奇科電腦
How to implement an SMB network using Netfilter

Author: Ben

01 Preface

Major enterprises and government agencies have been steadily moving official documents and workflows online in pursuit of efficient management and higher productivity. At the same time, driven by commercial interest or a desire to show off, Internet attacks such as hacker intrusions, Trojans, computer viruses and worms occur very frequently. As a result, network security has been taken seriously by many large enterprises and agencies in recent years.

Network security consists largely of security policy definition, contingency planning, security device procurement and complete implementation. Security policy and contingency planning are somewhat abstract concepts, but they determine which security devices are ultimately chosen, given the enterprise's characteristics and cost limits. Information managers and engineers, who must achieve the best possible network security under a limited budget, need to understand the essential knowledge and techniques behind each network device. Therefore, in this magazine we will introduce the various network security devices one by one, starting with the firewall.

Equipment:

  1. Linux machine

Software:

  1. iptables (source code can be downloaded from www.netfilter.org)

Essential knowledge:

  1. OSI model
  2. IP addressing, broadcast address, subnet mask
  3. TCP Three-way Handshake, UDP
  4. iptables command line

02 Firewall definition

A firewall in everyday life stops fire from spreading. The same idea applies to networks: we want to prevent malicious traffic from spreading into the network.

A typical firewall inspects packet contents at or below OSI Layer 4 (the Transport Layer), i.e. Fast Ethernet, TCP/IP and UDP.

03 Firewall classification

Firewalls fall into two major categories: stateful and stateless. A stateless firewall inspects each packet on its own (packet filtering) but cannot analyze the relationship between packets. A stateful firewall records packet information, e.g. the SYN and ACK flags in the TCP header, and uses it to relate packets to one another. A stateful firewall can therefore distinguish individual sessions and apply more sophisticated protection.

In addition, in recent years, to improve the usability of a single firewall, the major firewall vendors have developed two important functions: the virtual firewall and the transparent firewall (Layer 2 firewall). These make it easy and quick for customers to deploy a firewall. Later we will use the Cisco ASA and PIX firewalls to explain these two functions. Coming soon!

04 About Linux Firewall

From ipchains in kernel 2.2.x to iptables in kernels 2.4.x and 2.6.x, the Linux firewall has improved a great deal. ipchains is a stateless firewall, while iptables is a stateful firewall rewritten from scratch and unrelated to ipchains.

Therefore, for those still using ipchains to build firewalls, we strongly recommend learning iptables for the following three reasons:

  1. iptables is a stateful firewall.
  2. iptables has three separate tables (filter, nat, mangle) for handling packets with different attributes.
  3. iptables offers more chains to choose from.

05 Linux Firewall preparation

Readers can learn basic firewall configuration in a CCNA or Linux LPI course, so due to page limits we will not repeat it here. If needed, a later article will introduce Linux firewall configuration in detail.

How to determine whether the kernel supports Netfilter:

  1. Check whether the output of dmesg contains the string “ip_”. If so, the kernel supports Netfilter.
  2. If Netfilter is built as modules, check whether the netfilter directory exists under “/lib/modules//kernel/net/ipv4”.

06 Lab

In Linux Guide Issue 12 we introduced “Implementing dynamic routing between Cisco and Linux routers”. In this article we build a Linux firewall on that lab environment, which already runs a dynamic routing protocol. The network topology is as follows:

There are two Linux routers running iptables and one Cisco 2600 router, so the firewall is applied on different platforms.

We also list the routing table of each machine so that readers who do not use dynamic routing can add static routes manually.

In the following figure, the three Linux routing tables are shown as displayed by ‘route’, ‘netstat’ and ‘ip route’ respectively:

Routing table of the Cisco 2600 router:

Three Linux routing tables as displayed by ‘route’, ‘netstat’ and ‘ip route’:

Note that only ip route tells us where a route came from, i.e. which routing protocol it was learned from.

07 Objective

Suppose we are in an SME network in which Linux_NAT connects to the external network and Linux_router connects to associate partners. According to the enterprise's network policy, we use Linux Netfilter to control the traffic. We want to emphasize, however, that a firewall is only a tool; the security policy is what decides which devices are used.

Suppose the enterprise network security policy is as follows:

  1. Internal employees can connect to the Internet via Linux_NAT.
  2. Associate partners cannot connect to the Internet via the company network, so that external bandwidth stays available.
  3. Associate partners are only allowed to browse the internal web server (IP address: 192.168.10.100).

Now we develop firewall rules one by one according to the policies above.

1. Internal employees can connect to the Internet via Linux_NAT.
According to RFC 1918 – Address Allocation for Private Addresses and IANA (Internet Assigned Numbers Authority), 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 and 192.168.0.0 – 192.168.255.255 are private IP addresses that enterprises may use freely (please refer to the related documents for details). Linux_NAT therefore has to translate the source IP address of the packets it forwards so that the destination server's replies can be sent back.

(Note: due to lab limits we cannot use a public IP address, so we use 10.1.32.95 in our example. The mechanism is nevertheless the same as NAT.)

We ping the Chunghwa Telecom DNS server 168.95.1.1 from the Cisco 2621 router:

If it shows “…..”, the ping failed. So we configure the nat table rules in Netfilter and then check whether we can ping 168.95.1.1 from the Cisco 2621 router. The command line is as follows:

Check whether we can ping 168.95.1.1:

It shows “!!!!!”, so the ping succeeds. The first network policy is now satisfied.

2. Associate partners cannot connect to the Internet via the company network, so that external bandwidth stays available.

At present, the associate partner network can reach the Internet through Linux_NAT. We can confirm this by running “tracert” (the Windows route-tracing command).

In Netfilter, packets take one of three paths through the kernel: input, output and forward. A packet sent by an associate partner is “forward” traffic from Linux_NAT's point of view, so to block it we add a DROP rule in the filter table.

If no table is specified, iptables uses the filter table by default. Now we test whether a packet from the associate partner host 192.168.30.100 can still reach the Internet through Linux_NAT.

tracert shows the packet reaches Linux_router (192.168.30.1), the Cisco 2621 router (192.168.20.2) and Linux_NAT (192.168.10.1) but is blocked at Linux_NAT. The Netfilter rule we just added therefore successfully blocks the partner's packets.

Netfilter can also log packets. The log shows that the packet did pass through Netfilter on Linux_NAT.

3. Associate partners are only allowed to browse the internal web server (IP address: 192.168.10.100).
We add a firewall rule on Linux_router so that associate partners can only access the web server. Before the rule is set, an associate partner can still ping 192.168.10.1 (Linux_NAT) and 192.168.10.100 (the web server).

Now we set two firewall rules on Linux_router to limit associate partners to the web server.

Rule I accepts only TCP packets to destination port 80 whose source address is in 192.168.30.0/24 and whose destination is 192.168.10.100. Packets that match Rule I pass and are not examined by the next rule; Rule II then drops all other packets whose source address is in 192.168.30.0/24.

We verify the rules from an associate partner's computer. First, we can no longer ping 192.168.10.100 because the ICMP packets are blocked by Rule II. However, we can still view the website on 192.168.10.100 using the lynx browser.

We successfully browse the web service on 192.168.10.100.
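The three policies above, written out as iptables commands for the two Linux machines. This is an added example, not the article's own command lines (which appear only in the screenshots): eth0 as Linux_NAT's external interface carrying the lab "public" address 10.1.32.95 is an assumption, and the LOG prefix is constructed. Each function prints the commands it would run and only executes them when APPLY=1 is set, so the rule set can be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example (not from the article). Assumptions: eth0 is Linux_NAT's
# Internet-facing interface with the lab "public" address 10.1.32.95.
# Commands are printed for review; they run only with APPLY=1 in the environment.

run() {
    echo "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# Policy 1 (on Linux_NAT): rewrite the source address of packets leaving eth0
# so that replies from the Internet can be routed back to the private network.
linux_nat_policy1() {
    run iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.1.32.95
}

# Policy 2 (on Linux_NAT): partner traffic (192.168.30.0/24) is forwarded, not
# delivered locally, so it is matched in the FORWARD chain of the default filter
# table. Only Internet-bound packets (leaving via eth0) are affected; log them
# first so the block is visible in the kernel log, then drop them.
linux_nat_policy2() {
    run iptables -A FORWARD -s 192.168.30.0/24 -o eth0 -j LOG --log-prefix "partner-out: "
    run iptables -A FORWARD -s 192.168.30.0/24 -o eth0 -j DROP
}

# Policy 3 (on Linux_router): order matters. Rule I accepts only TCP to port 80
# on the web server; Rule II drops everything else from the partner network, so
# ping to 192.168.10.1 or 192.168.10.100 no longer gets through.
linux_router_policy3() {
    run iptables -A FORWARD -p tcp -s 192.168.30.0/24 -d 192.168.10.100 --dport 80 -j ACCEPT
    run iptables -A FORWARD -s 192.168.30.0/24 -j DROP
}

# Select the rule set for the machine this script runs on (HOST_ROLE=nat|router).
case "${HOST_ROLE:-}" in
    nat)    linux_nat_policy1; linux_nat_policy2 ;;
    router) linux_router_policy3 ;;
esac
```

Run it as `HOST_ROLE=router sh rules.sh` to review, then add `APPLY=1` to apply; the ACCEPT rule must stay ahead of the DROP rule, since iptables stops at the first match.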

08 Introduction to GUI in Linux Firewall

If readers are not familiar with the iptables command line, we introduce a nice GUI called fwbuilder (http://www.fwbuilder.org/). The required release or source code can be obtained from http://www.fwbuilder.org/nightly_builds/.

fwbuilder is a quite flexible firewall GUI. It can generate not only Netfilter rules but also Cisco FWSM (Firewall Services Module, used in the Cisco 6500 and 7600 Layer 3 switches) and PIX rules. More interestingly, it uses RCS for version control when the configuration of a machine changes, which is quite useful.

Some screenshots of the GUI follow:

The figure above shows the firewalls fwbuilder supports: FWSM, ipfilter, ipfw, iptables, PF and PIX.

The figure above shows the supported platforms: FreeBSD, Cisco FWSM, Linksys/Sveasoft, Linux 2.4/2.6, Mac OS X, OpenBSD, Cisco PIX and Solaris.

The figure above shows that fwbuilder is a very nice GUI for developing firewall rules easily and rapidly.

09 Conclusion

Linux lets us easily integrate 802.1Q, dynamic routing and Netfilter in one machine, providing an enterprise with an integrated network security solution that uses standard protocols and combines well with commercial network devices in the most economical, stable and convenient way.

Due to page limits we cannot demonstrate every detail and have focused on the fundamentals. The example in this article is only a small part of what Linux can do; Linux has powerful support at every OSI layer, too extensive to enumerate. Last but not least, what matters most is whether readers can discover and realize its wide range of applications.