Frame/Packet Filtering

Frame/Packet Filtering
A Very Brief Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Packet Filter

Defined:
- Software that looks at the header of packets to decide the "fate" of the entire packet
Possible "Fates":
- Deny - discard the packet
- Accept
- Reject - discard but inform the source

Why Filter Packets?

Control/Management:
- Allow/disallow incoming packets from certain locations
- Allow/disallow outgoing packets to certain locations
Security:
- Limit access to services
- Log abnormal events

Packet Filtering in Linux

How?
- In the kernel
- Controlled using iptables
Configuration Using iptables -t filter:
- -A INPUT
- -A OUTPUT
- -s source address
- -d destination address
- -i incoming interface
- -o outgoing interface
- -p tcp | udp | icmp
- -m mac -mac source MAC address
- -j ACCEPT | DROP | REJECT | LOG

Packet Filtering in Linux (cont.)

An Example

unixexamples/security/filtering.txt

#---------------------------------------------------------------
# If a packet doesn't match one of the built-in chains, then
# the policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

#---------------------------------------------------------------
# The loopback interface should accept all traffic necessary for
# X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# We’ll allow incoming icmp (ping) messages for now although we 
# might want to disable this later
#---------------------------------------------------------------
iptables -A INPUT -p icmp -j ACCEPT 

#---------------------------------------------------------------
# Allow DNS traffic
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 53 -j ACCEPT 
iptables -A INPUT -p udp --dport 53 -j ACCEPT 

#---------------------------------------------------------------
# Log and reject non-local access to MySQL
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 3306 -j LOG 
iptables -A INPUT -p tcp --dport 3306 -j REJECT 
iptables -A INPUT -p udp --dport 3306 -j LOG 
iptables -A INPUT -p udp --dport 3306 -j REJECT 

#---------------------------------------------------------------
# Disallow access to low ports with SYN bit set
# Note: ! is used for negation
#---------------------------------------------------------------
iptables -A INPUT -p tcp  ! --syn --dport  :1023 -j ACCEPT

#---------------------------------------------------------------
# Open up access to high ports (necessary for web browsing)
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 1024: -J ACCEPT
iptables -A INPUT -p udp --dport 1024: -J ACCEPT

TCP Wrapper

Purpose:
- Handle security of packets that have passed through the filter
Configuration:
- There are two files, hosts.allow and hosts.deny that include lists of services and who can/can't use them