References

• man ipchains
• /usr/doc/HOWTO/IPCHAINS-HOWTO
• /usr/doc/HOWTO/Firewall-HOWTO
• ipchains --help (as root)

Setting up a firewall

• turn off all non-essential services.
• wrap all essential services.
• patch out all problems.

Chains

• a chain is a sequence of filter instructions that may call other chains as subroutines.
• elements of a chain are patterns to match together with appropriate actions to take.

Using chains:

• design an appropriate set of flows you desire.
• design an appropriate set of chains to accomplish those flows.
• implement each chain as a series of filters.
• activate each chain by entering the filters into kernel memory.

Chaining concepts:

• chokes (limit access)
  • filtering: denying access to certain packets based upon content.
• gates (allow access)
  • proxying: creating a controlled channel to the Internet via a helper program or proxy.
  • masquerading: creating a controlled channel to the Internet by pretending to be only the gateway host.

Ipchains doesn't use files

• filter list is kept in the running kernel.

Filtering

• specifying which hosts can connect to you.
• as short a list as possible.
• ACCEPT and DENY rules.
• first matching rule in chain wins

   conforming packet ----> IPCHAINS ----> ACCEPT forwarded through!
   non-conforming packet->                DENY   stopped dead!
  

• Example

   ipchains --new test 
   ipchains --add test --source 192.168.1.0/24 ACCEPT
   ipchains --add test --source 130.64.0.0/16 ACCEPT
   ipchains --policy test DENY
  

  • accepts all packets from 192.168.1.*.
  • accepts all packets from 130.64...
  • denies all packets from elsewhere.

     ipchains --list test 
    

  • shows what you've done.
• To make this actually take effect, on an input chain, install it:

   ipchains --add input --protocol tcp --jump test
   ipchains --policy input ACCEPT
  

  • if you get a tcp packet, jump to 'test' chain.
  • if you don't, just accept it.
• Effect: non-conforming TCP packets get bounced.

Caveat:

• IPCHAINS works on the IP level.
• You think on the SERVICE level.
• There has to be some INTERFACE to make it clear what you're doing.
• Recall /etc/services (list of port numbers)

Proxies

• Your server acts on the Internet on your behalf.
• You give a request to the server, it passes it on, and you get the result from the server:

   you                     proxy (2 IP's)             server
   192.168.1.15:?     192.168.1.1 130.64.23.13:?       201.34.2.12:80
     SENDS ----------------> PROXIES --------------->  RECEIVES request
      From 192.168.1.15:X     From 130.64.23.13:Y
      To   192.168.1.1:8080   To   201.34.2.12:80
      YOU GET <------------- REWRITES  <-------------  SENDS answer
                              From 201.34.2.12:80        From 201.34.2.12:80
                              To   192.168.1.15:X        To   130.64.23.13:Y
   you                     proxy (2 IP's)                server
   give me http://foo.com->give me http://foo.com---->sends file
   gets from proxy<--------gets from server<----------
   192.168.1.15:?    192.168.1.1:8080 130.64.23.13:?       201.34.2.12:80
  

• Setting up a simple proxy (http)
  • number internal network on a private address scheme (RFC1597: 10..., 172.16..* or 192.168.*.*)
  • number external network on a public address scheme provided by your ISP.
  • deny all access to http straight through the firewall.

     ipchains --new http
     ipchains --add http --destination 192.168.0.0/16 --source-port 80 DENY
     ipchains --add http --source 192.168.0.0/16 --destination-port 80 DENY
     ipchains --add http --jump RETURN 
     ipchains --add input --jump http 
    

    • http is a subroutine.
    • any thing from internal network to port 80 or from port 80 to internal network gets dumped.
  • Run a proxy server on port 8080 inside the firewall.
    • edit /etc/squid/squid.conf
    • run squid from /etc/rc.d/rc3.d. (I turned it off!)
  • Set your browser to proxy to the firewall on port 8080.

