To implement a multi-level firewall in ns-3, the router nodes are configured with rules that control access based on several criteria — source IP address, transport protocol and destination port. The rules are applied by custom packet filters attached to the network devices of the nodes that act as firewalls; every router a packet has to traverse is one filtering "level", so the same rule set is enforced more than once along the path. Below is a step-by-step procedure for implementing a multi-level firewall in ns-3.
Step-by-Step Implementation:
- Set Up ns3 Environment
Make certain ns3 is installed in the computer.
- Create a New Simulation Script
Create a new C++ script for your simulation (for example scratch/multi-level-firewall.cc; files under scratch/ are picked up by the ns-3 build automatically).
- Include Necessary Headers
Include the necessary ns-3 headers in your script.
#include "ns3/applications-module.h"
#include "ns3/core-module.h"
#include "ns3/internet-module.h"
#include "ns3/ipv4-static-routing-helper.h"
#include "ns3/mobility-module.h"
#include "ns3/network-module.h"
#include "ns3/point-to-point-module.h"

#include <algorithm>
#include <vector>
4. Define the Network Topology
Set up the basic network topology, including nodes, devices, and links. For this example, we’ll set up a simple network with multiple routers acting as firewalls.
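using namespace ns3;

// Straight quotes: the typographic quotes in the original listing do not compile.
NS_LOG_COMPONENT_DEFINE ("MultiLevelFirewallExample");

// Firewall rule check, defined after main().
//   packet    - the received frame as handed to the NetDevice receive callback; on a
//               point-to-point device the PPP header has already been stripped, so the
//               packet starts with the IPv4 header.
//   ipv4      - the Ipv4 object of the router that received the packet.
//   interface - that router's Ipv4 interface index for the receiving device.
// Returns true if the packet may be forwarded, false if it must be dropped (default deny).
bool PacketFilter (Ptr<const Packet> packet, Ptr<Ipv4> ipv4, uint32_t interface);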
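int main (int argc, char *argv[])
{
  CommandLine cmd;
  cmd.Parse (argc, argv);

  // Print the firewall verdicts logged with NS_LOG_INFO below.
  LogComponentEnable ("MultiLevelFirewallExample", LOG_LEVEL_INFO);

  // Topology: client (node 0) -- router1 (node 2) -- router2 (node 3) -- server (node 1).
  // Both routers act as firewalls, giving two filtering levels on the client -> server path.
  NodeContainer nodes;
  nodes.Create (4);
  Ptr<Node> client = nodes.Get (0);
  Ptr<Node> server = nodes.Get (1);
  Ptr<Node> router1 = nodes.Get (2);
  Ptr<Node> router2 = nodes.Get (3);

  PointToPointHelper p2p;
  p2p.SetDeviceAttribute ("DataRate", StringValue ("5Mbps"));
  p2p.SetChannelAttribute ("Delay", StringValue ("2ms"));

  // One device container per link. Ipv4AddressHelper::Assign numbers every device in the
  // container it is given from the same subnet, so both ends of a link must be assigned
  // together; handing it single devices out of one flat container leaves the router and
  // server devices without addresses.
  NetDeviceContainer link1 = p2p.Install (client, router1);
  NetDeviceContainer link2 = p2p.Install (router1, router2);
  NetDeviceContainer link3 = p2p.Install (router2, server);

  InternetStackHelper stack;
  stack.Install (nodes);

  Ipv4AddressHelper address;
  address.SetBase ("10.1.1.0", "255.255.255.0");
  Ipv4InterfaceContainer if1 = address.Assign (link1); // client 10.1.1.1, router1 10.1.1.2
  address.SetBase ("10.1.2.0", "255.255.255.0");
  Ipv4InterfaceContainer if2 = address.Assign (link2); // router1 10.1.2.1, router2 10.1.2.2
  address.SetBase ("10.1.3.0", "255.255.255.0");
  Ipv4InterfaceContainer if3 = address.Assign (link3); // router2 10.1.3.1, server 10.1.3.2

  // Static routes. The last argument is the node's Ipv4 interface index: index 0 is always
  // the loopback, and the point-to-point interfaces follow in the order the addresses were
  // assigned above (router1: 1 = link1, 2 = link2; router2: 1 = link2, 2 = link3). The
  // gateway is the neighbour's address on that link, never the node's own address.
  Ipv4StaticRoutingHelper staticRouting;
  const Ipv4Mask slash24 ("255.255.255.0");
  staticRouting.GetStaticRouting (client->GetObject<Ipv4> ())
      ->AddNetworkRouteTo (Ipv4Address ("10.1.3.0"), slash24, if1.GetAddress (1), 1);
  staticRouting.GetStaticRouting (server->GetObject<Ipv4> ())
      ->AddNetworkRouteTo (Ipv4Address ("10.1.1.0"), slash24, if3.GetAddress (0), 1);
  staticRouting.GetStaticRouting (router1->GetObject<Ipv4> ())
      ->AddNetworkRouteTo (Ipv4Address ("10.1.3.0"), slash24, if2.GetAddress (1), 2);
  staticRouting.GetStaticRouting (router2->GetObject<Ipv4> ())
      ->AddNetworkRouteTo (Ipv4Address ("10.1.1.0"), slash24, if2.GetAddress (0), 1);

  // Multi-level firewall.
  // The policy itself lives in PacketFilter (allow UDP/TCP from allowedIp to allowedPort,
  // deny everything else). The values here are the ones the applications use and must agree
  // with the constants in PacketFilter; the abort catches a mismatch on the client address.
  const uint16_t allowedPort = 8080;
  const Ipv4Address allowedIp ("10.1.1.1");
  NS_ABORT_MSG_IF (if1.GetAddress (0) != allowedIp,
                   "client address does not match the source allowed by PacketFilter");

  // NetDevice::SetReceiveCallback *replaces* the callback the Node installed to feed frames
  // into its protocol stack. A filter installed this way therefore has to deliver accepted
  // frames to the IPv4 layer itself; returning true without doing so drops the packet just
  // like returning false. The non-promiscuous receive callback takes four arguments
  // (device, packet, protocol, source address). The leading '+' converts the capture-less
  // lambda to a plain function pointer, which MakeCallback accepts in every ns-3 release.
  NetDevice::ReceiveCallback firewallRx = MakeCallback (
      +[] (Ptr<NetDevice> dev, Ptr<const Packet> pkt, uint16_t protocol, const Address &from) -> bool {
        Ptr<Node> node = dev->GetNode ();
        Ptr<Ipv4> ipv4 = node->GetObject<Ipv4> ();
        // Default deny: non-IPv4 frames and anything the rule set rejects are dropped here.
        if (protocol != Ipv4L3Protocol::PROT_NUMBER
            || !PacketFilter (pkt, ipv4, static_cast<uint32_t> (ipv4->GetInterfaceForDevice (dev))))
          {
            NS_LOG_INFO ("firewall: dropped packet on node " << node->GetId ()
                         << " device " << dev->GetIfIndex ());
            return false;
          }
        // Same hand-off the Node performs for an unfiltered device.
        node->GetObject<Ipv4L3Protocol> ()->Receive (dev, pkt, protocol, from, dev->GetAddress (),
                                                    NetDevice::PACKET_HOST);
        return true;
      });
  // Level 1: router1's client-facing device. Level 2: router2's router1-facing device.
  // Addressing the devices through the link containers avoids Ipv4::GetNetDevice (0), which
  // is the loopback. Echo replies from the server enter each router on its *other* device
  // and are therefore not subject to the (client-source-only) rule.
  link1.Get (1)->SetReceiveCallback (firewallRx);
  link2.Get (1)->SetReceiveCallback (firewallRx);

  // Mobility is not needed for point-to-point links; kept so visualisers have positions.
  MobilityHelper mobility;
  mobility.SetMobilityModel ("ns3::ConstantPositionMobilityModel");
  mobility.Install (nodes);

  // Applications. The server only listens on allowedPort, so a missing echo on 9090 does not
  // by itself prove the firewall dropped it: confirm with the pcap traces (the 9090 packet
  // must be present on the client-router1 link and absent on the router1-router2 link).
  const Ipv4Address serverAddr = if3.GetAddress (1);

  UdpEchoClientHelper echoClient (serverAddr, allowedPort);
  echoClient.SetAttribute ("MaxPackets", UintegerValue (1));
  echoClient.SetAttribute ("Interval", TimeValue (Seconds (1.0)));
  echoClient.SetAttribute ("PacketSize", UintegerValue (1024));
  ApplicationContainer clientApps = echoClient.Install (client);
  clientApps.Start (Seconds (2.0));
  clientApps.Stop (Seconds (10.0));

  UdpEchoClientHelper echoClientBlocked (serverAddr, 9090);
  echoClientBlocked.SetAttribute ("MaxPackets", UintegerValue (1));
  echoClientBlocked.SetAttribute ("Interval", TimeValue (Seconds (1.0)));
  echoClientBlocked.SetAttribute ("PacketSize", UintegerValue (1024));
  ApplicationContainer clientAppsBlocked = echoClientBlocked.Install (client);
  clientAppsBlocked.Start (Seconds (3.0));
  clientAppsBlocked.Stop (Seconds (10.0));

  UdpEchoServerHelper echoServer (allowedPort);
  ApplicationContainer serverApps = echoServer.Install (server);
  serverApps.Start (Seconds (1.0));
  serverApps.Stop (Seconds (10.0));

  // One pcap file per device: multi-level-firewall-<node>-<device>.pcap.
  p2p.EnablePcapAll ("multi-level-firewall");

  Simulator::Stop (Seconds (10.0));
  Simulator::Run ();
  Simulator::Destroy ();
  return 0;
}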
// Define the packet filter function
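// Allow-list check for one received packet (see the declaration above for the parameters).
// Policy: allow UDP or TCP from allowedSource to allowedDstPort; deny everything else,
// including non-UDP/TCP protocols, truncated packets and non-first IP fragments.
// `ipv4` and `interface` are not consulted by this rule set; they are kept so that
// interface-specific rules can be added without changing the receive callback.
bool PacketFilter (Ptr<const Packet> packet, Ptr<Ipv4> ipv4, uint32_t interface)
{
  // These must agree with the client address and allowedPort configured in main().
  const Ipv4Address allowedSource ("10.1.1.1");
  const uint16_t allowedDstPort = 8080;

  // The point-to-point device strips the PPP header before invoking the receive callback,
  // so the packet starts with the IPv4 header. Headers are removed in order from a copy:
  // PeekHeader always decodes from the current start of the packet, so peeking Ipv4Header
  // and then UdpHeader on the same packet would decode the IP header bytes as UDP (its
  // "destination port" would be the IP total-length field) and the port rule never matches.
  Ptr<Packet> copy = packet->Copy ();

  Ipv4Header ipv4Header;
  if (copy->GetSize () < ipv4Header.GetSerializedSize ())
    {
      return false; // truncated; RemoveHeader would assert on it
    }
  copy->RemoveHeader (ipv4Header);

  if (ipv4Header.GetSource () != allowedSource)
    {
      return false;
    }
  // Only the first fragment carries the transport header. Later fragments cannot be
  // matched on port, so deny them rather than let a port rule be bypassed by fragmentation.
  if (ipv4Header.GetFragmentOffset () != 0)
    {
      return false;
    }

  uint16_t dstPort = 0;
  switch (ipv4Header.GetProtocol ())
    {
    case UdpL4Protocol::PROT_NUMBER:
      {
        UdpHeader udpHeader;
        if (copy->GetSize () < udpHeader.GetSerializedSize ())
          {
            return false;
          }
        copy->RemoveHeader (udpHeader);
        dstPort = udpHeader.GetDestinationPort ();
        break;
      }
    case TcpL4Protocol::PROT_NUMBER:
      {
        TcpHeader tcpHeader;
        if (copy->GetSize () < tcpHeader.GetSerializedSize ())
          {
            return false;
          }
        copy->RemoveHeader (tcpHeader);
        dstPort = tcpHeader.GetDestinationPort ();
        break;
      }
    default:
      return false; // ICMP and anything else: no port to match, deny
    }

  return dstPort == allowedDstPort;
}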
Explanation
- Network Topology: The script sets up a simple network with four nodes: a client, two routers acting as firewalls, and a server.
- Point-to-Point Links: The client and server are connected through the two routers.
- Internet Stack: The InternetStackHelper is used to install the IP stack on all nodes.
- Routing: Static routes are added on every node. Each route names the next-hop router's address on the shared link (never the node's own address) and the Ipv4 interface index to send out of, where index 0 is always the loopback interface and the point-to-point interfaces follow in the order their addresses were assigned.
- Multi-Level Firewall: A custom packet filter function allows a packet only if it matches every criterion (source IP, transport protocol and destination port) and denies everything else (default deny). The filter is attached to the receive callback of a router network device on the client-facing side of each router, so client traffic is checked twice. Because setting a device's receive callback replaces the handler the node installed to feed frames into its IP stack, an accepted packet must be handed to the IPv4 layer explicitly; otherwise it is dropped regardless of the filter's verdict.
- Applications: A UDP echo client on the client node sends one packet to the server on the allowed port (8080) and another on a blocked port (9090). The echo server listens only on 8080, so the absence of a reply on 9090 alone does not prove the firewall dropped the packet — check the pcap traces: the 9090 packet must appear on the client–router1 link and must be absent on the router1–router2 link.
- PCAP Tracing: PCAP tracing is enabled to capture packets for analysis.
5. Build and Run the Script
Save the script (for example under scratch/) and build it with the ns-3 build system. Releases up to ns-3.35 use waf, as shown below; from ns-3.36 on the equivalent commands are ./ns3 configure, ./ns3 build and ./ns3 run multi-level-firewall.
./waf configure
./waf build
./waf --run multi-level-firewall
Extending the Example
The example can be extended to cover more complex scenarios, such as:
- Dynamic Firewall Rules: Implement dynamic firewall rules that change based on network conditions or time.
- Advanced Packet Filtering: Use more advanced packet filtering techniques to block or allow packets based on various criteria such as source IP, destination IP, protocol type, etc.
- Intrusion Detection System (IDS): Implement IDS to detect and block malicious traffic.
- Stateful Firewalls: Implement stateful firewalls that track the state of network connections and allow or block packets based on the connection state.
Here is an example of dynamic firewall rules: instead of hard-coded constants, the filter consults a rule table that can be changed while the simulation runs (for example from an event scheduled with Simulator::Schedule). With an empty table every packet is denied, so the initial rules must be added before the first packet arrives:
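// One allow rule: packets from `source` carrying transport `protocol`
// (UdpL4Protocol::PROT_NUMBER or TcpL4Protocol::PROT_NUMBER) to destination port `dstPort`.
struct FirewallRule
{
  Ipv4Address source;
  uint8_t protocol;
  uint16_t dstPort;
};

// Rule table consulted by PacketFilter. It is file-scope so that scheduled events can
// change it during the run, e.g.
//   AddFirewallRule ({Ipv4Address ("10.1.1.1"), UdpL4Protocol::PROT_NUMBER, 8080});
//   Simulator::Schedule (Seconds (5.0), &ClearFirewallRules);
// An empty table denies everything (default deny).
static std::vector<FirewallRule> g_firewallRules;

// Append an allow rule; takes effect for the next packet filtered.
void AddFirewallRule (FirewallRule rule)
{
  g_firewallRules.push_back (rule);
}

// Remove all rules, i.e. fall back to deny-all.
void ClearFirewallRules ()
{
  g_firewallRules.clear ();
}

// Allow-list check against g_firewallRules for one received packet.
// The packet starts with the IPv4 header (the point-to-point device strips the PPP header
// before the receive callback). Headers are removed in order from a copy because PeekHeader
// always decodes from the packet start. Truncated packets, non-first fragments and
// protocols other than UDP/TCP are denied. `ipv4` and `interface` are unused by this rule
// set and kept for the callback signature.
bool PacketFilter (Ptr<const Packet> packet, Ptr<Ipv4> ipv4, uint32_t interface)
{
  Ptr<Packet> copy = packet->Copy ();

  Ipv4Header ipv4Header;
  if (copy->GetSize () < ipv4Header.GetSerializedSize ())
    {
      return false;
    }
  copy->RemoveHeader (ipv4Header);

  // Later fragments carry no transport header; deny rather than skip the port check.
  if (ipv4Header.GetFragmentOffset () != 0)
    {
      return false;
    }

  uint16_t dstPort = 0;
  switch (ipv4Header.GetProtocol ())
    {
    case UdpL4Protocol::PROT_NUMBER:
      {
        UdpHeader udpHeader;
        if (copy->GetSize () < udpHeader.GetSerializedSize ())
          {
            return false;
          }
        copy->RemoveHeader (udpHeader);
        dstPort = udpHeader.GetDestinationPort ();
        break;
      }
    case TcpL4Protocol::PROT_NUMBER:
      {
        TcpHeader tcpHeader;
        if (copy->GetSize () < tcpHeader.GetSerializedSize ())
          {
            return false;
          }
        copy->RemoveHeader (tcpHeader);
        dstPort = tcpHeader.GetDestinationPort ();
        break;
      }
    default:
      return false;
    }

  // Allowed if any current rule matches on all three fields.
  const Ipv4Address source = ipv4Header.GetSource ();
  const uint8_t protocol = ipv4Header.GetProtocol ();
  return std::any_of (g_firewallRules.begin (), g_firewallRules.end (),
                      [&] (const FirewallRule &rule) {
                        return rule.source == source && rule.protocol == protocol
                               && rule.dstPort == dstPort;
                      });
}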
The sections above describe how a multi-level firewall behaves in ns-3; the same structure — a per-router filter with an explicit, default-deny rule set — can be adapted to other scenarios, and we can provide further information on doing so.
Our team provides implementation support for multi-level firewalls in ns-3; stay in touch with us for your project's performance results.