Skip to content

Latest commit

 

History

History
619 lines (423 loc) · 13.4 KB

README.md

File metadata and controls

619 lines (423 loc) · 13.4 KB
Raw

Table of Contents

Course Netfilter/Iptables Hands-On

Requirements

  • Vagrant is a command line utility for managing the life cycle of virtual machines.
  • Virtualbox is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use.

Linux Networking Concepts

What is a computer network?

What is the Internet?

How Does The Internet Work?

https://www.youtube.com/watch?v=7_LPdttKXPc

https://www.youtube.com/watch?v=HNQD0qJ0TC4

This IP Thing

  • The role of the IP layer is to figure out how to route packets to their final destination

  • Router is a node with interfaces on more than one network

  • The Linux Kernel's IP layer keeps a table of different routes, describing how to get to various groups of IP addresses

Groups of IP Addresses: Network Masks

    Short   Full                    Maximum         Comment
    Form    Form                    #Machines

    /8      /255.0.0.0              16,777,215      Used to be called an `A-class'
    /16     /255.255.0.0            65,535          Used to be called an `B-class'
    /17     /255.255.128.0          32,767
    /18     /255.255.192.0          16,383
    /19     /255.255.224.0          8,191
    /20     /255.255.240.0          4,095
    /21     /255.255.248.0          2,047
    /22     /255.255.252.0          1,023
    /23     /255.255.254.0          511
    /24     /255.255.255.0          255             Used to be called a `C-class'
    /25     /255.255.255.128        127
    /26     /255.255.255.192        63
    /27     /255.255.255.224        31
    /28     /255.255.255.240        15
    /29     /255.255.255.248        7
    /30     /255.255.255.252        3

Machine Names and IP Addresses (DNS)

  • IANA - IP Addresses - responsible for global coordination of the Internet Protocol addressing systems, as well as the Autonomous System Numbers used for routing Internet traffic.
  • IANA - Root Servers - responsible for management of the DNS root zone. This role means assigning the operators of top-level domains, such as .uk and .com, and maintaining their technical and administrative details.

Different Services: Email, Web, FTP, Name Serving

  • TCP and UDP have a concept of ports.
  • IANA - Protocol Registries - responsible for maintaining many of the codes and numbers contained in a variety of Internet protocols, enumerated below. We provide this service in coordination with the Internet Engineering Task Force (IETF).

What Packets Look Like

Environment Setup

Clone this repo and run:

vagrant up

At this point the Vagrant created 4 VMs (router, node1, node2, server).

Check the status of VMs

vagrant status

The diagram bellow represent the network connection between this VMs

Network Diagram

Network

Connect to each VM and check the network and routing table settings and take notes.

vagrant ssh VM-NAME

sudo su -
ip address show
ip route show
cat /etc/resolv.conf
cat /proc/sys/net/ipv4/ip_forward

or

sudo su -
ifconfig -a
route -n
cat /etc/resolv.conf
cat /proc/sys/net/ipv4/ip_forward

Check the network connectivity and take notes.

router VM

vagrant ssh router

sudo su -
ping 192.168.20.20 # server vm
ping 172.16.10.10 # node1 vm
ping 172.16.10.11 # node2 vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com
tcpdump -i any -NNnl icmp

server VM

Open a new shell

vagrant ssh server

sudo su -
ping 192.168.20.2 # router vm
ping 172.16.10.10 # node1 vm
ping 172.16.10.11 # node2 vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com

node1 VM

Open a new shell

vagrant ssh node1

sudo su -
ping 172.16.10.2 # router vm
ping 172.16.10.11 # node2 vm
ping 192.168.20.20 # server vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com

node2 VM

Open a new shell

vagrant ssh node2

sudo su -
ping 172.16.10.2 # router vm
ping 172.16.10.10 # node1 vm
ping 192.168.20.20 # server vm
ping 8.8.8.8
dig @8.8.8.8 www.google.com
curl -v https://www.google.com

Set the default route and take notes.

server VM

vagrant ssh server

sudo su -
ip route add default via 192.168.20.2

or

sudo su -
route add default gw 192.168.20.2

node1 VMs

vagrant ssh node1

sudo su -
ip route add default via 172.16.10.2

or

sudo su -
route add default gw 172.16.10.2

node2 VMs

vagrant ssh node2

sudo su -
ip route add default via 172.16.10.2

or

sudo su -
route add default gw 172.16.10.2

Check the network connectivity again.

Questions?

Enable router ip_forward

ip_forward - BOOLEAN
  0 - disabled (default)
  not 0 - enabled

    Forward Packets between interfaces.

    This variable is special, its change resets all configuration
    parameters to their default state (RFC1122 for hosts, RFC1812
    for routers)

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

vagrant ssh router

sudo su -
echo 1 > /proc/sys/net/ipv4/ip_forward

Enable ip_forward permanently. Edit /etc/sysctl.conf and add: net.ipv4.ip_forward=1

Check the network connectivity again.

