Вы находитесь на странице: 1из 11

Firewall

definition and usage in the context of ebtables,


arptables, iptables and xtables-addons

author: Przemysław Piotrowski


Table of Contents
INTRODUCTION:....................................................................................................................................2
HISTORY:..................................................................................................................................................2
First generation of firewall:........................................................................................................................3
Second generation of firewall:...................................................................................................................3
Third generation of firewall:......................................................................................................................3
FIREWALL - CONCEPTS:.......................................................................................................................3
1. Filtering..................................................................................................................................................3
So how does packet filtering work?...........................................................................................................4
2. Header modification...............................................................................................................................4
IP Masquerading........................................................................................................................................4
3. Payload modification.............................................................................................................................4
OSI MODEL:.............................................................................................................................................5
EBTABLES:...............................................................................................................................................5
Rules & chains & tables:............................................................................................................................5
Targets:.......................................................................................................................................................6
Bridge:........................................................................................................................................................6
Example:....................................................................................................................................................7
ARPTABLES.............................................................................................................................................8
Tables:........................................................................................................................................................8
Example:....................................................................................................................................................8
IPTABLES:................................................................................................................................................9
Features:.....................................................................................................................................................9
Tables:........................................................................................................................................................9
Connection state:........................................................................................................................................9
NAT:...........................................................................................................................................................9
NAPT:......................................................................................................................................................10
Masquerading example:...........................................................................................................................10
Limit:........................................................................................................................................................10
Syn-flood protection example:.................................................................................................................11
XTABLES-ADDONS:.............................................................................................................................11

INTRODUCTION:

The topic of this paper is firewall. To fully understand this subject first we have to answer a
question - what is firewall? A person might say that firewall is a hardware or software that prevents
unauthorized access to or from a network, but this definition is vague and unclear. Firewall provides a
whole variety of tools necessary for safe and successful exchange of information between hosts in
networks.

HISTORY:

Before we go into detail, let's talk a little about history of firewall. The need for firewall
emerged in the late 1980s, when internet was still new technology in terms of its global use. In 1988
one of the first internet viruses called Morris Worm got widespread media attention due to the damage
it caused, bringing attention to the need of improving security in the Internet.

First generation of firewall:

First firewall was developed in 1988 in the form of packet filter. This form of firewall filters
packets based on the contents of packet headers, that is based on IP addresses, MAC addresses,
protocols used (TCP, UDP, ICMP etc.) and TCP/UDP ports. Packet filters can work on layers 2 (Data
link), 3 (Network) and 4 (Transport) of OSI model.

Examples of this type of firewall are: ebtables and arptables.

Second generation of firewall:

The difference to the first generation is that the second generation allows to make Stateful packet
filtering, which means that packets can be filtered based on their connection state. I will speak about it
later in detail. An example of this type of firewall is: iptables.

Third generation of firewall:

Third generation is application layer firewall. Previous generations were working on the first 3 layers
of the OSI model, where this one works also on the latter 3, up to application layer. This allows to
control network traffic regarding a specific application or sevice. I will not talk about this type of
firewall in detail, in this presentation I will focus on the first 2 generations of firewall.

FIREWALL - CONCEPTS:

Firewall works based on 3 concepts:


1. Filtering of frames and ARP messages (in OSI layer 2) and packets (in OSI layer 3)
2. Modification of headers (IP addresses, MAC addresses, ports)
3.

Modification of payload

1. Filtering
Filtering is the most common use of firewall. As an example we can provide this situation: we
want to filter packets based on their destination port. In the provided picture firewall is set up in such a
way, that it blocks every incoming packet or frame, with the exception of the ones using port 80. This
allows the web server to successfully receive and send HTTP requests and responses.

Filtering can be done based on: MAC addresses in OSI layer 2, IP addresses in OSI layer 3,
ports in OSI layer 4, the protocol that is being used, like UDP, ICMP etc. This is in OSI layers 2 to 4.
Also it can be based on the interface on which the packet or frame is received, the presence of
fragmentation, and finally based on the content of a message.

