Chapter 8

File: Steve/Courses/2014/s2/its332/firewalls.tex, r3455

This lab will introduce you to a common security mechanism used in networks: firewalls. A firewall is a device (usually implemented in software) that controls what traffic can enter and leave a network. If an organisation wants to protect there network, then a firewall between their internal network and all external networks (“the rest of the Internet”) will be configured to inspect the traffic entering/leaving the network, and only allow the traffic that meets the organisations policies. We will setup our own simple firewall—in practice, real firewalls will be much more complex, and often require specialised network equipment.

8.1 Understanding Firewalls

Firewalls are network devices that control what packets enter and leave a computer network. Typically a company (and more recently, a home user) will use a firewall to stop people outside the company network (that is, everyone on the external Internet) from accessing computers and resources inside the company network (e.g. the SIIT network). For example:

The firewall can also be used to control what computers inside the network access. For example:


Figure 8.1: An organisation views their network as inside, and all other networks as outside

The firewall is usually a specialised router that acts as a gateway between the local network and the outside networks. That is, all traffic goes through the firewall. However, in this lab, we will see that we can configure the Ubuntu Linux computers to act as a simple firewall.

8.1.1 How Do Firewalls Work?

A gateway router (that is, the router between the inside and outside networks) normally receives an IP packet, looks at the destination IP address, looks up its routing table to determine where to sends the packet, and sends (or forwards) the packet.

A firewall is hardware or software running on the gateway router that provides additional functionality:

  1. When the IP packet is received, the firewall looks at the packet and compares it to a set of rules stored in a firewall table. An example rule may be: “Drop all packets destined to IP address
  2. When a rule matches, the corresponding action is taken. The action is usually DROP (discard, do not let the packet through) or ACCEPT (forward, let the packet through). In the above rule, if the IP destination address was, then the packet would be dropped.
  3. If the packet is not dropped, then the gateway router follows its normal procedures (e.g. look up routing table and send the packet).

8.1.2 Firewall Rules

The rules used by firewalls are the most important aspect. They can be very simple (e.g. “drop all packets destined to the local network”) or very complex (e.g. 1000’s of rules).

Packet-filtering firewalls usually create the rules using the following information:

Using the above conditions, a reasonably good firewall can be built that can filter packets based on where the packets are coming from, where they are going to, and what applications are being used (remember, if a destination port number is 80, we can assume that a web browsing application is being used—if SIIT wanted to stop all web browsing, then they could drop all packets destined to port 80).

More complex firewalls (application-level firewalls) can be created by not only looking at the TCP/IP packet information, but also looking at the content of the messages. For example:

Figure 8.2 shows an example set of rules for a firewall (on router R). Each row in the table specifies a rule. When a packet arrives at R (the firewall) the packet will be DROPPED if a rule matches. If no rules match, then the packet is ACCEPTED (forwarded).


Figure 8.2: Example firewall rules

The example rules specify:

As a result, no-one outside the network could FTP to the inside network. And no-one inside the network using and address on the network could send an email.

8.1.3 Firewalls and Servers

Most applications operate in a Client/Server mode, where a Client inside a network accesses a Server outside the network. Most computers inside the network DO NOT run servers accessible to the outside network. For example, there is no need for a SIIT staff or student’s PC to run a web server accessible to someone outside SIIT.

Therefore, it is common for firewalls to be setup that will:

Although the above cases can become quite complex in practice, very basic rules can be used to implement a simplified firewall that performs this functionality. You will do this in the Lab tasks.

8.1.4 Firewalls on Linux: iptables

iptables is a program on Linux that can be used to create a firewall. It allows the user to create a set of rules. Then when packets are received by the computer, the rules are processed. The packet is only sent if accepted by the rules.

iptables defines three basic classes of rules (or chains), based on where the packet is from/going to:

  1. INPUT: processed if a packet is destined to this computer (e.g. the destination is this computer)
  2. OUTPUT: processed if a packet is created to be sent by this computer (e.g. this computer is the source)
  3. FORWARD: processed if a packet is to be forwarded by this computer (e.g. the packet is not destined to or from this computer, but this computer is acting as a router).


Figure 8.3: Chains in iptables

The most common way to use iptables is illustrated below (you need to execute with super-user privileges using sudo):

$ iptables -A CHAIN [CONDITIONS]


Some of the optional CONDITIONS are:

-s source_IP_address (e.g. 
-d destination_IP_address 
-i input_interface (e.g. eth0) 
-o output_interface 
-p protocol (e.g. tcp, udp, icmp) 
-j action (e.g. ACCEPT, DROP)

Each protocol (e.g. tcp, udp) also have their own set of options: e.g. --sport, --dport.

There are many other options that you can read from the man pages.

So one way to create the 3rd rule/row in Figure 8.2 is:

$ iptables -A FORWARD -s -p tcp --dport 25 -i eth1 -j DROP

The -A option specifies to append the rule to the table. You can also use a -I (insert) and -D (delete) options in a similar way.

To view all the rules in your table run:

$ iptables -L [CHAIN]

where [CHAIN] is INPUT, OUTPUT, FORWARD—if omitted then all rules are shown.

To delete (or flush) all rules in your table, run:

$ iptables -F [CHAIN]

8.2 Tasks

In the following tasks you should record your firewall design, as well as tests that show that the firewall works as intended. You should also use Wireshark to observe what happens. Each task is independent: after creating firewall rules in the first task, they should be deleted before attempting the second task.

Task 8.1. Create different firewall rule(s) that will prevent ping from working. Try using different chains.

Task 8.2. Create firewall rule(s) that will drop TCP packets destined to a specific computer on the Lab network (e.g. your neighbours computer).

Task 8.3. Create an internet with two subnets: on one subnet is a single PC1; and on the other subnet is two PCs (PC2 and PC3). PC1 should run both a web server and SSH server and a netcat server. Create a firewall on the router that allows the following: Any computer can connect to the web server on PC1; Only PC2 can connect to the SSH server on PC1; No computers can connect to any other servers (e.g. netcat, FTP, Email) on PC1.