Tutorial 6: Networking Utilities & Firewall


1 Tutorial 6: Networking Utilities & Firewall

2 Internet Control Message Protocol (ICMP)
ICMP is designed to compensate for the deficiencies of the IP protocol.
ICMP's functions:
- Announce network errors
- Announce network congestion
- Announce timeouts
- Assist troubleshooting

3 Type:
- 3: Destination unreachable
- 4: Source quench
- 11: Time exceeded
- 12: Parameter problem
- 5: Redirection
- 8, 0: Echo request or reply
- 13, 14: Timestamp request and reply
- 17, 18: Address mask request and reply
- 10, 9: Router solicitation and advertisement

4 How do we test the network?
- ifconfig
- ping
- netstat
- nslookup
- traceroute
- tcpdump

5 How do we know the network interface settings? – ifconfig
ifconfig is used to assign an address to a network interface or to configure network interface parameters.
WARNING: it is dangerous to use ifconfig to change the configuration if you are not familiar with it. Use other user-level utilities instead, for example netconfig on RedHat.

6 Ifconfig
View interface information: ifconfig -a

    [root]# /sbin/ifconfig -a
    eth0  Link encap:Ethernet HWaddr 00:C0:4F:7A:BA:C7
          inet addr: Bcast: Mask:
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets: errors:0 dropped:0 overruns:0 frame:0
          TX packets: errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xdc80
    lo    Link encap:Local Loopback
          inet addr: Mask:
          UP LOOPBACK RUNNING MTU:3924 Metric:1
          RX packets:46811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Callouts on the slide:
- Ethernet Address (HWaddr)
- IP Address & Netmask (inet addr, Mask)
- MAX Segment Size (MTU)
- # of packets sent/received (RX packets, TX packets)

7 How do we know the host is reachable/alive? – Ping
ping utilizes the ICMP protocol's ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from the specified host or network gateway.
[Diagram: pc90002 executes "ping pc90001"; an ECHO_REQUEST goes from pc90002 to pc90001 and an ECHO_RESPONSE comes back.]

8 Ping
Useful options:
    -c count        specify # of ECHO_REQUEST packets to send
    -i wait         specify the time interval between sending each packet
    -s packetsize   specify # of data bytes to be sent
    -R              Record route. Displays the route buffer on returned packets.
Note that the IP header is only large enough for nine such routes. The rest of the hosts are ignored or discarded with this option. In that case, you can use traceroute instead.

9 How do we know the usage of ports? – netstat
netstat displays the contents of various network-related data structures in various formats.
NOTICE: some of the options differ between Solaris and Linux. Please refer to the corresponding man page.

10 Netstat

    Command         Function
    netstat -r      Show routing table
  * netstat -M      Show multicast routing table
  * netstat -ms     Show stream and protocol statistics
    netstat -a      Show state of all sockets and routing table entries
    netstat -n      Show numerical addresses instead of host names
    netstat -i      Show state of interfaces

Commands marked with * only work in Solaris; Linux has different options to achieve the same function.

11 How do we find an IP address from a hostname? – nslookup
nslookup is a networking application that sends queries to DNS to request domain name information.
nslookup is deprecated; use dig and host instead.
Set the default DNS in /etc/resolv.conf (RedHat):

    nameserver                  #set default DNS
    search cse.cuhk.edu.hk      #set default domain name

12 How do we know the routing path to a remote host? – traceroute
traceroute utilizes the IP protocol 'time to live' (ttl) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
[Diagram: pc90002 runs "traceroute pc90001"; the path is pc90002 -> gateway1 -> gateway2 -> pc90001, with probes of ttl = 1, 2, ... going out and TIME_EXCEEDED responses coming back.]
- Packets are generated with ttl = 1, 2, 3, ...
- The ttl is decremented while passing each gateway.
- If ttl = 0, the host/gateway replies with a TIME_EXCEEDED back to the source.

13 How do we know whether packets are sent/received at the interface? – tcpdump
tcpdump prints out the headers of packets on a network interface that match the boolean expression.
It can only be executed by root.

14 Tcpdump
tcpdump [expression]
The expression is a boolean expression that selects the packets to be dumped.
- Type (including host, net and port):
    host pc90001
    net
    port 21
- Dir (specifies a particular transfer direction, including src, dst):
    src pc90002
    dst net
- Proto (specifies a particular protocol, including ether, ip, arp, tcp, udp and so on):
    tcp port 21
    ether src pc90001

15 Tcpdump Examples
To print all packets arriving at or departing from pc90002:
    tcpdump host pc90002
To print all IP packets except pc90004:
    tcpdump ip host not pc90004
To print all UDP packets from pc90001, showing the header contents:
    tcpdump -x udp and host pc90001
To print all ICMP packets sent from pc90001:
    tcpdump icmp and src host pc90001

16 Tcpdump

    [root]# tcpdump udp
    tcpdump: listening on eth0
    13:01: netbios-ns > netbios ns: udp 50
    13:01: pc90060.cse.cuhk.edu.hk > garden.cse.cuhk.edu.hk.domain: (44)
    13:01: netbios-ns > netbios-ns: udp 50
    13:01: pc90060.cse.cuhk.edu.hk > beryl.cse.cuhk.edu.hk.domain: (44)
    13:01: pc90060.cse.cuhk.edu.hk > garden.cse.cuhk.edu.hk.domain: (44)

    [root]# tcpdump -x icmp and src host solar22
    tcpdump: listening on eth0
    13:03: solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
        dbf fe01 dab4 89bd bd 5a3c 0800 dd63 0d a91 f54c 0003 f a0b 0c0d 0e0f
    :03: solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
        dbfa 4000 fe01 daae 89bd bd 5a3c e9 0d a91 f54f fb a0b 0c0d 0e0f
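To make the hex that `tcpdump -x icmp` prints readable, the following added example (not part of the original tutorial) decodes an IPv4 + ICMP packet and verifies both checksums. The sample packet is constructed in the code, and all function names and the 10.0.0.x addresses are assumptions.

```python
import socket
import struct

# Type names taken from the tutorial's ICMP type list (subset).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirection", 8: "echo request", 11: "time exceeded",
              12: "parameter problem"}

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), used by both IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src, dst, ident, seq, payload=b"") -> bytes:
    """Constructed sample packet, not captured traffic. TTL 254 and DF mirror
    the 'fe01' and '(DF)' visible in the tutorial's dump."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 254, 1,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + icmp

def from_tcpdump_hex(text: str) -> bytes:
    """Turn the space-separated hex groups printed by `tcpdump -x` into bytes."""
    return bytes.fromhex("".join(text.split()))

def parse_icmp(packet: bytes) -> dict:
    """Decode the IPv4 header, then the ICMP header behind it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    total_len, _, flags, ttl, proto = struct.unpack("!HHHBB", packet[2:10])
    if ihl < 20 or proto != 1 or min(len(packet), total_len) < ihl + 8:
        raise ValueError("not a complete ICMP-over-IPv4 packet")
    icmp = packet[ihl:total_len]
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "ttl": ttl, "df": bool(flags & 0x4000),
            "type": ICMP_TYPES.get(icmp[0], "unknown (%d)" % icmp[0]),
            "code": icmp[1],
            "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
            "icmp_checksum_ok": inet_checksum(icmp) == 0}
```

A checksum that verifies to zero means the header arrived intact; a mismatch in a capture usually points to truncation (snap length) or checksum offload on the capturing host.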

17 What is a firewall?
A firewall is a secure and trusted machine that aims to protect the internal network from outside attacks.
It is usually located between the private network and the public network.
It is configured with a set of rules that determine whether incoming or outgoing network traffic is accepted, denied or rejected.
Why do I need a firewall?
- Control
- Security
- Watchfulness

18 Using iptables
There are three types of built-in chains (or lists of rules):
- INPUT – packets destined for the local system
- OUTPUT – packets that originate from the local system
- FORWARD – packets that enter the system and are forwarded to another destination
[Diagram: packet flow through the Routing Decision, Forward, Input, Local Process and Output stages.]

19 There are mainly three types of operations:
- ACCEPT – accept the packet
- DROP – discard the packet silently
- REJECT – actively reply to the source that the packet is rejected
The rules are consulted in order until the first rule matching the packet is located. If no rule matches the packet, the kernel looks at the chain policy.

20 Operations to manage whole chains:
- -N: create a new chain
- -P: change the policy of a built-in chain
- -L: list the rules in a chain
- -F: flush the rules out of a chain
Operations to manipulate rules inside a chain:
- -A: append a new rule to a chain
- -I: insert a new rule at some position in a chain
- -R: replace a rule at some position in a chain
- -D: delete a rule in a chain

21 Some filtering specifications:
- -j: specify the rule target
- -s: specify the source addresses
- -d: specify the destination addresses
- -p: specify the protocol used (e.g. tcp, udp, icmp)
- -i: specify the input interface
- -o: specify the output interface
- !: specify the inversion (i.e. NOT)

22 TCP Extensions:
- --tcp-flags: filter on specific flags
- --syn: shorthand for --tcp-flags SYN,RST,ACK SYN
- --source-port (or --sport): specify the source port
- --destination-port (or --dport): specify the destination port
UDP Extensions:
- --sport and --dport

23 Logging
Logging can be done by specifying the rule target as LOG (i.e. -j LOG).
Options:
- --log-level: debug, info, notice, warning, err, crit, alert, and emerg. Type "man syslog.conf" for details.
- --log-prefix: uniquely identify a log message.

24 Examples
Drop all icmp (such as ping) packets:
    iptables -A INPUT -p icmp -j DROP
Flush all chains:
    iptables -F
List all existing rules:
    iptables -L
Accept the ssh service from CSE machines:
    iptables -A INPUT -p tcp -s /22 -d 0/0 --dport 22 -j ACCEPT

25 Reject all incoming TCP traffic destined for ports 0 to 1023:
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 0:1023 -j REJECT
Reject all outgoing TCP traffic except the one destined for
    iptables -A OUTPUT -p tcp -s 0/0 -d ! -j REJECT
Drop all SYN packets from pc89184:
    iptables -A INPUT -p tcp -s pc89184 --syn -j DROP
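The first-match rule and chain policy described earlier make rule order significant, which the following added example (a model written for this page, not iptables code or part of the original tutorial) shows by evaluating the tutorial's ssh, low-port and icmp rules in two different orders. The Rule class, the packet dictionaries and the addresses (10.0.0.0/22 standing in for the CSE network, ssh on port 22) are assumptions.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    target: str                      # -j: ACCEPT, DROP, REJECT or LOG
    proto: str = "all"               # -p
    src: str = "0.0.0.0/0"           # -s
    dports: tuple = (0, 65535)       # --dport low:high
    syn: bool = False                # --syn

    def matches(self, pkt: dict) -> bool:
        if self.proto not in ("all", pkt["proto"]):
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dports != (0, 65535):
            low, high = self.dports
            if not low <= pkt.get("dport", -1) <= high:
                return False
        return pkt.get("syn", False) or not self.syn

def evaluate(chain, policy, pkt, logged=None):
    """Consult rules in order; the first terminating match decides,
    otherwise the chain policy applies. LOG records and keeps going."""
    for number, rule in enumerate(chain, start=1):
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            if logged is not None:
                logged.append(number)
            continue
        return rule.target
    return policy

# Constructed addresses: 10.0.0.0/22 stands in for the CSE network.
ACCEPT_SSH = Rule("ACCEPT", proto="tcp", src="10.0.0.0/22", dports=(22, 22))
REJECT_LOW = Rule("REJECT", proto="tcp", dports=(0, 1023))
DROP_ICMP = Rule("DROP", proto="icmp")
LOG_SYN = Rule("LOG", proto="tcp", syn=True)

def verdicts(chain, policy="ACCEPT"):
    """Verdicts for four constructed packets: inside ssh, outside ssh, ping, port 8080."""
    packets = [{"proto": "tcp", "src": "10.0.1.7", "dport": 22, "syn": True},
               {"proto": "tcp", "src": "203.0.113.9", "dport": 22, "syn": True},
               {"proto": "icmp", "src": "10.0.1.7"},
               {"proto": "tcp", "src": "203.0.113.9", "dport": 8080}]
    return [evaluate(chain, policy, p) for p in packets]
```

With the ssh rule first, inside hosts are accepted; with REJECT_LOW first the same ssh rule is never reached. On a live system -A appends to the end of the chain, so a narrow ACCEPT added after a broad REJECT has no effect unless it is inserted ahead of it with -I.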

26 References
Linux iptables HOWTO, by Rusty Russell (HOWTO.html)