So how does packet filtering work?


Packet filter can do 3 things with an incoming packet. It can accept it, which means to let it
through to it's destination. It can reject it and notify the sender about rejection and it can reject it
without any notification. Packet filter contains a table with specified set of rules which are used to
determine whether a packet should be accepted or rejected. If incoming packet or frame matches the
first rule then the action specified in this rule is performed. If it doesn't match, then the next rule is
checked if it exists. If packet or frame doesn't match any of the rules, then it is rejected without any
notification.

2. Header modification
Firewall can modify information located in headers of packets and frames. One usage example
is IP masquerading.

IP Masquerading
It is a process of modifying packet's source IP address. Is is used in private networks, where IP
Masquerading allows hosts from inside the network that don't have a public IP address to send and
receive packets from the Internet.

On this picture there are 3 enitites. Host 1 is connected to router and it is connected to the
internet. Host 1 wants to send a message to the internet, but it doesn't have a public IP address. So when
host 1 sends a packet to the router, the router changes it's source IP address to router's IP address. That
way, the router will receive the response from the internet and it will forward the response to Host 1.

IP Masquerading was performed inside 'Router', where source IP address of a packet sent from Host 1
was changed.

3. Payload modification
Payload modification takes place mostly in the top layer of OSI model, so I will not talk about it
in detail. NFQUEUE is an example of software enabling payload modification.
OSI MODEL:

In this paper I will focus on firewall in layers 2, 3 and 4. I will write in detail about ebtables and
arptables, which operate on OSI layer 2, iptables which operates on OSI layer 3 and 4 and xtables-
addons, which provides extentions to iptables.

EBTABLES:

The ebtables utility enables basic Ethernet frame filtering on a Linux bridge. It also enables
logging, MAC NAT and brouting. We already know what filtering is. MAC NAT is the ability to
change the MAC Ethernet source and destination address. Brouting means that a bridge can act as a
bridge and router. It means that using firewall rules we can decide if frame should be routed to higher
OSI layers or should it be bridged (OSI layer 3). For example we can specify that frames received on
interface eth0 should be brouted - they will be firewalled in higher OSI layers, for example by iptables.

Rules & chains & tables:


Ebtables uses rules to decide what action to perform with frames. These rules are grouped into
chains, and these are grouped into tables.

First lets look at the biggest groups - tables. In ebtables we have 3 tables:

1. filter - in this table we place rules which filter frames


2. nat - In this table we place rules which should modify frame headers
3. broute - In this table we place rules which should route frames

Now these tables are seperated into chains:


1. Filter
- INPUT chain - frames are filtered by rules in this chain if the destination MAC address of the
frame is on the bridge itself
- FORWARD - frames are filtered by rules in this chain if they are being forwared by the bridge
- OUTPUT - frames are filtered by rules in this chain if they are generated locally or if they are
being brouted

2. NAT
- PREROUTING – frames are directed to this chain as soon as they came in
- OUTPUT - for modifying locally generated or brouted frames before they are bridged
- POSTROUTING - for altering frames as they are about to go out

3. broute
This table has only one chain:
- BROUTING

Apart from that, users can define their own chains, but more on that later.

On this diagram we can follow a frames route as it is directed through specific chains.

Targets:

TARGET specifies what happens to a frame after it matched a rule.

In Ebtables we can choose from 5 targets:


1) ACCEPT – let the frame through
2) DROP – the frame will be dropped
3) CONTINUE – next rule will be checked
4) RETURN – go back to the previous chain and check the next rule
5) Jump to user defined chain

Combinations of using chains and targets will get clearer when we get to rule examples.

Bridge:
To set up ebtables as firewall first we have to create a bridge. A network bridge connects
multiple network segments. To create a bridge on a computer we will use brctl located in bridge-utils
package.

