Troubleshooting Linux Firewalls - Michael Shinn, Scott Shinn

Troubleshooting Linux Firewalls

Book | Softcover
384 pages
2005
Addison-Wesley Educational Publishers Inc (publisher)
978-0-321-22723-2 (ISBN)
51,25 incl. VAT
  • This title is unfortunately out of print;
    no new edition is planned
Brings together the step-by-step solutions and proven problem-solving techniques. This book presents an easy, start-to-finish troubleshooting methodology that helps you identify the firewall problem fast - and solve it. It covers various areas where Linux firewalls can go wrong: rules and filtering problems, Layer 2/3/4 issues, and more.
While Linux firewalls are inexpensive and quite reliable, they lack the support component of their commercial counterparts. As a result, most users of Linux firewalls have to resort to mailing lists to solve their problems. Our authors have scoured firewall mailing lists and have compiled a list of the most often encountered problems in Linux firewalling. This book takes a Chilton's-manual diagnostic approach to solving these problems.

The book begins by presenting the two most common Linux firewall configurations and demonstrates how to implement these configurations in an imperfect network environment, not in an ideal one. Then the authors present a methodology for analyzing each problem at various network levels: cabling, hardware components, protocols, services, and applications. The authors include diagnostic scripts which readers can use to analyze and solve their particular Linux firewall problems. The reference distributions are Red Hat and SuSE (for the international market).

AUTHORS Michael Shinn is managing partner of the Prometheus Group, an IT security consulting firm. He was formerly a member of Cisco's Advanced Network Security Research group and a senior software developer and founding member of the firm's Signatures and Exploits Development Team. Scott Shinn co-founded Plesk, a server management firm. He was formerly a senior network security engineer specializing in penetration testing for Fortune 50 clients at Wheelgroup, a firm later acquired by Cisco. Both authors served on the White House technology staff, specializing in security and penetration testing of both internal and Internet-connected systems. © Copyright Pearson Education. All rights reserved.

I. GETTING STARTED.

1. Introduction.

    Why We Wrote This Book

    How This Book Is Organized

    Goals of This Book

    The Methodical Approach and the Need for a Methodology

    Firewalls, Security, and Risk Management

    How to Think About Risk Management

    Computer Security Principles

    Firewall Recommendations and Definitions

    Why Do I Need a Firewall?

    Do I Need More Than a Firewall?

    What Kinds of Firewalls Are There?

      Firewall Types

    The Myth of "Trustworthy" or "Secure" Software

    Know Your Vulnerabilities

    Creating Security Policies

    Training

    Defense in Depth

    Summary

2. Getting Started.

    Risk Management

    Basic Elements of Risk Management

    Seven Steps to Managing Risk

    Phase I: Analyze

      Inventory

      Quantify the Value of the Asset

      Threat Analysis

    Phase II: Document

      Create Your Plan

      Create a Security Policy

      Create Security Procedures

    Phase III: Secure the Enterprise

      Implement Policies

      Implement Procedures

      Deploy Security Technology and Counter Measures

      Securing the Firewall Itself

      Isolating Assets

      Filtering

      Ingress/Egress Filtering

    Phase IV: Implement Monitoring

    Phase V: Test

    Phase VI: Integrate

    Phase VII: Improve

    Summary

3. Local Firewall Security.

    The Importance of Keeping Your Software Up to Date

      yum

      red carpet

      up2date

      emerge

      apt-get

    Over Reliance on Patching

    Turning Off Services

      Using TCP Wrappers and Firewall Rules

      Running Services with Least Privilege

      Restricting the File System

    Security Tools to Install

      Log Monitoring Tools

      Network Intrusion Detection

      Host Intrusion Detection

      Remote Logging

      Correctly Configure the Software You Are Using

      Use a Hardened Kernel

      Other Hardening Steps 

    Summary

4. Troubleshooting Methodology.

    Problem Solving Methodology 

    Recognize, Define, and Isolate the Problem

    Gather Facts

    Define What the "End State" Should Be

    Develop Possible Solutions and Create an Action Plan

    Analyze and Compare Possible Solutions

    Select and Implement the Solution

    Critically Analyze the Solution for Effectiveness

    Repeat the Process Until You Resolve the Problem

      Finding the Answers or...Why Search Engines Are Your Friend

      Websites

    Summary

II. TOOLS AND INTERNALS.

5. The OSI Model: Start from the Beginning.

    Internet Protocols at a Glance

      Understanding the Internet Protocol (IP)

      Understanding ICMP

      Understanding TCP

      Understanding UDP

      Troubleshooting with This Perspective in Mind

    Summary

6. netfilter and iptables Overview.

