Stupid iptables Tricks
Jim MacLeod
@shewfig
BSides Las Vegas 7/28/2010

Who I am
- Network hacker, not OS hacker
- Favorite language is bash
- If a tool exists to do what I want, why re-invent the wheel?
- Sorry, Frank^2

What I get paid to do
- Retrofit security onto existing products
- Try to keep 80% of you from breaking into my product in less than 1 week
- Try to make my job go away by convincing my team to write secure code

Overview
- Defining the box: refresher on what iptables is
- Measuring the box: how I learned what's in this presentation
- Outside the box: automating & abstracting policy creation; creating static tables with dynamic elements; pushing full packets to userspace

Iptables
- Umbrella term
- Linux kernel-level stateful packet filter
- Part of Netfilter: "iptables" is the user-facing app
- Integrates with PBR & other fun toys
- Linux characteristics: rich set of options; moon-man language; user-friendly, but picky whom it considers a friend

Why we ignore iptables
- "It's the Linux firewall, right? We already have a border firewall."
- "It's old technology": L4, not L7
- [Insert Linux vs. Proprietary argument]
- "Linux is a server"

Why we shouldn't ignore iptables
- Stateful packet filter: the most common kind of firewall (!)
- Dynamic (non-destructive) policy updates
- Rich configuration options
- Multiple complex inter-connected policies make it easy(er) to optimize: nested policies give a shorter logic path in the common case and very complex policies for special cases
- Extensible state tables
- External hooks: pass the entire packet off to a userspace app

Limitations
- Rules exclusive to L2/L3/L4 (iptables / arptables)
- Vulnerable to IP spoofing
- "Everything interesting" is at L7
- Only L7 capability is pattern match. Anyone remember 1st gen IDS? Subject to false positives if not pre-qualified

Overcoming limitations: the "Wrong Way"
- TOFU auth (Trust On First Use): not "meaty" enough; IP spoofing & session stealing can fry TOFU
- Optional crypto: e.g. SSL cleartext injection / renegotiation
- Do it all in L7: what could possibly go wrong? "Business logic" != networking

Overcoming limitations: the "Cheap Way"
- State machine: is the connection in a state which implies that it has been authenticated?
- "Stateful" packet filter: ESTABLISHED state (TCP session established)
- How is this different than TOFU? If you don't have a GOOD answer, it's not good enough

Overcoming limitations: the "Right Way"
- Strong auth, non-persistent: require it for every new connection
- Mandatory crypto: can't hijack / inject on properly implemented crypto; crypto is an implicit auth of the established session
- However: crypto does not imply initial auth; anonymous crypto is possible
- IPtables can't do this for you

Relevance?
- What does this have to do with iptables?
- Reminder that no Linux app or service exists in isolation
- Useful as 1 of multiple layers
- IPtables can be coupled tightly with additional security tools & methods

Advantages of using IPtables
- Add a bump in the wire before ANY app. If a problem can be "solved" in iptables, the app will inherit the solution
- IPtables on-box has insight into the app: process owner, SELinux context, etc.
- App can have insight & control of IPtables

Disadvantages of solving problems in IPtables
- There is more than one way to do it
- Many ways are "wrong"
- Hopefully this talk will show some "right" ways

Origin of this talk: my job
- Clustered, appliance-based web app
- Problem: how to add a new node?
- Fake new node would be "bad"™: pwn node before added -> pwn cluster

Problem 1: Stealth new node
- Must allow "real" inbound connections
- Should not reveal open ports to just anyone
- Not enough time to implement auth

Solution 1: Port knocking
- Create policy to allow only inbound traffic which behaves like a real cluster
- Specific order: ICMP ping, TCP echo, back-end port, database port. Profit!
- If not in order, later ports won't open
Implementation 1 (Step 1)
iptables -A INPUT -p icmp --icmp-type 8 -m recent --name seenping --set -j ACCEPT

Implementation 1 (Step 2)
iptables -N ADD_ECHO
iptables -A INPUT -p tcp --dport echo -m recent --name seenping --rcheck -j ADD_ECHO
iptables -A ADD_ECHO -m recent --name seenecho --set -j ACCEPT
(Implicit return to INPUT at the end of ADD_ECHO; can also be specified explicitly with -j RETURN.)

Implementation 1 (Step 3)
iptables -N ADD_BACKEND
iptables -A INPUT -p tcp --dport 8000 -m recent --name seenecho --rcheck --seconds 10 -j ADD_BACKEND
iptables -A ADD_BACKEND -m recent --name seenbackend --set -j ACCEPT

Implementation 1 (Step 4)
iptables -A INPUT -p tcp --dport 3306 -m recent --name seenbackend --rcheck -j ACCEPT
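The four steps above assembled into one ruleset, as an added example that is not from the talk. It is a bash function that emits the knock sequence in iptables-restore format instead of calling iptables directly, so the policy can be reviewed as text and loaded in one atomic commit; it adds a --seconds window to every stage (the slides add one only at step 3, so a source that completed the sequence once would otherwise keep the database port open until its table entry ages out), keeps established flows alive across a reload, and finishes with the seen-it log suppression from the Log Clog section and a final DROP. Port numbers and the 10-second window come from the slides; the table name "unknown", the LOG prefix and the conntrack rule are assumptions.

```shell
#!/bin/sh
# Added example: emit the port-knock policy from the slides as an
# iptables-restore fragment. Nothing here touches the kernel; as root,
# `knock_policy | iptables-restore -n` loads it atomically (-n keeps
# other tables untouched).

# knock_policy [WINDOW_SECONDS]
# Each stage opens only for a source address that completed the previous
# stage within WINDOW_SECONDS (assumed default 10, as in step 3).
knock_policy() {
    local win="${1:-10}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:ADD_ECHO - [0:0]
:ADD_BACKEND - [0:0]
# Keep flows that are already established working across a reload.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Step 1: an echo request records the source in "seenping".
-A INPUT -p icmp --icmp-type 8 -m recent --name seenping --set -j ACCEPT
# Step 2: TCP echo (port 7), only from an address that pinged within the window.
-A INPUT -p tcp --dport 7 -m recent --name seenping --rcheck --seconds ${win} -j ADD_ECHO
-A ADD_ECHO -m recent --name seenecho --set -j ACCEPT
# Step 3: back-end port, only after echo within the window.
-A INPUT -p tcp --dport 8000 -m recent --name seenecho --rcheck --seconds ${win} -j ADD_BACKEND
-A ADD_BACKEND -m recent --name seenbackend --set -j ACCEPT
# Step 4: database port, only after the back-end port within the window.
-A INPUT -p tcp --dport 3306 -m recent --name seenbackend --rcheck --seconds ${win} -j ACCEPT
# Everything else: log once per source per 5 minutes (assumed table
# "unknown"), then drop.
-A INPUT -m recent --name unknown --rcheck --seconds 300 -j DROP
-A INPUT -m recent --name unknown --set
-A INPUT -j LOG --log-prefix "INPUT-drop "
-A INPUT -j DROP
COMMIT
EOF
}

# rules_for_table TABLE [WINDOW_SECONDS]
# Number of generated rules that reference a recent table; a quick
# sanity check (every knock table should be set once and checked once).
rules_for_table() {
    knock_policy "${2:-10}" | grep -c -- "--name $1 "
}
```

Review the output with `knock_policy | less` before loading it; the explicit `-m recent --set` on the ICMP rule is what makes a plain ping the first knock, so anyone who can ping the box can start the sequence, which is why the auth shim later in the talk matters.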
Problem 2: Database sync
- Database sync uses 2 opposite (A->B, B->A) TCP connections
- Connection from old to new: see Problem 1. Empty database, no interesting data
- Connection from new to old: family jewels exposed. Must not open the port to just anyone (yes, we're using auth...)

Solution 2: Quid Pro Quo
- Aka "Reverse Port Knocking"
- Old node connects to the database outbound
- IPtables tracks the outbound connection
- Explicitly allows the inbound connection

Implementation 2
On the existing node:
iptables -A OUTPUT -p tcp --dport 3306 -m recent --name dbout --set --rdest -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -m recent --name dbout --rcheck -j ACCEPT
(--rdest records the destination address of the outbound connection; the INPUT rule's --rcheck compares the source address of the inbound packet against that table.)
Problem 3: Log Clog
- Firewall exceptions "should" be logged
- Some protocols are really chatty: Windows broadcasts, lots of background noise
- IPtables doesn't have a rich logging solution: syslog as kernel message; hard to filter the kernel facility; "previous message repeated 5 million times"

Solution 3: Seen-It Suppression
- Add the source address to a specific recency table
- Log the first time, ignore for the next 'n' minutes
- Suppresses the log clog
- Doesn't log the # of ignored packets. Sorry, Marcus

Implementation 3
iptables -A INPUT -p udp --dport 138 -m recent --name udp-138 --rcheck --seconds 300 -j DROP
iptables -A INPUT -p udp --dport 138 -m recent --name udp-138 --set
iptables -A INPUT -j LOG --log-prefix "INPUT-drop"
iptables -A INPUT -j DROP
Recap (so far)
- Recency tables for: port knocking, reverse port knocking, log suppression
- All within IPtables

Version 1.3: Data-driven Firewall
- Plug-in architecture: each app might open different ports in/out
- Endpoints might be dynamic, e.g. defined by the user in the GUI

Version 1.3 Solution
- XML firewall policy files: define inbound/outbound per plug-in; the definition can also be a database entry
- Watchdog to scan for changes: changes in files; poll the database for changes
- Versioning of policies
- Policy updates can be dynamic: insert/remove policies

Version 1.3 Implementation
- [1 KLOC of perl] watchdog
- [1 KLOC of bash] policy-checker
- [1 KLOC of perl] XML-policy-parser
- [1 KLOC of bash] iptables policy generator

Revisiting Problem 1: Add Auth
- Port knocking is an "open secret": watch the wire & learn the combo
- Create an auth "shim" layer: connect to 1 port for auth; the service adds permission for the client to connect to the "real" port
- Use "-m recent" in the iptables policy, and have the auth service add the client with:
  echo IP > /proc/net/xt_recent/[name]
- Note: must run as root
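The write to /proc/net/xt_recent from the auth shim, as an added example (not from the talk). The kernel interface is simple: writing "+ADDR" to /proc/net/xt_recent/NAME adds ADDR (or refreshes its timestamp), "-ADDR" removes it, and "/" flushes the table; a bare address, as in the slide's echo, also adds. Because this runs as root and the address ultimately comes from whatever client authenticated, the point of the example is the validation in front of the write: the shim must never pass a client-supplied string through to a kernel file unchecked. The table name "authorized" in the test and the RECENT_DIR override (used to exercise the functions against a temporary directory instead of /proc) are assumptions for this example.

```shell
#!/bin/sh
# Added example: grant/revoke a client address in an xt_recent table,
# with input validation. Run as root against the real /proc path; set
# RECENT_DIR to a scratch directory to exercise it without privileges.

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad, each octet 0-255,
# no leading zeros (so "010" is rejected rather than guessed at).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for n in "$@"; do
        case "$n" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$n" -le 255 ] || return 1
    done
    return 0
}

# recent_grant TABLE ADDR   add ADDR to TABLE (the "+addr" form)
# recent_revoke TABLE ADDR  remove ADDR from TABLE (the "-addr" form)
recent_grant()  { _recent_write "$1" "+" "$2"; }
recent_revoke() { _recent_write "$1" "-" "$2"; }

_recent_write() {
    local table="$1" op="$2" ip="$3"
    local dir="${RECENT_DIR:-/proc/net/xt_recent}"
    # Table names come from our own policy, but refuse anything that
    # could escape the directory all the same.
    case "$table" in
        ''|*[!A-Za-z0-9_-]*) echo "bad table name '$table'" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "refusing to write '$ip' to $table" >&2; return 3; }
    # The proc file only exists once a rule using --name TABLE is loaded.
    [ -w "$dir/$table" ] || { echo "table $table not present or not writable" >&2; return 4; }
    printf '%s%s\n' "$op" "$ip" > "$dir/$table"
}
```

Call `recent_grant authorized 10.0.0.5` from the auth service after a successful login and `recent_revoke` on logout; pair the table with a `--rcheck --seconds` rule so a granted entry still expires even if the revoke never happens.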
Persistent Policies
- Confession: my data-driven firewall doesn't actually intelligently modify the policy. Flush tables, bulk push
- Flushes ESTABLISHED and RELATED tables too
- Rules will re-add existing connections only if packets come from client to server
- What about packets from server to client?
- "Destination" and "source" are a matter of perspective and initial state

Implementing Persistent Policies
Policy:
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
Persistent reverse policy:
iptables -A INPUT -s [local IP] -p tcp --sport 8000 --tcp-flags SYN NONE -j ACCEPT
- Allow a packet in the "wrong" direction if it's not the start of a TCP session
- Dangerous territory: can reduce stealth. "nmap -sA" will waltz right through if '-s' is omitted

Policy Versioning
Quick hack: use comments
iptables -N PUSHDATE
iptables -A PUSHDATE -m comment --comment `date '+%s'`
Embed the date the policy is pushed as a comment; listing the chain then shows it:
Chain PUSHDATE (0 references)
num  target  prot opt source     destination
1            all  --  0.0.0.0/0  0.0.0.0/0    /* 1280187751 */
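The PUSHDATE comment trick in iptables-restore form, as an added example that is not from the talk. Rather than the flush-then-bulk-push the Persistent Policies slide confesses to, which leaves a window with either no policy or a half-loaded one, the stamp is inserted into the policy text and the whole thing lands in one COMMIT; a second function reads the stamp back out of iptables-save output so a watchdog can tell whether the running policy is the one it last pushed. The sample policy in the test is constructed; the epoch value is the one shown on the slide.

```shell
#!/bin/sh
# Added example: stamp an iptables-restore policy with the push time and
# read the stamp back from iptables-save output.

# stamp_policy [EPOCH]  < policy.rules  > stamped.rules
# Adds a PUSHDATE chain to the *filter section and one rule in it whose
# only purpose is to carry EPOCH as a comment. EPOCH defaults to now;
# passing it explicitly makes the output deterministic.
stamp_policy() {
    local epoch="${1:-$(date +%s)}"
    awk -v epoch="$epoch" '
        /^\*filter$/ { print; print ":PUSHDATE - [0:0]"; in_filter = 1; next }
        in_filter && /^COMMIT$/ {
            printf "-A PUSHDATE -m comment --comment \"%s\"\n", epoch
            in_filter = 0
        }
        { print }
    '
}

# policy_push_epoch  < iptables-save-output
# Prints the epoch stored by stamp_policy; exit status 1 and no output
# if the running policy carries no stamp.
policy_push_epoch() {
    sed -n 's/^-A PUSHDATE -m comment --comment "\([0-9]*\)"$/\1/p' | grep .
}
```

Typical use: `generate_policy | stamp_policy | iptables-restore`, and later `iptables-save | policy_push_epoch` to compare against the generator's own record; the chain has no references, so it never sees a packet and costs nothing on the data path.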
Expanding the box (aka "what I haven't actually done yet")
- Policy logic
- Pattern matching less blindly
- Q&D blocking IDS
- URL filtering per user

Policy Logic
- Each chain can call other chains, e.g. -j ADD_PING
- Chains can return to their caller, e.g. -j RETURN
- Doesn't this sound like function calls?
- Recency tables =~ variables. So is FWMARK

Canonical Firewall Policy
- Firewall access rules: admins can ssh in
- Firewall stealth rule: no one else can access the firewall
- Series of access/stealth rules: servers, subnets, "3-tier", etc.
- Outbound access
- Log/drop all

Optimized Firewall Policy
- Rule of thumb: more policies = more latency
- All packets to the firewall go to a separate chain (-j FIREWALL); implement access / stealth / log / drop / smite there
- Reduce the # of policies for each packet: reduce the overall latency

More "Policy Programming": FWMARK
- Add a "mark" to the packet in the kernel; local scope: only in the box, not on the wire
  iptables -j MARK --set-mark [unsigned int]
  iptables -m mark --mark [unsigned int]
- FWMARK is also recognized by: ip rule / policy-based routing; ipvs (L3 load balancer)

FWMARK example
- Bind multiple protocols / ports together in a load balancer policy
- Typical web site: front page is http:80; login is https:443; content is http:80 again; spawn whiteboard http:9012
- All connections from the same client will go to the same back-end server

FWMARK vs. recency
- Recency tables store IP & timestamps: useful for applying rules to an address that has been seen before in a different connection; no port numbers or protocols
- FWMARK is per-packet: no concept of connection
- Potentially interesting in combination: mark all packets from a recent IP, apply PBR

Pattern Matching
- Arbitrary pattern matches are too coarse
- Pattern with offset: helps if the pattern is GUARANTEED to be at that location; TCP options, encapsulation, etc. can move the offset
- Use chains to pre-qualify data: port 80? That's the HTTP_PATTERNS chain...
- DISCLAIMER: I have no actual knowledge of pattern matching in iptables
Q&D blocking IDS
http://www.snowman.net/projects/ipt_recent/
Example 1: block annoyance for 60 seconds
iptables -A FORWARD -m recent --name noplacelike --rcheck --seconds 60 -j DROP
iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --name noplacelike --set -j DROP
Example 2: rolling block (--update refreshes the entry's timestamp on every hit, so the 60 seconds restart each time the source tries again)
iptables -A FORWARD -m recent --name noplacelike --update --seconds 60 -j DROP
iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -m recent --name noplacelike --set -j DROP

URL Filtering
- Transparent proxy is your friend: http://www.ex-parrot.com/pete/upside-down-ternet.html
- Transparent proxy uses iptables:
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 8080
- Use recency tables to redirect some IPs:
iptables -t nat -A PREROUTING -m recent --name kittenwar --rcheck -p tcp --dport 80 -j REDIRECT --to-port 8081
- Use with user auth, "guest" access, or annoyance triggers

Captive Portal
- "Yes I won't hack you" page on WiFi
iptables -t nat -A PREROUTING -m recent --name allowed --rcheck -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8000
- The captive portal site will add the IP to the "allowed" list (ACCEPT in the nat table ends NAT processing for that packet, so allowed clients are no longer redirected)

Stealth Services
- Use iptables to snag traffic before it hits the real service:
iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --name secretweb --rcheck -j REDIRECT --to-ports 84
- Simple way to run multiple VirtualHosts with 1 IP and a border firewall allowing 1 inbound port
- Interesting application of pattern match: HTTP Host header

Anti-Spam Blacklisting
- Pre-populate a recency table with RBN
iptables -A INPUT -p tcp --dport 25 -m recent --name spammer --rcheck -j REJECT

Anti-Spam Q&D Graylisting
- Block initially, allow connect after 2 minutes
iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --rcheck --seconds 120 -j DROP
iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --rcheck -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --set -j DROP
(First rule: seen within the last 2 minutes, keep dropping. Second rule: seen, but longer ago than that, let it in. Third rule: never seen, record the source and drop.)
Box? What box?
- Expanding iptables with -j QUEUE: pass the entire packet to a userspace app
- Whole new world to extend iptables
- Can only be one app running for this!!! If multiple "tricks" are in place, the app must use input validation to determine what is appropriate for which packet.

QUEUE tutorial
http://michael.toren.net/slides/ipqueue/slide001.html
Old (2003) but excellent!

Application: Packet Rewriting
(Stolen blatantly from http://michael.toren.net/slides/ipqueue/slide025.html)

my ($dns, $err) = Net::DNS::Packet->new(\$udp->{data});
...
for my $section (qw(answer authority additional)) {
    my @rr;
    while (my $i = $dns->pop($section)) {
        if ($i->class eq "IN" &&
            $i->type eq "A" &&
            $i->name eq "slashdot.org")
        {
            $i->{address} = "127.0.0.1";
        }
        push @rr, $i;
    }
    while (my $i = pop @rr) {
        $dns->push($section, $i);
    }
}
QUEUE example: countertrace
- Add "imaginary" hops
- Optionally add latency: low-priority users get slower net access
- Quick & dirty honeynet / tarpit

Reject with TTL Expired
- The "ultimate" unreachable response
- Alternatives: TCP RST (host exists, port not listening to you); ICMP port / host / net unreachable; black-hole route (throw away the packet)
- TTL expired implies you can't get there from here, so stop trying

Application Awareness
- Windows Firewall has exceptions per app: "Outlook" can use the internet, "Notepad" can't
- Iptables is port-focused only: no app awareness
- Create a queue handler to look up the app for the socket, whitelist apps

Application Awareness example
(Stolen blatantly from http://michael.toren.net/slides/ipqueue/slide017.html)

my %approved = qw(
    561c1c9071e8c5723c641273e725c1e3  /usr/bin/telnet
    9dc35c04c16d3f2ce2a8537961980913  /usr/bin/nc
);
...
my ($user, $pid) = getuserfromtcp $ip, $tcp;
open EXE, "/proc/$pid/exe";
my $md5 = Digest::MD5->new->addfile(*EXE)->hexdigest;
close EXE;
if ($pid > 0 && ! $approved{$md5}) {
    $ipq->set_verdict($msg->packet_id, NF_DROP);
    syslog "warning",
        "Blocking outbound connection attempt by unauthorized program";
} else {
    $ipq->set_verdict($msg->packet_id, NF_ACCEPT);
}
Theoretical: 4D Box

Local Darknet
- Multipoint VPN to avoid eavesdropping
- Multicast goes everywhere locally, plus potentially through routers
- Detect outbound multicast & split
- Iptables TEE target: create a duplicate of the packet & send it someplace else. May require patching iptables, maybe the kernel

NAT'd host ID
- Fingerprint incoming packets to differentiate a single host behind a shared NAT address
- Base on super-session state: already seen connections?
- TOFU again

"Signed" TCP
- TCP includes a checksum; why not a MD?
- Add a transparent proxy at each end: use REDIRECT or just QUEUE; slightly more intrusive with netcat / ssh / etc.
- "Signature" is H(checksum + SEQ + PW): easy to generate, easy to verify (re-generate)
- Password can be negotiated on first connect
- Hash mismatch -> discard packet. No session hijack possible?
- Easier than IPSec, and "might" survive NAT.

Closing the Box
- iptables is almost a programming language
- If iptables isn't enough of a programming language, write a program to config it
- If it can be done to a packet, it can likely be done in iptables
- If it can't be done in iptables, it can be done externally

More Related Content

PDF
netfilter programming
PPT
Iptables in linux
PPTX
Iptables the Linux Firewall
PDF
Iptables Configuration
PPT
IP tables
PDF
Pertemuan 9 intrusion detection system
ODP
nftables - the evolution of Linux Firewall
PDF
SGX Trusted Execution Environment
netfilter programming
Iptables in linux
Iptables the Linux Firewall
Iptables Configuration
IP tables
Pertemuan 9 intrusion detection system
nftables - the evolution of Linux Firewall
SGX Trusted Execution Environment

What's hot (20)

PPTX
Understanding iptables
PPT
Iptables
PPT
Wireshark
PDF
Introduction to firewalls through Iptables
PDF
Iptables fundamentals
PDF
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
PDF
Packet Filtering Using Iptables
PDF
IP Tables Primer - Part 1
PDF
ebpf and IO Visor: The What, how, and what next!
PPTX
Network testing course
PDF
BPF - All your packets belong to me
PPT
Ip6 tables in linux
PDF
Kernel Recipes 2019 - Metrics are money
PDF
IPsec Basics: AH and ESP Explained
PPTX
Building the Internet of Things with Thingsquare and Contiki - day 2 part 1
PPTX
Introduction to tcp ip linux networking
PPTX
Wireshark, Tcpdump and Network Performance tools
PDF
Alessio Lama - Development and testing of a safety network protocol
PDF
Kernel Recipes 2013 - Deciphering Oopsies
PPTX
Wireshark
Understanding iptables
Iptables
Wireshark
Introduction to firewalls through Iptables
Iptables fundamentals
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Packet Filtering Using Iptables
IP Tables Primer - Part 1
ebpf and IO Visor: The What, how, and what next!
Network testing course
BPF - All your packets belong to me
Ip6 tables in linux
Kernel Recipes 2019 - Metrics are money
IPsec Basics: AH and ESP Explained
Building the Internet of Things with Thingsquare and Contiki - day 2 part 1
Introduction to tcp ip linux networking
Wireshark, Tcpdump and Network Performance tools
Alessio Lama - Development and testing of a safety network protocol
Kernel Recipes 2013 - Deciphering Oopsies
Wireshark
Ad

Viewers also liked (12)

ODP
PDF
Iptablesrocks
PPTX
Iptables
PPT
Personality development new slides
KEY
Fosscon 2012 firewall workshop
PPT
Personality development presentation
PPTX
Personality development- A PATH TO SUCCESS
PPS
Presentation On Personality
PPTX
PERSONALITY DEVELOPMENT
PPT
Personality Development
PPS
Personality Development
PPTX
Personality ppt
Iptablesrocks
Iptables
Personality development new slides
Fosscon 2012 firewall workshop
Personality development presentation
Personality development- A PATH TO SUCCESS
Presentation On Personality
PERSONALITY DEVELOPMENT
Personality Development
Personality Development
Personality ppt
Ad

Similar to Stupid iptables tricks (20)

ODP
Firewalld : A New Interface to Your Netfilter Stack
PPTX
DOCX
Creating a firewall in UBUNTU
PPTX
types of firewalls ppt computer networks
ODP
A look at computer security
PPT
Linux Firewall - NullCon Chennai Presentation
PPTX
Linux routing and firewall for beginners
PPT
Firewalls (1056778990099000000000000).ppt
PPTX
Linux – routing and firewall for beginners v 1.0
PDF
Iptables presentation
PDF
Firewall Facts
DOCX
25 most frequently used linux ip tables rules examples
DOCX
25 most frequently used linux ip tables rules examples
PDF
Chapter 6 firewall
PDF
Linux firewall
PDF
Infrastructure Security
PPTX
How to convert your Linux box into Security Gateway - Part 1
PPT
firewall
PDF
25 most frequently used linux ip tables rules examples
PPT
Firewall basics ron
Firewalld : A New Interface to Your Netfilter Stack
Creating a firewall in UBUNTU
types of firewalls ppt computer networks
A look at computer security
Linux Firewall - NullCon Chennai Presentation
Linux routing and firewall for beginners
Firewalls (1056778990099000000000000).ppt
Linux – routing and firewall for beginners v 1.0
Iptables presentation
Firewall Facts
25 most frequently used linux ip tables rules examples
25 most frequently used linux ip tables rules examples
Chapter 6 firewall
Linux firewall
Infrastructure Security
How to convert your Linux box into Security Gateway - Part 1
firewall
25 most frequently used linux ip tables rules examples
Firewall basics ron

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Empathic Computing: Creating Shared Understanding
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
Electronic commerce courselecture one. Pdf
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Machine learning based COVID-19 study performance prediction
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
cuic standard and advanced reporting.pdf
The Rise and Fall of 3GPP – Time for a Sabbatical?
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Reach Out and Touch Someone: Haptics and Empathic Computing
Dropbox Q2 2025 Financial Results & Investor Presentation
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Empathic Computing: Creating Shared Understanding
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Electronic commerce courselecture one. Pdf
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Spectral efficient network and resource selection model in 5G networks
Machine learning based COVID-19 study performance prediction
Digital-Transformation-Roadmap-for-Companies.pptx
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
The AUB Centre for AI in Media Proposal.docx
Diabetes mellitus diagnosis method based random forest with bat algorithm
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
20250228 LYD VKU AI Blended-Learning.pptx

Stupid iptables tricks

  • 1. Stupid iptables TricksJim MacLeod@shewfigBsides Las Vegas 7/28/2010
  • 2. Who I amNetwork hacker, not OS hackerFavorite language is bashIf a tool exists to do what I want, why re-invent the wheel?Sorry, Frank^2
  • 3. What I get paid to doRetrofit security onto existing productsTry to keep 80% of you from breaking into my product in less than 1 weekTry to make my job go away by convincing my team to write secure code
  • 4. OverviewDefining the box:Refresher on what iptables isMeasuring the box:How I learned what’s in this presentationOutside the box:Automating & abstracting policy creationCreating static tables with dynamic elementsPushing full packets to userspace
  • 5. IptablesUmbrella termLinux kernel-level stateful packet filterPart of Netfilter – “iptables” is user-facing appIntegrates with PBR & other fun toysLinux characteristicsRich set of optionsMoon-man languageUser-friendly, but picky whom it considers a friend
  • 6. Why we ignore iptables“It’s the Linux firewall, right? We already have a border firewall.”“It’s old technology” – L4, not L7[Insert Linux vs. Proprietaryargument]“Linux is a server”
  • 7. Why we shouldn’t ignore iptablesStateful packet filter – most common firewall (!)Dynamic (non-destructive) policy updatesRich configuration optionsMultiple complex inter-connected policiesMakes it easy(er) to optimizeNested policiesShorter logic path in common caseVery complex policies for special casesExtensible state tablesExternal hooksPass the entire packet off to a userspace app
  • 8. LimitationsRules exclusive to L2/L3/L4Iptables / ArptablesVulnerable to IP spoofing“Everything interesting” is at L7Only L7 capability is pattern matchAnyone remember 1st gen IDS?Subject to false positives if not pre-qualified
  • 9. Overcoming limitationsThe “Wrong Way”TOFU auth (Trust On First Use)Not “meaty” enoughIP spoofing & session stealing can fry TOFUOptional cryptoE.g. SSL cleartext injection / renegotiationDo it all in L7What could possibly go wrong?“Business Logic” != networking
  • 10. Overcoming limitationsThe “Cheap Way”State machine: is the connection in a state which implies that it has been authenticated?“Stateful” packet filter – ESTABLISHED state(TCP session established)How is this different than TOFU?If you don’t have a GOOD answer, it’s not good enough
  • 11. Overcoming limitationsThe “Right Way”Strong authNon-persistent: require for every new connectionMandatory cryptoCan’t hijack / inject on properly implemented cryptoCrypto is an implicit auth of the established sessionHowever: crypto does not imply initial auth – anonymous crypto is possibleIPtables can’t do this for you 
  • 12. Relevance?What does this have to do with iptables?Reminder that no Linux app or service exists in isolationUseful as 1 of multiple layersIPtables can be coupled tightly with additional security tools & methods
  • 13. Advantages of using IPtablesAdd a bump in the wire before ANY app.If a problem can be “solved” in iptables, the app will inherit the solutionIPtables on-box has insight into the appProcess owner, SElinux context, etc.App can have insight & control of IPtables
  • 14. Disadvantages of Solving Problems in IPtablesThere is more than one way to do itMany ways are “wrong”Hopefully this talk will show some “right” ways
  • 15. Origin of this talk: my jobClustered, appliance-based web appProblem: how to add a new node?Fake new node would be “bad”™Pwn node before added -> pwn cluster
  • 16. Problem 1: Stealth new nodeMust allow “real” inbound connectionsShould not reveal open ports to just anyoneNot enough time to implement auth
  • 17. Solution 1: Port knockingCreate policy to allow only inbound traffic which behaves like a real clusterSpecific order:ICMP pingTCP echoBack-end portDatabase portProfit!If not in order, later ports won’t open
  • 18. Implementation 1 (Step 1)iptables -A INPUT -p icmp --icmp-type 8 -m recent --name seenping --set-j ACCEPT
  • 19. Implemenation 1 (Step 2)iptables -N ADD_ECHOiptables -A INPUT -p tcp --dport echo-m recent --name seenping --rcheck-j ADD_ECHOiptables -A ADD_ECHO-m recent --name seenecho --set-j ACCEPT(implicit return to INPUT)Can also explicitly specify with -j RETURN
  • 20. Implementation 1 (Step 3)iptables -N ADD_BACKENDiptables -A INPUT -p tcp --dport 8000-m recent --name seenecho --rcheck--seconds 10-j ADD_BACKENDiptables -A ADD_BACKEND-m recent --name seenbackend --set-j ACCEPT
  • 21. Implementation 1 (Step 4)iptables -A INPUT -p tcp --dport 3306-m recent --name seenbackend --rcheck-j ACCEPT
  • 22. Problem 2: Database syncDatabase sync uses 2 opposite (A->B, B->A) TCP connectionsConnection from old to new: see Problem1Empty database, no interesting dataConnection from new to old: Family jewels exposedMust not open port to just anyone(yes, we’re using auth…)
  • 23. Solution 2: Quid Pro QuoAka “Reverse Port Knocking”Old node connects to database outboundIPtables tracks outbound connectionExplicitly allows inbound connection
  • 24. Implementation 2On existing node:iptables -A OUTPUT -p tcp --dport 3306-m recent --name dbout --rdest-j ACCEPTiptables -A INPUT -p tcp --dport 3306-m recent --name dbout --rcheck-j ACCEPT
  • 25. Problem 3: Log ClogFirewall exceptions “should” be loggedSome protocols are really chattyWindows broadcastsLots of background noiseIPtables doesn’t have rich logging solutionSyslog as kernel messageHard to filter kernel facility“Previous message repeated 5 million times”
  • 26. Solution 3: Seen-It SuppressionAdd source address to specific recency tableLog first time, ignore for next ‘n’ minutesSuppress the log clogDoesn’t log # of ignored packetsSorry, Marcus
  • 27. Implementation 3iptables -A INPUT -p udp --dport 138-m recent --name udp-138 --rcheck --seconds 300-j DROPiptables -A INPUT -p udp --dport 138-m recent --name udp-138 --setiptables -A INPUT -j LOG --log-prefix “INPUT-drop”iptables -A INPUT -j DROP
  • 28. Recap (So far)Recency tables for:Port knockingReverse port knockingLog suppressionAll withinIPtables
  • 29. Version 1.3: Data-driven FirewallPlug-In architectureEach app might open different ports in/outEndpoints might be dynamicE.g. defined by user in in GUI
  • 30. Version 1.3 SolutionXML firewall policy filesDefine inbound/outbound per-plug-inDefinition can also be database entryWatchdog to scan for changesChanges in filesPoll database for changesVersioning of policiesPolicy updates can be dynamic: insert/remove policies
  • 31. Version 1.3 Implementation[1 KLOC of perl] - watchdog[1 KLOC of bash] - policy-checker[1 KLOC of perl] - XML-policy-parser[1 KLOC of bash] - iptables policy generator
  • 32. Revisiting Problem 1: Add AuthPort knocking is an “open secret”Watch the wire & learn the comboCreate auth “shim” layerConnect to 1 port for authService adds permission for client to connect to “real” port use “-m recent” in iptables policyecho IP > /proc/net/xt_recent/[name]Note: must run as root 
  • 33. Persistent PoliciesConfession: my data-driven firewall doesn’t actually intelligently modify the policyFlush tables, bulk pushFlushes ESTABLISHED and RELATED tables tooRules will re-add existing connectionsonly if packets come from client to serverWhat about packets from server to client?“Destination” and “Source” are a matter of perspective and initial state
  • 34. Implementing Persistent PoliciesPolicy:iptables -p tcp --dport 8000 -j ACCEPTPersistent reverse policy:iptables -s [local IP] -p tcp --sport 8000--tcp-flags SYN NONE -j ACCEPTAllow packet in the “wrong” direction if it’s not the start of a TCP sessionDangerous territory: can reduce stealth“nmap -sA” will waltz right through if ‘-s’ omitted
  • 35. Policy VersioningQuick hack: use commentsiptables -A PUSHDATE -m comment--comment `date ‘+%s’`Embed the date the policy is pushed as a commentChain PUSHDATE (0 references)num target prot opt source destination 1 all -- 0.0.0.0/0 0.0.0.0/0 /* 1280187751 */
  • 36. Expanding the boxaka “what I haven’t actually done yet”Policy logicPattern matching less blindlyQ&D blocking IDSURL filtering per user
  • 37. Policy LogicEach chain can call other chainse.g. -j ADD_PINGChains can return to their callere.g. -j RETURNDoesn’t this sound like function calls?recency tables =~ variablesSo is FWMARK
  • 38. Canonical Firewall PolicyFirewall access rulesadmins can ssh inFirewall stealth ruleNo one else can access the firewallSeries of access/stealth rulesServers, subnets, “3-Tier”, etc.Outbound accessLog/Drop all
  • 39. Optimized Firewall PolicyRule of thumb: more policies = more latencyAll packets to firewall go to separate chain-j FIREWALLImplement access / stealth / log / drop / smiteReduce the # of policies for each packet: reduce the overall latency
  • 40. More “Policy Programming”FWMARKAdd “mark” to packet in kernellocal scope: only in the box, not on the wireiptables -j MARK --set-mark [unsigned int]iptables -m mark --mark [unsigned int]FWMARK is also recognized by:ip rule / policy-based routingipvs (L3 load balancer)
  • 41. FWMARK exampleBind multiple protocols / ports together in a load balancer policyTypical web site: front page is http:80login is https:443content is http:80 againspawn whiteboard http:9012All connections from same client will go to same back end server
  • 42. FWMARK vs. recencyRecency tables store IP & timestampsuseful for applying rules to an address that has been seen before in a different connectionno port numbers or protocolsFWMARK is per-packetno concept of connectionPotentially interesting in combinationmark all packets from a recent IPApply PBR
  • 43. Pattern MatchingArbitrary pattern matches are too coarsePattern with offset:Helps if pattern GUARANTEED to be at that locationTCP options, encapsulation, etc. can move offsetUse chains to pre-qualify dataPort 80? That’s the HTTP_PATTERNS chain…DISCLAIMER:I have no actual knowledge of pattern matchingin iptables
  • 44. Q&D blocking IDShttp://www.snowman.net/projects/ipt_recent/Example 1: block annoyance for 60 secondsiptables -A FORWARD -m recent --name noplacelike--rcheck--seconds 60 -j DROPiptables -A FORWARD -i eth0 -d 127.0.0.0/8-m recent --name noplacelike --set -j DROPExample 2: rolling blockiptables -A FORWARD -m recent --name noplacelike--update --seconds 60 -j DROPiptables -A FORWARD -i eth0 -d 127.0.0.0/8-m recent --name noplacelike --set -j DROP
  • 45. URL FilteringTransparent Proxy is your friendhttp://www.ex-parrot.com/pete/upside-down-ternet.htmlTransparent Proxy uses iptablesiptables -t nat -A PREROUTING -s192.168.0.0/255.255.255.0-p tcp --dport 80 -j REDIRECT --to-port 8080Userecency tables to redirect some IPsiptables -t nat -A PREROUTING-m recent --name kittenwar-p tcp --dport 80 -j REDIRECT --to-port 8081Use with user auth, “guest” access, or annoyance triggers
  • 46. Captive Portal
    - “Yes I won’t hack you” page on WiFi
      iptables -t nat -A PREROUTING -m recent --name allowed --rcheck -p tcp --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8000
    - Captive Portal site will add IP to “allowed” list
  • 47. Stealth Services
    - Use iptables to snag traffic before it hits the real service
      iptables -t nat -A PREROUTING -p tcp --dport 80 -m recent --name secretweb --rcheck -j REDIRECT --to-ports 84
    - Simple way to run multiple VirtualHosts with 1 IP and a border firewall allowing 1 inbound port
    - Interesting application of pattern match: HTTP Host header
  • 48. Anti-Spam Blacklisting
    - Pre-populate recency table with RBN
      iptables -A INPUT -p tcp --dport 25 -m recent --name spammer --rcheck -j REJECT
  • 49. Anti-Spam Q&D Graylisting
    - Block initially, allow connect after 2 minutes
      iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --rcheck --seconds 120 -j DROP
      iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --rcheck -j ACCEPT
      iptables -A INPUT -p tcp --dport 25 -m recent --name smtpdelay --set -j DROP
    - Anything still in the list at the second rule is older than 120 seconds, because the first rule already dropped the fresh hits
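The rcheck/update/set semantics behind slides 44 and 49 are easy to get backwards, so here is a small Python model of the `recent` match and of those three rule chains, run over a constructed packet trace. This is an added example for this deck, not code from the slides or from the ipt_recent project; it models timestamps as plain seconds, ignores the interface match, and assumes the default 20-entries-per-address history of the kernel module.

```python
"""Toy model of the iptables `recent` match (xt_recent) and the rule chains on
slides 44 and 49.  Constructed example, not part of the original slides; times
are plain seconds instead of kernel jiffies and the -i eth0 match is ignored."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                    # -j DROP / ACCEPT / REJECT
    recent: Optional[str] = None   # --set, --rcheck or --update
    name: str = ""                 # -m recent --name
    seconds: int = 0               # --seconds window, 0 = no window
    dport: Optional[int] = None    # -p tcp --dport
    dst: Optional[str] = None      # -d network


class RecentTables:
    """One timestamp list per --name, keyed by source address, newest last."""

    def __init__(self, max_stamps: int = 20):   # ip_pkt_list_tot default
        self.max_stamps = max_stamps
        self.lists = {}

    def _stamp(self, table, src, now):
        stamps = table.setdefault(src, [])
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def match(self, rule: Rule, src: str, now: int) -> bool:
        table = self.lists.setdefault(rule.name, {})
        if rule.recent == "set":       # --set always matches and records a hit
            self._stamp(table, src, now)
            return True
        # --rcheck / --update: match if any recorded hit lies inside the window
        hits = [t for t in table.get(src, []) if not rule.seconds or now - t <= rule.seconds]
        if hits and rule.recent == "update":   # --update refreshes the timestamp on match
            self._stamp(table, src, now)
        return bool(hits)


Packet = Tuple[str, str, int, int]   # (src, dst, dport, time in seconds)


def run_chain(rules: List[Rule], tables: RecentTables, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in a real chain; unmatched packets get the policy."""
    src, dst, dport, now = pkt
    for r in rules:
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst and ip_address(dst) not in ip_network(r.dst):
            continue
        if r.recent and not tables.match(r, src, now):
            continue
        return r.target
    return policy


def simulate(chain: List[Rule], packets: List[Packet]) -> List[str]:
    tables = RecentTables()
    return [run_chain(chain, tables, p) for p in packets]


# Slide 44, example 1: 60 s block counted from the moment the address was listed
FIXED_BLOCK = [
    Rule("DROP", recent="rcheck", name="noplacelike", seconds=60),
    Rule("DROP", recent="set", name="noplacelike", dst="127.0.0.0/8"),
]
# Slide 44, example 2: --update restarts the 60 s every time the address is seen
ROLLING_BLOCK = [
    Rule("DROP", recent="update", name="noplacelike", seconds=60),
    Rule("DROP", recent="set", name="noplacelike", dst="127.0.0.0/8"),
]
# Slide 49: drop the first SMTP attempt and retries within 120 s, accept later retries
GRAYLIST = [
    Rule("DROP", recent="rcheck", name="smtpdelay", seconds=120, dport=25),
    Rule("ACCEPT", recent="rcheck", name="smtpdelay", dport=25),
    Rule("DROP", recent="set", name="smtpdelay", dport=25),
]

# Constructed traffic: one client touches 127/8 once, then keeps talking to a real host
PROBE_TRACE: List[Packet] = [
    ("192.0.2.7", "127.0.0.1", 80, 0),
    ("192.0.2.7", "10.0.0.5", 80, 30),
    ("192.0.2.7", "10.0.0.5", 80, 80),
    ("192.0.2.7", "10.0.0.5", 80, 130),
    ("192.0.2.9", "10.0.0.5", 80, 130),   # unrelated client, never listed
]
# Constructed SMTP client retrying at 0, 30, 150 and 200 seconds
SMTP_TRACE: List[Packet] = [("198.51.100.4", "10.0.0.25", 25, t) for t in (0, 30, 150, 200)]

if __name__ == "__main__":
    print("fixed   ", simulate(FIXED_BLOCK, PROBE_TRACE))
    print("rolling ", simulate(ROLLING_BLOCK, PROBE_TRACE))
    print("graylist", simulate(GRAYLIST, SMTP_TRACE))
```

The same trace separates the two slide-44 variants: with `--rcheck` the block lapses 60 seconds after the trigger no matter how often the client retries, while `--update` keeps extending it as long as the retries are less than 60 seconds apart. For the graylist, the second rule needs no `--seconds` at all because rule order already excludes the fresh entries.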
  • 50. Box? What box?
    - Expanding iptables with -j QUEUE
      - Pass entire packet to userspace app
      - Whole new world to extend iptables
    - Can only be one app running for this!!!
      - If multiple “tricks” are in place, the app must use input validation to determine what is appropriate for which packet.
  • 52. Application: Packet Rewriting
    (Stolen blatantly from http://michael.toren.net/slides/ipqueue/slide025.html )
      my ($dns, $err) = Net::DNS::Packet->new(\$udp->{data});
      ...
      # walk each section; every IN A record for slashdot.org gets its address rewritten
      for my $section (qw(answer authority additional)) {
          my @rr;
          while (my $i = $dns->pop($section)) {
              if ($i->class eq "IN" && $i->type eq "A" && $i->name eq "slashdot.org") {
                  $i->{address} = "127.0.0.1";
              }
              push @rr, $i;
          }
          # pop hands the records back in their original order
          while (my $i = pop @rr) {
              $dns->push($section, $i);
          }
      }
  • 53. QUEUE example: countertrace
    - Add “imaginary” hops
    - Optionally add latency
      - Low-priority users get slower net access
    - Quick & dirty honeynet / tarpit
  • 54. Reject with TTL Expired
    - The “ultimate” unreachable response
    - Alternatives:
      - TCP RST: host exists, port not listening to you
      - ICMP port / host / net unreachable
      - Black-hole route: throw away packet
    - TTL expired implies you can’t get there from here
      - So stop trying
  • 55. Application Awareness
    - Windows Firewall has exceptions per-app
      - “Outlook” can use internet, “Notepad” can’t
    - Iptables is port-focused only
      - No app awareness
    - Create queue handler to look up app for the socket, whitelist apps.
  • 56. Application Awareness example
    (Stolen blatantly from http://michael.toren.net/slides/ipqueue/slide017.html )
      # MD5 of the binary => path, for the programs allowed to open connections
      my %approved = qw(
          561c1c9071e8c5723c641273e725c1e3 /usr/bin/telnet
          9dc35c04c16d3f2ce2a8537961980913 /usr/bin/nc
      );
      ...
      # find the process owning the socket, then hash its executable via /proc
      my ($user, $pid) = getuserfromtcp $ip, $tcp;
      open EXE, "/proc/$pid/exe";
      my $md5 = Digest::MD5->new->addfile(*EXE)->hexdigest;
      close EXE;
      if ($pid > 0 && ! $approved{$md5}) {
          $ipq->set_verdict($msg->packet_id, NF_DROP);
          syslog "warning", "Blocking outbound connection attempt by unauthorized program";
      } else {
          $ipq->set_verdict($msg->packet_id, NF_ACCEPT);
      }
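The Perl above hides the interesting part in `getuserfromtcp`: going from the queued packet's 4-tuple to a socket inode, then to a PID, then to a binary hash. The Python below spells out that lookup for slides 55 and 56. It is an added example, not code from the deck or from ipqueue; the `/proc/net/tcp` text is constructed, the `verdict` strings stand in for the ipqueue NF_ACCEPT/NF_DROP constants, and the address decoding assumes a little-endian host.

```python
"""Socket-to-program lookup for an application-aware queue handler, in the
spirit of the Perl on slide 56.  Added example, not from the deck or from
ipqueue; the /proc/net/tcp text below is constructed."""
import hashlib
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


def _decode_addr(field: str) -> Endpoint:
    """'0100007F:0050' -> ('127.0.0.1', 80).  /proc/net/tcp writes the IPv4
    address as host-order hex (little-endian assumed here) and the port as
    network-order hex."""
    hexip, hexport = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(hexip, 16))), int(hexport, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """One dict per socket line of /proc/net/tcp; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": _decode_addr(f[1]),
            "remote": _decode_addr(f[2]),
            "state": int(f[3], 16),      # 01 = ESTABLISHED, 0A = LISTEN
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_inode(rows: List[Dict], local: Endpoint, remote: Endpoint) -> Optional[int]:
    """Map the 4-tuple of a queued outbound packet to the owning socket's inode."""
    for r in rows:
        if r["local"] == local and r["remote"] == remote:
            return r["inode"]
    return None


def pid_for_inode(inode: int, proc: str = "/proc") -> int:
    """Scan /proc/<pid>/fd for 'socket:[inode]'; 0 if not found (mirrors the Perl's $pid > 0 test)."""
    target = f"socket:[{inode}]"
    for entry in os.scandir(proc):
        if not entry.name.isdigit():
            continue
        try:
            for fd in os.scandir(entry.path + "/fd"):
                if os.readlink(fd.path) == target:
                    return int(entry.name)
        except OSError:          # another user's process, or one that just exited
            continue
    return 0


def exe_md5(pid: int, proc: str = "/proc") -> str:
    """MD5 of the running binary, read through the /proc/<pid>/exe symlink."""
    h = hashlib.md5()
    with open(f"{proc}/{pid}/exe", "rb") as exe:
        for chunk in iter(lambda: exe.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verdict(pid: int, digest: str, approved: Dict[str, str]) -> str:
    """NF_DROP for a known process whose binary is not allowlisted, NF_ACCEPT otherwise."""
    if pid > 0 and digest not in approved:
        return "NF_DROP"
    return "NF_ACCEPT"


# Constructed /proc/net/tcp: a listener on 127.0.0.1:80 and an outbound
# 10.0.2.15:49844 -> 198.51.100.10:23 session owned by uid 1000, inode 67890
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C2B4 0A6433C6:0017 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    inode = socket_inode(rows, ("10.0.2.15", 49844), ("198.51.100.10", 23))
    print("inode for the telnet session:", inode)
    if os.path.isdir("/proc/self"):   # the live steps need a Linux /proc
        pid = pid_for_inode(inode)
        print("owning pid:", pid, "verdict:", verdict(pid, exe_md5(pid) if pid else "", {}))
```

Only `parse_proc_net_tcp` and `socket_inode` are testable offline; `pid_for_inode` and `exe_md5` need a live Linux `/proc` and root to see other users' file descriptors. Hashing `/proc/<pid>/exe` checks the file the process was started from, not what it has mapped since, which is the same limit the Perl has.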
  • 58. Local Darknet
    - Multipoint VPN to avoid eavesdropping
    - Multicast goes everywhere locally, plus potentially through routers
    - Detect outbound multicast & split
    - Iptables TEE target
      - Create duplicate of packet & send someplace else
      - May require patching iptables, maybe kernel
  • 59. NAT’d host ID
    - Fingerprint incoming packets to differentiate a single host behind a shared NAT address
    - Base on super-session state: already seen connections?
    - TOFU again
  • 60. “Signed” TCP
    - TCP includes a checksum – why not an MD?
    - Add transparent proxy at each end
      - Use REDIRECT or just QUEUE
      - Slightly more intrusive with netcat / ssh / etc.
    - “Signature” is H(checksum + SEQ + PW)
      - Easy to generate, easy to verify (re-generate)
      - Password can be negotiated on first connect
    - Hash mismatch -> discard packet
      - No session hijack possible?
    - Easier than IPSec, and “might” survive NAT.
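What the verifying end of slide 60 would actually do, as an added example (not from the deck): tag each segment over its checksum and sequence number with the shared password, re-generate on receipt, and discard on mismatch. One deliberate change from the slide is named here: instead of a plain hash over `checksum + SEQ + PW` it uses HMAC-SHA256 keyed with the password, since a bare hash of a concatenation is open to length-extension and HMAC is not. The 16-byte tag length and the tag-alongside-segment carriage are assumptions.

```python
"""Per-segment authentication tag in the spirit of slide 60.  Added example,
not from the deck.  The slide's H(checksum + SEQ + PW) is replaced by
HMAC-SHA256 keyed with the shared password (an added choice)."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

TAG_LEN = 16   # truncated tag carried alongside the segment (assumption)


def segment_tag(password: bytes, checksum: int, seq: int) -> bytes:
    """Tag over the TCP checksum (16 bits, which already covers the payload)
    and the sequence number (32 bits), so neither can change unnoticed."""
    msg = struct.pack("!HI", checksum & 0xFFFF, seq & 0xFFFFFFFF)
    return hmac.new(password, msg, hashlib.sha256).digest()[:TAG_LEN]


def verify_segment(password: bytes, checksum: int, seq: int, tag: bytes) -> bool:
    """The receiver re-generates the tag; the constant-time compare keeps the
    comparison itself from leaking which byte mismatched."""
    return hmac.compare_digest(segment_tag(password, checksum, seq), tag)


Segment = Tuple[int, int, Optional[bytes]]   # (checksum, seq, tag or None)


def filter_segments(password: bytes, segments: List[Segment]) -> List[str]:
    """Verdict per segment: ACCEPT if the tag verifies, DROP if absent or wrong."""
    verdicts = []
    for checksum, seq, tag in segments:
        ok = tag is not None and verify_segment(password, checksum, seq, tag)
        verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts


# Constructed exchange: the sending proxy tags two segments with the shared
# password; the receiving proxy also sees an untagged segment and one whose
# tag was copied from a different segment (wrong SEQ for that tag).
PASSWORD = b"constructed-shared-secret"
SENT = [(0x1A2B, 1000), (0x3C4D, 2000)]
TAGGED: List[Segment] = [(c, s, segment_tag(PASSWORD, c, s)) for c, s in SENT]
RECEIVED: List[Segment] = TAGGED + [
    (0x3C4D, 3000, None),           # no tag at all
    (0x3C4D, 3000, TAGGED[1][2]),   # valid tag, but for seq 2000, not 3000
]

if __name__ == "__main__":
    print(filter_segments(PASSWORD, RECEIVED))
```

Because the TCP checksum covers the pseudo-header, any NAT that rewrites addresses or ports also rewrites the checksum, and a tag computed before the NAT will not verify after it; that is the reason the slide can only say the scheme "might" survive NAT, and a proxy pair would have to tag over something NAT leaves alone.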
  • 61. Closing the Box
    - iptables is almost a programming language
    - If iptables isn’t enough of a programming language, write a program to config it
    - If it can be done to a packet, it can likely be done in iptables
    - If it can’t be done in iptables, it can be done externally