author W. Kosior <koszko@koszko.org> 2026-05-04 18:30:00 +0100
committer W. Kosior <koszko@koszko.org> 2026-05-04 18:30:00 +0100
commit 48fad019ce741bc6ccb54731dabe6d1a7307bc86 (patch)
tree 8aeaa2feac570922579ac85cbcecf94cdb9e882d
parent ef790ffcea0912dcd0126db806e1a64c59513f0e (diff)
Add lecture `07-os-network-security'.
-rw-r--r-- lectures/07-os-network-security.org 395
1 files changed, 395 insertions, 0 deletions
diff --git a/lectures/07-os-network-security.org b/lectures/07-os-network-security.org
new file mode 100644
index 0000000..281cc62
--- /dev/null
+++ b/lectures/07-os-network-security.org
@@ -0,0 +1,395 @@
+#+title: OS Network Security
+#+date: 2026-05-04 Mon
+#+author: W. Kosior
+#+email: wkosior@agh.edu.pl
+
+* Linux Kernel Network Interfaces
+- physical interfaces
+ - ethernet
+ - wlan
+- virtual interfaces
+ - bridges
+ - virtual ethernet
+- tun/tap
+- other (e.g., VPN)
+ - wireguard
+ - ppp
+
+* netfilter (iptables)
+- 1999 (kernel 2.3.15)
+ - superseded ipchains
+ - that superseded ipfwadm (ipfirewall port)
+- https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
+
+* *tables
+- iptables
+- ip6tables
+- arptables
+- ebtables
+
+* =iptables= Command Example
+#+begin_example
+# iptables -L
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+#+end_example
+
+* =iptables= Command Example, Cont.
+#+begin_example
+# iptables -A OUTPUT --proto udp --dport 53 --destination 192.168.1.1 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 443 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 587 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 995 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 993 -j ACCEPT
+# iptables -t filter -P OUTPUT DROP
+#+end_example
+
+* =iptables= Command Example, Cont…
+#+begin_example
+# iptables -L --numeric
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy DROP)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 192.168.1.1 udp dpt:53
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
+#+end_example
+
+* iptables Structure
+- rules
+ - targets
+- chains
+ - default policies
+- *tables*
+
+* =filter= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- "traditional" firewall operations
+
+#+begin_example
+ ‍+---------+
+in ---> routing decision ---> | FORWARD | -------------------‍+---> out
+ | ‍+---------+ |
+ | |
+ V |
+ ‍+-------+ ‍+--------+ |
+ | INPUT | ------> application ---> | OUTPUT | ---‍+
+ ‍+-------+ ‍+--------+
+#+end_example
+
+* Linux Kernel Packet Forwarding
+#+begin_example
+# echo 1 > /proc/sys/net/ipv4/ip_forward
+#+end_example
+
+#+begin_example
+# sysctl -w net.ipv4.ip_forward=1
+#+end_example
+
+* Targets & Custom Chains
+- standard targets
+ - =ACCEPT=
+ - =DROP=
+ - =QUEUE=
+ - user-defined chain
+ - =--jump=
+ - =--goto=
+ - =RETURN= (for user-defined chains)
+- target modules targets
+ - =LOG=
+ - =REJECT=
+ - default: =icmp-port-unreachable=
+ - =tcp-reset= (=RST/ACK=)
+
+* =REJECT= & Custom Chain Example
+#+begin_example
+# iptables -N HTTPS-TRAFFIC
+# iptables -A HTTPS-TRAFFIC --destination 1.2.3.4 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 5.6.7.8 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 9.10.11.12 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 13.14.15.16 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 17.18.19.20 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 21.22.23.24 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --destination 25.26.27.28 -j ACCEPT
+# iptables -A HTTPS-TRAFFIC --proto tcp -j REJECT --reject-with tcp-reset
+# iptables -A OUTPUT --proto tcp --destination-port 443 -j HTTPS-TRAFFIC
+# iptables -P OUTPUT DROP
+#+end_example
+
+* =REJECT= & Custom Chain Example, Cont.
+#+begin_example
+# iptables -L OUTPUT
+Chain OUTPUT (policy DROP)
+target prot opt source destination
+HTTPS-TRAFFIC tcp -- anywhere anywhere tcp dpt:https
+# iptables -L HTTPS-TRAFFIC
+Chain HTTPS-TRAFFIC (1 references)
+target prot opt source destination
+ACCEPT all -- anywhere 1.2.3.4
+ACCEPT all -- anywhere 5.6.7.8
+ACCEPT all -- anywhere 9.10.11.12
+ACCEPT all -- anywhere 13.14.15.16
+ACCEPT all -- anywhere 17.18.19.20
+ACCEPT all -- anywhere 21.22.23.24
+ACCEPT all -- anywhere 25.26.27.28
+ACCEPT all -- anywhere 29.30.31.32
+REJECT tcp -- anywhere anywhere reject-with tcp-reset
+#+end_example
+
+* =nat= Table
+- =PREROUTING=
+- =OUTPUT=
+- =POSTROUTING=
+- *only first connection packet*
+
+* Address Translation Targets
+- =SNAT=
+ - =OUTPUT= & =POSTROUTING=
+- =MASQUERADE=
+ - =OUTPUT= & =POSTROUTING=
+- =DNAT=
+ - =PREROUTING=
+
+* Ordinary NAT Example (=MASQUERADE=), Cont.
+#+begin_example
+# iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
+# iptables -t nat -L
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- anywhere anywhere
+#+end_example
+
+* Ordinary NAT Example (=MASQUERADE=), Cont.
+#+begin_example
+# iptables -t nat -S
+-P PREROUTING ACCEPT
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P POSTROUTING ACCEPT
+-A POSTROUTING -o eth0 -j MASQUERADE
+#+end_example
+
+* Connection Tracking
+#+begin_example
+# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+#+end_example
+
+- protocol + source addr + source port + destination addr + destination port
+- =nat= table → first connection packet
+- other tables → all packets
+
+* =mangle= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- =PREROUTING=
+- =POSTROUTING=
+- packet header changes
+- marks
+ - =MARK=
+ - =CONNMARK=
+ - =SEC*MARK=
+
+* NAT with Exposed Service Example
+#+begin_example
+# iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
+# iptables -t nat -A PREROUTING --proto tcp --destination 12.34.56.78 \
+> --dport 587 -j DNAT --to-destination 192.168.7.205:25
+# iptables -t mangle -A PREROUTING --in-interface \!eth0 --proto tcp \
+> --destination 12.34.56.78 --dport 587 -j MARK --set-mark 0x400
+# iptables -t nat -A POSTROUTING --proto tcp -m mark --mark 0x400 -j MASQUERADE
+#+end_example
+
+* NAT with Exposed Service Example, Cont.
+#+begin_example
+# iptables -t mangle -L | sed 's/ \{8\}/ /g;s/ \{5\}/ /g'
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+MARK tcp -- anywhere 12.34.56.78 tcp dpt:submission MARK set 0x400
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+#+end_example
+
+* NAT with Exposed Service Example, Cont…
+#+begin_example
+# iptables -t nat -L | sed 's/\t/ /g;s/ \+/ /g;'
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+DNAT tcp -- anywhere 12.34.56.78 tcp dpt:submission to:192.168.7.205:25
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- anywhere anywhere
+MASQUERADE tcp -- anywhere anywhere mark match 0x400
+#+end_example
+
+* =raw= Table
+- =OUTPUT=
+- =REROUTING=
+- disabling conntrack
+
+* =security= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- specicific marks
+ - =SECMARK= & =CONNSECMARK=
+ - SELinux
+ - initially through =mangle= only
+
+* Packet Couting
+#+begin_example
+sudo iptables -vL
+Chain INPUT (policy ACCEPT 7025 packets, 4955K bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain OUTPUT (policy ACCEPT 4625 packets, 648K bytes)
+ pkts bytes target prot opt in out source destination
+#+end_example
+
+* iptables Rate Limiting Example
+#+begin_example
+# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
+> --seconds 120 --hitcount 10 -j DROP
+#+end_example
+
+/from: https://www.baeldung.com/linux/iptables-packet-rate-limit/
+
+* iptables Persistence
+- iptables-save
+- iptables-restore
+ - guaranteed atomic
+
+* nftables
+- 2014 (kernel TODO)
+- VM (like BPF)
+- hooks
+ - https://people.netfilter.org/pablo/nf-hooks.png
+
+* nftables differences
+- no builtin tables
+- no builtin chains
+- user-created chains attached to *hooks*
+- =iptables-legacy=, =iptables-nft=
+
+* Firewalls & NAT in Other OSes
+- Packet Filter (BSDs & macOS)
+ - originated: OpenBSD
+ - superseded ipfw
+- IP Filter (Solaris family)
+- Windows Firewall
+
+/note: FreeBSD TCP/IP stack as base for macOS & Windows NT/
+
+* DNS
+- DHCP/static
+- =/etc/resolv.conf=
+- resolvers
+- DoT, DoH
+ - move power from ISP to Google/Cloudflare 🤔
+- DNSSEC
+ - typical setup: verification by resolver only
+ - DANE (with SMTP)
+- mDNS
+
+* dnsmasq
+- DHCP+TFTP+DNS
+- caching
+- *filtering/redirections*
+
+* Proxy Setup Approaches
+- application-specific (e.g., GUI)
+- environment variables
+- =LD_PRELOAD=
+ - e.g. proxychains tool
+ - applications w/out proxy support
+ - *NOT* a security measure (bypassable)
+- firewall redirection
+- eBPF
+
+* TLS & Operating System
+- certs supplied by
+ - OS
+ - adminitrator
+ - application (e.g., Mozilla certs)
+- kTLS
+ - not really relevant here but let's know this exists
+
+* HTTPS proxies
+- implementations in dedicated firewall/router hw
+ - e.g., FortiGate
+- ordinary software
+ - e.g., mitmproxy
+- policy: all traffic goes through proxy
+ - enforcement: block of other traffic (firewall)
+
+* Selected VPN technologies
+- IPSec
+- PPTP
+- *OpenVPN*
+- *WireGuard*
+
+* OpenVPN
+- TLS
+- authentication
+ - x.509
+ - shared secret
+ - login/password
+- =tun=​/​=tap=
+- TCP/UDP
+
+* WireGuard
+- 2020 (kernel 5.6)
+ - 2015 (patched kernel)
+- in-kernel
+ - later: cross-platform clients
+- custom protocol
+ - public keys (aka SSH)
+ - PFS
+ - optional additional shared secret
+- =wg= interface
+- UDP
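Review bot: the `iptables -L HTTPS-TRAFFIC` listing on the "REJECT & Custom Chain Example, Cont." slide shows an `ACCEPT all -- anywhere 29.30.31.32` row that none of the commands on the preceding slide create (they stop at 25.26.27.28), so either add `iptables -A HTTPS-TRAFFIC --destination 29.30.31.32 -j ACCEPT` to the command slide or drop that row from the output. Smaller points in the same file: the `raw` table slide lists `=REROUTING=` where the hook is `PREROUTING`; the first `MASQUERADE` slide is already titled "Cont." although no earlier slide of that name precedes it; `2014 (kernel TODO)` on the nftables slide is an unfilled placeholder; the negated interface is written `--in-interface \!eth0`, whereas the documented form puts `!` as its own token (`! --in-interface eth0`), which is the form worth showing students; the rate-limiting slide uses `-m state --state NEW` while the connection-tracking slide uses `-m conntrack --ctstate`, so one of the two should be used throughout; and "specicific", "Couting" and "adminitrator" are typos.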