    How netfilter Works

      How netfilter Parses Rules 

      Netfilter States

      What about Fragmentation?

      Taking a Closer Look at the State Engine

    Summary

7. Using iptables.

    Proper iptables Syntax

      Examples of How the Connection Tracking Engine Works  

      Applying What Has Been Covered So Far by Implementing Good Rules

    Setting Up an Example Firewall

      Kernel Options

      iptables Modules

      Firewall Rules

      Quality of Service Rules

      Port Scan Rules

      Bad Flag Rules

      Bad IP Options Rules

      Small Packets and Rules to Deal with Them

      Rules To Detect Data in Packets Using the String Module

      Invalid Packets and Rules to Drop Them

      A Quick Word on Fragments

      SYN Floods

      Polite Rules

      Odd Port Detection and Rules to Deny Connections to Them

      Silently Drop Packets You Don't Care About

      Enforcement Rules

      IP Spoofing Rules

      Egress Filtering

      Send TCP Reset for AUTH Connections

      Playing Around with TTL Values

      State Tracking Rules

      STEALTH Rules

      Shunning Bad Guys

      ACCEPT Rules

    Summary

8. A Tour of Our Collective Toolbox.

    Old Faithful

    Sniffers

      Analyzing Traffic Utilization

      Network Traffic Analyzers

    Useful Control Tools

      Network Probes

      Probing Tools

    Firewall Management and Rule Building

    Summary

9. Diagnostics.

    Diagnostic Logging

      Scripts To Do This for You

      The catch all Logging Rule

      The iptables TRACE Patch

    Checking the Network

    Using a Sniffer to Diagnose Firewall Problems

    Memory Load Diagnostics

    Summary

III. DIAGNOSTICS.

10. Testing Your Firewall Rules (for Security!).

      INSIDE->OUT Testing with nmap and iplog

      Interpreting the Output from an INSIDE->OUT Scan

      Testing from the OUTSIDE->IN

      Reading Output from nmap

      Testing your Firewall with fragrouter

    VLANs

    Summary

11. Layer 2/Inline Filtering.

    Common Questions

    Tools Discussed in this Part

    Building an Inline Transparent Bridging Firewall with ebtables (Stealth Firewalls)

      Filtering on MAC Address Bound to a Specific IP Address with ebtables

      Filtering Out Specific Ports with ebtables

    Building an Inline Transparent Bridging Firewall with iptables (Stealth Firewalls)

    MAC Address Filtering with iptables

    DHCP Filtering with ebtables

    Summary

12. NAT (Network Address Translation) and IP Forwarding.

    Common Questions about Linux NAT

    Tools/Methods Discussed in this Part

      Diagnostic Logging

      Viewing NAT Connections with netstat-nat

      Listing Current NAT Entries with iptables

      Listing Current NAT and Rule Packet Counters

      Corrective Actions

    Summary

13. General IP (Layer 3/Layer 4).

    Common Question

    Inbound: Creating a Rule for a New TCP Service

    Inbound: Allowing SSH to a Local System

    Forward: SSH to Another System

    SSH: Connections Timeout

    telnet: Forwarding telnet Connections to Other Systems

    MySQL: Allowing MySQL Connections

    Summary

14. SMTP (e-mail).

    Common Questions

    Tools Discussed in this Part

    Allowing SMTP to/from Your Firewalls

    Forwarding SMTP to an Internal Mail Server

    Forcing Your Mail Server Traffic to Use a Specific IP Address with an SNAT Rule 

    Blocking Internal Users from Sending Mail Through Your Firewall

    Accept Only SMTP Connections from Specific Hosts (ISP)

    SMTP Server Timeouts/Failures/Numerous Processes

    Small e-Mail Messages Send/Receive Correctly, but Large e-Mail Messages Do Not

    Summary

15. Web Services (Web Servers and Web Proxies).

    Common Questions

    Tools Discussed in this Part

      Inbound: Running a Local Web Server (Basic Rules)

