January 11, 2000

Ipchains is a packet-filtering firewall package. You can find an RPM of Ipchains in RedHat/RPMS on the latest PC Quest RedHat CD. First you have to check whether the Linux kernel supports Ipchains. For this, look for a file named ip_fwchains in /proc/net. If it’s not there, then you will have to recompile your kernel. The KERNEL-HOWTO and IPCHAINS-HOWTO will help you. If the file exists, then you can check whether Ipchains is already installed.

As root, type

rpm -qa | grep ipchains

If you do not get any output then you must install the package from the RedHat/RPMS directory on the CD using the command:

rpm -ivh ipchains*

Why the name Ipchains?
Ipchains is so called because it deals with IP packets at the Network Layer, and the rules defined in it are based on three inbuilt chains called the input chain, output chain and forward chain. A rule can be something like “if the source of the packet is Sachin’s machine, then deny access”. Packets arriving at the machine running Ipchains are compared against rules defined in the input chain. If these packets are destined for another machine, they are redirected after being compared against rules in the forward chain. The output chain processes packets going out of the firewall. Apart from these three, you can also have your own user-defined chains. The rules for each chain define access control based on source, destination, port, protocol or other information contained in IP headers.

Configuring Ipchains
To block all packets from a particular source, issue the following command at the Linux shell prompt:

ipchains -A input -i eth0 -s hackers.com -j DENY

Here -A is to add a rule (to deny any packets from hackers.com) to the input chain. It’s assumed that this Linux box is connected to the Internet over the Ethernet network. So the packets will arrive on the Ethernet card interface named eth0, specified by -i eth0. If you have more than one Ethernet card, omitting the -i option will mean all interfaces, including non-Ethernet interfaces like the PPP interface for a dial-up Internet connection. All Ethernet interfaces can be included with -i eth+. Next, -s stands for the source of packets, which in this case is hackers.com. You can also use the IP address instead of a domain name; a domain name is resolved when the rule is added, so the rule actually stores the IP address(es) the name resolved to at that moment. Finally, the -j DENY option instructs Ipchains to deny such packets. When you use DENY, the packets are simply trashed without giving any error message to the source. The source doesn’t know anything about what happened to the incoming request. We can use REJECT in place of DENY to tell the source that a packet has been discarded. The opposite of DENY and REJECT is ACCEPT. Note that we are not using any port number, which means that access will be denied to all packets from any port.

This was for someone from hackers.com trying to access your network. Now, if you don’t want users in your network to access hackers.com, then add a rule to the output chain:

ipchains -A output -i eth0 -d hackers.com -j REJECT

Here -d specifies the destination address.

Now, suppose one of the machines in your network, with IP address 192.168.1.10, has very sensitive data, which is used by people in your private network, but that machine must not be accessed by anyone from the Internet, that is, from outside the range of IP addresses assigned to the local network. A rule added to the input chain as below protects 192.168.1.10.

ipchains -A input -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.10 -j DENY

The ! (NOT) specifies that if the source of the packets is not between 192.168.1.1 and 192.168.1.254, then access is to be denied.

Telnet and FTP are important, but insecure, services. You can block access to these services for users other than those in your private network. Suppose the machine 192.168.1.15 on your network provides Telnet and FTP access to others.

ipchains -A input -p tcp -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.15 telnet -j REJECT

ipchains -A input -p tcp -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.15 ftp -j REJECT

These rules specify that, if the machine sending the request is not between 192.168.1.1 and 192.168.1.254 and the destination is the Telnet port (first command) or FTP port (second command) of the destination machine (192.168.1.15), then reject the packets. Since Telnet and FTP use the TCP protocol, you must specify the protocol with the -p option.

In place of the words telnet and ftp you can specify the port numbers (23 for Telnet and 21 for FTP). You can look into the /etc/services file for the well-known ports and their names.

Ports below 1024 are used by standard or defined services like HTTP, FTP, Telnet, SMTP etc., and ports above 1024 are used by non-standard services, for example by instant messengers like ICQ and streaming audio/video like RealAudio and RealVideo. Now, if you don’t want your network users to use non-standard services then you can block access (incoming as well as outgoing) to these ports with:

ipchains -A input -p tcp -s 0/0 ! 0:1024 -j REJECT

ipchains -A output -p tcp -d 0/0 ! 0:1024 -j REJECT

ipchains -A input -p udp -s 0/0 ! 0:1024 -j REJECT

ipchains -A output -p udp -d 0/0 ! 0:1024 -j REJECT

Since we are concerned with blocking the incoming as well as outgoing packets using the non-standard ports, we add rules in both the input and output chains. The services, whether standard or non-standard, use either the TCP or UDP protocol. The protocol is specified by the -p option. Next, a source 0/0 and a destination 0/0 is specified, where 0/0 means any machine. Finally the port range is specified as <starting-port>:<ending-port>. And our command is about packets NOT (!) falling within the specified range. Note that a port (or range) written after -s is matched against the packet’s source port, and one written after -d against its destination port.

When browsing the Internet, you will want to connect to machines on the Internet but would not want to allow them to connect to (as different from accessing) your machines. TCP packets which initialise a connection have the SYN flag set (to 1) in their header. So, we have to block all the incoming TCP packets which have this flag set. This is done as follows:

ipchains -A input -i eth1 -p tcp -s ! 192.168.1.0/255.255.255.0 -y -j REJECT

This will deny connection to all the TCP-based services like Telnet, FTP, HTTP. Substitute eth1 with the name of the external interface (the interface to the Internet). The -y option matches only packets that have the SYN flag set (with ACK clear), which is the first packet of a connection, so replies to connections opened from inside still get through. For dial-up connections, the external interface would be ppp0.

The following rule can be used by a desktop user on a dial-up connection to deny connections to his machine.

ipchains -A input -i ppp0 -p tcp -s 0/0 -y -j REJECT

The machine acting as your Internet gateway has a (static or dynamic) IP address provided by your ISP. The other machines in your network, which do not have an ISP-assigned IP, use this machine to connect to the Internet. The gateway transfers the IP packets from the private network to the Internet, replacing the source address of each packet with its own IP address. In the case of incoming packets from the Internet, it replaces their destination address with the IP address of the destination machine on the private network. This substitution of IP addresses is called IP masquerading. You can set up IP masquerading using Ipchains by inserting the following rule in the forward chain.

ipchains -A forward -i eth1 -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j MASQ

Note that here masquerading is done only if the destination is outside the private network.

If you are using the machine as an HTTP proxy server, then you need to go through the hassle of configuring all the machines with the IP address and port of the proxy server. An easy way out is transparent proxying. Using Ipchains, you can redirect all the TCP requests to port 80 (named www) to the port (say port 8000) on which the proxy server is listening. This is done using the REDIRECT option as follows:

ipchains -A input -p tcp -d 0/0 www -j REDIRECT 8000

Closed and Open chains

What we have been working on so far is open chains, in which we were DENYing access to specific services. An open output chain is specified as:

ipchains -P output ACCEPT

A closed chain is one in which you deny access to everything. Subsequently you can allow access (using the ACCEPT option) to the required services. A closed input chain is specified with the -P (policy) option as:

ipchains -P input DENY

You can also use REJECT in place of DENY.

Testing and debugging

We can list all the rules in all the chains using the -L option. To see the rules defined in a particular chain:

ipchains -n -L output

This displays all the rules for the output chain. If you want to see machine names instead of their IP addresses, remove the -n option.

We can use the -C option to simulate an actual transaction to test the integrity of the rules defined in Ipchains. To test the example where we were denying access to the machine 192.168.1.10, we send a UDP packet from a source 202.54.90.63 (an address outside the range of your private network) to the machine 192.168.1.10. We must specify a source and a destination port (for example 8888). This is done as below:

ipchains -C input -i eth0 -p udp -s 202.54.90.63 8888 -d 192.168.1.10 8888

You will get a "denied" message, which proves that the rule works.
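The single -C check above can be turned into a repeatable regression suite, so that every rule is re-checked each time the chains are edited. The script below is an added example (not from the article) and assumes that the 192.168.1.10 rule and the Telnet/FTP rules for 192.168.1.15 are loaded and that the input chain still has the default ACCEPT policy; the test packets are constructed for illustration, and IPCHAINS is a hypothetical override so the suite can be pointed at a stub off the firewall box.

```shell
#!/bin/sh
# Regression suite for an ipchains ruleset, driven by "ipchains -C".
# Added example, not part of the original article. Assumption: the rules
# protecting 192.168.1.10 and the Telnet/FTP ports of 192.168.1.15 are
# loaded and the input policy is ACCEPT. IPCHAINS may be overridden (for
# example with a stub function) to exercise the suite off the firewall.
IPCHAINS="${IPCHAINS:-ipchains}"

# check_packet CHAIN IFACE PROTO SRC SPORT DST DPORT
# Asks the kernel what it would do with such a packet and prints the
# verdict line ipchains reports (packet accepted / denied / rejected ...).
check_packet() {
    $IPCHAINS -C "$1" -i "$2" -p "$3" -s "$4" "$5" -d "$6" "$7" 2>&1
}

# expect_verdict VERDICT CHAIN IFACE PROTO SRC SPORT DST DPORT
# Returns 0 when the kernel's answer contains VERDICT, 1 otherwise.
expect_verdict() {
    want=$1
    shift
    got=$(check_packet "$@")
    case "$got" in
        *"$want"*) printf 'ok   %-8s %s\n' "$want" "$*"; return 0 ;;
        *)         printf 'FAIL %-8s %s (got: %s)\n' "$want" "$*" "$got"; return 1 ;;
    esac
}

# run_suite: constructed test packets, one per rule plus packets that must
# still be allowed. Returns the number of failed checks.
run_suite() {
    fails=0
    # outsider reaching the sensitive machine: the "! 192.168.1.0/24" rule denies it
    expect_verdict denied   input eth0 udp 202.54.90.63 8888 192.168.1.10 8888 || fails=$((fails + 1))
    # same packet from inside the private network: no rule matches, policy applies
    expect_verdict accepted input eth0 udp 192.168.1.20 8888 192.168.1.10 8888 || fails=$((fails + 1))
    # outsider to the Telnet and FTP ports of 192.168.1.15: rejected
    expect_verdict rejected input eth0 tcp 202.54.90.63 4000 192.168.1.15 23   || fails=$((fails + 1))
    expect_verdict rejected input eth0 tcp 202.54.90.63 4000 192.168.1.15 21   || fails=$((fails + 1))
    # outsider to a port on 192.168.1.15 that no rule covers: still allowed
    expect_verdict accepted input eth0 tcp 202.54.90.63 4000 192.168.1.15 80   || fails=$((fails + 1))
    # insider to Telnet on 192.168.1.15: allowed
    expect_verdict accepted input eth0 tcp 192.168.1.20 4000 192.168.1.15 23   || fails=$((fails + 1))
    return $fails
}

# Only run the suite when invoked as "sh check_rules.sh run" on the firewall.
if [ "${1:-}" = "run" ]; then
    run_suite
fi
```

Run it as root on the firewall after loading the rules; a non-zero exit status means at least one packet did not get the verdict the rules were meant to give it, which is the kind of mistake that a rule added in the wrong order (first match wins) silently introduces.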

If you use the -l option while adding a rule, before the -A option, then all the packets which match the rule are logged. For example, to log the matching packets for the rule specified in the example of IP masquerading:

ipchains -l -A forward -i eth1 -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j MASQ

You can view the log using:

dmesg | grep "Packet log"

You can delete a rule in a chain using the -D option. One way is to specify the number of the rule in the chain. For example, we can delete the fifth rule in the output chain as:

ipchains -D output 5

This can easily lead to errors. So, a more specific method is to type the entire rule, as when adding a rule, but replacing -A with -D.

To delete all the rules in a chain use the -F option.

ipchains -F <name-of-the-chain>

Here <name-of-the-chain> can be input, output or forward.

Note that after a reboot, all the rules that are entered at the command prompt are lost. Hence you need to put the rules in a start-up script.
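Putting the "Closed and open chains" idea and the start-up-script advice together, here is an added example (not the article's own script) of a start-up script that flushes the chains, sets a closed input policy, and then re-opens only what the private network needs, using the article's rules. It assumes eth0 is the private LAN 192.168.1.0/24, eth1 faces the Internet, and the proxy listens on port 8000; IPCHAINS is a hypothetical override (set it to "echo ipchains" to print the rules instead of loading them).

```shell
#!/bin/sh
# Start-up script built around a closed input chain (ipchains -P input DENY).
# Added example, not from the article. Assumptions: eth0 is the private LAN
# 192.168.1.0/24, eth1 is the Internet side, the proxy listens on port 8000.
# Set IPCHAINS="echo ipchains" to dry-run and see the rules that would load.
IPCHAINS="${IPCHAINS:-ipchains}"
LAN=192.168.1.0/255.255.255.0
LAN_IF=eth0
EXT_IF=eth1

# load_rules: every rule in order; with a closed chain, order and completeness
# decide what still works, so the ACCEPT rules come first and are explicit.
load_rules() {
    # start from a known state: empty chains, closed input and forward, open output
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY

    # loopback and the private LAN are trusted
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -s "$LAN" -j ACCEPT

    # the sensitive machine must never be reachable from outside the LAN
    $IPCHAINS -A input -s ! "$LAN" -d 192.168.1.10 -j DENY

    # no new TCP connections from the Internet (SYN set); log attempts with -l
    $IPCHAINS -l -A input -i "$EXT_IF" -p tcp -s ! "$LAN" -y -j REJECT

    # packets of connections opened from inside (SYN not set) are allowed back in
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # DNS answers from outside name servers (source port 53)
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT

    # transparent proxy: LAN web requests are redirected to the local proxy
    $IPCHAINS -A input -i "$LAN_IF" -p tcp -s "$LAN" -d 0/0 www -j REDIRECT 8000

    # masquerade LAN traffic bound for the Internet only
    $IPCHAINS -A forward -i "$EXT_IF" -s "$LAN" -d ! "$LAN" -j MASQ
}

# enable_forwarding: masquerading needs the kernel to forward packets at all
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh rc.firewall start   (as root, from the boot scripts)
case "${1:-}" in
    start) enable_forwarding; load_rules ;;
esac
```

The DENY policy on the input chain means anything not listed here is dropped, so a forgotten service shows up as "it stopped working" rather than as an exposure; the logged REJECT rule for inbound SYN packets is what makes connection attempts from the Internet visible with dmesg | grep "Packet log".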

Shekhar Govindarajan

Simply speaking, a firewall is something that stands between two entities and controls access between them. These entities can be your private network on one side and a public network, like the Internet, on the other. They can also be your desktop PC or your network server on one side and hackers on the other. There are both software and hardware firewalls. While the former sits on computers, the latter is built into routers and Internet gateways. In this article, we’ll look at the types of firewalls and how they work.

The basic principle

To understand how firewalls work, let’s take Internet connectivity as an example. Any machine, be it a desktop PC, a network server, or even a hardware router, can connect to the Internet using an IP address. Once connected, it communicates using the TCP/IP protocol stack, which consists of a number of protocols like HTTP, FTP, and Telnet. These protocols work on specific port numbers, with each having its default port number (HTTP uses 80, Telnet uses 23, etc). If any of these is left unguarded, a hacker can use umpteen different tools and techniques to access your network or PC. This is where a firewall comes into the picture. It controls access to all protocols and port numbers so that nothing suspicious can get through. In addition, it can also grant or deny access based on usernames, machine names, and IP addresses. It can also control non-TCP/IP protocols like IPX/SPX.

Firewalls can be broadly classified into application proxy and packet-filtering firewalls. Let’s understand what they mean and do.

Application proxy firewalls

This type of firewall is implemented in proxy servers. Anyone wanting to access anything outside your network must go through the proxy server. The proxy firewall will grant or block access depending upon a set of predefined rules. These rules can be defined based on user name, the machine’s IP address, or protocols like TCP/IP, UDP, ICMP, etc. You can also define access by port numbers. Proxy servers work at the application layer of the seven-layered OSI network model. A proxy server can, therefore, distinguish between application-specific data flowing across it. For example, it can distinguish between an MP3 file and a ZIP file. The access rules are defined based on network applications like FTP, Telnet, Network News Transport Protocol (NNTP). The distinct feature of a proxy firewall is that it doesn’t allow direct communication. The machines on either side of it (on the trusted or untrusted network) can only see the proxy and not each other. So when a connection is requested, the proxy server connects to the destination node on behalf of the requesting machine. To use a proxy, all client machines have to be specifically configured for it.

Packet-filtering firewalls

Packet-filtering firewalls work at the network layer of the OSI model and are thus faster than proxy firewalls. A packet-filtering firewall grants or denies access based on information contained in the packet header. All data traveling through a network is fragmented into smaller chunks called packets. Each packet consists of information like its source, destination, protocol, port, and some flags (data fields that are set (1) or reset (0)). If a packet is allowed access by the packet-filtering firewall, it’s directly routed to the destination. One drawback of such a firewall is that it does not look into the packet contents. So a packet containing malicious data could be allowed access, which will then go through and create havoc. Packet-filtering firewalls are generally implemented in hardware routers called screening routers. Some hybrid firewalls, which combine both the proxy and packet-filtering capabilities, also exist.

Firewall setups

Firewalls can be set up in two ways: Dual Homed and Demilitarized Zone (DMZ) setups. In a Dual Homed setup, one firewall stands between the trusted and untrusted networks. It has two interfaces, internal for the trusted, and external for the untrusted network. These interfaces can be network cards on the same machine or ports on a router. All packets that have to traverse between these two networks must go through the firewall. So a packet coming from the untrusted network will first land at the external interface. The firewall will then compare it against the pre-defined access rules. If allowed access, the firewall will route the packet to the private network through the internal interface. The machine on which the firewall is set up is called a Bastion host. In this setup the Bastion host presents a single point of attack. Anyone who can break into the Bastion host can access your private network. So the Bastion host must have a robust security policy.

The DMZ setup is used when you have a private network which must be shielded from the Internet, but at the same time you provide some services like Web access, e-mail facilities, etc. to the public through the Internet. In such a case, the Web, mail and news servers must be allowed comparatively lenient access, but the machines in your private network must be protected by strict access-control rules. Thus the public servers reside in an area called the demilitarized zone. This area is surrounded by two firewalls as shown in the diagram. The first firewall, F1, provides lenient access control rules so that people across the Internet can access the public servers. But the second firewall, F2, defines strict access control rules. If, by chance, anyone exploits a hole in the firewall F1 and gains privileged access to the machines hosting the public services, the person will still be held back by the strong rules defined by firewall F2.

Personal firewalls

Apart from enterprise networks, you may need a firewall even if you are browsing the Internet through a single desktop computer at home. If you use Internet applications like ICQ, and if these applications have some weaknesses or bugs, then an anonymous person can exploit them to bring your computer down. If you are one of those who blindly accept files from anonymous persons (maybe when chatting), you may unknowingly accept a file that can be an installer of a service that may continuously run on a port. The sender of the file can simply connect to it and issue commands to break down your computer. This is how a popular Trojan called Back Orifice works. In the case of home computers, a simple firewall called a personal firewall can be used. Examples of this kind of firewall are Conseal PC Firewall and VirusMD Personal Firewall, given on this month’s CD.

The central idea is that if firewalls are deployed effectively they will keep your network secure. Discussion in this article is supplemented by articles in this issue that explain how to set up firewall capabilities in ISA Server on Windows 2000, configuring Ipchains, and firewalls for Linux.

Shekhar Govindarajan
