THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Transcription

1 THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering ENG 224 Information Technology Laboratory 6: Internet Connection Sharing Objectives: Build a private network that uses a single shared Internet connection Enable incoming Internet traffic forwarded to hosts in private network Tools: 1) 1 PC with 2 network interface cards and Ubuntu Linux 5 preloaded 2) 1 PC with 1 network interface card and Ubuntu Linux 5 preloaded 3) A cross-over cable connecting the two PCs Introduction For a typical small-office environment, the number of Intern et connections is very limited. It is therefore desirable to provide a shared Internet connection when there are multiple PCs requiring Internet access (Fig. 1). There are many ways to accomplish this, in the form of hardware or software. One simple way is to setup a gateway by using the standard service included in Linux packages called Dynamic Host Configuration Protocol Daemon (dhcpd). In this exercise, you are requested to set up a gateway for a private network similar to the one shown in Fig. 2, which is a simplified version of a typical small-office network in Fig. 1. A Linux box (PC gateway, or just PCG) is a gateway having an Internet connection through a network interface card (NIC). There is another PC (PC1) connected to the second NIC of the Linux PCG. You need an Internet connection for this gateway and a local area network interface device for connecting PC1. In addition, you have to set up the IP addresses, gateway address, network mask, and other parameters for each machine appropriately. Internet Internet PC as Gateway Hub Modem Public address from ISP Private address PCG NIC_G1 NIC_G2 NIC_1 Public address Private address Private network / PC1 Private network / PC Laptop Figure 1: Internet connection sharing. Figure 2: Internet connection sharing. Page 1

2 Network Address Translator (NAT) We are fast exhausting all available IP addresses under IPv4, and this has become a major problem of the Internet. Placing a network address translator (NAT) at the border of a stub domain (i.e. a private network that uses IP addresses internally) enables the use of one public IP address for a large number of PCs. NAT uses multiplexing facility of TCP/IP protocols to multiplex traffic from internal network and presents it to the public Internet as if all the traffic comes from the NAT machine itself. See RFC1631 for details [1]. Dynamic Host Configuration Protocol (DHCP) DHCP (Dynamic Host Configuration Protocol) is a communications protocol which allows network administrators manage and assign Internet Protocol (IP) addresses in an automatic way. In DHCP, a DHCP server in a network receives DHCP requests from a client. Once the request is received, the server will allocate an IP address back to the requesting client. Without DHCP, the IP address must be updated manually at each computer whenever there is a change in the network. See RFC 2131 for details [2]. Address Ranges For assigning addresses for hosts inside a private network, it is recommended [3] that we use three private address ranges of which no Internet router will route to/from: to ( with subnet mask ) to ( with subnet mask ) to ( with subnet mask ) You should not assign IP addresses other than those listed above to any host inside a private network. (See Appendix I for more details on IP subnetting. IP subnetting is also covered in the main lecture.) Internetworking Utilities Ping? A small utility that uses the Internet Control Message Protocol (ICMP) echo function. It sends a packet (64 bytes each) with sequence number to the target host through the network, and waits for a reply. Echoes will be received if both computers and their connection are running properly. Ping also tells us the number of routers between the two parties and the round-trip time. Traceroute (in Linux) or Tracert (in Windows)? Can be used to trace the route an IP packet travels from the source host to the destination host. Tracking the routes between hosts in the Internet can be very difficult. Traceroute achieves this by sending a series of IP packets with very small time-tolive value. A. Basic network configuration In this section, you are requested to configure the private network, including PCG and PC1. Original Configuration 1. Boot PCG and PC1. Login both machine as student and switch user to root in the terminal. Make sure one of the NICs of the PCG is connected to the Internet while the other one is connected to PC1. 2. On PCG, enter the network setting by selecting System->Administration->Networking. Write down the original network TCP/IP configuration of both NICs. 3. a. NIC_G1: IP address: Subnet mask: Default gateway: Page 2

3 DNS server(s): b. NIC_G2: IP address: Subnet mask: Default gateway(s): DNS server(s): Figure 3: Network Settings in Linux 4. On PC1, enter the network setting by selecting System->Administration->Networking. Write down the original network TCP/IP configuration of the NIC. a. NIC_1: IP address: Subnet mask: Default gateway: DNS server(s): 5. On PCG, Keep all the IP addresses associated with the network interface card NIC_G1 (the one connecting to the internet): a. NIC_G1: IP addres s: Original configuration Subnet mask: Original configuration Page 3

