- Requirements
- Linux Networking Concepts
- What is a computer network?
- What is the Internet?
- How Does The Internet Work?
- This IP Thing
- Groups of IP Addresses: Network Masks
- Machine Names and IP Addresses (DNS)
- Different Services: Email, Web, FTP, Name Serving
- What Packets Look Like
- Environment Setup
- Network
- Netfilter/Iptables
- So What's A Packet Filter?
- Why Would I Want to Packet Filter?
- How Do I Packet Filter Under Linux?
- How Packets Traverse The Filters
- Using iptables
- Hands-on
- View current configuration
- Change the policy for a built-in chain INPUT. (-P).
- Create/Delete a new rule to a chain INPUT.
- Change the policy for a built-in chain FORWARD. (-P).
- Create/Delete a new rule to a chain FORWARD.
- Create a new rule to enable NAT to node1 and node2 (172.16.10.0/24)
- Create a new rule to enable NAT to server (192.168.20.0/24)
- Build the simple firewall script
- Vagrant is a command line utility for managing the life cycle of virtual machines.
- Virtualbox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use.
https://www.youtube.com/watch?v=7_LPdttKXPc
https://www.youtube.com/watch?v=HNQD0qJ0TC4
- The role of the IP layer is to figure out how to route packets to their final destination
- A router is a node with interfaces on more than one network
- The Linux kernel's IP layer keeps a table of different routes, describing how to get to various groups of IP addresses
Short  Full Form          Maximum     Comment
Form                      #Machines
/8     /255.0.0.0         16,777,215  Used to be called an `A-class'
/16    /255.255.0.0       65,535      Used to be called a `B-class'
/17    /255.255.128.0     32,767
/18    /255.255.192.0     16,383
/19    /255.255.224.0     8,191
/20    /255.255.240.0     4,095
/21    /255.255.248.0     2,047
/22    /255.255.252.0     1,023
/23    /255.255.254.0     511
/24    /255.255.255.0     255         Used to be called a `C-class'
/25    /255.255.255.128   127
/26    /255.255.255.192   63
/27    /255.255.255.224   31
/28    /255.255.255.240   15
/29    /255.255.255.248   7
/30    /255.255.255.252   3
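The table is easier to trust once you can derive it. The following POSIX sh script is an added example (not part of the workshop material): it turns a prefix length into the "Full Form" mask and the "Maximum #Machines" count the table uses (2^(32-N) - 1), and it implements the membership test a router performs when it decides whether an address belongs to a route, which is the same comparison an iptables `-s 172.16.10.0/24` match makes. The only inputs are the lab's own networks, 172.16.10.0/24 (node1, node2) and 192.168.20.0/24 (server).

```shell
#!/bin/sh
# Added example: IPv4 prefix/netmask arithmetic in plain POSIX sh.
# Not part of the workshop material; the addresses below are the lab's own.

# Dotted quad -> 32-bit integer, e.g. 172.16.10.10 -> 2886732298
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length N -> netmask as an integer: the top N bits set, kept to 32 bits
prefix_to_mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# /N -> the "Full Form" column of the table, e.g. 17 -> 255.255.128.0
prefix_to_mask() {
    int_to_ip "$(prefix_to_mask_int "$1")"
}

# The "Maximum #Machines" column as the table counts it: 2^(32-N) - 1
max_machines() {
    echo $(( (1 << (32 - $1)) - 1 ))
}

# in_subnet IP NETWORK/N -> exit status 0 when IP falls inside NETWORK/N.
# Both addresses ANDed with the mask must give the same network number;
# this is how a route lookup or an iptables -s/-d match classifies a packet.
in_subnet() {
    addr_i=$(ip_to_int "$1")
    net_i=$(ip_to_int "${2%/*}")
    mask_i=$(prefix_to_mask_int "${2#*/}")
    [ $(( addr_i & mask_i )) -eq $(( net_i & mask_i )) ]
}

# Reprint a few rows of the table, then classify the lab's hosts
for n in 8 16 24 30; do
    printf '/%-3s /%-16s %s\n' "$n" "$(prefix_to_mask "$n")" "$(max_machines "$n")"
done
for addr in 172.16.10.10 192.168.20.20; do
    if in_subnet "$addr" 172.16.10.0/24; then
        echo "$addr is on the node network (172.16.10.0/24)"
    else
        echo "$addr is NOT on the node network (172.16.10.0/24)"
    fi
done
```

Shift and AND arithmetic is all that is needed: the mask for /N is the 32-bit value with the top N bits set, and two addresses are on the same network exactly when they agree on those N bits. The count column follows the table's convention of 2^(32-N) - 1, which is the number of addresses in the block minus one.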
- IANA - IP Addresses - responsible for global coordination of the Internet Protocol addressing systems, as well as the Autonomous System Numbers used for routing Internet traffic.
- IANA - Root Servers - responsible for management of the DNS root zone. This role means assigning the operators of top-level domains, such as .uk and .com, and maintaining their technical and administrative details.
- TCP and UDP have a concept of ports.
- IANA - Protocol Registries - responsible for maintaining many of the codes and numbers contained in a variety of Internet protocols, enumerated below. We provide this service in coordination with the Internet Engineering Task Force (IETF).
Clone this repo and run:
vagrant up
At this point Vagrant has created 4 VMs (router, node1, node2, server).
Check the status of the VMs
vagrant status
The diagram below represents the network connections between these VMs
vagrant ssh VM-NAME
sudo su -
ip address show
ip route show
cat /etc/resolv.conf
cat /proc/sys/net/ipv4/ip_forward
or
sudo su -
ifconfig -a
route -n
cat /etc/resolv.conf
cat /proc/sys/net/ipv4/ip_forward
router VM
vagrant ssh router
sudo su -
ping 192.168.20.20 # server vm
ping 172.16.10.10 # node1 vm
ping 172.16.10.11 # node2 vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com
tcpdump -i any -NNnl icmp
server VM
Open a new shell
vagrant ssh server
sudo su -
ping 192.168.20.2 # router vm
ping 172.16.10.10 # node1 vm
ping 172.16.10.11 # node2 vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com
node1 VM
Open a new shell
vagrant ssh node1
sudo su -
ping 172.16.10.2 # router vm
ping 172.16.10.11 # node2 vm
ping 192.168.20.20 # server vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com
node2 VM
Open a new shell
vagrant ssh node2
sudo su -
ping 172.16.10.2 # router vm
ping 172.16.10.10 # node1 vm
ping 192.168.20.20 # server vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com
server VM
vagrant ssh server
sudo su -
ip route add default via 192.168.20.2
or
sudo su -
route add default gw 192.168.20.2
node1 VM
vagrant ssh node1
sudo su -
ip route add default via 172.16.10.2
or
sudo su -
route add default gw 172.16.10.2
node2 VM
vagrant ssh node2
sudo su -
ip route add default via 172.16.10.2
or
sudo su -
route add default gw 172.16.10.2
Check the network connectivity again.
Questions?
ip_forward - BOOLEAN
0 - disabled (default)
not 0 - enabled
Forward Packets between interfaces.
This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
vagrant ssh router
sudo su -
echo 1 > /proc/sys/net/ipv4/ip_forward
Enable ip_forward permanently. Edit /etc/sysctl.conf and add: net.ipv4.ip_forward=1
Check the network connectivity again.
Questions?
- A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet
- It might decide to DROP the packet, ACCEPT the packet, or something more complicated (NAT)
- Control. Security. Watchfulness
- Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
- Iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
iptables/ip6tables - administration tool for IPv4/IPv6 packet filtering and NAT
- Several different tables may be defined.
- Each table contains a number of built-in chains and may also contain user-defined chains.
- Each chain is a list of rules which can match a set of packets.
- Each rule specifies what to do with a packet that matches (TARGET).
TARGETS:
- DROP
- ACCEPT
- RETURN
- Or jump to a user-defined chain in the same table.
TABLES:
- filter: INPUT, OUTPUT, FORWARD
- nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
- mangle: PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING
- raw: PREROUTING, OUTPUT
- security: INPUT, OUTPUT, FORWARD (SECMARK, CONNSECMARK)
vagrant ssh node1
Open a new shell
vagrant ssh server
Open a new shell
vagrant ssh router
man iptables
On router, server and node1:
iptables --table mangle --list --numeric --verbose
iptables --table nat --list --numeric --verbose
iptables --table filter --list --numeric --verbose
or
iptables -t mangle -L -nv
iptables -t nat -L -nv
iptables -t filter -L -nv
Note: add --line-numbers to show the position of each rule in its chain.
node1
ping -c 3 172.16.10.2 # router
router
iptables --table filter --policy INPUT DROP
or
iptables -t filter -P INPUT DROP
node1
ping -c 3 172.16.10.2 # router
Note: allow vagrant ssh traffic before changing the INPUT policy ;]
- Append a new rule to a chain (-A|--append).
- Insert a new rule at some position in a chain (-I|--insert).
- Replace a rule at some position in a chain (-R|--replace).
- Delete a rule at some position in a chain, or the first that matches (-D|--delete).
router
iptables --table filter --append INPUT --in-interface enp0s3 -j ACCEPT
iptables --table filter --append INPUT --protocol icmp -j ACCEPT
iptables --table filter --policy INPUT DROP
or
iptables -t filter -A INPUT -i enp0s3 -j ACCEPT
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -P INPUT DROP
node1
ping -c 3 172.16.10.2 # router
router
iptables --table filter --policy INPUT ACCEPT
iptables --table filter --delete INPUT --in-interface enp0s3 -j ACCEPT
iptables --table filter --delete INPUT --protocol icmp -j ACCEPT
or
iptables -t filter -P INPUT ACCEPT
iptables -t filter -D INPUT -i enp0s3 -j ACCEPT
iptables -t filter -D INPUT -p icmp -j ACCEPT
node1
ping -c 3 192.168.20.20 # server
router
iptables --table filter --policy FORWARD DROP
or
iptables -t filter -P FORWARD DROP
node1
ping -c 3 192.168.20.20 # server
router
iptables --table filter --policy FORWARD ACCEPT
or
iptables -t filter -P FORWARD ACCEPT
- Append a new rule to a chain (-A).
- Insert a new rule at some position in a chain (-I).
- Replace a rule at some position in a chain (-R).
- Delete a rule at some position in a chain, or the first that matches (-D).
router
iptables --table filter --append FORWARD --protocol icmp -j ACCEPT
iptables --table filter --policy FORWARD DROP
or
iptables -t filter -A FORWARD -p icmp -j ACCEPT
iptables -t filter -P FORWARD DROP
node1
ping -c 3 192.168.20.20
node1
ping -c 3 8.8.8.8
router
iptables --table nat --append POSTROUTING --source 172.16.10.0/24 -j MASQUERADE
or
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j MASQUERADE
node1
ping -c 3 8.8.8.8
server
ping -c 3 8.8.8.8
router
iptables --table nat --append POSTROUTING --source 192.168.20.0/24 -j MASQUERADE
or
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE
server
ping -c 3 8.8.8.8
apt-get update
apt-get install nginx
- Deny all traffic by default
- Allow ICMP traffic
- Allow lo traffic
- Allow http traffic: node -> server
- Allow http redirect: router -> server
- Allow Internet Access
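One way to turn the six requirements above into a script for the router VM, written here as an added example rather than the workshop's own solution. It assumes the lab layout the hands-on uses: enp0s3 is the router's Internet-facing (and vagrant ssh) interface, 172.16.10.0/24 is the node network, 192.168.20.0/24 is the server network and 192.168.20.20 is the server. Two readings are mine: "http redirect: router -> server" is implemented as a DNAT of port 80 arriving on enp0s3 to the server, and "deny all by default" is applied to INPUT and FORWARD while OUTPUT stays ACCEPT, as in the hands-on. Stateful return-traffic rules (`-m conntrack --ctstate ESTABLISHED,RELATED`) are added because the requirement list describes connections, not single packets.

```shell
#!/bin/sh
# Added example: a simple firewall script for the router VM of this lab.
# Not the workshop's own script. Lab values taken from the page:
#   WAN_IF   enp0s3          Internet and vagrant ssh side of the router
#   LAN_NET  172.16.10.0/24  node1, node2
#   DMZ_NET  192.168.20.0/24 server
#   SERVER   192.168.20.20
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-enp0s3}
LAN_NET=172.16.10.0/24
DMZ_NET=192.168.20.0/24
SERVER=192.168.20.20

apply_firewall() {
    # Start from empty filter and nat tables so the script is repeatable
    $IPT -t filter -F
    $IPT -t nat -F

    # 1. Deny all traffic by default (OUTPUT left open, as in the hands-on)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Keep the vagrant ssh session alive before anything else is dropped
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT

    # Replies to connections the router or its networks initiated
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Allow ICMP traffic, both to the router and through it
    $IPT -A INPUT   -p icmp -j ACCEPT
    $IPT -A FORWARD -p icmp -j ACCEPT

    # 3. Allow lo traffic
    $IPT -A INPUT -i lo -j ACCEPT

    # 4. Allow http traffic: node -> server
    $IPT -A FORWARD -s "$LAN_NET" -d "$SERVER" -p tcp --dport 80 -j ACCEPT

    # 5. Allow http redirect: router -> server
    #    (assumption: port 80 arriving on the WAN side is DNATed to the server)
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER:80"
    $IPT -A FORWARD -i "$WAN_IF" -d "$SERVER" -p tcp --dport 80 -j ACCEPT

    # 6. Allow Internet access: forward LAN/DMZ traffic out and masquerade it
    #    (the two MASQUERADE rules from the hands-on, pinned to the WAN interface)
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -o "$WAN_IF" -j MASQUERADE
}

# Only apply when explicitly asked, so the file can also be sourced or dry-run
case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Run `IPT=echo sh firewall.sh apply` first to review the generated rule list, then `sh firewall.sh apply` as root on the router; `iptables -t filter -L -nv --line-numbers` and `iptables -t nat -L -nv` show the result. Order matters: the ssh and ESTABLISHED,RELATED rules are appended before the policies take effect on new traffic, which is the point of the earlier note about keeping the vagrant session alive.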