
TCP/IP Sections: 13.7, 13.8, 13.11, 13.12






Presentation Transcript


  1. TCP/IP Sections: 13.7, 13.8, 13.11, 13.12
  13.7 Adding a Machine to a Network
  13.8 Distribution-Specific Network Configuration
  13.11 Security Issues
  13.12 Linux NAT (IP Masquerading)

  2. Adding a Machine to a Network
  The basic steps to add a new machine to a local network are:
  • Assign a unique IP address and hostname.
  • Set up the new host to configure its network interfaces at boot time.
  • Set up a default route.
  • Point to a DNS name server, to allow access to the rest of the Internet.
  • Reboot the system each time you make a change that might affect booting, to make sure that the machine comes up correctly.

  3. Adding a Machine to a Network (cont.)
  Each distribution has established its own configuration files for automating network configuration at boot time, as summarized in the following table (table not included in the transcript).

  4. Assigning Hostnames and IP Addresses
  Mapping from hostnames to IP addresses can be maintained through:
  • the hosts file (/etc/hosts)
  • NIS (Network Information Service)
  • DNS (Domain Name Service)
  • some combination of the above sources

  5. Renumbering Issue
  Renumbering = assigning new IP addresses.
  • Using hostnames in the configuration files, and having the hostname-to-IP-address translation done through DNS, helps overcome the problem of changing IP addresses. However,
  • using IP addresses in configuration files reduces dependencies during bootup, when not all services are available yet.

  6. /etc/hosts Example
      127.0.0.1      localhost
      192.108.21.48  lollipop.xor.com    lollipop loghost
      192.108.21.254 chimchim-gw.xor.com chimchim-gw
      192.108.21.1   ns.xor.com          ns
      192.225.33.5   licenses.xor.com    license-server
  • Because the hosts file contains local mappings only, most mapping systems use it for mappings that are needed at boot time.
  • It can be used for mappings that you don't want others to know about.
  • The minimal data are the mappings for the loopback address and the host itself.

  7. /etc/hosts (cont.)
  • Some sites put all their really important hosts, servers and gateways in it.
  • Debian: only localhost.
  • Red Hat: localhost and the machine itself.
  • SuSE: localhost, the machine itself, and a few special IPv6 names.
  • The hostname command assigns a hostname to a machine. It is typically run at boot time from one of the startup scripts, which obtains the name to be assigned from a configuration file.

  8. ifconfig: Configure Network Interfaces
  • Enables/disables a network interface
  • Sets the IP address and subnet mask
  • Sets various other parameters
      ifconfig interface address options
  • interface: identifies the hardware interface to which the command applies.
  • address: the IP address of the interface; many versions of ifconfig accept a hostname for this parameter.

  9. ifconfig Examples
      ifconfig eth0 128.138.240.1 netmask 255.255.255.0 up
      ifconfig interface
      ifconfig -a
      netstat -i
  Options:
  • up: turns the interface on (default).
  • down: turns the interface off.
  • netmask: sets the subnet mask for the network; used if subnetting is in use. The network part is set to ones, the host part to zeros.
  • broadcast: the IP broadcast address for the interface, expressed in either hex or dotted-quad notation.
  • The broadcast address is, on most systems, found by setting the host part to all 1s.
  • Most systems use the netmask and IP address to calculate the broadcast address.

  10. ifconfig Examples (cont.)
      redhat% /sbin/ifconfig eth0
      eth0      Link encap:Ethernet  HWaddr 00:02:B3:19:C8:86
                inet addr:192.168.1.13  Bcast:192.168.1.255
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:206983 errors:0 dropped:0 overruns:0 frame:0
                TX packets:218292 errors:0 dropped:0 overruns:0 frame:0
                collisions:0 txqueuelen:100
                Interrupt:7 Base address:0xef00
      ifconfig eth0 128.138.243.151 netmask 255.255.255.192 broadcast 128.138.243.191 up

  11. mii-tool: Configure Autonegotiation and Other Media-Specific Options
  • Autonegotiation mode: both the card and its upstream connection (usually a switch port) try to guess what the other wants to use.
  • Problem: high packet loss.
  • It is better to lock the interface speed and duplex, both on servers and on the switch ports they are connected to.
  • mii-tool sets media-specific parameters such as link speed and duplex:
      mii-tool --force=100baseTx-FD eth0

  12. route: Configure Static Routes
  • If a packet is destined for some host on a directly connected network, the "next-hop gateway" address in the routing table will be one of the local host's own interfaces.
  • If no route matches the destination address, the default route is used if one exists; otherwise an ICMP "network unreachable" or "host unreachable" error results.
      route [op] [type] destination gw gateway [metric] [dev interface]
  • op:
    • add: add a route
    • del: remove a route

  13. route (cont.)
  • destination: a host address (type -host) or a network address (type -net).
  • gateway: the machine to which packets should be forwarded. It must be on a directly connected network.
  • dev is optional and can be omitted.
  • metric: the number of forwardings (the hop count) required to reach the destination.
  • type: optional, "-net" or "-host". If not specified, route checks whether the host part of the destination is all zeros; it may also consult /etc/networks.
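As an added example that is not part of the slides, the following POSIX shell script carries out the address arithmetic behind the ifconfig examples (slides 9 and 10) and route's host-part test (slide 13): network = address AND netmask, broadcast = address OR NOT netmask, and a destination whose host part is all zeros is treated as a -net. The function names are my own, not those of any Linux tool.

```shell
# Added example (not from the slides): the address arithmetic behind the
# ifconfig and route examples in pure POSIX sh. network = address AND mask,
# broadcast = address OR NOT mask; route treats a destination whose host
# part is all zeros as a network (-net), anything else as a host (-host).
# Function names are my own, not those of any Linux tool.

# ip_to_int DOTTED-QUAD -> 32-bit integer (subshell body keeps IFS local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip INTEGER -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_addr ADDRESS NETMASK: host part cleared to zeros.
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_addr ADDRESS NETMASK: host part set to all ones; NOT mask is
# taken within 32 bits via XOR with 0xFFFFFFFF (4294967295).
broadcast_addr() {
    int_to_ip $(( $(ip_to_int "$1") | ($(ip_to_int "$2") ^ 4294967295) ))
}

# route_type DESTINATION NETMASK: "net" if the host part is all zeros, else
# "host" (what route assumes when neither -net nor -host is given).
route_type() {
    if [ "$(network_addr "$1" "$2")" = "$1" ]; then echo net; else echo host; fi
}

# Usage: sh ifcalc.sh 128.138.243.151 255.255.255.192
if [ $# -eq 2 ]; then
    echo "network:   $(network_addr "$1" "$2")"
    echo "broadcast: $(broadcast_addr "$1" "$2")"
    echo "route type: $(route_type "$1" "$2")"
fi
```

Run with the address and netmask from slide 10 and the script reproduces the broadcast address 128.138.243.191 that the slide passes to ifconfig by hand.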

  14. route Examples
  • route -f, or route --flush: completely flushes the routing tables and starts over.
  • netstat -nr: inspect existing routes.
  • netstat -r: see names instead of numbers.
      redhat% netstat -nr
      Kernel IP routing table
  (routing table output not included in the transcript)

  15. route Examples (cont.)
      redhat% netstat -r
      Kernel IP routing table
  • Genmask: the netmask associated with the destination.
  • Flags: the status of the route, how it was learned, and other parameters.
  • Iface: the interface through which packets using the route are sent.

  16. Default Routes
  • All packets whose destination network is not found in the kernel's routing table are sent to the default route.
  • How to set the default route:
      route add default gw gateway-ip-address

  17. Configuring DNS
  To configure a machine as a DNS client:
  • Modify /etc/resolv.conf:
    • this file lists the domains that should be searched to resolve names that are incomplete (not fully qualified);
    • it lists the IP addresses of the name servers to contact for name lookups.
  • Some systems also require modification of the "service switch" file.

  18. Modify /etc/resolv.conf
      search cs.colorado.edu colorado.edu
      nameserver 128.138.242.1
      nameserver 128.138.234.151
      nameserver 192.108.21.1
  • domain is sometimes used instead of search in ancient resolv.conf files.
  • search is preferred, but Red Hat defaults to a resolv.conf file that uses domain instead of search.

  19. Service Switch
  • Some systems have a "service switch" file that determines which mechanism will be used to resolve hostname-to-IP-address mappings. See page 498 for prioritization.
  • It allows specification of the order in which DNS, NIS, and /etc/hosts should be consulted.

  20. Service Switch Files by System (table not included in the transcript)

  21. The Linux Networking Stack
  • Includes support for virtual network interfaces and selective acknowledgments, as well as a new IP feature, Explicit Congestion Notification (ECN).
  • ECN marks TCP packets to notify the sender of congestion. It is a good thing both for bulk transfers of data and for transactional data such as web requests and responses.

  22. Distribution-Specific Network Configuration
  • linuxconf: a module-based utility that provides a simple interface for managing a number of system administration tasks, including most network-related configuration.
  • Three interfaces: text-based, web, and X Windows.
  • For a change to a configuration file to take effect, reboot or bring the network interface down and up again:
    • Red Hat and Debian: ifup and ifdown
    • SuSE: reboot the machine

  23. Network Configuration for Red Hat

  24. /etc/sysconfig/network Example
      NETWORKING=yes
      HOSTNAME=redhat.toadranch.com
      DOMAINNAME=toadranch.com
      ### OPTIONAL
      GATEWAY=192.168.1.254

  25. /etc/sysconfig/network-scripts/ifcfg-ifname Examples
  ifcfg-eth0 file:
      DEVICE=eth0
      IPADDR=192.168.1.13
      NETMASK=255.255.255.0
      NETWORK=192.168.1.0
      BROADCAST=192.168.1.255
      ONBOOT=yes
  ifcfg-lo file:
      DEVICE=lo
      IPADDR=127.0.0.1
      NETMASK=255.0.0.0
      NETWORK=127.0.0.0
      BROADCAST=127.255.255.255
      ONBOOT=yes
      NAME=loopback

  26. Network Configuration for Red Hat (cont.)
  • ifup ifname: brings an interface up.
  • ifdown ifname: brings an interface down.
  • /etc/rc.d/init.d/network:
    • a script that accepts the arguments start, stop, restart, and status;
    • manages all the interfaces at once;
    • invoked at boot time.
  • Any routes added to the file /etc/sysconfig/static-routes are entered into the routing table at boot time. Each line is handed to route add as its arguments:
      eth0 net 130.255.204.48 netmask 255.255.255.248 gw 130.255.204.49
      eth1 net 192.38.8.0 netmask 255.255.255.224 gw 192.38.8.9

  27. Network Configuration for SuSE
  • /sbin/SuSEconfig: a tool that uses scripts in /sbin/conf.d and /etc/rc.config.d to do the configuration work.
  • /etc/rc.config contains all network-related parameters except routing information and DNS information. Example:
      START_LOOPBACK="yes"
      NETCONFIG="_0"
      IPADDR_0="192.168.1.101"
      NETDEV_0="eth0"
      IFCONFIG_0="192.168.1.101 broadcast 192.168.1.255 netmask 255.255.255.0"
      FQHOSTNAME="inura.toadranch.com"
      DISABLE_ECN="yes"

  28. Dynamic Routing in SuSE
  • Dynamic routing is also configured in rc.config. Example:
      START_ROUTED="no"   ### RIP (Routing Information Protocol) version 1 daemon
      START_ZEBRA="no"    ### zebra routing manager
      START_BGPD="no"     ### BGP (Border Gateway Protocol) daemon
      START_RIPNGD="no"   ### RIP version 2 daemon
      START_OSPFD="no"    ### OSPF (Open Shortest Path First) daemon
      START_MRTD="no"     ### multithreaded routing daemon

  29. Network Configuration for Debian
  Example of the /etc/network/interfaces file:
      iface lo inet loopback
      iface eth0 inet static
          address 192.168.1.102
          netmask 255.255.255.0
          gateway 192.168.1.254

  30. The interfaces file is read by ifup and ifdown, which bring the interfaces up and down respectively.
  • The inet keyword in the iface line is the address family; this will always be inet.
  • static specifies that the IP address and netmask lines are required for static configuration.
  • gateway specifies the address of the default gateway and is used to install the default route.
  The options file allows some network variables to be set at boot time.

  31. Network Configuration with a GUI
  • Red Hat includes a tool called neat (Network Administration Tool) that can perform Ethernet, modem, ISDN, xDSL, and wireless configuration.
  • To run it, select Main Menu > Programs > System > Network Configuration, or type neat in a shell.

  32. Security Issues: IP Forwarding
  • Lets the Linux box act as a router.
  • Turn this feature off unless you have multiple network interfaces and intend to use the Linux box as a router.
  • Hosts with this feature enabled can compromise security by making external packets appear to have come from inside the local network, which can enable naughty packets to evade network scanners and packet filters.

  33. Security Issues: ICMP Redirects
  • Can be used maliciously to reroute traffic and mess with the routing table.
  • Most operating systems listen to them and follow their instructions.
  • It is recommended to configure routers, and hosts acting as routers, to ignore and perhaps log ICMP redirects.

  34. Security Issues: Source Routing
  • The IP source routing mechanism lets the sender specify the series of gateways a packet transits on the way to its destination.
  • It can create security problems because packets are often filtered according to their origin.
  • If someone can cleverly route a packet to make it appear to have originated from your network instead of the Internet, it might slip through your firewall.
  • It is recommended neither to accept nor to forward source-routed packets.

  35. Security Issues: Broadcast Pings and Other Forms of Directed Broadcast
  • Ping packets addressed to a network's broadcast address (instead of to a particular host address).
  • Can be used in denial-of-service attacks.
  • Most hosts have a way to disable broadcast pings.
  • The router can also be configured to filter out broadcast pings.

  36. Security Issues: IP Spoofing
  • If the software creating the packet uses a raw socket, it can fill in any source address it likes.
  • The machine identified by the spoofed source address (if it is a real address) is often the victim in this scheme: error and return packets can disrupt or flood the victim's network connections.
  • IP spoofing should be denied at the border router by blocking outgoing packets whose source address is not within your address space.
  • If a network uses private address space, addresses escaping to the Internet can be filtered and caught, since private addresses are not routable.

  37. Security Issues: IP Spoofing (cont.)
  • Linux-based firewalls provide a way to implement this filtering; however, most sites prefer to implement this type of filtering at their border routers.
  • Protect against a hacker forging the source address on external packets to fool the firewall into thinking that they originated on your internal network: the rp_filter kernel parameter (settable in the /proc/sys/net/ipv4/conf/ifname directory) can help detect these packets. Set rp_filter (reverse path filtering) to 1.
  • If the site has multiple connections to the Internet, rp_filter has to be set to 0 if inbound and outbound routes are different (and it is preferred that they be different).

  38. Security Issues: Host-Based Firewalls
  • Packet filtering (aka "firewall") software.
  • Linux security is weak and NT's security is worse.
  • It is recommended to buy a dedicated hardware solution to use as a firewall. Go to page 676 to read more about firewall-related issues.

  39. Security Issues: Virtual Private Networks (VPN)
  • Private networks that include a series of secure, encrypted "tunnels".
  • These "tunnels" allow using the Internet as if it were a private data line.
  • Used to connect sites in several parts of the world as if they were within one big private network.
  • Some VPNs use the IPsec protocol (standardized by the IETF in 1998); others use proprietary solutions.
  • Examples: Cisco's 3660 router and the WatchGuard Firebox provide VPN support. They provide tunneling and encryption.

  40. Security Issues: Security-Related Kernel Variables (table not included in the transcript)

  41. Security Issues: Changing Security-Related Kernel Variables
  • Red Hat:
    • Add values to /etc/sysctl.conf, which is read by the sysctl command at boot time.
    • The format of sysctl.conf is variable = value, for example
      net.ipv4.ip_forward = 0   (turn off IP forwarding)
  • SuSE:
    • sysctl doesn't run during the boot process.
    • Edit rc.config (in /etc/init.d/boot) or add a call to the sysctl command somewhere in the startup sequence.
  • Debian:
    • Provides a sample sysctl.conf file and also calls sysctl during startup.
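As an added example, not taken from the slides or the book, the following POSIX shell script audits the kernel variables recommended on slides 32 to 37 (IP forwarding, ICMP redirects, source routing, broadcast pings, rp_filter) against a sysctl-style dump and prints the sysctl.conf lines that would correct them. The function names and the sample dump are my own constructions; the variable names are the real keys under /proc/sys/net/ipv4.

```shell
# Added example (not from the slides): audit the kernel variables from the
# preceding slides against their recommended values, reading "variable =
# value" lines as "sysctl -a" prints them, and emit the sysctl.conf lines.
# The sample dump is constructed; the keys are real /proc/sys/net/ipv4 names.

# recommended_value KEY: value the slides recommend; status 1 if not audited.
recommended_value() {
    case "$1" in
        net.ipv4.ip_forward) echo 0 ;;                   # host is not a router
        net.ipv4.conf.all.accept_redirects) echo 0 ;;    # ignore ICMP redirects
        net.ipv4.conf.all.accept_source_route) echo 0 ;; # drop source-routed packets
        net.ipv4.icmp_echo_ignore_broadcasts) echo 1 ;;  # no broadcast pings
        # reverse-path check; must be 0 on multihomed hosts whose inbound
        # and outbound routes differ (slide 37)
        net.ipv4.conf.all.rp_filter) echo 1 ;;
        *) return 1 ;;
    esac
}
AUDITED_KEYS="net.ipv4.ip_forward net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_source_route net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.conf.all.rp_filter"

# hardened_sysctl_conf: the /etc/sysctl.conf lines (applied by sysctl at boot
# on Red Hat and Debian) that set every audited variable to its recommendation.
hardened_sysctl_conf() {
    for key in $AUDITED_KEYS; do echo "$key = $(recommended_value "$key")"; done
}
# audit_sysctl: read "key = value" lines on stdin, print "key actual expected"
# for each audited variable that deviates; exit status = number of deviations.
audit_sysctl() {
    bad=0
    while read -r key eq val; do
        [ "$eq" = "=" ] || continue
        want=$(recommended_value "$key") || continue
        if [ "$val" != "$want" ]; then
            echo "$key $val $want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample dump; on a live host use: sysctl -a | audit_sysctl
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_ecn = 1'
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "$? variable(s) deviate"
```

On the constructed dump the audit reports ip_forward, accept_redirects and icmp_echo_ignore_broadcasts; keys it does not cover, such as tcp_ecn, are skipped rather than flagged.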

  42. Linux NAT (IP Masquerading)
  • Linux provides a limited form of NAT (Network Address Translation) that is more properly called PAT (Port Address Translation) or "IP masquerading".
  • The predominant Linux software (up to the writing of this book) for setting up NAT is called ipchains. However,
  • a new, improved package called iptables uses the "netfilter" feature of the Linux 2.4 kernel and is in the current release of Red Hat.
  • For IP masquerading to work:
    • enable IP forwarding;
    • build the kernel with CONFIG_IP_MASQUERADING defined;
    • it is helpful to set the kernel variable ip_masq_debug.

  43. IP Masquerading Examples
  • To disguise the private address space used on the internal network 192.168.1.0/24, you could use the following command:
      ipchains -A forward -i ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQ
  • To map packets from the 192.168.1.0/24 network to a range of 10 addresses in the routable network 128.138.198.0 (the rule lives in the nat table and uses the SNAT target with --to-source):
      iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 128.138.198.1-128.138.198.10
