Presentation is loading. Please wait.

Presentation is loading. Please wait.

From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)

Published byVera Machado Modified over 5 years ago

Similar presentations

Presentation on theme: "From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)"— Presentation transcript:

1 From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)
NAT & IPTables From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)

2 NAT IPv4 Hack One external IP for a whole network
Used commonly in home routers All external traffic goes through the router Ok so what is a NAT, it is essentially a hack to try and overcome the lack of ipv4 addresses [Bullet], it essentially gives an entire internal network a single external ip address [bullet], it is commonly used with home networks [bullet], so your router has an external ip assigned by your isp and it has an internal ip assigned by itself (commonly ), so all traffic going through the router to the outside appears to come from the routers external ip, and then the router sorts out the responses and sends them to the right place.[end slide]

3 IPTABLES Packet Filtering Packet Manipulation Creates firewalls NATs
Cool stuff IPTABLES is the network packet filtering [bullet] and manipulation [bullet] tool for linux, it lets users create firewalls[bullet] and create NATs[bullet] and allows lots of other cool stuff[bullet] such as transparent proxying.[end slide]

4 Command Structure “-A chain” adds rules to a chain
IPTABLES –A INPUT –s /24 –j DROP “-A chain” adds rules to a chain This is followed by a match And then an action Can match on lost of things Can ACCEPT, DROP or jump to a user defined chain This is an example of an iptables command[eg]The default table is filter so is not necessary to declare it. –A adds rules to the specified chain[bullet], -D removes them, this is followed by a matching condition[bullet] and a jump or action[bullet]. Packets can be matched on lots of different things and in combination[bullet], -s shown, matches by IP or IP range. Common actions are ACCEPT, DROP or a user chain name[bullet], if it is a chain name then this chain is traversed. The example will drop all packets coming from SUCS.[end slide]

5 Tables, Chains and Rules
Tables define basic usage Chains contain rules that are checked till one is executed Different built in chains execute in different paces Rules execute actions on packets that match the condition. Iptables works with tables that contain chains which contain rules. Tables define basic usage and where it is applied, there are filter, nat, mangle and raw table[bullet], im going to talk mostly about the filter table and a brief bit in the nat table. Tables contain chains, they all have some built in chains and you can add custom chains, a chain is a collection of rules that are checked until one is executed[bullet], built in chains are executed on packets in different places such as the input chain in the filter table is execute on packets going into the software of the system[bullet]. Built in chains have a policy, which is executed if no rules are matched. Rules define a condition and an action to do if the condition is matched.[end slide]

6 Example Traversal Source: 137.44.10.6
–A INPUT –s /24 –j DROP –A INPUT –s /16 –j ACCEPT –P INPUT DROP DROP Matching Incoming Packet

7 Example Traversal Source: 137.44.195.83
–A INPUT –s /24 –j DROP –A INPUT –s /16 –j ACCEPT –P INPUT DROP ACCEPT Matching Matching Incoming Packet Not Matched

8 Example Traversal Source: 64.233.183.104
–A INPUT –s /24 –j DROP –A INPUT –s /16 –j ACCEPT –P INPUT DROP Policy DROP Not Matched Matching Incoming Packet Not Matched Matching

9 Connection Tracking Detects replies to sent packets Matching module
NEW is starting a new connection ESTABLISHED is for existing connections RELATED is for new connections related to existing ones Connection tracking is used to track what data is sent and to recognise the replies to data that was sent[bullet], packets can be matched on their status[bullet], they get clisified into 3 catogories, NEW, RELATED and ESTABLISHED. New shows it is a new connection[bullet], ESTABLISHED shows it is part of an already established connection[bullet], and RELATED is staring a new connection but it is related to an existing connection.[bullet] This allows packets to be accepted only in response to outgoing connections creating a firewall.[end slide]

10 Masquerade Used in the prerouting chain of the nat table
Makes NAT work Changes destination and source addressed as appropriate Masquerade uses similar technology to connection tracking to modify data being forwarded, it is used in the prerouting chain of the nat table[bullet], this is what does the NAT[bullet], it changes the destination and source addresses of packets being forwaded as appropriate to make the nat work [bullet]. [end slide]

11 Example Masq Code Internal interface is eth1
External interface is eth0 Example configuration: iptables –P INPUT DROP iptables -P FORWARD DROP iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables –A FORWARD -i eth1 -j ACCEPT iptables –t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward Internal interface = eth1 External interface = eth0 (1): Set the policy for the input chain (2): Set the policy for the forward chain (3): Allows existing connections to be forwarded (4): Allows all data from the internal network to be forwarded (5): Enables masquerading for data going to the output interface (6): Enables ipv4 packed forwarding

12 Useful Bits iptables-save stores the configuration in a file
iptables-restore restores the configuration from a file Easily write scripts to restore it iptables has a good manual page The configuration example on the previous slide disappears when you reboot, but you can store it with commands[bullet]. And this can be configured to auto configure itself when linux boots[bullet]. Also iptables has a really good man page[bullet] so if you want to know what you can use to match packets or what else it can do the first place you can look[end of slide]

13 Any Questions? (Sorry for the time its taken and )[bullet] any questions?

Download ppt "From ACCEPT to MASQUERADE Tim(othy) Clark (eclipse)"

Similar presentations

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Firewalls and Network Address Translation (NAT) Chapter 7.

Firewalls and Network Address Translation (NAT) Chapter 7.
IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.

IP Masquerading Homes and Businesses: When you only have one IP but you have LOTS of machines.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.

Packet Filtering CS-480b Dick Steflik. Stateless Packet Filters A border router configured to pass or reject packets based on information in the header.
Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.

Module 10 Linux Gateway (NAT) 10.1 – Introduction 10.2 – Official website and list 10.3 – Two types of NAT 10.4 – Controlling what to NAT 10.5 – How to.
TCP/IP Protocol Suite 1 Chapter 6 Upon completion you will be able to: Delivery, Forwarding, and Routing of IP Packets Understand the different types of.

TCP/IP Protocol Suite 1 Chapter 6 Upon completion you will be able to: Delivery, Forwarding, and Routing of IP Packets Understand the different types of.
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.

Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache.

Iptables and apache 魏凡琮 (Jerry Wei). Agenda iptables apache.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

Similar presentations

Ads by Google