
Tutorial 6: Networking Utilities & Firewall






Presentation Transcript


  1. Tutorial 6: Networking Utilities & Firewall

  2. Internet Control Message Protocol (ICMP)
  • Designed to compensate for the deficiencies of the IP protocol.
  • ICMP’s functions:
    • Announce network errors
    • Announce network congestion
    • Announce timeouts
    • Assist troubleshooting

  3. ICMP message types
  • 3: Destination unreachable
  • 4: Source quench
  • 11: Time exceeded
  • 12: Parameter problem
  • 5: Redirection
  • 8, 0: Echo request or reply
  • 13, 14: Timestamp request and reply
  • 17, 18: Address mask request and reply
  • 10, 9: Router solicitation and advertisement

  4. How do we test the network?
  • ifconfig
  • ping
  • netstat
  • nslookup
  • traceroute
  • tcpdump

  5. How do we find the network interface settings? – ifconfig
  • ifconfig is used to assign an address to a network interface or to configure network interface parameters.
  • WARNING: it is dangerous to use ifconfig to change the configuration if you are not familiar with it. Use other user-level utilities instead, for example:
    • RedHat – netconfig

  6. Ifconfig
  • View interface information: ifconfig -a
  [root]# /sbin/ifconfig -a
  eth0      Link encap:Ethernet  HWaddr 00:C0:4F:7A:BA:C7
            inet addr:137.189.90.60  Bcast:137.189.91.255  Mask:255.255.252.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:7010277 errors:0 dropped:0 overruns:0 frame:0
            TX packets:8755564 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            Interrupt:11 Base address:0xdc80
  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            UP LOOPBACK RUNNING  MTU:3924  Metric:1
            RX packets:46811 errors:0 dropped:0 overruns:0 frame:0
            TX packets:46811 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
  Slide callouts: Ethernet Address (HWaddr); IP Address & Netmask (inet addr, Mask); MAX Segment Size (MTU); # of packets sent/received (TX packets, RX packets).

  7. How do we know whether a host is reachable/alive? – Ping
  • ping utilizes the ICMP protocol’s ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from the specified host or network gateway.
  [Diagram: pc90002 executes "ping pc90001"; an ECHO_REQUEST travels to pc90001, which answers with an ECHO_RESPONSE.]

  8. Ping
  • Useful options:
    • -c count: specify the number of ECHO_REQUESTs to send
    • -i wait: specify the time interval between packets
    • -s packetsize: specify the number of data bytes to be sent
    • -R: Record route. Displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes; the remaining hosts are ignored or discarded. In that case, use traceroute instead.

  9. How do we know the usage of a port? – netstat
  • netstat displays the contents of various network-related data structures in various formats.
  • NOTICE: some of the options differ between Solaris and Linux. Please refer to the corresponding man page.

  10. Netstat
  • Options marked with * only work in Solaris; Linux has a different option to achieve the same function.

  11. How do we find an IP address from a hostname? – nslookup
  • nslookup is a networking application that sends queries to DNS and requests domain name information.
  • nslookup is deprecated; use dig and host instead.
  • Set the default DNS server in /etc/resolv.conf (RedHat):
    nameserver 137.189.91.188   # set default DNS
    search cse.cuhk.edu.hk      # set default domain name

  12. How do we know the routing path to a remote host? – traceroute
  • traceroute utilizes the IP protocol’s ‘time to live’ (ttl) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
  [Diagram: pc90002 runs "traceroute pc90001" and generates packets with ttl = 1, 2, 3, .... The ttl is decremented while passing each gateway (gateway1, gateway2, ...); when ttl reaches 0, that host/gateway replies with a TIME_EXCEEDED message back to the source, which reveals one hop per ttl value.]

  13. How do we know whether packets are sent/received at an interface? – tcpdump
  • tcpdump prints out the headers of packets on a network interface that match a boolean expression.
  • It can only be executed by root.

  14. Tcpdump
  • tcpdump [expression]
  • The expression is a boolean expression that selects the packets to be dumped.

  15. Tcpdump
  • Examples
    • To print all packets arriving at or departing from pc90002: tcpdump host pc90002
    • To print all IP packets except those to or from pc90004: tcpdump ip host not pc90004
    • To print all UDP packets to or from pc90001, showing the header contents in hex: tcpdump -x udp and host pc90001
    • To print all ICMP packets sent from pc90001: tcpdump icmp and src host pc90001

  16. Tcpdump
  [root]# tcpdump udp
  tcpdump: listening on eth0
  13:01:09.884933 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
  13:01:10.204118 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
  13:01:10.634916 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
  13:01:15.206077 pc90060.cse.cuhk.edu.hk.33883 > beryl.cse.cuhk.edu.hk.domain: 60655+ (44)
  13:01:20.215660 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)

  [root]# tcpdump -x icmp and src host solar22
  tcpdump: listening on eth0
  13:03:52.253498 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
                           4500 0054 dbf4 4000 fe01 dab4 89bd 5848 89bd 5a3c
                           0800 dd63 0d31 0000 3a91 f54c 0003 f286 0809 0a0b
                           0c0d 0e0f 1011 1213 1415 1617 1819
  13:03:55.349628 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
                           4500 0054 dbfa 4000 fe01 daae 89bd 5848 89bd 5a3c
                           0800 65e9 0d32 0000 3a91 f54f 0005 69fb 0809 0a0b
                           0c0d 0e0f 1011 1213 1415 1617 1819
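As an added worked example (not part of the tutorial), the Python below decodes the first echo request from the tcpdump -x output above: it unpacks the IP header, verifies the header checksum, names the ICMP type using the table from slide 3, and notices that the capture was cut short (54 of the 84 bytes the IP header announces, which is what the old 68-byte default snaplen leaves after a 14-byte Ethernet header), so it reports the ICMP checksum as unverifiable instead of wrongly flagging corruption. The forward_hop function is my own model of what each gateway on a traceroute path (slide 12) does to the packet: decrement the ttl and recompute the header checksum, or expire the packet when the ttl reaches 0. The names parse_ip_icmp, inet_checksum, forward_hop and ECHO_REQUEST_HEX are assumptions of this example, not anything the slides or tcpdump define.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# ICMP type numbers from slide 3, with the names RFC 792 (and RFC 950 / RFC 1256
# for address mask and router discovery) give them.
ICMP_TYPES = {
    0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
    5: "Redirection", 8: "Echo request", 9: "Router advertisement",
    10: "Router solicitation", 11: "Time exceeded", 12: "Parameter problem",
    13: "Timestamp request", 14: "Timestamp reply",
    17: "Address mask request", 18: "Address mask reply",
}

# First echo request from the slide's "tcpdump -x icmp and src host solar22" output,
# copied as shown (the IP header says 84 bytes, but only 54 were captured).
ECHO_REQUEST_HEX = (
    "4500 0054 dbf4 4000 fe01 dab4 89bd 5848 89bd 5a3c "
    "0800 dd63 0d31 0000 3a91 f54c 0003 f286 0809 0a0b "
    "0c0d 0e0f 1011 1213 1415 1617 1819"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_icmp(hexdump: str) -> dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP header of one dumped packet."""
    raw = bytes.fromhex(hexdump)
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "total_length": total_len,
        "captured": len(raw),
        "truncated": len(raw) < total_len,  # snaplen cut the packet short
        "id": ident,
        "df": bool(flags_frag & 0x4000),    # the "(DF)" tcpdump prints
        "ttl": ttl,
        "protocol": proto,
        "src": str(IPv4Address(raw[12:16])),
        "dst": str(IPv4Address(raw[16:20])),
        "ip_header_ok": inet_checksum(raw[:ihl]) == 0,
    }
    if proto == 1 and len(raw) >= ihl + 8:
        icmp = raw[ihl:]
        itype, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update(
            icmp_type=itype, icmp_code=code, icmp_name=ICMP_TYPES.get(itype, "unknown"),
            icmp_id=icmp_id, icmp_seq=seq,
            # The ICMP checksum covers the whole payload; with part of it missing the
            # result would be meaningless, so report "unverifiable" rather than "bad".
            icmp_checksum_ok=None if info["truncated"] else inet_checksum(icmp) == 0,
        )
    return info


def forward_hop(raw: bytes) -> Optional[bytes]:
    """Model one gateway on a traceroute path: decrement the ttl and rewrite the header
    checksum, or return None when the ttl expires (the point at which a real gateway
    discards the packet and sends ICMP type 11, Time exceeded, back to the source)."""
    ihl = (raw[0] & 0x0F) * 4
    ttl = raw[8] - 1
    if ttl <= 0:
        return None
    hdr = bytearray(raw[:ihl])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"                # checksum field is zero while computing
    struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
    return bytes(hdr) + raw[ihl:]
```

Changing the ttl byte alone (fe01 to fd01 in the dump) makes ip_header_ok False, which is why every hop that decrements the ttl must also rewrite the checksum, as forward_hop does; the decoded source and destination (137.189.88.72 and 137.189.90.60) match the solar22 and pc90060 names tcpdump printed and the inet addr shown by ifconfig on slide 6.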

  17. What is a firewall?
  • A firewall is a secure and trusted machine that aims to protect the internal network from outside attacks. It is usually located between the private network and the public network. It is configured with a set of rules that determine whether incoming or outgoing network traffic is accepted, denied or rejected.
  • Why do I need a firewall?
    • Control
    • Security
    • Watchfulness

  18. Using iptables
  [Diagram: an arriving packet goes through the Routing Decision; packets for other hosts pass the FORWARD chain, packets for this host pass the INPUT chain to a Local Process, and packets the Local Process sends pass the OUTPUT chain.]
  • There are three types of built-in chains (or lists of rules):
    • INPUT – destined for the local system
    • OUTPUT – originating from the local system
    • FORWARD – enters the system and is forwarded to another destination

  19. There are mainly three types of operations:
  • ACCEPT – accept the packet
  • DROP – discard the packet silently
  • REJECT – actively reply to the source that the packet is rejected
  • All the rules are consulted until the first rule matching the packet is located.
  • If no rule matches the packet, the kernel looks at the chain policy.

  20. Operations to manage whole chains
  • -N: create a new chain
  • -P: change the policy of a built-in chain
  • -L: list the rules in a chain
  • -F: flush the rules out of a chain
  Operations to manipulate rules inside a chain
  • -A: append a new rule to a chain
  • -I: insert a new rule at some position in a chain
  • -R: replace a rule at some position in a chain
  • -D: delete a rule in a chain

  21. Some filtering specifications:
  • -j: specify the rule target
  • -s: specify the source addresses
  • -d: specify the destination addresses
  • -p: specify the protocol used (e.g. tcp, udp, icmp)
  • -i: specify the input interface
  • -o: specify the output interface
  • !: specify the inversion (i.e. NOT)

  22. TCP Extensions:
  • --tcp-flags: filter on specific flags
  • --syn: shorthand for --tcp-flags SYN,RST,ACK SYN
  • --source-port (or --sport): specify the source port
  • --destination-port (or --dport): specify the destination port
  UDP Extensions:
  • --sport and --dport

  23. Logging
  • Logging can be done by specifying the rule target as LOG (i.e. -j LOG).
  • Options:
    • --log-level: debug, info, notice, warning, err, crit, alert, and emerg. Type “man syslog.conf” for details.
    • --log-prefix: a prefix that uniquely identifies a log message.

  24. Examples
  • Drop all icmp (such as ping) packets: iptables -A INPUT -p icmp -j DROP
  • Flush all chains: iptables -F
  • List all existing rules: iptables -L
  • Accept the ssh service (tcp port 22) from CSE machines: iptables -A INPUT -p tcp -s 137.189.88.0/22 -d 0/0 --dport 22 -j ACCEPT

  25. Examples (continued)
  • Reject all incoming TCP traffic destined for ports 0 to 1023: iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 0:1023 -j REJECT
  • Reject all outgoing TCP traffic except that destined for 137.189.96.142: iptables -A OUTPUT -p tcp -s 0/0 -d ! 137.189.96.142 -j REJECT
  • Drop all SYN packets from pc89184: iptables -A INPUT -p tcp -s 137.189.89.184 --syn -j DROP
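To make the first-match semantics of slides 19 and 20 concrete, here is an added Python model of the INPUT, OUTPUT and FORWARD chains. It is my own code, not from the tutorial or from the iptables HOWTO it references; the Firewall, Rule and matches names, the packet dictionaries and the constructed traffic are assumptions of the example. It accepts the subset of iptables syntax these slides use (-A, -I, -F, -P, -p, -s, -d with the old-style "!" inversion, --dport with a port range, --syn, and -j including the non-terminating LOG target from slide 23) and evaluates packets against the chains exactly as the slides describe: rules are consulted top-down until the first match, and the chain policy applies when nothing matches. The ssh rule uses tcp port 22.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUILTIN_CHAINS = ("INPUT", "OUTPUT", "FORWARD")

@dataclass
class Rule:
    proto: Optional[str] = None               # -p tcp/udp/icmp; None matches any protocol
    src: Optional[Tuple] = None               # -s: (IPv4Network, negated)
    dst: Optional[Tuple] = None               # -d: (IPv4Network, negated)
    dports: Optional[Tuple[int, int]] = None  # --dport lo[:hi], inclusive
    syn: bool = False                         # --syn: SYN set, ACK and RST clear
    target: str = "ACCEPT"                    # -j ACCEPT / DROP / REJECT / LOG
    log_prefix: str = ""                      # --log-prefix

class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN_CHAINS}
        self.policies = {c: "ACCEPT" for c in BUILTIN_CHAINS}
        self.log: List[str] = []

    def run(self, cmdline: str) -> None:
        """Apply one command line in the subset of iptables syntax the slides use."""
        args = shlex.split(cmdline)[1:]               # drop the leading "iptables"
        rule, op, chain, i = Rule(), None, None, 0
        while i < len(args):
            a = args[i]
            if a == "-F":                             # flush every chain
                self.chains.update({c: [] for c in BUILTIN_CHAINS})
                return
            if a == "-P":                             # -P chain policy
                self.policies[args[i + 1]] = args[i + 2].upper()
                return
            if a in ("-A", "-I"):                     # -A chain appends, -I chain inserts at the top
                op, chain, i = a, args[i + 1], i + 2
            elif a == "-p":
                rule.proto, i = args[i + 1].lower(), i + 2
            elif a in ("-s", "-d"):
                negated, val, i = False, args[i + 1], i + 2
                if val == "!":                        # old-style "-d ! addr" inversion
                    negated, val, i = True, args[i], i + 1
                net = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val, strict=False)
                setattr(rule, "src" if a == "-s" else "dst", (net, negated))
            elif a == "--dport":
                lo, _, hi = args[i + 1].partition(":")
                rule.dports, i = (int(lo), int(hi or lo)), i + 2
            elif a == "--syn":
                rule.syn, i = True, i + 1
            elif a == "-j":
                rule.target, i = args[i + 1].upper(), i + 2
            elif a == "--log-prefix":
                rule.log_prefix, i = args[i + 1], i + 2
            else:
                raise ValueError(f"unsupported option {a}")
        if op is None or chain not in self.chains:
            raise ValueError("a rule needs -A or -I with a built-in chain")
        if op == "-A":
            self.chains[chain].append(rule)
        else:
            self.chains[chain].insert(0, rule)

    def evaluate(self, chain: str, pkt: dict) -> str:
        """Walk the chain top-down: the first terminating match decides, else the policy."""
        for rule in self.chains[chain]:
            if matches(rule, pkt):
                if rule.target == "LOG":              # LOG records and keeps walking
                    self.log.append(f"{rule.log_prefix}{pkt}")
                    continue
                return rule.target
        return self.policies[chain]

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto and pkt["proto"] != rule.proto:
        return False
    for spec, key in ((rule.src, "src"), (rule.dst, "dst")):
        if spec and (ipaddress.ip_address(pkt[key]) in spec[0]) == spec[1]:
            return False                              # outside the net, or inside a "!" net
    if rule.dports and (pkt.get("dport") is None or not rule.dports[0] <= pkt["dport"] <= rule.dports[1]):
        return False
    if rule.syn and ("SYN" not in pkt.get("flags", set()) or pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def build_example_firewall() -> Firewall:
    # The slides' rules (ssh on tcp/22) plus a LOG rule and a SYN drop inserted at the top.
    fw = Firewall()
    for cmd in (
        "iptables -F",
        "iptables -A INPUT -p tcp -s 137.189.88.0/22 -d 0/0 --dport 22 -j ACCEPT",
        "iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 0:1023 -j REJECT",
        "iptables -A INPUT -p icmp -j DROP",
        "iptables -I INPUT -p icmp -j LOG --log-prefix 'ICMP in: '",
        "iptables -I INPUT -p tcp -s 137.189.89.184 --syn -j DROP",
        "iptables -A OUTPUT -p tcp -s 0/0 -d ! 137.189.96.142 -j REJECT",
        "iptables -P INPUT DROP",
    ):
        fw.run(cmd)
    return fw
```

build_example_firewall inserts the pc89184 SYN drop with -I rather than appending it with -A as slide 25 does: 137.189.89.184 lies inside 137.189.88.0/22, so an appended DROP would sit below the ssh ACCEPT rule and never see a SYN to port 22. The first matching rule wins, which makes rule order part of the policy; a SYN from pc89184 is dropped, an ACK from the same host to port 22 still matches the ACCEPT rule, and traffic no rule mentions (udp, or tcp above port 1023) falls through to the INPUT policy set by -P.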

  26. References
  • Linux iptables HOWTO, by Rusty Russell: http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html
