One of the great strengths of VNS3 has always been the ease with which you can look at your network traffic, a necessity for troubleshooting connectivity issues or attesting to correct packet flow. With our release of VNS3 5.0 we have added some big functional improvements that make our network sniffer even better.
Firewall Overview with VNS3
This is part 1 of an overview of firewall rules and capabilities with VNS3. Stay tuned for more advanced VNS3 firewall scenarios: Network Address Translation (NAT-ing), Port Forwarding, Netmapping, SNMP Support, and Copying Traffic to a Device.
A Super fast Firewall Overview
Firewall = network security system that monitors and controls the incoming and outgoing network traffic based on a set of security rules.
Firewalls act as a barrier between a trusted, secure network and another network, like the public Internet
2 Types of Firewalls:
- network firewalls: protect the perimeter of a network by watching traffic that enters and leaves
- host-based firewalls: protect individual devices regardless of the broader network
IP addresses and firewalls
You can use a firewall to control access to a server or network, or to selectively tailor a client’s response to each request for criteria.
Firewalls examine each packet in TCP/IP traffic. Firewalls determine whether to drop packets or forward packets to the destination. Packets contain 3 key sections: IP header, TCP / UDP header, and data (payload).
NAT Firewalls, IP address translation, and NAT-ing
Network address translator (NAT) can act as an intermediary agent on behalf of clients. The real originating IP address might be masked from the server receiving a request. A common practice is to have a NAT mask a large number of devices in a private network. Only the “outside” interface(s) of the NAT needs to have an Internet-routable address.
Commonly, the NAT device maps TCP / UDP port numbers from public networks to individual private addresses on the masqueraded network. In a typical NAT, only the valid IP address is assigned to the firewall. All other device IP addresses are behind firewall, and their internal IP addresses are only valid on the private network.
Home networks scenario:
NAT functions are usually implemented in a residential gateway device, typically one marketed as a “router”. In this scenario, the computers connected to the router would have private IP addresses and the router would have a public address to communicate on the Internet. This type of router allows several computers to share one public IP address.
When a device on the private network needs to communicate with the outside world, the device sends its request to the firewall. The firewall then places the request on behalf of the device that actually made the request. When the response to the request comes back, the request arrives at the firewall, and then the firewall sends the response to the appropriate computer on the private network.
Firewalls in VNS3
VNS3 acts as an application-layer firewall. It’s a great tool to layer your firewall security on top of lower-level firewalls like AWS Security Groups or Azure Network Security Groups. VNS3 is a layer 4 – 7 firewall for your cloud based application. We like to highlight how it allows you more control over your cloud deployments – Only you can control your VNS3 firewall rules.
Set up that VNS3 Firewall
Once you set up and configure your VNS3 instance, add firewall rules to allow or reject packets.
Navigate to Connections > Firewalls to enter firewall rules. Click Save and Activate.
Notes on VNS3 Firewall syntax
VNS3 Firewall features are controlled using IPTables syntax. For more information see http://linux.die.net/man/8/iptables and look for the PARAMETERS section. Another useful guide is available here: http:// www.thegeekstuff.com/2011/06/iptables-rules-examples/
The order of rules matter – rules are applied from top to bottom until the first match. If no match is found, the packet is allowed to continue on.
In addition to the standard security and firewall features of VNS3 you can create your own rules to restrict traffic to and through the VNS3 Controller. Write a specification for a packet to match, then specify what to do with the packet.These are “customer” rules and are applied as appropriate in the overall firewall rule structure on the VNS3 Controller.
If your customer rules don’t reject a packet, it will be allowed by default. However, this “default” is fairly restrictive. Traffic is allowed from “known” VLANS. Known VLANs are VLANS that are listed in IPSec tunnel rules, and the VNS3 virtual VLAN. Allowing traffic from other sources requires adding firewall rules to accept that traffic.
VNS3 Firewall examples: the basics
Drop all packets from 184.108.40.206 to 220.127.116.11:
INPUT_CUST -s 18.104.22.168 -d 22.214.171.124 -j DROP
Drop all traffic from 192.168.3.0/24 (entire subnet) except 192.168.3.11:
INPUT_CUST -s 192.168.3.11/32 -j ACCEPT
INPUT_CUST -s 192.168.3.0/24 -j DROP
Drop tcp traffic from 172.31.1.1 on port 8000 (Stop overlay clients from using the overlay IP of 172.31.1.1 with port 8000).
INPUT_CUST -p tcp -s 172.31.1.1/32 –dport 8000 -m state –state NEW,ESTABLISHED -j DROP
INPUT_CUST -p tcp –sport 8000 -m state –state ESTABLISHED -j DROP
VNS3 Firewall Warning
The VNS3 firewall allows customers complete control of the INPUT, OUTPUT, FORWARDING, PREROUTING and POSTROUTING behavior of traffic as it first enters the VNS3 Controller and as it exits the VNS3 Controller.
The VNS3 internal firewall is still there to “protect” the internal mechanisms of VNS3, however, customer rules can be created that have undesirable effects. Essentially rules that ACCEPT or REJECT/DROP all traffic are likely to create a device that is un-reachable or one that is too permissive in accepting traffic.
Customer rules are evaluated and if there is not a match in the _CUST chains, then they flow through into the interior VNS3 chains which are quite restrictive. Accepting all traffic prevents most of the interior rules from being evaluated which might block unsafe traffic. Blocking all traffic prevents most of the interior rules from being evaluated which accept necessary traffic such as the API and WebUI management utilities. (Blocking port 8000 from all traffic will make the VNS3 instance un-manageable.)
Do not have rules of either of the following forms:
INPUT_CUST –dport 8000 -j REJECT
INPUT_CUST -j REJECT
INPUT_CUST -j ACCEPT
Up next, we’ll look at more advanced VNS3 firewall scenarios including: Network Address Translation (NAT-ing), Port Forwarding, Netmapping, SNMP Support, and Copying Traffic to a Device.