Transparent Proxy

• users don't like configuring that !@#%^& proxy on their browsers.
• we can arrange instead for transparent proxy of requests.
• this requires rewriting requests at the firewall (which BTW must be routing traffic anyway).

   you                     proxy (2 IP's)             server
   192.168.1.15:?     192.168.1.1 130.64.23.13:?       201.34.2.12:80
     SENDS ----------------> REWRITES
      From 192.168.1.15:X     From 192.168.1.15:X
      To   201.34.2.12:80     To   192.168.1.1:8080
                             PROXIES --------------->  RECEIVES request
                              From 130.64.23.13:Y
                              To   201.34.2.12:80
      YOU GET <------------- REWRITES  <-------------  SENDS answer
                              From 201.34.2.12:80        From 201.34.2.12:80
                              To   192.168.1.15:X        To   130.64.23.13:Z
  

• naive host inside network just tries to send directly to an external host.
• This won't work, as there's a block up.
• Instead, the firewall rewrites the packet so that it seems to be a proxy request.
• Thus it becomes proxied without anyone having to set the browser differently.
• Thus the packet can be routed and reach its destination.
• Upon return, the firewall REWRITES THE RETURN PACKET to go to the appropriate target.
• Example:

   ipchains --new http
   ipchains --add http --destination 192.168.0.0/16 --source-port 80 DENY
   ipchains --add http --source 192.168.0.0/16 --destination-port 80 \
      --jump REDIRECT 8080
   ipchains --add http --jump RETURN 
   ipchains --add input --jump http 
  

Masquerading

• In some conditions, transparent proxying is 'too much trouble'.
  • protocol difficult to proxy (e.g., ftp)
  • everyone trusted behind the firewall (e.g., connecting to an external ISP)
• Can instead instruct the firewall to 'pretend' that it is you.
• It maintains tables of how to map between inside and outside.

   you                     masquerader                server
   192.168.1.15:?     192.168.1.1 130.64.23.13:?       201.34.2.12:80
     SENDS ----------------> REWRITES -------------->  RECEIVES
      From 192.168.1.15:X     From 130.64.23.13:Z
      To   201.34.2.12:Y      To   201.34.2.12:Y 
                             REWRITES  <-------------  SENDS
                              From 201.34.2.12:Y        From 201.34.2.12:Y
                              To   192.168.1.15:X       To   130.64.23.13:Z
  

• Example:

   ipchains --new http
   ipchains --add http --source 192.168.0.0/16 --destination-port 80 \
      --jump MASQ 
   ipchains --add http --jump RETURN 
   ipchains --add input --jump http 
  

Principles of gate design

• Everything not allowed is denied

Patterns

• --protocol <protocol>
  • selects protocol of incoming/outgoing packet
  • protocols include tcp, udp, icmp, all
  • --protocol tcp - select tcp
  • --protocol ! icmp - select non-icmp
• --source <address/mask>
  • matches originating address.
  • --source 192.168.1.0/255.255.255.0 - our subnet
  • --source 192.168.1/24 - also our subnet
  • --source ! 192.168.1.1/255.255.255.255 - any host but tcp
  • --source ! 192.168.1.1/32 - also any host but tcp
• --source-port <port> - the source port number.
• --destination <address/mask>
  • matches receipt address.
  • --destination 192.168.1.0/255.255.255.0 - our subnet
  • --destination 192.168.1/24 - also our subnet
  • --destination ! 192.168.1.1/255.255.255.255 - any host but tcp
  • --destination ! 192.168.1.1/32 - also any host but tcp
• --destination-port <port> - the destination port number.
• --icmp-type <typename> - matches the type of ICMP request.

   [root@tcp /root]# /sbin/ipchains -help icmp
   ipchains 1.3.8, 27-Oct-1998
   
   Valid ICMP Types:
   echo-reply (pong)
   destination-unreachable
      network-unreachable
      host-unreachable
      protocol-unreachable
      port-unreachable
      fragmentation-needed
      source-route-failed
      network-unknown
      host-unknown
      network-prohibited
      host-prohibited
      TOS-network-unreachable
      TOS-host-unreachable
      communication-prohibited
      host-precedence-violation
      precedence-cutoff
   source-quench
   redirect
      network-redirect
      host-redirect
      TOS-network-redirect
      TOS-host-redirect
   echo-request (ping)
   router-advertisement
   router-solicitation
   time-exceeded (ttl-exceeded)
      ttl-zero-during-transit
      ttl-zero-during-reassembly
   parameter-problem
      ip-header-bad
      required-option-missing
   timestamp-request
   timestamp-reply
   address-mask-request
   address-mask-reply
  

• --interface <interface-name> - interface (eth0) through which a packet is received.
• --jump <action> - action to take if there's a match.

