Netfilter

Denis Ducamp / Hervé Schauer Consultants - English translation: Frédéric Lavecot

1. Introduction

This talk will present the following aspects :

• IP packet filtering

• address translation
  • As well as presenting certain technical points

1.1 Historical

• Linux 1.1 (end of 1994), Alan Cox ports ipfw from BSD.

• Linux 2.0, Jos Vos and some others enhance it and create ipfwadm.

• Linux 2.2 (mid 1998), Rusty Russel and Michael Neuling rewrite the packet fitering and create ipchains.

• Linux 2.4 (mid 1999), Rusty Russel rewrites again the packet filtering (netfilter for the kernel part) and creates iptables (user configuration)
  • Version 1.1.0 : july 2000 / linux 2.3.99-pre8

Rusty Russel works at watchguard http://www.watchguard.com editor of security solutions around the Firebox

2. Packet Filtering

• The notion of chains

• Filtering

• Connection tracing

• Example

• Technical tests

• Other possibilities

2.1 The notion of chains

• chains   programs

• a packet matching a rule will be directed to a chain

• a packet always goes trough one of these 3 chains :
  • Input : a packet going to the system incoming in an interface
  • Output : a packet generated by the system leaving an interface
  • Forward : a packet going though the system

• The following chains cannot be redefinned
  • ACCEPT : the packet is accepted
  • DROP : the packet is ignored
  • RETURN : end of the current program or application of the default policy for Input, Output and Forward
  • REJECT : the packet is rejected without any error message
  • LOG : the packet is logged
  • QUEUE : the packet is forwarded to a user program which will decide of it's fate

2.2 Filtering possibilities

• on input or output of an interface
  • INPUT: always on the interface input
  • OUTPUT: always on the interface output
  • FORWARD: on the interface input or output

• on source or destination address with or without a netmask

• service type

• protocol

• fragments or not

• ICMP type and code

• TCP and UDP: source and destination port with or without a range

• TCP
  • tcp options: SYN, ACK, FIN, RST, URG et PSH
  • connection requets or data transfers

2.3 Connexion tracing

• tracing of TCP, UDP and ICMP connections

• available options:
  • INVALID: packet is invalid
    • internal error while processing the packet
    • ICMP error packet not corresponding to any connection

  • ESTABLISHED: packet is part of an established connection

  • RELATED:
    • error packet matching an existing communication (reset / icmp)
    • a packet matching a request for a ftp data connection (active or passive mode)

  • NEW : packet does not match any know connection (not necessarily a new connection)

• list of the logged connections : cat /proc/net/ip_conntrack

• Number of connection (by default 8184) :

  echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max

2.4 Technical tests

• ICMP (ping):
  • an echo-reply from the server does not match a connection and is ignored
  • an echo-request from the client opens a "connection" for 30s
  • any echo-request from the client reinitializes the countdown for 30s

• UDP:
  • an UDP packet from the server not matching a connection is ignored
  • an UDP packet from the client opens a connection in the state "UNREPLIED" for 30s
    • an UDP packet from the client reinitializes the countdown for 30s
  • an UDP packet from the server brings the connection in "CONNECTED" state for 180s
  • An ICMP port unreachable doesn't close the connection.

• TCP:
  • before the client sends a SYN or SYN-FIN : no packet goes through
  • a SYN or SYN-FIN packet opens a connection in the state : "SYN_SENT"
  • a RST or SYN-RST:
    • from the client closes the connection without being transfered
    • from the server puts the connection in the state : "CLOSE" for 10 seconds wihout being transfered
  • a SYN-ACK from the server puts the connection in the state : "ESTABLISHED". The coutdown is set to 432000 second (5 days)
    • any RST or SYN-RST packet immediately closes the connection without being transfered
    • a FIN-ACK packet from one of the stations puts the connection in the state "CLOSE_WAIT" for 60s
    • a FIN_ACK from the other puts the connection in the state : "TIME WAIT" for 120s

2.5 Drawbacks

• As soon as the connection table is full, it becomes impossible to connect. SYN_FLOOD on open ports is possible because only the two packets are necessary to put the connection in the "ESTABLISHED" state.
  • Has been corrected: A connexion is concidered established only after the third packet has been seen.

• Sequence numbers are not controlled.
  • Has been corrected:
    • Rusty's poor-man's sequence track : sequence numbers are checked for the first three pakets.

    • Jozsef Kadlecsik has written a ptach based on the document "Real Stateful TCP Packet Filtering in IP Filter" written by Guido van Rooij describing the stateful implementation of IP Filter

      This patch breaks NAT for FTP and IRC modules for the time.