Questions?

Netfilter/Iptables

So What's A Packet Filter?

  • A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet

  • It might decide to DROP the packet, ACCEPT the packet, or something more complicated (NAT)

Why Would I Want to Packet Filter?

  • Control. Security. Watchfulness

How Do I Packet Filter Under Linux?

  • Netfilter - is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

  • Iptables - is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

How Packets Traverse The Filters

Routing tables traversal process

Using iptables

iptables/ip6tables - administration tool for IPv4/IPv6 packet filtering and NAT

  • Several different tables may be defined.
  • Each table contains a number of built-in chains and may also contain user-defined chains.
  • Each chain is a list of rules which can match a set of packets.
  • Each rule specifies what to do with a packet that matches (TARGET).

TARGETS:

  • DROP
  • ACCEPT
  • RETURN
  • Or jump to a user-defined chain in the same table.

TABLES:

  • filter - INPUT, OUTPUT, FORWARD
  • nat - PREROUTING, INPUT, OUTPUT, POSTROUTING
  • mangle - PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING
  • raw - PREROUTING, OUTPUT
  • security - INPUT, OUTPUT, FORWARD (SECMARK, CONNSECMARK)

Hands-on

vagrant ssh node1

Open a new shell

vagrant ssh server

Open a new shell

vagrant ssh router

man iptables

View current configuration

router, server and node1:

iptables --table mangle --list --numeric --verbose
iptables --table nat --list --numeric --verbose
iptables --table filter --list --numeric --verbose

or

iptables -t mangle -L -nv
iptables -t nat -L -nv
iptables -t filter -L -nv

Note: --line-numbers

Change the policy for a built-in chain INPUT. (-P).

node1

ping -c 3 172.16.10.2 # router

router

iptables --table filter --policy INPUT DROP

or

iptables -t filter -P INPUT DROP

node1

ping -c 3 172.16.10.2 # router

Create/Delete a new rule to a chain INPUT.

Note: Allow vagrant ssh traffic before change INPUT policy ;]

  • Append a new rule to a chain (-A|--append).
  • Insert a new rule at some position in a chain (-I|--insert).
  • Replace a rule at some position in a chain (-R|--replace).
  • Delete a rule at some position in a chain, or the first that matches (-D|--delete).

router

iptables --table filter --append INPUT --in-interface enp0s3 -j ACCEPT
iptables --table filter --append INPUT --protocol icmp -j ACCEPT
iptables --table filter --policy INPUT DROP

or

iptables -t filter -A INPUT -i enp0s3 -j ACCEPT
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -P INPUT DROP

node1

ping -c 3 172.16.10.2 # router

router

iptables --table filter --policy INPUT ACCEPT
iptables --table filter --delete INPUT --in-interface enp0s3 -j ACCEPT
iptables --table filter --delete INPUT --protocol icmp -j ACCEPT

or

iptables -t filter -P INPUT ACCEPT
iptables -t filter -D INPUT -i enp0s3 -j ACCEPT
iptables -t filter -D INPUT -p icmp -j ACCEPT

Change the policy for a built-in chain FORWARD. (-P).

node1

ping -c 3 192.168.20.20 # server

router

iptables --table filter --policy FORWARD DROP

or

iptables -t filter -P FORWARD DROP

node1

ping -c 3 192.168.20.20 # server

router

iptables --table filter --policy FORWARD ACCEPT

or

iptables -t filter -P FORWARD ACCEPT

Create/Delete a new rule to a chain FORWARD.

  • Append a new rule to a chain (-A).
  • Insert a new rule at some position in a chain (-I).
  • Replace a rule at some position in a chain (-R).
  • Delete a rule at some position in a chain, or the first that matches (-D).

router

iptables --table filter --append FORWARD --protocol icmp -j ACCEPT
iptables --table filter --policy FORWARD DROP

iptables -t filter -A FORWARD -p icmp -j ACCEPT
iptables -t filter -P FORWARD DROP

node1

ping -c 3 192.168.20.20

Create a new rule to enable NAT to node1 and node2 (172.16.10.0/24)

node1

ping -c 3 8.8.8.8

router

iptables --table nat --append POSTROUTING --source 172.16.10.0/24 -j MASQUERADE

or

iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j MASQUERADE

node1

ping -c 3 8.8.8.8

Create a new rule to enable NAT to server (192.168.20.0/24)

server

ping -c 3 8.8.8.8

router

iptables --table nat --append POSTROUTING --source 192.168.20.0/24 -j MASQUERADE

or

iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE

server

ping -c 3 8.8.8.8
apt-get update
apt-get install nginx

Build the simple firewall script

  • Deny all traffic by default
  • Allow ICMP traffic
  • Allow lo traffic
  • Allow http traffic: node -> server
  • Allow http redirect: router -> server
  • Allow Internet Access