Diffstat (limited to 'lectures/07-os-network-security.org')
| -rw-r--r-- | lectures/07-os-network-security.org | 395 |
1 files changed, 395 insertions, 0 deletions
diff --git a/lectures/07-os-network-security.org b/lectures/07-os-network-security.org
new file mode 100644
index 0000000..281cc62
--- /dev/null
+++ b/lectures/07-os-network-security.org
@@ -0,0 +1,395 @@
+#+title: OS Network Security
+#+date: 2026-05-04 Mon
+#+author: W. Kosior
+#+email: wkosior@agh.edu.pl
+
+* Linux Kernel Network Interfaces
+- physical interfaces
+ - ethernet
+ - wlan
+- virtual interfaces
+ - bridges
+ - virtual ethernet
+- tun/tap
+- other (e.g., VPN)
+ - wireguard
+ - ppp
+
+* netfilter (iptables)
+- 1999 (kernel 2.3.15)
+ - superseded ipchains
+ - that superseded ipfwadm (ipfirewall port)
+- https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
+
+* *tables
+- iptables
+- ip6tables
+- arptables
+- ebtables
+
+* =iptables= Command Example
+#+begin_example
+# iptables -L
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+#+end_example
+
+* =iptables= Command Example, Cont.
+#+begin_example
+# iptables -A OUTPUT --proto udp --dport 53 --destination 192.168.1.1 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 443 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 587 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 995 -j ACCEPT
+# iptables -t filter -A OUTPUT --proto tcp --dport 993 -j ACCEPT
+# iptables -t filter -P OUTPUT DROP
+#+end_example
+
+* =iptables= Command Example, Cont…
+#+begin_example
+# iptables -L --numeric
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy DROP)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 192.168.1.1 udp dpt:53
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
+#+end_example
+
+* iptables Structure
+- rules
+ - targets
+- chains
+ - default policies
+- *tables*
+
+* =filter= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- 
"traditional" firewall operations + +#+begin_example + +---------+ +in ---> routing decision ---> | FORWARD | -------------------+---> out + | +---------+ | + | | + V | + +-------+ +--------+ | + | INPUT | ------> application ---> | OUTPUT | ---+ + +-------+ +--------+ +#+end_example + +* Linux Kernel Packet Forwarding +#+begin_example +# echo 1 > /proc/sys/net/ipv4/ip_forward +#+end_example + +#+begin_example +# sysctl -w net.ipv4.ip_forward=1 +#+end_example + +* Targets & Custom Chains +- standard targets + - =ACCEPT= + - =DROP= + - =QUEUE= + - user-defined chain + - =--jump= + - =--goto= + - =RETURN= (for user-defined chains) +- target modules targets + - =LOG= + - =REJECT= + - default: =icmp-port-unreachable= + - =tcp-reset= (=RST/ACK=) + +* =REJECT= & Custom Chain Example +#+begin_example +# iptables -N HTTPS-TRAFFIC +# iptables -A HTTPS-TRAFFIC --destination 1.2.3.4 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 5.6.7.8 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 9.10.11.12 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 13.14.15.16 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 17.18.19.20 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 21.22.23.24 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --destination 25.26.27.28 -j ACCEPT +# iptables -A HTTPS-TRAFFIC --proto tcp -j REJECT --reject-with tcp-reset +# iptables -A OUTPUT --proto tcp --destination-port 443 -j HTTPS-TRAFFIC +# iptables -P OUTPUT DROP +#+end_example + +* =REJECT= & Custom Chain Example, Cont. 
+#+begin_example
+# iptables -L OUTPUT
+Chain OUTPUT (policy DROP)
+target prot opt source destination
+HTTPS-TRAFFIC tcp -- anywhere anywhere tcp dpt:https
+# iptables -L HTTPS-TRAFFIC
+Chain HTTPS-TRAFFIC (1 references)
+target prot opt source destination
+ACCEPT all -- anywhere 1.2.3.4
+ACCEPT all -- anywhere 5.6.7.8
+ACCEPT all -- anywhere 9.10.11.12
+ACCEPT all -- anywhere 13.14.15.16
+ACCEPT all -- anywhere 17.18.19.20
+ACCEPT all -- anywhere 21.22.23.24
+ACCEPT all -- anywhere 25.26.27.28
+ACCEPT all -- anywhere 29.30.31.32
+REJECT tcp -- anywhere anywhere reject-with tcp-reset
+#+end_example
+
+* =nat= Table
+- =PREROUTING=
+- =OUTPUT=
+- =POSTROUTING=
+- *only first connection packet*
+
+* Address Translation Targets
+- =SNAT=
+ - =OUTPUT= & =POSTROUTING=
+- =MASQUERADE=
+ - =OUTPUT= & =POSTROUTING=
+- =DNAT=
+ - =PREROUTING=
+
+* Ordinary NAT Example (=MASQUERADE=), Cont.
+#+begin_example
+# iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
+# iptables -t nat -L
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- anywhere anywhere
+#+end_example
+
+* Ordinary NAT Example (=MASQUERADE=), Cont.
