
Linux Packet Filtering

Netfilter / iptables

ADOLF

Firewalls


Protocol stack:

Web browser: Application level
TCP / IP: Network protocol
Ethernet: link-level protocol
IP packet header (20 bytes), fields in header order:

Version, IHL, Type of Service, Total Length
Identification, Flags, Fragment Offset
Time To Live, Protocol, Header Checksum
Source Address
Destination Address

TCP header (+20 bytes), fields in header order:

Source Port, Destination Port
Sequence Number
Acknowledgment Number
Data offset, Reserved, Negotiation flags, Window
Checksum, Urgent Pointer
Packet body

Packet filtering

Verdict per packet: ACCEPT or DROP.
Filtering modes: Stateless, Stateful.
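An added example (not from the slides) that models the stateless ACCEPT/DROP decision above in user space: it parses the IPv4 and TCP header fields from the two header diagrams out of a constructed packet and returns a verdict using the same numeric values as the kernel's NF_ACCEPT/NF_DROP. The rule (drop new TCP connections to port 23), the helper names and the packet bytes are the example's own assumptions.

```c
/* Added example, not from the slides: a user-space model of a stateless ACCEPT/DROP
 * decision over the IPv4 and TCP header fields shown above. Rule, names and bytes are constructed. */
#include <stdint.h>
#include <string.h>

#define NF_DROP   0   /* same numeric values as NF_DROP/NF_ACCEPT in <linux/netfilter.h> */
#define NF_ACCEPT 1
struct hdrs { uint8_t ihl, protocol, tcp_flags; uint16_t total_length, sport, dport; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the IPv4 header (20 bytes minimum) and, for protocol 6, the TCP header.
 * Returns 0 when the version or a length field disagrees with the bytes given. */
int parse_headers(const uint8_t *pkt, size_t len, struct hdrs *h)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    h->ihl = (uint8_t)((pkt[0] & 0x0f) * 4);            /* IHL counts 32-bit words */
    h->total_length = rd16(pkt + 2); h->protocol = pkt[9];
    if (h->ihl < 20 || h->total_length < h->ihl || h->total_length > len) return 0;
    h->sport = h->dport = h->tcp_flags = 0;
    if (h->protocol != 6) return 1;                      /* not TCP: IP fields only */
    if (h->total_length < (uint16_t)(h->ihl + 20)) return 0;  /* truncated TCP header */
    const uint8_t *t = pkt + h->ihl;
    h->sport = rd16(t); h->dport = rd16(t + 2);
    h->tcp_flags = t[13];                                /* negotiation flags: SYN=0x02, ACK=0x10 */
    return 1;
}

/* Stateless rule (constructed): drop new TCP connections (SYN without ACK) to port 23,
 * drop anything malformed, accept the rest. No state: each packet is judged on its own. */
int stateless_verdict(const uint8_t *pkt, size_t len)
{
    struct hdrs h;
    if (!parse_headers(pkt, len, &h)) return NF_DROP;
    if (h.protocol == 6 && h.dport == 23 && (h.tcp_flags & 0x12) == 0x02) return NF_DROP;
    return NF_ACCEPT;
}

/* Constructed 40-byte IPv4+TCP packet template: 10.0.0.1 -> 10.0.0.2, no options. */
static const uint8_t pkt_template[40] = {
    0x45, 0, 0, 40,  0, 0, 0, 0,  64, 6, 0, 0,  10, 0, 0, 1,  10, 0, 0, 2,    /* IPv4 */
    0xc0, 0, 0, 0,   0, 0, 0, 0,  0, 0, 0, 0,   0x50, 0, 0, 0,  0, 0, 0, 0 };  /* TCP  */

/* Copy the template into buf (>= 40 bytes), setting the destination port and flags. */
size_t build_tcp_packet(uint8_t *buf, uint16_t dport, uint8_t flags)
{
    memcpy(buf, pkt_template, sizeof pkt_template);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport; buf[33] = flags;
    return sizeof pkt_template;
}
```

A stateful filter would additionally remember the SYN it accepted and match later segments against that connection entry; this block deliberately keeps no such table.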


Linux Packet filtering

1994: ipfw, Alan Cox. Port from BSD. Linux 1.1
199?: ipfwadm, Jos Vos and others. Linux 2.0
1998: ipchains, Rusty Russell and Michael Neuling. Linux 2.2
1999: iptables, Rusty Russell. Linux 2.4+

http://www.netfilter.org/

Netfilter

- stateless packet filtering (IPv4, IPv6)
- stateful packet filtering (IPv4, IPv6)
- network address and port translation, NAT/NAPT (IPv4)
- API layers, extensions, plugins/modules

- stateless and stateful packet filtering based firewalls.
- NAT, masquerading to the internet.
- packet header manipulation (mangling).

- Packet mangling framework in kernel space.
- BSD socket interface (INET).

iptables

- iptables: user space command line administration program.
- ip_tables / IP tables: generic table structure.
- IP table (iptables matches) ...

Hook functions

- Kernel modules register hooks.
- Hook return values (verdicts): NF_DROP, NF_ACCEPT, NF_STOLEN, NF_REPEAT, NF_QUEUE
- Queued packets -> Userspace (ip_queue)

IPv4 & IPv6 hooks

Hook traversal (diagram): 1 -> Route -> 2 (to the local process) or 3 -> 4; locally generated packets: 5 -> Route -> 4.

1: NF_IP_PRE_ROUTING
2: NF_IP_LOCAL_IN
3: NF_IP_FORWARD
4: NF_IP_POST_ROUTING
5: NF_IP_LOCAL_OUT


Packet Selection: IP tables

kernel module register


IP table iptables framework,
hooks
traverse.
register hooks Netfilter.
Netfilter
hook.
To module iptables.
To iptables callback functions
match .

Packet filtering: filter

(hook diagram; hooks numbered as above)

NAT: nat

(hook diagram; hooks numbered as above)

Packet mangling: mangle

(hook diagram; hooks numbered as above)

Userspace

IP tables management:
- Shared library: libiptc.
- iptables command line utility.

IP tables userspace handling:
- Shared library: libnetfilter_queue.
- pre-2.6.14: ip_queue/libipq

Registering a Netfilter hook from a kernel module:

#include <linux/module.h>
#include <linux/netfilter.h>        /* nf_hook_ops, NF_DROP, nf_register_hook() */
#include <linux/netfilter_ipv4.h>   /* NF_IP_PRE_ROUTING, NF_IP_PRI_FIRST */

static struct nf_hook_ops hook_in;

/* prototype is found inside <linux/netfilter.h> */
unsigned int my_hook(unsigned int hooknum, struct ...
{
    return NF_DROP;   /* this hook drops every packet it sees */
}

int init_module()
{
    hook_in.hook     = my_hook;
    hook_in.pf       = PF_INET;              /* IPv4 */
    hook_in.hooknum  = NF_IP_PRE_ROUTING;    /* hook 1 in the diagram */
    hook_in.priority = NF_IP_PRI_FIRST;      /* run before the other hooks */
    nf_register_hook(&hook_in);
    return 0;
}

void cleanup_module()   /* module exit: unregister the hook */
{
    nf_unregister_hook(&hook_in);
}

ADOLF: A Desktop Oriented Linux Firewall

http://rainbow.cs.unipi.gr/projects/adolf

Concept

Linux.
interfaces

iptables, match, target, userspace, terminal, configuration GUI wrapper, vi, /etc/init.d/foo ..

(desktop)

Linux .

Screenshots

- Realtime
- Roaming
- UID / local process
- local process (!)
- Connection tracking aware (TCP, UDP).

- Unattended servers.
- Heavy load systems (.. peer-to-peer traffic)
- Realtime (..)
- Window managers: system tray.
- IPv6.
- UPNP.

- Kernel module
- Daemon
- Client applications
- Command line utilities
- Desktop applet

(architecture diagram: /dev/firewall, UNIX socket)

Kernel module

- registers Netfilter hooks: NF_FORWARD, NF_LOCAL_IN, NF_LOCAL_OUT
- misc device: root privileged char device /dev/firewall.
- ioctl, read, write.
- userspace.

Daemon

- attaches to the char device.
- source and destination hosts.
- local process (UID, command).
- DNS resolving / netdb.

- clients: UNIX socket.
- Thread-safe (7 threads + 2/client).
- clients.
- API (C/C++).

Command line utilities

API.

shell script:

#!/bin/sh
firewallStatus
# exit code 1 from firewallStatus: enable the firewall and check again
if [ $? -eq 1 ]; then
    firewallEnable
    firewallStatus
fi

Desktop application

- Qt4.
- C++ API.
- system tray.
- interface

Context menu

Control Panel (Wizard)

Counters

Identified roles

Future work

- clients
- documentation
- API shared library.
- port kernel module: libnetfilter_queue, libipq.
- dbus
- art, desktop application.
- Agents, time constants.
- IPv6.
- Hotplug shell scripts.

Credits

2005.
2007.
ADOLF, open source project.