Packet Filtering - PowerPoint PPT Presentation

1
Packet Filtering
  • CS-480b
  • Dick Steflik

2
Stateless Packet Filters
  • A border router configured to pass or reject
    packets based on information in the header of
    each individual packet
  • can theoretically be configured to pass/reject
    based on any field
  • but usually done based on
  • protocol type
  • IP address
  • TCP/UDP port
  • Fragment offset (is this the first fragment of a packet?)
  • Source routing information

3
Protocol Filtering
  • Filtering based on the IP protocol field allows
    rejecting of entire protocol suites
  • UDP
  • TCP
  • ICMP
  • IGMP
  • This is almost too general
  • ex: suppose you block UDP; DNS runs over UDP, so
    any TCP based application won't be able to convert
    a host/domain name to an IP address
  • so it is seldom used.

4
IP Address Filtering
  • Pass/reject packets based on membership in a set
    of acceptable IP addresses
  • Usually not used to block specific hosts
  • exception: the AIM login server (oscar) is
    frequently blocked so corporate users can't use AIM
  • same for some disk backup services
  • Usually used to block source routed packets
  • big security hole (explained later)
  • Weakness: if a hacker knows an address that the
    filter will pass they can easily forge a packet
    with that source address that will pass through
    the filter

5
Port Filtering
  • Most commonly used filtering method
  • can also be thought of as protocol filtering as
    most ports below 1024 relate to specific high
    level protocols
  • pass all but those specified
  • reject all but those specified
  • Important ports/protocol to block
  • telnet
  • NetBIOS
  • POP
  • NFS
  • X Windows
  • Windows Terminal Services
  • pcAnywhere and VNC

6
Source Route Filtering
  • Source routed packets should never be allowed into
    your network
  • Source routing was added to IP to accommodate
    debugging
  • Allows you to specify the path a packet will take
    through your network
  • Strict Source Routing
  • Specifies the exact path to be taken
  • Loose Source Routing
  • Indicates one or more hosts the packet must go
    through
  • A hacker can plug in their own address and force
    packets to travel through a machine that they can
    sniff

7
Loose Source Routing
  • A packet is given a list of hops to be taken
  • Each packet carries the same source address; the
    destination is whatever the next IP in the hop
    path is. The hop path is carried in the IP Option
    field.
  • 131 is the type for Loose Source Routing (137 is
    Strict Source Routing)
  • Length: total length of the option in bytes
  • Offset (the "pointer" in RFC 791): byte offset,
    counted from 1, of the next IP to hop to; it
    starts at 4 and advances by 4 at each hop

IP Option field layout (Loose Source Route):
  Type (1 byte) = 131 | Length (1 byte) | Offset (1 byte) | IP 1 (4 bytes) | IP 2 (4 bytes) | ...
8
Loose Source Routed Example
For example, if a packet was generated from
10.1.1.1, with a final destination of 172.16.1.1
via a hop to 192.168.1.1, the initial packet
would have a source of 10.1.1.1, a dest of
192.168.1.1, and an IP option with a length of
7, an offset of 4, and the IP address 172.16.1.1
starting at byte 4. If 192.168.1.1 forwards
LSR packets, it would re-emit the packet with a
source of 10.1.1.1, a dest of 172.16.1.1, an
offset of 8 (now past the end of the option, so
the route is exhausted), and its own address
192.168.1.1 recorded at byte 4 in place of the
address it consumed.
Path: 10.1.1.1 -> 192.168.1.1 -> 172.16.1.1
Initial:   source 10.1.1.1, dest 192.168.1.1, IP Option 131,7,4,172.16.1.1
Forwarded: source 10.1.1.1, dest 172.16.1.1, IP Option 131,7,8,192.168.1.1
The problem with loose source routing is that some
stacks will reverse the source route when
responding to a source routed packet. This makes
it trivial for a hacker to spoof a packet coming
from a trusted source and insert their own
address in the source route. The unsuspecting
victim then sends return traffic addressed to the
spoofed source but loose-source-routed through
the attacker, who can sniff it.
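The walk above, as an added example that is not part of the slides: it builds the 131/7/4 option, applies the RFC 791 forwarding procedure at 192.168.1.1 and 172.16.1.1, shows what a stack that reverses source routes sends back, and includes the stateless check a border router should apply (drop anything carrying option 131 or 137). The attacker address 203.0.113.7 is a constructed example value.

```python
"""Loose source routing (IP option type 131): build, forward and reverse.

Added example, not from the slides: it walks the packet 10.1.1.1 -> 192.168.1.1
-> 172.16.1.1 through the RFC 791 forwarding procedure, then shows why a stack
that reverses source routes hands an attacker the return traffic.
"""
import ipaddress
import struct

LSR_TYPE = 131        # loose source route
SSR_TYPE = 137        # strict source route
FIRST_ADDR = 4        # RFC 791 "pointer" (the slide's "offset"): 1-based byte of next address


def build_lsr(src, first_hop, remaining):
    """Packet from src that first visits first_hop, then each address in
    remaining (the last one is the final destination).
    Returns (src, dst, option) with option = type, length, pointer, addresses."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in remaining)
    option = struct.pack("!BBB", LSR_TYPE, 3 + len(addrs), FIRST_ADDR) + addrs
    return src, first_hop, option


def parse_lsr(option):
    """Return (length, pointer, [addresses]) or raise on a malformed option."""
    typ, length, pointer = struct.unpack("!BBB", option[:3])
    if typ != LSR_TYPE or length != len(option) or (length - 3) % 4 or pointer < FIRST_ADDR:
        raise ValueError("malformed LSR option")
    addrs = [str(ipaddress.IPv4Address(option[i:i + 4])) for i in range(3, length, 4)]
    return length, pointer, addrs


def forward_lsr(me, src, dst, option):
    """What host `me` does with an LSR packet (RFC 791 section 3.1).
    Pointer past the end: route exhausted, the packet is delivered here.
    Otherwise the address at the pointer becomes the new destination, that slot
    is overwritten with our own address (the recorded route) and the pointer
    advances by 4. Returns (action, src, dst, option)."""
    length, pointer, _ = parse_lsr(option)
    if pointer > length:
        return "deliver", src, dst, option
    i = pointer - 1
    next_hop = str(ipaddress.IPv4Address(option[i:i + 4]))
    option = (option[:2] + bytes([pointer + 4]) + option[3:i]
              + ipaddress.IPv4Address(me).packed + option[i + 4:])
    return "forward", src, next_hop, option


def reply_route(src, dst, option):
    """A stack that reverses source routes answers a packet from src by
    source-routing the reply back through the recorded route, reversed:
    the reply's first hop is the last recorded hop."""
    _, _, recorded = parse_lsr(option)
    hops = list(reversed(recorded)) + [src]
    return build_lsr(dst, hops[0], hops[1:])


def has_source_route(options):
    """Stateless filter check: walk the IP options list (RFC 791 encoding) and
    report whether an LSR or SSR option is present. A border router should
    drop such packets outright."""
    i = 0
    while i < len(options):
        t = options[i]
        if t == 0:                       # End of Option List
            return False
        if t == 1:                       # No Operation: one byte, no length field
            i += 1
            continue
        if t in (LSR_TYPE, SSR_TYPE):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP options")
        i += options[i + 1]              # skip this option by its length
    return False


def demo():
    """Slide 8's packet plus the spoofing case; returns the interesting values."""
    src, dst, opt = build_lsr("10.1.1.1", "192.168.1.1", ["172.16.1.1"])
    act1, src, dst, opt = forward_lsr("192.168.1.1", src, dst, opt)   # intermediate hop
    act2, *_ = forward_lsr("172.16.1.1", src, dst, opt)                # final destination
    legit_reply = reply_route(src, dst, opt)
    # Attacker 203.0.113.7 (constructed address) spoofs trusted 10.1.1.1 and
    # pre-fills the recorded route with itself, pointer already past the end.
    spoofed_opt = struct.pack("!BBB", LSR_TYPE, 7, 8) + ipaddress.IPv4Address("203.0.113.7").packed
    spoofed_reply = reply_route("10.1.1.1", "172.16.1.1", spoofed_opt)
    return {"forwarded": (act1, src, dst, opt), "final": act2,
            "legit_reply": legit_reply, "spoofed_reply": spoofed_reply}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the spoofed case the victim's reply has destination 203.0.113.7 and the trusted address only in the remaining-hops list, so the first hop of the return traffic is the attacker, exactly the sniffing position the slide describes.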
9
Fragmentation Filtering
  • Fragmentation was added to IP to facilitate
    passing through a network that only supports
    small packet sizes
  • Any router in the path can break a large packet
    up into smaller pieces
  • problem is that the TCP/UDP header, and so the
    port numbers, is only in the first fragment; later
    fragments carry no port for a filter to check, so
    port filtering on TCP or UDP is lost for them

10
Problems with Stateless Filters
  • Effectiveness of stateless filters is limited due
    to
  • They cannot check the payload of the packets
  • service related filtering can only be done by
    application level proxies
  • They do not retain the state of the connections

11
Stateful Packet Filtering
  • Record the state of all connections flowing
    through the firewall and use the connection state
    as the basis for dropping packets
  • create an in memory state table for the state of
    all Network and session layers
  • pass only packets relating to allowed
    (configured) ports that are currently in the
    state table.
  • Drop entries when the TCP close (FIN/RST) happens
    or after a few minutes of inactivity; this ensures
    that the table stays clean and without holes in it
  • Newer Firewalls all provide Stateful packet
    filtering
  • some also provide higher level protocol proxying
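The state table idea in working form, as an added example that is not from the slides: a connection tracker keyed on the 5-tuple that only lets the internal interface open connections to configured ports, passes return traffic only while an entry exists, shortens an entry's lifetime once FIN or RST is seen, and expires idle entries. The interface names, addresses, ports and the packet trace are constructed for the example.

```python
"""Stateful packet filter in miniature: a connection table drives the verdict.

Added example, not from the slides. Interface names, addresses, ports and the
packet trace are constructed; the trace stands in for what the firewall sees.
"""
from collections import namedtuple

# t: seconds; iface: interface the packet arrived on (eth1 = inside, eth0 = outside)
# flags: TCP flag letters (S=SYN, A=ACK, F=FIN, R=RST); "" for UDP
Packet = namedtuple("Packet", "t iface proto src sport dst dport flags")
INSIDE_IFACE = "eth1"


class StatefulFilter:
    def __init__(self, allowed_dports, idle_timeout=180, close_timeout=10):
        self.allowed = set(allowed_dports)
        self.idle_timeout = idle_timeout     # drop an entry nobody has used for this long
        self.close_timeout = close_timeout   # after FIN/RST only the teardown may follow
        self.table = {}                      # (proto, a, aport, b, bport) -> [last_seen, timeout]

    def _expire(self, now):
        """Drop stale entries so the table stays clean and without holes in it."""
        for key, (last_seen, timeout) in list(self.table.items()):
            if now - last_seen > timeout:
                del self.table[key]

    def filter(self, p):
        self._expire(p.t)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev
        if key in self.table:
            # Part of a tracked connection: refresh it, or start teardown on FIN/RST
            entry = self.table[key]
            entry[0] = p.t
            if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
                entry[1] = self.close_timeout
            return "ACCEPT"
        # Unknown connection: only the inside may open one, only to allowed ports,
        # and for TCP only with a bare SYN (a stray ACK is not a new connection)
        opens = p.proto != "tcp" or p.flags == "S"
        if p.iface == INSIDE_IFACE and p.dport in self.allowed and opens:
            self.table[fwd] = [p.t, self.idle_timeout]
            return "ACCEPT"
        return "DROP"


def run(trace, allowed_dports=(53, 80, 443)):
    """Apply the filter to a packet trace; returns one verdict per packet."""
    fw = StatefulFilter(allowed_dports)
    return [fw.filter(p) for p in trace]


# Constructed trace; the comments give the verdict each packet should receive.
SAMPLE_TRACE = [
    Packet(0, "eth1", "tcp", "192.168.10.5", 40000, "93.184.216.34", 80, "S"),    # ACCEPT: new outbound
    Packet(1, "eth0", "tcp", "93.184.216.34", 80, "192.168.10.5", 40000, "SA"),   # ACCEPT: matches table
    Packet(2, "eth0", "tcp", "203.0.113.9", 31337, "192.168.10.5", 22, "S"),      # DROP: unsolicited inbound
    Packet(3, "eth0", "tcp", "203.0.113.9", 80, "192.168.10.5", 40001, "A"),      # DROP: ACK with no state
    Packet(4, "eth1", "udp", "192.168.10.5", 5353, "192.0.2.53", 53, ""),         # ACCEPT: outbound DNS
    Packet(5, "eth0", "udp", "192.0.2.53", 53, "192.168.10.5", 5353, ""),         # ACCEPT: DNS answer
    Packet(10, "eth1", "tcp", "192.168.10.5", 40002, "198.51.100.4", 443, "S"),   # ACCEPT: new outbound
    Packet(11, "eth0", "tcp", "198.51.100.4", 443, "192.168.10.5", 40002, "SA"),  # ACCEPT
    Packet(12, "eth1", "tcp", "192.168.10.5", 40002, "198.51.100.4", 443, "FA"),  # ACCEPT: entry now closing
    Packet(15, "eth0", "tcp", "198.51.100.4", 443, "192.168.10.5", 40002, "FA"),  # ACCEPT: inside close window
    Packet(30, "eth0", "tcp", "198.51.100.4", 443, "192.168.10.5", 40002, "A"),   # DROP: closing entry expired
    Packet(200, "eth0", "tcp", "93.184.216.34", 80, "192.168.10.5", 40000, "A"),  # DROP: idle entry expired
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"t={p.t:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags or '-':3} {verdict}")
```

Packet 3 is the case a stateless filter gets wrong: a rule of the form "accept TCP with source port 80" (or a `-y`/`--syn` rule that only stops bare SYNs) lets that ACK in, while the tracker drops it because no entry exists for the connection.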

12
Hacking Through Packet Filters
  • The following exploits are common
  • TCP can only be filtered in the 0th fragment (the
    TCP header is only there)
  • by sending a fragment with a fragment offset of 1
    (the RFC 1858 overlapping fragment attack) the
    packet will usually pass through the packet filter
  • Older packet filters only filter ports below 1024
  • it used to be that only HTTP used higher numbered
    ports for passing data back to web browsers; many
    newer applications use ports above 1024 for normal
    communication
  • Public services must be forwarded
  • services like the updating of web pages via
    Netscape Composer must be controlled (possibly by
    IP address) to limit public access
  • Trojan horses can defeat packet filters using NAT
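The fragment problem of slides 9 and 12 in working form, as an added example that is not from the slides: hand-built IP fragments are run through a stateless filter that can only inspect TCP fields in fragment 0, then through the same filter with the two RFC 1858 checks added (fragment 0 must carry the whole TCP header; a fragment at offset 1 is dropped). A victim-side reassembler with a "later fragment overwrites" policy shows why the offset-1 fragment matters. All packets and addresses are constructed, with checksums left zero.

```python
"""Fragment evasion of a stateless TCP filter, and the RFC 1858 counter-measures.

Added example, not from the slides. All packets are constructed here (IP and
TCP checksums left zero); the victim's reassembly policy "later fragment
overwrites earlier data" is the behaviour RFC 1858 describes for some stacks.
"""
import struct

TCP = 6
SYN, ACK = 0x02, 0x10


def ipv4(src, dst, proto, payload, offset=0, mf=False, ident=0x1234):
    """IPv4 header without options (checksum zero) in front of payload.
    offset is the fragment offset in bytes; on the wire it is sent in 8-byte units."""
    assert offset % 8 == 0
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def tcp_header(sport, dport, flags):
    """Plain 20-byte TCP header: seq 1, ack 0, data offset 5, window 8192, checksum 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    vihl, _, total, _, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (vihl & 0x0F) * 4
    return {"proto": proto, "mf": bool(flags_off & 0x2000),
            "offset": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total]}


def tcp_fields(payload):
    """(dport, flags) from the start of a TCP header; each is None when the
    fragment is too short to contain it (dport is bytes 2-3, flags is byte 13)."""
    dport = struct.unpack("!H", payload[2:4])[0] if len(payload) >= 4 else None
    flags = payload[13] if len(payload) >= 14 else None
    return dport, flags


def naive_filter(pkt, blocked_dports, syn_ok_dports):
    """The stateless filter of the slides: TCP fields exist only in fragment 0, so
    every other fragment is passed, as is anything it cannot see in fragment 0.
    Policy: drop blocked ports; drop inbound SYN unless the port is public."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != TCP or ip["offset"] != 0:
        return "ACCEPT"
    dport, flags = tcp_fields(ip["payload"])
    if dport in blocked_dports:
        return "DROP"
    if flags is not None and flags & SYN and dport not in syn_ok_dports:
        return "DROP"
    return "ACCEPT"


def rfc1858_filter(pkt, blocked_dports, syn_ok_dports):
    """Same policy plus RFC 1858: a TCP fragment 0 must carry the full 20-byte
    header (direct method) and a fragment at offset 1, i.e. 8 bytes, is always
    dropped (indirect method), because a legitimate stack never produces one."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == TCP and (ip["offset"] == 8 or (ip["offset"] == 0 and len(ip["payload"]) < 20)):
        return "DROP"
    return naive_filter(pkt, blocked_dports, syn_ok_dports)


def reassemble(fragments):
    """Victim-side reassembly where a later fragment overwrites earlier bytes."""
    buf = bytearray()
    for frag in fragments:
        ip = parse_ipv4(frag)
        end = ip["offset"] + len(ip["payload"])
        buf.extend(b"\0" * max(0, end - len(buf)))
        buf[ip["offset"]:end] = ip["payload"]
    return bytes(buf)


def overlap_attack(attacker="203.0.113.9", victim="192.168.10.5"):
    """Fragment 0 looks like harmless return traffic (ACK to port 22); fragment 1
    (offset 8) rewrites the flags byte to SYN once the victim reassembles."""
    frag0 = ipv4(attacker, victim, TCP, tcp_header(31337, 22, ACK), offset=0, mf=True)
    frag1 = ipv4(attacker, victim, TCP, tcp_header(31337, 22, SYN)[8:], offset=8)
    blocked, public = {23}, {80}          # telnet blocked outright; only HTTP may take a SYN
    return {
        "naive": [naive_filter(f, blocked, public) for f in (frag0, frag1)],
        "rfc1858": [rfc1858_filter(f, blocked, public) for f in (frag0, frag1)],
        "reassembled": tcp_fields(reassemble([frag0, frag1])),
    }


if __name__ == "__main__":
    print(overlap_attack())
```

The naive filter passes both fragments and the victim reassembles a SYN to port 22, which the policy was supposed to stop; the RFC 1858 filter drops the offset-8 fragment so reassembly never completes. The same filter also drops the "tiny fragment" variant, a fragment 0 of only 8 bytes that shows the ports but hides the flags.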

13
Best Practices
  • Use a proxy
  • physically breaks the network path
  • Use Stateful Packet Filters
  • can't be bypassed like stateless filters
  • Disable all Ports by Default
  • enable only what is absolutely needed
  • if a Trojan Horse gets in it will most likely set
    up a server that the hacker can then attach to;
    if the port is blocked, this can't happen
  • Secure the Base Operating System (Hardening)
  • apply all patches provided by vendor
  • check the vendor web site frequently
  • always use a hardened protocol stack

14
IP Chains
  • Stateless packet filter
  • optionally built into the Linux kernel
  • will pass or deny packets based on a rule set
    applied against IP header fields
  • used in v 2.2 kernels, replaced by IPTables in
    2.4 kernels

15
IPChains Flow
  IP packet arrives (from a network interface, or from the lo interface for local traffic)
    -> checksum check -> sanity check
    -> Input Chain (DENY: packet dropped here)
    -> Demasquerade (replies to masqueraded connections are rewritten here)
    -> Route Decision: Local delivery, or Forward Chain (DENY: packet dropped here)
    -> Output Chain (DENY: packet dropped here)
    -> ACCEPT: packet is sent out
16
IPChains Commands
  -A  Add rule to chain
  -D  Delete rule from chain
  -I  Insert rule
  -R  Replace rule
  -F  Flush all rules
  -L  List all rules
  -N  Create new chain
  -X  Delete user defined chain
  -P  Set default target (policy) of a chain
17
IPChains Command Options
  -s           Source address of packet
  -d           Destination address of packet
  -i           Interface packet is arriving from
  -p           Protocol
  -j           Target to send packet to
  -y           For -p tcp: match only SYN packets (connection requests)
  --icmp-type  For -p icmp: match an ICMP type
  -l           Log the packet to syslog (/var/log/messages); available in the Red Hat 6.0 kernel
18
IPChains Targets
System target (policy)  Description
  ACCEPT    Let packet through
  DENY      Deny packet silently
  REJECT    Deny packet and notify sender
  MASQ      Forward chain only: masquerade the packet
  REDIRECT  Send to a different local port
  RETURN    Stop traversing this chain; handled by the chain's default target
19
IPChains - Chain Types
  • IP input chain
  • IP output chain
  • IP forwarding chain
  • User defined chains (just give it a new name
    instead of the built-in names input, output or
    forward)
20
IPChains Example
Flush rules:
  ipchains -F forward
  ipchains -F output
  ipchains -F input
Set default to deny all:
  ipchains -P input DENY
  ipchains -P output DENY
  ipchains -P forward DENY
Add rules. Accept packets from itself (localhost) as (s)ource to itself as (d)estination; keeps system logging, X Windows and any socket based local service working:
  ipchains -A input -j ACCEPT -p all -s localhost -d localhost -i lo
  ipchains -A output -j ACCEPT -p all -s localhost -d localhost -i lo
Deny and log (option -l) spoofed packets arriving from the external network (eth0) which mimic internal IP addresses:
  ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0 -l
Accept requests/responses to/from your own firewall machine (its external address XXX.XXX.XXX.XXX):
  ipchains -A input -j ACCEPT -p all -d XXX.XXX.XXX.XXX -i eth0
  ipchains -A output -j ACCEPT -p all -s XXX.XXX.XXX.XXX -i eth0
Allow packets from the internal network, (s)ource 192.168.10.0/24 on eth1, in and out:
  ipchains -A input -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
  ipchains -A output -j ACCEPT -p all -s 192.168.10.0/24 -i eth1
Deny and log (option -l) outside packets from the Internet which claim to be from your loopback interface:
  ipchains -A input -j REJECT -p all -s localhost -i eth0 -l
Masquerade the internal network when forwarding:
  ipchains -A forward -s 192.168.10.0/24 -j MASQ
  ipchains -A forward -i eth1 -j MASQ
Enable packet forwarding:
  echo 1 > /proc/sys/net/ipv4/ip_forward
21
IPTables Commands
  -A, --append        Append rule to chain
  -D, --delete        Delete rule from chain
  -I, --insert        Insert rule at beginning or at specified sequence number in chain
  -R, --replace       Replace rule
  -F, --flush         Flush all rules
  -Z, --zero          Zero byte counters in all chains
  -L, --list          List all rules; add option --line-numbers for rule numbers
  -N, --new-chain     Create new chain
  -X, --delete-chain  Delete user defined chain
  -P, --policy        Set default policy for a chain
  -E, --rename-chain  Rename a chain
22
IPTables Command Options
  -s, --source         Source address of packet
  -d, --destination    Destination address of packet
  -i, --in-interface   Interface packet is arriving from
  -o, --out-interface  Interface packet is going to
  -p, --protocol       Protocol: tcp (with --sport port[:port], --dport port[:port], --syn), udp, icmp; MAC addresses are matched with -m mac --mac-source
  -j, --jump           Target to send packet to
  -f, --fragment       Match second and further fragments only
  -c, --set-counters   Set packet/byte counters
  -m tcp, --match tcp  --source-port port[:port] (port or range), --destination-port port[:port], --tcp-flags
  -m state, --match state  --state ESTABLISHED, RELATED, NEW, INVALID (INVALID: the packet cannot be associated with any known connection, so it is not expected)
23
IPTables Defined Policies (targets)
  ACCEPT      Let packet through
  DROP        Deny packet with no reply
  REJECT      Deny packet and notify sender; the error sent is chosen with --reject-with type
  RETURN      Stop traversing this chain; handled by the calling chain or the default policy
  MARK        Set a netfilter mark on the packet (mangle table) for later rules or routing
  MASQUERADE  Used with the nat table (POSTROUTING) when the external address is dynamic, e.g. assigned by DHCP
  LOG         Log to syslog and specify the message: --log-level, --log-prefix "prefix", --log-tcp-sequence, --log-tcp-options, --log-ip-options
  ULOG        Log via a userspace logging daemon
  SNAT        nat table, valid in POSTROUTING; rewrites the source address
  DNAT        nat table, valid in PREROUTING and OUTPUT; rewrites the destination address
  REDIRECT    nat table, PREROUTING and OUTPUT; DNAT to the local machine's own address
  QUEUE       Pass packet to userspace
24
IPTables Example
Simple firewall for a desktop Linux system:
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
The state rule allows network connections which have already been established (started by this host) and connections related to them; FTP requires this as it may use various ports in support of the file transfer. The lo rules allow network input/output from the host to itself.
25
more
Allow loopback access. This rule must come before the rules denying port access!
  iptables -A INPUT -i lo -p all -j ACCEPT             # rule for your computer to reach itself via the loopback
  iptables -A OUTPUT -o lo -p all -j ACCEPT
  iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       # block NFS
  iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       # block NFS
  iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  # block X Windows
  iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       # block X Windows font server
  iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        # block printer port
  iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        # block printer port
  iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        # block Sun RPC/NFS
  iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        # block Sun RPC/NFS
  iptables -A INPUT -p all -s localhost -i eth0 -j DROP             # deny packets arriving on eth0 which claim to be from your loopback interface