netkit lab network address translation 1.0 Massimo Rimondini Version Author(s)

Similar documents
netkit lab static-routing Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

netkit lab load balancer web switch 1.1 Giuseppe Di Battista, Massimo Rimondini Version Author(s)

netkit lab single-host Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

netkit lab MPLS VPNs with overlapping address spaces 1.0 S.Filippi, L.Ricci, F.Antonini Version Author(s)

netkit lab two-hosts Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

netkit lab bgp: multi-homed Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

netkit lab Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version 1.

walkthrough Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version 1.

netkit lab load balancer dns 1.2 Massimo Rimondini Version Author(s)

Version Author(s) Web Description

netkit lab Traffic Engineering with MPLS for Linux Version Author(s) F. Di Ciccio, F. Antonini (Kasko Networks S.r.l.)

Linux TCP/IP Network Management

netkit lab web server and browser 1.2 Giuseppe Di Battista, Maurizio Patrignani, Massimo Rimondini Version Author(s)

netkit lab bgp: prefix-filtering Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group

Introduction to NetGUI

VM-Series Firewall Deployment Tech Note PAN-OS 5.0

BASIC TCP/IP NETWORKING

IP Address: the per-network unique identifier used to find you on a network

Host Configuration (Linux)

Workshop on Scientific Applications for the Internet of Things (IoT) March

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

L3DSR Overcoming Layer 2 Limitations of Direct Server Return Load Balancing

Topic 7 DHCP and NAT. Networking BAsics.

TCP/IP Network Essentials. Linux System Administration and IP Services

Tcpdump Lab: Wired Network Traffic Sniffing

+ iptables. packet filtering && firewall

Configuring Static and Dynamic NAT Simultaneously

IP network tools & troubleshooting. AFCHIX 2010 Nairobi, Kenya October 2010

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

A virtual network laboratory for learning IP networking

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

Lab Objectives & Turn In

CS Computer and Network Security: Firewalls

BASIC ANALYSIS OF TCP/IP NETWORKS

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Sample Configuration Using the ip nat outside source list C

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

CS Computer and Network Security: Firewalls

Configuration of Cisco Routers. Mario Baldi

Load Balancing Clearswift Secure Web Gateway

Assignment 3 Firewalls

Guideline for setting up a functional VPN

CSC574 - Computer and Network Security Module: Firewalls

Bridgewalling - Using Netfilter in Bridge Mode

Note: Guide not yet tested in the SFU Surrey Linux Lab (SUR4080). Some changes may be needed.

Configuring the PIX Firewall with PDM

CELLTRACKS ANALYZER II. Networking Guide J40169EN

Routing concepts in Cyberoam

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

How To Install Openstack On Ubuntu (Amd64)

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

LAB THREE STATIC ROUTING

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

bigbluebutton Open Source Web Conferencing

CS244A Review Session Routing and DNS

Written by Saif ur Rab Monday, 07 December :19 - Last Updated Monday, 27 December :19

3. The Domain Name Service

Sample Configuration Using the ip nat outside source static

Linux Routers and Community Networks

Linux Networking. How Networking Works Configuring Networking in Linux Using redhat-config-network Network debugging Wireless networking IPv6

Corso di Configurazione e Gestione di Reti Locali

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Lab Exercise Configure the PIX Firewall and a Cisco Router

HIGH AVAILABILITY (HA) WITH OPENSIPS

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Network Protocol Configuration

QualNet 4.5 Network Emulation Interface Model Library

Homework 3 TCP/IP Network Monitoring and Management

Network Diagnostic Tools. Jijesh Kalliyat Sr.Technical Account Manager, Red Hat 15th Nov 2014

1.0 Basic Principles of TCP/IP Network Communications

High Availability in Linux Firewalls using VRRP

Network Administration and Monitoring

CSE543 - Computer and Network Security Module: Firewalls

Virtual Systems with qemu

FIREWALL AND NAT Lecture 7a

Policy Based Forwarding

Advanced SSH Tunneling by Bill Brassfield, Dev Ops Technical Consultant, Taos

Linux Networking Basics

Firewalls. Pehr Söderman KTH-CSC

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

KAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10

ICS 351: Today's plan

DCB Ethernet Tunnel Family Configuration Guide

21.4 Network Address Translation (NAT) NAT concept

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Load Balancing Sophos Web Gateway. Deployment Guide

Part 4: Virtual Private Networks

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

Firewalls. Chien-Chung Shen

Firewall Troubleshooting

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Network Management and Debugging. Jing Zhou

IPv6.marceln.org.