2.6 Other filtering possibilities

• mac: check the source mac address

• limit: put a limit on the use of a rule (max 3h)
  • limit the number of packets logged per second:
    iptables -A FORWARD -m limit --limit 3/s -j LOG
  • limit the number of SYN packets per second:
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  • limit the efficiency of port scanners
  • limit the number of echo-request icmp query per second

• owner : match a packet created locally
  • filter by uid,gid,pid,sid
  owner can only be applied to the OUTPUT chain
  some packets have no owner : icmp reply ...

3. Address translation

• concerned chains

• source translation

• destination translation

• behaviour

3.1 Concerned chains

3 chains are concerned by the Address translation

• PREROUTING : destination address is translated for incoming packets

• POSTROUTING : source adress is translated for outgoing packets

• OUTPUT : translation of the destination address for packets created locally

• Observations :
  • Source address translation is always done in last. Masquerading is source adress translation.

  • Destination address translation is always done in first. Port forwarding, load sharing and transparent proxying are destination address translation.

3.2 Source address translation

• Source address translation is always done in last by the chain POSTROUTING
  • routing and filtering see the packet unchanged

• Examples:
  • #Change source addresses to 1.2.3.4.
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

  • # Masquerade tcp out eth0 using a range of source ports
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -p tcp --to 2222-3333

3.3 Destination address translation

• Destination address translation done first:
  • either in the OUTPUT chain if the packet was created locally

  • either in the PREROUTING chain for incoming packets

• Examples:
  • # Change destination addresses to 5.6.7.8
    iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

  • # Change destination addresses of web traffic to 5.6.7.8, port 8080.
    iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 5.6.7.8:8080

  • # Send incoming port-80 web traffic to our squid (transparent) proxy
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

• Connexions created by local processes are not redirected.

3.4 Behaviour

• translation towards a group of addresses
  • the address assigned is the less used one
  • very basic load balancing (if a server fails then new requests are refused)
• translation of source port : source port is not modified by default, only if the address:port source and destination combination is already used.

4. Conclusion

• Not ready for production
  • netfilter and iptables are still in developpement
  • so is linux 2.4
• New and complicated syntax
• Does not apply good old habits:
  • application filtering : tcpwrapper
  • kernel functionnality : rp_filter
  • Unique options : filtering depending on the user, group, process or session
  • Will soon reach numerous professional offers
    • filtering state is not perfect ... but often good enough.

    • numerous proxy exist for ipchains and will be ported to netfilter

5. References

• official page: http://www.samba.org/netfilter/

• mailing list netfilter / iptables: echo "subscribe netfilter" | mail listproc@samba.org

• archive: http://lists.samba.org/listproc/netfilter/

• cvs site for netfilter / iptables :
  cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login
  password : cvs
  cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co netfilter
  update of the directories : cvs update -d -P

• cvsweb: http://www.samba.org/cgi-bin/cvsweb/netfilter/

• Kernel mailing list (200 messages a day / 0,5 Mb)
  echo "subscribe linux-kernel your_email@your_ISP" | mail majordomo@vger.rutgers.edu
  echo "subscribe linux-kernel-digest your_email@your_ISP" | mail majordomo@vger.rutgers.edu

• weekly summary: http://kt.linuxcare.com/kernel-traffic/back-issues.epl

6. Documentation

• Linux Networking-concepts HOWTO:
  http://www.samba.org/netfilter/unreliable-guides/networking-concepts-HOWTO.html
  Rusty Russel
  This document describes what a network (such as the Internet) is, and the very basics of how it works.

• Linux 2.4 Packet Filtering HOWTO
  http://www.samba.org/netfilter/unreliable-guides/packet-filtering-HOWTO.html
  Rusty Russel
  This document describes how to use iptables to filter out bad packets for the 2.4 Linux kernels.

• Linux 2.4 NAT HOWTO
  http://www.samba.org/netfilter/unreliable-guides/NAT-HOWTO.html
  Rusty Russel
  This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network

• Linux netfilter Hacking HOWTO
  http://www.samba.org/netfilter/unreliable-guides/netfilter-hacking-HOWTO.html
  Rusty Russel
  This document describes the netfilter architecture for Linux, how to hack it, and some of the major systems which sit on top of it, such as packet filtering, connection tracking and Network Address Translation.

® © Hervé Schauer Consultants 2000 - 4 bis, rue de la gare - 92300 Levallois-Perret
Phone : +33 141 409 700 - Fax : +33 141 409 709 - Email : <secretariat@hsc.fr>