Logging Packets at the Firewall


As discussed earlier, the Ipchains -l option allows you to log matching packets. You can insert -l into any rule, as long as you do not place it between another option and its argument. For example, the following command logs all matching TCP packets that are rejected:

ipchains -I input -i eth0 -p tcp -s 0.0.0.0/0 -y -l -j REJECT

However, the following command would be a mistake, because Ipchains would interpret -l as the argument of the -s (source) option:

ipchains -I input -i eth0 -p tcp -s -l 0.0.0.0/0 -y -j REJECT

Once you establish logging, you can view Ipchains output in the /var/log/messages file.

Iptables allows you to log packets as well, but in a more sophisticated way. This is because Iptables uses the LOG target, which you specify just like DROP or ACCEPT. LOG does not terminate rule processing, so the packet continues to the next rule; to reject and also log all initial TCP traffic, you would therefore issue the following two commands:

iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --syn -j LOG
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --syn -j DROP

As with Ipchains, you can view the results of your logging in the /var/log/messages file.
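Once LOG entries start landing in /var/log/messages, the next question is what they say. The following script is an added example (not from the book): it summarises kernel LOG lines by protocol, destination port and source address, so a burst of attempts against one port from one host stands out. The syslog lines are constructed for the demonstration, using documentation address ranges; the field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=) is the kernel's LOG format.

```shell
#!/bin/sh
# Added example (not from the book): summarise firewall LOG entries in a
# syslog file such as /var/log/messages.

# write_sample FILE: write constructed syslog lines to FILE. Addresses are
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real hosts;
# the last line is ordinary sshd noise that the summary must ignore.
write_sample() {
    cat > "$1" <<'EOF'
Mar 10 09:12:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 09:12:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 09:12:04 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=40114 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 09:12:05 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=40115 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 09:13:40 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=72 TOS=0x00 PREC=0x00 TTL=61 ID=9001 PROTO=UDP SPT=50023 DPT=53 LEN=52
Mar 10 09:13:41 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=9002 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar 10 09:13:42 fw sshd[812]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
EOF
}

# summarise_log FILE: print "count proto dport src" for every logged packet,
# busiest first. ICMP has no port, so its dport column shows "-".
summarise_log() {
    grep 'kernel:.*IN=' "$1" | awk '
    {
        proto = ""; src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # each field is KEY=VALUE (or a bare flag like DF)
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (proto != "") count[proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

sample=$(mktemp)
write_sample "$sample"
summarise_log "$sample"
rm -f "$sample"
```

On a real firewall, point summarise_log at /var/log/messages. Giving each LOG rule its own --log-prefix (an option the LOG target accepts) makes it easy to extend the awk to report which rule produced each line.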

Setting Log Limits

By default, Iptables will limit logging of packets. The default limit rate is three logging instances an hour, and each time a logging instance starts, only the first five packets are logged. This behavior is meant to ensure that log files do not get too large. You can change the default logging rate by specifying the --limit and --limit-burst options of the limit match. The --limit option sets the limit rate per second, minute, hour, or day. The --limit-burst figure sets how many initial packets will be logged before the rate takes effect. For example, to log ICMP packets at a rate of two per minute, you would issue the following command:

iptables -A INPUT -i eth0 -p icmp -s 0.0.0.0/0 -m limit --limit 2/min --limit-burst 2 -j LOG

Notice also that the limit-burst value is set to 2, so at most two packets are logged back to back before the two-per-minute rate applies.
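The limit match behaves like a token bucket: the bucket starts with limit-burst tokens, each logged packet spends one, and tokens are earned back at the limit rate. The script below is an added example (not from the book) that models this so you can see which packets a "--limit 2/min --limit-burst 2" LOG rule would record; the packet arrival times are constructed. It is an approximation: the kernel keeps integer credits measured in jiffies, so a boundary case may differ by a clock tick, but the pattern (burst first, then one packet per interval) is the same.

```shell
#!/bin/sh
# Added example (not from the book): token-bucket model of the iptables
# limit match used to rate-limit LOG rules.

# limit_sim RATE_PER_MIN BURST T1 T2 ...: for each packet arrival time Ti
# (seconds, ascending) print "Ti logged" or "Ti suppressed".
limit_sim() {
    rate=$1; burst=$2; shift 2
    printf '%s\n' "$@" | awk -v rate="$rate" -v burst="$burst" '
    BEGIN { tokens = burst; last = 0; interval = 60 / rate }
    {
        t = $1
        # one token is earned per interval of elapsed time, capped at burst
        tokens += (t - last) / interval
        if (tokens > burst) tokens = burst
        last = t
        if (tokens >= 1) { tokens -= 1; print t, "logged" }
        else print t, "suppressed"
    }'
}

# count_logged RATE_PER_MIN BURST T1 T2 ...: how many packets the rule logs
count_logged() {
    limit_sim "$@" | grep -c logged
}

# Four packets in four seconds (as in a ping flood), then three spread over
# the next two minutes, against the page's 2/min, burst 2 rule.
limit_sim 2 2 0 1 2 3 40 70 100
```

With the page's settings the first two packets are logged, the next two are suppressed, and thereafter one packet every 30 seconds gets through; with the limit match's own defaults (3/hour, burst 5) the same flood would yield five entries and then one per twenty minutes.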

Note

Be careful not to log too many packets. You will quickly consume hard drive space if you log all packets passing through your firewall interfaces.

Adding and Removing Packet Filtering Rules

Thus far, you have created a masquerading router. However, you have not yet invoked any packet filtering. Following are some examples of packet-filtering rules you may want to create on your system. First, consider the following Ipchains commands:

ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s 0/0 -d 0/0 22 -j ACCEPT

Now, consider the equivalent series of Iptables commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT

These commands effectively prohibit every service from entering your firewall, except for SSH, which uses port 22. No other service can access your network. Notice that Ipchains refers to the input chain in lowercase, whereas Iptables uses the FORWARD chain in uppercase; Iptables always refers to its built-in chains in uppercase. In addition, Iptables does not use the INPUT chain for packets destined for the internal network: in Iptables, the INPUT chain refers only to packets destined for the local system. Thus, in Iptables, you should explicitly drop all packets on the INPUT chain, unless you want to allow access to the firewall itself, say by SSH or another relatively secure administration method. Your firewall will still forward packets using the FORWARD, POSTROUTING, and PREROUTING chains.

Notice also that Ipchains uses DENY as a target name, whereas Iptables uses DROP. Another difference is in the way source and destination are specified. This difference is actually not necessary; both Ipchains and Iptables can use -s and -d, or the --dport option. When using --dport or --sport, if you do not specify a source or destination, both Iptables and Ipchains assume the first local interface. The -i option in Ipchains specifies a particular interface (in this case, the eth0 interface), whereas in Iptables, the -i option specifies the incoming interface.

The preceding configuration is both extremely simple and restrictive. It allows outside hosts to access only SSH, and will not allow any user interactively logged in to the system to check e-mail or use any other Internet-based service. This is because the rule set is designed to lock down the firewall as much as possible.

ICMP Types

Notice that with Iptables, you can reject specific ICMP types. Table 5.5 explains some of the common types, including the numbers assigned in RFC 792, which is the document that defines the parameters for all ICMP messages.

Table 5.5: Common ICMP Names and Numbers

Iptables/Ipchains ICMP Message Name | RFC Name and Number | Description
echo-request | 8 Echo | The packet sent out by the common ping command.
echo-reply | 0 Echo Reply | The reply a host gives to the ping command.
destination-unreachable | 3 Destination Unreachable | Informs the sender of a packet that there is a problem reaching the intended host.
source-quench | 4 Source Quench | If a router is too busy and cannot fulfill a client request, it sends this message back to the client.
redirect | 5 Redirect | Sent by a router that has, essentially, discovered a more direct route to the destination than the one originally taken by the packet sent by the host.
time-exceeded | 11 Time Exceeded | If a datagram is held too long by a router, its Time-To-Live (TTL) field expires. When this occurs, the router is supposed to send a message back to the host informing it of the drop.
parameter-problem | 12 Parameter Problem | Sent by either standard hosts or routers, this message informs other hosts that a packet cannot be processed.

You can learn about additional arguments by typing iptables -p icmp -h at any terminal.

A Personal Firewall Example

Suppose that you want to create a personal firewall for a system that you use as a desktop. You would modify the previous Ipchains commands as follows:

ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s 0/0 -d 0/0 22 -j ACCEPT

To create a personal firewall system using Iptables, you would issue the following commands:

iptables -P INPUT DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 1023: -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1023: -j ACCEPT

The preceding commands allow SSH, but no other service. However, because the high (ephemeral) ports from 1023 upward are open, a user can now browse the Web, contact DNS servers, and so forth, and use the system with a reasonable degree of security. This system now cannot even be pinged, which helps to protect it against distributed DoS and ping scanning attacks.

Exercise: Creating a Personal Firewall and Creating a User-Defined Chain

  1. Using either Ipchains or Iptables, add the following rules to your INPUT chain to create a personal firewall:

    • Deny all incoming ICMP traffic, and make sure the denial is logged

    • Deny all incoming FTP traffic

    • Deny all incoming DNS traffic

    • Deny Telnet

    • Deny SMTP and POP3

  2. If you are using Iptables on a standard system with one interface, you would issue the following commands:

    iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j LOG
    iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 20 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 21 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 53 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p udp --dport 53 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 23 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 25 -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport 110 -j DROP

    The LOG rule for ICMP must come before the DROP rule: a dropped packet never reaches the rules that follow it, so a LOG placed after the DROP would never fire. Of course, there is more than one way to do this. For example, you could create a user-defined chain and handle all ICMP traffic there:

    iptables -N icmptraffic
    iptables -A icmptraffic -s 0/0 -d 0/0 -p icmp -j LOG
    iptables -A icmptraffic -s 0/0 -d 0/0 -p icmp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j icmptraffic

  3. List the INPUT chain. If you created a user-defined chain, list this as well.

  4. Save your configuration for the sake of backup. If you are using Iptables, use the following command:

    iptables-save > iptables.txt 
  5. Flush all of the rules you created. If you are using Iptables, issue the following command:

    iptables -F
  6. List the INPUT chain (and any other) to verify that you have in fact flushed this chain.

  7. Use the iptables-restore (or ipchains-restore) command along with the text file you created to restore your Iptables chains:

    iptables-restore iptables.txt
  8. List your tables and chains again to verify that your rules have been restored.

  9. Thus far, you have created a personal firewall that starts with a "wide open" policy, and then proceeds to lock down ports. Now, use the -P option to block all traffic, and then allow only SSH, or any other protocol(s) of your choice. If, for example, you are using Iptables, issue the following commands:

    iptables -P INPUT DROP
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1023: -j ACCEPT
    iptables -A INPUT -p udp --dport 1023: -j ACCEPT

    You can specify -i eth0, if you wish. However, if you only have one interface, both Ipchains and Iptables will default to using it. Remember, you should open up the ephemeral TCP and UDP ports so that you can still do things like checking your e-mail. If, of course, you do not want any services open on your network, you could omit the --dport 22 line altogether.

  10. Now, log all traffic that attempts to connect to your system. If you are using Iptables, issue the following command:

    iptables -A INPUT -p udp --dport 1023: -j LOG
    iptables -A INPUT -p tcp --dport 1023: -j LOG

    This feature may log too much information for your server, depending on your system's activity. Make sure you check your log files regularly.

  11. Log all attempts to scan the standard ports for Microsoft networking. If you are using Iptables, issue the following command:

    iptables -A INPUT -p tcp -m multiport --destination-ports 135,137,138,139 -j LOG
    iptables -A INPUT -p udp -m multiport --destination-ports 137,138,139 -j LOG

    The -m multiport --destination-ports option allows you to match several ports in a single rule. You can read more about these options in the Iptables man page.

  12. If your server needs to support additional protocols, experiment with adding them.
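Step 4 saves the ruleset with iptables-save, and step 2 shows how easily a LOG rule can end up after the DROP it was meant to accompany. The script below is an added example (not from the book) that reads an iptables-save file and reports every LOG rule that can never fire because a DROP, REJECT or ACCEPT with the identical match precedes it in the same chain. The ruleset it checks is constructed for the demonstration, reusing the exercise's icmptraffic chain; it is not from a real host.

```shell
#!/bin/sh
# Added example (not from the book): find LOG rules shadowed by an earlier
# terminating rule in a saved ruleset (iptables-save output).

# write_ruleset FILE: write a constructed iptables-save file to FILE.
# The Telnet DROP/LOG pair repeats the DROP-then-LOG mistake on purpose.
write_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmptraffic - [0:0]
-A INPUT -p icmp -j icmptraffic
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j LOG
-A INPUT -p tcp -m tcp --dport 22 -j LOG
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A icmptraffic -p icmp -j LOG
-A icmptraffic -p icmp -j DROP
COMMIT
EOF
}

# unreachable_logs FILE: print every LOG rule that is preceded, in the same
# chain, by a terminating rule with exactly the same match. Only identical
# matches are detected; a broader earlier rule (say "-p tcp -j DROP") also
# shadows later rules and is not caught by this simple check.
unreachable_logs() {
    awk '
    /^-A / {
        chain = $2; spec = ""; target = ""
        # everything between the chain name and -j is the match specification
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); break }
            spec = spec " " $i
        }
        key = chain spec
        if (target == "LOG" && (key in ended)) print "unreachable: " $0
        if (target == "DROP" || target == "REJECT" || target == "ACCEPT") ended[key] = 1
    }' "$1"
}

ruleset=$(mktemp)
write_ruleset "$ruleset"
unreachable_logs "$ruleset"
rm -f "$ruleset"
```

Run it against the iptables.txt you saved in step 4 (unreachable_logs iptables.txt); the user-defined chain in the sample passes because its LOG rule precedes its DROP, while the Telnet LOG rule is flagged.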

Redirecting Ports in Ipchains and Iptables

Port redirection is where a packet destined for a certain port (say, port 80) is received by an interface, and is then sent to another port. Redirecting ports is common in networks that use proxy servers. To redirect a port in Ipchains to the local system's eth0 interface, you could issue the following command:

ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 80 -j REDIRECT 8080
ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 443 -j REDIRECT 8080

In Iptables, you must use the REDIRECT target from the nat table:

iptables -t nat -A PREROUTING -i eth1 -s 0/0 -d 0/0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth1 -s 0/0 -d 0/0 -p tcp --dport 443 -j REDIRECT --to-ports 8080

These rules ensure that any hosts that try to bypass your proxy server by specifying your firewall are redirected to a proxy server on the firewall. Another strategy is to deny all requests to ports 80 and 443, and then make sure that all Web clients are configured to access your proxy server.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240