So let's look at an example of how we could implement firewall rules in a Linux-based operating system. The software that Linux commonly uses is referred to as iptables, or rather, the software that the administrator uses to manipulate the firewall is iptables. So I'll give a quick explanation and then I'll show some examples of how we create some rules. Just the concepts. In Linux operating systems there are actually two components of a firewall. One is called netfilter. Netfilter is inside the core of the operating system, in the kernel, and it filters out packets. That's what a firewall does: a packet comes in, it checks the conditions and then takes some action, does some filtering. But the administrator of the firewall, you, the user of the computer, use some software to tell netfilter what to filter, what to allow, what to drop. And that software is called iptables. Now, to do anything with iptables you need to be the computer administrator, so we'll use sudo to run iptables. The normal user cannot necessarily use it. The idea is that here's our network interface card, our LAN card or our Wi-Fi card. Packets come in here into the hardware and of course go out there. And at the top we have our applications like our web server, our browser, our secure shell client and so on, our network applications. The normal mode, ignoring the firewall, is that our application sends a packet out. It goes through the operating system, or the core of the operating system, referred to as the kernel, the Linux kernel. It goes through the Linux kernel and then is sent out of your network interface card. And as someone sends a packet to you, it comes into your network interface card, through the kernel, to your application like your web browser. Part of the Linux kernel is this module called netfilter. And netfilter essentially is a firewall. As packets go through the Linux kernel, netfilter can look at them and take some action with them, like drop them.
So we need to configure netfilter to take some actions, like drop packets that meet particular conditions. And the software that the human user uses, normally one of them, is called iptables. So what we will use is iptables: it will tell netfilter which packets to accept and which ones to drop. In short, we will use iptables to create our firewall rules. And the rules will be implemented in the kernel by netfilter, and as packets are sent out, before they get to the network interface card, netfilter may take some action like dropping the packet. Now, with regards to iptables, it has some different terminology. It talks about tables of filters, and there are different tables of filters. The one that we will use in our examples today, and maybe the only one in the homework, is just the default filter table. But iptables allows you to do things other than just filter packets. Filtering really means allowing or dropping. iptables allows you to modify packets, mangle packets. That is, you send a packet out from your application and it has particular data inside that packet. iptables can modify that before it is sent out of your computer. Or network address translation. You send out a packet. The source address is 1.2.3.4. With network address translation I can change the source address to something else. And in your denial of service homework task you are actually using iptables to create a fake source address. One of the commands sets a fake source address, and it uses iptables in the network address translation mode. We are just going to use the default table called the filter table. A table contains chains, and the chains are a little bit confusing, so we will just talk about three of them at the moment. The first three: input, output and forward. The idea is that, with respect to the packets processed by our computer, we can treat them differently.
We can have different rules depending on whether the packets are coming to my computer, input to my computer; were created by my computer, output of my computer; or are going through my computer, forwarded by my computer. When does a packet go through your computer? Some of you have taken the lab on Monday, yesterday. When does a packet go through your computer? What type of computer? Who took the lab? When does a packet go through your computer? By "through" it means a packet comes to your computer and your computer sends it on to someone else. Not necessarily just for ping. What type of computer allows a packet to come in and then go out? A router. With a router, we say packets go through. A packet is sent to the router, the router looks at it and sends it on to someone else. Going through, we refer to as forwarding the packet. So in iptables we can treat packets differently depending upon whether they are coming in to our computer, destined to me; coming out of my computer, I created them; or going through my computer, I am forwarding the packets. And these are referred to as chains. There are a couple of other chains as well. These are mainly used for modifying packets, network address translation, before we make a routing decision and after we make a routing decision. If our firewall is running on a router then we normally use the forward chain. So that's what we'll see in the example. With iptables we can create rules, and we create rules by specifying which conditions to match. And there is some syntax, which is summarised here but is easier seen from some examples. The first example: I want to drop ping packets, or more generally drop ICMP packets. I have created a virtual network with three nodes. Node 1, IP address 192.168.1.11, the green one. Node 2 has two interfaces. We'll see. It will be the firewall. And node 3, 192.168.2.21. So the set up of my network: we have node 1, which has IP address 192.168.1.11. And we have a node 2, and node 3, which has IP address 192.168.2.21.
This is the firewall and this is another computer. Let's say node 3 is outside. It doesn't matter for the first example. And they have links between them. Let's assume node 1 is inside, internal to our network, and node 3 is external, outside. This is our firewall. So we're going to create rules on the firewall to achieve some aims. And because it's also a router, when we create our rules, the packets which arrive at node 2 are normally going to be forwarded on to node 3. So we need to use what's called the forward chain. We need to specify with iptables: apply our rules to packets which are forwarded by this computer. So the first case is I want to stop ping from working. Computer 1 will ping computer 3. Then I'll create a rule that stops ping working, to block ping. The default action at this stage is to accept. The default policy, just the initial set up, is accept. Accept everything. Drop what we specify by the rules. Let's ping. We're going to ping from node 1 to node 3. Ping is working, fine. So ping is working; it will go forever. Now let's set our firewall up so that ping stops working. Ping is running. Now let's try our firewall. And we use iptables. We need to be administrator to run iptables. So we need to have sudo. And the syntax is a bit complicated when you first use it, but you quickly get used to it. We want to add a rule to our table. So we think of our firewall as having a list of rules, or a table of rules. And we want to process packets only when we forward them. Add a rule, -A for add, for the packets which are forwarded by this computer, the forward chain. And now we specify some conditions. To drop ping, what is the condition we want to meet? What transport protocol does ping use? ICMP. So the protocol, -p, protocol ICMP. I don't care who the source is, who the destination is; in my firewall just drop all the ping packets. Or drop all the ICMP packets. And now we jump to the action. -j to jump to the action. And the action: drop.
So: add a rule to the forward chain, and the conditions are, if the protocol, the transport protocol, is ICMP, then take the action to drop the packets. Enter, watch the ping. Got the password wrong? Because I've got caps lock on. There we go. Ping stopped. So it stopped. The ICMP request 133 is no longer pinging. Because what's happening is computer 1 is sending an ICMP packet. It gets to the firewall. The firewall rule drops it. And let's see a little bit more detail. We can list the rules. List the rules. We only added one. And let's add the details. You'll see the details. Let's maybe make some space. The firewall says there's a rule. So it's a table. These are the columns. If the source is anyone, if the destination is anyone, and the protocol is ICMP, the target, or the action, is to drop the packet. And it's currently dropped 47 packets. So these are some statistics of what it's done. If I run it again, it's now dropped 81 packets. Because my ping is still running, but the ping packets are getting to the firewall and the firewall is dropping them. So that's a quick example of using iptables to drop ping. We can delete the rule. Instead of -A to add, -D to delete. Ping is working again. It's back to 240. So we lost 100 packets because of the firewall. We'll stop ping. Let's try to drop some TCP packets. And we'll use a netcat server. On computer 3, we'll listen. And on computer 1, we'll use netcat to connect using TCP. So netcat allows us to create a TCP connection from 192.168.1.11 to 192.168.2.21, listening on port 12345. So the blue one's the server, the green one's the client. They can communicate. Let's add a rule to stop them. Again, for packets which are forwarded through my firewall, what protocol should we stop? TCP. Lower case. All TCP? How do we stop just that netcat communication? I want to allow other things like web browsers. I don't want to allow them to use netcat in the way that they're using it.
What could I do to block that particular one? Look at the way that I started the netcat server. The port number: we could use it to identify that particular application. Destination port, which is a sub-option of TCP, is 12345. If it's going to port 12345, drop the packet. Currently we can talk. Now we add the rule. And now when I send a message from the client to the server, nothing is received, because the firewall is dropping those packets. Let's see the statistics. The firewall rule, sorry, it wraps: destination port 12345, drop packets. It's currently dropped 8 packets. It's still dropping. Can node 3 send a message back? Node 3 can send back, because we specified the destination port to be 12345. The blue one is the destination port 12345. But the green one has a different port. So when we send from blue to green, the destination port is not 12345. So we can send from server to client, but not from client to server. We can delete the rule. Watch what happens when we delete. Do we get any messages? We may have lost our TCP connection. So what we did is we blocked our packets. Here they come. The beauty of TCP is that packets which didn't get through are eventually retransmitted. So the packets which I blocked before with the firewall, "are you there? Hello", sent from node 1 to node 3: when I disabled the firewall, the feature of TCP is that it retransmits. So it eventually retransmits those messages and they do get through. So that's the retransmission feature of TCP. So that's a very quick introduction to the syntax of using iptables to implement a firewall. You can see on these slides some other examples, and they explain the general syntax, examples of accessing a website or viewing the rules, deleting rules, and more complicated examples. So your next homework will involve you using iptables to build up some rules and to implement some security policy.
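The two walkthroughs above (drop ping, then drop the netcat connection) written out as a script. This is an added example, not code from the lecture or its slides. It assumes the lecture's topology (node 1 at 192.168.1.11 inside, node 2 as the firewall/router, node 3 at 192.168.2.21 outside, netcat listening on TCP port 12345), a FORWARD chain whose default policy is ACCEPT, and root on the firewall. The `--sport` rule for the reply direction, the counter parser `dropped_icmp_packets` and the `DRY_RUN`/`RUN_DEMO` switches are my additions beyond what the lecture shows; the listing in `SAMPLE_LISTING` is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the lecture: both walkthroughs as shell functions.
# DRY_RUN=1 prints each iptables command instead of executing it, so the
# script can be read and tested without root; RUN_DEMO=1 runs the demo.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Walkthrough 1: append (-A) to FORWARD a rule matching protocol ICMP (-p) and
# jumping (-j) to DROP. No source/destination given, so it matches everyone.
block_icmp()   { fw -A FORWARD -p icmp -j DROP; }
# Delete (-D) takes exactly the match specification that was used to add.
unblock_icmp() { fw -D FORWARD -p icmp -j DROP; }
# List the chain with packet/byte counters (-v) and numeric addresses (-n).
show_forward() { fw -L FORWARD -v -n; }

# Sum the packet counters of the ICMP DROP rules in a listing read from stdin
# (columns of `iptables -L FORWARD -v -n`: pkts bytes target prot ...).
# iptables-nft prints the protocol as a number when -n is given, hence the "1".
dropped_icmp_packets() {
    awk '$3 == "DROP" && ($4 == "icmp" || $4 == "1") { sum += $1 } END { print sum + 0 }'
}

# Constructed listing in the shape the lecture reads off the screen: 47 echo
# requests of 84 bytes dropped so far. Not captured from a real system.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   47  3948 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# Walkthrough 2: drop forwarded TCP segments whose destination port is $1.
# --dport is a sub-option of -p tcp, so -p tcp must come first.
block_to_port()   { fw -A FORWARD -p tcp --dport "$1" -j DROP; }
unblock_to_port() { fw -D FORWARD -p tcp --dport "$1" -j DROP; }
# Generalisation not in the lecture: the server's replies carry 12345 as the
# *source* port, so blocking that direction too needs a --sport rule.
block_from_port() { fw -A FORWARD -p tcp --sport "$1" -j DROP; }

# Pure-shell model of the --dport rule, for reasoning about a packet without a
# live firewall: DROP if the rule matches, otherwise the chain policy (ACCEPT).
dport_rule_verdict() {   # dport_rule_verdict PROTO DPORT RULEPORT
    if [ "$1" = tcp ] && [ "$2" = "$3" ]; then echo DROP; else echo ACCEPT; fi
}

demo() {
    block_icmp
    show_forward          # re-run while node 1 keeps pinging: pkts keeps growing
    echo "ICMP dropped so far: $(printf '%s\n' "$SAMPLE_LISTING" | dropped_icmp_packets)"
    unblock_icmp          # ping resumes; the dropped echo requests are simply lost

    block_to_port 12345
    # Constructed packets: client 192.168.1.11:40000 -> server 192.168.2.21:12345
    echo "client->server: $(dport_rule_verdict tcp 12345 12345)"   # DROP
    # and the reply 192.168.2.21:12345 -> 192.168.1.11:40000, whose dport is 40000
    echo "server->client: $(dport_rule_verdict tcp 40000 12345)"   # ACCEPT
    unblock_to_port 12345  # TCP retransmits the blocked segments once the rule is gone
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

On the firewall, run it as `sudo env RUN_DEMO=1 sh fw-demo.sh`; anywhere else, `DRY_RUN=1 RUN_DEMO=1 sh fw-demo.sh` just prints the iptables commands. Note that ping is not "fixed" by removing the rule: ICMP has no retransmission, so the echo requests dropped in between are gone, which is why the lecture's counter jumps from 133 to 240.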