Linux – routing and firewall for beginners v 1.0

The slides for a full day workshop that I ran on April 12th 2014.

1. Linux – Routing and Firewall for beginners
   sriram@belenix.org @sriramnrn

2. Agenda
   • Introduction
   • What we will not be covering
   • Setup – 30 mins
   • Some network basics
   • Some VirtualBox basics
   • Routing (demo, troubleshooting and exercises)
   • Firewalls (demo, troubleshooting and exercises)

3. What we should have achieved today
   • This session is for beginners
   • Set up a router, and route between two networks
   • Set up a firewall, and understand basic firewall administration
   • What I haven’t tried in today’s infra:
     • Asymmetric routing
   • We won’t be covering today:
     • LARTC (Linux Advanced Routing and Traffic Control)
     • QoS
     • Policy-based routing
     • VPNs

4. Setup
   • Download and extract iptables.zip from https://www.dropbox.com/s/6ef1nfdplliao30/iptables.zip
   • Change into the iptables directory
   • Run “vagrant up”
   • This will download a 350 MB file from the Vagrant cloud.

5. Working with the infrastructure
   • vagrant up, halt, destroy
   • vagrant ssh
   • Restarting from scratch
   • About “office”, “router” and “dmz”
   • Saving your work via Puppet

6. Some network basics
   • Ethernet configuration files
   • service network restart
   • ping
   • traceroute
   • ssh
   • netstat

7. Getting started with routing
   • From your laptop to the various individual boxes
     • Print the route table
   • Within each box
     • Print the route table
   • What have we discovered? Draw a diagram
   • Explore the VirtualBox settings and validate the diagram
   • Which IPs are you able to ping? From where?
   • Why is the ping working?
   • Why is the traceroute working?

8. Before we set up a route
   • ssh to “office”
   • From “office”, ssh to “router”
   • From “router”, ssh to “dmz”
   • Why is this working?

9. Setting up a direct route to further hops
   • What should our routing look like?
   • Set up the routes
   • Are you able to get from office to dmz via the dmz IP?
     • If yes, why?
     • If no, what do you think is missing?

10. About routes and return routes
    • One of the first lessons one learns!
    • Set up a route
    • Set up a return route
    • Ping
      • from office to dmz
      • from dmz to office
    • Does the ping work?
    • We’ll look at SSH and traceroute next
    • Persisting the route settings

11. When routes and return routes are not enough
    • SSH and traceroute
      • from office to dmz
      • from dmz to office
    • Do ssh and traceroute work?
    • Coming up – packet forwarding

12. About packet forwarding
    • What is packet forwarding?
    • How does it work?
    • About /proc
    • Ping, traceroute and SSH
      • from office to dmz
      • from dmz to office
    • Do ping, traceroute and ssh work?
    • What does netstat on the receiving side tell you?
    • Next: persisting your packet forwarding setting

13. Persisting packet forwarding settings
    • /proc is temporary. Reboot and check! ;)
    • Do ping, traceroute and ssh work?
    • Persisting your packet forwarding via /etc/sysctl.conf
    • Reloading /etc/sysctl.conf
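Slides 9 to 13 walk through three things that all have to be in place before office and dmz can talk through the router: a route on office, a return route on dmz, and packet forwarding enabled on router. The script below is an added example for this workshop writeup, not part of the deck or its vagrant setup. It simulates the three boxes with a longest-prefix-match route lookup and an ip_forward flag, so each piece can be removed in turn and the exact failure seen; the addresses (10.0.2.0/24 for office, 10.0.3.0/24 for dmz, router at .254 on both) are assumptions, and the real `ip route` and `sysctl` commands it models are listed in the header comment.

```shell
#!/bin/sh
# Added example, not from the workshop deck: a small simulation of the three lab
# boxes showing why a route, a return route AND ip_forward on the router are all
# needed before ping, ssh and traceroute from office to dmz work end to end.
# Addresses are ASSUMED; the deck's vagrant boxes may use different ones:
#   office 10.0.2.10 (eth1)  router 10.0.2.254 (eth1) + 10.0.3.254 (eth2)  dmz 10.0.3.10 (eth1)
# The real commands this models, one per box:
#   office# ip route add 10.0.3.0/24 via 10.0.2.254          (the route)
#   dmz#    ip route add 10.0.2.0/24 via 10.0.3.254          (the return route)
#   router# sysctl -w net.ipv4.ip_forward=1                  (lives in /proc, gone after reboot)
#   router# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf && sysctl -p   (persistent)
# Knobs: OFFICE_ROUTE=no, DMZ_RETURN_ROUTE=no or ROUTER_FORWARD=0 remove one piece each.

addr_of() { case $1 in office) echo 10.0.2.10 ;; router) echo 10.0.2.254 ;; dmz) echo 10.0.3.10 ;; esac; }
owner_of() { # which box answers to an address (prints nothing if none does)
  case $1 in
    10.0.2.10) echo office ;;
    10.0.2.254|10.0.3.254) echo router ;;
    10.0.3.10) echo dmz ;;
  esac
}
forwarding_on() { # models the value of /proc/sys/net/ipv4/ip_forward on each box
  case $1 in router) echo "${ROUTER_FORWARD:-1}" ;; *) echo 0 ;; esac
}
routes_of() { # one line per route, as `ip route` prints them: "<net>/<len> dev <if>" or "<net>/<len> via <gw>"
  case $1 in
    office) echo "10.0.2.0/24 dev eth1"
            if [ "${OFFICE_ROUTE:-yes}" = yes ]; then echo "10.0.3.0/24 via 10.0.2.254"; fi ;;
    router) echo "10.0.2.0/24 dev eth1"; echo "10.0.3.0/24 dev eth2" ;;
    dmz)    echo "10.0.3.0/24 dev eth1"
            if [ "${DMZ_RETURN_ROUTE:-yes}" = yes ]; then echo "10.0.2.0/24 via 10.0.3.254"; fi ;;
  esac
}

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
in_prefix() { # in_prefix ADDR NET/LEN: true if ADDR falls inside the prefix
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
lookup() { # lookup HOST ADDR: longest-prefix match; prints "via GW" or "dev IF", fails when no route matches
  best=-1; hop=""
  while read -r net kind arg; do
    if [ -n "$net" ] && in_prefix "$2" "$net" && [ "${net#*/}" -gt "$best" ]; then
      best=${net#*/}; hop="$kind $arg"
    fi
  done <<EOF
$(routes_of "$1")
EOF
  [ "$best" -ge 0 ] && echo "$hop"
}
trace() { # trace SRC_HOST DST_ADDR: prints the hop list, or why the packet died (exit 1)
  host=$1; path=$1; hops=0
  while [ "$(owner_of "$2")" != "$host" ]; do
    # a box that is neither source nor destination must forward, or the packet dies here
    if [ "$host" != "$1" ] && [ "$(forwarding_on "$host")" != 1 ]; then
      echo "dropped at $host: net.ipv4.ip_forward=0"; return 1
    fi
    nh=$(lookup "$host" "$2") || { echo "no route to $2 on $host"; return 1; }
    case $nh in
      via*) host=$(owner_of "${nh#via }") ;;   # hand the packet to the gateway
      *)    host=$(owner_of "$2") ;;           # directly connected: deliver on the link
    esac
    [ -n "$host" ] || { echo "$2 is not reachable on the link"; return 1; }
    path="$path -> $host"; hops=$((hops + 1))
    [ "$hops" -le 8 ] || { echo "routing loop"; return 1; }
  done
  echo "$path"
}
roundtrip() { # roundtrip SRC_HOST DST_HOST: a ping needs both the request AND the reply to route
  req=$(trace "$1" "$(addr_of "$2")") || { echo "request: $req"; return 1; }
  rep=$(trace "$2" "$(addr_of "$1")") || { echo "reply: $rep"; return 1; }
  echo "$req / $rep"
}

# Demo: the working setup, then the two classic mistakes (the last two are expected to fail).
roundtrip office dmz
(DMZ_RETURN_ROUTE=no; roundtrip office dmz) || true
(ROUTER_FORWARD=0; roundtrip office dmz) || true
```

With only the route on office, the request reaches dmz but the reply has nowhere to go, which is why slide 10 insists on the return route; with both routes but ip_forward=0 the packet dies on the router, which is the slide 12 lesson. Persisting the route on a RHEL/CentOS-style box goes in /etc/sysconfig/network-scripts/route-ethN, the sysctl line in /etc/sysctl.conf as shown in the header.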
14. When both sides have the same IP range
    • What if both sides have the same IP address range?
    • A common scenario between customer and vendor organizations
    • Let’s see this during the firewalls section

15. Some exercises
    • One “office”, two DMZs
    • Two “offices”, one DMZ

16. Questions
    • Given that we have
      • One “office”, one “DMZ”
      • One “office”, two DMZs
      • Two “offices”, one DMZ
    • When we have the current configuration
    • Then is this “DMZ” a DMZ?

17. The need for a firewall
    • Making a DMZ a DMZ

18. iptables and netfilter
    • Netfilter – the packet-filtering framework inside the kernel
    • iptables – the command-line tool that configures it
    • service iptables status
    • What do we see here?

19. iptables – getting around
    • How and why does iptables start up?
    • chkconfig
    • Where the service script is located
    • Turning iptables off
      • temporarily
      • permanently
      • flushing the tables
    • service iptables status
    • What do we see here?

20. iptables – what are tables?
    • View the Wikipedia diagram

21. iptables rules – the basics
    • What does a rule look like?
    • Add a rule
    • Delete a rule
    • View the rule
    • Persist the rule

22. iptables rules – persisting
    • What happens when you flush the tables?
    • How do we save the rules (service iptables save)
    • Where are the rules saved?
    • How are the rules loaded?
    • Is it safe to edit the file directly?
    • About iptables restarts and reloads

23. iptables – default policies
    • Change the default INPUT and FORWARD policies
    • Edit the iptables file directly
    • What do you see?
    • Is an iptables service restart required?

24. iptables – logging packets
    • How do we log a packet?

25. iptables – allowing packets
    • How do we allow a packet?

26. iptables – dropping and rejecting packets
    • How do we drop a packet?
    • What does the sender experience with a DROP rule?
    • How do we reject a packet?
    • What does the sender experience with a REJECT rule?

27. iptables – let’s make that DMZ a DMZ!
    • What rules should we have?
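Slides 23 to 27 ask what a DMZ ruleset on the router should look like and what the sender sees for LOG, DROP and REJECT. The script below is an added example for this writeup, not from the deck: `dmz_rules` prints a FORWARD ruleset in iptables-save format (DROP by default, office may open ssh and port 8080 into the dmz, the dmz may only reply, new dmz-to-office connections are logged and rejected), and `check_dmz_policy` lints a saved dump so you can answer slide 16's question for whatever is actually loaded. Networks, interface names and the two allowed ports are assumptions; the `service`/`chkconfig` commands in the deck suggest a RHEL/CentOS 6-style box, where `service iptables save` writes /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the workshop deck. FORWARD rules for the "router" box
# that make the dmz a real DMZ: office may open ssh and the 8080 web service in
# the dmz, the dmz may only answer, and anything the dmz tries to start towards
# the office is logged and refused. Addresses and interfaces are ASSUMED:
# office 10.0.2.0/24 behind eth1, dmz 10.0.3.0/24 behind eth2.
# Review the output, then on the router (as root):
#   dmz_rules | iptables-restore      # load it (replaces the filter table)
#   service iptables save             # persist it; RHEL/CentOS 6 writes /etc/sysconfig/iptables
#   iptables-save | check_dmz_policy  # lint what is actually loaded

OFFICE_NET=${OFFICE_NET:-10.0.2.0/24}; OFFICE_IF=${OFFICE_IF:-eth1}
DMZ_NET=${DMZ_NET:-10.0.3.0/24};       DMZ_IF=${DMZ_IF:-eth2}

dmz_rules() { # prints the ruleset in iptables-save format (lines starting with # are ignored on restore)
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to a connection that was allowed in are fine in both directions.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The office may start connections into the DMZ, but only to these two services.
-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $DMZ_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $DMZ_NET -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# A new connection from the DMZ towards the office is logged (rate-limited so a
# scan cannot flood /var/log/messages) and then rejected: the sender gets an ICMP
# error at once, whereas DROP would leave it waiting for a timeout.
-A FORWARD -i $DMZ_IF -o $OFFICE_IF -s $DMZ_NET -d $OFFICE_NET -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ->OFFICE blocked: "
-A FORWARD -i $DMZ_IF -o $OFFICE_IF -s $DMZ_NET -d $OFFICE_NET -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

is_leak() { # is_leak RULE: true when a saved FORWARD rule lets the DMZ *start* a connection to the office
  case $1 in
    "-A FORWARD "*"-s $DMZ_NET "*"-j ACCEPT"*) ;;
    *) return 1 ;;                                  # not an ACCEPT of DMZ-sourced traffic
  esac
  case $1 in                                         # aimed at some other destination?
    *"-d "*) case $1 in *"-d $OFFICE_NET "*) ;; *) return 1 ;; esac ;;
  esac
  case $1 in
    *"--state "*NEW*|*"--ctstate "*NEW*) return 0 ;;  # explicitly allows new connections
    *"--state "*|*"--ctstate "*) return 1 ;;          # ESTABLISHED/RELATED only: replies, fine
    *) return 0 ;;                                    # stateless ACCEPT: anything goes
  esac
}

check_dmz_policy() { # reads an iptables-save dump on stdin; exit 1 with a reason if the DMZ is not fenced off
  policy=""
  while read -r line; do
    case $line in ":FORWARD "*) policy=${line#:FORWARD }; policy=${policy%% *} ;; esac
    if is_leak "$line"; then echo "leak: $line"; return 1; fi
  done
  [ "$policy" = DROP ] || { echo "FORWARD policy is '${policy:-missing}', expected DROP"; return 1; }
  echo "ok: FORWARD drops by default and the DMZ cannot open connections into the office"
}

dmz_rules | check_dmz_policy
```

The checker only looks at the FORWARD chain, which is where a router decides what crosses between the two networks; hardening INPUT on each box is a separate job. Editing /etc/sysconfig/iptables by hand and running `service iptables restart` loads the same format the script emits.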
28. iptables – port forwarding – exercise 1
    • Exercise 1: expose port 8080 on the DMZ via port 80 on the router IP.
    • Are we able to access port 8080 via the router IP?

29. iptables – port forwarding – exercise 2
    • Create two DMZs
    • Expose an SSH service in each DMZ via the same IP but different ports

30. Reality check: what a firewall is and isn’t
    • Can
      • defend against specific IP-level characteristics
      • defend against a fast rate of packets
      • permit traffic from certain origins only
    • Won’t
      • defend you from application vulnerabilities

31. iptables – NAT
    • What is NAT?
    • A look at a basic NAT rule
    • Let’s NAT
      • Connections from office to DMZ via the router’s DMZ IP
      • ssh
      • Python SimpleHTTPServer
    • What does netstat on the DMZ tell you about the remote IP?
    • What does the Python SimpleHTTPServer log tell you about the remote IP?

32. iptables – NAT – behind the scenes
    • Checking the NAT table

33. iptables – NAT – one-to-one vs a range
    • What if we have a pool of public IPs available for NAT?
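Slides 28, 29 and 31 to 33 cover destination NAT (port forwarding) and source NAT on the router. The script below is an added example for this writeup, not from the deck: `nat_rules` prints the nat table for both port-forwarding exercises and for the SNAT that makes the dmz see the router's address, and `forward_rules_for_dnat` derives the FORWARD ACCEPT rules every DNAT needs once the FORWARD policy is DROP (slide 23), a step that is easy to forget because DNAT rewrites the destination before FORWARD evaluates the packet. Addresses, interface names and the second dmz box (10.0.3.11) are assumptions.

```shell
#!/bin/sh
# Added example, not from the workshop deck. The nat-table rules on the "router"
# box for the two port-forwarding exercises plus the source NAT the NAT slides
# ask about, in iptables-save format. Addresses, interfaces and the second DMZ
# box are ASSUMED: router 10.0.2.254 on eth1 (office side) and 10.0.3.254 on
# eth2 (dmz side); dmz 10.0.3.10; dmz2 10.0.3.11 (exercise 2 only).
# On the router (as root):
#   nat_rules | iptables-restore -n     # -n = do not flush the filter table already loaded
#   iptables -t nat -L -n -v            # "behind the scenes": the table with packet counters

ROUTER_OFFICE_IP=${ROUTER_OFFICE_IP:-10.0.2.254}; OFFICE_IF=${OFFICE_IF:-eth1}
ROUTER_DMZ_IP=${ROUTER_DMZ_IP:-10.0.3.254};       DMZ_IF=${DMZ_IF:-eth2}
OFFICE_NET=${OFFICE_NET:-10.0.2.0/24}
DMZ1=${DMZ1:-10.0.3.10}; DMZ2=${DMZ2:-10.0.3.11}

nat_rules() { # prints the nat table in iptables-save format
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exercise 1: port 80 on the router's office-side IP is really port 8080 in the DMZ.
-A PREROUTING -i $OFFICE_IF -d $ROUTER_OFFICE_IP -p tcp --dport 80 -j DNAT --to-destination $DMZ1:8080
# Exercise 2: one IP, two DMZ ssh servers, told apart by the port the client connects to.
-A PREROUTING -i $OFFICE_IF -d $ROUTER_OFFICE_IP -p tcp --dport 2201 -j DNAT --to-destination $DMZ1:22
-A PREROUTING -i $OFFICE_IF -d $ROUTER_OFFICE_IP -p tcp --dport 2202 -j DNAT --to-destination $DMZ2:22
# Source NAT: office traffic leaves $DMZ_IF wearing the router's DMZ-side address, which
# is why netstat and the SimpleHTTPServer log on the DMZ show $ROUTER_DMZ_IP, not the
# office box. A pool of addresses is written as a range, e.g. --to-source 10.0.3.200-10.0.3.210.
-A POSTROUTING -o $DMZ_IF -s $OFFICE_NET -j SNAT --to-source $ROUTER_DMZ_IP
COMMIT
EOF
}

# DNAT rewrites the destination in PREROUTING, *before* the FORWARD chain sees the
# packet. With a FORWARD DROP policy every DNAT therefore needs a matching ACCEPT
# for the translated address and port, or the forwarded service silently times out.
# This derives those ACCEPT rules from the DNAT rules read on stdin.
forward_rules_for_dnat() {
  while read -r line; do
    case $line in
      "-A PREROUTING "*"-j DNAT --to-destination "*) ;;
      *) continue ;;
    esac
    proto=tcp
    case $line in *" -p udp "*) proto=udp ;; esac
    target=${line##*"--to-destination "}     # "10.0.3.10:8080", or just "10.0.3.10"
    target=${target%% *}
    case $target in
      *:*) echo "-A FORWARD -i $OFFICE_IF -o $DMZ_IF -d ${target%:*} -p $proto --dport ${target#*:} -m state --state NEW -j ACCEPT" ;;
      *)   echo "-A FORWARD -i $OFFICE_IF -o $DMZ_IF -d $target -p $proto -m state --state NEW -j ACCEPT" ;;
    esac
  done
}

nat_rules
echo "# FORWARD rules the filter table must also contain:"
nat_rules | forward_rules_for_dnat
```

After loading, `iptables -t nat -L -n -v` shows the DNAT and SNAT entries with their hit counters, which is the quickest way to tell whether a test connection from office even matched the rule; `netstat -tn` on the dmz then shows the router's DMZ-side address as the peer, exactly the observation slide 31 asks for.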
34. When both sides have the same IP range
    • What should the solution be?

35. Some exercises
    • Exposing one DMZ to another via routing and NAT
      • On the same laptop
      • Across laptops

36. Thank you!
    www.sriramnarayanan.com www.belenix.org @sriramnrn
