IPTable Firewall
Assignment
TABLE OF CONTENTS
Executive Summary
Firewall Design
1. What is a firewall
2. Requirements of the firewall
3. Implementation of the firewall
Testing of firewall
1. ICMP Test
2. HTTP Test
3. VSFTP Test
4. SSH Test
Attacks
1. Ping flooding
2. SYN flood
3. Port scan using nmap
4. Port scan using SYN set
Conclusion
EXECUTIVE SUMMARY
The purpose of this report is to build a firewall and demonstrate its use in mitigating attacks on a computer network. Network security is a priority of every network. The most common solutions used for network security are antivirus software and firewalls. Firewalls are good tools for building a security-based network. One open source firewall is iptables. Iptables is freely available with standard Linux distributions and helps system administrators configure the netfilter tables, chains and rules to build a network with secure access control.
Here I have made use of VMware Workstation with Red Hat Linux to build my network environment. I have tried to secure the network by using an iptables based firewall. In the latter part I have tested that it works. At the end I have launched some major attacks to demonstrate that this firewall is able to protect the network from them while still providing access to the major services that were the basic requirements for this network.
NETWORK DESIGN
Figure: network diagram. External host (attacker, Windows XP) at 100.100.100.2/24 on the eth2 side; server at 192.168.1.2/24 on the eth1 side; internal LAN on eth0. Firewall interfaces: eth0 192.168.2.1/24 (internal LAN), eth1 192.168.1.1/24, eth2 100.100.100.1/24.
To simulate the network I have made use of three Red Hat hosts and one host machine, which is the remote machine and can be considered the external machine. There are three separate networks: 100.100.100.0/24, 192.168.1.0/24 and 192.168.2.0/24. Network 100.100.100.0/24 is used as the outer network and is connected to the host machine. 192.168.2.0/24 is the company's internal network, and network 192.168.1.0/24 is used for placing a server running the basic services HTTP, SSH and VSFTP that this company's network requires.
The firewall runs on the gateway host to provide security to the internal network. The routing function on the Red Hat Linux gateway can be enabled using the following command.
FIREWALL DESIGN
What is a firewall?
Definition:
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. (Wikipedia, n.d.)
Requirements of the firewall
• The server provides HTTP, SSH and TFTP services to the external and internal networks.
• Hosts on the internal networks can request any service provided by the external network.
• Block ping (ICMP echo requests) from the external network to the internal networks; only ping replies from outside are allowed.
• Block ping flooding and SYN flooding from all the networks.
• Legitimate hosts on the external network can log in to the gateway using SSH.
Implementation of the firewall
At the beginning we delete all the default rules in iptables and flush all the entries from the tables. I have created a script for this process.
Flush.sh
iptables -F
The above commands set the default policy to DROP everything except the OUTPUT chain.
The next step is to stop pings from the outside network to the inside network, and at the same time the rules should deny a possible ping-flooding attack. This is accomplished with an icmp_p chain that denies ICMP requests from outside and limits the number of requests per second allowed from the internal network to the internal server. The rules applied are as follows:
iptables -N icmp_one
In a similar manner, the bad_tcp chain is entered when the server receives a TCP packet. Here a maximum of 5 packets per minute is allowed; the rest are dropped.
iptables -N bad_tcp
iptables -A bad_tcp -p tcp --syn -m state --state NEW -j DROP
The chain mentioned below is the allowed chain, which contains all the allowed TCP packets.
The tcp_chain tells us which services can be used from the internal and the external network. Additional services can easily be incorporated into this structure. Here TCP port 22 (SSH) and port 80 (HTTP) are allowed.
Similarly, the udp_chain controls the UDP services that we implement on the servers. Here UDP port 69 (TFTP) is allowed.
The following allows all packets from the 192.168.0.0/16 subnet whose state is either ESTABLISHED or RELATED. All other packets are dropped.
iptables -A FORWARD -p tcp -j bad_tcp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j tcp_p
iptables -A FORWARD -p udp -j udp_p
iptables -A FORWARD -j DROP
More services can be added to the tcp and udp chains as required, so the issue of scalability is taken care of.
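The chain layout described above, assembled as an added example that is not the report's own script, in iptables-restore format so the whole rule set loads atomically. It uses the report's interfaces (eth0 internal LAN, eth1 server network, eth2 external) and server address 192.168.1.2; the contents of icmp_p, bad_tcp, tcp_p and udp_p, the limit values and the internal-to-external rule are my reconstruction of what the text describes, and IP forwarding is assumed to be enabled already.

```shell
#!/bin/sh
# Added example, not the report's own rules: the report's chain layout in
# iptables-restore format. Chain contents and limit values are reconstructed
# from the text; adjust to taste. Assumes IP forwarding is already enabled.
firewall_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmp_p - [0:0]
:bad_tcp - [0:0]
:tcp_p - [0:0]
:udp_p - [0:0]
# gateway itself: loopback, replies to its own traffic, SSH logins from outside
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# icmp_p: no echo requests from the external side; internal ones limited to 1/s
-A icmp_p -i eth2 -p icmp --icmp-type echo-request -j DROP
-A icmp_p -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A icmp_p -p icmp --icmp-type echo-request -j DROP
-A icmp_p -p icmp --icmp-type echo-reply -j RETURN
# bad_tcp: at most 5 new SYNs per minute pass; the excess is logged and dropped
-A bad_tcp -p tcp --syn -m state --state NEW -m limit --limit 5/minute --limit-burst 5 -j RETURN
-A bad_tcp -p tcp --syn -m state --state NEW -m limit --limit 1/minute -j LOG --log-prefix "Stealth Attack_Syn "
-A bad_tcp -p tcp --syn -m state --state NEW -j DROP
# tcp_p / udp_p: services the server 192.168.1.2 exposes (SSH, HTTP, TFTP)
-A tcp_p -d 192.168.1.2 -p tcp --dport 22 -j ACCEPT
-A tcp_p -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
-A udp_p -d 192.168.1.2 -p udp --dport 69 -j ACCEPT
# FORWARD in the order the report lists it, plus the ICMP hook and the
# internal-LAN-to-outside rule that the requirements call for
-A FORWARD -p icmp -j icmp_p
-A FORWARD -p tcp -j bad_tcp
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -p tcp -j tcp_p
-A FORWARD -p udp -j udp_p
-A FORWARD -j DROP
COMMIT
EOF
}

apply_firewall() { firewall_rules | iptables-restore; }       # needs root
check_firewall() { firewall_rules | iptables-restore --test; } # syntax only
case "${1:-}" in apply) apply_firewall ;; check) check_firewall ;; esac
```

Run it with apply as root to load the rules, or with check to only validate the syntax. Note that -m limit keeps one global counter, so the 5 SYNs per minute are shared by every host; per-source limits would need the hashlimit match instead.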
TESTING OF FIREWALL
ICMP TEST
ICMP traffic should only be allowed from the internal network, so external hosts cannot send ICMP packets to the server. This is shown below: when the attacker (100.100.100.5) pings the server (192.168.1.2), there is no response from the server because the packets are dropped.
HTTP TEST
For testing purposes, the HTTP service is opened on the server. The command mentioned below starts the HTTP service.
And start the thttpd service.
The figure below shows the whole process.
VSFTP TEST
The FTP service used here is vsftp. First you need to create a directory to hold the files that are retrieved from and sent to the FTP server. The directory is /home/ftp.
The figure below shows that the vsftp service has been started on the internal server with the vsftp command. Below, the get nana.txt command is used to get a file named nana.txt from 192.168.1.2.
SSH TEST
The ssh service is started on the internal as well as the external server.
ATTACKS
PING FLOODING
A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. It only succeeds if the attacker has more bandwidth than the victim. (Wikipedia, n.d.) Ping flooding can be harmful to the network because the ICMP requests may carry large payloads, which may consume all the processing capacity of the gateway or server and make it unavailable to legitimate users.
Type: 1
I shall create a ping flood attack from the internal machine (192.168.2.1) to the server (192.168.1.2). For this purpose I shall use the following command.
ping -f 192.168.1.2
The figure below shows the attack carried out on the machine before and after implementing the firewall. In the first part, once the attack is carried out it shows 0% packet loss; once the firewall is applied and the attack is carried out again it shows 90% packet loss. This is proof that the firewall has been incorporated in a proper manner.
Type: 2
We can launch ping flooding by using the hping command as well. With hping you can add an extra payload to the ping and set any flags of your choice to make it worse, for example -i u1000 to send one ping every 1000 microseconds.
hping 192.168.1.2 -i u1000
To mitigate this kind of attack I will allow only one ping request per second to a host. This way I can mitigate the ping flooding that could occur. If more than one ICMP request per second arrives, the gateway simply discards the excess packets.
The figure below shows the delay in response when the hping attack is carried out. In the figure it can be seen that when the server (192.168.1.2) is pinged, the last column (time) shows values like 0.4 or 0.3 milliseconds, but when the hping attack is carried out it shows a delayed time of 16.8 milliseconds (yellow marker).
SYN FLOOD
SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server. The hostile client repeatedly sends SYN (synchronization) packets to every port on the server, using fake IP addresses. (Whatis.com)
The firewall drops any external request packets whose destination port is not 22 (SSH) or 80 (HTTP). For the internal network, the firewall uses the same mechanism as for preventing ping floods, which restricts request packets to once a minute. If the number of incoming packets exceeds this, the firewall drops the packets and logs them with the "Stealth Attack_Syn" prefix. I use the command hping2 -S to launch the SYN flood attack.
Use either of the following commands:
nmap -sT 192.168.1.2
The figure below shows the state of the firewall once this attack is carried out. Logs with "Stealth Attack_Syn" can be seen.
PORT SCANNING USING NMAP
Use nmap to scan the server IP address. It can detect the ports that are exposed to the network, and it can also check whether the host is up. To secure the server and the internal network, the firewall has to close the unnecessary ports exposed to the outside. According to the result, we can see that only port 22 (SSH) and port 80 (HTTP) are exposed on the server; for the intranet host, there is no port available to the external network.
PORT SCAN USING SYN SET
Since port scanning using nmap is disabled, there is one more way to do a port scan: the attacker can use SYN flooding as a port-scanning tool. The command below does port scanning using packets with the SYN bit set while continuously incrementing the destination port.
hping -S 192.168.1.2 -p ++20 -i u1000
Or
nmap -p "1-1024" 192.168.1.2
This sends a packet with the SYN bit set to each port of the server, incrementing from 21, and the only replies received are from open ports on the server.
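On the defender's side, the "Stealth Attack_Syn" entries that the bad_tcp chain writes to the kernel log (SYN flood section above) are also what make the SYN-based port scan just described visible: one source hitting many distinct destination ports. The script below is an added example, not part of the report; the log lines it contains are constructed in the netfilter LOG target's format, and the host name gw and the addresses are made up for the sample.

```shell
#!/bin/sh
# Added example, not from the report: summarise the "Stealth Attack_Syn" LOG
# entries from the kernel log per source address, with the number of distinct
# destination ports each source hit (one source, many ports = SYN scan).
# The sample lines below are constructed in the netfilter LOG target's format.
SAMPLE_LOG=$(cat <<'EOF'
Oct 24 10:01:02 gw kernel: Stealth Attack_Syn IN=eth2 OUT=eth1 SRC=100.100.100.2 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=2001 DPT=22 WINDOW=512 SYN
Oct 24 10:01:03 gw kernel: Stealth Attack_Syn IN=eth2 OUT=eth1 SRC=100.100.100.2 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=2002 DPT=23 WINDOW=512 SYN
Oct 24 10:01:03 gw kernel: Stealth Attack_Syn IN=eth0 OUT=eth1 SRC=192.168.2.5 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=40000 DPT=80 WINDOW=512 SYN
Oct 24 10:01:04 gw kernel: Stealth Attack_Syn IN=eth2 OUT=eth1 SRC=100.100.100.2 DST=192.168.1.2 LEN=40 PROTO=TCP SPT=2003 DPT=24 WINDOW=512 SYN
Oct 24 10:01:05 gw sshd[123]: Accepted password for root from 100.100.100.2 port 2010 ssh2
EOF
)

# syn_summary: log lines on stdin -> "SRC hits distinct_ports", busiest first.
# Lines without the prefix (the sshd line above) are ignored.
syn_summary() {
    grep 'Stealth Attack_Syn' |
    awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in hits) print s, hits[s], ports[s] }' | sort -k2,2nr
}

# scan_sources: sources that hit more than one port, i.e. probable port scans.
scan_sources() { syn_summary | awk '$3 > 1 { print $1 }'; }

if [ "${1:-}" = "demo" ]; then printf '%s\n' "$SAMPLE_LOG" | syn_summary; fi
```

On the gateway itself the same functions work on the real log, for example grep 'Stealth Attack_Syn' /var/log/messages | syn_summary.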
CONCLUSION