      Inbound: Filter: Incoming Web to Specific Hosts

      Forward: Redirect Local Port 80 to Local Port 8080

      Forwarding Connections from the Firewall to an Internal Web Server

      Forward: To Multiple Internal Servers

      Forward: To a Remote Server on the Internet

      Forward: Filtering Access to a Forwarded Server 

      Outbound: Some Websites Are Inaccessible (ECN)

      Outbound: Block Clients from Accessing Websites

      Transparent Proxy Servers (squid) on Outbound Web Traffic

    Summary

16. File Services (NFS and FTP).

    Tools Discussed in this Part

      NFS: Cannot Get NFS Traffic to Traverse a NAT or IP Forwarding Firewall

      FTP Inbound: Running a Local FTP Server (Basic Rules)

      FTP Inbound: Restricting Access with Firewall Rules

      FTP Inbound: Redirecting FTP Connections to Another Port on the Server

      FTP Forward: Forwarding to an FTP Server Behind the Firewall on a DMZ Segment

      FTP Forward: Forwarding to Multiple FTP Servers Behind the Firewall on a DMZ Segment

      FTP Forward: From One Internet Server to Another Internet Server

      FTP Forward: Restricting FTP Access to a Forwarded Server

      FTP Outbound: Connections are Established, but Directories Cannot Be Listed, and Files Cannot Be Downloaded

    Summary

17. Instant Messaging.

    Common Questions/Problems

    Tools Discussed in This Part

    NetMeeting and GnomeMeeting

      Connecting to a Remote NetMeeting/GnomeMeeting Client from Behind an iptables Firewall (Outbound Calls Only)

      Connecting to a NetMeeting/GnomeMeeting Client Behind a netfilter/iptables Firewall (Inbound/Outbound Calls)

      Directly from the GnomeMeeting Website's Documentation

      Blocking Outbound NetMeeting/GnomeMeeting Traffic 

    MSN Messenger

      Connecting to Other MSN Users

      Blocking MSN Messenger Traffic at the Firewall

    Yahoo Messenger

      Connecting to Yahoo Messenger

      Blocking Yahoo Messenger Traffic

    AOL Instant Messenger (AIM)

      Connecting to AIM

      Blocking AOL Instant Messenger Traffic

    ICQ

      Connecting to ICQ

      Blocking ICQ

    Summary

      Recalling Our Methodology

18. DNS/DHCP.

    Common Questions

    Tools Discussed in this Part

      Forwarding DNS Queries to an Upstream/Remote DNS Server

      DNS Lookups Fail: Internal Hosts Communicating to an External Nameserver

      DNS Lookups Fail: Short DNS Name Lookups Work, but Long Name Lookups Do Not

      DNS Lookups Fail: Nameserver Running on the Firewall 

      DNS Lookups Fail: Nameserver Running on the Internal and/or DMZ Network 

      Misleading rDNS Issue: New Mail, or FTP Connections to Remote Systems Take 30 Seconds or More to Start 

      DHCP: Dynamically Updating Firewall Rules with the IP Changes

      Blocking Outbound DHCP

      DHCP: Two Addresses on One External Interface

      DHCP: Redirect DHCP Requests to DMZ

    Summary

19. Virtual Private Networks.

    Things to Consider with IPSEC

    Common Questions/Problems

    Tools Discussed in this Part

      IPSEC: Internal Systems Behind a NAT/MASQ Firewall Cannot Connect to an External IPSEC Server

      IPSEC: Firewall Cannot Establish IPSEC VPNs 

      IPSEC: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN

      PPTP: Cannot Establish PPTP Connections Through the Firewall

    Running a PPTP Server Behind a NAT Firewall

      PPTP: Firewall Cannot Establish PPTP VPNs 

      PPTP: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN

      Using a free/openswan VPN to Secure a Wireless Network 

    Summary

Index.

 

Publication date (per publisher) 13.1.2005
Place of publication New Jersey
Language English
Dimensions 181 x 234 mm
Weight 568 g
Subject area Computer science: Operating systems / servers: Unix / Linux
Computer science: Networks: Security / firewall
ISBN-10 0-321-22723-9 / 0321227239
ISBN-13 978-0-321-22723-2 / 9780321227232
Condition New