CEG 499/699:
Internet Security


College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

Packet Filtering

Prabhaker Mateti

Abstract: Packet filtering is a technique for improving network security. This lecture explains how packet filtering works and walks through the setup of a Linux-based filter.

This work is supported in part by NSF DUE-9951380.
05/03/01

Table of Contents

  1. Educational Objectives
  2. Packet Filtering
  3. Packet Filtering Rules
  4. Filtering Chains
  5. Masquerading
  6. A packet filtering example
  7. Lab Experiment
  8. Acknowledgements
  9. References

Educational Objectives

  1. Understand the core component of what are called firewalls.
  2. Be able to set up filtering rules from a set of requirements.

Packet Filtering

An IP packet is a sequence of bytes containing

In packet filtering, only the protocol and address information in each packet's headers is examined: the source and destination IP addresses, the transport protocol, TCP or UDP port numbers, the ICMP message type, and TCP flags such as SYN. The packet's payload and its context (its relation to other packets and to the intended application) are ignored. Filtering consists of examining incoming or outgoing packets and allowing or disallowing their transmission or acceptance on the basis of a set of configurable rules, which together make up the filtering policy.

Packet filtering policies may be based upon any of the following:

This is the original and most basic type of firewall.

Packet filtering alone is not foolproof security.  Its weaknesses are:

An advantage of packet filtering is its relative simplicity and ease of implementation.

Packet Filtering Rules

Generally, the filtering rules are expressed as a table of conditions and actions that are applied in a definite order until a decision to route or drop the packet is reached. When a packet meets all the conditions specified in a given row S of the table, the action specified in S (route or drop) is carried out. Some systems, ipchains among them, apply the rules in the sequence specified by the administrator and stop at the first rule that applies; the order in which rules are entered is then part of the policy, since a general "deny" placed before a specific "accept" silences the latter. Others enforce a particular order of rule application based on the criteria in the rules, such as source and destination address, regardless of the order in which the administrator specified them.

An "outbound connection" is a connection initiated from a client process on an internal machine to a server on an external machine.  Note that while the connection as a whole is outbound, it includes both outbound  packets  (internal client to the external server) and inbound packets (those from the external server to the internal client). Similarly, an "inbound connection" is a connection initiated from a client on an external machine to a server on an internal machine. The "inbound interface" for a packet is the interface on the filtering router that the packet appeared on, while the "outbound interface" is the interface the packet will go out on if it isn't denied by the application of the filtering rules.

Filtering Chains

tbd

Masquerading

tbd

A packet filtering example

This example is based on Linux kernel 2.2.x and is taken from the ipchains HOWTO [2]. Linux kernels 2.4.x have a different mechanism, netfilter, whose rules are set up with a program called iptables; the ideas here (chains, first-match rules, masquerading) carry over, although the syntax differs.

Depending on your background in Unix administrative details, you may or may not understand every bit of the following.  Even so, this example is worth studying.

The Arrangement: Masqueraded internal network (various operating systems), which we call "GOOD"; Exposed servers in a separate network (called "DMZ" for Demilitarized Zone); PPP Connection to the Internet (called "BAD").


          External Network (BAD)
                  |
                  |
              ppp0|
           ---------------
           | 192.84.219.1|             Server Network (DMZ)
           |             |eth0
           |  Filter     |----------------------------------------------
           |    Box      |192.84.219.250 |             |              |
           |             |               |             |              |
           |192.168.1.250|               |             |              |
           ---------------          --------       -------        -------
                  | eth1            | SMTP |       | DNS |        | WWW |
                  |                 --------       -------        -------
                   |              192.84.219.128  192.84.219.129  192.84.219.130
                  |
          Internal Network (GOOD)


Goals

  1. Packet filter box:
    1. ping any network (useful to tell if a machine is down)
    2. traceroute any network (again, useful for diagnosis)
    3. access DNS (to make ping more useful)
  2. Mail server:
    1. send SMTP to external
    2. accept SMTP from internal and external
    3. accept POP-3 from internal
  3. Name server:
    1. send DNS to external
    2. accept DNS from internal, external and the packet filter box
  4. Web server:
    1. accept HTTP from internal and external
    2. accept rsync from internal
  5. Internal machines:
    1. WWW, ftp, traceroute and ssh to external. These are fairly standard things to allow; some places start by allowing the internal machines to do just about everything.
    2. SMTP to the mail server. Obviously, we want them to be able to send mail out.
    3. POP-3 to the mail server. This is how they read their mail.
    4. DNS to the name server. They need to be able to look up external names for WWW, ftp, traceroute and ssh.
    5. rsync to the web server. This is how they synchronize the external web server with the internal one.
    6. WWW to the web server. Obviously, they should be able to connect to our external web server.
    7. ping to the packet filter box. This is a courteous thing to allow: it means they can test whether the firewall box is down (so we don't get blamed if an external site is broken).

Before Packet Filtering

Anti-spoofing. Since we don't have any asymmetric routing, we can simply turn on reverse-path filtering for all interfaces: the kernel then drops a packet whose source address would not be routed out through the interface it arrived on, so a packet with an internal source address can only have come in on eth1. The forward-chain rules below rely on this.

# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

Set the filtering rules to DENY all. Local loopback traffic is still allowed, but anything else is denied ("-i ! lo" matches every interface other than lo):

# ipchains -A input -i ! lo -j DENY
# ipchains -A output -i ! lo -j DENY
# ipchains -A forward -j DENY

Set up the interfaces. This is usually done in the boot scripts. Make sure the steps above are done before the interfaces are configured, to prevent packets leaking through before the rules are in place.

Insert the per-protocol masquerading modules. We need to insert into the Linux kernel the masquerading module for FTP, so that active and passive FTP `just work' from the internal network:

# insmod ip_masq_ftp

Packet Filtering for Through Packets. Create several new chains:

# ipchains -N good-dmz
# ipchains -N bad-dmz
# ipchains -N good-bad
# ipchains -N dmz-good
# ipchains -N dmz-bad
# ipchains -N bad-good

With masquerading, it's best to filter in the forward chain. We split the forward chain into the above chains according to the source and destination networks; this breaks the problem down into manageable chunks.

ACCEPTing the standard error ICMPs is a common thing to do, so we create a chain for it:

# ipchains -N icmp-acc

Set up jumps from the forward chain. Unfortunately, in the forward chain we only know the outgoing interface (-i), not the one the packet arrived on. So to work out where a packet came from we use its source address, which the anti-spoofing set up earlier prevents from being faked. Anything which matches none of these dispatch rules is denied and logged (obviously, this should never happen).

 ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz
 ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad
 ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad
 ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good
 ipchains -A forward -i eth0 -j bad-dmz
 ipchains -A forward -i eth1 -j bad-good
 ipchains -A forward -j DENY -l

Define the icmp-acc chain. Packets that are one of the standard error ICMPs are ACCEPTed; anything else falls off the end of the chain, and control passes back to the calling chain, which continues with its next rule.

 ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
 ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
Good (internal) to DMZ (servers). The internal restrictions that apply here: SMTP and POP-3 to the mail server, DNS to the name server, rsync and WWW to the web server. We could masquerade from the internal network into the DMZ, but here we don't. Since no one on the internal network should be trying to do evil things, we log any packets that get denied.

 ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
 ipchains -A good-dmz -p tcp -d 192.84.219.128 pop-3 -j ACCEPT
 ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
 ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
 ipchains -A good-dmz -p tcp -d 192.84.219.130 www -j ACCEPT
 ipchains -A good-dmz -p tcp -d 192.84.219.130 rsync -j ACCEPT
 ipchains -A good-dmz -p icmp -j icmp-acc
 ipchains -A good-dmz -j DENY -l
Bad (external) to DMZ (servers). The DMZ restrictions that apply here: the mail server accepts SMTP from external, the name server accepts DNS from external, and the web server accepts HTTP from external. POP-3 and rsync are internal-only, so they get no rule here. Denials are not logged, since probes from outside are expected.

 ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT
 ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT
 ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT
 ipchains -A bad-dmz -p tcp -d 192.84.219.130 www -j ACCEPT
 ipchains -A bad-dmz -p icmp -j icmp-acc
 ipchains -A bad-dmz -j DENY

Good (internal) to Bad (external). Internal machines may use WWW, ftp, traceroute and ssh to external sites. Many people allow everything from the internal to external networks and then add restrictions; here we are strict and masquerade only the listed services, rejecting and logging everything else. The UDP range 33434:33500 is the destination-port range that traceroute probes use. Only the FTP control connection needs a rule: the ip_masq_ftp module loaded earlier handles the data connections for both active and passive FTP.

 ipchains -A good-bad -p tcp --dport www -j MASQ
 ipchains -A good-bad -p tcp --dport ssh -j MASQ
 ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
 ipchains -A good-bad -p tcp --dport ftp -j MASQ
 ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
 ipchains -A good-bad -j REJECT -l

DMZ to Good (internal). If we were masquerading from the internal network to the DMZ, we could simply refuse everything coming this way. As it is, we only allow packets which might be part of a connection the internal side opened: UDP DNS replies from the name server, and TCP segments from each server's service port that are not a bare SYN. Note what "! -y" actually tests: -y matches a TCP segment with SYN set and ACK and FIN clear, i.e. a connection-opening request, so "! -y" admits every other segment from that source port whether or not a connection exists. This is a stateless approximation of "established", not connection tracking. Denials are logged.

 ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT
 ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT
 ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT
 ipchains -A dmz-good -p tcp ! -y -s 192.84.219.130 www -j ACCEPT
 ipchains -A dmz-good -p tcp ! -y -s 192.84.219.130 rsync -j ACCEPT
 ipchains -A dmz-good -p icmp -j icmp-acc
 ipchains -A dmz-good -j DENY -l

DMZ to Bad (external). The mail server sends SMTP to external and the name server sends DNS to external; the web server only answers HTTP, so from it we accept only non-SYN segments from port www (replies). Denials are logged. Note that "-s 192.84.219.128 smtp" matches source port 25, which is what the mail server's replies to inbound SMTP carry; a connection the mail server itself opens to an external site comes from an ephemeral source port and is not matched by this rule. Likewise the name server's outbound queries pass only if it sends them from port 53, as BIND 8 did by default.

 ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT
 ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT
 ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT
 ipchains -A dmz-bad -p tcp ! -y -s 192.84.219.130 www -j ACCEPT
 ipchains -A dmz-bad -p icmp -j icmp-acc
 ipchains -A dmz-bad -j DENY -l
Bad (external) to Good (internal). We don't allow anything (non-masqueraded) from the external network to the internal network

ipchains -A bad-good -j REJECT

Packet Filtering for the Linux Box Itself. To filter packets addressed to the filter box itself, we filter in the input chain. We create one chain for each destination interface:

 ipchains -N bad-if
 ipchains -N dmz-if
 ipchains -N good-if

Create jumps to them, keyed on the destination address (the address of each interface):

 ipchains -A input -d 192.84.219.1 -j bad-if
 ipchains -A input -d 192.84.219.250 -j dmz-if
 ipchains -A input -d 192.168.1.250 -j good-if
Bad (external) interface. The filter box itself may ping and traceroute any network and look up DNS. The external interface therefore receives replies to masqueraded packets (which arrive on the destination-port range, 61000 and up, that the 2.2 kernel rewrites masqueraded connections into), ICMP errors for them, and ping replies ("pong" is the ipchains name for an ICMP echo reply). The first rule denies and logs any packet carrying this interface's address that did not actually arrive on ppp0.

  ipchains -A bad-if -i ! ppp0 -j DENY -l
  ipchains -A bad-if -p TCP --dport 61000:65096 -j ACCEPT
  ipchains -A bad-if -p UDP --dport 61000:65096 -j ACCEPT
  ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
  ipchains -A bad-if -j icmp-acc
  ipchains -A bad-if -j DENY
DMZ interface. This interface receives DNS replies from the name server, ping replies and ICMP errors. Since the box only ever queries the name server, TCP from its port 53 is accepted only when it is not a bare SYN.

 ipchains -A dmz-if -i ! eth0 -j DENY
 ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT
 ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT
 ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
 ipchains -A dmz-if -j icmp-acc
 ipchains -A dmz-if -j DENY -l
Good (internal) interface. Internal machines are allowed to ping the packet filter box, so this interface receives pings, ping replies and ICMP errors. Nothing else is accepted, and denials are logged.

 ipchains -A good-if -i ! eth1 -j DENY
 ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT
 ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT
 ipchains -A good-if -j icmp-acc
 ipchains -A good-if -j DENY -l
Finally, delete the blocking rules installed at the start. Each was the first rule appended to its chain, so it is rule 1:

 ipchains -D input 1
 ipchains -D forward 1
 ipchains -D output 1
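The rule tables, the chain jumps and the "! -y" test described above, as an added example that is not part of the lecture or of the ipchains HOWTO: a small Python simulation of first-match evaluation over the forward chain and its through-chains, built from the rules listed above. It assumes the web server sits on the DMZ network at 192.84.219.130; the internal host 192.168.1.7, the external host 203.0.113.5 and the sample packets and port numbers are constructed for illustration, and the bad-dmz and dmz-bad chains are reduced to their final DENY rows to keep the listing short.

```python
# Added example for this lecture, not code from the ipchains HOWTO or the Linux
# kernel: a first-match simulation of ipchains-style rule tables with chains.
# Rules and addresses are the lecture's (web server taken to be 192.84.219.130,
# on the DMZ network); sample packets and the host 203.0.113.5 are constructed.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}   # verdicts that end evaluation

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # ipchains names: "ping", "pong", "time-exceeded", ...
    syn: bool = False       # SYN set, ACK/FIN clear: what ipchains -y tests
    out_if: str = ""        # outgoing interface, all the forward chain can see

def holds(key: str, want, have) -> bool:
    if key in ("src", "dst"):                    # address or CIDR prefix
        return ip_address(have) in ip_network(want, strict=False)
    if isinstance(want, tuple):                  # port range (lo, hi), inclusive
        return want[0] <= have <= want[1]
    return have == want

class Filter:
    def __init__(self) -> None:
        self.chains: dict[str, list] = {}        # chain -> ordered (target, log, cond) rows
        self.logged: list[str] = []

    def add(self, chain: str, target: str, log: bool = False, **cond) -> None:
        self.chains.setdefault(chain, []).append((target, log, cond))   # ipchains -A

    def _walk(self, chain: str, p: Packet) -> str | None:
        for target, log, cond in self.chains.get(chain, []):
            if not all(holds(k, w, getattr(p, k)) for k, w in cond.items()):
                continue                                     # row does not apply
            if log:                                          # ipchains -l
                self.logged.append(f"{chain}: {p.proto} {p.src}->{p.dst}")
            if target in TERMINAL:
                return target
            verdict = self._walk(target, p)                  # jump into a user chain
            if verdict is not None:
                return verdict
            # user chain ran out of rows without deciding: carry on with the next row
        return None

    def verdict(self, chain: str, p: Packet) -> str:
        # built-in chains in the lecture end in an explicit DENY row, so the default policy (ACCEPT) is never reached
        return self._walk(chain, p) or "ACCEPT"

MAIL, DNS, WWW = "192.84.219.128", "192.84.219.129", "192.84.219.130"

def lecture_forward_filter() -> Filter:
    f = Filter()
    # forward: dispatch on source network and outgoing interface (rp_filter makes the source trustworthy)
    f.add("forward", "good-dmz", src="192.168.1.0/24", out_if="eth0")
    f.add("forward", "good-bad", src="192.168.1.0/24", out_if="ppp0")
    f.add("forward", "dmz-bad", src="192.84.219.0/24", out_if="ppp0")
    f.add("forward", "dmz-good", src="192.84.219.0/24", out_if="eth1")
    f.add("forward", "bad-dmz", out_if="eth0")
    f.add("forward", "bad-good", out_if="eth1")
    f.add("forward", "DENY", log=True)
    for t in ("destination-unreachable", "source-quench", "time-exceeded", "parameter-problem"):
        f.add("icmp-acc", "ACCEPT", proto="icmp", icmp_type=t)   # other ICMP falls back
    for dst, port in ((MAIL, 25), (MAIL, 110), (DNS, 53), (WWW, 80), (WWW, 873)):
        f.add("good-dmz", "ACCEPT", proto="tcp", dst=dst, dport=port)
    f.add("good-dmz", "ACCEPT", proto="udp", dst=DNS, dport=53)
    f.add("good-dmz", "icmp-acc", proto="icmp")
    f.add("good-dmz", "DENY", log=True)
    for port in (80, 22, 21):                    # www, ssh, ftp (data channel via ip_masq_ftp)
        f.add("good-bad", "MASQ", proto="tcp", dport=port)
    f.add("good-bad", "MASQ", proto="udp", dport=(33434, 33500))   # traceroute probes
    f.add("good-bad", "MASQ", proto="icmp", icmp_type="ping")
    f.add("good-bad", "REJECT", log=True)
    # DMZ -> internal: only what can be a reply, i.e. TCP that is not a bare SYN ("! -y")
    for src, port in ((MAIL, 25), (DNS, 53), (WWW, 80), (WWW, 873)):
        f.add("dmz-good", "ACCEPT", proto="tcp", src=src, sport=port, syn=False)
    f.add("dmz-good", "ACCEPT", proto="udp", src=DNS, sport=53)
    f.add("dmz-good", "icmp-acc", proto="icmp")
    f.add("dmz-good", "DENY", log=True)
    f.add("bad-good", "REJECT")                  # nothing un-masqueraded comes inward
    f.add("bad-dmz", "DENY")                     # service rows as in the lecture, omitted here
    f.add("dmz-bad", "DENY", log=True)           # likewise
    return f

def demo() -> tuple[dict[str, str], list[str]]:
    f = lecture_forward_filter()
    cases = {   # constructed packets; hosts 192.168.1.7 and 203.0.113.5 are made up
        "internal SMTP to mail server": Packet("192.168.1.7", MAIL, "tcp", 40001, 25, syn=True, out_if="eth0"),
        "internal ping to web server": Packet("192.168.1.7", WWW, "icmp", icmp_type="ping", out_if="eth0"),
        "internal traceroute probe": Packet("192.168.1.7", "203.0.113.5", "udp", 40002, 33440, out_if="ppp0"),
        "mail server ACK reply to internal": Packet(MAIL, "192.168.1.7", "tcp", 25, 40001, out_if="eth1"),
        "mail server opens ssh to internal": Packet(MAIL, "192.168.1.7", "tcp", 40003, 22, syn=True, out_if="eth1"),
        "external ssh to internal": Packet("203.0.113.5", "192.168.1.7", "tcp", 40004, 22, syn=True, out_if="eth1"),
    }
    return {name: f.verdict("forward", p) for name, p in cases.items()}, f.logged
```

demo() returns the verdict for each constructed packet together with the log entries the -l rules would have produced. Two cases are worth tracing by hand: the internal ping to the web server enters good-dmz, jumps to icmp-acc, matches none of its four rows, returns to good-dmz and hits its final DENY -l, which is why the log entry names good-dmz rather than icmp-acc; and the mail server's SYN toward an internal machine is denied by dmz-good because the "! -y" rows only admit non-SYN segments, while an ACK from its port 25 passes even though the simulator, like ipchains, keeps no connection state.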

Lab Experiment

All work should be carried out in the Operating Systems and Internet Security (OSIS) Lab, 429 Russ. Use any of the PCs numbered 19 to 30. No other WSU facilities are allowed.

Objective: Set up a simple packet filter. In this lab, you will be setting up one of the Linux machines as a firewall based on IP filtering.

  1. Read the IPCHAINS-HOWTO [2]. Skim the man pages for ipchains(8), inetd(8), and services(5).
  2. Set up a network in the OSIS Lab of at least four PCs; let us call them P0, P1, P2, and P3. P0, P1, P2 should be on one network, say 192.168.17.0. You will use a switch and three RJ45 straight (non-crossover) cables to connect the PCs with the switch.
  3. P2 and P3 are on another network, say 192.168.99.0. Connect these two PCs with one RJ45 crossover cable.
  4. Set P2 up as a router. Any two machines should be able to ping each other.
  5. Verify that all of the following work: telnet, ftp, and finger from {P0, P1} to P3, and finger from P3 to {P0, P1}.
  6. Set up filtering on P2 so that
    1. P1 can no longer telnet to P3
    2. P0 can continue to telnet to P3
    3. P3 can no longer telnet to P0, P2
    4. P3 can continue to telnet to P1
    5. P3 cannot finger P0, P1, P2
  7. Set up the telnet service on P0 on port number 9999 so that any of P1, P2, P3 can telnet to it, while the above blocks are still in effect.
  8. Turn in a description of your setup, a script of the filtering rules, and a witness report.

Acknowledgements

The packet filtering example is taken from the ipchains-howto.


References

  1. D. Brent Chapman, "Network (In)Security Through IP Packet Filtering," Third USENIX UNIX Security Symposium, Baltimore, MD, September 1992. [Local copy .ps] Recommended reading.
  2. Paul Russell, Linux IPCHAINS-HOWTO, v1.0.7, 12 March 1999. www.rustcorp.com/linux/ipchains/HOWTO.html [Local copy .txt] Required skimming.
05/03/01 12:33:21 PM
Copyright © 2001 pmateti@cs.wright.edu