CS529- Firewalls

Dr. Modi Chirag N

[email protected]
Firewalls
A firewall is a software-based network security system (or a dedicated hardware appliance) that controls incoming and outgoing network traffic by inspecting packets against a policy.
It is treated as the first line of defense at a network boundary.
It permits or denies traffic based on IP addresses, ports and protocols.
Because it can control traffic at the level of TCP/UDP ports, a firewall can, for example, block access to a port that no standard service on the host uses.

03/07/2025 Chirag N. Modi 2


Static Packet Filtering Firewall (Packet Filters)
A static packet filtering firewall provides access control based on host addresses and communication sessions.
Such a firewall is also called a stateless inspection firewall: it does not keep track of the state of traffic flows.
It is not concerned with the content (payload) of packets.
Access control is governed by a set of directives called a ruleset.
Packet filtering capabilities are built into operating systems and into network devices capable of routing.
For example, a network router provides network access control based on information contained in each packet, such as the source IP address, destination IP address, source port and destination port.
Static Packet Filtering Firewall (Packet Filters)
For example, an access control list (ACL) on a static filtering firewall can allow network traffic destined for port 80 (WWW) while blocking traffic to port 22 (SSH).
A static filtering firewall does not check the state of connections, so it is vulnerable to spoofing attacks (a forged source address, or forged TCP flags that claim an "established" connection the filter cannot verify) and to fragmentation attacks that exploit how the TCP/IP specification handles reassembly.


Static Packet Filtering Firewall (Packet Filters)
Simplest of the firewall components.
Uses network- and transport-layer header information only:
– IP source address, destination address
– Protocol / next header (TCP, UDP, ICMP, etc.)
– TCP or UDP source and destination ports
– TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
– ICMP message type
Examples
– DNS uses port 53
– No incoming port 53 packets except from known trusted servers


Static Packet Filtering Firewall (Packet Filters)
Filtering on incoming or outgoing interfaces
– E.g., ingress filtering of packets with spoofed source addresses (an external interface should never receive packets claiming an internal source)
– Egress filtering
Permits or denies particular services
– Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
Pros
– Fast: operates on IP addresses and TCP/UDP port numbers alone, ignoring the data part of packets.
– Application independence
– Least expensive
– Packet filtering rules are relatively easy to configure.
– No configuration changes needed on workstations.


Static Packet Filtering Firewall (Packet Filters)
Cons
– Allows a direct connection between endpoints through the firewall, which leaves any vulnerability on the endpoint exposed to the remote peer.
– No screening of the packet payload.
– Logging of network traffic includes only IP addresses and TCP/UDP port numbers; no payload information is available.
– Complex firewall policies are difficult to implement using filtering rules alone.
– Relies on IP addresses for authentication rather than user authentication.


Stateful Packet Filtering Firewall
A stateful packet filtering firewall is an enhancement over static packet filtering.
It keeps track of the state of network connections (TCP streams, and pseudo-connections for UDP exchanges) and holds the significant attributes of each connection in memory.
These attributes include IP addresses, ports, TCP sequence numbers, etc.
The states are kept in a state table, which can be maintained in hardware or in software.
The firewall updates the state table dynamically based on the current traffic.


Stateful Packet Filtering Firewall
Suppose the firewall blocks all inbound traffic to IP address "172.16.2.187" (system A).
Let system A initiate an HTTP request destined to "192.168.2.101".
The system with IP address "192.168.2.101" sends its acknowledgement (SYN-ACK) back to system A.
Since A initiated the request, the stateful firewall dynamically adds a filtering rule specifying that this TCP connection from "192.168.2.101" to system A is allowed.
This creates an exclusive permission for this connection only.
When a connection termination request is made (or the entry times out), the stateful firewall removes the exclusive rule.


Stateful Inspection Firewall
A stateful inspection firewall keeps track of the state of connections (in a state table) and blocks packets that deviate from the expected state.
This is accomplished by incorporating greater awareness of the transport layer.
It examines TCP headers to monitor the state of each connection.
The TCP header of each new packet is compared with the entry in the state table to determine whether the packet contradicts its expected state.
For example, an attacker could craft a packet whose header (ACK flag set, SYN clear) claims it is part of an established connection.
A stateless filter would accept it on the flags alone. The stateful inspection firewall first looks the packet up in the state table and allows it only if it belongs to an open connection listed there; a forged packet with no matching entry is dropped.


Stateful Inspection Firewall
If any system (with IP address "192.168.2.100") attempts to connect to system A (IP: 172.16.2.187), the connection attempt is first checked against the firewall ruleset.
If it is permitted, an entry is added to the state table indicating that a new session is being initiated.
If 192.168.2.100 and 172.16.2.187 complete the three-way TCP handshake, the connection state changes to "established" and all subsequent traffic matching the entry is allowed through to system A.


Stateful Inspection Firewall
Pros
– Improved security over basic packet filters, because packets are checked against connection state.
– A degree of application independence, depending on the level of stateful examination.
– Better logging of activity than basic packet filters.
– Good performance.
– No configuration changes to the protected workstations are necessary.
Cons
– Still allows a direct connection between endpoints through the firewall, so endpoint vulnerabilities remain exposed.
– Does not hide the private systems (no address translation by itself).
– Setting up stateful examination rules is more complicated.
– Application-layer awareness is limited to the protocols the firewall has specific support (helpers) for.
– No user authentication.
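As an added example (not part of the original slides), the two rule sets below make the difference between the two preceding sections concrete for the firewall in front of system A (172.16.2.187, the address used on the slides). Both functions print rules in iptables-restore format rather than loading them, so the script runs without root and the rules can be read side by side; the stateless set reproduces the forged-"established"-packet weakness described above, the stateful set uses the kernel's connection tracker. Everything other than the address of system A is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the slides): two FORWARD-chain rule sets for a
# firewall in front of system A (172.16.2.187, the address used on the
# slides) that should only receive packets belonging to connections A
# itself opened. The functions print rules in iptables-restore(8) format
# instead of loading them, so the script runs without root:
#   stateful_ruleset | iptables-restore --test   # parse only
#   stateful_ruleset | iptables-restore          # load
SYSTEM_A="172.16.2.187"

# Stateless approximation used by static packet filters: a packet is taken
# to be "part of an established connection" when its ACK bit is set and
# SYN is clear. No table is consulted, so an attacker who sends a crafted
# ACK-only segment to A passes the second rule although no handshake ever
# happened; the filter has no way to tell.
stateless_ruleset() {
  printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
  printf '%s\n' "-A FORWARD -s $SYSTEM_A -p tcp -j ACCEPT"
  printf '%s\n' "-A FORWARD -d $SYSTEM_A -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Stateful version: conntrack records the three-way handshake that A
# initiated. Packets toward A are accepted only when they match a tracked
# connection (ESTABLISHED) or are related to one (RELATED, e.g. an ICMP
# error about it). A forged ACK with no table entry is INVALID (or NEW)
# and falls through to the DROP rule.
stateful_ruleset() {
  printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' "-A FORWARD -s $SYSTEM_A -m conntrack --ctstate NEW -j ACCEPT"
  printf '%s\n' "-A FORWARD -d $SYSTEM_A -j DROP"
  printf '%s\n' 'COMMIT'
}

# Does a rule set accept packets toward A on TCP flags alone, i.e. with an
# ACCEPT rule that has no conntrack match? Exit 0 = yes (spoofable), 1 = no.
accepts_on_flags_alone() {  # accepts_on_flags_alone FUNCTION_NAME
  "$1" | grep -- "-d $SYSTEM_A" | grep -- '-j ACCEPT' | grep -v conntrack | grep -q -- '--tcp-flags'
}
```

`--tcp-flags SYN,ACK ACK` means "examine SYN and ACK; match when only ACK is set", which is exactly the "established" test a stateless ACL can perform. The stateful set puts the ESTABLISHED,RELATED rule first because it will match the large majority of packets, and keeps an explicit DROP for system A so the rejection can later be logged instead of relying silently on the chain policy.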
Application Layer Firewall (Proxy)
A proxy firewall contains a proxy server that acts as an intermediary between two systems that wish to communicate, and never allows a direct connection between them.
It creates two separate connections: one between the client and the proxy server, and another between the proxy server and the actual destination.
Since external systems communicate only with the proxy server, internal IP addresses are not visible.
The proxy server consults the firewall ruleset to determine whether a given instance of network traffic should be allowed to transit the firewall.
The firewall runs a set of proxy programs:
– Proxies filter incoming and outgoing packets
– All incoming traffic is directed to the firewall
– All outgoing traffic appears to come from the firewall
– Policy is embedded in the proxy programs
Application Layer Firewall (Proxy)
When any client (on the Internet) wants to communicate with System B, it sends the communication request to the proxy server (IP: "208.142.13.1").
The proxy server allows or denies the request based on its rules.
If it is allowed, the proxy server sends its own communication request to the destination system (System B).
System B sends the response to the proxy server, and the proxy server relays the response to the client.


Application Layer Firewall (Proxy)
Has full access to the application protocol:
– the user requests a service from the proxy
– the proxy validates that the request is legal
– it then performs the request and returns the result to the user
Needs a separate proxy for each service, e.g.:
– SMTP (e-mail)
– NNTP (net news)
– DNS (Domain Name System)
– NTP (Network Time Protocol)
– custom services are generally not supported


Application Layer Firewall (Proxy)
Pros
– End points do not communicate directly with one another.
– Provides content filtering capability.
– Hides internal addresses.
– Web proxies often cache content to improve response time and reduce load on the Internet link.
– Robust user authentication.
– Offers logging and auditing of users' activities on the Internet.
– Policy rules are usually easier to write than packet filtering rules.


Application Layer Firewall (Proxy)
Cons
– Performance problems; much slower than the other two types.
– Must have a proxy for every protocol.
– Without a proxy for a protocol, the firewall may not handle that protocol correctly.
– Limited transparency; clients may need to be modified, e.g., configuring the proxy server in a browser.
– Does not protect against all protocol weaknesses.


Virtual Firewall
A virtual firewall (VF) is a network firewall service or appliance running entirely within a virtualized environment, providing the packet filtering and monitoring usually provided by a physical network firewall.
A VF can be realized as a traditional software firewall on an existing guest virtual machine, a purpose-built virtual security appliance designed with virtual network security in mind, a virtual switch with additional security capabilities, or a managed kernel process running within the host hypervisor.

Virtual Firewall (diagram)


Designing a Firewall Rule Set
To define a general rule set, examine:
– The expected traffic load on the firewall.
– Rank the traffic types by volume, and place the Internet service with the largest traffic at the top of the rule set: rules are evaluated in order and evaluation stops at the first match, so most packets then match early.
– Place any deny rules pertaining to a protocol before the permit rules for that protocol; because the first matching rule wins, a permit placed first would silently override the deny.
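As an added example (not from the original slides), the script below lays out a host INPUT rule set in the order just described and includes a small helper that checks the order without loading anything into the kernel. The management network 10.0.5.0/24 and the interface name eth0 are assumptions made up for the example; the rule set is printed in iptables-restore format so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the slides): a host INPUT rule set laid out in
# the order the slide recommends, plus a helper that checks that order
# without loading the rules. The management network and interface name
# are assumptions made up for the example.
MGMT_NET="10.0.5.0/24"   # assumed: only this network may open SSH sessions
WAN_IF="eth0"            # assumed

host_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # 1. Loopback, then the rule that matches most packets: replies to
  #    connections this host opened and follow-up packets of accepted ones.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  # 2. SSH: the deny rule for the protocol comes BEFORE its accept rules.
  #    Swapping them would let the ACCEPT match first and void the deny.
  printf '%s\n' "-A INPUT -p tcp --dport 22 ! -s $MGMT_NET -j DROP"
  printf '%s\n' "-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset"
  printf '%s\n' "-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT"
  # 3. Public services; lower volume than the conntrack rule above because
  #    only the first packet of each connection reaches these rules.
  printf '%s\n' '-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
  # 4. Last: a rate-limited log of what is about to hit the DROP policy.
  #    LOG does not terminate evaluation, so the policy still applies.
  printf '%s\n' "-A INPUT -i $WAN_IF -m limit --limit 10/min -j LOG --log-prefix \"INPUT dropped: \""
  printf '%s\n' 'COMMIT'
}

# Position (1-based, counting only -A rules) of the first rule matching a
# basic regular expression; 0 if none matches. Used to assert the order.
rule_position() {  # rule_position PATTERN
  pos=$(host_ruleset | grep '^-A' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${pos:-0}"
}

# Number of -A rules in the set.
rule_count() { host_ruleset | grep -c '^-A'; }
```

To apply it on the host: `host_ruleset | iptables-restore --test` first to catch syntax errors, then `host_ruleset | iptables-restore`. Because the policy is DROP, do this from the management network (or the console), otherwise the session that loads the rules is the first thing cut off.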


NAT and PAT

NAT: Network Address Translation – rewrites the IP addresses in packets as they cross the firewall.

PAT: Port Address Translation (also called NAPT or overloading) – additionally rewrites port numbers, so that many internal hosts can share a single public IP address and are told apart by their translated source ports.
A firewall performing NAT or PAT is often referred to as a masquerading firewall (iptables calls the corresponding target MASQUERADE).


NAT
A NAT firewall hides internal IP addresses by replacing the internal source IP address of an outgoing packet with that of the firewall device (e.g. 200.24.5.8).
This allows hosts with private (not Internet-registered) IP addresses to access the Internet.


NAT
Replaces the source IP address in an outgoing packet with its own address.
Saves the mapping (internal address and port to translated address and port) so that the reply packet can be translated back to the internal host.

NAT (diagram)


Load Balancing
A single public IP address and port is translated (destination NAT) to a pool of identically configured servers, so that one public address can be served by a number of servers.
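As an added example (not part of the original slides), the script below builds the rule set for a Linux gateway that masquerades a LAN behind its single public address (the PAT/NAPT case from the NAT slides) and spreads inbound web connections over a pool of identical servers with destination NAT, as on the Load Balancing slide. The interface names eth0/eth1, the LAN prefix 192.168.2.0/24 and the pool addresses are assumptions made up for the example; the rules are printed in iptables-restore format so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the slides): rule set for a Linux gateway that
# masquerades a LAN behind its single public address (PAT/NAPT) and spreads
# inbound web connections over a pool of identical servers with DNAT.
# Rules are printed in iptables-restore format; on the gateway you would run
#   sysctl -w net.ipv4.ip_forward=1 && gateway_ruleset | iptables-restore
# Interface names, the LAN prefix and the pool are assumptions for the example.
WAN_IF="eth0"; LAN_IF="eth1"; LAN_NET="192.168.2.0/24"
POOL="192.168.2.11 192.168.2.12 192.168.2.13"

pool_size() { set -- $POOL; echo "$#"; }

# The nat table is consulted only for the first packet of a connection; the
# chosen mapping is stored in conntrack and applied to every later packet in
# both directions (that is what makes the reverse translation on the NAT
# slides work). To split new connections evenly across k servers, rule i
# takes every (k-i)-th packet that reaches it and the last rule takes the
# rest; each statistic rule keeps its own counter, so this yields 1/k each.
dnat_pool_rules() {
  k=$(pool_size); i=0
  for srv in $POOL; do
    left=$((k - i))
    if [ "$left" -gt 1 ]; then
      printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -m statistic --mode nth --every $left --packet 0 -j DNAT --to-destination $srv:80"
    else
      printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $srv:80"
    fi
    i=$((i + 1))
  done
}

gateway_ruleset() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  dnat_pool_rules
  # PAT: rewrite the source of LAN traffic leaving on the WAN side to the
  # gateway's own address; MASQUERADE takes the address of the outgoing
  # interface and changes source ports when two hosts collide on one.
  printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
  printf '%s\n' 'COMMIT'
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
  # FORWARD runs after PREROUTING, so it already sees the pool address
  # chosen by DNAT, not the public one the client connected to.
  for srv in $POOL; do
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $srv -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}
```

The statistic match distributes connections, not load: a server that goes down keeps receiving its share, because nothing here checks health. The FORWARD chain is what actually decides whether translated traffic passes; the nat table only rewrites addresses, and a DNAT rule with no matching FORWARD rule delivers nothing.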


Routers
In order to share an Internet connection between multiple computers, a router must distinguish which pieces of data need to go to which computer.
This process (NAT with its translation table) acts as a kind of firewall: if unsolicited data arrives, the router cannot match it to any internal computer and discards it.
This level of protection serves adequately for home use; together with a software firewall on each host it is also enough for many business networks that do not require high security.
However, consumer routers generally lack the options and advanced features that dedicated hardware firewalls offer.


Combining Firewalls
Using a single software (host) firewall along with a router or hardware firewall strengthens network security without posing compatibility issues.
Running multiple software firewalls on one host, however, can cause conflicts that hamper proper operation.
Businesses highly concerned with network security can chain multiple hardware firewalls, so that the weaknesses of each are covered by the others, but this requires careful expert setup to avoid incompatibilities and the blocking of legitimate traffic.


iptables
iptables is a command-line firewall utility that uses policy chains to allow or block traffic.
When a packet arrives at your system, iptables walks the rules of the relevant chain looking for one that matches it.
If it finds none, it applies the chain's default policy.
– sudo apt-get install iptables


Types of Chains
The filter table has three built-in chains: INPUT, FORWARD and OUTPUT.
INPUT – controls the behavior for incoming connections.
– For example, if a user attempts to SSH into your PC/server, iptables will try to match the source IP address and destination port to a rule in the INPUT chain.
FORWARD – used for packets that arrive but are not delivered locally. Think of a router: data is constantly sent to it but is rarely destined for the router itself; the data is simply forwarded to its target.
– Unless you are doing routing, NATing, or something else on your system that requires forwarding, you will not even use this chain.


Types of Chains
To check whether your system uses the FORWARD chain, look at its packet counters: iptables -L -v
OUTPUT – used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its OUTPUT chain for rules regarding ICMP and howtogeek.com before deciding whether to allow or deny the connection attempt.
Overview of the Linux packet filter framework
The packet filter framework on Linux is divided into two parts:
– Netfilter/Xtables – the kernel-space portion (the hooks in the network stack and the match/target modules)
– iptables – the user-space portion (the command that loads rules into the kernel)
Generally speaking, we refer to them collectively as just "iptables".


Netfilter/Xtables – Tables
filter table
– for doing the actual packet filtering. This is the default table if you do not specify one when entering rules.
nat table
– for rewriting packet source and/or destination addresses and ports. It is consulted only for the first packet of each connection; later packets follow the saved mapping.
mangle table
– for altering packet header fields (TTL, TOS/DSCP, firewall marks).
(Two further tables, raw and security, exist but are not covered here.)


Built-in Chains
INPUT chain
– present in the mangle and filter tables.
– Only packets terminating on the local host traverse this chain.
OUTPUT chain
– present in the nat, mangle and filter tables.
– Only packets originating on the local host traverse this chain.
FORWARD chain
– present in the mangle and filter tables.
– Only packets that neither originate nor terminate at the local host traverse this chain.


Built-in Chains
PREROUTING chain
– present in the nat and mangle tables.
– Packets traverse this chain as they arrive, before the kernel makes a routing decision (so destination NAT happens here).
POSTROUTING chain
– present in the nat and mangle tables.
– Packets traverse this chain just before they leave, after the routing decision (so source NAT happens here).


Built-in Chains (by table)
Filter
– INPUT
– OUTPUT
– FORWARD
Nat
– PREROUTING
– OUTPUT
– POSTROUTING
Mangle
– PREROUTING
– INPUT
– FORWARD
– OUTPUT
– POSTROUTING
(On current kernels the mangle table has all five chains.)
iptables command
-A, --append        Append a rule to a chain
-D, --delete        Delete a rule from a chain (by rule-spec or by rule number)
-I, --insert        Insert a rule at the beginning of a chain, or at the given rule number
-R, --replace       Replace the rule at the given rule number
-F, --flush         Flush all rules from a chain (or from every chain of the table)
-Z, --zero          Zero the packet and byte counters of all chains
-L, --list          List all rules; add --line-numbers to show rule numbers
-N, --new-chain     Create a new user-defined chain
-X, --delete-chain  Delete a user-defined chain
-P, --policy        Set the default policy of a built-in chain
-E, --rename-chain  Rename a user-defined chain

iptables match options (table on the slide, not reproduced here)

iptables Targets (table on the slide, not reproduced here)


Basic iptables syntax
Add or delete a rule
– iptables [-t table] -[AD] chain rule-spec [options]
Example:
– iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
– iptables -D INPUT -p tcp --dport 22 -j ACCEPT
The -D form must repeat the rule exactly as it was added; the filter table is the default, so -t filter may be omitted.


Basic iptables syntax
Insert a rule into a chain
– iptables [-t table] -I chain [rulenum] rule-spec [options]
Example:
– iptables -I INPUT 2 -p tcp --dport 110 -j ACCEPT
This inserts a rule accepting incoming TCP traffic on port 110 at position 2, directly before the existing rule number 2. Without a rule number, -I inserts at the top of the chain.


Basic iptables syntax
Delete a rule from a chain by rule number
– iptables [-t table] -D chain rulenum [options]
Example:
– iptables -D INPUT 2
This deletes rule number 2 of the INPUT chain.
Use iptables -L --line-numbers to find the number; the numbers shift after every deletion, so list again before deleting another rule.


Basic iptables syntax
Flush (delete) all rules from a chain
– iptables [-t table] -F [chain] [options]
Examples:
– iptables -t filter -F INPUT
– iptables -t nat -F POSTROUTING
You can also use the -Z switch to zero the packet counters as well.
All chains in the specified table are flushed if you do not specify a chain.
The table defaults to filter if none is specified. Flushing does not change the chain policy: flushing INPUT while its policy is DROP leaves the host unreachable.
Basic iptables syntax
Set the default chain policy
– iptables [-t table] -P chain target [options]
Example:
– iptables -t filter -P INPUT DROP
The chain policy is the default action taken on a packet that matches none of the rules in the chain it traverses. Only built-in chains have a policy, and it can only be ACCEPT or DROP.
When working over SSH, add the rules that accept the management session (and ESTABLISHED traffic) before switching the policy to DROP, or the session is cut off.


Basic iptables syntax
Create a custom chain
– iptables [-t table] -N chain
Example:
– iptables -t filter -N State
This creates a custom chain called State in the filter table.
You jump to it with something like:
– iptables -t filter -A INPUT -j State
If no rule in State matches, evaluation returns to the rule after the jump in INPUT (a -j RETURN rule returns early).


Basic iptables syntax
Delete a custom chain
– iptables [-t table] -X chain
Example:
– iptables -t filter -X State
This deletes the custom State chain.
The chain must be empty (flush it first with -F State) and no other rule may still jump to it, otherwise the deletion fails.


Packet Flowchart (diagram)

Gateway Router (diagram)

Policy Chain Default Behavior
iptables -L


Practice
• Create your own custom chain in the filter table
iptables -t filter -N State
• Check all iptables firewall rules
iptables -L -n -v
• Block a specific IP address
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
• Unblock that IP address (delete the identical rule)
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
• Block outgoing / incoming SSH connections
iptables -A OUTPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP


Practice
• Allow multiple ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
(The OUTPUT rule matches the replies sent by the local SSH, HTTP and HTTPS services, hence --sports.)
• Block incoming ping requests (echo-request only, so other ICMP such as "fragmentation needed" still arrives)
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
• Block facebook to your computer


Practice
• Allow a specific network range on a particular port
iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
• Keep a log of dropped network packets
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets: "
LOG is a non-terminating target that logs every packet reaching the rule, so append it as the last rule of the chain, just before the DROP policy takes effect, and rate-limit it with -m limit so that an attacker cannot flood the log.
The messages are written by the kernel to syslog (/var/log/messages or /var/log/kern.log depending on the distribution; also journalctl -k).
• Block access from a specific MAC address
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
(The mac match works only in the PREROUTING, FORWARD and INPUT chains, for packets that arrived on an Ethernet interface.)
• Limit the number of concurrent connections per IP address
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT


Practice
Search within iptables rules
iptables -L INPUT -v -n | grep 192.168.0.100
Save iptables rules to a file
iptables-save > ~/iptables.rules
Restore iptables rules from a file
iptables-restore < ~/iptables.rules
Disable outgoing mail (--dports requires the multiport match)
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
Display INPUT or OUTPUT chain rules
iptables -L OUTPUT -n -v --line-numbers
Open a range of ports
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT


Practice
Open a range of IP addresses
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
Block connections from a single IP address
iptables -A INPUT -s 10.10.10.10 -j DROP
Block all IP addresses in the 10.10.10.0/24 network range (CIDR prefix or dotted mask, equivalently)
iptables -A INPUT -s 10.10.10.0/24 -j DROP
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP


Connection to a specific port
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
(--dport ssh is resolved to 22 through /etc/services; --dport 22 is equivalent.)
Block SSH connections from any IP address
iptables -A INPUT -p tcp --dport ssh -j DROP


Connection States
A lot of protocols require two-way communication. For example, if you want to allow SSH connections to your system, both the INPUT and OUTPUT chains need a rule added to them.
But what if you only want SSH coming into your system to be allowed? Won't adding a rule to the OUTPUT chain also allow outgoing SSH attempts?
That's where connection states come in: they give you the ability to allow two-way communication while only allowing connections to be established in one direction.
Take a look at the example below, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not.


Connection States
However, the system is permitted to send information back over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

The OUTPUT rule never matches a NEW connection, so this host cannot open an SSH session towards 10.10.10.10 even though its replies flow. On current kernels -m state is an alias for -m conntrack --ctstate, which is the preferred spelling.


Displaying the Status of Your Firewall
# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
(All three policies are ACCEPT and no rules are loaded: this is an open firewall.)

To inspect the firewall with line numbers
# iptables -n -L -v --line-numbers

To display INPUT or OUTPUT chain rules
# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

Stop / Start / Restart the Firewall
# service iptables stop
# service iptables start
# service iptables restart
(The iptables service exists on RHEL/CentOS with the iptables-services package; stopping it flushes the rules and resets the policies to ACCEPT, leaving the host open. On systemd distributions use systemctl; on Debian/Ubuntu persist rules with iptables-persistent / netfilter-persistent or a boot script that runs iptables-restore.)