THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering




ENG 224 Information Technology
Laboratory 6: Internet Connection Sharing

Objectives:
- Build a private network that uses a single shared Internet connection
- Enable incoming Internet traffic to be forwarded to hosts in the private network

Tools:
1) 1 PC with 2 network interface cards and Ubuntu Linux 5 preloaded
2) 1 PC with 1 network interface card and Ubuntu Linux 5 preloaded
3) A cross-over cable connecting the two PCs

Introduction

For a typical small-office environment, the number of Internet connections is very limited. It is therefore desirable to provide a shared Internet connection when there are multiple PCs requiring Internet access (Fig. 1). There are many ways to accomplish this, in hardware or in software. One simple way is to set up a gateway using the standard service included in Linux packages called the Dynamic Host Configuration Protocol Daemon (dhcpd).

In this exercise, you are requested to set up a gateway for a private network similar to the one shown in Fig. 2, which is a simplified version of the typical small-office network in Fig. 1. A Linux box (PC gateway, or just PCG) is a gateway with an Internet connection through a network interface card (NIC). Another PC (PC1) is connected to the second NIC of the Linux PCG. You need an Internet connection for this gateway and a local area network interface device for connecting PC1. In addition, you have to set up the IP addresses, gateway address, network mask, and other parameters for each machine appropriately.

[Figure 1: Internet connection sharing. Labels: Internet, Modem, PC as Gateway, Hub, PC, Laptop; public address from ISP 158.132.149.1, private address 10.0.0.1, private network 10.0.0.0/255.0.0.0.]

[Figure 2: Internet connection sharing (simplified). Labels: Internet; PCG with NIC_G1 (public address 158.132.149.1) and NIC_G2 (private address 10.0.0.1); PC1 with NIC_1; private network 10.0.0.0/255.0.0.0.]

Network Address Translator (NAT)

We are fast exhausting all available IP addresses under IPv4, and this has become a major problem of the Internet. Placing a network address translator (NAT) at the border of a stub domain (i.e. a private network that uses IP addresses internally) enables the use of one public IP address for a large number of PCs. NAT uses the multiplexing facility of the TCP/IP protocols to multiplex traffic from the internal network and presents it to the public Internet as if all the traffic came from the NAT machine itself. See RFC 1631 for details [1].

Dynamic Host Configuration Protocol (DHCP)

DHCP (Dynamic Host Configuration Protocol) is a communications protocol which allows network administrators to manage and assign Internet Protocol (IP) addresses automatically. In DHCP, a DHCP server in a network receives DHCP requests from a client. Once the request is received, the server allocates an IP address to the requesting client. Without DHCP, the IP address must be updated manually at each computer whenever there is a change in the network. See RFC 2131 for details [2].

Address Ranges

For assigning addresses to hosts inside a private network, it is recommended [3] that we use the three private address ranges that no Internet router will route to or from:
    10.0.0.0 to 10.255.255.255 (10.0.0.0 with subnet mask 255.0.0.0)
    172.16.0.0 to 172.31.255.255 (172.16.0.0 with subnet mask 255.240.0.0)
    192.168.0.0 to 192.168.255.255 (192.168.0.0 with subnet mask 255.255.0.0)
You should not assign IP addresses other than those listed above to any host inside a private network. (See Appendix I for more details on IP subnetting. IP subnetting is also covered in the main lecture.)

Internetworking Utilities

Ping: A small utility that uses the Internet Control Message Protocol (ICMP) echo function. It sends packets (64 bytes each) with sequence numbers to the target host through the network, and waits for a reply.
Echoes will be received if both computers and their connection are running properly. Ping also tells us the number of routers between the two parties and the round-trip time.

Traceroute (in Linux) or Tracert (in Windows): Can be used to trace the route an IP packet travels from the source host to the destination host. Tracking the routes between hosts in the Internet can be very difficult. Traceroute achieves this by sending a series of IP packets with very small time-to-live values.

A. Basic network configuration

In this section, you are requested to configure the private network, including PCG and PC1.

Original Configuration

1. Boot PCG and PC1. Log in to both machines as student and switch user to root in the terminal. Make sure one of the NICs of the PCG is connected to the Internet while the other one is connected to PC1.

2. On PCG, enter the network settings by selecting System->Administration->Networking. Write down the original network TCP/IP configuration of both NICs.

3. a. NIC_G1:
   IP address:
   Subnet mask:
   Default gateway:

   DNS server(s):
   b. NIC_G2:
   IP address:
   Subnet mask:
   Default gateway(s):
   DNS server(s):

[Figure 3: Network Settings in Linux]

4. On PC1, enter the network settings by selecting System->Administration->Networking. Write down the original network TCP/IP configuration of the NIC.
   a. NIC_1:
   IP address:
   Subnet mask:
   Default gateway:
   DNS server(s):

5. On PCG, keep all the IP addresses associated with the network interface card NIC_G1 (the one connecting to the Internet):
   a. NIC_G1:
   IP address: Original configuration
   Subnet mask: Original configuration

   Default gateway: Original configuration
   DNS server: Original configuration

6. Then, in the Network Configuration of PCG, deactivate NIC_G2 (the one connecting to PC1). Modify the IP settings of NIC_G2 as follows:
   a. NIC_G2:
   IP address: 192.168.0.1
   Subnet mask: 255.255.255.0
   Default gateway: <IP address of NIC_G1>

7. Activate the new IP address by clicking the Activate button. Verify your setting by typing ifconfig eth1 in a terminal. (In this example, eth1 is NIC_G2.)

8. On PC1, in the Network Configuration, deactivate NIC_1. Modify its connection settings from static IP address to DHCP.

9. Click OK and activate NIC_1.

Setting up the DHCP Daemon [4]

Open a terminal on PCG, switch user to root, and edit dhcpd.conf in the /etc/ directory. Create one if it does not exist. Edit dhcpd.conf as follows:

    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.2 192.168.0.254;
        option domain-name-servers 158.132.209.254, 158.132.18.1;
        option domain-name "cf004.eie.polyu.edu.hk";
        option routers 192.168.0.1;
        option broadcast-address 192.168.0.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

Save and exit after editing. Edit the file /etc/default/dhcp. Look for
    INTERFACES=""
and replace it with
    INTERFACES="eth1"
This setting makes the DHCP server work on the interface eth1 (NIC_G2). Make sure you have switched to the root account with the "su" command. In the terminal, use the command "/etc/init.d/dhcp restart" to restart the DHCP daemon.

Setting up iptables and enabling routing [5]

Edit the file 00-firewall under the directory /etc/network/if-up.d/. 00-firewall is a script file used to configure iptables. Every file in the directory if-up.d/ is run once the network adaptor has been activated on boot-up. Create the file if it does not exist. Edit the file as follows:

    #!/bin/sh
    PATH=/usr/sbin:/sbin:/bin:/usr/bin

    # Remove all existing rules in the iptables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Change all policies to ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # ACCEPT loopback
    iptables -A INPUT -i lo -j ACCEPT

    # ACCEPT INPUT connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

    # ACCEPT packet forwarding
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    # IP Masquerade
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Enable IP forward
    echo 1 > /proc/sys/net/ipv4/ip_forward

To activate the script, change its permission to 711 with the chmod command (chmod 711 00-firewall). Activate the script by entering ./00-firewall in the terminal.

Edit the file "options" under the directory /etc/network/ as follows:
    ip_forward=yes
    spoofprotect=yes
    syncookies=no

Restart the PC.

Testing for connectivity

To test whether the gateway has been set up correctly, we may use the commands ping and traceroute. In the ping tests, if you receive error messages such as "Request time out", your settings in the previous section are most probably incorrect. Go back and check all the settings before proceeding to the next section.

1. Use ping to test the connectivity PC1 <-> PCG <-> the Internet:
   a. Open a terminal window on PC1. Enter ping -c 2 <IP of NIC_G2>, and write down the results below.

   b. Open a command prompt on PCG (from Programs on the Start menu). Type ping -c 2 <IP of NIC_1>, and write down the result below.
   c. Also from PCG, type ping <IP of Test Machine>, and write down the result below. (Hint: A simple choice of Test Machine is the local DNS server, whose IP address is 158.132.209.254 at the time of writing this document.)

2. Use traceroute to trace the routing path from your PC to the destination machine:
   a. From PCG, type traceroute <IP of Test Machine> and write down the result:
   b. Open a command prompt on PC1. Type traceroute <IP of Test Machine>, and write down the result:
   c. Note the number of hops required in each case. What is the difference between the results in (a) and (b)? Why is there such a difference?

3. Browse the homepage of PolyU using PC1. Show your result to your tutor.

B. Serving Internet Users

In the previous section you set up a gateway that allows users in the private network to use the single Internet connection on PCG. In this section, you are requested to set up a web server on a host in the private network and then configure the gateway to redirect HTTP service requests from

Internet users to the web server (PC1) in your private network. The Apache web server has been installed on PC1.

Start the web server on PC1

1. The Apache server starts automatically after boot-up.

2. Note the location of the web documents (/var/www/apache2-default/), and create a document student.html containing your name and student ID in the web document root. You can check the location of the document root in the configuration file /etc/apache2/sites-enabled/000-default.

3. Test the web service by starting a web browser on PC1 to retrieve the URL http://127.0.0.1/student.html, where 127.0.0.1 is the standard loopback IP address. Do you see the correct web document containing your name and student ID?

4. Test the web service again by opening a web browser on PCG to retrieve the URL http://<ip of NIC_1>/student.html. Do you see the correct web document containing your name and student ID?

Configure Port Forwarding on PCG

1. Open a terminal on PCG.

2. Edit the script file "00-firewall" as follows. Lines starting with # are just comments.

    #!/bin/sh
    PATH=/usr/sbin:/sbin:/bin:/usr/bin

    # Remove all existing rules in the iptables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Change all policies to ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # ACCEPT loopback
    iptables -A INPUT -i lo -j ACCEPT

    # ACCEPT INPUT connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT

    # ACCEPT packet forwarding
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    # ACCEPT INPUT on port 80
    iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT

    # IP forwarding on port 80

    # Please change the IP 158.132.150.7 to your own NIC_G1 IP
    iptables -t nat -A PREROUTING -d 158.132.150.7 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
    iptables -t nat -A POSTROUTING -d 192.168.0.2 -p tcp --dport 80 -j SNAT --to 192.168.0.1
    iptables -A FORWARD -o eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i eth1 -s 192.168.0.2 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    # IP Masquerade
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Enable IP forward
    echo 1 > /proc/sys/net/ipv4/ip_forward

3. Activate the script or restart your PC.

4. Make sure you have root permission. Stop the apache2 service on PCG with the command ./apache2 stop under the directory /etc/init.d/.

5. Test the service by opening a browser on a third machine to retrieve the web page on PC1 at http://<ip of NIC_G1>/student.html. You should use a PC in a neighbouring group for this test. Do you see the correct web document?

6. Show the result to your lab tutor.

7. On PC1, restore the original network TCP/IP configuration for NIC_1.

C. What to hand in

Create a new text or Word file and write a brief report about what you have done, observed and learnt in this laboratory exercise. Include your answers to all the questions above in the report.

Appendix I - Quick Information on IP Addressing and Subnetting

IP Address

An IP (Internet Protocol) address is a unique identifier for a node or host on an IP network. An IP address is a 32-bit binary number, usually represented as 4 decimal values, each representing 8 bits (known as octets), in the range 0 to 255, separated by decimal points. This is known as the dotted decimal notation of an IP address.

Example IP address 158.132.14.1
    Dotted decimal: 158.132.14.1
    Binary form:    10011110.10000100.00001110.00000001

An IP address is hierarchical. It consists of 2 parts: the first part identifies the network (Network ID) and the remaining part identifies the node (Host ID). Each Network ID on the Internet must be registered with the Internet Assigned Numbers Authority (IANA). In the example above, the Network ID and Host ID are as follows:

    IP address   10011110.10000100.00001110.00000001
                 10011110.10000100.0000 | 1110.00000001
                 Network ID             | Host ID
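The address translation performed by the nat rules in Sections A and B (MASQUERADE for outbound traffic, DNAT plus SNAT for the port-forwarded web server) can be followed step by step with a small model. The Python simulator below is an added example written for this edition, not code from the lab handout or the referenced guides. It assumes the interface and address assignments used in the scripts (eth0/NIC_G1 with the handout's placeholder public address 158.132.150.7, eth1/NIC_G2 at 192.168.0.1, PC1 at 192.168.0.2); the Internet addresses 203.0.113.10 and 198.51.100.5 are constructed test values, and the Packet and NatGateway names are the example's own.

```python
from dataclasses import dataclass, replace

# Addresses taken from the lab's 00-firewall script; 158.132.150.7 is the
# handout's placeholder for NIC_G1, which you replace with your own.
PUBLIC_IP = "158.132.150.7"    # NIC_G1, on eth0
PRIVATE_GW = "192.168.0.1"     # NIC_G2, on eth1
WEB_SERVER = "192.168.0.2"     # PC1
PRIVATE_PREFIX = "192.168.0."  # stands in for the gateway's routing table


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of the nat-table rules in the lab's 00-firewall script
    (DNAT in PREROUTING, SNAT and MASQUERADE in POSTROUTING) plus the
    connection tracking that reverses them for reply packets."""

    def __init__(self):
        # original 4-tuple of the first packet of a flow -> 4-tuple after translation
        self.conntrack = {}

    def _reply_origin(self, pkt):
        """Return the original tuple if pkt is a reply to a tracked flow, else None."""
        for orig, trans in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (trans[2], trans[3], trans[0], trans[1]):
                return orig
        return None

    def _free_sport(self, wanted, new_src):
        """Keep the original source port unless another tracked flow already
        occupies it on new_src; otherwise step to the next free port."""
        used = {(t[0], t[1]) for t in self.conntrack.values()}
        port = wanted
        while (new_src, port) in used:
            port = 1024 if port >= 65535 else port + 1
        return port

    def process(self, pkt, in_if):
        """Return the packet as it leaves the gateway."""
        orig = self._reply_origin(pkt)
        if orig is not None:
            # Reply direction: conntrack undoes the translation; no nat rules are consulted.
            return Packet(src=orig[2], sport=orig[3], dst=orig[0], dport=orig[1])

        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        out = pkt
        # PREROUTING: -d <NIC_G1> -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
        if in_if == "eth0" and out.dst == PUBLIC_IP and out.dport == 80:
            out = replace(out, dst=WEB_SERVER, dport=80)
        # Routing decision: the private prefix goes out eth1, everything else eth0.
        out_if = "eth1" if out.dst.startswith(PRIVATE_PREFIX) else "eth0"
        # POSTROUTING rule 1: -d 192.168.0.2 -p tcp --dport 80 -j SNAT --to 192.168.0.1
        if out.dst == WEB_SERVER and out.dport == 80:
            out = replace(out, src=PRIVATE_GW, sport=self._free_sport(out.sport, PRIVATE_GW))
        # POSTROUTING rule 2: -o eth0 -j MASQUERADE
        elif out_if == "eth0":
            out = replace(out, src=PUBLIC_IP, sport=self._free_sport(out.sport, PUBLIC_IP))
        self.conntrack[key] = (out.src, out.sport, out.dst, out.dport)
        return out


def outbound_demo():
    """PC1 opens a connection to an Internet host (203.0.113.10 is a constructed address)."""
    gw = NatGateway()
    out = gw.process(Packet(WEB_SERVER, 40000, "203.0.113.10", 443), "eth1")
    back = gw.process(Packet("203.0.113.10", 443, out.src, out.sport), "eth0")
    return out, back


def inbound_demo():
    """An Internet client (198.51.100.5, constructed) fetches http://<NIC_G1>/student.html."""
    gw = NatGateway()
    out = gw.process(Packet("198.51.100.5", 51000, PUBLIC_IP, 80), "eth0")
    back = gw.process(Packet(WEB_SERVER, 80, out.src, out.sport), "eth1")
    return out, back


def collision_demo():
    """Two inside hosts using the same source port share one public address."""
    gw = NatGateway()
    a = gw.process(Packet("192.168.0.2", 5000, "203.0.113.10", 80), "eth1")
    b = gw.process(Packet("192.168.0.3", 5000, "203.0.113.10", 80), "eth1")
    return a.sport, b.sport


if __name__ == "__main__":
    for name, demo in (("outbound", outbound_demo), ("inbound", inbound_demo)):
        out, back = demo()
        print(f"{name}: leaves as {out}; reply delivered as {back}")
    print("collision: public source ports", collision_demo())
```

Running it shows the two effects the lab relies on: every outbound connection from the private network leaves with NIC_G1's address (getting a different source port only when two inside hosts collide on the same port), and an inbound HTTP request is rewritten to 192.168.0.2:80 with its source replaced by 192.168.0.1, so the web server on PC1 records the gateway rather than the real Internet client in its logs. Replies in both directions are mapped back from the connection table without consulting the rules again.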

Internet routers forward packets to other routers or hosts according to the Network ID. The number of bits in the Network ID determines the size of the network. Fewer bits in the Network ID implies a larger network, because more bits are left for Host IDs. There are 5 classes of IP address, according to the size of the network:
    Class A addresses begin with 0xxx, or 1 to 126 decimal.
    Class B addresses begin with 10xx, or 128 to 191 decimal.
    Class C addresses begin with 110x, or 192 to 223 decimal.
    Class D addresses begin with 1110, or 224 to 239 decimal.
    Class E addresses begin with 1111, or 240 to 254 decimal.

Subnetting

Network administrators can also sub-divide a network into smaller networks called subnets according to their needs. How does a router or node know about the subnets? The answer lies in the subnet mask. A subnet mask is a 32-bit binary number with a run of leading 1's followed by a string of 0's. Applying a bit-by-bit logical AND of an IP address with the subnet mask identifies the Subnet ID.

Example:
    IP address    158.132.14.1
    Binary form   10011110.10000100.00001110.00000001
    Network ID    10011110.10000100.00001110.00000000
    Subnet mask   11111111.11111111.11111110.00000000
    Host ID       00000000.00000000.00000000.00000001

Increasing the number of 1's in the subnet mask allows more possible subnets, each of a smaller size. A network address is usually expressed in the following form:
    Network ID / Subnet mask
Example: The network address 158.132.148.0/255.255.254.0 implies that the possible IP addresses in this subnet range from 158.132.148.1 to 158.132.149.254. Another form is 158.132.148.0/23, where 23 indicates the number of leading 1's in the subnet mask.

There are three IP network addresses reserved for private networks. No Internet router will forward packets to/from these networks. The reserved network IP addresses are: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
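As an added worked example for this appendix (not part of the handout), the following Python computes the Network ID, Host ID, address class and private-range membership from a dotted-decimal address and mask using the bit-by-bit AND described above. It reproduces the 158.132.14.1 and 158.132.148.0/23 examples and the class table without the ipaddress module, so each step is visible, and it rejects a non-contiguous mask. All function names are the example's own.

```python
def dotted_to_int(dotted):
    """Convert 'a.b.c.d' to a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(n):
    """Dotted binary form, 8 bits per octet, as written in the appendix."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def prefix_length(mask):
    """Count the leading 1 bits; a mask such as 255.0.255.0 is rejected."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def address_class(ip):
    """Classful A-E from the leading bits of the first octet."""
    first = dotted_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


# RFC 1918 ranges listed in the appendix: network address and prefix length.
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def is_private(ip):
    """True if ip falls in one of the reserved private networks."""
    n = dotted_to_int(ip)
    for net, plen in PRIVATE_RANGES:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if n & mask == dotted_to_int(net):
            return True
    return False


def analyse(ip, mask):
    """Split ip into Network ID and Host ID with a bit-by-bit AND against mask."""
    n, m = dotted_to_int(ip), dotted_to_int(mask)
    plen = prefix_length(mask)
    network = n & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "cidr": f"{int_to_dotted(network)}/{plen}",
        "network_id": int_to_dotted(network),
        "host_id": int_to_dotted(n & ~m & 0xFFFFFFFF),
        "binary": {"ip": to_binary(n), "mask": to_binary(m), "network": to_binary(network)},
        "first_host": int_to_dotted(network + 1),
        "last_host": int_to_dotted(broadcast - 1),
        "hosts": max(2 ** (32 - plen) - 2, 0),
        "class": address_class(ip),
        "private": is_private(ip),
    }


if __name__ == "__main__":
    # Inputs are the appendix's own examples plus the lab's private network.
    for ip, mask in (("158.132.14.1", "255.255.254.0"),
                     ("158.132.148.0", "255.255.254.0"),
                     ("192.168.0.1", "255.255.255.0")):
        r = analyse(ip, mask)
        print(f"{ip}/{mask} -> {r['cidr']}, hosts {r['first_host']}..{r['last_host']} "
              f"({r['hosts']}), class {r['class']}, private={r['private']}")
        for k, v in r["binary"].items():
            print(f"    {k:8} {v}")
```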
Refer to the lecture notes on TCP/IP and/or the following references for more details of NAT.

References

[1] K. Egevang, The IP Network Address Translator (NAT), http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1631.html
[2] James F. Kurose, Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet

[3] Y. Rekhter, B. Moskowitz, D. Karrenberg, G.J. de Groot, and E. Lear, Address Allocation for Private Internets, http://rfc.net/rfc1918.html
[4] Chua Wen Kiat, "Unofficial Ubuntu Starter Guide", http://ubuntuguide.org/#installdhcpserver
[5] Steve, "Setting up a simple Debian gateway", http://www.debian-administration.org/articles/23

-- End --
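A closing added example for the DHCP daemon setup in Section A (example code written for this edition, not from the handout or the Ubuntu guide it cites): it parses a dhcpd.conf subnet declaration and checks the things that silently break a lab like this one, namely that the range lies inside the declared subnet and excludes the network and broadcast addresses, that the routers option is inside the subnet but outside the dynamic range (otherwise a client may be leased the gateway's own address), that the broadcast address matches the mask, and that the default lease does not exceed the maximum. The first configuration is the lab's own; the second is a constructed bad example. parse_subnet_blocks, check_subnet_block and check_config are the example's own names.

```python
import ipaddress
import re

# Sample input: the subnet declaration used in this lab's dhcpd.conf.
GOOD_DHCPD_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.2 192.168.0.254;
    option domain-name-servers 158.132.209.254, 158.132.18.1;
    option domain-name "cf004.eie.polyu.edu.hk";
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    default-lease-time 600;
    max-lease-time 7200;
}
"""

# Constructed sample with three mistakes: the router address sits inside the
# dynamic range, the broadcast address belongs to another subnet, and the
# default lease is longer than the maximum lease.
BAD_DHCPD_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.1 192.168.0.254;
    option routers 192.168.0.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 9000;
    max-lease-time 7200;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnet_blocks(text):
    """Return one dict per 'subnet ... netmask ... { ... }' block: the IPv4Network
    and a {keyword: value} map of the statements inside the braces ('option '
    prefixes are dropped, quotes stripped)."""
    blocks = []
    for m in SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        params = {}
        for stmt in m.group(3).split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            if stmt.startswith("option "):
                stmt = stmt[len("option "):]
            key, _, value = stmt.partition(" ")
            params[key] = value.strip().strip('"')
        blocks.append({"network": net, "params": params})
    return blocks


def check_subnet_block(block):
    """Return a list of problem descriptions (empty when the block is consistent)."""
    net, p = block["network"], block["params"]
    problems = []

    lo = hi = None
    rng = p.get("range", "").split()
    if len(rng) != 2:
        problems.append("range: missing or malformed")
    else:
        lo, hi = ipaddress.ip_address(rng[0]), ipaddress.ip_address(rng[1])
        if lo > hi:
            problems.append("range: start is after end")
        if lo not in net or hi not in net:
            problems.append("range: not inside the declared subnet")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append("range: includes the network or broadcast address")

    if "routers" not in p:
        problems.append("routers: no default gateway will be handed to clients")
    else:
        for r in p["routers"].split(","):
            gw = ipaddress.ip_address(r.strip())
            if gw not in net:
                problems.append(f"routers: {gw} is not inside the subnet")
            elif lo is not None and lo <= gw <= hi:
                problems.append(f"routers: {gw} lies inside the dynamic range")

    if "broadcast-address" in p:
        bcast = ipaddress.ip_address(p["broadcast-address"])
        if bcast != net.broadcast_address:
            problems.append(f"broadcast-address: expected {net.broadcast_address}")

    default_lease = int(p.get("default-lease-time", 0))
    max_lease = int(p.get("max-lease-time", default_lease))
    if default_lease > max_lease:
        problems.append("lease: default-lease-time exceeds max-lease-time")
    return problems


def check_config(text):
    """Map each declared subnet (as 'a.b.c.d/n') to its list of problems."""
    return {str(b["network"]): check_subnet_block(b) for b in parse_subnet_blocks(text)}


if __name__ == "__main__":
    for name, conf in (("lab config", GOOD_DHCPD_CONF), ("bad config", BAD_DHCPD_CONF)):
        for subnet, probs in check_config(conf).items():
            print(f"{name} {subnet}:", "OK" if not probs else "; ".join(probs))
```

Run it against the real /etc/dhcpd.conf by reading the file into check_config before restarting the daemon; an empty list for the subnet means the declaration is consistent with the NIC_G2 settings chosen in Section A.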