The Best Damn Firewall Book Period

A Linux firewall can inform you about the number of packets it has processed, in addition to blocking and logging attacks. The process of counting packets is often called packet accounting. Many companies are very interested in determining how much traffic a department or network has generated. This can help them determine the type of equipment necessary to support the department further. Such information can also help a company determine how much it can bill a client or department. In many situations, the firewall is an ideal place to gather such statistics. If you have the following two networks, this rule will count packets that pass between them:

ipchains -A forward -p icmp -s 192.168.1.0/24 -d 10.100.100.0/24

The preceding rule counts ICMP traffic passing from the 192.168.1.0/24 network to the 10.100.100.0/24 network. Because the rule has no target, it neither accepts nor denies anything; it only increments its packet and byte counters as matching packets pass through. Drop the -p icmp option to count traffic of every protocol between the two networks.

If you are using Iptables, you have many additional options. For example, you can log and count only the ICMP packets that arrive as second or later fragments of a fragmented datagram, using the -f (--fragment) option:

iptables -A FORWARD -p icmp -f -j LOG

To gather information about a more specific element of ICMP, use the --icmp-type option of the icmp match:

iptables -A FORWARD -p icmp -m icmp --icmp-type echo-request -j LOG

This rule logs and counts all ICMP echo-request packets (ICMP type 8). The following command discovers all of the echo-reply packets (ICMP type 0) that have been forwarded:

iptables -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j LOG

You are not limited to ICMP packets. If, for example, you wanted to gather information about the HTTP and HTTPS packets being forwarded, you would enter the following. The plain tcp match accepts only a single port or port range with --sport, so a list of ports needs the multiport match:

iptables -A FORWARD -p tcp -m multiport --sports 80,443 -j LOG

Matching on source ports 80 and 443 counts the replies coming back from Web servers; use --dports 80,443 instead to count the requests clients send to them. Note also that LOG writes a kernel log line for every matching packet, which can flood the logs on a busy link. If you only want counts, leave out -j altogether: a rule with no target still increments its counters.

To determine the amount of Web traffic passing between two networks, you would issue the following command:

iptables -A FORWARD -s 192.168.1.0/24 -d 10.100.100.0/24 -p tcp -m multiport --sports 80,443 -j LOG

Listing and Resetting Counters

To list the counter information, you can issue either of the following commands from a terminal:

ipchains -L -v
iptables -L -v

Add -n to iptables -L to skip reverse DNS lookups, and -x to print exact packet and byte counts rather than abbreviated ones such as 12K; exact counts are what you want if the numbers feed into billing. You can save this information using the ipchains-save and iptables-save commands; iptables-save -c includes the current counters in its output. The following commands list the counters and then reset them to zero in one step:

ipchains -L -Z
iptables -L -Z
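Turning a counter listing into a per-network total is a small parsing job that the book does not show. The POSIX shell functions below are an added example, not code from the book: they read the output of iptables -L -v -n -x and sum the byte counters per source network. The listing embedded in the script is constructed, not captured from a real firewall, and the function names are mine. One detail worth handling: an accounting-only rule (no -j) leaves the target column blank, which shifts every later field in the listing by one, so the parser locates the opt column rather than trusting fixed positions.

```shell
#!/bin/sh
# Added example, not from the book: summarise packet-accounting counters
# taken from `iptables -L <chain> -v -n -x`. The -x flag prints exact
# counts instead of abbreviated ones such as "12K", which matters for billing.

# Constructed sample of `iptables -L FORWARD -v -n -x` output (not a real capture).
# The second rule has no -j target: it only counts, and its target column is blank.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 9 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1523   1845210 LOG        tcp  --  *      *       192.168.1.0/24       10.100.100.0/24      multiport sports 80,443 LOG flags 0 level 4
     412     24720            icmp --  *      *       192.168.1.0/24       10.100.100.0/24
      17      1428 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 LOG flags 0 level 4'

# Print one line per rule: "pkts bytes target proto source destination".
# A rule without a target shifts every later awk field left by one, so we
# locate the "opt" column (always --, -f or !f) to tell the two layouts apart.
counter_rows() {
    printf '%s\n' "$1" | awk '
        /^Chain / || $1 == "pkts" || NF == 0 { next }
        $5 == "--" || $5 == "-f" || $5 == "!f" {
            print $1, $2, $3, $4, $8, $9; next    # target column present
        }
        { print $1, $2, "-", $3, $7, $8 }         # accounting-only rule
    '
}

# Total bytes counted by rules whose source column equals $2.
bytes_from_source() {
    counter_rows "$1" | awk -v want="$2" '$5 == want { sum += $2 } END { print sum + 0 }'
}

# Number of accounting-only rules (no -j target) in the listing.
accounting_only_rules() {
    counter_rows "$1" | awk '$3 == "-" { n++ } END { print n + 0 }'
}

# Usage against a live firewall (needs root):
#   bytes_from_source "$(iptables -L FORWARD -v -n -x)" 192.168.1.0/24
bytes_from_source "$SAMPLE_COUNTERS" 192.168.1.0/24
```

Run it against a live chain by substituting the real listing for the constructed sample, as in the usage comment; on the sample it reports 1869930 bytes for 192.168.1.0/24, the sum of the two rules with that source.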

Setting Type of Service (ToS) in a Linux Router

Many routers, including Linux routers using Ipchains or Iptables, are capable of shaping traffic as it passes through. The IP header of every packet has a special field called the Type of Service (ToS) field, which allows you to prioritize traffic as it passes through the router. Using the ToS field, you can make certain types of traffic (for example, SMTP and POP3) take precedence over others (for example, SSH and Telnet). Packets that are marked will be treated differently at the router. Setting the ToS field occurs at the network layer (Layer 3 of the OSI/RM). You can learn more about how ToS works by consulting RFC 1349. Be aware that RFC 2474 later redefined the same byte as the Differentiated Services field (a 6-bit DSCP plus 2 ECN bits), and most current routers act on DSCP rather than on the RFC 1349 bits; the marking rules below still work, but check what the downstream equipment actually honors.

Usually, assigning priority for packets is a secondary concern when configuring a firewall. In some situations, however, you will find it useful for a firewall to "double up" and offer both services. The main reason why you would set the ToS field in network traffic is to cut down on network congestion, especially in networks that have high amounts of traffic.

Note

Do not confuse Type of Service (ToS) with Quality of Service (QoS). QoS refers to the ability of physical devices (switches, routers) to transmit packets according to ToS values found in IP packets. QoS concerns might include whether the packet is delivered via Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet, Synchronous Optical Network (SONET), and so forth. Because ToS refers to the ability to mark certain packets so that they have a higher priority than others do, these markings determine whether they are available for QoS routing.

Service Values

The normal-service value is 0 (0x00 in the actual packet). Table 5.6 lists the four other values available to you when marking a packet; RFC 1349 defines only these four single-bit values and normal service, so set just one of them at a time.

Table 5.6: ToS Field Options

Service value: Minimum delay (ToS byte 0x10, decimal 16)

Description: Reduces the time a datagram takes to get from the router to the host. This option is ideal for protocols that require speed when building initial connections or when transferring control data; traffic such as the ftp-control port (21), Telnet, and SSH benefits from it. Marking this traffic reduces latency (the time interval between a request and a reply) at the router.

Service value: Maximum throughput (ToS byte 0x08, decimal 8)

Description: Appropriate for the ftp-data port (20) and for large file transfers via HTTP. Networks that use the X Window System to export displays between systems should consider this value as well. If you anticipate large-volume transfers via POP3, you could consider this option too.

Service value: Maximum reliability (ToS byte 0x04, decimal 4)

Description: Used in an attempt to reduce retransmissions. Sometimes UDP protocols such as DNS (port 53) and SNMP (ports 161 and 162) receive this option. However, TCP-based protocols such as SMTP also benefit from it, because systems can waste bandwidth repeatedly retransmitting this protocol.

Service value: Minimum cost (ToS byte 0x02, decimal 2)

Description: This option is often only implemented by commercial products.

It may be useful to consider these four options in terms of common network tasks. Client hosts (hosts that use X, SSH, FTP, HTTP, and other protocols) may benefit from either maximum throughput or minimum delay settings. Servers generally benefit from maximum throughput, depending on the traffic they generate.

Setting ToS Values in Ipchains and Iptables

To set ToS values in Ipchains, add the following values to the end of any rule:

-t andmask xormask

The andmask is ANDed with the packet's current ToS byte first. It is usually 0x01, which keeps only the lowest bit (one that RFC 1349 requires to be zero anyway), so in practice it clears whatever ToS bits the packet already carried. The xormask is then XORed with that result, and it can be any of the service values found in Table 5.6 (for example, 08 for maximum throughput). Because the AND step has already zeroed the old bits, the XOR simply sets the value you specify.

For example, to mark the ToS field for maximum throughput for HTTP (port 80) for all packets being sent out to all remote systems, you would do the following:

ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80 -p 6 -t 01 08

The -p 6 option specifies TCP as the protocol (6 is TCP's IP protocol number), and the 80 after the destination address is the destination port. There is no point in marking a packet that a later rule will drop, so place ToS rules where they act only on traffic that will actually be sent. Following are some additional examples of the ToS value being set on additional protocols:

ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21 -p 6 -t 01 04
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 20 -p 6 -t 01 08
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -t 01 10
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -p 6 -t 01 04
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -p 6 -t 01 04
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -t 01 08
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -p 6 -t 01 08
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 143:143 -p 6 -t 01 04
ipchains -A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 443:443 -p 6 -t 01 04

Additional ToS Options in Iptables

Iptables, as you might suspect, adds several options and uses some different terminology. First, you can set your router to either match packets with certain ToS options set, or you can have the router set the actual ToS options. These are two very different things. One allows the router to handle packets with the ToS value already set, whereas the other actually sets the values. To create a rule that matches a ToS field, you would use the -m option, complete with its arguments:

-m tos --tos tos_value -j TARGET

In the preceding syntax, the tos_value number is any ToS value found in Table 5.6 (for example, 0x08 for maximum throughput). As far as the target is concerned, you can specify any target you want (ACCEPT, a user-defined chain, and so forth). For example, the following rule accepts packets from source port 80 with the ToS value set to 0x08:

iptables -A INPUT -p tcp --sport 80 -m tos --tos 0x08 -j ACCEPT

As far as setting ToS values is concerned, the TOS target is only valid in the mangle table, so rules that set ToS must be added with -t mangle; for outgoing traffic use that table's OUTPUT chain. The syntax is as follows:

-j TOS --set-tos tos_value

For example, to set the ToS value to maximum throughput for all outgoing Web traffic, you would do the following:

iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08

Following are some additional examples where Iptables has been used to set ToS fields for various traffic (note that the SSH rule sets minimum delay, 0x10):

iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos 0x04
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 25 -j TOS --set-tos 0x04
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 53 -j TOS --set-tos 0x04
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 110 -j TOS --set-tos 0x08
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 143 -j TOS --set-tos 0x04
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 443 -j TOS --set-tos 0x04
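The POSIX shell helpers below are an added example, not code from the book, and serve both the Ipchains and the Iptables ToS sections above. ipchains_tos applies the and-mask/xor-mask arithmetic of the ipchains -t option to a packet's existing ToS byte, which shows why an and-mask of 0x01 makes the XOR behave as a plain set; tos_name checks a ToS byte against the four RFC 1349 values and rejects combinations such as 0x18; and mangle_tos_ruleset turns the port-to-ToS table used in the examples above into an iptables-restore fragment for the mangle table, refusing any invalid value before it reaches the kernel. The function names are mine and the table is embedded as constructed input.

```shell
#!/bin/sh
# Added example, not from the book: ToS helpers for the ipchains/iptables
# marking rules discussed above. Function names are this example's own.

# Apply ipchains "-t andmask xormask" semantics: new = (old & andmask) ^ xormask.
# Arguments are hex strings (0xNN); prints the resulting ToS byte as 0xNN.
ipchains_tos() {
    old=$(($1)); andmask=$(($2)); xormask=$(($3))
    printf '0x%02x\n' $(( (old & andmask) ^ xormask ))
}

# Map a ToS byte to the symbolic name the iptables TOS target also accepts.
# Anything that is not normal service or exactly one RFC 1349 bit is invalid.
tos_name() {
    case $(printf '0x%02x' $(($1))) in
        0x00) echo Normal-Service ;;
        0x10) echo Minimize-Delay ;;
        0x08) echo Maximize-Throughput ;;
        0x04) echo Maximize-Reliability ;;
        0x02) echo Minimize-Cost ;;
        *)    echo invalid; return 1 ;;
    esac
}

# Emit an iptables-restore fragment that marks outgoing TCP traffic.
# The TOS target is only valid in the mangle table, so the fragment opens *mangle.
# Input on stdin: "port tos" pairs, one per line. Fails on an invalid ToS value.
mangle_tos_ruleset() {
    echo '*mangle'
    while read -r port tos; do
        [ -n "$port" ] || continue
        tos_name "$tos" >/dev/null || { echo "bad ToS $tos for port $port" >&2; return 1; }
        printf -- '-A OUTPUT -p tcp --dport %s -j TOS --set-tos %s\n' "$port" "$tos"
    done
    echo 'COMMIT'
}

# The port-to-ToS table from the examples above (constructed input for this script).
TOS_TABLE='21 0x04
20 0x08
22 0x10
25 0x04
53 0x04
80 0x08
110 0x08
143 0x04
443 0x04'

# Load into a running kernel without flushing existing mangle rules (needs root):
#   printf "%s\n" "$TOS_TABLE" | mangle_tos_ruleset | iptables-restore -n
printf '%s\n' "$TOS_TABLE" | mangle_tos_ruleset
```

Feeding the table through the generator prints the *mangle / COMMIT fragment; ipchains_tos 0x14 0x01 0x08 returns 0x08, showing that the AND with 0x01 discards the two bits the packet already carried before the XOR sets maximum throughput.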
