Linux routing and firewall for beginners
null Bangalore Chapter - April 2014 Invite only session

Presentation Transcript

  • sriram@belenix.org @sriramnrn
  • Introduction
  • What we will not be covering
  • Setup – 30 mins
  • Some network basics
  • Some VirtualBox basics
  • Routing (demo, troubleshooting and exercises)
  • Firewalls (demo, troubleshooting and exercises)

  • On the whiteboard during the workshop.
  • To be added to the presentation to be made available for download

  • This session is for beginners
  • Set up a router, and route between two networks
  • Set up a firewall, and understand basic firewall administration
  • What I haven’t tried in today’s infra:
    • Asymmetric routing
  • We won’t be covering today:
    • LARTC (Linux Advanced Routing and Traffic Control)
    • QoS
    • Policy Based Routing
    • VPNs

  • Are you connected to the wifi yet? twguest/d1srupt1ve
  • Do you have Vagrant installed and running? Vagrant 1.5.1 at least
  • Do you have VirtualBox installed and running? (VirtualBox 4.3 at least)
  • Download the iptables zip file
  • Do you have the vagrant.d zip file? (Separate from the Vagrant app)
  • Set VAGRANT_HOME to c:\vagrant.d (where you extract vagrant.d to)

  • vagrant up, halt, destroy
  • vagrant ssh
  • Restarting from scratch
  • About “office”, “router” and “dmz”
  • Saving your work via Puppet

  • Ethernet configuration files
  • service network restart
  • ping
  • traceroute
  • ssh
  • netstat

  • From your laptop to the various individual boxes
    • Print the route table
  • Within each box
    • Print the route table
  • What have we discovered? Draw a diagram
  • Explore the VirtualBox settings and validate the diagram
  • Which IPs are you able to ping? From where?
  • Why is the ping working?
  • Why is the traceroute working?

  • ssh to “office”
  • From “office”, ssh to “router”
  • From “router”, ssh to “dmz”
  • Why is this working?

  • What should our routing look like?
  • Set up the routes
  • Are you able to get from office to dmz via the dmz IP?
    • If yes, why?
    • If no, what do you think is missing?

  • One of the first lessons one learns!
  • Set up a route
  • Set up a return route
  • Ping
    • from office to dmz
    • from dmz to office
  • Does the ping work?
  • We’ll look at SSH and traceroute next
  • Persisting the route settings

  • SSH and traceroute
    • from office to dmz
    • from dmz to office
  • Do ssh and traceroute work?
  • Coming up – packet forwarding

  • What is packet forwarding?
  • How does it work?
  • About /proc
  • Ping, traceroute and SSH
    • from office to dmz
    • from dmz to office
  • Do ping, traceroute and ssh work?
  • What does netstat on the receiving side tell you?
  • Next: Persisting your packet forwarding setting

  • /proc is temporary. Reboot and check! ;)
  • Do ping, traceroute and ssh still work?
  • Persisting your packet forwarding via /etc/sysctl.conf
  • Reloading /etc/sysctl.conf

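The routing steps above (route out, return route, enable forwarding, persist both) carried through as one script. This is an added example, not part of the slides or of the workshop's Vagrant setup. The address plan is an assumption: office network 192.168.10.0/24, DMZ network 192.168.20.0/24, router addresses 192.168.10.1 and 192.168.20.1; the RHEL/CentOS-style config file locations are also assumed, chosen to match the "service network restart" style used in the workshop.

```shell
#!/bin/sh
# Added example (not from the slides): static routes between "office" and "dmz"
# through "router", and the packet-forwarding check on the router.
# The address plan is an assumption; substitute what your Vagrant boxes got.
OFFICE_NET=192.168.10.0/24
DMZ_NET=192.168.20.0/24
ROUTER_OFFICE_IP=192.168.10.1   # router's interface on the office network
ROUTER_DMZ_IP=192.168.20.1      # router's interface on the DMZ network

# Route commands for each box. "office" needs a route to the DMZ via the
# router's office-side IP, and "dmz" needs the RETURN route via the router's
# DMZ-side IP; without it the reply leaves through dmz's default gateway and
# the ping from office never gets an answer.
route_commands() {
  case "$1" in
    office) echo "ip route add $DMZ_NET via $ROUTER_OFFICE_IP" ;;
    dmz)    echo "ip route add $OFFICE_NET via $ROUTER_DMZ_IP" ;;
    router) echo "# router is directly connected to both networks: no static route" ;;
    *)      echo "unknown box: $1" >&2; return 1 ;;
  esac
}

# Persisted form on a RHEL/CentOS-style box (assumed, since the slides use
# "service network restart"): one "<net> via <gateway>" line per route in
# /etc/sysconfig/network-scripts/route-<iface>, applied on network restart.
route_file() {
  case "$1" in
    office) echo "$DMZ_NET via $ROUTER_OFFICE_IP" ;;
    dmz)    echo "$OFFICE_NET via $ROUTER_DMZ_IP" ;;
    *)      return 1 ;;
  esac
}

# The router only relays packets between its interfaces while
# net.ipv4.ip_forward is 1. Reads the live /proc file unless a path is given,
# so the check can be exercised against a plain file on an unprivileged box.
forwarding_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# /proc is reset on reboot; this line in /etc/sysctl.conf (reloaded with
# "sysctl -p") makes the setting survive.
sysctl_line() { echo "net.ipv4.ip_forward = 1"; }

# Apply on the current box (root). Temporary until reboot unless the
# route_file and sysctl_line output are also written to the files named above.
apply() {
  [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
  cmds=$(route_commands "$1") || return 1
  eval "$cmds"
  if [ "$1" = router ]; then sysctl -w net.ipv4.ip_forward=1; fi
}

# Usage: ./routes.sh office|dmz|router applies; no argument prints the plan.
if [ -n "${1:-}" ]; then
  apply "$1"
else
  for box in office router dmz; do
    echo "[$box]"; route_commands "$box"
  done
  forwarding_enabled && echo "ip_forward: on" || echo "ip_forward: off (this box)"
fi
```

Run it with no argument on your laptop to see the plan for all three boxes; run it as root with the box name inside each VM to apply. On Debian-derived boxes the persisted route goes into /etc/network/interfaces as an "up ip route add ..." line instead of a route-<iface> file, but the sysctl.conf line is the same everywhere.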
  • What if both sides have the same IP address range?
  • A common scenario between customer and vendor organizations
  • Let’s see this during the firewalls section

  • One “office”, two DMZs
  • Two “offices”, one DMZ

  • Given that we have
    • One “office”, one “DMZ”
    • One “office”, two DMZs
    • Two “offices”, one DMZ
  • When we have the current configuration
  • Then is this “DMZ” a DMZ?

  • Making a DMZ a DMZ

  • Netfilter – the packet filtering framework inside the kernel
  • iptables – the command line tool that configures it
  • service iptables status
  • What do we see here?

  • How and why does iptables start up?
  • chkconfig
  • Where the service script is located
  • Turning iptables off
    • temporarily
    • permanently
    • flushing the tables
  • service iptables status
  • What do we see here?

  • View the Wikipedia diagram

  • What does a rule look like?
  • Add a rule
  • Delete a rule
  • View the rule
  • Persist the rule
  • What happens when you flush the tables?
  • How do we save the rules (service iptables save)
  • Where are the rules saved?
  • How are the rules loaded?
  • Is it safe to edit the file directly?
  • About iptables restarts and reloads

  • Change the default INPUT and FORWARD policies
  • Edit the iptables file directly
  • What do you see?
  • Is an iptables service restart required?

  • How do we log a packet?

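Logging a packet, as an added example that is not part of the slides: the LOG target paired with the DROP that follows it, and a small report over the lines the kernel then writes. The log lines embedded in the script are constructed for the example; the "IPT-DROP: " prefix and the addresses in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): the LOG target and a report over the
# lines it produces. The sample log below is constructed for this example.

# LOG is a non-terminating target: the packet carries on down the chain, so it
# is paired with the DROP (or REJECT) that follows. "-m limit" stops a packet
# flood from filling /var/log/messages; the prefix makes the lines greppable.
log_rules() {
  echo 'iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4'
  echo 'iptables -A INPUT -j DROP'
}

# Constructed sample of what the kernel writes (via rsyslog, to
# /var/log/messages on CentOS): interfaces, then KEY=VALUE fields.
SAMPLE_LOG=$(cat <<'EOF'
Apr 12 10:15:01 router kernel: IPT-DROP: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.10.10 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45678 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:15:02 router kernel: IPT-DROP: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.10.10 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45679 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:15:03 router kernel: IPT-DROP: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.10.10 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45680 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:15:05 router kernel: IPT-DROP: IN=eth2 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.20.10 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:15:06 router kernel: IPT-DROP: IN=eth2 OUT= MAC=08:00:27:11:22:33:08:00:27:44:55:66:08:00 SRC=192.168.20.10 DST=192.168.20.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 12 10:16:00 router kernel: IPT-DROP: IN=eth1 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.10.10 DST=192.168.20.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
EOF
)

# Read log lines on stdin, keep only those with our prefix, and count
# (source, destination, protocol, destination port) tuples, busiest first.
# ICMP has no DPT, so that column shows "-".
summarize_drops() {
  awk '/IPT-DROP:/ {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
          n = index($i, "="); if (n == 0) continue
          k = substr($i, 1, n - 1); v = substr($i, n + 1)
          if (k == "SRC") src = v
          else if (k == "DST") dst = v
          else if (k == "PROTO") proto = v
          else if (k == "DPT") dpt = v
        }
        count[src " " dst " " proto " " dpt]++
      }
      END { for (key in count) print count[key], key }' | sort -rn
}

# Report over the constructed sample.
drop_report() { printf '%s\n' "$SAMPLE_LOG" | summarize_drops; }

# Source address responsible for the most dropped packets.
top_source() { drop_report | head -n 1 | awk '{ print $2 }'; }

# Usage: ./droplog.sh /var/log/messages   (no argument: run over the sample)
if [ -n "${1:-}" ]; then summarize_drops < "$1"; else drop_report; fi
```

The report shows what the sender-experience questions on the next slide are about: the office host probing telnet (port 23) three times and never getting an answer is exactly what a DROP looks like from the log side, while on the client side it looks like a hang.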
  • How do we drop a packet?
  • What does the sender experience with a drop rule?
  • How do we reject a packet?
  • What does the sender experience with a reject rule?

  • What rules should we have?

  • Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
  • Are we able to access port 8080 via the router IP?

  • Create two DMZs
  • Expose an SSH service in each DMZ via the same IP but different ports

  • Can
    • defend against specific IP-level characteristics
    • rate-limit a fast stream of packets
    • permit traffic from certain origins only
  • Won’t
    • defend you from application vulnerabilities in the service it exposes

  • What is NAT?
  • A look at a basic NAT rule
  • Let’s NAT
    • Connections from office to DMZ via the router’s DMZ IP
    • ssh
    • Python SimpleHTTPServer
  • What does netstat on the DMZ tell you about the remote IP?
  • What does the Python SimpleHTTPServer log tell you about the remote IP?

  • Checking the NAT table

  • What if we have a pool of public IPs available for NAT?

  • What should the solution be?

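The router's ruleset for everything from the drop/reject slide through the NAT pool question, written in the format "service iptables save" produces in /etc/sysconfig/iptables and "service iptables start" hands to iptables-restore. This is an added example and not the workshop's own rules; the address plan (office 192.168.10.0/24 behind eth1, DMZ 192.168.20.0/24 behind eth2, DMZ host 192.168.20.10 serving port 8080) and the 203.0.113.0/24 documentation range used for the NAT pool are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): the router's complete ruleset in
# iptables-save format, i.e. what /etc/sysconfig/iptables looks like.
# Addresses and interface names are assumptions.
OFFICE_NET=192.168.10.0/24
DMZ_NET=192.168.20.0/24
ROUTER_OFFICE_IP=192.168.10.1   # router leg on the office network
ROUTER_DMZ_IP=192.168.20.1      # router leg on the DMZ network
DMZ_HOST=192.168.20.10          # box running the service on port 8080
OFFICE_IF=eth1
DMZ_IF=eth2

router_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exercise 1: TCP/80 on the router's office IP is rewritten to $DMZ_HOST:8080.
# DNAT runs in PREROUTING, so the FORWARD chain below sees the rewritten address.
-A PREROUTING -d $ROUTER_OFFICE_IP/32 -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST:8080
# Office -> DMZ connections leave wearing the router's DMZ-side IP, so netstat
# and the SimpleHTTPServer log on the DMZ box show $ROUTER_DMZ_IP, not the office host.
-A POSTROUTING -s $OFFICE_NET -o $DMZ_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $OFFICE_NET -p tcp --dport 22 -j ACCEPT
# REJECT: the office sender gets an ICMP error and "connection refused" at once.
-A INPUT -s $OFFICE_NET -j REJECT --reject-with icmp-port-unreachable
# DROP: everyone else sees a silent timeout; log a rate-limited sample first.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $DMZ_HOST/32 -p tcp --dport 8080 -j ACCEPT
-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $DMZ_NET -p tcp --dport 22 -j ACCEPT
# Nothing is forwarded from the DMZ towards the office: that is what makes it a DMZ.
COMMIT
EOF
}

# With a pool of public addresses, SNAT (not MASQUERADE) takes a range and the
# kernel spreads connections across it. Assumes eth0 is the outside interface.
nat_pool_rule() {
  echo "-A POSTROUTING -s $DMZ_NET -o eth0 -j SNAT --to-source 203.0.113.10-203.0.113.20"
}

# Commands to inspect the NAT table and the live translations it has created.
nat_inspect_commands() {
  echo "iptables -t nat -L -n -v --line-numbers"
  echo "cat /proc/net/nf_conntrack"
}

# Cheap structural check before handing the file to iptables-restore:
# every table opened with "*" must be closed with COMMIT.
tables_balanced() {
  opened=$(router_rules | grep -c '^\*')
  closed=$(router_rules | grep -c '^COMMIT$')
  [ "$opened" -eq "$closed" ]
}

# Load into the running kernel (root), replacing the current tables atomically.
apply_rules() {
  [ "$(id -u)" = 0 ] || { echo "run as root" >&2; return 1; }
  router_rules | iptables-restore
}

# Usage: ./router-rules.sh apply   (anything else just prints the ruleset)
if [ "${1:-}" = apply ]; then apply_rules; else router_rules; fi
```

Because the file is loaded by iptables-restore as one unit, editing it directly and then running "service iptables restart" is the same thing "service iptables save" followed by a restart would do; the counters in the [0:0] brackets are simply reset. If you edit by hand, keep the policy lines (":INPUT DROP") above the rules for that chain, and remember that with a DROP policy on FORWARD the ESTABLISHED,RELATED rule is what lets the DMZ's replies back to the office.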
  • Exposing one DMZ to another via routing and NAT
    • On the same laptop
    • Across laptops

  • www.sriramnarayanan.com www.belenix.org @sriramnrn