Your SlideShare is downloading. ×
0
sriram@belenix.org
@sriramnrn
• Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (...
• On the whiteboard during the workshop.
• To be added to the presentation to be made available for download
• This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basi...
• Are you connected to the wifi yet? twguest/d1srupt1ve
• Do you have Vagrant installed and running? Vagrant 1.5.1 at leas...
• Vagrant up, halt, destroy
• Vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your wor...
• Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat
• From your laptop to the various individual boxes
• Print the route table
• Within each box
• Print the route table
• Wha...
• ssh to “office”
• From “office”, ssh to “router”.
• From “router”, ssh to “dmz”
• Why is this working?
• What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes...
• One of the first lessons one learns !
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to...
• SSH and traceroute
• from office to dmz
• from dmz to office
• Does the ssh and traceroute work ?
• Coming up – packet f...
• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz ...
• /proc is temporary. Reboot and check ! ;)
• Does the ping, traceroute, ssh work ?
• Persisting your packet forwarding vi...
• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s...
• One “office”, two DMZs
• Two “offices”, one DMZ
• Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
When we have the current ...
• Making a DMZ a DMZ
• Netfilter – the kernel module
• Iptables – the command line tool
• service iptables status
• What do we see here?
• How and why does iptables startup?
• Chkconfig
• Where the service script is located
• Turning iptables off
• temporaril...
• View the Wikipedia diagram
• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flus...
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
...
• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables ser...
• How do we log a packet?
• How do we log a packet?
• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does th...
• What rules should we have?
• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router I...
• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports
• Can
• defend against specific IP level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t...
• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• ...
• Checking the NAT table
• What if we have a pool of public IPs available for NAT?
• What should the solution be?
• Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops
www.sriramnarayanan.com
www.belenix.org
@sriramnrn
Upcoming SlideShare
Loading in...5
×

Linux routing and firewall for beginners

980

Published on

null Banglaore Chapter - April 2014 Invite only session

Published in: Education, Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
980
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
22
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Linux routing and firewall for beginners"

  1. 1. sriram@belenix.org @sriramnrn
  2. 2. • Introduction • What we will not be covering • Setup – 30 mins • Some network basics • Some VirtualBox basics • Routing (demo, troubleshooting and exercises) • Firewalls (demo, troubleshooting and exercises)
  3. 3. • On the whiteboard during the workshop. • To be added to the presentation to be made available for download
  4. 4. • This session is for beginners • Set up a router, and route between two networks • Set up a firewall, and understand basic firewall administration • What I haven’t tried in today’s infra • Asymmetric routing • We won’t be covering today: • LARTC (Linux Advanced Routing and Traffic Control) • QoS • Policy Based Routing • VPNs
  5. 5. • Are you connected to the wifi yet? twguest/d1srupt1ve • Do you have Vagrant installed and running? Vagrant 1.5.1 at least • Do you have Virtual Box installed and running? (Vbox 4.3 at least) • Download the iptables zip file • Do you have the vagrant.d zip file? (Separate from the Vagrant app) • Set VAGRANT_HOME to c:vagrant.d (where you extract vagrant.d to)
  6. 6. • Vagrant up, halt, destroy • Vagrant ssh • Restarting from scratch • About “office”, “router” and “dmz” • Saving your work via puppet
  7. 7. • Ethernet configuration files • service network restart • ping • traceroute • ssh • netstat
  8. 8. • From your laptop to the various individual boxes • Print the route table • Within each box • Print the route table • What have we discovered ? Draw a diagram • Explore the Virtual Box settings and validate the diagram • Which IPs are you able to ping? From where? • Why is the ping working? • Why is the traceroute working?
  9. 9. • ssh to “office” • From “office”, ssh to “router”. • From “router”, ssh to “dmz” • Why is this working?
  10. 10. • What should our routing look like? • Set up the routes • Are you able to get from office to dmz via the dmz IP? • If yes, why? • If no, what do you think is missing?
  11. 11. • One of the first lessons one learns ! • Set up a route • Set up a return route • Ping • from office to dmz • from dmz to office • Does the ping work ? • We’ll look at SSH and traceroute next • Persisting the route settings
  12. 12. • SSH and traceroute • from office to dmz • from dmz to office • Does the ssh and traceroute work ? • Coming up – packet forwarding
  13. 13. • What is packet forwarding? • How does it work? • About /proc • Ping, traceroute and SSH • from office to dmz • from dmz to office • Does the ping, traceroute, ssh work ? • What does netstat on the receiving side tell you? • Next: Persisting your packet forwarding setting
  14. 14. • /proc is temporary. Reboot and check ! ;) • Does the ping, traceroute, ssh work ? • Persisting your packet forwarding via /etc/sysctl.conf • Reloading /etc/sysctl.conf
  15. 15. • What if both the sides have the same IP address range? • A common scenario between customer-vendor organizations • Let’s see this during the firewalls section
  16. 16. • One “office”, two DMZs • Two “offices”, one DMZ
  17. 17. • Given that we have • One “office”, one “DMZ” • One “office”, two DMZs • Two “offices”, one DMZ When we have the current configuration Then is this “DMZ” a DMZ?
  18. 18. • Making a DMZ a DMZ
  19. 19. • Netfilter – the kernel module • Iptables – the command line tool • service iptables status • What do we see here?
  20. 20. • How and why does iptables startup? • Chkconfig • Where the service script is located • Turning iptables off • temporarily • permanently • flushing the tables • service iptables status • What do we see here?
  21. 21. • View the Wikipedia diagram
  22. 22. • What does a rule look like? • Add a rule • Delete a rule • View the rule • Persist the rule • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly?
  23. 23. • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly? • About iptables restarts and reloads
  24. 24. • Change the default INPUT and FORWARD policies • Edit the iptables files directly • What do you see? • Is an iptables service restart required?
  25. 25. • How do we log a packet?
  26. 26. • How do we log a packet?
  27. 27. • How do we drop a packet? • What does the sender experience with a drop rule? • How do we reject a packet? • What does the sender experience with a reject rule?
  28. 28. • What rules should we have?
  29. 29. • Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP. • Are we able to access port 8080 via the router IP?
  30. 30. • Create two DMZs • Expose an SSH service in each DMZ via the same IP but different ports
  31. 31. • Can • defend against specific IP level characteristics • Fast rate of packets • Permit from certain origins only • Won’t • Defend you from app vulnerabilities
  32. 32. • What is NAT? • A look at a basic NAT rule • Let’s NAT • Connections from office to DMZ via the router’s DMZ IP. • ssh • Python SimpleHTTPServer • What does netstat on the DMZ tell you about the remote IP? • What does the python SimpleHTTPServer log tell you about the remote IP?
  33. 33. • Checking the NAT table
  34. 34. • What if we have a pool of public IPs available for NAT?
  35. 35. • What should the solution be?
  36. 36. • Exposing one DMZ to another via routing and NAT • On the same laptop • Across laptops
  37. 37. www.sriramnarayanan.com www.belenix.org @sriramnrn
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×