Linux Routers and Community Networks



Similar documents
1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

+ iptables. packet filtering && firewall

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Firewalls. Chien-Chung Shen

Linux Networking: IP Packet Filter Firewalling

TECHNICAL NOTES. Security Firewall IP Tables

How to Turn a Unix Computer into a Router and Firewall Using IPTables

Network security Exercise 9 How to build a wall of fire Linux Netfilter

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Network Security Exercise 10 How to build a wall of fire

Linux Firewalls (Ubuntu IPTables) II

Firewall implementation and testing

CS Computer and Network Security: Firewalls

Optimisacion del ancho de banda (Introduccion al Firewall de Linux)

Assignment 3 Firewalls

Firewalls. Firewall types. Packet filter. Proxy server. linux, iptables-based Windows XP s built-in router device built-ins single TCP conversation

Linux Firewall Wizardry. By Nemus

CS Computer and Network Security: Firewalls

Chapter 7. Firewalls

Intro to Linux Kernel Firewall

Firewall Configuration and Assessment

Netfilter / IPtables

Lab Objectives & Turn In

Firewalls. October 23, 2015

Main functions of Linux Netfilter

CSC574 - Computer and Network Security Module: Firewalls

Dynamic Host Configuration Protocol (DHCP) 02 NAT and DHCP Tópicos Avançados de Redes

Protecting and controlling Virtual LANs by Linux router-firewall

Linux: 20 Iptables Examples For New SysAdmins

Linux Firewall. Linux workshop #2.

How To Understand A Firewall

THE HONG KONG POLYTECHNIC UNIVERSITY Department of Electronic and Information Engineering

Worksheet 9. Linux as a router, packet filtering, traffic shaping

Packet Filtering Firewall

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Focus on Security. Keeping the bad guys out

Load Balancing Trend Micro InterScan Web Gateway

Computer Firewalls. The term firewall was originally used with forest fires, as a means to describe the

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

Linux Home Networking II Websites At Home

Building a Home Gateway/Firewall with Linux (aka Firewalling and NAT with iptables )

ipchains and iptables for Firewalling and Routing

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Linux Administrator (Advance)

CIS 433/533 - Computer and Network Security Firewalls

Packet filtering with Linux

10.4. Multiple Connections to the Internet

netkit lab load balancer web switch 1.1 Giuseppe Di Battista, Massimo Rimondini Version Author(s)

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

CSE543 - Computer and Network Security Module: Firewalls

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CIT 480: Securing Computer Systems. Firewalls

Linux Networking Basics

Firewall Examples. Using a firewall to control traffic in networks

Load Balancing Sophos Web Gateway. Deployment Guide

Load Balancing Bloxx Web Filter. Deployment Guide

Internet Protocol: IP packet headers. vendredi 18 octobre 13

GregSowell.com. Mikrotik Security

Linux as an IPv6 dual stack Firewall

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

IP Address: the per-network unique identifier used to find you on a network

Rapid Access Cloud: Se1ng up a Proxy Host

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

FIREWALL AND NAT Lecture 7a

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

Load Balancing Smoothwall Secure Web Gateway

Definition of firewall

MikroTik RouterOS Workshop Load Balancing Best Practice. Warsaw MUM Europe 2012

Load Balancing Clearswift Secure Web Gateway

Load Balancing McAfee Web Gateway. Deployment Guide

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Lecture 18: Packet Filtering Firewalls (Linux) Lecture Notes on Computer and Network Security. by Avi Kak

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Technical Support Information

Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

Innominate mguard Version 6

Firewall Firewall August, 2003

Linux MDS Firewall Supplement

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

Install and configure a Debian based UniFi controller

Topics NS HS12 2 CINS/F1-01

Background General Firewall setup Iptables Introduction Iptables commands Limit Function Explanation with icmp and syn floods Zone Alarm

Firewalls with IPTables. Jason Healy, Director of Networks and Systems

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

CIT 480: Securing Computer Systems. Firewalls

Load Balancing SIP Quick Reference Guide v1.3.1

Manuale Turtle Firewall

Linux Cluster Security Neil Gorsuch NCSA, University of Illinois, Urbana, Illinois.

