Linux – Routing and Firewall for beginners [email protected] @sriramnrn



DESCRIPTION

null Bangalore Chapter - April 2014. Invite-only session.


Page 1: Linux routing and firewall for beginners

Linux – Routing and Firewall for beginners

[email protected] @sriramnrn

Page 2

Agenda

• Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (demo, troubleshooting and exercises)
• Firewalls (demo, troubleshooting and exercises)

Page 3

About Diagrams

• On the whiteboard during the workshop.
• To be added to the presentation to be made available for download.

Page 4

What we should have achieved today

• This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basic firewall administration
• What I haven’t tried in today’s infra
  • Asymmetric routing

• We won’t be covering today:
  • LARTC (Linux Advanced Routing and Traffic Control)
  • QoS
  • Policy Based Routing
  • VPNs

Page 5

Setup

• Are you connected to the wifi yet? twguest/d1srupt1ve
• Do you have Vagrant installed and running? Vagrant 1.5.1 at least
• Do you have VirtualBox installed and running? (VBox 4.3 at least)
• Download the iptables zip file
• Do you have the vagrant.d zip file? (Separate from the Vagrant app)
• Set VAGRANT_HOME to c:\vagrant.d\ (where you extract vagrant.d to)

Page 6

Working with the infrastructure

• vagrant up, halt, destroy
• vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your work via puppet

Page 7

Some network basics

• Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat

Page 8

Getting started with routing

• From your laptop to the various individual boxes
  • Print the route table
• Within each box
  • Print the route table
• What have we discovered? Draw a diagram
• Explore the VirtualBox settings and validate the diagram
• Which IPs are you able to ping? From where?
• Why is the ping working?
• Why is the traceroute working?

Page 9

Before we set up a route

• ssh to “office”
• From “office”, ssh to “router”
• From “router”, ssh to “dmz”
• Why is this working?

Page 10

Setting up a direct route to further hops

• What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes, why?
• If no, what do you think is missing?

Page 11

About routes and return routes

• One of the first lessons one learns!
• Set up a route
• Set up a return route
• Ping
  • from office to dmz
  • from dmz to office
• Does the ping work?
• We’ll look at SSH and traceroute next
• Persisting the route settings

Page 12

When routes and return routes are not enough

• SSH and traceroute
  • from office to dmz
  • from dmz to office
• Do ssh and traceroute work?
• Coming up – packet forwarding

Page 13

About packet forwarding

• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
  • from office to dmz
  • from dmz to office
• Do ping, traceroute and ssh work?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting

Page 14

Persisting packet forwarding settings

• /proc is temporary. Reboot and check! ;)
• Do ping, traceroute and ssh work?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf
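As an added example (not part of the workshop deck), a small bash helper for pages 13 and 14: it checks the live /proc value on the router and makes the /etc/sysctl.conf change idempotent, whether the key is already there set to 0, commented out, or missing. The paths are parameters so the functions can be tried against copies of the files before touching the real ones.

```shell
#!/bin/bash
# Added example, not from the workshop deck. Checks and persists IPv4
# packet forwarding on the "router" box. The paths are parameters so the
# functions can be tried against copies; defaults are the real locations.

# forwarding_enabled [proc_path]: succeed if the live kernel value is 1.
forwarding_enabled() {
    local proc_path="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$proc_path" ] && [ "$(tr -d '[:space:]' < "$proc_path")" = "1" ]
}

# persist_forwarding [sysctl_conf]: leave exactly one active
# "net.ipv4.ip_forward = 1" line in the file. Handles the key set to 0,
# the key commented out, and the key absent; running it twice is harmless.
persist_forwarding() {
    local conf="${1:-/etc/sysctl.conf}"
    local key='net\.ipv4\.ip_forward'
    [ -e "$conf" ] || : > "$conf"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        # An active line exists: rewrite its value to 1, whatever it was.
        sed -i -E "s/^([[:space:]]*${key}[[:space:]]*=).*/\\1 1/" "$conf"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        # Only a commented-out line: uncomment it and set it to 1.
        sed -i -E "s/^[[:space:]]*#[[:space:]]*(${key})[[:space:]]*=.*/\\1 = 1/" "$conf"
    else
        # Key absent: append it.
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
}

# active_forward_lines [sysctl_conf]: how many active ip_forward=1 lines
# the file has (exactly 1 after persist_forwarding, however often it ran).
active_forward_lines() {
    grep -Ec "^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*\$" \
        "${1:-/etc/sysctl.conf}" || true
}

# On the real router (needs root):
#   forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward  # live, lost on reboot
#   persist_forwarding && sysctl -p /etc/sysctl.conf              # survives reboot
```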

Page 15

When both the sides have the same IP range

• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section

Page 16

Some exercises

• One “office”, two DMZs
• Two “offices”, one DMZ

Page 17

Questions

• Given that we have
  • One “office”, one “DMZ”
  • One “office”, two DMZs
  • Two “offices”, one DMZ

When we have the current configuration

Then is this “DMZ” a DMZ?

Page 18

The need for a firewall

• Making a DMZ a DMZ

Page 19

iptables and netfilter

• netfilter – the kernel module
• iptables – the command line tool
• service iptables status
  • What do we see here?

Page 20

iptables – getting around

• How and why does iptables start up?
  • chkconfig
  • Where the service script is located
• Turning iptables off
  • temporarily
  • permanently
  • flushing the tables
• service iptables status
  • What do we see here?

Page 21

iptables – What are tables?

• View the Wikipedia diagram

Page 22

iptables Rules – the basics

• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules? (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?

Page 23

iptables Rules – persisting

• What happens when you flush the tables?
• How do we save the rules? (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads

Page 24

iptables – default policies

• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?

Page 25

iptables – logging packets

• How do we log a packet?

Page 26

iptables – allowing packets

• How do we allow a packet?

Page 27

iptables – dropping and rejecting packets

• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?

Page 28

iptables – Let’s make that DMZ a DMZ!

• What rules should we have?

Page 29

iptables – port forwarding – Exercise 1

• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?

Page 30

iptables – port forwarding – Exercise 2

• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports

Page 31

Reality check: What a firewall is and isn’t

• Can
  • defend against specific IP level characteristics
    • Fast rate of packets
    • Permit from certain origins only
• Won’t
  • Defend you from app vulnerabilities

Page 32

iptables - NAT

• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
  • Connections from office to DMZ via the router’s DMZ IP.
    • ssh
    • Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the Python SimpleHTTPServer log tell you about the remote IP?
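An added example (not the deck's own rules) that ties pages 24 to 29 and 32 together: a bash function that emits an iptables-restore ruleset for the router with DROP default policies, rate-limited logging before the drop, REJECT for anything the DMZ initiates towards the office, the exercise 1 DNAT, and SNAT so office-to-DMZ connections arrive from the router's DMZ-side IP. Interface names, networks and the DMZ host address are parameters; the values in the usage comment are assumed lab addressing, not taken from the deck.

```shell
#!/bin/bash
# Added example, not from the workshop deck. Emits an iptables-restore
# ruleset for the "router" box: DROP default policies, log-then-drop,
# REJECT for traffic the DMZ initiates, the exercise 1 port forward and
# SNAT so office->DMZ connections come from the router's DMZ-side IP.
# Arguments: office_if office_net dmz_if dmz_net dmz_host router_dmz_ip
router_ruleset() {
    local office_if="$1" office_net="$2" dmz_if="$3" dmz_net="$4"
    local dmz_host="$5" router_dmz_ip="$6"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the router itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management from the office side only; everything else is logged (rate
# limited) and then falls through to the DROP policy: the sender times out.
-A INPUT -i $office_if -s $office_net -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "router-input-drop: "
# Return traffic for connections that were already allowed through.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Office may open ssh and the web port on the DMZ host. FORWARD sees the
# packet after PREROUTING's DNAT, so the port here is 8080, not 80.
-A FORWARD -i $office_if -o $dmz_if -s $office_net -d $dmz_host -p tcp -m multiport --dports 22,8080 -j ACCEPT
# The DMZ must not start anything towards the office: REJECT gives the
# sender an immediate ICMP error instead of a silent DROP's timeout.
-A FORWARD -i $dmz_if -o $office_if -s $dmz_net -d $office_net -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "router-forward-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Exercise 1: port 80 on the router's office-side IP -> DMZ host port 8080.
-A PREROUTING -i $office_if -p tcp --dport 80 -j DNAT --to-destination $dmz_host:8080
# Office -> DMZ connections appear on the DMZ host to come from the router.
-A POSTROUTING -o $dmz_if -s $office_net -j SNAT --to-source $router_dmz_ip
COMMIT
EOF
}

# Assumed lab addressing (not from the deck). On the router, pipe into
# iptables-restore, then "service iptables save" to persist it:
#   router_ruleset eth1 10.0.1.0/24 eth2 10.0.2.0/24 10.0.2.10 10.0.2.1 | iptables-restore
```

After loading, netstat on the DMZ host and the SimpleHTTPServer log should show the router's DMZ-side IP as the remote address, which is the effect page 32 asks you to observe.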

Page 33

iptables – NAT – Behind the scenes

• Checking the NAT table

Page 34

iptables – NAT – One-to-one vs a range

• What if we have a pool of public IPs available for NAT?

Page 35

When both the sides have the same IP range

• What should the solution be?

Page 36

Some exercises

• Exposing one DMZ to another via routing and NAT
  • On the same laptop
  • Across laptops

Page 37

Thank you!

www.sriramnarayanan.com
www.belenix.org
@sriramnrn