Rule modifiers

• --bidirectional - simulate writing another rule with source and destination reversed.
• --syn - only match tcp initiation packets; used to create assymetrical filters.
• --verbose - tell what you're doing at each step.
• --numeric - don't use DNS or service names in reporting output.
• --log - turn on kernel logging on matching packets.

Packet chain actions

• <chain name> - call a new (user-defined) chain.
• ACCEPT - let packet through.
• DENY - drop packet.
• REJECT - drop packet and send ICMP deny.
• MASQ - masquerade as local host.
  • only legal for input and user chains.
  • resets source IP address to that of local host.
• REDIRECT - redirect to local port even if targeted for remote host.
  • only legal for input and user chains.
  • resets destination IP address to that of local host.
• RETURN - return from a call chain to a previous one.

Editing chains

• ipchains are stored in the running kernel.
• to access, use command /sbin/ipchains.

   [root@tcp /root]# /sbin/ipchains -help
   ipchains 1.3.8, 27-Oct-1998
   
   Usage: /sbin/ipchains -[ADC] chain rule-specification [options]
          /sbin/ipchains -[RI] chain rulenum rule-specification [options]
          /sbin/ipchains -D chain rulenum [options]
          /sbin/ipchains -[LFZNX] [chain] [options]
          /sbin/ipchains -P chain target [options]
          /sbin/ipchains -M [ -L | -S ] [options]
          /sbin/ipchains -h [icmp] (print this help information, or ICMP list)
   
   Commands:
   Either long or short options are allowed.
     --add     -A chain            Append to chain
     --delete  -D chain            Delete matching rule from chain
     --delete  -D chain rulenum
                                   Delete rule rulenum (1 = first) from chain
     --insert  -I chain [rulenum]
                                   Insert in chain as rulenum (default 1=first)
     --replace -R chain rulenum
                                   Replace rule rulenum (1 = first) in chain
     --list    -L [chain]          List the rules in a chain or all chains
     --flush   -F [chain]          Delete all rules in  chain or all chains
     --zero    -Z [chain]          Zero counters in chain or all chains
     --check   -C chain            Test this packet on chain
     --new     -N chain            Create a new user-defined chain
     --delete  -X chain            Delete a user-defined chain
     --policy  -P chain target
                                   Change policy on chain to target
     --masquerade -M -L            List current masqerading connections
     --masquerade -M -S tcp tcpfin udp
                                   Set masquerading timeout values
   
   Options:
     --bidirectional -b            insert two rules: one with -s & -d reversed
     --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
     --source      -s [!] address[/mask] [!] [port[:port]]
                                   source specification
     --source-port [!] [port[:port]]
                                   source port specification
     --destination -d [!] address[/mask] [!] [port[:port]]
                                   destination specification
     --destination-port [!] [port[:port]]
                                   destination port specification
     --icmp-type [!] typename      specify ICMP type
     --interface   -i [!] name[+]
                                   network interface name ([+] for wildcard)
     --jump        -j target [port]
                                   target for rule ([port] for REDIRECT)
     --mark        -m [+-]mark     number to mark on matching packet
     --numeric     -n              numeric output of addresses and ports
     --log         -l              turn on kernel logging for matching packets
     --output      -o [maxsize]    output matching packet to netlink device
     --TOS         -t and xor      and/xor masks for TOS field
     --verbose     -v              verbose mode
     --exact       -x              expand numbers (display exact values)
   [!] --fragment  -f              match second or further fragments only
   [!] --syn       -y              match TCP packets only when SYN set
   [!] --version   -V              print package version.
   [root@tcp /root]# 
  

Ipchains commands

• --new <chain> makes a new user-defined chain.
• --delete <chain> destroys a user-defined chain.
• --add <chain> <filter> adds a new filter to the chain at the end.
• --delete <chain> <rulenum> deletes a filter from the chain by number.
• --insert <chain> <rulenum> <filter> inserts a filter in the middle of the chain.
• --replace <chain> <rulenum> <filter> replaces a filter.
• --list <chain> lists filters in a chain.
• --policy <chain> <action> sets default policy for a chain.

where

• <chain> - chain number:
  • input - packets received.
  • output - packets ready to transmit out.
  • forward - packets being routed from one subnet to another.
  • a number means a user-defined chain.
• <filter> - a filter specification as above.
• <rulenum> - the number for the rule in the last listing.
• <action> - an action to take by default (if no rules match).

A quick note on laziness

• short abbreviations are fine
• except when your job is on the line.
• use long names to know what you're doing!