Network Device Development - Part 2: Firewall 101 (updated 2015.10.05)


Network Device Development

PART 2 – Firewall 101

Sean

• Developer

• erinus.startup@gmail.com

• https://www.facebook.com/erinus

GitHub

https://github.com/erinus/NetworkDeviceDevelopment

First Firewall

Lab topology (from the diagram): two host-only networks, VMnet2 (192.168.102.?) and VMnet3 (192.168.103.?), each with a CLIENT running Ubuntu Desktop (labelled 192.168.102.128 and 192.168.103.128). The SWITCH running Debian connects them on eth1 and eth2; its eth0 is on VMnet1 (NAT).

Traffic forwarded between the two clients and used to test the firewall:

PING (ICMP)

HTTP (TCP + Port 80)

Socket Buffer

struct sk_buff *skb;

Ethernet Header

struct ethhdr *eth_header = eth_hdr(skb);

IPv4 Header

struct iphdr *ip_header = ip_hdr(skb);

ICMP Header

struct icmphdr *icmp_header = icmp_hdr(skb);

TCP Header

struct tcphdr *tcp_header = tcp_hdr(skb);

UDP Header

struct udphdr *udp_header = udp_hdr(skb);

Important Constants

IPPROTO_TCP

IPPROTO_UDP

Important Functions

skb_pull(skb, length)

skb_push(skb, length)

skb_reset_mac_header(skb)

skb_reset_network_header(skb)

skb_reset_transport_header(skb)

Socket Buffer Has A Data Pointer

skb->data points at the current position in the packet, and the header accessors above depend on the header pointers that are set relative to it.

When a packet enters the forward hook (NF_INET_FORWARD), skb->data points at the beginning of layer 3 (the IP header); the layer 2 (Ethernet) header lies just before it and has already been consumed.

(diagram: skb->data at the start of layer 3, directly after layer 2)

Move Among Layers

(diagram) skb_push moves skb->data backwards, toward layer 2; skb_pull moves it forwards, toward layer 4.

Move To Layer 2

When skb->data points at the beginning of layer 2, you must call skb_reset_mac_header(skb) to set

right address of mac header.

(diagram: skb->data at the start of layer 2)

Move To Layer 2

skb_reset_mac_header(skb);

struct ethhdr *eth_header = eth_hdr(skb);

(diagram: skb->data at the start of layer 3)

Move To Layer 3

When skb->data points at the beginning of layer 3, call skb_reset_network_header(skb) so that the network (IP) header pointer is set to the right address before using ip_hdr(skb).

Move To Layer 3

skb_reset_network_header(skb);

struct iphdr *ip_header = ip_hdr(skb);

Move To Layer 4

When skb->data points at the beginning of layer 4, call skb_reset_transport_header(skb) so that the transport header pointer is set to the right address before using tcp_hdr(skb), udp_hdr(skb) or icmp_hdr(skb).

(diagram: skb->data at the start of layer 4)

Move To Layer 4

skb_reset_transport_header(skb);

struct tcphdr *tcp_header = tcp_hdr(skb);

struct udphdr *udp_header = udp_hdr(skb);

struct icmphdr *icmp_header = icmp_hdr(skb);

Modify main.c

Decision flow of the forward hook (from the diagram): IP Protocol? -> TCP Protocol? -> Move To Layer 4 -> Port 80? -> Back To Layer 3. A TCP segment whose destination port is 80 is dropped; every other packet is accepted.
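The flow above as an added, runnable userspace model. This is not the deck's main.c (a kernel module, which cannot be built or run outside the kernel): the struct sk_buff fields and helpers the slides use (skb->data, skb_pull, skb_push, the skb_reset_*_header calls, eth_hdr/ip_hdr/tcp_hdr) are re-implemented here with the same semantics over a small model_skb, the header structs mirror struct ethhdr/iphdr/tcphdr, and the frame is constructed sample data using the lab addresses from the diagram. The names model_skb, forward_hook, ethertype_of, build_frame, run_hook and the entry points at the end are this example's own. Two things the flowchart leaves implicit are made explicit: the layer 4 offset is taken from the IP header length field (ihl) rather than assumed to be 20 bytes, and skb->data is pushed back to layer 3 before any verdict is returned, so the stack sees the buffer exactly as it handed it over.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>          /* htons/ntohs/htonl, IPPROTO_TCP, IPPROTO_ICMP */

#define NF_DROP   0             /* the kernel's verdict values */
#define NF_ACCEPT 1
#define ETH_P_IP_VALUE 0x0800   /* EtherType of IPv4 */

/* Header layouts mirroring struct ethhdr / iphdr / tcphdr, fields in wire order. */
struct model_ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct model_iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                      uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct model_tcphdr { uint16_t source, dest; uint32_t seq, ack_seq;
                      uint16_t doff_flags, window, check, urg_ptr; } __attribute__((packed));

/* Userspace stand-in for the struct sk_buff fields the slides use (this example's own type). */
struct model_skb {
    uint8_t *data; size_t len;   /* skb->data is the current position; len counts from it to the end */
    uint8_t *mac_header, *network_header, *transport_header;
};

/* Same semantics as the kernel helpers: pull moves data toward layer 4, push back toward layer 2,
 * reset_*_header records the current position as that header's address. */
static void skb_pull(struct model_skb *s, size_t n) { s->data += n; s->len -= n; }
static void skb_push(struct model_skb *s, size_t n) { s->data -= n; s->len += n; }
static void skb_reset_mac_header(struct model_skb *s)       { s->mac_header = s->data; }
static void skb_reset_network_header(struct model_skb *s)   { s->network_header = s->data; }
static void skb_reset_transport_header(struct model_skb *s) { s->transport_header = s->data; }
static struct model_ethhdr *eth_hdr(struct model_skb *s) { return (struct model_ethhdr *)s->mac_header; }
static struct model_iphdr  *ip_hdr(struct model_skb *s)  { return (struct model_iphdr *)s->network_header; }
static struct model_tcphdr *tcp_hdr(struct model_skb *s) { return (struct model_tcphdr *)s->transport_header; }

/* The "Modify main.c" flow. skb->data is at layer 3 on entry, as in the forward hook. */
static unsigned int forward_hook(struct model_skb *skb)
{
    skb_reset_network_header(skb);
    if (skb->len < sizeof(struct model_iphdr)) return NF_DROP;          /* truncated: fail closed */
    struct model_iphdr *iph = ip_hdr(skb);
    size_t ihl = (size_t)(iph->ihl_version & 0x0f) * 4;                 /* real length, options included */
    if ((iph->ihl_version >> 4) != 4 || ihl < 20 || skb->len < ihl) return NF_DROP;
    if (iph->protocol != IPPROTO_TCP) return NF_ACCEPT;                 /* IP Protocol? not TCP: ping passes */
    if (skb->len < ihl + sizeof(struct model_tcphdr)) return NF_DROP;   /* no complete TCP header */
    skb_pull(skb, ihl);                              /* Move To Layer 4 */
    skb_reset_transport_header(skb);
    uint16_t dport = ntohs(tcp_hdr(skb)->dest);
    skb_push(skb, ihl);                              /* Back To Layer 3, before any verdict */
    return dport == 80 ? NF_DROP : NF_ACCEPT;        /* Port 80? */
}

/* "Move To Layer 2": step back over the plain Ethernet header (no VLAN tag assumed) and forward again. */
static uint16_t ethertype_of(struct model_skb *skb)
{
    skb_push(skb, sizeof(struct model_ethhdr));
    skb_reset_mac_header(skb);
    uint16_t proto = ntohs(eth_hdr(skb)->h_proto);
    skb_pull(skb, sizeof(struct model_ethhdr));
    return proto;
}

/* Constructed sample frame (not captured traffic): Ethernet + IPv4 + TCP or ICMP header, no payload,
 * zero MACs and checksums (the hook verifies neither). Returns the frame length. */
static size_t build_frame(uint8_t *buf, size_t cap, uint8_t proto, uint16_t tcp_dport)
{
    size_t l4len = (proto == IPPROTO_TCP) ? sizeof(struct model_tcphdr) : 8;   /* 8 = ICMP echo header */
    size_t total = sizeof(struct model_ethhdr) + sizeof(struct model_iphdr) + l4len;
    if (cap < total) return 0;
    memset(buf, 0, cap);
    struct model_ethhdr *eth = (struct model_ethhdr *)buf;
    struct model_iphdr  *iph = (struct model_iphdr *)(buf + sizeof *eth);
    eth->h_proto     = htons(ETH_P_IP_VALUE);
    iph->ihl_version = 0x45;                         /* IPv4, 5 * 4 = 20-byte header */
    iph->tot_len     = htons((uint16_t)(total - sizeof *eth));
    iph->protocol    = proto;
    iph->saddr       = htonl(0xC0A86680);            /* 192.168.102.128 (VMnet2 side) */
    iph->daddr       = htonl(0xC0A86780);            /* 192.168.103.128 (VMnet3 side) */
    if (proto == IPPROTO_TCP) {
        struct model_tcphdr *tcph = (struct model_tcphdr *)(buf + sizeof *eth + sizeof *iph);
        tcph->source     = htons(40000);
        tcph->dest       = htons(tcp_dport);
        tcph->doff_flags = htons(0x5002);            /* data offset 5, SYN */
    } else {
        buf[sizeof *eth + sizeof *iph] = 8;          /* ICMP type 8: echo request */
    }
    return total;
}

/* Runs the hook on a constructed frame. On entry to the forward hook the kernel has already pulled
 * the Ethernet header: skb->data is at layer 3 and mac_header is recorded. */
static unsigned int run_hook(uint8_t proto, uint16_t dport, int *data_restored, uint16_t *ethertype)
{
    uint8_t frame[64];
    struct model_skb skb = { frame, build_frame(frame, sizeof frame, proto, dport), NULL, NULL, NULL };
    skb_reset_mac_header(&skb);
    skb_pull(&skb, sizeof(struct model_ethhdr));
    uint8_t *layer3 = skb.data;
    if (ethertype) *ethertype = ethertype_of(&skb);
    unsigned int verdict = forward_hook(&skb);
    if (data_restored) *data_restored = (skb.data == layer3);
    return verdict;
}

static unsigned int verdict_for(uint8_t proto, uint16_t dport) { return run_hook(proto, dport, NULL, NULL); }
static int restores_data_pointer(uint8_t proto, uint16_t dport) { int r = 0; run_hook(proto, dport, &r, NULL); return r; }
static uint16_t ethertype_seen(void) { uint16_t t = 0; run_hook(IPPROTO_TCP, 80, NULL, &t); return t; }
```

verdict_for(IPPROTO_TCP, 80) returns NF_DROP, verdict_for(IPPROTO_TCP, 8080) and verdict_for(IPPROTO_ICMP, 0) return NF_ACCEPT, matching the three tests at the end of this part. Two caveats for the real module: by the time an IPv4 packet reaches NF_INET_FORWARD the receive path has already recorded the network and transport header offsets, so ip_hdr() and tcp_hdr() work without moving skb->data at all, and the pull/push dance is mainly a way to see how the pointers relate; and on a non-linear skb the TCP header need not lie in the linear area, so in kernel code check with pskb_may_pull() (or read the header with skb_header_pointer()) before dereferencing it.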

Install

$ make

$ make install

$ dmesg

Test your Firewall

CLIENT of VMnet2

$ sudo ip route add 192.168.103.0/24 via 192.168.102.128

CLIENT of VMnet3

$ sudo ip route add 192.168.102.0/24 via 192.168.103.128

Create HTTP Server on CLIENT of VMnet3

$ sudo python server-80.py

$ sudo python server-8080.py

Test on CLIENT of VMnet2

Open Web Browser and connect:

1. http://192.168.103.128:80/ -> Failure (TCP to port 80 is dropped)

2. http://192.168.103.128:8080/ -> Success

$ ping 192.168.103.128 -> Success (ICMP is not filtered)

Next Part

Firewall 102