Lab Configuring Access Policies and DMZ Settings

Instructor Notes for Lab 3

Packet Sniffing and Spoofing Lab

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Transcription:

netkit lab network address translation Version Author(s) 1.0 Massimo Rimondini E-mail Web Description contact@netkit.org http://www.netkit.org/ A simple lab showing the operation of a NAT gateway using static NAT

copyright notice All the pages/slides in this presentation, including but not limited to, images, photos, animations, videos, sounds, music, and text (hereby referred to as material ) are protected by copyright. This material, with the exception of some multimedia elements licensed by other organizations, is property of the authors and/or organizations appearing in the first slide. This material, or its parts, can be reproduced and used for didactical purposes within universities and schools, provided that this happens for non-profit purposes. Information contained in this material cannot be used within network design projects or other products of any kind. Any other use is prohibited, unless explicitly authorized by the authors on the basis of an explicit agreement. The authors assume no responsibility about this material and provide this material as is, with no implicit or explicit warranty about the correctness and completeness of its contents, which may be subject to changes. This copyright notice must always be redistributed together with the material, or its portions.

nat types rfc 3489 enumerates four treatments observed in implementations : full cone restricted cone port restricted cone symmetric obsoleted by rfc 5389, because many NATs did not fit cleanly into the types defined there anyway...

nat types (from rfc 3489) full cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) full cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) full cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host can send a packet to the internal host, by using its mapped external address

nat types (from rfc 3489) full cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host can send a packet to the internal host, by using its mapped external address

nat types (from rfc 3489) full cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host can send a packet to the internal host, by using its mapped external address

nat types (from rfc 3489) (address) restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) (address) restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) (address) restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,*) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,*)

nat types (from rfc 3489) (address) restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,*) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,*)

nat types (from rfc 3489) (address) restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,*) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,*)

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,H port ) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,H port )

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,H port ) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,H port )

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,H port ) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,H port )

nat types (from rfc 3489) port restricted cone nat requests from the same internal (I IP,I port ) are mapped to the same external (E IP,E port ) server1 NAT box any external host (H IP,H port ) can send a packet to the internal host, only if the latter has previously sent a packet to (H IP,H port )

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) server1 NAT box

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) NAT server1 box packets from the same (I IP,I port ) but with a different destination are mapped to a different (E IP,E port )

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) NAT server1 box packets from the same (I IP,I port ) but with a different destination are mapped to a different (E IP,E port )

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) NAT server1 box packets from the same (I IP,I port ) but with a different destination are mapped to a different (E IP,E port ) only replies can be sent back to (I IP,I port )

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) NAT server1 box packets from the same (I IP,I port ) but with a different destination are mapped to a different (E IP,E port ) only replies can be sent back to (I IP,I port )

nat types symmetric nat requests from the same internal (I IP,I port ) to the same destination (D IP,D port ) are mapped to the same external (E IP,E port ) NAT server1 box packets from the same (I IP,I port ) but with a different destination are mapped to a different (E IP,E port ) only replies can be sent back to (I IP,I port )

lab topology 2 eth1 65 eth1 1 eth1 14,15 16,17 eth1 server1 3 eth1 gateway 103 eth1 host2 10.0.0.0/24 193.204.161.0/24 A B

lab description hosts really have no setup just a default route pointing to the gateway.startup ifconfig ifconfig eth0 eth0 10.0.0.2 10.0.0.2 netmask netmask 255.255.255.0 255.255.255.0 up up route route add add default default gw gw 10.0.0.1 10.0.0.1 host2.startup ifconfig ifconfig eth0 eth0 10.0.0.3 10.0.0.3 netmask netmask 255.255.255.0 255.255.255.0 up up route route add add default default gw gw 10.0.0.1 10.0.0.1

lab description servers servers just because they have a public address have an empty configuration (really!) automatically launch a sniffer to easily see the traffic server1.startup ifconfig ifconfig eth0 eth0 193.204.161.65 193.204.161.65 up up touch touch /hostlab/$hostname.ready cd cd /root /root screen screen -c -c /root/screenrc /root/screenrc these statements simply split the machine s terminal to to keep the sniffer handy.startup ifconfig ifconfig eth0 eth0 193.204.161.103 193.204.161.103 up up touch touch /hostlab/$hostname.ready cd cd /root /root screen screen -c -c /root/screenrc /root/screenrc

lab description gateway uses iptables to implement the various nat types by default, implements a full cone nat nat type can be switched by using set_nat_type.sh gateway root@gateway:/root#./set_nat_type.sh Usage:./set_nat_type.sh nat_type where nat_type is one of the following, self-explaining, explaining, NAT types: f)ullcone r)estricted p)ortrestricted s)ymmetric root@gateway:/root#