As an example, we will create a bridge in a network presented on the diagram:

root@Bridge:# ifconfig eth0 0.0.0.0


root@Bridge:# ifconfig eth1 0.0.0.0
root@Bridge:# brctl addbr br0
root@Bridge:# brctl addif br0 eth0
root@Bridge:# brctl addif br0 eth1
root@Bridge:# ifconfig br0 up

Now when we have built a bridge on a machine called Bridge, we are ready to set up ebtables as
firewall.

Ebtables installation: root@Bridge:# apt-get install ebtables

Example:
We want to block ARP messages going through the bridge.

root@192.168.1.2:# arping 192.168.2.1


ARPING 192.168.2.1 from 192.168.1.2 eth0
Unicast reply from 192.168.2.1 [B8:54:E5:34:1A:E4] 0.950ms
Unicast reply from 192.168.2.1 [B8:54:E5:34:1A:E4] 1.055ms

We see that ARP messages are going through.

We add an ebtables rule.


root@Bridge:# ebtables -t filter -A FORWARD -p ARP -j DROP

We specify a table “filter”, because we want to filter messages. Then we specify a chain to
“FORWARD”, because we want to filter messages when they are being forwarded by a bridge. Then
we specify protocol used as ARP, and finally we set the target as DROP.
root@192.168.1.2:# arping 192.168.2.1 -c 5
ARPING 192.168.2.1 from 192.168.1.2 eth0
Sent 5 probes (5 broadcast(s))
Received 0 response(s)

We are blocking ARP messages - firewall works.

ARPTABLES
Configuration of arptables is very similar to ebtables, so I will omit some subjects that are the same.
The difference is that arptables is not limited to bridges and that it is designed to work specifically with
ARP messages.

Tables:
In arptables there is only one “filter” table. The definitions of chains are as follows:
- INPUT chain - for frames destined for the host
- OUTPUT chain - for locally-generated frames
- FORWARD chain - for frames being forwarded by the bridge (this chain is not available in
Linux kernel 2.4.X)

Example:
Harvey sends valuable data to Router and wants to protect himself from Computer1 ARP Spoofing
How will Harvey protect itself from ARP Spoofing? Using arptables it will manually associate
Computer1 IP address with it's MAC address. This way, all ARP messages coming from IP address of
Computer1 but from MAC address not associated with Computer1 will be dropped. The same goes for
sending ARP messages. All ARP messages sent to Computer1 IP addresss but to MAC address not
associated with Computer1 will be dropped.

root@Harvey:# arptables -A INPUT -s 192.168.2.1 --source-mac ! AA:AA:AA:AA:AA:AA -j DROP


root@Harvey:# arptables -A OUTPUT -d 192.168.2.1 --destination-mac ! AA:AA:AA:AA:AA:AA -j
DROP

In the first rule we specify: if ARP message destined to this machine comes from IP address
192.168.2.1 but has different MAC address than AA:AA:AA:AA:AA:AA then it is dropped.
Similar principle applies for the second rule.

Here we list added rules and see they were added correctly.

root@Harvey:# arptables -L
Chain INPUT (policy ACCEPT)
-j DROP -s 192.168.2.1 ! --src-mac aa:aa:aa:aa:aa:aa

Chain OUTPUT (policy ACCEPT)


-j DROP -d 192.168.2.1 ! --dst-mac aa:aa:aa:aa:aa:aa
Chain FORWARD (policy ACCEPT)

IPTABLES:
Iptables is a firewall operating on OSI layers 3 and 4. It is a successor of ipchains and ipfilter. Iptables
works on the same principles as ebtables and arptables, with new features, which are a result of
operating on different OSI layers.

Features:
- Stateless packet filtering. It's the same concept as in ebtables and arptables.
- Stateful packet filtering. This concept means that iptables is able to recognize the connection state of a
packet. This adds new packet filtering capabilities based on packet's connection state. I will explain
more in a minute.
- NAPT - which means Network Address and Port Translation. This feature allows iptables to modify
packet headers including IP addresses and ports.