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Vuurmuur - iptables manager

IP Firewalls. an overview of the principles

Understanding and Configuring NAT Tech Note PAN-OS 4.1

Transcription:

Summer Course at Mekelle Institute of Technology. July, 2015. Linux Routers and Community Networks Llorenç Cerdà-Alabern http://personals.ac.upc.edu/llorenc llorenc@ac.upc.edu Universitat Politènica de Catalunya, Barcelona, Spain Revision: 0e36644 (2015-07-09) Llorenç Cerdà-Alabern Linux Routers and Community Networks 1 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Parts I Introduction II Lab 1: Basic Network Configuration III Lab 2: RIP and OSPF IV V Lab 4: Community Networks VI Lab 5: Network Management Llorenç Cerdà-Alabern Linux Routers and Community Networks 98 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 99 / 191

Objectives At the heart of Linux firewall there is the iptables command. Objectives of this lab: Getting familiar with the basic usage of iptables. Use firewall web interface. Llorenç Cerdà-Alabern Linux Routers and Community Networks 100 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 101 / 191

terminology The iptables command allows you to filter and/or modify some fields of the packets as they move through different stages (or chains) of the IP layer of the Linux machine. These built-in chains are PREROUTING, FORWARD, POSTROUTING, INPUT and OUTPUT. When the packet moves through one of these chains, the IP layer consults the tables where the iptables command makes possible to add. An action, or target, is applied to packets that match the expression specified in a rule. These tables are mangle, filter and nat. Llorenç Cerdà-Alabern Linux Routers and Community Networks 102 / 191

Tables The mangle table allows you to add that change some of the fields of the packets, such as TTL or TOS. The nat table allows you to add that change the IP addresses of the packets. The types of are: SNAT to change the source address and DNAT to change the target address. The filter table allows you to add for filtering. The types of are: DROP to discard a packet and ACCEPT to accept it. Llorenç Cerdà-Alabern Linux Routers and Community Networks 103 / 191

Processing of IP datagrams in a Linux router Llorenç Cerdà-Alabern Linux Routers and Community Networks 104 / 191

User specified chains User can create user-chains. If a packet enters a built-in chain, e.g. FORWARD in the filter table, a rule can specify a jump to a user-chain within the same table. FORWARD delegate_forward zone_lan_forward j delegate_forward j zone_lan_forward Llorenç Cerdà-Alabern Linux Routers and Community Networks 105 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 106 / 191

Generic iptables command iptables [-t <table>] <command> <expression> -j <rule type> If the table is not indicated, the rule is considered to be applied to filter table. The expression (or match) identifies which are the packets in which the rule has to be applied. The type of rule (or target) identifies what has to be done with the packet matching the rule: DROP, ACCEPT, SNAT, DNAT or jump to a user-chain. Llorenç Cerdà-Alabern Linux Routers and Community Networks 107 / 191

Commands -A <chain>: adds a rule to the table of the chain <chain>. Example: iptables -A INPUT... -D <chain> <n>: removes the rule <n> from a table of <chain>. Example: iptables -D INPUT 1. -I <chain> <n>...: inserts a rule in the line that is specified. Example: iptables -I INPUT 1 --dport 80 -j ACCEPT -L <chain>: lists the of a table of <chain>. -n not translate numerical addresses into names. -v verbose. --line show the number of the rule. Example: iptables --line -nvl INPUT. -P <chain>: specifies the default rule. ACCEPT if not specified. Example: iptables -P INPUT DROP. Llorenç Cerdà-Alabern Linux Routers and Community Networks 108 / 191

Generic expressions -p <protocol>: identifies a protocol. Example: iptables -A INPUT -p tcp... will add a rule that will be applied for all the TCP packets to the filter table of the INPUT chain. -s <@IP src>: identifies a packet with <@IP src>. A mask can be added, and! denies the expression. Example: iptables -A INPUT -s! 192.168.0.0/24... will add a rule to the filter table of the INPUT chain that will be applied for all the packets with a source @IP that doesn t belong to the range 192.168.0.0/24. -d <@IP destination>: same for destination address. -i <input-interface>: input interface. It can be only applied in the chains INPUT, FORWARD and PREROUTING. Example, iptables -A INPUT -i eth0... will add a rule that will be applied for all the packets that will arrive from the eth0 interface. Llorenç Cerdà-Alabern Linux Routers and Community Networks 109 / 191

TCP Expressions Can be only applied for the TCP protocol: -p tcp. --sport <src-port>: TCP packets with <src-port>. Range: initial:final can be specified. Otherwise, the initial value that will be indicated is 0 and, if not, the final value that will be indicated is 65535. Example: iptables -A INPUT -p tcp --sport 1024:... will apply the rule for all the TCP packets with a port number 1024. --dport <dst-port>: same for the destination port. --tcp-flags <flag list> <flags list to 1>: look at the packets of the <flag list> which flags have only a value equal to 1 if they are included in <flags list to 1>. Flags can be SYN, FIN, ACK, RST, URG, PSH, ALL, NONE. Example: iptables -p tcp --tcp-flags SYN,RST,ACK SYN... will apply the rule for all the packets with the flag SYN enabled and the RST and ACK to 0. Llorenç Cerdà-Alabern Linux Routers and Community Networks 110 / 191

