
Chapter 7 - 03 - Understand Different Types of Firewalls and their Role - 08_ocred_fax_ocred.pdf



Certified Cybersecurity Technician Exam 212-82 Network Security Controls - Technical Controls

Host-based Firewall Protection with Iptables

* Iptables is a command-line firewall utility for Linux OSes.
* Iptables comes pre-installed on any Linux distribution. However, you can update/install it with the sudo apt-get install iptables command.

[Slide screenshot: output of iptables -h on alice@alice-Virtual-Machine, reproduced as Figure 7.53 below]

[Slide table: the task/command list reproduced as Table 7.4 below]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Host-based Firewall Protection with Iptables (Cont'd)

* Existing rules can be checked using the sudo iptables -L -n -v command.
  [Slide screenshot: output of iptables -L -n -v, reproduced as Figure 7.54 below]
* A specific IP address can be blocked using the iptables firewall:
  iptables -A INPUT -s 10.10.10.55 -j DROP

Host-based Firewall Protection with Iptables

Host-based firewalls provide enhanced security against threats. Linux systems support a kernel-based packet filter that is suitable for implementing host-based firewalls.

Module 07 Page 795 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Iptables

Iptables is a command-line firewall utility that can allow or deny traffic. Iptables is preinstalled on Linux systems. To update or install iptables, the user needs to obtain the iptables package using the command:

  sudo apt-get install iptables

Every packet traversing the filter system is assigned to an appropriate table depending on the task to be performed on the packet. Each table contains chains, and the rules in those chains decide what happens to the packet on its way to its destination.

The tables can be used to create rules, and the user can create their own chains and link them from the built-in chains. This makes it possible to build complex rule sets. However, the user needs to be extra careful when using the iptables command, as any small error in a command can lock the system and may require the user to fix the error manually.

There are three different types of chains:

* Input: The input chain verifies incoming connections and their behavior. Iptables compares the IP address and port of the incoming connection to the rules in the chain.
* Forward: The forward chain mainly forwards incoming connections to their destination. The command iptables -L -v verifies whether an incoming connection needs a forward chain.
* Output: The output chain is used for outgoing connections; iptables checks the output chain and decides whether to allow or deny the outgoing request.

  alice@alice-Virtual-Machine:~/Desktop$ iptables -h
  iptables v1.8.3

  Usage: iptables -[ACD] chain rule-specification [options]
         iptables -I chain [rulenum] rule-specification [options]
         iptables -R chain rulenum rule-specification [options]
         iptables -D chain rulenum [options]
         iptables -[LS] [chain [rulenum]] [options]
         iptables -[FZ] [chain] [options]
         iptables -[NX] chain
         iptables -E old-chain-name new-chain-name
         iptables -P chain target [options]
         iptables -h (print this help information)

  Commands:
  Either long or short options are allowed.
    --append  -A chain            Append to chain
    --check   -C chain            Check for the existence of a rule
    --delete  -D chain            Delete matching rule from chain
    --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
    --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
    --replace -R chain rulenum    Replace rule rulenum (1 = first)

Figure 7.53: iptables chain

Module 07 Page 796
Example iptables firewall rules:

* Check the existing rules using the sudo iptables -L -n -v command.

  root@alice-Virtual-Machine:/home/alice# iptables -L -n -v
  Chain INPUT (policy ACCEPT 97 packets, 7270 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001
  root@alice-Virtual-Machine:/home/alice#

Figure 7.54: iptables firewall rules

* Check the rules for a specific table using the command # iptables -t nat -L -v -n.
* Block the specified IP address using the iptables firewall:
  iptables -A INPUT -s 10.10.10.55 -j DROP

  root@alice-Virtual-Machine:/home/alice# iptables -A INPUT -s 10.10.10.55 -j DROP
  root@alice-Virtual-Machine:/home/alice#

Figure 7.55: Blocking specific IP address

* Block a specific port on the iptables firewall using the command # iptables -A OUTPUT -p tcp --dport xxx -j DROP.
* Block Facebook on the iptables firewall using the command # iptables -A OUTPUT -p tcp -d 66.220.144.0/20 -j DROP.

Task                                      Iptables command
Filtering non-TCP packets                 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Blocking XMAS scan attack                 iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop any NULL packets                     iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Drop any fragmented packets               iptables -A INPUT -f -j DROP
Block network flood on Apache             iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
Block incoming ping requests              iptables -A INPUT -p icmp -i eth0 -j DROP
Block access to a specific MAC address    iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
Block connection on a network interface   iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP
Disable outgoing mails                    iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT

Table 7.4: Other iptables commands for various tasks

Module 07 Page 797

UFW

UFW (Uncomplicated Firewall) is an interface to iptables. For beginners, it is difficult to use iptables to configure a firewall. UFW helps them by simplifying the process of configuring a firewall to secure the system on the network. Enable UFW to protect against unusual traffic.

Steps to Set Up a Firewall with UFW

* Install UFW using the sudo apt-get install ufw command.

  alice@alice-Virtual-Machine:~/Desktop$ sudo apt-get install ufw
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  ufw is already the newest version (0.36-1ubuntu3).
  0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
  alice@alice-Virtual-Machine:~/Desktop$

Figure 7.56: Installing UFW

* Check the status of UFW using the sudo ufw status verbose command. The output will be active or inactive. The default status of UFW is disabled.
  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw status verbose
  Status: inactive
  alice@alice-Virtual-Machine:~/Desktop$

Figure 7.57: Checking status of UFW

* Enable UFW using the sudo ufw enable command.

  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw enable
  Firewall is active and enabled on system startup
  alice@alice-Virtual-Machine:~/Desktop$

Figure 7.58: Enabling UFW

* Set default policies using the following commands.
  sudo ufw default deny incoming
  sudo ufw default allow outgoing

Add UFW Rules

There are two ways to add rules: by port number and by service name.

Module 07 Page 798

A few examples and the corresponding commands are discussed below.

* Allow both incoming and outgoing connections on port 22 for SSH.
  sudo ufw allow ssh

  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw allow ssh
  Rule added
  Rule added (v6)

Figure 7.59: Adding UFW rules

  (or)
  sudo ufw allow 2000

  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw allow 2000
  Rule added
  Rule added (v6)

Figure 7.60: Adding UFW rules

* Deny traffic on a specific port.
  sudo ufw deny 22
* Allow packets based on TCP or UDP.
  sudo ufw allow 80/tcp
  sudo ufw allow http/tcp
  sudo ufw allow 1725/udp
* Allow connections from an IP address.
  sudo ufw allow from 10.10.10.25

  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw allow from 10.10.10.25
  Rule added

Figure 7.61: Allowing connections

* Deny connections from an IP address.
  sudo ufw deny from 10.10.10.24

Module 07 Page 799

  alice@alice-Virtual-Machine:~/Desktop$ sudo ufw deny from 10.10.10.24
  Rule added

Figure 7.62: Denying connections

* Allow connections from a specific subnet.
  sudo ufw allow from 198.51.100.0/24
* Allow a specific IP address/port combination.
  sudo ufw allow from 198.51.100.0 to any port 22 proto tcp
* When more advanced or specific rules need to be added or removed:
  o Add the rules to the /etc/ufw/before.rules file (before6.rules for IPv6) to have them executed.
  o There are also after.rules and after6.rules files for any rules that need to be added after UFW runs the command-line-added rules.
  o An additional configuration file located at /etc/default/ufw allows the user to enable or disable IPv6, set default rules, and set UFW to manage the built-in firewall chains.

Remove UFW Rules

Delete rules using the port number or service name. Use delete in the command when removing a rule. For example, the command to delete the rule allowing HTTP traffic on port number 80 is sudo ufw delete allow 80.

Module 07 Page 800
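Table 7.4 shows its rules one command at a time, and the text warns that a single wrong command can lock the administrator out. The following added example (written for this page, not EC-Council's material) assembles those rules, together with a default-deny INPUT policy, into one iptables-restore ruleset that can be loaded atomically, and adds a check that the loopback/established ACCEPT rules come before every DROP in the INPUT chain, which is what keeps the session loading the rules alive. The management host 10.10.10.25, the blocked host 10.10.10.55 and the SSH port are constructed sample values, and the conntrack match is used in place of the older state match shown in the table.

```shell
#!/bin/sh
# Added example, not from the course material. Emits the Table 7.4 rules as
# one iptables-restore ruleset. Sample values: management host 10.10.10.25
# (SSH allowed), blocked host 10.10.10.55, SSH port given as $1 (default 22).
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established traffic are accepted first, so the DROP
# rules below can never cut off the session that loads this ruleset.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Single-host block (the page's 10.10.10.55 example).
-A INPUT -s 10.10.10.55 -j DROP
# Malformed TCP: NULL scan (no flags), XMAS scan (all flags), non-SYN NEW.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Fragments are dropped before any service rule sees them.
-A INPUT -f -j DROP
# Services: SSH only from the management host, HTTP rate limited.
-A INPUT -p tcp --dport ${ssh_port} -s 10.10.10.25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
# Outbound mail blocked; a port list needs the multiport match.
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
COMMIT
EOF
}

# Lock-out guard: in the INPUT chain no DROP may precede the first ACCEPT
# (exit status 0 = ordering is safe, 1 = a DROP comes first).
first_input_accept_precedes_drop() {
    build_ruleset "$@" | awk '
        /^-A INPUT/ && /-j DROP/ && !seen_accept { exit 1 }
        /^-A INPUT/ && /-j ACCEPT/ { seen_accept = 1 }
    '
}

# Load atomically, as root:  build_ruleset | iptables-restore
# Parse-only dry run:        build_ruleset | iptables-restore --test
```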
