
CS 498 Lecture 11 Netfilter

Jennifer Hou Department of Computer Science University of Illinois at Urbana-Champaign


Reading:
1. Oskar Andreasson, Iptables Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/
2. Linux Netfilter Hacking HOWTO

Outline
- Functionality
- Architecture
- Introduction to the iptables command
- A real-life example

Netfilter Architecture
The Hooks
  - A kernel module can register with netfilter to see packets at various points in the stack
  - Five hooks defined in IPv4:
    - PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING
  - Each hook can inspect/alter packets and return NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT or NF_STOLEN

Netfilter Hooks

PRE_ROUTING
  - Incoming packets pass this hook in ip_rcv() before routing
LOCAL_IN
  - All incoming packets addressed to the local host pass this hook in ip_local_deliver()
FORWARD
  - All incoming packets not addressed to the local host pass this hook in ip_forward()
LOCAL_OUT
  - All outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt()
POST_ROUTING
  - All outgoing packets (forwarded or locally created) will pass this hook in ip_finish_output()
Internet Protocol Implementation in Linux

[Figure: block diagram of the Linux IPv4 path (ip_input.c, ip_forward.c, ip_output.c, dev.c) with the five hooks marked. Receive path: net_rx_action -> ip_rcv -> IP_PRE_ROUTING -> ip_rcv_finish -> routing decision (Forwarding Information Base, ip_route_input) -> either ip_local_deliver -> IP_LOCAL_INPUT -> higher layers, or ip_forward -> IP_FORWARD -> ip_forward_finish (multicast via ip_mr_input). Transmit path: ip_queue_xmit -> IP_LOCAL_OUTPUT -> ip_queue_xmit2 -> ip_output -> ip_fragment / ip_finish_output -> IP_POST_ROUTING -> ip_finish_output2 -> ARP (neigh_resolve_output) -> dev_queue_xmit.]

Netfilter Hooks (cont.)

[Figure: packet flow through the five hooks. Arriving packets pass PRE_ROUTING, then the routing decision sends them to LOCAL_IN (local delivery) or to FORWARD; locally generated packets pass LOCAL_OUT; both forwarded and locally generated packets leave through POST_ROUTING.]

Netfilter Functionality
- IP packet filter
- Stateful firewalling
- NAT
- Packet mangling

Basic functionality - IP Packet Filter

IP Filter
  - Used to filter packets
  - The command to enter a rule is called iptables
  - The framework inside the kernel is called netfilter
  - Full matching on IP, TCP, UDP and ICMP packet headers

IP Filter rules
  - Insertion point
  - Match
  - Target

IP Packet Filter Example

    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.2 ms
    # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    #

Basic functionality - Stateful Firewalling

- Full state matching
  - TCP, UDP, ICMP
- Uses a generic connection tracking module, conntrack

Conntrack manages individual connections and serves to allocate incoming, outgoing and forwarded IP packets to existing connections. A new connection entry is generated as soon as the connection-tracking module registers a connection-establishment packet.

This enables the NAT implementation to figure out exactly whether an incoming packet needs a free IP address and port number, or whether one of the addresses and port numbers previously assigned can be used.

Basic functionality - Stateful Firewalling

- Certain protocols are "complex" and require extra modules called "conntrack helpers"
- One example is FTP.
  - The client initially establishes a control connection to TCP port 21 at the server, and transmits FTP commands and replies.
  - As soon as a file has to be transmitted, the FTP server opens an additional data connection in the reverse direction (from TCP port 20 on the server to a dynamically selected client port, which the client sends to the server).

Basic functionality - Stateful Firewalling (cont.)

Userland states
- NEW
  - All new connections
  - Includes non-SYN TCP packets
- ESTABLISHED
  - All connections that have seen traffic in both directions
- RELATED
  - All connections/packets related to other connections
  - Examples: ICMP errors, FTP-Data, DCC
- INVALID
  - Certain invalid packets depending on states
  - E.g. FIN/ACK when no FIN was sent

    # iptables -A FORWARD -i ppp0 -m state ! --state NEW -j DROP

Basic functionality - NAT

NAT - Network Address Translation
  - The science of switching Source or Destination Addresses

Two types of NAT in Linux 2.4
  - Netfilter NAT
  - Fast NAT

Usages
  - Making a LAN look as if it came from a single source (the firewall)
  - Creating separate servers with a single IP

Netfilter NAT
  - DNAT - Destination Network Address Translation
  - SNAT - Source Network Address Translation
  - Requires connection tracking to keep states and expectations

NAT Example

SNAT
    ## Change source addresses to 1.2.3.4.
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
    ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
    ## Change source addresses to 1.2.3.4, ports 1-1023
    # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

DNAT
    ## Change destination addresses to 5.6.7.8
    # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
    ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
    # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
    ## Change destination addresses of web traffic to 5.6.7.8, port 8080.
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:8080
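The earlier stateful-firewalling slides say that conntrack is what lets the NAT code decide whether an incoming packet "needs a free IP address and port number" or can reuse an assignment; the first SNAT rule above (source rewritten to 1.2.3.4) is the case to work through. The following Python model is an added example, not the lecture's or netfilter's code: it keeps the two conntrack directions (original and reply) for a box that masquerades a LAN behind 1.2.3.4, and shows port allocation when two LAN clients collide and the un-NAT of replies. The LAN range 192.168.1.0/24, the client hosts, their ports and the server 203.0.113.5 are constructed for the example.

```python
"""Toy model of SNAT driven by connection tracking.

Added example for this lecture; it is not netfilter's code.  The public address
1.2.3.4 is the one from the lecture's SNAT example; the LAN range, LAN hosts,
ports and the remote server used below are constructed.
"""
import ipaddress


class SnatBox:
    """Rewrites LAN sources to one public address, as
    'iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4' does,
    and keeps the conntrack state that makes the reverse mapping possible."""

    def __init__(self, public_ip, lan, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        self.spare_ports = iter(range(first_port, last_port + 1))
        # conntrack, original direction: (proto, src, sport, dst, dport) -> public port
        self.original = {}
        # conntrack, reply direction: (proto, server, server port, public port) -> (client, client port)
        self.reply = {}

    def outbound(self, proto, src, sport, dst, dport):
        """POSTROUTING for a packet leaving towards the Internet.
        Returns the 5-tuple as it appears on the wire after SNAT."""
        if ipaddress.ip_address(src) not in self.lan:
            return (proto, src, sport, dst, dport)  # not LAN traffic: left alone
        key = (proto, src, sport, dst, dport)
        if key not in self.original:
            # NEW connection: keep the client's port if the reply tuple is still
            # unique, otherwise take the next free port so replies can be told apart
            public_port = sport
            while (proto, dst, dport, public_port) in self.reply:
                public_port = next(self.spare_ports)
            self.original[key] = public_port
            self.reply[(proto, dst, dport, public_port)] = (src, sport)
        # Later packets of the same connection reuse the stored mapping
        return (proto, self.public_ip, self.original[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """PREROUTING for a packet arriving from the Internet.  A reply to a
        tracked connection is un-NATed back to the LAN client; a packet with no
        conntrack entry returns None (nothing we sent asked for it)."""
        if dst != self.public_ip:
            return None
        entry = self.reply.get((proto, src, sport, dport))
        if entry is None:
            return None
        client, client_port = entry
        return (proto, src, sport, client, client_port)


def demo():
    """Two LAN hosts that happen to pick the same source port towards the same server."""
    box = SnatBox("1.2.3.4", "192.168.1.0/24")
    a = box.outbound("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    b = box.outbound("tcp", "192.168.1.11", 40000, "203.0.113.5", 80)
    reply_to_b = box.inbound("tcp", "203.0.113.5", 80, "1.2.3.4", b[2])
    stray = box.inbound("tcp", "203.0.113.5", 80, "1.2.3.4", 5555)
    return a, b, reply_to_b, stray


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second client keeps its own port 40000 on the LAN side but gets 1024 on the public side, because the reply tuple (tcp, 203.0.113.5, 80, 40000) is already owned by the first client; that is the "free port number" decision the slide attributes to conntrack. A packet from the server to a public port with no entry yields nothing to translate, which is why unsolicited inbound traffic never reaches a LAN host through SNAT alone.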

Basic functionality - Packet Mangling

- Mangling packets going through the firewall
- Gives you a multitude of possibilities. Example usages:
  - Strip all IP options
  - Change TOS values
  - Change TTL values
  - Strip ECN values
  - Clamp MSS to PMTU
  - Mark packets within kernel
  - Mark connections within kernel

What We Use It For

Currently there are three tables: filter, nat, mangle.

filter table used by packet filtering system
  - hooks in at LOCAL_IN (INPUT), FORWARD, LOCAL_OUT (OUTPUT)
  - iptable_filter hooks in at those points and passes all packets to the table
  - default table operated on by iptables program

The Hooks of filter

[Figure: the filter table's INPUT, FORWARD and OUTPUT chains drawn at the LOCAL_IN, FORWARD and LOCAL_OUT hooks.]

The nat Table

nat table used to control nat
  - hooks in at LOCAL_OUT (OUTPUT), PREROUTING, POSTROUTING
  - iptable_nat hooks in and passes packets whose connections have not seen the NAT table to the table

The Hooks of nat

[Figure: the nat table's chains drawn at the PREROUTING, LOCAL_OUT and POSTROUTING hooks.]

The mangle Table

mangle table used for special effects
  - hooks in at LOCAL_OUT (OUTPUT), PREROUTING
  - iptable_mangle hooks in and passes all packets to the table

Basic iptables syntax

    iptables [table] [command] [options] <matches> <target>

- Commands:
  - append, insert, replace, delete, list, policy, etc.
- Options:
  - verbose, line numbers, exact, etc.
- Matches:
  - dport, dst, sport, src, states, TCP options, owner, etc.
- Targets:
  - ACCEPT, DROP, REJECT, SNAT, DNAT, TOS, LOG, etc.

Iptables syntax - A few matches

Protocol
  -p, --protocol [!] [protocol]
  - tcp, udp, icmp or all
  - Numeric value
  - /etc/protocols

Destination IP & Port
  -d, --destination [!] address[/mask]
  - Destination address
  - Resolvable (/etc/resolv.conf)
  --dport, --destination-port [!] port[:port]
  - Destination port
  - Numeric or resolvable (/etc/services)
  - Port range

Iptables syntax - A few matches (cont.)

Source IP & Port
  -s, --source [!] address[/mask]
  - Source address
  - Resolvable (/etc/resolv.conf)
  --sport, --source-port [!] port[:port]
  - Source port
  - Numeric or resolvable (/etc/services)
  - Port range

Iptables syntax - A few matches (cont.)

Incoming and Outgoing interface
  -i, --in-interface [!] interface
  -o, --out-interface [!] interface

Iptables syntax - Some targets

ACCEPT
  - Accepts the packet
  - Ends further processing of the specific chain
  - Ends processing of all previous chains
  - Except other main chains and tables

DROP
  - Drops the packet
  - No reply
  - Ends all further processing

Iptables syntax - Some targets (cont.)

REJECT
  - Drops packet
  - Returns a reply
    - User specified reply
    - Calculated reply
    - TCP-RST or ICMP errors
  - Ends all further processing

RETURN
  - Returns from a chain to the calling chain

Example

INPUT
  Rule1: -p ICMP -j DROP
  Rule2: -p TCP -j test
  Rule3: -p UDP -j DROP

test
  Rule1: -s 192.168.1.1
  Rule2: -d 192.168.1.1

What happens to a TCP packet with the source address 192.168.1.1 and the destination address 1.2.3.4?

Iptables syntax - ... and a few simple rules

    iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p tcp --dport 80:1024 -j DROP
    iptables -A FORWARD -p tcp --dport 22:113 -j DROP
    iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
    iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
    iptables -A OUTPUT -p tcp -o lo -j ACCEPT
    iptables -P OUTPUT DROP

Iptables syntax

Listing the rules
  - -L, --list [chain]
-F, --flush [chain]
  - Flushes (erases) all rules in a chain
  - Or a table
-N, --new chain
  - Creates a user-specified chain
  - There must be no target with that name previously
-X, --delete-chain [chain]
  - Deletes a user-created chain
  - No rules may reference the chain
  - Can delete all user-created chains in a table

Iptables syntax - Creating & Deleting user-created chains

Creating...
    iptables -t filter -N badtcppackets

and Deleting a chain
    iptables -t filter -X badtcppackets

and Deleting all user-created chains
    iptables -t filter -X

A simple example ruleset - The Goals

The firewall
  - Will act as its own firewall
  - Incoming:
    - ICMP Echo request & reply
    - Identd requests
    - HTTP requests
  - Outgoing:
    - Everything generated by the host
    - Except "nonet" group

And a LAN
  - From Internet to LAN
    - Related traffic
    - Established traffic
  - From LAN to Internet
    - Everything

A simple example ruleset - The technical details

Firewall
  - LAN on eth0
  - LAN IP 192.168.1.1
  - Internet on eth1
  - Internet IP 10.0.0.1/32

LAN
  - IP range 192.168.1.0/24

A simple example ruleset - The POSTROUTING chain

- We need SNAT to let our LAN out on the Internet. Without this, the Internet doesn't know where to route the packets.

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 10.0.0.1

  (The slide wrote this rule with "-i eth0"; iptables does not allow an incoming-interface match in POSTROUTING, so the LAN is selected by its source range instead.)

A simple example ruleset - The INPUT chain

- Need to allow all incoming traffic specified in goals
- Need to allow return traffic for everything we send
- Default to DROP

    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

A simple example ruleset - The OUTPUT chain

- Accept everything except the nonet group to leave

    iptables -A OUTPUT -m owner --gid-owner nonet -j DROP

A simple example ruleset - The FORWARD chain

- Everything from LAN to Internet
- ICMP replies, related and established traffic from Internet to LAN

    iptables -P FORWARD DROP
    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
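Two slides in this deck are really questions about chain traversal: the "Example" quiz (a TCP packet from 192.168.1.1 walking INPUT and the user chain test, whose rules carry no target) and this FORWARD chain, where the policy DROP and the state match decide what the Internet may send into the LAN. The Python model below is an added example, not the lecture's or netfilter's code. It parses the short option forms used on these slides and reproduces the kernel's traversal rules: first terminating target wins, a rule without -j only counts, a user chain that ends or RETURNs without a verdict gives control back to the caller, and a built-in chain that ends without a verdict applies its policy. For the quiz it assumes INPUT's policy is the default ACCEPT, since the slide does not set one; the Internet host 203.0.113.5 and the LAN host 192.168.1.10 are constructed.

```python
"""Toy model of iptables chain traversal (added example for this lecture; not
netfilter's code).  Parses a subset of the command syntax and walks the chains
as the kernel does: first matching terminating target wins, a user chain that
ends or RETURNs without a verdict hands back to its caller, and a built-in chain
that ends without one applies its policy (ACCEPT unless set)."""
import ipaddress
import shlex

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def packet(proto, src, dst, in_if="", out_if="", dport=0, icmp_type=-1, state="NEW"):
    """A packet as the matches see it; 'state' is what '-m state' would report."""
    return locals()

class Ruleset:
    def __init__(self, *lines):
        self.chains = {c: [] for c in BUILTIN}
        self.policies = {c: "ACCEPT" for c in BUILTIN}
        for line in lines:
            self.load(line)

    def load(self, line):
        """Parse one iptables command line (filter table, short option names only)."""
        argv = shlex.split(line)
        argv = argv[1:] if argv[0] == "iptables" else argv
        if argv[0] == "-P":
            self.policies[argv[1]] = argv[2]
        elif argv[0] == "-N":
            self.chains[argv[1]] = []
        elif argv[0] == "-A":
            chain, matches, target, i = argv[1], {}, None, 2
            while i < len(argv):
                negate = argv[i] == "!"          # "! --state NEW" style negation
                if negate:
                    i += 1
                opt, val = argv[i], argv[i + 1]
                if opt == "-j":
                    target = val
                elif opt != "-m":                # "-m state" only loads the extension
                    matches[opt] = (negate, val)
                i += 2
            self.chains[chain].append((matches, target))

MATCHERS = {  # option -> does the packet satisfy the (un-negated) match?
    "-p": lambda p, v: v.lower() in ("all", p["proto"]),
    "-s": lambda p, v: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "-d": lambda p, v: ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(v, strict=False),
    "-i": lambda p, v: p["in_if"] == v,
    "-o": lambda p, v: p["out_if"] == v,
    "--dport": lambda p, v: int(v.partition(":")[0]) <= p["dport"] <= int(v.partition(":")[2] or v),
    "--icmp-type": lambda p, v: p["icmp_type"] == int(v),
    "--state": lambda p, v: p["state"] in v.split(","),
}

def rule_matches(matches, pkt):
    """Every match on the rule must agree (after negation) for the rule to fire."""
    for opt, (negate, val) in matches.items():
        if MATCHERS[opt](pkt, val) == negate:    # plain match missed, or negated match hit
            return False
    return True

def walk(rs, chain, pkt, trace):
    """Terminal verdict from this chain, or None if it ran out without one."""
    for idx, (matches, target) in enumerate(rs.chains[chain], 1):
        if not rule_matches(matches, pkt):
            continue
        trace.append(f"{chain}:{idx}")
        if target is None:                       # no -j: the rule only counts, keep going
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(rs, target, pkt, trace)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None                                  # fell off the end of the chain

def decide(rs, chain, pkt):
    """Verdict for a packet entering a built-in chain, plus the rules it matched."""
    trace = []
    return (walk(rs, chain, pkt, trace) or rs.policies[chain]), trace

# The lecture's quiz: INPUT jumps TCP into a user chain whose rules carry no target
QUIZ = Ruleset("iptables -N test",
               "iptables -A INPUT -p icmp -j DROP",
               "iptables -A INPUT -p tcp -j test",
               "iptables -A INPUT -p udp -j DROP",
               "iptables -A test -s 192.168.1.1",
               "iptables -A test -d 192.168.1.1")

# The lecture's FORWARD chain (LAN on eth0, Internet on eth1)
FORWARD = Ruleset("iptables -P FORWARD DROP",
                  "iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT",
                  "iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT")

if __name__ == "__main__":
    print(decide(QUIZ, "INPUT", packet("tcp", "192.168.1.1", "1.2.3.4")))
```

For the quiz packet the trace is INPUT:2 then test:1: rule 2 of INPUT jumps to test, rule 1 of test matches the source but has no target so it only counts, rule 2 of test does not match the destination, the user chain ends and control returns to INPUT, rule 3 is UDP-only, and the packet falls through to INPUT's policy. In the FORWARD ruleset a NEW connection arriving on eth1 matches nothing and is dropped by the policy, while a packet conntrack reports as ESTABLISHED is accepted by rule 2, which is exactly the asymmetry the goals slide asked for.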