4 Default gateway: Original configuration DNS server: Original configuration 6. Then, in the Network Configuration of PCG, Deactivate the NIC_G2 (the one connecting to PC1). Modify the NIC_G2's IP address with the followings : a. NIC_G2: IP address: : Subnet mask: Default gateway: <IP address of NIC_G1> 7. Activate the new IP address by clicking the Activate button. Verify your setting by typing ifconfig eth1 in a terminal. (In this example, eth1 is the NIC_G2) 8. On PC1, in the Network Configuration, Deactivate the NIC_1. Modify its connection settings from statistic IP address to DHCP. 9. Click OK and activate the NIC_1. Setting up the DHCP Daemon [4] Open a terminal on PCG, switch user to root, edit the dhcpd.conf in the /etc/ directory. Create one if it does not exist. Edit the dhcpd.conf as follow: subnet netmask { range ; option domain-name-servers , ; option domain-name "cf004.eie.polyu.edu.hk"; option routers ; option broadcast-address ; default-lease-time 600; max-lease-time 7200; } Save and exit after editing. Edit file /etc/default/dhcp. Look for INTERFACES="" Replace that with INTERFACES="eth1" This setting is to make the dhcp server works on the interface eth1 (NIC-G2). Make sure you have switched to root account by the "su" command. In the terminal use the command "/etc/init.d/dhcp restart" to restart the DHCP Daemon. Setting up the iptables and enable the routing [5] Edit the file 00-firewall under the directory /etc/network/if-up.d/. The 00-firewall is a script file used to configure the iptables. Every file in the directory /if-up.d/ will be activated once the network adaptor has been activated on bootup. Create one if it does not exist. Edit the file as following Page 4

5 #!/bin/sh PATH=/usr/sbin:/sbin:/bin:/usr/bin #Remove all existing rules in the iptables iptables -F iptables -t nat -F iptables -t mangle -F iptables -X #Change all policies to ACCEPT iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT #ACCEPT loop back iptables -A INPUT -i lo -j ACCEPT #ACCEPT INPUT connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT #ACCEPT packet forwarding iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT #IP Masquerade iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #Enable IP forward echo 1 > /proc/sys/net/ipv4/ip_forward To activate the script, change the permission to 711 by the command chmod. Activate the script by entering./00-firewall in the terminal. Edit the file "options" under the directory /etc/network/ as following. ip_forward=yes spoofprotect=yes syncookies=no Restart the PC. Testing for connectivity To test whether gateway has been set up correctly, we may use the commands ping and traceroute. In the ping tests, if you receive error messages such as Request time out, your settings in the previous section are most probably incorrect. Go back to check all the settings before proceeding to the next section. 1. Use ping to test the connectivity PC1<-> PCG<-> the Internet: a. Open a terminal window on PC1. Enter ping c 2 <IP of NIC_G2>, and write down the results below. Page 5

6 b. Open a command prompt in PCG (from Programs on the Start menu). Type ping c 2 <IP of NIC_1>, and write down the result below. c. Also from PCG, type ping <IP of Test Machine>, and write down the result below. (Hint: A simple choice of Test Machine is the local DNS server, whose IP address is at the time of writing this document.) 2. Use traceroute to trace the routing path from your PC to the destination machine: a. From PCG, type traceroute <IP of Test Machine> and write down the result: b. Open a command prompt in PC1. Type traceroute <IP of Test Machine>, and write down the result: c. Note the number of hops required in each case. What is the difference between the results in (a) and (b)? Why is there such a difference? 3. Browse the homepage of PolyU using PC1. Show your result to your tutor. B. Serving Internet Users In the previous section you have set up a gateway that allows users in the private network to use the single Internet connection on PCG. In this section, you are requested to set up a web server on a host in the private network and then configure the gateway to redirect HTTP service requests from Page 6

7 Internet users to the web server (PC1) in your private network. The apache web server has been installed on the PC1. Start the web server on PC1 1. The apache server will start automatically after the boot up. 2. Note the location of the web documents (/var/www/apache2-default/), and create a document student.html containing your name and student ID in the web document root. You can check the location of the document root from the configuration file /etc/apache2/sites-enabled/000-default 3. Test the web service by starting a web browser on PC1 to retrieve the URL where is the standard loopback IP address. Do you see the correct web document containing your name and student ID? 4. Test the web service again by opening a web browser on PCG to retrieve the URL of NIC_1>/student.html. Do you see the correct web document containing your name and student ID? Configure Port forwarding in PCG 1. Open a terminal on PCG. 2. Edit the script file "00-firewall" as following. Those lines started with # are just comment. #!/bin/sh PATH=/usr/sbin:/sbin:/bin:/usr/bin #Remove all existing rules in the iptables iptables -F iptables -t nat -F iptables -t mangle -F iptables -X #Change all policies to ACCEPT iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT #ACCEPT loop back iptables -A INPUT -i lo -j ACCEPT #ACCEPT INPUT connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT #ACCEPT packet forwarding iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT #ACCEPT INPUT on port 80 iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT #IP forwarding on port 80 Page 7