UDP Expressions Can be only applied for the UDP protocol: -p udp. --sport <src-port>: same as stated before for TCP. --dport <dst-port>: same as stated before for TCP. ICMP Expressions Can be only applied for the ICMP protocol: -p icmp. --icmp-type <type>: identifies the icmp packets of the type <type>. If you execute iptables -p icmp --help a list of the possible types will be given. Llorenç Cerdà-Alabern Linux Routers and Community Networks 111 / 191

State Expressions Regarded as no implicit: -p state. States can be: NEW, ESTABLISHED and RELATED. --state <state list>: identifies <state list>. Example: iptables -m state --state RELATED,ESTABLISHED... will apply the rule to the packets of the connections in one of these states. Llorenç Cerdà-Alabern Linux Routers and Community Networks 112 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 113 / 191

The DNAT rule iptables [-t <table>] <command> <expression> -j DNAT Used with the option --to-destination. Can be put only in the nat table of the PREROUTING and OUTPUT chains. An address or a range of addresses can be specified (and the connections will be randomly distributed among the specified addresses, in other words, a load-balancing will be done). In case of an expression TCP or UDP a port or a range or ports can also be indicated (to distribute the connections among the range of ports). Example: ~# iptables -t nat -A PREROUTING -p tcp -d 200.10.10.10 --dport 80 \ ~# -j DNAT --to-destination 192.168.10.10-192.168.10.20:80-100 Llorenç Cerdà-Alabern Linux Routers and Community Networks 114 / 191

The SNAT rule iptables [-t <table>] <command> <expression> -j SNAT Used with the option --to-source. Can be put only in the nat table of the POSTROUTING chain. An address or a range of addresses can be specified (and the connections will be randomly distributed among the specified addresses, in other words, a load-balancing will be done). In case of an expression TCP or UDP a port or a range or ports can also be indicated (to distribute the connections among the range of ports). Example: ~# iptables -t nat -A POSTROUTING -p tcp -o ppp0 \ ~# -j SNAT --to-source 200.10.10.10-200.10.10.20:1024-32000 Llorenç Cerdà-Alabern Linux Routers and Community Networks 115 / 191

The Masquerade rule iptables [-t <table>] <command> <expression> -j MASQUERADE used as the SNAT target, but it does not require any --to-source: the address of an interface is applied to all outgoing packets. Example: ~# iptables -t nat -A POSTROUTING -p tcp -o ppp0 -j MASQUERADE --to-ports 1024-20000 Llorenç Cerdà-Alabern Linux Routers and Community Networks 116 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 117 / 191

Saving iptables to file The command: ~# iptables-save > cc dumps all the command that iptables is executing and readdress them to the file cc. You can edit this file and replace the new of iptables with the command: ~# iptables-restore cc Llorenç Cerdà-Alabern Linux Routers and Community Networks 118 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 119 / 191

Install Apache server 1 Install Apache server in the PCs. It will be used as web server. ~# apt-get update ~# apt-get install apache2 Llorenç Cerdà-Alabern Linux Routers and Community Networks 120 / 191

Configuration of the network Gi int Internal network 10.i.2.0/24 eth0.1 Ri ext serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ 1 Each group i, i = 1, 10 will configure the network of the figure. 2 Disable the default firewall. 3 The PC ext represents a host in the Internet. ext must be configured with no default route such that it can only reach the public address of the router Ri. 4 The PC serv represents a server in the DMZ. 5 The PC int represents a host in the internal network. 6 Configure the network DMZ and the Internal network. Verify that the router Ri, serv and int can reach each other, but ext cannot reach serv and int. Llorenç Cerdà-Alabern Linux Routers and Community Networks 121 / 191

SNAT Gi int Internal network 10.i.2.0/24 eth0.1 Ri serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ ext 1 Execute the following command in Ri: Ri:~# iptables -t nat -A POSTROUTING -o eth0.5 -j SNAT --to-source 100.0.i.1 2 Check that now serv and int can reach ext but not vice-versa, why? Check by executing tcpdump in eth0.1, eth0.2 and eth0.5 of Ri how the firewall change the IP addresses. Llorenç Cerdà-Alabern Linux Routers and Community Networks 122 / 191

DNAT Gi int Internal network 10.i.2.0/24 eth0.1 Ri ext serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ 1 Execute the following command in Ri: Ri:~# iptables -t nat -A PREROUTING -p tcp -i eth0.5 -d 100.0.i.1 --dport ssh \ Ri:~# -j DNAT --to-destination 10.i.1.2 2 Check that now ext can connect to the ssh server of serv (for example, by executing ssh root@100.0.i.1), but if it pings to serv it doesn t reply, why? 3 Check that ext has not access to any other service of the serv (for example, web). 4 Which is the rule that should be executed in order to get to ping from ext to serv?, and to get to connect to the web server of serv? Try the. Llorenç Cerdà-Alabern Linux Routers and Community Networks 123 / 191

