

\begin{frame}
\frametitle{Tools}
\begin{itemize}
\item Configuration
\begin{itemize}
\item iptables / ip6tables
\item iptables-persistent
\item shorewall
\item fwbuilder
\end{itemize}
\item Analysis
\begin{itemize}
\item Logfile
\item nmap
\item wireshark
\item Kali-Linux
\end{itemize}
\end{itemize}
Note: Use penetration-testing tools \emph{very} carefully!
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Show all Chains of Table \emph{filter}:}
\begin{tiny}
\begin{verbatim}
iptables -t filter -L
iptables -L             # Table filter is default
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}

\begin{beamerboxesrounded}[shadow=true]{Flush all Chains:}
\begin{tiny}
\begin{verbatim}
iptables -F
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}

\begin{beamerboxesrounded}[shadow=true]{Set default Policies:}
\begin{tiny}
\begin{verbatim}
iptables -P <CHAIN> <ACTION>
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}

\begin{beamerboxesrounded}[shadow=true]{User-defined Chains:}
\begin{tiny}
\begin{verbatim}
iptables -N <CHAIN>      # create new chain
iptables -X <CHAIN>      # delete chain (must be empty and unreferenced)
iptables -E <old> <new>  # rename chain
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Rules:}
\begin{tiny}
\begin{verbatim}
iptables -A <CHAIN> <rule-spec>            # append rule to chain
iptables -C <CHAIN> <rule-spec>            # check whether a matching rule exists in chain
iptables -D <CHAIN> <rule-spec>            # remove rule from chain
iptables -D <CHAIN> <rule-num>
iptables -I <CHAIN> <rule-num> <rule-spec> # insert rule in chain as rule-num
iptables -R <CHAIN> <rule-num> <rule-spec> # replace rule in chain
iptables -F <CHAIN>                        # flush all rules in chain
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{iptables: Commands}
\begin{beamerboxesrounded}[shadow=true]{Rule specifications:}
\begin{tiny}
\begin{verbatim}
--source <addr>/<mask>       # match source IP/IP-range
--sport <port>               # match source port
--destination <addr>/<mask>  # match destination IP/IP-range
--dport <port>               # match destination port
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}

\begin{beamerboxesrounded}[shadow=true]{Match extensions:}
\begin{tiny}
\begin{verbatim}
--modprobe=<command>             # program used to auto-load needed extension modules
-m conntrack --ctstate <state>   # extension conntrack, match connection state
-m icmp --icmp-type <type>       # extension icmp, match packet type
-m limit --limit <rate>/<ival>   # extension limit, limit to rate per interval
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Pitfalls}

\begin{frame}
\frametitle{Pitfalls}
\begin{itemize}
\item IPv4 and IPv6
\item complex or multi-port protocols (e.g.\ FTP)
\item Infrastructure Services (e.g.\ DHCP, DNS)
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Examples}

\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Preparation}
\begin{tiny}
\begin{verbatim}
# set default policy (valid policies: ACCEPT or DROP; REJECT is a target, not a policy)
# on a remote host, allow your admin session before switching to DROP (lock-out!)
iptables -P INPUT DROP   # opt: ACCEPT
iptables -P FORWARD DROP # opt: ACCEPT
iptables -P OUTPUT DROP  # opt: ACCEPT
# flush all chains of table filter (other tables need -t <table>)
iptables -F
...
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{SSH-Client}
\begin{tiny}
\begin{verbatim}
#
# Allow incoming traffic only
# on established connections
#
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED     -j ACCEPT
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Web-Server}
\begin{tiny}
\begin{verbatim}
#
# Allow outgoing traffic only
# on established connections
#
iptables -A INPUT  -i eth0 -p tcp --dport 80  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80  -m state --state ESTABLISHED     -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED     -j ACCEPT
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{FTP-Server (iptables-persistent script)}
\begin{tiny}
\begin{verbatim}
*filter
:INPUT   DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT  DROP [0:0]

# FTP Server: RELATED covers the FTP data connections only if the
# FTP conntrack helper (nf_conntrack_ftp) is loaded and active
-A INPUT  -p TCP -i eth0 --dport 21 -m state --state NEW                 -j ACCEPT
-A INPUT  -p ALL -i eth0            -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p ALL -o eth0            -m state --state ESTABLISHED,RELATED -j ACCEPT

# Important: COMMIT is always required by iptables-restore
COMMIT
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{User-defined LOGDROP chain}
\begin{tiny}
\begin{verbatim}
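# (re)create the chain: -X only succeeds on an empty, unreferenced chain,
# so flush it first (both report an error if the chain does not exist yet)
iptables -F LOGDROP
iptables -X LOGDROP
iptables -N LOGDROP
# rate-limited log entry, then drop
iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: " --log-level 7
iptables -A LOGDROP -j DROP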
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[containsverbatim]
\frametitle{Example}
\begin{beamerboxesrounded}[shadow=true]{Trace all outgoing traffic}
\begin{tiny}
\begin{verbatim}
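*filter
:INPUT   ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT  ACCEPT [0:0]

# user-defined chain, declared with policy "-": a built-in chain's policy
# must be a standard target such as ACCEPT or DROP, never a user-defined chain
:LOGACCEPT - [0:0]
-A LOGACCEPT -j LOG
-A LOGACCEPT -j ACCEPT

# send all outgoing traffic through the logging chain
-A OUTPUT -j LOGACCEPT

# Important: COMMIT is always required by iptables-restore
COMMIT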
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Related Links}

\begin{frame}
Project Homepage
\begin{itemize}
\item \url{http://www.netfilter.org/projects/iptables/}
\end{itemize}
Tools
\begin{itemize}
\item Firewall Builder \\
      \url{http://www.fwbuilder.org/}
\item Shorewall \\
      \url{http://shorewall.net/}
\item Kali-Linux \\
      \url{http://www.kali.org/}
\end{itemize}
\end{frame}

\subsection{}
\input{tailpres}