Monday, April 28, 2008

Intrusion Detection and Firewall Security


The virtual network


The FORWARD chain belonging to the filter table is responsible for filtering all forwarded traffic. What is allowed to pass through your firewall, and back, is defined here.

Compared to the INPUT and OUTPUT chain, this chain has an option both for the incoming interface and the outgoing:

This rule will forward any incoming traffic on interface $LOCAL_IFACE claiming to be from a local IP address to the outside. Half the job is done. Next we have to make sure the returning packets get back in again, which is not yet the case.
This rule opens for related and established packets that are going back in again. With these two rules, we have built a firewall that allows any connection to the outside, but no connections from the outside in. A typical solution for home networks.

This does not automatically open up the firewall. After specifying the rules we still have to enable packet forwarding in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward

The question remaining now is: do you really want all new connections from the inside to slip out?
If you do, you can leave the rules like that. If not, you have to be more specific about what is allowed out.
The rule for the returning packets is fine, but it does not help if you want to actually make some services publicly available, like WWW or SSH. For that you will need a specific rule for each service, just like in the personal firewall.
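The FORWARD chain described above, written out as a script (an added example, not part of the original notes). It shows the "be more specific" variant: replies are let back in, but only listed services may leave the LAN, and whatever reaches the end of the chain is logged before the DROP policy discards it. The names LOCAL_IFACE, EXT_IFACE and LAN_NET are assumptions; setting IPT=echo gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original notes): the FORWARD chain of a
# home firewall. Assumed names: LOCAL_IFACE, EXT_IFACE, LAN_NET.
# IPT=echo prints the rules instead of touching the running kernel.
IPT="${IPT:-iptables}"
LOCAL_IFACE="${LOCAL_IFACE:-eth1}"
EXT_IFACE="${EXT_IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample LAN range

forward_rules() {
    # Default policy: nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies belonging to connections opened from the inside may come back.
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$LOCAL_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: instead of letting every new connection slip out, list the
    # services the LAN may reach. Each rule also checks that the source
    # address really belongs to the LAN (the "claiming to be local" check).
    for port in 53 80 443 22; do
        $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" \
        -p udp --dport 53 -j ACCEPT

    # Anything else falls through to the DROP policy; log it (rate limited)
    # so unexpected forwarded traffic shows up in the kernel log.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

enable_forwarding() {
    # The rules alone do nothing until the kernel is told to forward packets.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when asked to, so the script can be sourced for a dry run.
if [ "${1:-}" = "apply" ]; then
    forward_rules
    enable_forwarding
fi
```

Run as root with `sh fw-forward.sh apply`; with `IPT=echo sh fw-forward.sh apply` (not as root) it only prints the rules.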

What can enter the firewall, what shall be forwarded?

The traffic we allow for forwarding is not the same we allow to access the firewall itself. You can perfectly well drop WWW requests destined for your firewall but forward all WWW requests to other machines.
Important point:
All packets with a destination IP matching your firewall will go to the INPUT chain.
All packets coming to your firewall but with a destination address other than the firewall itself will go to your FORWARD chain.

It is crucial that you understand this point.

Pop question: How is it possible that my machine gets packets that are intended for another IP address, even if the network interface is not in promiscuous mode?

This widens your system policy somewhat. Is it safe to allow SSH access to your firewall from the outside? One solution is to forward all incoming SSH to one special machine on the inside. This mechanism is called port forwarding.

Other firewall functions

This addresses some of the additional features one associates with firewalls. While the typical task is packet filtering, modification of packet headers is increasingly common. Iptables has many of these additional features in the nat and mangle tables. Although most organisational networks don't have any use for these features, it is crucial to know about them when looking at network traffic. Some of these features show that you cannot draw any conclusions about a host based entirely on its IP address, nor can you expect a host on the other side of a connection to identify your machines correctly based on the IP address it sees.


Network address translation is about modifying the address fields of packets as they enter or leave your firewall. The purpose of this is potentially two-fold:
  • To separate the network behind the firewall into a separate subnet.
  • To obscure the addresses of devices behind the firewall to the outside world.
There are three ranges of private addresses which can be used as addresses within the local net. These IP addresses will not be forwarded to the Internet by a properly working router.
We divide NAT into three categories:
  • Traditional NAT
    This is the classic variant, where we replace the source field of outgoing packets with the firewall's address. Since the outside only sees one machine, no one from the outside can connect directly to the machines on the inside. The address seen by the outside world can be the firewall's IP address, or it can be chosen to be another official IP address used by the organization. This can be configured as a matter of policy.

    If the firewall also changes the source port number, then we call it Network Address and Port Translation (NAPT). This strategy is commonly used by organizations to extend the number of hosts they can have attached to the Internet, with only a limited number of public IP addresses.

  • Bidirectional NAT
    This is a two-way address translation: a one-to-one mapping between a public address and a machine on the inside with a private address. This way the machine on the inside is publicly available. This form of NAT can be used for failover or load balancing.
  • Twice NAT
    Here we both interchange the source and destination fields of the packets. This is a very exotic variant, often used to mend conflicting subnets. (Pretend you never heard this!)
It's important to distinguish between forwarding and Network Address Translation. You can forward without changing any source or destination fields (this is what a router does). You can even forward without changing the MAC address (this is what a bridge does). More on that later.

The most used form of NAT is both source and port translation. This is formerly known as Masquerading. A packet coming from the LAN will get its source address field swapped with that of the firewall's external interface.

Traditional NAT

Traditional NAT is the most common variant and is used in most home networks. Without NAT, the way packets are sent is as shown in the following example:
If the internal LAN uses private addresses, the last gateway must perform NAT, as shown in the following example of traditional NAT:

iptables and NAT

Iptables supports all three types of NAT as defined in RFC 2663. Forwarding and NAT are separated in iptables. The forwarding part, as we have already seen, is done by the FORWARD chain of the filter table.

When writing NAT and forwarding rules, it is essential to know the packet flow through iptables which is as follows.

The mangle table is not considered here, but it has chains in all five locations. If we look more specifically at the traffic through one of the gateways (fw07 in the figure), the packet flow through the firewall can be pictured like this:

Network Address Translation is done by the nat table and its PREROUTING, POSTROUTING and OUTPUT chains. The translation can therefore take place either before or after the routing of the packet. Source NAT (SNAT) is done in POSTROUTING, after the filtering and routing is done, and in OUTPUT for locally generated packets. Destination NAT (DNAT) is done in the PREROUTING chain, before routing. This can be somewhat tricky, since the packet will already have the new destination address when it is routed and filtered in the FORWARD or INPUT chain.

Iptables needs only one rule per NAT mapping. When a response comes in from the outside, it is automatically translated back to match its intended target on the inside. So we end up with three rules for NAT to work: two rules in the FORWARD chain (one for each direction) and only one rule in the nat table.

Source NAT

There are two types of Source NAT: SNAT and MASQUERADE.
  • SNAT
    Regular Source NAT. Packets can be given an IP address from a range of free ones for the duration of the connection. We can also assign port ranges to choose between.
    iptables -t nat -A POSTROUTING -o outgoing-interface [ eventual protocol specifications ] \
    -j SNAT --to-source address[-address][:port-port]

    iptables -t nat -A POSTROUTING -o $EXTERNAL_IFACE -p tcp -s $LAN_ADDRESSES --dport 80 \
    -j SNAT --to-source $MY_EXTERNAL_IP
  • MASQUERADE
    This one works almost the same way, but is intended for outgoing interfaces that have a dynamically assigned address. Home networks with a modem connection will use MASQUERADE instead of SNAT. When using the MASQUERADE target, we don't specify the source address to use; the firewall understands that we want to use the address of its outgoing interface.
    iptables -t nat -A POSTROUTING -o outgoing-interface [ eventual protocol specifications ] \
    -j MASQUERADE [--to-ports port[-port]]
    In home networks and the like, we usually want to translate everything that leaves the firewall for the Internet to have the firewall's external address:

Destination NAT

Also here, we have the choice between two targets: DNAT and REDIRECT.
  • DNAT
    This is the typical destination NAT. You use this for port forwarding to a machine on the inside. The target is allowed in the PREROUTING and OUTPUT chains.
    iptables -t nat -A PREROUTING -i incoming-interface [ eventual protocol specifications ] \
    -j DNAT --to-destination address[-address][:port[-port]]
    iptables -t nat -A PREROUTING -i $EXTERNAL_IFACE -p tcp --dport 80 \
    -j DNAT --to-destination $INTERNAL_WEB:80
    In this rule, we make sure that every incoming HTTP request ends up at our local web server.
  • REDIRECT
    A special type of DNAT, where we want to redirect incoming traffic to a port on the firewall, or outgoing traffic to the loopback device. This target can be applied in both the PREROUTING and the OUTPUT chain.
    iptables -t nat -A PREROUTING -i incoming-interface [ eventual protocol specifications ] \
    -j REDIRECT [--to-ports port[-port]]
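The "three rules for NAT to work" from the iptables and NAT section, extended with the DNAT port forward just described, as an added example that is not part of the original notes. Its point is the ordering caveat: the FORWARD rule that admits the forwarded HTTP traffic must match the translated internal address, because PREROUTING has already rewritten the destination by the time the filter sees it. EXT_IFACE, LOCAL_IFACE, LAN_NET and INTERNAL_WEB are assumed names; IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original notes): masquerading a LAN and
# port-forwarding HTTP to an internal web server, with the FORWARD rules
# the NAT rules depend on. Assumed names: EXT_IFACE, LOCAL_IFACE, LAN_NET,
# INTERNAL_WEB. IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
EXT_IFACE="${EXT_IFACE:-eth0}"
LOCAL_IFACE="${LOCAL_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # constructed sample LAN range
INTERNAL_WEB="${INTERNAL_WEB:-192.168.1.10}" # constructed sample web server

nat_rules() {
    # Source NAT for everything leaving the LAN: one rule is enough, the
    # replies are de-translated automatically by connection tracking.
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$LAN_NET" -j MASQUERADE

    # Destination NAT: HTTP arriving on the external interface is rewritten
    # to the internal web server before the routing decision is made.
    $IPT -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$INTERNAL_WEB:80"
}

forward_rules_for_nat() {
    # FORWARD runs after PREROUTING, so the filter rule for the port forward
    # must match the translated (internal) destination, not the public one.
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$LOCAL_IFACE" -d "$INTERNAL_WEB" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Replies in both directions for connections already being tracked.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the LAN outwards (the masqueraded traffic).
    $IPT -A FORWARD -i "$LOCAL_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
}

# Apply only when asked to, so the script can be sourced for a dry run.
if [ "${1:-}" = "apply" ]; then
    $IPT -P FORWARD DROP
    nat_rules
    forward_rules_for_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Without the `-d "$INTERNAL_WEB"` rule the DNAT mapping exists but the rewritten packet is dropped by the FORWARD policy, which is the usual reason a port forward "does not work".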

Level 2 Forwarding

When a packet gets forwarded by your firewall or a router, the MAC address field of the packet will be changed to that of the last network interface it passed through. When connecting several machines in a LAN with only switches and hubs between them, the MAC address stays untouched.

Some systems want to avoid this, since it shows that the packet just passed through a router or firewall.

The same can be achieved with a so-called level 2 firewall or bridge firewall. Honeynets typically have a bridge firewall, since they want to hide the fact that all packets to certain lures (honeypots) pass through a firewall with intrusion detection capability. There will be more on honeypots later in this course.

An important point concerning a bridge firewall is that it loses its ability to route traffic between subnets. As a bridge, the interfaces have no IP address and communicate only on the link layer (i.e. Ethernet). With no IP address, other hosts cannot use it as a gateway in their routing tables.

Second, with no IP address, how do you connect to the firewall for maintenance or reconfiguration? The answer is a third interface with an IP address that is not engaged in any routing.
