Routing with Linux 'cause you really love the command line

Jim Salter
Technomancer, Mercenary Sysadmin, Small Business Owner

Today's slides can be found at: http://openoid.net/presentations/

This presentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
(C) 2015 jim@openoid.net

WARNING: super techie sysadmin crap ahead. proceed at own risk

What's in one of these, anyway?

At a minimum:
* DHCP server
* DNS server
* router (lol)
* firewall
* NAT

One of these kids is not like the others...

Why Linux? Why bare?

* Performance
* Reliability
* Flexibility
* Security
* Mastery

Which Linux? Ubuntu. if you don't like it, write your own “how to build a Linux router” presentation

seriously, why Ubuntu?

* stripped down
* clean CLI
* apt packages
* predictable LTS

But I like a GUI ='( then try an x86 build of DD-WRT! =)

But I like a GUI ='( then try an x86 build of pfSense! =)

Performance, you say? yes, performance =)

Overview

* configure network interfaces
* enable IP forwarding in /etc/sysctl.conf
* enable DHCP service with isc-dhcp-server
* enable DNS service with bind9
* set up NAT with iptables masquerade
* set up firewall rules with iptables

configure interfaces

# /etc/network/interfaces

# loopback interface
auto lo
iface lo inet loopback

# The WAN interface (marked LAN1 on the case)
auto p4p1
iface p4p1 inet dhcp

# The LAN interface (marked LAN2 on the case)
auto p1p1
iface p1p1 inet static
    address 192.168.99.1
    netmask 255.255.255.0

enable ipv4 forwarding

you@box:~$ sudo nano /etc/sysctl.conf

# Uncomment the next line to enable
# packet forwarding for IPv4
#net.ipv4.ip_forward=1

you@box:~$ sudo sysctl -p

Delete the leading # so the line reads net.ipv4.ip_forward=1, then sysctl -p loads the file. Without this the kernel never moves a packet between p1p1 and p4p1, no matter what the iptables rules say.

dhcp and dns

you@box:~$ sudo apt-get update
you@box:~$ sudo apt-get install isc-dhcp-server
you@box:~$ sudo apt-get install bind9

# /etc/dhcp/dhcpd.conf
subnet 192.168.99.0 netmask 255.255.255.0 {
    range 192.168.99.100 192.168.99.199;
    option routers 192.168.99.1;
    option domain-name-servers 192.168.99.1;
    option broadcast-address 192.168.99.255;
}

you@box:~$ sudo /etc/init.d/isc-dhcp-server restart

startup script

you@box:~$ sudo touch /etc/network/if-pre-up.d/iptables; sudo chmod 755 /etc/network/if-pre-up.d/iptables

#!/bin/sh
# this is /etc/network/if-pre-up.d/iptables
# it starts the firewall immediately prior
# to any network interface coming online.
/sbin/iptables-restore << EOF
# rules go here
EOF

The chmod matters: ifupdown only runs the scripts in if-pre-up.d that are executable, and a rule file that silently never runs leaves the box with no firewall at all.

iptables anatomy

This is a table. It begins with its *name and the default policies for its :chains.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

If it doesn't end with COMMIT, your ruleset won't parse! (The [0:0] after each policy is the chain's packet and byte counter pair; iptables-restore needs the brackets there even though it starts the counters at zero.)

skeleton iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:FORWARD ACCEPT [0:0]
# Service rules
-A INPUT -j DROP
# Forwarding rules
-A FORWARD -j DROP
COMMIT

Note that every policy here is ACCEPT (and :INPUT / :OUTPUT aren't even listed under *filter, so they keep whatever policy the kernel already had, ACCEPT on a fresh box). What makes this ruleset default-deny is the trailing -A INPUT -j DROP and -A FORWARD -j DROP, so every ACCEPT rule added later has to land above those two lines.

the *nat table

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# p4p1 is WAN interface, p1p1 is LAN interface
-A POSTROUTING -o p4p1 -j MASQUERADE
COMMIT

*filter table - srv rules

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# basic global accept - ICMP, loopback, traceroute, established
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# (-m state --state is the older spelling of -m conntrack --ctstate)
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS, SSH, DHCP client requests - accept from LAN
-A INPUT -i p1p1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i p1p1 -p udp --dport 53 -j ACCEPT
-A INPUT -i p1p1 -p tcp --dport 22 -j ACCEPT
-A INPUT -i p1p1 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP

Everything the box itself listens on (DNS, SSH, DHCP) is matched with -i p1p1, so it is reachable from the LAN only; the WAN side gets ICMP and the traceroute rejections and nothing else. These are iptables rules, so they cover IPv4 only: if the WAN ever hands the box an IPv6 address, ip6tables needs an equivalent ruleset, because nothing here filters v6.

*filter section - forwarding

# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (p1p1) to WAN (p4p1)
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT

port forwarding

# pinholes go in *nat table before its COMMIT!
# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 80 -j DNAT --to-destination 192.168.99.100:80

# the matching forward rules go in *filter table
# before its COMMIT!
# forwarded traffic from our NAT pinhole
-A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT

Both halves are needed: DNAT only rewrites the destination address, and the rewritten packet still has to get through FORWARD, which drops anything not explicitly accepted, so the FORWARD rule must sit above the final -A FORWARD -j DROP. The -i p4p1 on the PREROUTING rule keeps the rewrite to connections arriving on the WAN. One catch with this particular example: 192.168.99.100 is inside the dynamic pool the dhcpd.conf above hands out (192.168.99.100 to .199), so give the web server a fixed address outside that pool, or the pinhole ends up pointing at whichever client happened to lease .100.

ha, ha, you can't read this

#!/bin/sh
# This is /etc/network/if-pre-up.d/iptables. It starts the firewall
# immediately prior to any network interface coming online.
WAN=p4p1
LAN=p1p1

/sbin/iptables-restore << EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i $WAN --dport 80 -j DNAT --to-destination 192.168.99.100:80
COMMIT

*filter
:FORWARD ACCEPT [0:0]
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i $LAN -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP

# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (p1p1) to WAN (p4p1)
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# allow traffic from our NAT pinhole
-A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
EOF

The heredoc is deliberately unquoted so $WAN and $LAN expand before iptables-restore reads the rules. Note the COMMIT closing *filter right before EOF: without it iptables-restore rejects the whole ruleset, exactly as the anatomy slide warns, and the box comes up with no rules at all.
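Because a ruleset that fails to parse leaves the box with no firewall, it pays to check the file before iptables-restore sees it. The script below is an added example, not code from Jim Salter's deck: a POSIX sh function wrapping awk that reads a ruleset in iptables-restore format from stdin and flags the three slips the slides warn about, a *table block that never reaches COMMIT, an INPUT or FORWARD chain in *filter that does not end in -j DROP, and a DNAT pinhole in *nat with no matching -A FORWARD ... -d ... --dport ... -j ACCEPT in *filter. The two rulesets embedded in it are constructed for the demo; the second one deliberately has the last two problems. The function names (check_ruleset, count_errors) are this example's own.

```shell
#!/bin/sh
# Structural lint for an iptables-restore ruleset (added example, not from the deck).

# Constructed ruleset laid out like the deck's: nat + filter both COMMITted,
# DNAT pinhole with its matching FORWARD accept, default-deny via trailing DROPs.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p4p1 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 80 -j DNAT --to-destination 192.168.99.100:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
-A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# Constructed broken ruleset: *filter never COMMITs, and the SSH pinhole has no
# FORWARD rule, so its DNATed packets would hit the final DROP.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p4p1 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 2222 -j DNAT --to-destination 192.168.99.50:22
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
-A FORWARD -j DROP'

# check_ruleset: ruleset on stdin; prints one ERROR line per finding,
# exits 0 when clean and 1 otherwise.
check_ruleset() {
    awk '
    function fail(msg) { print "ERROR: " msg; rc = 1 }
    BEGIN { rc = 0; table = "" }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {                                   # *name opens a table
        if (table != "") fail("*" table " is not closed with COMMIT")
        table = substr($0, 2); seen[table] = 1; next
    }
    /^COMMIT[ \t]*$/ {                        # COMMIT closes the open table
        if (table == "") fail("COMMIT outside any table")
        table = ""; next
    }
    /^-A / {                                  # -A chain ... -j target
        if (table == "") fail("rule outside any table: " $0)
        chain = $2; target = dst = dport = todest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to-destination") todest = $(i + 1)
        }
        sub(/\/32$/, "", dst)
        last[table ":" chain] = target        # remember the final target per chain
        if (table == "nat" && chain == "PREROUTING" && target == "DNAT" && todest != "") {
            if (index(todest, ":") == 0 && dport != "") todest = todest ":" dport
            pinhole[todest] = 1
        }
        if (table == "filter" && chain == "FORWARD" && target == "ACCEPT" && dst != "" && dport != "")
            fwd[dst ":" dport] = 1
    }
    END {
        if (table != "") fail("*" table " is not closed with COMMIT (iptables-restore rejects the whole file)")
        if (!("filter" in seen)) fail("no *filter table at all")
        n = split("INPUT FORWARD", chains, " ")
        for (k = 1; k <= n; k++)
            if (("filter" in seen) && last["filter:" chains[k]] != "DROP")
                fail("*filter chain " chains[k] " does not end with -j DROP")
        for (p in pinhole)
            if (!(p in fwd))
                fail("DNAT pinhole to " p " has no matching -A FORWARD ... -d/--dport ... -j ACCEPT in *filter")
        exit rc
    }'
}

# count_errors: number of ERROR lines for the ruleset on stdin (always exits 0).
count_errors() { check_ruleset | grep -c '^ERROR' || true; }

# Demo: the good ruleset passes, the bad one is rejected with two findings.
if printf '%s\n' "$GOOD_RULES" | check_ruleset; then echo "good ruleset: OK"; fi
if printf '%s\n' "$BAD_RULES" | check_ruleset; then echo "bad ruleset: OK?!"; else echo "bad ruleset: rejected"; fi
```

To run it against the startup script from the deck, pull the heredoc body out (everything between the << EOF and EOF lines, with $WAN and $LAN expanded) and pipe it in. The authoritative parse check is still sudo iptables-restore --test < rules, which needs root and a box with iptables installed; this one runs anywhere, never touches the live firewall, and also catches the pinhole-without-FORWARD slip that parses fine but silently drops the forwarded traffic.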

Questions? Comments? Angry denunciations?