Tables:
There are 4 tables, 2 of which I've already talked about earlier and that is filter and nat. These are the
tables we already know. The other two are mangle and raw.
Mangle table is used for specialized packet modification, for example if we want to change Type of
service field in a packet header.
Raw table is used for rules that should apply before connection tracking takes place.

Connection state:
Packets can be related to tracked connections in four different so called states: NEW, ESTABLISHED,
RELATED and INVALID.
NEW - tells us that the packet is the first packet that we see from a specific connection
ESTABLISHED - next packets from an existing connection
RELATED - new connection created by already ESTABLISHED connection
INVALID - packet not identified

This allows us to specify additional filtering rules based on these connections. In iptables we do that by
adding option -m conntrack to our rule, which permits using --ctstate option. After --ctstate we specify
the connection state we want to filter. Here is an example in which we accept all incoming packets with
connetion state new: iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j ACCEPT

NAT:
There are two types of NAT and that is Source NAT (SNAT) and Destination NAT (DNAT), where
SNAT means changing the source IP address of a packet and DNAT changing destination IP address of
a packet. Here are some examples.

Change the source address of a packet to 1.2.3.4


root@Harvey:# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
Change the destination address of a packet to 1.2.3.4
root@Harvey:# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 1.2.3.4

By specifying table as nat and setting target as SNAT with --to option we change the source address.

NAPT:

Port forwarding - process of forwarding packets, which are being received on a specific port.

Example: we want to forward packets from interface eth0 port 80 to 192.168.1.200 to port 8080
iptables -t nat -A PREROUTING -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.200:8080

Here we specify that packets coming to port 80 will have new destination IP address 192.168.1.200 and
destination port 8080.

Masquerading example:
In the first example I will show how iptables handles masquerading. Let's presume we have a situation
as shown in the diagram:

First we have to enable packet forwarding:


root@Router:# echo 1 > /proc/sys/net/ipv4/ip_forward

Now we create a rule using a special target MASQUERADE.


root@Router:# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
root@Host1:# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=34.5ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=34.0ms

Limit:
For the next example I will use option limit, which is available in iptables but not ebtables or arptables.
Using option -m limit allows the use of the --limit and --limit-burst options. By specifying --limit
option we set what is the rate of packets we want to accept. By specifying --limit-burst we set how
many packets must be processed for the limit to start working. Things will clear out when I will
provide and example and an analogy later.
Example:
iptables -A INPUT -p icmp -m limit --limit 1/min --limit-burst 5 -j DROP

Analogy: We can imagine that limit is a bucket. By specifying --limit-burst we set the size of the
bucket, in our example it would be 5 packets. Also there is a hole in the bucket, which allows packets
to flow out of the bucket. We set how fast packets are flowing out of the bucket with option --limit.
So with 3 packets received, we need 3 minutes for iptables to clear packets out of the bucket.

Syn-flood protection example:


In our 2nd example we will try to block syn-flood attacks. In TCP SYN attack, target's computer is
being flooded with TCP SYN requests. Unprotected system would try to answer each of them, which
would overwhelm the CPU or the network. To resolve this problem we will limit incoming SYN
requests.

First, we create a new chain called syn_flood.


root@Computer:# iptables -N syn_flood

Then, we insert a new rule in the beginning of chain INPUT which forwards packets to our new chain.
root@Computer:# iptables -I INPUT 1 -p tcp -j syn_flood

We create an appropriate rule with --syn option.


root@Computer:# iptables -A syn_flood --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
root@Computer:# iptables -A syn_flood -j DROP

root@Computer:# iptables -L

XTABLES-ADDONS:

xtables-addons is a package containing extensions for iptables. Under ubuntu it's located in a package
called xtables-addons-common, so we can install it using this command: apt-get install xtables-
addons-common

Xtables-addons provides some interesting extensions, here are some examples:


- geoip - allows matching packets based on source's country.
- tarpit - provides additional tools to tcp matching functionality
- account - provides statistics for packets, like counting packets.

Usage example:
iptables -A FORWARD -j ACCOUNT --addr 192.168.1.0/24 --tname sales

Вам также может понравиться