Firewalls
This section will introduce students to firewalls through the use of Iptables. Their use as a first (and often only) line of defense for most computers has made them a popular buzzword, however as we will see, they can be used for more than just keeping bad traffic out.
Contents
- Firewalling with Iptables
- Stateless vs. Stateful Filters
- NAT and NAT via Firewalling
- Bandwidth Shaping
Firewalling with Iptables
A firewall is nothing more than a set of rules that determine the handling of IP packets. This can limit who can access your computer, as well as which ports they can connect to (and as a result, *how* they can access your computer). The metaphor of a wall is quite fitting, since in essence you are creating a wall around your computer and adding discrete entrances. This drastically reduces the number of entry points you must secure.
Iptables is the successor to ipchains and is the standard firewall administration tool on Linux. Note that it is not the firewall itself: the packet filtering is done by the netfilter code inside the kernel, and Iptables is only the user-space tool that loads rules into it. Rules are organized into tables (filter, nat, mangle, raw), and each table into chains with their own rule lists. The filter table, which is the one you are editing unless you say otherwise with -t, has three built-in chains: INPUT for packets addressed to this host, OUTPUT for packets this host generates, and FORWARD for packets it routes between interfaces; user-defined chains can be created as needed. When a packet is handed to a chain, the rules are checked in order until one matches, and that rule's target (ACCEPT, DROP, a jump to another chain, and so on) is applied. Only the *first* matching rule with a terminating target is followed, so the order of the rules is very important. Each built-in chain also has a default policy that applies when no rule matches. Not *technically* required, but necessary for effective use, the policy of INPUT and FORWARD should be DROP (or, equivalently, the last rule of every chain should drop all packets). This way anything not specifically handled is not trusted. For usage instructions, see both the man pages and [1].
Stateless vs. Stateful Filters
Say that our firewall is designed to only allow input traffic destined for port 22 (ssh). Now assume we want to surf the web. Our browser binds to some high port number and attempts to connect to port 80 on the webserver. We're only letting in traffic to port 22, which is certainly not a "high port number", so what happens when the webserver tries to acknowledge the connection? Of course our connection fails and we can't view the desired webpage. The issue is our (only) rule is stateless, i.e. it does not check to see if the packet is something we requested. To allow users to establish connections on any port they desire, we use stateful rules.
The kernel's connection tracking (conntrack) classifies each packet by the state of the connection it belongs to, and there are four states: NEW if the packet starts a connection the tracker has not seen before (for TCP, normally the initial SYN); ESTABLISHED once packets have been seen in both directions, which for TCP means the SYN/ACK reply and everything after it; RELATED if the packet starts a new connection that is associated with an existing one, such as an FTP data connection or an ICMP error about an existing flow; and INVALID if the packet cannot be associated with any known connection, for example a stray ACK or a packet with a nonsensical flag combination[2]. A stateful firewall, which most firewalls are these days, keeps the state of every connection in a table. Returning to our example, if we add a rule that accepts incoming RELATED and ESTABLISHED traffic, we can connect to any type of server we want on any port while still blocking any attempt from the outside world to initiate a connection. Two practical points: the ESTABLISHED,RELATED rule must come before any rule that drops traffic, and INVALID packets should be dropped explicitly rather than left to fall through to the service rules.
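The following script puts the two preceding sections together: a filter-table ruleset with DROP policies, a single exposed service (SSH), and the stateful ESTABLISHED,RELATED rule that makes outbound browsing work, beside the stateless ruleset the text describes as failing. It is an added example, not code from the page or from the Iptables project; the interface, port and the IPT/SSH_PORT variables are assumptions. Setting IPT=echo prints the rules instead of loading them, which is how the script can be reviewed on a machine without root.

```shell
#!/bin/sh
# Minimal stateful host firewall for the filter table (added example, not
# from the page). Run as root with --apply to load it, or with IPT=echo to
# print the rules it would load. IPT and SSH_PORT are assumptions.
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}

firewall_rules() {
    # Open the policies first, then flush, so a half-applied script does not
    # lock us out; the DROP policies are set last, once the accept rules exist.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F

    # Loopback traffic is always local; many services break without it.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # The stateful rule: replies to connections we started (ESTABLISHED) and
    # connections the tracker ties to one of ours (RELATED) are let in.
    # This one rule is what makes browsing work under a DROP policy.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets belonging to no known connection (stray ACKs, impossible flag
    # combinations) are dropped here rather than reaching the service rules.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only service we expose: new SSH connections.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Default policies: anything not accepted above is dropped. Using the
    # policy rather than a final "-j DROP" rule means a later "-A" cannot
    # accidentally land behind the drop and never be reached.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
}

# The stateless ruleset from the text, for comparison: only port 22 is let
# in, so a web server's SYN/ACK to our browser's high port never matches.
stateless_rules() {
    "$IPT" -F INPUT
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    "$IPT" -P INPUT DROP
}

# Only touch the live firewall when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Check the result with iptables -L -v -n after applying: the ESTABLISHED,RELATED counter should climb as soon as you browse, and the chain policy lines should read DROP for INPUT and FORWARD.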
NAT and NAT via Firewalling
Back in the network layer section, we established that there simply aren't enough IPv4 addresses for the number of computers in the world. How do we allow addresses to be reused without breaking the framework of the internet? With private IP addresses. RFC 1918 reserves three ranges, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, as "private" addresses: they are usable within a local network but are never routed across the public internet. Since these addresses aren't valid outside, hosts using them must borrow a globally routable address for their outgoing connections.
NAT, network address translation, usually takes place in a router or gateway device, and on Linux it can be done with Iptables. Using the MASQUERADE target in the nat table, Iptables rewrites the source address (and, when necessary, the source port) of outgoing packets to the gateway's public address and records the mapping in its connection tracking table. When a reply arrives for that address/port, it translates the destination back to the original before forwarding it along. To illustrate this, take a typical home network with a router connected to a cable modem to the outside world. Unless the homeowner paid extra, they were probably issued only a single public address, usually a dynamic one (or even none, if the ISP itself NATs its customers). If that address is assigned to the router, all computers connected to it must be given private addresses, and the router NATs their traffic as described. It should now be clear why the port must sometimes be rewritten as well as the address: two inside computers may pick the same source port at the same time, and their replies would otherwise be indistinguishable.
The NAT process is invisible to both parties. It also provides some incidental security: an outside attacker has no address at which to reach a machine inside the network directly, since an unsolicited inbound packet has no entry in the translation table and is dropped. Whether the gateway's global address is static or dynamic does not change this; it only affects how easy the gateway itself is to find again. For example, if our computer is set up on the Marlboro network and we wish to connect to it from home, we first connect to a host with a static global address, such as cs.marlboro.edu, and from there make a second connection to our machine's private address. A would-be attacker likewise has to compromise cs before moving on to ours. NAT is no substitute for a real firewall, though: a port forward, a compromised host inside, or an outbound connection from an inside host to the attacker all bypass it.
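The gateway described above, as an added example that is not code from the page or the Iptables project: a two-interface Linux box masquerading a private network, forwarding only replies back in, plus an optional DNAT port forward as the direct (and more exposed) alternative to hopping through a host like cs.marlboro.edu. Interface names, the 192.168.1.0/24 prefix, the inside host and the IPT/SYSCTL variables are assumptions; as before, IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# NAT gateway rules (added example, not from the page). WAN, LAN, LAN_NET,
# IPT and SYSCTL are assumptions; override them for your own box.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
WAN=${WAN:-eth0}                       # interface holding the single public address
LAN=${LAN:-eth1}                       # interface on the private side
LAN_NET=${LAN_NET:-192.168.1.0/24}     # RFC 1918 prefix used inside

enable_forwarding() {
    # The kernel refuses to route between interfaces until this is on.
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

nat_rules() {
    # MASQUERADE rewrites the source address (and source port on a clash) of
    # packets leaving WAN to WAN's current address. Unlike SNAT it looks the
    # address up per packet, so it suits a dynamically assigned public IP.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # FORWARD is where transit packets are filtered. Inside hosts may start
    # connections outward; from outside, only replies to those come back in.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Optional port forward (DNAT): public port 2222 reaches one inside host's
# SSH. This is the direct alternative to the bastion hop in the text, and it
# deliberately re-exposes that host, so it needs its own FORWARD accept.
forward_ssh_to() {
    inside=$1    # e.g. 192.168.1.10 (assumed inside host)
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 2222 -j DNAT --to-destination "$inside:22"
    # DNAT happens in PREROUTING, so FORWARD already sees the rewritten destination.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$inside" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    nat_rules
fi
```

After applying, conntrack -L (or /proc/net/nf_conntrack on older kernels) shows each translated flow twice, the original tuple and the rewritten reply tuple, which is the table the text refers to.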
Bandwidth Shaping
Another common, useful, and often frustrating use of firewalls is bandwidth shaping: prioritizing traffic based on port numbers (or, more precisely, on the services those ports are conventionally used for). The crude form does this with drop rates: the Iptables limit match accepts only a given number of packets per second and drops the rest, and because TCP slows down whenever it loses packets, the service becomes sluggish. Real shaping is not done in the filter table at all, which can only accept or drop; instead packets are marked in the mangle table and the kernel's traffic control (tc) queues them in classes with different guaranteed rates and ceilings. Either way, the goal is that "good" or "work-related" traffic like http, smtp, or ssh gets most of the bandwidth while "bad" or "pleasure-related" traffic like file sharing or gaming is barely usable. Bear in mind that classifying by port is easily evaded: anyone can run a file-sharing client on port 443.
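Both approaches, as an added example that is not from the page or from the Iptables or tc projects: the crude limit-match rate limiter, and firewall marks in the mangle table feeding an HTB queueing discipline. The interface, link speed, class rates and the port ranges (SSH, web and mail as "work", 6881-6889 as BitTorrent) are assumptions; IPT=echo and TC=echo print the commands instead of running them.

```shell
#!/bin/sh
# Bandwidth shaping by port (added example, not from the page). DEV, LINK,
# IPT, TC and the port choices are assumptions.
IPT=${IPT:-iptables}
TC=${TC:-tc}
DEV=${DEV:-eth0}
LINK=${LINK:-10mbit}

# The "drop rate" approach from the text: beyond 20 packets/s (bursts of 40)
# forwarded BitTorrent traffic is dropped and TCP's loss response throttles
# the transfer. Crude, because it counts packets rather than bytes and drops
# traffic the link could have carried.
crude_limit() {
    "$IPT" -A FORWARD -p tcp --dport 6881:6889 -m limit --limit 20/second --limit-burst 40 -j ACCEPT
    "$IPT" -A FORWARD -p tcp --dport 6881:6889 -j DROP
}

# Proper approach, step 1: tag packets in the mangle table. The filter table
# cannot shape; a firewall mark is only a label that tc can classify on.
# Mark 1: interactive/work traffic. Mark 2: bulk traffic to be squeezed.
mark_traffic() {
    "$IPT" -t mangle -F POSTROUTING
    "$IPT" -t mangle -A POSTROUTING -o "$DEV" -p tcp --dport 22 -j MARK --set-mark 1
    "$IPT" -t mangle -A POSTROUTING -o "$DEV" -p tcp -m multiport --dports 25,80,443 -j MARK --set-mark 1
    "$IPT" -t mangle -A POSTROUTING -o "$DEV" -p tcp --dport 6881:6889 -j MARK --set-mark 2
}

# Step 2: an HTB tree on the outgoing interface. Each class has a guaranteed
# rate and a ceiling it may borrow up to when the link is idle; bulk traffic
# gets a low ceiling so it stays slow even on an empty link.
shape_traffic() {
    "$TC" qdisc del dev "$DEV" root 2>/dev/null || true
    "$TC" qdisc add dev "$DEV" root handle 1: htb default 30
    "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    "$TC" class add dev "$DEV" parent 1:1 classid 1:10 htb rate 6mbit ceil "$LINK" prio 0
    "$TC" class add dev "$DEV" parent 1:1 classid 1:30 htb rate 3mbit ceil "$LINK" prio 1
    "$TC" class add dev "$DEV" parent 1:1 classid 1:20 htb rate 512kbit ceil 512kbit prio 2
    # Map firewall marks onto the classes; unmarked packets hit the default 1:30.
    "$TC" filter add dev "$DEV" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
    "$TC" filter add dev "$DEV" parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
}

if [ "${1:-}" = "--apply" ]; then
    mark_traffic
    shape_traffic
fi
```

tc -s class show dev eth0 reports bytes and drops per class, which is the quickest way to confirm that marked traffic is landing where intended.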
Sources and Further Reading