Default Gi int Internal network 10.i.2.0/24 eth0.1 Ri serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ ext 1 Execute the commands in Ri (do not delete the previous ones): Ri:~# iptables -P INPUT DROP Ri:~# iptables -P OUTPUT DROP Ri:~# iptables -P FORWARD DROP 2 Check that none of the PCs is now reachable. Why? Llorenç Cerdà-Alabern Linux Routers and Community Networks 124 / 191

Forwarding Gi int Internal network 10.i.2.0/24 eth0.1 Ri serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ 1 Execute the commands in Ri: Ri:~# iptables -A FORWARD -i eth0.2 -o eth0.5 -j ACCEPT Ri:~# iptables -A FORWARD -i eth0.5 -o eth0.2 -m state \ Ri:~# --state ESTABLISHED,RELATED -j ACCEPT ext 2 Check that now serv can ping to ext but not vice-versa. Why? 3 Check that now serv can access to any of the services of ext (for example, try ssh) but not vice-versa. Why? Llorenç Cerdà-Alabern Linux Routers and Community Networks 125 / 191

Forwarding Gi int Internal network 10.i.2.0/24 eth0.1 Ri ext serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ 1 Execute the command in Ri: Ri:~# iptables -A FORWARD -p tcp -i eth0.5 -o eth0.2 -d 10.i.1.2 -j ACCEPT 2 Check that now that ext can connect to the ssh server of serv but int cannot. Why? 3 Check that ext only can access to the ssh server of serv (check for example that ext cannot access the web server of serv), why? 4 Configure the firewall in order to get ext to ping serv. Llorenç Cerdà-Alabern Linux Routers and Community Networks 126 / 191

Forwarding Gi int Internal network 10.i.2.0/24 eth0.1 Ri serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ 1 Execute the commands in Ri: Ri:~# iptables -A FORWARD -i eth0.1 -o eth0.2 -j ACCEPT Ri:~# iptables -A FORWARD -i eth0.2 -o eth0.1 -j ACCEPT ext 2 Now serv and int can see each other, but they donã Â Â t reach Ri. Why? Llorenç Cerdà-Alabern Linux Routers and Community Networks 127 / 191

Forwarding Gi int Internal network 10.i.2.0/24 eth0.1 Ri serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ ext 1 Execute the commands in Ri: Ri:~# iptables -A INPUT -p icmp -i eth0.1 -d 10.i.2.1 -j ACCEPT Ri:~# iptables -A OUTPUT -p icmp -o eth0.1 -s 10.i.2.1 -m state \ Ri:~# --state ESTABLISHED,RELATED -j ACCEPT 2 Now int can ping to Ri, but cannot have access to any of the services of Ri. Why? Execute the commands that are necessary to get serv to have the same restrictions when accessing to Ri than those that int has. Llorenç Cerdà-Alabern Linux Routers and Community Networks 128 / 191

Firewall design Gi int Internal network 10.i.2.0/24 eth0.1 Ri ext serv.2.1 eth0.5 Internet 10.i.1.0/24.1.2.2 eth0.2.1 100.0.i.0/24 DMZ Remove the previous of the firewall and design a that meets the following: 1 int is the only host which can connect to the ssh server of Ri. int has not to be able to connect to any other service of Ri. 2 int is able to connect to the ssh server of ext, but neither any other of the services of ext nor to any other host of the Internet. ext must not be able to start a connection to int, nor even to do a ping. 3 ext is able to connect to the web server of serv, and ping serv, but neither any other of the services of serv nor to any other host of the internal network. Llorenç Cerdà-Alabern Linux Routers and Community Networks 129 / 191

Summer Course at Mekelle Institute of Technology. Linux Routers and Community Networks Part IV Outline Llorenç Cerdà-Alabern Linux Routers and Community Networks 130 / 191

Firewall using the web interface 1 Using the WI, assign LAN1, LAN2, LAN3 and LAN4 to the lan firewall-zone: Network -> Interfaces -> Edit 2 Start the firewall (System -> Startup -> firewall -> Enable -> Start) and use iptables-save to observe the. 3 Use the firewall WI (Network -> Firewall) to setup some options (e.g. Masquerading), and check the iptables changes with iptables-save. Llorenç Cerdà-Alabern Linux Routers and Community Networks 131 / 191

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information