+#+begin_example
+# iptables -t nat -S
+-P PREROUTING ACCEPT
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P POSTROUTING ACCEPT
+-A POSTROUTING -o eth0 -j MASQUERADE
+#+end_example
+
+* Connection Tracking
+#+begin_example
+# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+#+end_example
+
+- protocol + source addr + source port + destination addr + destination port
+- =nat= table → first connection packet
+- other tables → all packets
+
+* =mangle= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- =PREROUTING=
+- =POSTROUTING=
+- packet header changes
+- marks
+ - =MARK=
+ - =CONNMARK=
+ - =SEC*MARK=
+
+* NAT with Exposed Service Example
+#+begin_example
+# iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
+# iptables -t nat -A PREROUTING --proto tcp --destination 12.34.56.78 \
+> --dport 587 -j DNAT --to-destination 192.168.7.205:25
+# iptables -t mangle -A PREROUTING --in-interface \!eth0 --proto tcp \
+> --destination 12.34.56.78 --dport 587 -j MARK --set-mark 0x400
+# iptables -t nat -A POSTROUTING --proto tcp -m mark --mark 0x400 -j MASQUERADE
+#+end_example
+
+* NAT with Exposed Service Example, Cont.
+#+begin_example
+# iptables -t mangle -L | sed 's/ \{8\}/ /g;s/ \{5\}/ /g'
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+MARK tcp -- anywhere 12.34.56.78 tcp dpt:submission MARK set 0x400
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+#+end_example
+
+* NAT with Exposed Service Example, Cont…
+#+begin_example
+# iptables -t nat -L | sed 's/\t/ /g;s/ \+/ /g;'
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+DNAT tcp -- anywhere 12.34.56.78 tcp dpt:submission to:192.168.7.205:25
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- anywhere anywhere
+MASQUERADE tcp -- anywhere anywhere mark match 0x400
+#+end_example
+
+* =raw= Table
+- =OUTPUT=
+- =REROUTING=
+- disabling conntrack
+
+* =security= Table
+- =INPUT=
+- =OUTPUT=
+- =FORWARD=
+- specicific marks
+ - =SECMARK= & =CONNSECMARK=
+ - SELinux
+ - initially through =mangle= only
+
+* Packet Couting
+#+begin_example
+sudo iptables -vL
+Chain INPUT (policy ACCEPT 7025 packets, 4955K bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain OUTPUT (policy ACCEPT 4625 packets, 648K bytes)
+ pkts bytes target prot opt in out source destination
+#+end_example
+
+* iptables Rate Limiting Example
+#+begin_example
+# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
+# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
+> --seconds 120 --hitcount 10 -j DROP
+#+end_example
+
+/from: 
https://www.baeldung.com/linux/iptables-packet-rate-limit/
+
+* iptables Persistence
+- iptables-save
+- iptables-restore
+ - guaranteed atomic
+
+* nftables
+- 2014 (kernel TODO)
+- VM (like BPF)
+- hooks
+ - https://people.netfilter.org/pablo/nf-hooks.png
+
+* nftables differences
+- no builtin tables
+- no builtin chains
+- user-created chains attached to *hooks*
+- =iptables-legacy=, =iptables-nft=
+
+* Firewalls & NAT in Other OSes
+- Packet Filter (BSDs & macOS)
+ - originated: OpenBSD
+ - superseded ipfw
+- IP Filter (Solaris family)
+- Windows Firewall
+
+/note: FreeBSD TCP/IP stack as base for macOS & Windows NT/
+
+* DNS
+- DHCP/static
+- =/etc/resolv.conf=
+- resolvers
+- DoT, DoH
+ - move power from ISP to Google/Cloudflare 🤔
+- DNSSEC
+ - typical setup: verification by resolver only
+ - DANE (with SMTP)
+- mDNS
+
+* dnsmasq
+- DHCP+TFTP+DNS
+- caching
+- *filtering/redirections*
+
+* Proxy Setup Approaches
+- application-specific (e.g., GUI)
+- environment variables
+- =LD_PRELOAD=
+ - e.g. proxychains tool
+ - applications w/out proxy support
+ - *NOT* a security measure (bypassable)
+- firewall redirection
+- eBPF
+
+* TLS & Operating System
+- certs supplied by
+ - OS
+ - adminitrator
+ - application (e.g., Mozilla certs)
+- kTLS
+ - not really relevant here but let's know this exists
+
+* HTTPS proxies
+- implementations in dedicated firewall/router hw
+ - e.g., FortiGate
+- ordinary software
+ - e.g., mitmproxy
+- policy: all traffic goes through proxy
+ - enforcement: block of other traffic (firewall)
+
+* Selected VPN technologies
+- IPSec
+- PPTP
+- *OpenVPN*
+- *WireGuard*
+
+* OpenVPN
+- TLS
+- authentication
+ - x.509
+ - shared secret
+ - login/password
+- =tun=/=tap=
+- TCP/UDP
+
+* WireGuard
+- 2020 (kernel 5.6)
+ - 2015 (patched kernel)
+- in-kernel
+ - later: cross-platform clients
+- custom protocol
+ - public keys (aka SSH)
+ - PFS
+ - optional additional shared secret
+- =wg= interface
+- UDP
|