8 #Please change the IP to your own NIC_G1 IP iptables -t nat -A PREROUTING -d p tcp --dport 80 -j DNAT -- to :80 iptables -t nat -A POSTROUTING -d p tcp --dport 80 -j SNAT -- to iptables -A FORWARD -o eth0 -d p tcp --dport 80 -j ACCEPT iptables -A FORWARD -i eth1 -s p tcp --sport 80 -m state -- state ESTABLISHED -j ACCEPT #IP Masquerade iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #Enable IP forward echo 1 > /proc/sys/net/ipv4/ip_forward 3. Activated the script or restart your PC. 4. Make sure you have the root permission. Stop the apache2 service on PCG by the command./apache2 stop under the directory /etc/init.d/. 5. Test the service by opening a browser on a third machine to retrieve the webpage on PC1 at of NIC_G1>/student.html. You should use a PC in a neighboring group for this test. Do you see the correct web document? 6. Show the result to your lab tutor. 7. In PC1, restore the original network TCP/IP configuration for the NIC_1. C. What to hand in Create a new text or Word file and write a brief report about what you have done, observed and learnt in this laboratory exercise. Include your answers to all the questions above in the report. Appendix I - Quick Information on IP Addressing and Subnetting IP Address An IP (Internet Protocol) address is a unique identifier for a node or host on an IP network. An IP address is a 32-bit binary number and usually represented as 4 decimal values, each representing 8 bits, in the range 0 to 255 (known as octets, i.e. 8 bits), separated by decimal points. This is known as dotted decimal notation of IP address. Example IP address Dotted decimal: Binary form: IP address is hierarchical. It consists of 2 parts, the first part identifies the network (Network ID) and the remaining part identifies the node (Host ID). Each Network ID on the Internet must be registered to the Internet Assigned Number Authority (IANA). In the example above, the Network ID and Host ID are as follows: IP address Network ID Host ID Page 8

9 Internet routers forward packets to other routers or hosts according to the Network ID. The number of bit in the Network ID determines the size of the network. Fewer number of bits in Network ID implies larger network, because there are more bits left for Host IDs. There are 5 classes of IP address, according to the size of network: Class A addresses begin with 0xxx, or 1 to 126 decimal. Class B addresses begin with 10xx, or 128 to 191 decimal. Class C addresses begin with 110x, or 192 to 223 decimal. Class D addresses begin with 1110, or 224 to 239 decimal. Class E addresses begin with 1111, or 240 to 254 decimal. Subnetting Network administrators can also sub-divide a network into smaller networks called subnets according to their needs. How does a router or node know about the subnets? The answer lies in the subnet mask. A subnet mask is a 32-bit binary number with many leading 1's, followed by a string of 0 s. Applying logical AND to an IP address with the subnet mask bit by bit allows one to identify the Subnet ID. Example: IP address Binary form Network ID Subnet mask Host ID Increasing the number of 1's in the subnet mask allows more possible subnets, each with a smaller size. Network address is usually expressed in the following form: Network ID / Subnet mask Example: The network address / implies that the possible IP addresses in this subnet ranges from to Another form is /23, where 23 indicates the number of leading 1's in the subnet mask. There are three IP network addresses reserved for private networks. No Internet router will forward packets to/from these networks. The reserved network IP addresses are: /8, /12, and /16. Refer to the lecture notes on TCPIP and/or the following references for more details of NAT. References [1] K. Egevang, The IP Network Address Translator (NAT), [2] James F. Kurose, Kwith W. Ross, Computer Networking a top down approach featuring the internet Page 9

10 [3] Y. Rekhter, B. Moskowitz, D. Karrenberg, G.J. de Groot, and E. Lear, Address Allocation for Private Internets, [4] Chua Wen Kiat "Unoffical Ubuntu Starter Guide" [5] Steve "Setting up a simple Debian gateway" -- End -- Page 10