Network Security
Jupriyadi, S.Kom. M.T.
jupriyadi@teknokrat.ac.id
0856 91 16 15 14
Bandarlampung, March 2020
Chapter 6: Firewall
Goals
– Gain a better understanding of what a firewall is.
– Understand the different firewall types.
– Understand where firewalls fit.
– Implement a firewall using iptables.
What is a firewall?
A firewall is a device (or software feature) designed to control the flow of traffic into and out of a network. In general, firewalls are installed to prevent attacks.
What is an attack?
"Attack" covers many things:
1. Someone probing a network for computers.
2. Someone attempting to crash services on a computer.
3. Someone attempting to crash a computer.
4. Someone attempting to gain access to a computer to use its resources or information.
Why use a firewall?
• Protects a wide range of machines from general probes and many attacks.
• Provides some protection for machines that lack security of their own.
Firewall Types
• Host-based firewall
• Network-based firewall
• Stand-alone firewall
• Cloud firewall
How does a firewall work?
Blocks packets based on:
• Source IP address or range of addresses.
• Source port.
• Destination IP address or range of addresses.
• Destination port.
Some firewalls can also filter on higher layers of the OSI model.
Other protocols (how would you filter DECnet anyway?).
Common ports:
80 HTTP
443 HTTPS
20 & 21 FTP (didn't know 20 was for FTP, did you?)
23 Telnet
22 SSH
25 SMTP
Firewall Action
• A piece of software which looks at the header of each packet as it passes through and decides its fate:
– DROP
– ACCEPT
– Or something more complicated.
• Under Linux, packet filtering is built into the kernel.
Functions of a Firewall
• Control
– Allow only the packets you are interested in to pass through.
• Security
– Reject packets from malicious outsiders, e.g.
• Ping of death
• telnet from outside
• Watchfulness
– Log packets to/from the outside world.
Firewall under Linux
• 1st generation
– ipfw (from BSD)
• 2nd generation
– ipfwadm (Linux 2.0)
• 3rd generation
– ipchains (Linux 2.2)
• 4th generation
– iptables (Linux 2.4)
– In this lecture, we will concentrate on iptables.
Iptables
• The kernel starts with three lists of rules called (firewall) chains:
– INPUT
– OUTPUT
– FORWARD
• Each rule says "if the packet header looks like this, then here's what to do".
• If a rule doesn't match the packet, the next rule in the chain is consulted.
Firewall Chains
[Diagram: an incoming packet first reaches the routing decision. If it is addressed to this host it traverses the INPUT chain to a local process; if it is to be routed onward it traverses the FORWARD chain; packets generated by a local process traverse the OUTPUT chain.]
Operations to manage whole chains
-N Create a new chain
-X Delete an empty chain
-P Change the policy for a built-in chain
-L List the rules in a chain
-F Flush the rules out of a chain
-Z Zero the packet and byte counters on all rules in a chain
Manipulate rules inside a chain
-A Append a new rule to a chain
-I Insert a new rule at some position in a chain
-R Replace a rule at some position in a chain
-D Delete a rule at some position in a chain
-D Delete the first rule that matches in a chain
Example
– Drop all ICMP packets coming from the IP address 127.0.0.1:
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#
Filtering Specifications
Specifying source and destination IP address
– Source
• -s, --source or --src
– Destination
• -d, --destination or --dst
– An IP address can be specified in four ways:
• Full host name (e.g. www.cse.cuhk.edu.hk)
• IP address (e.g. 127.0.0.1)
• Group specification with a prefix length (e.g. 199.95.207.0/24)
• Group specification with a netmask (e.g. 199.95.207.0/255.255.255.0)
Specifying inversion
– Many flags, including '-s' and '-d', can have their argument preceded by '!' (not).
– This matches addresses NOT equal to the one given.
– E.g. '-s ! localhost' matches any packet not coming from localhost.
Filtering Specifications (cont'd)
Based on interface
– Physical device for packets to come in
• -i, --in-interface
– Physical device for packets to go out
• -o, --out-interface
– Packets traversing the INPUT chain don't have an output interface
• A rule using '-o' in this chain will never match.
– Packets traversing the OUTPUT chain don't have an input interface
• A rule using '-i' in this chain will never match.
Based on protocol
– The protocol can be specified with the '-p' flag.
– The protocol can be a number if you know the numeric IP protocol values.
– The protocol can be a name for the special cases of
• TCP
• UDP
• ICMP
– Case insensitive (e.g. tcp works as well as TCP)
– Can be prefixed by a '!', e.g. '-p ! TCP'
Based on fragments
– Sometimes a packet is too large:
• it is divided into fragments
• and sent as multiple packets.
– The protocol header is carried in the first fragment only.
– It is impossible to look inside later fragments for protocol headers such as TCP, UDP or ICMP.
– This means that the first fragment is treated like any other packet. Second and further fragments won't be.
– E.g. '-p TCP --sport www' (specifying a source port of 'www') will never match a fragment other than the first fragment.
– You can specify a rule specifically for second and further fragments, using the '-f' (or --fragment) flag.
– E.g. the following rule will drop any fragments going to 192.168.1.1:
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
TCP extensions
– Automatically loaded if '--protocol tcp' is specified.
– --tcp-flags
• Allows you to filter on specific TCP flags.
• The first string of flags is the mask: the flags to examine.
• The second string of flags tells which one(s) of those should be set.
• E.g.
# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
• ALL indicates that all flags should be examined.
• ALL is synonymous with 'SYN,ACK,FIN,RST,URG,PSH'.
• But only SYN and ACK should be set.
• There is also an argument 'NONE' meaning no flags.
– --syn
• Optionally preceded by a '!'.
• Shorthand for '--tcp-flags SYN,RST,ACK SYN'.
– --source-port
• Single port or range of ports.
• Can be specified by names listed in /etc/services.
– --sport
• Synonymous with '--source-port'.
– --destination-port or --dport
• Specify the destination port.
– --tcp-option
• Followed by an optional '!' and a number.
• Matches a packet with a TCP option equaling that number.
– E.g. to match TCP connection attempts from 192.168.1.1:
-p TCP -s 192.168.1.1 --syn
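The mask/comp logic of '--tcp-flags' and the '--syn' shorthand, modelled in Python as an added example. This is illustration code written for this page, not part of the slides or of iptables itself; the flag bit values are those of the TCP header, and the sample packets are constructed.

```python
# Added example (not from the slides): a model of how iptables evaluates
# '--tcp-flags MASK COMP' and the '--syn' shorthand on a packet's flag bits.
# Flag bit values follow the TCP header; the matching logic is the one the
# slides describe: examine only the flags in MASK, and of those exactly the
# flags in COMP must be set.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # SYN,ACK,FIN,RST,URG,PSH, what iptables calls ALL


def parse_flag_list(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask (case-insensitive)."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag: " + name)
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(packet_flags, mask, comp):
    """Model of '--tcp-flags mask comp': flags outside mask are ignored,
    flags in mask must equal comp (set if in comp, clear otherwise)."""
    m = parse_flag_list(mask)
    c = parse_flag_list(comp)
    if c & ~m:
        raise ValueError("flags in comp must also appear in mask")
    return (packet_flags & m) == c


def syn_match(packet_flags):
    """Model of '--syn': shorthand for '--tcp-flags SYN,RST,ACK SYN'."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN")


def flags_to_str(packet_flags):
    """Readable listing of set flags, for the demo table below."""
    names = [n for n, b in TCP_FLAGS.items() if packet_flags & b]
    return ",".join(names) if names else "NONE"


# Constructed sample packets: flag combinations a handshake and a few
# malformed probes would carry.
SAMPLE_PACKETS = {
    "SYN (connection attempt)": TCP_FLAGS["SYN"],
    "SYN,ACK (handshake reply)": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "ACK,PSH (data segment)": TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"],
    "no flags (null probe)": 0,
    "all flags set": ALL_FLAGS,
}


def evaluate_slide_rule(packet_flags):
    """The slide's rule '--tcp-flags ALL SYN,ACK -j DROP': returns the verdict
    the rule alone would give, or None when the rule does not match."""
    return "DROP" if tcp_flags_match(packet_flags, "ALL", "SYN,ACK") else None


if __name__ == "__main__":
    for label, flags in SAMPLE_PACKETS.items():
        print("%-28s flags=%-12s slide rule: %-5s --syn: %s" % (
            label, flags_to_str(flags),
            evaluate_slide_rule(flags) or "pass", syn_match(flags)))
```

Note the difference between the two matches on a packet carrying SYN and PSH: the slide's rule uses mask ALL, so the stray PSH makes it fail, while '--syn' only examines SYN, RST and ACK and ignores PSH entirely.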
UDP extensions
– Loaded if '--protocol udp' is specified.
– Provides the following options:
• --source-port
• --sport
• --destination-port
• --dport
ICMP extensions
– Loaded if '--protocol icmp' is specified.
– --icmp-type
• Specify the ICMP type (numeric type or name).
Other match extensions
– Invoked with the '-m' option.
– mac
• Specified with '-m mac' or '--match mac'.
• Used for matching an incoming packet's source Ethernet (MAC) address.
• Only one option, '--mac-source'.
• E.g. --mac-source 00:60:08:91:CC:B7
– limit
• Specified with '-m limit' or '--match limit'.
• Restricts the rate of matches, such as for suppressing log messages.
– Two options:
• --limit
– Followed by a number.
– Specifies the maximum average number of matches to allow per second.
– Can specify another unit such as '/second', '/minute', '/hour' or '/day'.
– E.g. --limit 5/second or --limit 5/s
• --limit-burst
– Followed by a number.
– The maximum initial number of packets to match.
– This number gets recharged by one every time the limit specified above is not reached.
– Often used with the LOG target.
• Defaults: 3 matches per hour, with a burst of 5.
• E.g. iptables -A FORWARD -m limit -j LOG
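The '--limit' and '--limit-burst' behaviour described above, modelled as a token bucket in Python. This is an added illustration written for this page, not the slides' code and not the netfilter implementation; the arrival timestamps in the demo are constructed.

```python
# Added example (not from the slides): a token-bucket model of the iptables
# 'limit' match. The bucket starts full with --limit-burst tokens, each match
# spends one, and tokens refill at the --limit rate; a packet matches only
# while a token is available. This models the behaviour the slides describe,
# not the netfilter implementation.

UNIT_SECONDS = {"second": 1.0, "sec": 1.0, "s": 1.0,
                "minute": 60.0, "min": 60.0, "m": 60.0,
                "hour": 3600.0, "h": 3600.0,
                "day": 86400.0, "d": 86400.0}


def parse_rate(spec):
    """'5/second', '5/s', '3/hour' -> matches per second; bare '5' means per second."""
    if "/" in spec:
        number, unit = spec.split("/", 1)
        seconds = UNIT_SECONDS[unit.strip().lower()]
    else:
        number, seconds = spec, 1.0
    return float(number) / seconds


class LimitMatch:
    """State kept per '-m limit' rule (iptables defaults: 3/hour, burst 5)."""

    def __init__(self, limit="3/hour", limit_burst=5):
        self.rate = parse_rate(limit)        # tokens added per second
        self.burst = float(limit_burst)      # bucket capacity
        self.tokens = self.burst             # bucket starts full
        self.last_seen = None                # timestamp of previous packet

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        if self.last_seen is not None:
            refill = (now - self.last_seen) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limit, limit_burst, timestamps):
    """Run one limit rule over packet arrival times; returns per-packet match results."""
    rule = LimitMatch(limit, limit_burst)
    return [rule.matches(t) for t in timestamps]


def count_logged(limit, limit_burst, timestamps):
    """How many packets a '-m limit ... -j LOG' rule would actually log."""
    return sum(simulate(limit, limit_burst, timestamps))


if __name__ == "__main__":
    # Constructed burst: 10 packets at once, then 6 more one second later.
    arrivals = [0.0] * 10 + [1.0] * 6
    verdicts = simulate("5/second", 5, arrivals)
    for t, v in zip(arrivals, verdicts):
        print("t=%.1fs  %s" % (t, "LOG" if v else "skipped (rate-limited)"))
    print("logged %d of %d" % (sum(verdicts), len(arrivals)))
```

The demo shows why the limit match protects the log: of ten packets arriving at once, only the burst of five is logged, and after one second at 5/second the bucket has refilled so five of the next six are logged again. A flood therefore costs at most the burst plus the steady rate in log lines.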
– Specifying '-m state' allows an additional '--state' option with these values:
– NEW
• A packet which creates a new connection.
– ESTABLISHED
• A packet which belongs to an existing connection.
– RELATED
• A packet which is related to, but not part of, an existing connection, such as an ICMP error.
– INVALID
• A packet which could not be identified for some reason.
Targets
– Two built-in targets:
• DROP
• ACCEPT
– Extensions:
• LOG
– --log-level
» Specify the log level, 0 to 7.
– --log-prefix
» Followed by a string of up to 14 characters.
» Sent at the start of the log entry.
• REJECT
– DROP + send an ICMP port unreachable error message.
User-defined chains
Users can create new chains.
– By convention, user-defined chains are lower-case.
– When a packet matches a rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain.
– If that chain doesn't decide the fate of the packet, then once traversal of that chain has finished, traversal resumes at the next rule of the current chain.
User-defined chains (cont'd)
Example: the INPUT chain jumps to a user-defined chain called test.
INPUT chain:
Rule1: -p ICMP -j DROP
Rule2: -p TCP -j test
Rule3: -p UDP -j DROP
test chain:
Rule1: -s 192.168.1.1
Rule2: -d 192.168.1.1
User-defined chains can jump to other user-defined chains.
Your packets will be dropped if they are found to be in a loop.
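A small Python model of the chain traversal described in the Iptables section and in the user-defined chains example above: rules are consulted in order, the first matching rule with a target decides the packet, a jump into a user-defined chain resumes at the calling chain's next rule when that chain does not decide, and the built-in chain's policy applies otherwise. This is an added illustration written for this page, not the slides' code and not netfilter; matching is limited to -p, -s and -d, the policy defaults to ACCEPT, and the sample packets are constructed.

```python
# Added example (not from the slides): a small model of iptables chain
# traversal, built from the rules in the text. Rules are checked in order and
# the first matching rule with a target decides the packet; a target naming a
# user-defined chain jumps there, and when that chain ends without a decision
# traversal resumes at the next rule of the calling chain. The built-in chain's
# policy applies when no rule decides. Match fields are limited to -p, -s, -d.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    proto: Optional[str] = None    # -p (case-insensitive, as in iptables)
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    target: Optional[str] = None   # -j; None = a match only counts the packet
    packets: int = 0               # the counter 'iptables -L -v' would show

    def matches(self, pkt):
        return ((self.proto is None or self.proto.upper() == pkt.proto.upper())
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst))


class Firewall:
    BUILTIN = ("INPUT", "OUTPUT", "FORWARD")

    def __init__(self):
        self.chains = {name: [] for name in self.BUILTIN}
        self.policy = {name: "ACCEPT" for name in self.BUILTIN}

    def new_chain(self, name):                    # iptables -N
        if name in self.chains:
            raise ValueError("chain exists: " + name)
        self.chains[name] = []

    def set_policy(self, chain, verdict):         # iptables -P
        if chain not in self.BUILTIN:
            raise ValueError("policies apply to built-in chains only")
        self.policy[chain] = verdict

    def append(self, chain, rule):                # iptables -A
        if rule.target not in (None, "ACCEPT", "DROP") and rule.target not in self.chains:
            raise ValueError("no such target chain: " + str(rule.target))
        self.chains[chain].append(rule)

    def _traverse(self, chain, pkt, stack):
        if chain in stack:
            return "DROP"          # loop between user chains: the packet is dropped
        stack = stack + [chain]
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target is None:
                continue           # counting rule: no decision, keep going
            verdict = self._traverse(rule.target, pkt, stack)
            if verdict is not None:
                return verdict     # the user chain decided
            # otherwise resume with the next rule of this chain
        return None

    def verdict(self, chain, pkt):
        """Fate of `pkt` entering a built-in chain: a rule's verdict or the policy."""
        decided = self._traverse(chain, pkt, [])
        return decided if decided is not None else self.policy[chain]


def slide_ruleset():
    """The INPUT/test example from the slides."""
    fw = Firewall()
    fw.new_chain("test")
    fw.append("INPUT", Rule(proto="ICMP", target="DROP"))
    fw.append("INPUT", Rule(proto="TCP", target="test"))
    fw.append("INPUT", Rule(proto="UDP", target="DROP"))
    fw.append("test", Rule(src="192.168.1.1"))   # counting rules, no -j
    fw.append("test", Rule(dst="192.168.1.1"))
    return fw


def run_and_count(pkt):
    """Verdict for one packet through the slide ruleset, plus the INPUT and test counters."""
    fw = slide_ruleset()
    v = fw.verdict("INPUT", pkt)
    return v, [r.packets for r in fw.chains["INPUT"]], [r.packets for r in fw.chains["test"]]


def looping_ruleset():
    """Two user chains that jump to each other, reached from INPUT."""
    fw = Firewall()
    fw.new_chain("a")
    fw.new_chain("b")
    fw.append("a", Rule(target="b"))
    fw.append("b", Rule(target="a"))
    fw.append("INPUT", Rule(target="a"))
    return fw


if __name__ == "__main__":
    for pkt in (Packet("TCP", "192.168.1.1", "10.0.0.5"),   # constructed samples
                Packet("ICMP", "10.0.0.9", "10.0.0.5"),
                Packet("UDP", "10.0.0.9", "10.0.0.5")):
        print(pkt, "->", run_and_count(pkt))
```

Tracing the TCP packet from 192.168.1.1 shows the point of the slide: INPUT Rule2 jumps to test, test Rule1 matches but only counts, test Rule2 does not match, so traversal returns to INPUT Rule3, which does not match either, and the INPUT policy decides. The counters show exactly which rules the packet touched, which is what you read from 'iptables -L -v' when debugging a ruleset.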
What's Next?