Linux Firewalls, Third Edition
STEVE SUEHRING
ROBERT ZIEGLER

Published by Pearson Education, Inc.
800 East 96th Street, Indianapolis, Indiana 46240 USA

Linux Firewalls, Third Edition
Copyright © 2006 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-672-32771-6
Library of Congress Catalog Card Number: 2004098792
Printed in the United States of America
First Printing: September 2005
08 07 06 05 4 3 2 1

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Novell Press cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Novell is a registered trademark, and Novell Press and the Novell Press logo are trademarks of Novell, Inc. in the United States and other countries. All brand names and product names used in this book are trade names, service marks, trademarks, or registered trademarks of their respective owners.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author(s) and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special and Bulk Sales
Pearson offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419
[email protected]
For sales outside of the U.S., please contact
International Sales
[email protected]

Novell Press is the exclusive publisher of trade computer technology books that have been authorized by Novell, Inc. Novell Press books are written and reviewed by the world's leading authorities on Novell and related technologies, and are edited, produced, and distributed by the Que/Sams Publishing group of Pearson Education, the worldwide leader in integrated education and computer technology publishing. For more information on Novell Press and Novell Press books, please go to www.novellpress.com.

Acquisitions Editor: Linda Bump Harrison
Development Editor: Scott Meyers
Managing Editor: Charlotte Clapp
Project Editor: Mandie Frank
Copy Editor: Cheri Clark
Indexer: Erika Millen
Proofreader: Kathy Bidwell
Technical Editor: A.J. Prowant
Publishing Coordinator: Vanessa Evans
Book Designer: Gary Adair
Page Layout: Julie Parks
Associate Publisher: Mark Taber
Program Manager, Novell, Inc., and Marketing Manager: Doug Ingersoll, Darrin Vandenbos

Contents at a Glance

Introduction  1

PART I: Packet-Filtering and Basic Security Measures
CHAPTER 1: Preliminary Concepts Underlying Packet-Filtering Firewalls  7
CHAPTER 2: Packet-Filtering Concepts  31
CHAPTER 3: iptables: The Linux Firewall Administration Program  63
CHAPTER 4: Building and Installing a Standalone Firewall  101

PART II: Advanced Issues, Multiple Firewalls, and Perimeter Networks
CHAPTER 5: Firewall Optimization  181
CHAPTER 6: Packet Forwarding  213
CHAPTER 7: NAT—Network Address Translation  261
CHAPTER 8: Debugging the Firewall Rules  281

PART III: Beyond iptables
CHAPTER 9: Intrusion Detection and Response  315
CHAPTER 10: Intrusion-Detection Tools  329
CHAPTER 11: Network Monitoring and Attack Detection  345
CHAPTER 12: Filesystem Integrity  381
CHAPTER 13: Kernel Enhancements  399

PART IV: Appendices
APPENDIX A: Security Resources  425
APPENDIX B: Firewall Examples and Support Scripts  427
APPENDIX C: VPNs  475
APPENDIX D: Glossary  487

INDEX  499

Table of Contents

Introduction  1
    The Purpose of This Book  2
    Who Should Read This Book  3
    Linux Distribution  3
    Errors in This Book  4
    Companion Website  4

PART I: Packet-Filtering and Basic Security Measures

CHAPTER 1: Preliminary Concepts Underlying Packet-Filtering Firewalls  7
    The OSI Networking Model  9
        Connectionless Versus Connection-Oriented Protocols  11
        Next Steps  12
    The IP  12
        IP Addressing and Subnetting  12
        IP Fragmentation  16
        Broadcasting and Multicasting  17
        ICMP  18
    Transport Mechanisms  20
        UDP  20
        TCP  20
    Don't Forget ARP  24
    Hostnames and IP Addresses  24
        IP Addresses and Ethernet Addresses  24
    Routing: Getting a Packet from Here to There  25
    Service Ports: The Door to the Programs on Your System  25
        A Typical TCP Connection: Visiting a Remote Website  27
    Summary  30

CHAPTER 2: Packet-Filtering Concepts  31
    A Packet-Filtering Firewall  33
    Choosing a Default Packet-Filtering Policy  35
    Rejecting Versus Denying a Packet  38
    Filtering Incoming Packets  38
        Remote Source Address Filtering  38
        Local Destination Address Filtering  42
        Remote Source Port Filtering  42
        Local Destination Port Filtering  43
        Incoming TCP Connection-State Filtering  43
        Probes and Scans  43
        Denial-of-Service Attacks  48
        Source-Routed Packets  56
    Filtering Outgoing Packets  56
        Local Source Address Filtering  57
        Remote Destination Address Filtering  57
        Local Source Port Filtering  58
        Remote Destination Port Filtering  58
        Outgoing TCP Connection-State Filtering  59
    Private Versus Public Network Services  59
        Protecting Nonsecure Local Services  60
        Selecting Services to Run  60
    Summary  61

CHAPTER 3: iptables: The Linux Firewall Administration Program  63
    Differences Between IPFW and Netfilter Firewall Mechanisms  64
        IPFW Packet Traversal  65
        Netfilter Packet Traversal  66
    Basic iptables Syntax  67
    iptables Features  68
        NAT Table Features  71
        mangle Table Features  73
    iptables Syntax  74
        filter Table Commands  75
        filter Table Target Extensions  80
        filter Table Match Extensions  82
        NAT Table Target Extensions  95
        mangle Table Commands  98
    Summary  99