lab description gateway iptables rules implementing the nat are shown in real time on the gateway

lab description gateway gateway s external interface (eth1) is assigned multiple IP addresses by using aliases these address make up the pool of public addresses to which private addresses are mapped gateway gateway:~# ifconfig grep -A 1 eth1 eth1 Link encap:ethernet HWaddr de:c3:bf:f8:7a:aa inet addr:193.204.161.14 Bcast:193.204.161.255 Mask:255.255.255.0 -- eth1:1 Link encap:ethernet HWaddr de:c3:bf:f8:7a:aa inet addr:193.204.161.15 Bcast:193.204.161.255 Mask:255.255.255.0 -- eth1:2 Link encap:ethernet HWaddr de:c3:bf:f8:7a:aa inet addr:193.204.161.16 Bcast:193.204.161.255 Mask:255.255.255.0 -- eth1:3 Link encap:ethernet HWaddr de:c3:bf:f8:7a:aa inet addr:193.204.161.17 Bcast:193.204.161.255 Mask:255.255.255.0

experiment 1 address mapping let s experiment the mapping from a private to a public address (we disregard ports for the moment) go on and ping 193.204.161.65 (server1) :~# ping 193.204.161.65 PING 193.204.161.65 (193.204.161.65) 56(84) bytes of data. 64 bytes from 193.204.161.65: icmp_seq=1 ttl=63 time=0.329 ms 64 bytes from 193.204.161.65: icmp_seq=2 ttl=63 time=0.338 ms 64 bytes from 193.204.161.65: icmp_seq=3 ttl=63 time=0.352 ms do the same from host2

experiment 1 address mapping let s experiment the mapping from a private to a public address (we disregard ports for the moment) go on and ping 193.204.161.65 (server1) interesting note: despite server1 having no no clue in in its its routing table about how to to get to to (10.0.0.2) or or to to a default route, server1 still sends ICMP replies back to to server1 root@server1:/root# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 193.204.161.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 can you tell why the ping works?

experiment 1 address mapping let s experiment the mapping from a private to a public address (we disregard ports for the moment) go on and ping 193.204.161.65 (server1) :~# ping 193.204.161.65 PING 193.204.161.65 (193.204.161.65) 56(84) bytes of data. 64 bytes from 193.204.161.65: icmp_seq=1 ttl=63 time=0.329 ms 64 bytes from 193.204.161.65: icmp_seq=2 ttl=63 time=0.338 ms 64 bytes from 193.204.161.65: icmp_seq=3 ttl=63 time=0.352 ms do the same from host2 by looking at the ready-to-use sniffer on server1, we can learn that is mapped to the external IP address 193.204.161.14 host2 is mapped to the external IP address 193.204.161.15

experiment 1 address mapping gateway is set up to not alter ports therefore, traffic from (,I port ) is always mapped to (193.204.161.14,I port ), and traffic from (host2,i port ) is always mapped to (193.204.161.15,I port ) check it, e.g., by using nc 193.204.161.65 999 p 100 from and host2, using different source port numbers attempt to to establish a TCP TCP connection to to 193.204.161.65 port port 999, 999, using source port port 100 100

experiment 1 address mapping conclusion and host2 are correctly mapped to an external public IP address and host2 are always mapped to the same address port numbers are never changed, obeying nat rules for traffic from the private to the public network exercise: you can perform the same check for other nat types (but for the symmetric one)

experiment 2 full cone let s experiment full cone nat netcat (nc): a simple utility to transfer stdin/stdout over a TCP connection start nc in server mode on :~# nc -l -p 100 listening mode port to to listen on on from, use nc to connect to the server running on root@:/root# nc 193.204.161.14 100 host and port to to connect to to

experiment 2 full cone type any text on s terminal and see it appearing on s terminal :~# nc -l -p 100 root@:/root# nc 193.204.161.14 100

experiment 2 full cone type any text on s terminal and see it appearing on s terminal :~# nc -l -p 100 root@:/root# nc 193.204.161.14 100 hello there

experiment 2 full cone type any text on s terminal and see it appearing on s terminal :~# nc -l -p 100 hello there root@:/root# nc 193.204.161.14 100 hello there

experiment 2 full cone conclusion & exercises can send traffic to even if has never sent traffic to before (yes, we have sent some pings before, but restart the lab if you don t trust ) repeat the check for traffic from to host2, from server1 to, and from server1 to host2, varying the port numbers

experiment 3 restricted let s experiment restricted nat change the nat type on gateway to restricted gateway gateway:~#./set_nat_type.sh restricted gateway:~# you should see iptables rules on gateway change

