Network Configuration in Linux

1 Network Configuration in Linux
Spring 2012 Network Administration, Fordham University

2 Outline
Understand iptables
  Last class: to allow SSH traffic into your host
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Setting up firewall, NAT and gateway on a Linux machine
  Last class: a wireless router capable of serving as all of these (firewall, NAT, gateway)
  This class: configure a Linux host to do all of these

3 Note on service
Last class: service sshd start
service (daemon): a program that starts automatically at boot and runs in the background, e.g., web server, DNS server, NFS, ...
To manage services, use a GUI tool or the command-line tool service:
  service servicename status|start|stop|restart
  e.g., service sshd stop
        service iptables restart
Such changes affect only the current run: they do not change what starts at the next boot.

4 Service configuration
Make a permanent change: configure which services start in each runlevel (SysV init, as on RHEL/CentOS of this era):
  ntsysv            // configure the current runlevel
  ntsysv --level 3  // configure runlevel 3
  (chkconfig sshd on does the same from the command line)
Runlevels and their meanings:
  0: shuts down all processes and halts the system
  1: single-user mode, for the admin to perform maintenance
  2: multi-user mode without NFS file sharing
  3: full multi-user mode, with NFS file sharing
  4: unused
  5: full multi-user mode with X11 (graphical login)
  6: shuts down all processes and reboots

5 Linux host as gateway/firewall/NAT
router: forwards packets destined for other machines to the appropriate next hop
gateway: connects all computers on a private network to the Internet through one external IP address, so-called "sharing an Internet connection"
firewall: primary task is to filter packets
What we need: a Linux computer with at least two NICs, and iptables

6 Packet forwarding
A Linux machine can be configured to run as an end host or as a router: turn packet forwarding off or on.
Write 0 to the file below to disable packet forwarding, 1 to enable it:
  /proc/sys/net/ipv4/conf/<device_name>/forwarding   (per interface)
  /proc/sys/net/ipv4/ip_forward                      (all interfaces at once; sysctl -w net.ipv4.ip_forward=1 does the same, and net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes it survive a reboot)
Note: /proc is a virtual file system (not real disk files) that provides a peek into the Linux kernel.
Reading or writing a proc file invokes a kernel function that reads or writes a kernel parameter, so it is a way to monitor and control the networking stack.
The Linux networking stack provides many such virtual files inside /proc.

7 Netfilter architecture & iptables command
Netfilter: the kernel framework that enables packet filtering, NAT, ...
iptables: the command-line tool for the netfilter framework in the Linux 2.4.x and 2.6.x kernels
  a redesigned and heavily improved successor of ipchains (Linux 2.2.x) and ipfwadm (Linux 2.0.x)

8 What can I do with iptables?
Build firewalls based on stateless and stateful packet filtering
Use NAT and masquerading to share Internet access
Use NAT to implement transparent proxies
Aid the tc and iproute2 systems to build sophisticated QoS and policy routers
Further packet manipulation (mangling), like altering the TOS/DSCP/ECN bits of the IP header

9 Netfilter: how does it work?
A series of chains in the Linux network protocol stack (the oval shapes in the figure)
Register rules with a chain; the registered rules are checked/executed for every packet that traverses the chain
e.g., to add a rule to drop all TCP packets with destination port 80 at the filter/INPUT chain:
  iptables -A INPUT -p tcp --dport 80 -j DROP
(figure: a chain, the tables it belongs to, and a packet traversing it)

10 Chain rules
Each chain has a sequence of rules, checked/executed in order, e.g., the filter/INPUT chain on my laptop:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited
....

11 Rule: criteria & target
Each chain has a sequence of rules, checked/executed in order:
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
Each rule specifies criteria for matching packets and a target (what to do with matching packets).
If the packet does not match, check the next rule in the chain.
If the packet matches the criteria, the target decides the next action: ACCEPT, DROP, QUEUE, RETURN, or a jump to another (user-defined) chain.

12 Default policy of chain
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
....
Each chain has a default policy, applied to packets that do not match any rule:
  ACCEPT: let the packet through
  DROP: drop the packet, no notification
Only ACCEPT and DROP are valid as a chain policy. REJECT (drop and send an error message) and REDIRECT (send the packet elsewhere) are rule targets, not policies; to reject unmatched packets with an error, add a catch-all REJECT rule as the last rule of the chain, as in the listing above.

13 iptables: tables & chains
Chains are organized into tables:
  filter: the default table; INPUT, OUTPUT and FORWARD
  nat: PREROUTING, OUTPUT, POSTROUTING (and INPUT on newer kernels, as the nat listing later on shows)
  mangle: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

14 Packet traversal 1: packet destined for our own local host
1. Arrives at an interface (e.g., eth0)
2. mangle/PREROUTING: normally used for mangling packets, e.g., changing TOS and so on
3. nat/PREROUTING: used mainly for DNAT. Avoid filtering in this chain: the nat table sees only the first packet of a connection, so later packets bypass it
4. Routing decision: destined for the local host, or to be forwarded?
5. mangle/INPUT: used to mangle packets after they have been routed, but before they are handed to the process
6. filter/INPUT: filtering for all incoming traffic destined for our local host; every incoming packet destined for this host passes through this chain
7. Local process/application (i.e., server/client program)

15 Packet traversal 2: outgoing packets from our own local host
1. Generated by a local process/application
2. Routing decision: which source address to use, which outgoing interface, and other needed info
3. mangle/OUTPUT: mangle packets; do not filter here, to avoid side effects
4. nat/OUTPUT: NAT for outgoing packets from the firewall itself
5. filter/OUTPUT: filter packets going out from the local host
6. mangle/POSTROUTING: mangle packets before they leave our host, but after the routing decision
7. nat/POSTROUTING: where we do SNAT; don't filter here (side effect: only the first packet of a connection reaches the nat table, so later packets would slip through even with a default policy of DROP)
8. Goes out on some interface (e.g., eth0)

16 Packet traversal 3: packet destined for another host on another network
1. Comes in on an interface (e.g., eth0)
2. mangle/PREROUTING: used to mangle packets, e.g., changing TOS etc.
3. nat/PREROUTING: used for DNAT; avoid filtering here, since only the first packet of a connection passes through the nat table
4. Routing decision: destined for our local host, or to be forwarded?
5. mangle/FORWARD: mangle packets after the initial routing decision, but before the last routing decision made just before the packet is sent out

17 Packet traversal 3 (cont'd): packet destined for another host on another network
6. filter/FORWARD: only forwarded packets go through here, and all filtering of forwarded traffic shall be done here
7. mangle/POSTROUTING: mangle packets after all routing decisions have been made, but while still on this machine
8. nat/POSTROUTING: used for SNAT and masquerading. Avoid filtering here, since later packets of a connection never reach this chain
9. Goes out on the outgoing interface (e.g., eth1)
10. Out on the wire again (e.g., the LAN)

18 Example: regular host
Disable access to the web server running on the local host:
  such packets are destined for the local host => check the chains traversed by such packets => the appropriate chain to set up the rule is filter/INPUT
  iptables -A INPUT -p tcp --dport 80 -j DROP
I don't want users to use telnet from the local host:
  such packets originate from the local host => the chains they traverse => the appropriate chain for filtering is filter/OUTPUT
  iptables -A OUTPUT -p tcp --dport 23 -j DROP

19 Example: gateway
On a gateway, I will allow outside hosts to ssh to a host within my LAN:
  such packets are of type 3 (forwarded) => the chains such packets traverse => the chain to perform filtering is the filter table's FORWARD chain
  iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
  (this alone accepts port-22 traffic forwarded in either direction; add -i/-o or -d to restrict it to the intended host and direction)

20 Example: gateway/NAT
The machine acts as gateway/NAT.
To allow internal hosts with private IPs to access the Internet => change the source IP address of outgoing packets to the public IP:
  such packets are type 3 => the chain to change the source IP is nat/POSTROUTING
  iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <public IP>
To allow incoming access to an HTTP server => change the destination IP address to the private IP of the server:
  such packets are type 3 => the chain to change the destination IP is nat/PREROUTING
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <server private IP>

21 iptables command
Userspace command-line program; requires a kernel that features the ip_tables packet filter (2.4.x and 2.6.x kernels)
Lists, adds, removes and modifies rules in the kernel's packet filtering tables, ...
The kernel's filtering tables live in memory => changes are lost on reboot unless you save them to a file (iptables-save > file, restored with iptables-restore < file; on Red Hat-style systems, service iptables save writes /etc/sysconfig/iptables)
GUIs for iptables: XFWall, Firewall Builder

22 iptables: usage
iptables [-t <table_name>] <cmd> <chain> <plist>
  -t <table_name>: specify the table to work on; default table: filter
  chain: the chain to work on
  plist: the rule specification (matches and target)
  cmd:
    -A: append a rule to the end of a chain
    -I: insert a rule at a specific position in a chain
    -D: delete a specific rule from a chain
    -F: flush a chain, i.e., delete its rules one by one
    -L: list a chain
    -N: create a new user-defined chain
    -R: replace a rule, ...

23 iptables command
-A, --append: append a rule to the end of a chain
  iptables -A INPUT ...
  i.e., it becomes the last rule in the chain and hence is checked last
-D, --delete: delete a rule from a chain
  iptables -D INPUT -p tcp --dport 80 -j DROP
  iptables -D INPUT 1
  Either enter the whole rule to match, or specify the number of the rule you want to delete.
  Rules are numbered from the top of each chain, starting with 1 (iptables -L --line-numbers shows the numbers).

24 iptables command (cont'd)
-I, --insert: insert a rule in a chain
  iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
  the rule is inserted at the position number we specify (1 = top of the chain; with no number, 1 is assumed)
-L, --list: list the rules in a table or chain
  iptables -L INPUT   lists all entries in the filter/INPUT chain
  iptables -L         lists all entries in a table (default table is filter)

25 iptables command (default policy)
-P, --policy: set the default target, or policy, of a built-in chain
  iptables -P INPUT DROP
  All packets that don't match any rule in the chain then get this policy.
  Legal policies are DROP and ACCEPT.
  Set the policy to DROP only after the rules that admit your own management traffic (e.g., the ESTABLISHED and ssh rules) are in place; otherwise you lock yourself out of a remote host.

26 iptables command (cont'd)
-R, --replace: replace the rule at the specified position
  iptables -R INPUT 1 -s <ip> -j DROP
  replaces the first rule in the filter/INPUT chain with a new rule

27 iptables command (cont'd)
-F, --flush: flush all rules from the specified chain
  iptables -F INPUT
  equivalent to deleting each rule one by one, but faster
  Used without a chain, it deletes all rules in all chains of the specified table (the chain policies are left unchanged).

28 iptables command (cont'd)
-N, --new-chain: create a new chain of the specified name in the specified table
  iptables -N allowed
  Note: there must not already be a chain or target of the same name
-X, --delete-chain: delete the specified (user-defined) chain from the table
  iptables -X allowed
  the chain must be empty, and no rule may refer to it
  iptables -X   deletes all user-defined chains in the specified table (the built-in chains cannot be deleted)

29 Sample settings: filter table
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

30 Sample settings: filter table (cont'd)
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

31 Sample settings: nat table
$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination

Chain INPUT (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source      destination
MASQUERADE all  --  anywhere    anywhere

32 Default settings on Ubuntu
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

33 Default settings on Ubuntu
$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

34 How to create a rule
Rule: match (criteria) and target
  iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <public IP>
  iptables -A INPUT -p tcp --dport 80 -j DROP

35 Match: overview
Specifying matching criteria, e.g.:
  iptables -A INPUT -p tcp --dport 80 -j DROP
generic matches: can be used in all rules
TCP matches: can only be applied to TCP packets
UDP matches: can only be applied to UDP packets, e.g., sport, dport
  iptables -A INPUT -p udp --sport 53 ...
ICMP matches: can only be used on ICMP packets
special matches: such as the state, owner and limit matches

36 Generic matches
-p, --protocol
  iptables -A INPUT -p tcp ...
-s, --src, --source
  iptables -A INPUT -s <ip>/24 ...    all packets with a source IP in that /24
  --source ! <ip>/24                  all packets with a source IP not in that range
-d, --dst, --destination
  iptables -A INPUT -d <ip> ...

37 Generic matches (2)
-i, --in-interface
  iptables -A INPUT -i eth0 ...
  eth+ matches eth0, eth1, ...; ! eth0 matches all interfaces except eth0
  (-i is only valid in the INPUT, FORWARD and PREROUTING chains)
-o, --out-interface
  iptables -A FORWARD -o eth0 ...
  (-o is only valid in the OUTPUT, FORWARD and POSTROUTING chains)
-f, --fragment
  iptables -A INPUT -f ...
  matches the second and further fragments of a fragmented packet. For such fragments there is no way to tell source or destination ports, nor ICMP types, among other things, so port-based rules never match them.

38 TCP matches
--sport, --source-port
  iptables -A INPUT -p tcp --sport 22 ...
  --source-port 22:80   ports 22 through 80
  --source-port :80     ports 0 through 80
  --source-port 22:     ports 22 through 65535
  --source-port ! 22    all ports but port 22
--dport, --destination-port
  iptables -A INPUT -p tcp --dport 22 ...

39 TCP matches (cont'd)
--tcp-flags: match the TCP flags in a packet
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN ...
  Takes two comma-separated lists with no spaces: first the flags to examine (the mask), then the flags that must be set among them. Flags in the mask that are not in the second list must be clear; flags outside the mask are ignored.
  Flags: SYN, ACK, FIN, RST, URG, PSH; ALL and NONE are also accepted.
  --tcp-flags SYN,FIN,ACK SYN    matches packets with SYN set and FIN, ACK clear, i.e., the first packet of a connection attempt (--syn is the usual shorthand; it also requires RST clear)
  --tcp-flags ALL NONE           matches packets with none of the flags set (a "null scan")
  --tcp-flags ! SYN,FIN,ACK SYN  negates the whole comparison: it matches every packet except those with exactly SYN set among SYN, FIN and ACK, so it matches FIN+ACK packets, but also bare ACKs and SYN+ACKs
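Added example (not the lecture's code, and not iptables source): a Python model of the --tcp-flags mask/comparison semantics described above, including the negated form. The flag bit values are the real TCP header bits; the packets passed in are constructed, and the function names are my own.

```python
"""Model of the --tcp-flags <mask> <comp> match (added example, not iptables code).
The packet matches when, among the flags named in <mask>, exactly those named in
<comp> are set; "!" negates that whole comparison."""
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}   # TCP header flag bits


def flag_bits(spec):
    """'SYN,FIN,ACK' -> bitmask; ALL/NONE are accepted as iptables accepts them."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec in ("NONE", ""):
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip()]   # KeyError on an unknown flag, as iptables would reject it
    return bits


def tcp_flags_match(mask, comp, pkt_flags, negate=False):
    """True if the packet's flags, restricted to `mask`, equal `comp`
    (or the opposite when negate=True, the '!' form)."""
    masked = flag_bits(pkt_flags) & flag_bits(mask)
    return (masked == flag_bits(comp)) != negate


def classify(pkt_flags):
    """Apply the three rules from the slide to one constructed packet."""
    return {
        "SYN,FIN,ACK SYN": tcp_flags_match("SYN,FIN,ACK", "SYN", pkt_flags),
        "ALL NONE": tcp_flags_match("ALL", "NONE", pkt_flags),
        "! SYN,FIN,ACK SYN": tcp_flags_match("SYN,FIN,ACK", "SYN", pkt_flags, negate=True),
    }
```

classify("ACK,FIN") shows the point about negation: the "!" rule matches a FIN+ACK packet, but classify("ACK") and classify("SYN,ACK") match it too, because everything other than SYN alone within the mask is accepted. A SYN with PSH set still matches the un-negated rule, since PSH is outside the mask.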

40 ICMP match
ICMP protocol: used for error reporting and for connection control
The headers of ICMP packets are similar to IP headers but differ in a number of ways.
type header: tells us what the packet is for. E.g., if we try to reach an unreachable IP address, we would normally get an ICMP host unreachable in return.
For a complete listing of ICMP types, see the ICMP types appendix.

41 ICMP match
--icmp-type: specify the ICMP type to match
  iptables -A INPUT -p icmp --icmp-type 8 ...    (type 8 is echo-request, i.e., ping)
  ICMP types can be given by numeric value or by name; the numeric values are specified in RFC 792.
  For a complete listing of the ICMP names: iptables --protocol icmp --help
  --icmp-type ! 8   matches ICMP packets whose type is not 8

42 Special matches
All special matches need to be turned on with the -m option: -m mac, -m multiport, ...
--mac-source
  iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 ...
  matches packets based on their source MAC address; reversed with !, e.g., --mac-source ! 00:00:00:00:00:01
  Only usable in the PREROUTING, FORWARD and INPUT chains (the source MAC is only known for packets that arrived on an Ethernet-like interface), and it is no protection against spoofing: the sender chooses its own MAC address.

43 Special match (multiport)
Matches multiple (up to 15) ports; may only be used with -p tcp or -p udp
  iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 ...
  iptables -A INPUT -p tcp -m multiport --port 22,53,80,110 ...
  --port matches packets whose source port and destination port are equal to each other and to one of the listed ports

44 Special match (owner)
-m owner: match packets based on the identity of the local process that created them
  only works in the OUTPUT chain (and nat/OUTPUT): it is impossible to find out the owner of packets generated by other hosts
  certain packets may not have an owner, e.g., ICMP responses generated by the kernel
  Owner: specified as user ID, group ID, process ID or session ID
  Note: --pid-owner and --sid-owner have since been removed from the kernel's owner match; current kernels support only --uid-owner, --gid-owner and --socket-exists.

45 Owner match
iptables -A OUTPUT -m owner --uid-owner 500 ...
  matches packets created by the given user ID (UID)
  e.g., block users other than root from opening new connections, or block everyone but the http user from sending packets from the HTTP port
iptables -A OUTPUT -m owner --gid-owner 0 ...
  matches based on the group of the user creating the packets
  e.g., block all but users in a "network" group from getting out onto the Internet

46 Owner match
iptables -A OUTPUT -m owner --pid-owner 78 ...
  matches packets based on the process ID (PID) responsible for them
  e.g., only allow PID 94 to send packets from the HTTP port
  Alternatively, we could write a small script that grabs the PID from ps output for a specific daemon and then adds a rule for it. For an example, see the rule shown in Pid-owner.txt.
  (--pid-owner has been removed from current kernels; running the daemon under a dedicated service account and matching it with --uid-owner is the portable alternative.)

47 Special match (state)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  --state: the states packets must be in to be matched
Four possible states:
  NEW: the first packet seen within a specific connection, e.g., a TCP SYN packet, or the first UDP packet with a certain (src_ip, dest_ip, src_port, dest_port) tuple
    NEW changes to ESTABLISHED upon receipt of a reply packet
  ESTABLISHED: the connection has seen traffic in both directions, i.e., one host sent a packet and got a reply from the other host

48 Packet state (2)
  RELATED: a connection that is related to another, already ESTABLISHED connection, e.g., an ESTABLISHED connection spawns a connection outside of its main connection; the new connection is considered RELATED
    Ex: FTP data connections are RELATED to the FTP control connection; ICMP errors about an existing connection are RELATED as well
    Related connections often require special helper modules (e.g., nf_conntrack_ftp) to be recognized by netfilter
  INVALID: the packet's state cannot be identified, e.g., ICMP error messages that do not correspond to any known connection, or a TCP packet without SYN for a connection the tracker has never seen
    Generally, it is a good idea to DROP everything in this state.

49 State match & stateful firewall
The state match enables stateful firewalls, which are more secure than stateless ones: with --state we can easily control who or what is allowed to initiate new sessions.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

50 State match & stateful firewall (cont'd)
Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

51 conntrack entries
/proc/net/ip_conntrack holds info about all tracked connections (on newer kernels /proc/net/nf_conntrack, or the conntrack -L tool):
tcp SYN_SENT src= dst= sport=32775 dport=22 [UNREPLIED] src= dst= sport=22 dport=32775 use=2
Fields of an entry:
  the protocol, here tcp, followed by the same value in decimal (the IP protocol number)
  TTL: how many seconds the entry has left before it times out
  the actual state of the connection (SYN_SENT here: only the first SYN has been seen)
  source IP, destination IP, source port and destination port as originally seen
  [UNREPLIED]: no return traffic has been seen yet
  expected return packets: source/destination IP and port of the reply direction (what the return traffic must look like after any NAT)

52 Special match (other)
iptables -A INPUT -p tcp -m string --algo bm --string 'exe' ...
  matches packets containing the string 'exe' (per packet only: the match does not reassemble streams, so a string split across two segments is not seen)
iptables -A INPUT -p tcp -m length --length 10:100 ...
  matches packets with a total length between 10 and 100 bytes
  'greater than 10' can be specified as 10:
There are many others ...

53 How to create a rule: target
Rule: match (criteria) and target
  iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <public IP>
  iptables -A INPUT -p tcp --dport 80 -j DROP

54 target/jump
target/jump: what to do with a matching packet
Jump: to a specific (user-defined) chain
  iptables -N tcp_packets                   // create a chain
  iptables -A INPUT -p tcp -j tcp_packets   // add a jump rule
  All TCP packets traversing filter/INPUT jump to tcp_packets (the sub-chain), where its rules are checked/executed.
  When the end of tcp_packets is reached without a verdict, the packet returns to INPUT (the calling chain) and checking continues with the rule after the jump.

55 targets: -j
Target: what to do with matching packets
  ACCEPT: let the packet through; it stops traversing the current built-in chain (and any sub-chain it was in), but it still passes through the later chains on its path, in this table and in the others, and can be dropped there (e.g., a packet accepted in mangle/PREROUTING still goes through nat/PREROUTING and then mangle/INPUT and filter/INPUT)
  DROP: drop the packet on the floor; no further processing in any chain, and no error message is sent
  REJECT: drop the packet and send an error message
  RETURN, SNAT, DNAT, MASQUERADE, QUEUE, LOG, ...

56 REJECT target
The matching packet is dropped (as with DROP) and an error message is sent to the source host.
Only valid in the INPUT, FORWARD and OUTPUT chains or their sub-chains; a chain that uses the REJECT target may only be called from INPUT, FORWARD or OUTPUT.
  e.g., iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
  tcp-reset: only for TCP; sends a TCP RST to the sending host, which ends the attempt cleanly (the answer a closed port would give)
Other possible error messages: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, ...
Default: icmp-port-unreachable

57 RETURN target
A matching packet stops traversing the current chain and returns to the calling chain, or takes the chain's default policy.
For example: a packet enters the INPUT chain and matches a rule with target --jump EXAMPLE_CHAIN. It then starts traversing EXAMPLE_CHAIN and matches a rule with target --jump RETURN: the packet jumps back to the INPUT chain and continues with the rule after the jump.
If the packet hits a --jump RETURN rule in the INPUT chain itself (a built-in chain), it takes the chain's default policy; no more rules are checked.

58 DNAT target
Rewrites the destination IP address of matching packets, and of all subsequent packets in the same stream; these packets are then routed on to the correct device, host or network.
Only available in nat/PREROUTING and nat/OUTPUT, and in chains called from them.
E.g., to forward all packets with destination port 80 on to a web server within the LAN

59 DNAT target example
A whole range of destination IP addresses can be given; the DNAT mechanism then chooses the destination for each stream at random:
  iptables -t nat -A PREROUTING -p tcp -d <public IP> --dport 80 -j DNAT --to-destination <first IP>-<last IP>
  sends all packets destined for that public IP to one of the addresses in the range
  Note: a single stream always keeps the same destination IP.
To also specify a port or port range to which the packets are redirected:
  --to-destination <ip>:80
  --to-destination <ip>:80-100

60 SNAT target
Rewrites the source IP address of matching packets, e.g., making all packets leaving a private LAN look as if they come from a single IP.
Only valid in the nat table, in the POSTROUTING chain (and in nat/INPUT on newer kernels).
Only the first packet of a connection is evaluated against the SNAT rule; conntrack then applies the same mapping to all later packets of that connection, and reverse-translates the replies.

61 SNAT example
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source <ip>[-<ip>][:<port>-<port>]
  <ip>: which source IP to use
  <ip>-<ip>: choose randomly from this range; a single stream always keeps the same IP address
  tcp/udp: a range of source ports can be given; all rewritten source ports are then confined to that range

62 MASQUERADE target
Changes the source IP, like the SNAT target, but to the address of the outgoing interface (looked up automatically for each packet).
Only valid in the nat/POSTROUTING chain.
  iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports <port>[-<port>]
  --to-ports: set the source port or ports to use on outgoing packets (only with -p tcp or -p udp), e.g., a single port: --to-ports 1025
Meant for interfaces with a dynamic IP address (dial-up, DHCP): when the interface goes down, its connection-tracking entries are forgotten. For a static IP, use SNAT (avoids the per-packet address lookup).
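Added example (not the lecture's code, and not netfilter's): a toy connection tracker in Python that shows the conntrack behaviour the state match (slides 47-48), the conntrack table (slide 51) and SNAT/MASQUERADE (slides 60-62) all rely on. The first packet creates an entry and is NEW, the reply flips it to ESTABLISHED, a TCP packet without SYN for an unknown connection is INVALID, the SNAT mapping chosen for the first packet is reused for the rest of the stream and reversed for replies, and entries without return traffic are listed [UNREPLIED]. All addresses (192.168.1.10, 198.51.100.1, 203.0.113.x) are constructed, and the class and method names are my own.

```python
"""Toy connection tracker with SNAT (added example, not netfilter code).
Shows what the state match, the conntrack table and SNAT/MASQUERADE rely on."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags, e.g. "SYN" or "SYN,ACK"; empty for UDP


@dataclass
class Entry:
    orig: tuple                      # 5-tuple of the first packet seen
    reply: tuple                     # 5-tuple replies must carry (after NAT)
    replied: bool = False
    nat_src: Optional[tuple] = None  # (ip, port) substituted for the original source


class Conntrack:
    def __init__(self, snat_ip, first_port=1024):
        self.table = {}          # both the orig and the reply tuple map to the Entry
        self.snat_ip = snat_ip   # constructed public address of the gateway
        self.next_port = first_port

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def track(self, p):
        """PREROUTING/OUTPUT step: find or create the entry; return (--state, entry)."""
        k = self.key(p)
        e = self.table.get(k)
        if e is None:
            if p.proto == "tcp" and p.flags != "SYN":
                return "INVALID", None      # mid-stream TCP for an unknown connection
            e = Entry(orig=k, reply=(p.proto, p.dst, p.dport, p.src, p.sport))
            self.table[k] = self.table[e.reply] = e
            return "NEW", e
        if k == e.reply:
            e.replied = True                # traffic now seen in both directions
        return ("ESTABLISHED" if e.replied else "NEW"), e

    def snat(self, p, e):
        """POSTROUTING step for the original direction: pick the mapping once,
        then reuse it for every later packet of the same connection."""
        if e.nat_src is None:
            e.nat_src = (self.snat_ip, self.next_port)
            self.next_port += 1
            del self.table[e.reply]          # replies will now target the NAT address
            e.reply = (p.proto, p.dst, p.dport) + e.nat_src
            self.table[e.reply] = e
        ip, port = e.nat_src
        return Pkt(p.proto, ip, port, p.dst, p.dport, p.flags)

    def unsnat(self, p, e):
        """Reverse translation for a reply: restore the private destination."""
        _, src, sport, _, _ = e.orig
        return Pkt(p.proto, p.src, p.sport, src, sport, p.flags)

    def dump(self):
        """Entries in the style of /proc/net/ip_conntrack (without the timeout column)."""
        lines = []
        for e in {id(v): v for v in self.table.values()}.values():
            proto, s, sp, d, dp = e.orig
            _, rs, rsp, rd, rdp = e.reply
            tag = "" if e.replied else "[UNREPLIED] "
            lines.append(f"{proto} src={s} dst={d} sport={sp} dport={dp} "
                         f"{tag}src={rs} dst={rd} sport={rsp} dport={rdp}")
        return lines


def gateway_session():
    """A LAN host opens a web connection through the gateway; constructed addresses."""
    ct = Conntrack(snat_ip="198.51.100.1")
    syn = Pkt("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "SYN")
    st1, e = ct.track(syn)                   # NEW: filter/FORWARD may allow it
    on_wire = ct.snat(syn, e)                # leaves as 198.51.100.1:1024
    unreplied = ct.dump()[0]                 # listed [UNREPLIED] until the reply arrives
    synack = Pkt("tcp", "203.0.113.5", 80, on_wire.src, on_wire.sport, "SYN,ACK")
    st2, e2 = ct.track(synack)               # ESTABLISHED: matches the reply tuple
    to_lan = ct.unsnat(synack, e2)           # back to 192.168.1.10:40000
    stray = Pkt("tcp", "203.0.113.9", 443, "198.51.100.1", 5555, "ACK")
    st3, _ = ct.track(stray)                 # INVALID: no SYN, no known connection
    return st1, on_wire, unreplied, st2, to_lan, st3, ct.dump()
```

gateway_session() walks one connection through the tracker: the entry is created by the SYN, so a rule like -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT admits the SYN+ACK coming back while the stray ACK, which belongs to no tracked connection, is INVALID and should be dropped. Before the reply, dump() lists the entry with [UNREPLIED], as slide 51 shows.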

63 Example: ping on localhost
ping -c <count> <ip>
Add a rule to drop ICMP from the local host:
  iptables -A INPUT -s <ip> -p icmp -j DROP
Try ping: you might still get a response. Why?
  Check the current settings: is ICMP accepted by an earlier rule? Rules are checked in order and the first match decides, so a DROP appended with -A never sees packets that an earlier ACCEPT already took.
Insert the rule as the first one to be checked/executed:
  iptables -I INPUT 1 -s <ip> -p icmp -j DROP
Delete the rule and ping again:
  iptables -D INPUT 1
  iptables -D INPUT -s <ip> -p icmp -j DROP

64 Exercise
How to disable ssh access to a host from anywhere outside the LAN?
Suppose the IP addresses used in the LAN are: *...

65 Examples
iptables -A INPUT -s 200.200.200.2 -j ACCEPT
iptables -A INPUT -s <ip> -j DROP
iptables -A INPUT -s <ip> -p tcp -j DROP
iptables -A INPUT -s <ip> -p tcp --dport telnet -j DROP
iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

66 Share WiFi Internet connection
My laptop: wlan0 is connected to FordhamLC; eth0 is connected to the private LAN via a wireless router.
Steps (as root: su first, or use sudo):
  Enable forwarding:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    (or sysctl -w net.ipv4.ip_forward=1; note that sudo echo 1 > file does not work, since the redirection runs as the unprivileged user)
  iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
  iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT   // packets of established/related connections from outside to internal hosts
  iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT                                        // forward all packets from internal hosts to outside
Caveat: with the Ubuntu default policy of ACCEPT on FORWARD, these two rules change nothing; unsolicited packets arriving on wlan0 for the private LAN are forwarded too. Set iptables -P FORWARD DROP (or append a final -j DROP) so that only the traffic matched above is forwarded.
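Added example (not the lecture's code, and not netfilter's): a Python model of how the filter table walks a chain, covering the rule ordering of slides 10-12, the jump and RETURN semantics of slides 54 and 57, the ping experiment of slide 63 and the FORWARD rules of the sharing setup above. Matches are exact-value comparisons on a packet dict (no CIDR), the chain and interface names come from the slides, the packets and addresses are constructed, and the class and function names are my own.

```python
"""Toy model of filter-table chain traversal (added example, not netfilter code):
first matching rule decides; a user chain that ends without a verdict, or hits
RETURN, resumes the caller; RETURN in a built-in chain means "apply the policy"."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, REJECT, RETURN or a user chain
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s (exact address; no CIDR in this toy)
    dport: Optional[int] = None   # --dport
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    states: Optional[set] = None  # -m state --state A,B

    def matches(self, pkt):
        for name in ("proto", "src", "dport", "in_if", "out_if"):
            want = getattr(self, name)
            if want is not None and pkt.get(name) != want:
                return False
        return self.states is None or pkt.get("state") in self.states


class FilterTable:
    TERMINAL = {"ACCEPT", "DROP", "REJECT"}

    def __init__(self):
        self.chains = {c: [] for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.policy = {c: "ACCEPT" for c in self.chains}  # the Ubuntu default

    def new_chain(self, name): self.chains[name] = []                             # -N
    def append(self, chain, rule): self.chains[chain].append(rule)                # -A
    def insert(self, chain, pos, rule): self.chains[chain].insert(pos - 1, rule)  # -I (1-based)
    def delete(self, chain, pos): del self.chains[chain][pos - 1]                 # -D by number

    def set_policy(self, chain, policy):                                          # -P
        assert policy in ("ACCEPT", "DROP"), "only ACCEPT and DROP are legal policies"
        self.policy[chain] = policy

    def _walk(self, chain, pkt):
        """Verdict reached in this chain, or None if the chain was left without one."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)  # jump into a user chain
            if verdict is not None:
                return verdict
            # the user chain returned without a verdict: continue with the next rule
        return None

    def verdict(self, chain, pkt):
        """Verdict of a built-in chain: first matching rule, otherwise the policy."""
        v = self._walk(chain, pkt)
        return self.policy[chain] if v is None else v


def ping_ordering_demo():
    """Slide 63: -A puts the DROP after the ACCEPT for icmp, so ping still answers."""
    t = FilterTable()
    t.append("INPUT", Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}))
    t.append("INPUT", Rule("ACCEPT", proto="icmp"))
    t.append("INPUT", Rule("REJECT"))
    echo = {"proto": "icmp", "src": "127.0.0.1", "state": "NEW"}  # constructed packet
    drop_lo_icmp = Rule("DROP", proto="icmp", src="127.0.0.1")
    out = [t.verdict("INPUT", echo)]          # ACCEPT (rule 2)
    t.append("INPUT", drop_lo_icmp)
    out.append(t.verdict("INPUT", echo))      # still ACCEPT: the DROP is rule 4
    t.insert("INPUT", 1, drop_lo_icmp)
    out.append(t.verdict("INPUT", echo))      # DROP: now checked first
    t.delete("INPUT", 1)
    out.append(t.verdict("INPUT", echo))      # ACCEPT again
    return out


def return_demo():
    """Slides 54/57: RETURN in a user chain resumes INPUT; RETURN in INPUT means policy."""
    t = FilterTable()
    t.new_chain("tcp_packets")
    t.append("tcp_packets", Rule("RETURN", dport=22))  # hand ssh back to INPUT
    t.append("tcp_packets", Rule("DROP"))              # drop all other TCP
    t.append("INPUT", Rule("tcp_packets", proto="tcp"))
    t.append("INPUT", Rule("ACCEPT", proto="tcp", dport=22))
    t.append("INPUT", Rule("RETURN"))                  # falls through to the policy
    t.set_policy("INPUT", "DROP")
    pkts = [{"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 80},
            {"proto": "udp", "dport": 53}]             # constructed: ssh, http, dns
    return tuple(t.verdict("INPUT", p) for p in pkts)


def gateway_demo(forward_policy):
    """Slide 66's two FORWARD rules under the given chain policy."""
    t = FilterTable()
    t.set_policy("FORWARD", forward_policy)
    t.append("FORWARD", Rule("ACCEPT", in_if="wlan0", out_if="eth0",
                             states={"RELATED", "ESTABLISHED"}))
    t.append("FORWARD", Rule("ACCEPT", in_if="eth0", out_if="wlan0"))
    pkts = [{"in_if": "eth0", "out_if": "wlan0", "state": "NEW"},          # LAN -> Internet
            {"in_if": "wlan0", "out_if": "eth0", "state": "ESTABLISHED"},  # reply coming back
            {"in_if": "wlan0", "out_if": "eth0", "state": "NEW"}]          # unsolicited inbound
    return tuple(t.verdict("FORWARD", p) for p in pkts)
```

gateway_demo("ACCEPT") returns ACCEPT for all three packets, including the unsolicited one from the wireless side, which is why the FORWARD policy (or a trailing DROP) matters; gateway_demo("DROP") forwards only the outbound packet and the reply. return_demo shows ssh passing through tcp_packets back to INPUT and being accepted there, other TCP dropped inside the user chain, and UDP hitting RETURN in INPUT and taking the DROP policy.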

67 On a host within the private LAN
Set the default gateway to the laptop's eth0 address
Use the same DNS server the gateway uses (Linux stores DNS servers in /etc/resolv.conf)
Troubleshooting:
  Simplest case first: ping the gateway, then an outside address
  Use wireshark to examine the related packets