CHAPTER 4: Building and Installing a Standalone Firewall  101
    iptables: The Linux Firewall Administration Program  102
        Build Versus Buy: The Linux Kernel  104
        Source and Destination Addressing Options  104
    Initializing the Firewall  106
        Symbolic Constants Used in the Firewall Examples  107
        Enabling Kernel-Monitoring Support  108
        Removing Any Preexisting Rules  109
        Resetting Default Policies and Stopping the Firewall  110
        Enabling the loopback Interface  111
        Defining the Default Policy  111
        Stealth Scans and TCP State Flags  112
        Using Connection State to Bypass Rule Checking  113
        Source Address Spoofing and Other Bad Addresses  114
    Protecting Services on Assigned Unprivileged Ports  119
        Common Local TCP Services Assigned to Unprivileged Ports  120
        Common Local UDP Services Assigned to Unprivileged Ports  122
    Enabling Basic, Required Internet Services  124
        Allowing DNS (UDP/TCP Port 53)  124
        Filtering the AUTH User Identification Service (TCP Port 113)  130
    Enabling Common TCP Services  132
        Email (TCP SMTP Port 25, POP Port 110, IMAP Port 143)  133
        Accessing Usenet News Services (TCP NNTP Port 119)  142
        Telnet (TCP Port 23)  144
        SSH (TCP Port 22)  146
        FTP (TCP Ports 21, 20)  148
        Web Services  153
        Whois (TCP Port 43)  157
        RealAudio, RealVideo, and QuickTime (TCP Ports 554 and 7070)  158
    Enabling Common UDP Services  160
        traceroute (UDP Port 33434)  160
        Accessing Your ISP's DHCP Server (UDP Ports 67, 68)  162
        Accessing Remote Network Time Servers (UDP Port 123)  165
    Filtering ICMP Control and Status Messages  166
        Error Status and Control Messages  167
        ping Echo Request (Type 8) and Echo Reply (Type 0) Control Messages  169
    Logging Dropped Incoming Packets  170
    Logging Dropped Outgoing Packets  172
    Denying Access to Problem Sites Up Front  172
    Installing the Firewall  173
        Tips for Debugging the Firewall Script  174
        Starting the Firewall on Boot with Red Hat and SUSE  175
        Starting the Firewall on Boot with Debian  175
        Installing a Firewall with a Dynamic IP Address  176
    Summary  176

PART II: Advanced Issues, Multiple Firewalls, and Perimeter Networks

CHAPTER 5: Firewall Optimization  181
    Rule Organization  181
        Begin with Rules That Block Traffic on High Ports  182
        Use the State Module for ESTABLISHED and RELATED Matches  182
        Consider the Transport Protocol  182
        Place Firewall Rules for Heavily Used Services as Early as Possible  184
        Use the Multiport Module to Specify Port Lists  184
        Use Traffic Flow to Determine Where to Place Rules for Multiple Network Interfaces  184
    User-Defined Chains  185
    Optimized Example  188
        User-Defined Chains in the Script  188
        Firewall Initialization  190
        Installing the Chains  192
        Building the User-Defined EXT-input and EXT-output Chains  195
        tcp-state-flags  204
        connection-tracking  205
        local_dhcp_client_query and remote_dhcp_server_response  206
        source-address-check  207
        destination-address-check  208
        Logging Dropped Packets  208
    What Did Optimization Buy?  210
    Summary  212

CHAPTER 6: Packet Forwarding  213
    The Limitations of a Standalone Firewall  213
    Basic Gateway Firewall Setups  215
    LAN Security Issues  217
    Configuration Options for a Trusted Home LAN  218
        LAN Access to the Gateway Firewall  220
        LAN Access to Other LANs: Forwarding Local Traffic Among Multiple LANs  221
    Configuration Options for a Larger or Less Trusted LAN  222
        Dividing Address Space to Create Multiple Networks  223
        Selective Internal Access by Host, Address Range, or Port  225
    A Formal Screened-Subnet Firewall Example  231
        Symbolic Constants Used in the Firewall Examples  232
        Setting the Stage on the Choke Firewall  234
        Removing Any Preexisting Rules from the Choke Firewall  235
        Defining the Choke Firewall's Default Policy  236
        Enabling the Choke Machine's Loopback Interface  237
        Stealth Scans and TCP State Flags  237
        Using Connection State to Bypass Rule Checking  238
        Source-Address Spoofing and Other Bad Addresses  238
        Filtering ICMP Control and Status Messages  240
        Enabling DNS (UDP/TCP Port 53)  241
        Filtering the AUTH User Identification Service (TCP Port 113)  246
        Email (TCP SMTP Port 25, POP3 Port 110, IMAP Port 143)  246
        Accessing Usenet News Services (TCP NNTP Port 119)  248
        Telnet (TCP Port 23)  249
        SSH (TCP Port 22)  250
        FTP (TCP Ports 21 and 20)  251
        Web Services  253
        Choke as a Local DHCP Server (UDP Ports 67 and 68)  256
        Logging  258
    Converting the Gateway from Local Services to Forwarding  258
    Summary  258

CHAPTER 7: NAT—Network Address Translation  261
    The Conceptual Background of NAT  261
    iptables NAT Semantics  266
        Source NAT  268
        Destination NAT  270
    Examples of SNAT and Private LANs  271
        Masquerading LAN Traffic to the Internet  271
        Applying Standard NAT to LAN Traffic to the Internet  273
    Examples of DNAT, LANs, and Proxies  274
        Host Forwarding  274
        Host Forwarding and Port Redirection  275
        Host Forwarding to a Server Farm  276
        Host Forwarding to Servers in a Privately Addressed DMZ  277
        Local Port Redirection—Transparent Proxying  279
    Summary  280