experiment 3 restricted (yet another) interesting note: the behavior of of (port) restricted nat does not fit fit well the connection-oriented semantic of of iptables rules as as a consequence, (port) restricted nat is is well known to to be be very hard to to implement in in Linux in the lab, (port) restricted nat is implemented by some hacks gateway:~#./set_nat_type.sh restricted iptables rules are gateway:~# dynamically added according to to the traffic that traverses the gateway rules automatically expire after 30s in the lab, gateway (port) restricted nat is implemented by some hacks

experiment 3 restricted start two instances of nc in server mode on, each listening on a different port :~# nc -l -p 100 & nc -l -p 200 & [1] 522 [2] 523 :~# from, attempt to connect to one of the nc instances on root@:/root# nc 193.204.161.14 100 (UNKNOWN) [193.204.161.14] 100 (?) : Connection refused root@:/root# nc 193.204.161.14 200 (UNKNOWN) [193.204.161.14] 200 (?) : Connection refused

experiment 3 restricted the connection correctly fails until sends some TCP traffic to let s try to send TCP traffic (a connection attempt is enough) to server1 instead the connection from to still does not work :~# nc 193.204.161.65 999 (UNKNOWN) [193.204.161.65] 999 (?) : Connection refused root@:/root# nc 193.204.161.14 100 (UNKNOWN) [193.204.161.14] 100 (?) : Connection refused root@:/root# nc 193.204.161.14 200 (UNKNOWN) [193.204.161.14] 200 (?) : Connection refused

experiment 3 restricted now let s send TCP traffic to :~# nc 193.204.161.103 999 (UNKNOWN) [193.204.161.103] 999 (?) : Connection refused gateway automatically sets a rule for the nat traffic from (any port) to any of s ports is now possible, and messages are delivered by nc after 30 seconds, it is again impossible to initiate a connection from to root@:/root# nc 193.204.161.14 100 test message ^C root@:/root# nc 193.204.161.14 200 another test message ^C

experiment 3 restricted conclusion & exercises traffic can be sent from an external host to an internal one only if the internal host has sent a packet to the external host beforehand check by considering other source-destination pairs and changing port numbers

experiment 4 port restricted let s experiment port restricted nat change the nat type on gateway to portrestricted gateway gateway:~#./set_nat_type.sh portrestricted gateway:~# you should see iptables rules on gateway change

experiment 4 port restricted start nc in server mode (and in background) on :~# nc -l -p 100 & :~# attempt to contact it from root@:/root# nc 193.204.161.14 100 (UNKNOWN) [193.204.161.14] 100 (?) : Connection refused

experiment 4 port restricted send some TCP traffic (a connection attempt is enough) from to and try again :~# nc 193.204.161.103 999 (UNKNOWN) [193.204.161.103] 999 (?) : Connection refused root@:/root# nc 193.204.161.14 100 (UNKNOWN) [193.204.161.14] 100 (?) : Connection refused

experiment 4 port restricted the connection still fails, because the nat is enforcing a restriction also on the port if sends a packet to s port 999, then can only initiate connections to using source port 999 let s try again... :~# nc 193.204.161.103 999 (UNKNOWN) [193.204.161.103] 999 (?) : Connection refused root@:/root# nc 193.204.161.14 100 -p 999 this is a test message ^C now it works!

experiment 4 port restricted conclusion & exercises an external hosts can initiate connections to an internal host only if it has been contacted by the internal host beforehand, and using as source port the port on which it has been contacted try again using other combinations of sourcedestination hosts and ports what happens if attempts to connect to a different port on (using always 999 as source port)?

experiment 5 symmetric let s check that packets from the same source host to different destinations are mapped to different public addresses go on and ping 193.204.161.65 (server1), then 193.204.161.103 () do the same from host2 looking at the sniffer on server1 and it can be seen that is mapped to 193.204.161.14 when contacting server1 is mapped to 193.204.161.15 when contacting host2 is mapped to 193.204.161.16 when contacting server1 host2 is mapped to 193.204.161.17 when contacting this implements the first half of the symmetric nat behavior

experiment 5 symmetric the second half of the symmetric nat behavior is to refuse unsolicited traffic entering the private network (i.e., only replies to packets that have been originated in the private network are sent back to the private network) to check this use nc to try to make a connection from to server1: this should work use nc to try to make a connection from server1 to

experiment 5 symmetric conclusion & exercises there is no way to initiate a connection from an external host to an internal one, because unsolicited traffic to private hosts is always rejected check it by attempting different combinations of connections between the hosts and the servers

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information