Firewall Evasion Flashcards
Firewalls can be too restrictive, making it inconvenient for users. For example, many
companies and schools enforce egress filtering, which blocks users inside of their
networks from reaching out to certain websites or Internet services, such as game
and social network sites.
* There are many ways to evade firewalls. A typical approach is to use the tunneling
technique, which hides the real purposes of network traffic.
* There are a number of ways to establish tunnels. The two most common tunneling
techniques are Virtual Private Network (VPN) and port forwarding.
Setup: Firewall Rules
# Ingress filtering: only allows SSH traffic
iptables -A FORWARD -i eth0 -p tcp -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -j DROP
# Egress filtering: block www.example.com
iptables -A FORWARD -i eth1 -d 93.184.216.0/24 -j DROP
what does it do?
-Allows TCP packets to come in if they belong to an established or related connection (stateful firewall rule).
-Allows SSH
-Drops all other TCP packets if they do not satisfy the first or the second rule.
-Egress firewall rule: prevents the internal hosts from sending packets to 93.184.216.0/24 (www.example.com)
Setup: VPN Tunneling: Ingress Firewall
Set Up A VPN Tunnel:
* Client: Home
* Server: Apollo
ssh -w 0:0 root@192.168.60.5 \
-o "PermitLocalCommand=yes" \
-o "LocalCommand=ip addr add 192.168.53.88/24 dev tun0 && \
ip link set tun0 up" \
-o "RemoteCommand=ip addr add 192.168.53.99/24 dev tun0 && \
ip link set tun0 up"
what is LocalCommand and RemoteCommand
The LocalCommand entry specifies the command
running on the VPN client side. It configures the
client-side TUN interface
The RemoteCommand entry specifies the command
running on the VPN server side. It configures the
server-side TUN interface
ssh -w 0:0 root@192.168.60.5 \
-o "PermitLocalCommand=yes" \
-o "LocalCommand=ip addr add 192.168.53.88/24 dev tun0 && \
ip link set tun0 up" \
-o "RemoteCommand=ip addr add 192.168.53.99/24 dev tun0 && \
ip link set tun0 up"
what does it do?
This SSH command creates a point-to-point VPN tunnel using tun0 on both the client and the server.
It uses LocalCommand to configure the client’s tun0 interface, and RemoteCommand to configure the server’s tun0 interface with IP addresses 192.168.53.88 and 192.168.53.99 respectively.
ip route replace 192.168.60.0/24 dev tun0
This command routes all traffic to the 192.168.60.0/24 network through the VPN tunnel (tun0).
ip route add 192.168.60.5/32 via 10.9.0.11
This command ensures that traffic to the VPN server (192.168.60.5) goes through the regular network, not the VPN tunnel, to avoid breaking the SSH connection.
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
This command enables NAT on the server. It makes traffic from the VPN client appear as if it’s coming from the server’s IP address before going out to the internet.
ssh -4NT -L 8000:192.168.60.6:23 seed@192.168.60.5
This command sets up local port forwarding. It allows the Home machine to access 192.168.60.6:23 (Work) through Apollo by connecting to localhost:8000.
ssh -4NT -L 8000:www.example.com:80 seed@10.9.0.5
This command sets up a local port forwarding tunnel from Apollo to www.example.com:80 through Home. It is used to bypass an egress firewall that blocks access to the website.
curl --proxy localhost:8000 http://www.example.com
here you can access the blocked site
ssh -4NT -R 0.0.0.0:8000:192.168.60.6:80 seed@10.9.0.5
This command creates a reverse SSH tunnel from Apollo to Home. It allows the Home machine to access the internal web server (192.168.60.6:80) through port 8000 on localhost.
This is useful for bypassing an ingress firewall that blocks direct access to the web server.
What is Static Port Forwarding?
- Destinations are fixed
- One tunnel for each destination
Q: What is Dynamic Port Forwarding (SOCKS5 Tunnel)?
- Destinations are NOT fixed
- One tunnel for many destinations
- Therefore, typically called Proxy
Q: What does the command ssh -4NT -D 9000 seed@10.9.0.5 do?
It creates a SOCKS5 proxy on Apollo at port 9000, allowing traffic to be routed through Home (10.9.0.5).
curl --proxy socks5h://localhost:9000 https://www.example.com
Use localhost:9000 as a proxy and you can access the website
How does the dynamic port forwarding work?
- The destination is not specified
- The client must tell the proxy the destination information
- The client and proxy use a protocol for that purpose
SOCKS protocol
- Socket secure, version 5 (SOCKS5)
- The client must have native support for the SOCKS protocol
nc -lv 8080
Start a server that we will access via the proxy
What Happens Between Client and Proxy
- Client and Proxy establish a TCP connection
- Using the TCP connection, Client and Proxy initiate the SOCKS protocol.
- Client tells Proxy the destination of the port forwarding (10.9.0.5:8080).
- The port forwarding setup is complete
- Proxy forwards the traffic from one end of the tunnel to the other end,
from where the data will be further forwarded to the final destination (10.9.0.5:8080)
Q: What are SOCKS5 and VPN both used for?
- Bypassing firewall
- Protecting communication
Q: Is SOCKS5 proxy transparent?
No, it is not transparent. You must configure each application to use it.
Q: Is VPN transparent?
Yes, it is system-wide and doesn’t need per-app configuration.
Which is easier to set up: SOCKS5 or VPN?
SOCKS5 is easier. VPN is more complex.