Firewall Drop 1

A firewall is a network security device that monitors and controls network traffic based on security rules, protecting against unauthorized access and threats. There are two main types of firewalls: network-based, which filters traffic for the entire network, and host-based, which filters traffic on individual devices. The document also discusses the Linux firewall (iptables), its command-line management, and the use of the NetfilterQueue library for intercepting and modifying network packets.

Uploaded by

Lalit Raut

Firewall

files: https://github.com/frankwxu/digital-forensics-lab/tree/main/Networking_Forensics/lab_files/firewall
What is a Firewall
• A firewall is a network security device that acts as a barrier between a private network and the public internet or other networks.
• Its primary purpose is to monitor and control incoming and outgoing network traffic based on predetermined security rules.
• Firewalls may also provide intrusion detection and prevention, malware detection, and content filtering.

[Figure: a network-based firewall placed between the U of Baltimore network and the Internet]
The importance of a firewall
• Protect the network from unauthorized access, data breaches, and
other security threats.
• Approach
• Blocking or allowing traffic based on specific criteria, such as IP addresses,
ports, protocols, and applications
Firewall Deployment Methods
• Network-based firewall
• A device that sits between the internal network and the external network (usually the internet)
and filters traffic based on predefined rules.
• It provides a centralized security solution for the entire network and can control traffic from
multiple hosts.
• Network-based firewalls are effective at protecting against external threats, such as hackers and
malware, but they may not be as effective at controlling internal traffic.
• Host-based firewall
• Installed on individual hosts (such as servers or workstations) and filters traffic on a per-host basis.
• It provides a more granular level of control and can be customized for each host's specific needs.
• Host-based firewalls are effective at protecting against internal threats, such as unauthorized
access by insiders or malware that has already infected a host, but they may not be as effective
at protecting against external threats.
Linux Firewall (iptables)

[Figure: host-based routing process. We focus on the host-based firewall: the Linux firewall (iptables) sits in the host's packet path and can accept, reject, or modify each packet.]
• iptables is a software firewall
• pre-installed on most Linux-based operating systems.
• Linux Firewall defines a set of rules that determine how network traffic is
allowed or blocked on a system
• These rules are organized into chains, which are lists of rules that are evaluated in
sequence.
• Each rule can match packets based on various criteria
• such as the source or destination IP address, the protocol, and the port number.
• When a rule matches a packet, it can perform an action
• such as accepting, rejecting, or modifying the packet.
• The "iptables" command-line utility is used to manage the firewall rules
• it provides a powerful and flexible way to control network traffic on a Linux system.
iptables vs. ufw

• UFW (Uncomplicated Firewall) is a front-end tool for managing iptables firewall rules on a Linux system.
• UFW does not have its own set of rules separate from iptables
• it translates the rules into iptables commands and applies them to the firewall.
• it provides a simplified interface to manage iptables, which is a command-line utility for configuring netfilter firewall rules in the Linux kernel.

Disable ufw to avoid conflicts with iptables before the lab.
Chains in iptables

iptables defines classes of rules called chains. The rules of each chain are applied based on where the packet is coming from and where it is going to.
Rules in iptables
• Packet match conditions:
• IP source address
• IP destination address
• TCP/UDP source port number
• TCP/UDP destination port number
• Other IP/TCP/UDP header fields
• Direction of traffic:
• Is the packet coming from outside (to inside) or is it coming from inside (to
outside)
• Actions:
• ACCEPT or DROP
[Figure: host-based firewall running on 1.1.1.12, showing how to add rules to iptables and show the current rules of the INPUT, FORWARD, and OUTPUT chains]
Add a firewall rule to Kali
Adds a new rule to the INPUT chain that matches incoming traffic from the IP address
136.160.215.15 and sends it to a Netfilter queue with ID 1 for further processing.

• sudo - runs the command as the superuser, which is necessary since iptables requires elevated privileges
to modify the firewall rules.
• iptables – a command-line tool to configure Netfilter, the Linux firewall system.
• -A INPUT - appends a new rule to the INPUT chain.
• -s 136.160.215.15 - the source IP address for the rule. The rule will only match traffic that comes from
this IP address.
• -j NFQUEUE - the target for the rule. The NFQUEUE target sends matching packets to a Netfilter queue
for further processing.
• --queue-num 1 - the ID of the Netfilter queue to use. In this case, we're using queue ID 1.
View the newly added firewall rule

• -S INPUT: list the rules of the INPUT chain

Delete the rule

• The delete command MUST use the exact same rule specification as the command that added the rule.
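The add, list and delete steps above, carried out from Python so that the rule specification is written once and reused. This is an added example, not the lab's own script: it assumes the rule the slides describe (INPUT chain, source 136.160.215.15, target NFQUEUE, queue number 1) and that sudo and iptables are on PATH; FakeTable is an in-memory stand-in for dry runs on a host without root, and the `-C` check before appending is this example's addition to keep a rerun from leaving a duplicate rule behind.

```python
"""Manage the lab's NFQUEUE rule from Python without duplicating it.

Added example, not the lab's own script. It assumes the rule the slides
describe (INPUT chain, source 136.160.215.15, target NFQUEUE, queue 1) and
that sudo and iptables are on PATH. FakeTable is an in-memory stand-in used
for dry runs on hosts without root.
"""
import subprocess
from typing import Callable, List

Runner = Callable[[List[str]], int]   # runs an argv and returns its exit status


def rule_spec(source_ip: str, queue_num: int = 1) -> List[str]:
    """Rule specification shared by -A, -C and -D.

    iptables only deletes a rule when every match and target option is
    repeated exactly, so the spec is built once and reused.
    """
    return ["INPUT", "-s", source_ip, "-j", "NFQUEUE", "--queue-num", str(queue_num)]


def iptables_argv(op: str, spec: List[str]) -> List[str]:
    """argv for one iptables operation: A (append), C (check), D (delete), S (list chain)."""
    if op == "S":
        return ["sudo", "iptables", "-S", spec[0]]
    return ["sudo", "iptables", "-" + op] + spec


def run_cmd(argv: List[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def ensure_rule(spec: List[str], runner: Runner = run_cmd) -> bool:
    """Append the rule unless it already exists (-C exits 0 when it does).

    Running the lab script twice with plain -A leaves two identical rules
    behind; the check avoids that. Returns True if a rule was added.
    """
    if runner(iptables_argv("C", spec)) == 0:
        return False
    return runner(iptables_argv("A", spec)) == 0


def remove_rule(spec: List[str], runner: Runner = run_cmd) -> bool:
    """Delete every copy of the rule; -D fails once no matching rule is left."""
    removed = False
    while runner(iptables_argv("D", spec)) == 0:
        removed = True
    return removed


class FakeTable:
    """In-memory INPUT chain that answers -A/-C/-D like iptables would (dry run)."""

    def __init__(self) -> None:
        self.rules: List[List[str]] = []

    def __call__(self, argv: List[str]) -> int:
        op, spec = argv[2], argv[3:]
        if op == "-A":
            self.rules.append(spec)
            return 0
        if op == "-C":
            return 0 if spec in self.rules else 1
        if op == "-D":
            if spec in self.rules:
                self.rules.remove(spec)
                return 0
            return 1
        return 0                        # -S: nothing to change


if __name__ == "__main__":
    spec = rule_spec("136.160.215.15")
    table = FakeTable()                 # swap in run_cmd to touch the real firewall
    print("added:", ensure_rule(spec, table))          # True
    print("added again:", ensure_rule(spec, table))    # False, already present
    print("rules:", table.rules)
    print("removed:", remove_rule(spec, table))        # True
```

Pass `run_cmd` as the runner on the Kali host to apply the rule for real; `remove_rule` keeps deleting until iptables reports no matching rule, which also cleans up duplicates left by earlier runs.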
Block an HTTP request using a rule
Intercept and manipulate network
packets
• netfilter framework is a set of hooks that can be used to
intercept and modify network traffic as it passes through the kernel.
• netfilter framework is a part of the Linux kernel
• NetfilterQueue library provides a Python interface to the
netfilter framework, allowing you to intercept and modify network
packets using Python code.
NetfilterQueue
• netfilterQueue is useful for a variety of purposes
• implementing a firewall,
• a packet sniffer, or
• a network intrusion detection system.
• How netfilterQueue works
• creating a userspace application that sets up a netfilter queue and waits
for packets to be intercepted and passed to the userspace.
• Once a packet is intercepted, it can be modified, dropped, or passed on to its
destination, depending on the needs of the application.
Install NetfilterQueue
Note: To execute these commands as written, run them on CSI-Linux. On other systems you will need to work through some extra steps before the command runs directly.
A simple traffic monitor that uses NetfilterQueue

Intercept and drop packets based on the incoming packet's IP address

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Networking_Forensics/lab_files/firewall/iptables_handle_packets_drop.py

Intercept and drop packets whose source IP address is 136.160.215.194

1. Listening and intercepting. The script will generate the rule.
2. Generating HTTP traffic with ip.src=136.160.215.194 and ip.dst=136.160.215.15. Replace ip.src with your Windows machine's IP and ip.dst with your Kali machine's IP.
3. Observe that the packets are dropped.
Bind the rule to the callback function

Callback function when a rule is triggered

Converting the packet from the NetfilterQueue format to the Scapy format allows us to use the Scapy library's functionality to extract information from the packet.

• The packet object in this program is an instance of the netfilterqueue.Packet class, which is provided by the NetfilterQueue library.
• The NetfilterQueue library allows you to intercept and modify network packets using a userspace application. The Packet class represents a network packet that has been intercepted and passed to the userspace application for processing.
• The packet.get_payload() method extracts the payload data of the intercepted packet and passes it as an argument to the IP() constructor, which creates a Scapy IP object from the packet data.
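The callback logic described above, and the match conditions and ACCEPT/DROP actions from the "Rules in iptables" slide, as an added example that is not the lab's iptables_handle_packets_drop.py. The lab script receives netfilterqueue.Packet objects and hands their payload to Scapy's IP(); here a minimal IPv4 header parser and a FakePacket class (both assumptions of this example, chosen so the code runs without netfilterqueue or Scapy installed) stand in for those, and run_queue() shows how the same callback would be bound to queue 1 on the Kali host. The sample packets are constructed in build_ipv4(); the allowed source 136.160.215.16 is made up for the demonstration.

```python
"""Decision logic of a NetfilterQueue callback, runnable without the library.

Added example, not the lab's iptables_handle_packets_drop.py. The lab script
receives netfilterqueue.Packet objects and parses them with Scapy's IP();
here a minimal IPv4 header parser and a FakePacket stand-in (both assumptions
of this example) let the same callback run offline, and run_queue() shows how
the callback would be bound to queue 1 on a real host.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

BLOCKED_SRC = "136.160.215.194"  # source address the lab drops traffic from
TCP, UDP = 6, 17


@dataclass
class IPv4Header:
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def parse_ipv4(payload: bytes) -> IPv4Header:
    """Parse the IPv4 header and TCP/UDP ports (stand-in for Scapy's IP(payload))."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (payload[0] & 0x0F) * 4          # header length in bytes
    proto = payload[9]
    src = socket.inet_ntoa(payload[12:16])
    dst = socket.inet_ntoa(payload[16:20])
    sport = dport = None
    if proto in (TCP, UDP) and len(payload) >= ihl + 4:
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return IPv4Header(src, dst, proto, sport, dport)


class FakePacket:
    """Stand-in for netfilterqueue.Packet with the same get_payload/accept/drop methods."""

    def __init__(self, payload: bytes):
        self._payload = payload
        self.verdict = None            # records which verdict the callback issued

    def get_payload(self) -> bytes:
        return self._payload

    def accept(self) -> None:
        self.verdict = "accept"

    def drop(self) -> None:
        self.verdict = "drop"


def handle_packet(packet) -> str:
    """Queue callback: drop packets from BLOCKED_SRC, accept everything else.

    Every code path must issue a verdict; a packet left without one stays in
    the kernel queue.
    """
    try:
        hdr = parse_ipv4(packet.get_payload())
    except ValueError:
        packet.accept()                # not IPv4: not ours to judge
        return "accept"
    if hdr.src == BLOCKED_SRC:
        print(f"DROP {hdr.src} -> {hdr.dst} proto={hdr.proto} dport={hdr.dport}")
        packet.drop()
        return "drop"
    packet.accept()
    return "accept"


def build_ipv4(src: str, dst: str, proto: int = TCP,
               sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header plus the L4 port word, no checksums."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + struct.pack("!HH", sport, dport)


def run_queue(queue_num: int = 1) -> None:
    """Bind handle_packet to the real queue; needs root, netfilterqueue, and the NFQUEUE rule."""
    from netfilterqueue import NetfilterQueue  # assumption: library installed
    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle_packet)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    for src in (BLOCKED_SRC, "136.160.215.16"):   # .16 is a constructed allowed source
        pkt = FakePacket(build_ipv4(src, "136.160.215.15"))
        print(src, "->", handle_packet(pkt))
```

The callback returns a verdict on every path on purpose: a queued packet that never receives accept() or drop() is neither delivered nor freed, which is one reason a stale Python process holding the queue (the "kill old python processes" debugging step) makes later runs misbehave. With the `-s` match in the iptables rule only IPv4 packets from the listed source ever reach the queue, so the non-IPv4 branch is a safety net rather than an expected path.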
Debug: in case binding the filter fails
• Show all Python processes
• Kill old Python processes

Block a webpage
Create a web page

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Networking_Forensics/lab_files/firewall/hello.html
sudo cp hello.html /var/www/html/.

Before enabling a firewall rule to drop packets, make sure to use a private browser window to avoid caches.
Start the firewall and trigger the rule!

Open a new tab at each host.

.194 is blocked
.15 is allowed
Homework
• Capture traffic generated by curl command
• curl from a different machine and observe the results
