Networking Utilities & Firewall
Download
Report
Transcript Networking Utilities & Firewall
Tutorial 6: Networking Utilities & Firewall
1
Internet Control Message
Protocol (ICMP)
designed to compensate for the deficiencies
of IP protocol.
ICMP’s functions:
Announce network errors
Announce network congestion
Announce timeouts
Assist troubleshooting
2
Type:
3: Destination unreachable
4: Source quench
11: time exceeded
12: Parameter Problem
5: Redirection
8,0: Echo request or reply
13,14: Timestamp request and
reply
17,18: Address mask request and
reply
10,9: Route solicitation and
advertisement
3
How we testing the network ?
Ifconfig
Ping
Netstat
Nslookup
Traceroute
Tcpdump
4
How we know the network interface
settings ? – ifconfig
ifconfig is used to assign an address to a
network interface or to configure network
interface parameters.
WARNING: it is danger to use this to
change the configuration if you are not
familiar. USE other user level utilities. For
example,
RedHat – netconfig
5
Ifconfig
View interface information
[root]#
/sbin/ifconfig
ifconfig
–a -a
eth0
Ethernet Address
IP Address & Netmask
Link encap:Ethernet HWaddr 00:C0:4F:7A:BA:C7
inet addr:137.189.90.60 Bcast:137.189.91.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7010277 errors:0 dropped:0 overruns:0 frame:0
TX packets:8755564 errors:0 dropped:0 overruns:0 carrier:0
MAX Segment Size
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xdc80
lo
# of packets send/receive
Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:46811 errors:0 dropped:0 overruns:0 frame:0
TX packets:46811 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
6
How we know the host is
reachable/alive ? – Ping
ping utilizes the ICMP protocol’s ECHO_REQUEST
datagram to elicit an ICMP ECHO_RESPONSE from
the specified host or network gateway.
pc90002
ECHO_REQUEST
pc90001
Exec: ping
pc90001
ECHO_RESPONSE
7
Ping
Useful option
- c count
specify # of ECHO_REQUEST send
- i wait
specify time interval in sending each packet
- s packetsize specify # of data bytes to be sent
-R
Record route. Displays the route buffer on
returned packets. Note that the IP header is
only large enough for nine such routes.
Rest of the hosts are ignore or discard in this
option. For this case, you can use traceroute
instead.
8
How we know the usage of port? –
netstat
netstat display the contents of various
network-related data structures in various
formats.
NOTICE: some of the options are different
in Solaris or Linux. Please refer to
corresponding man page.
9
Netstat
Command
Function
netstat -r
Show routing table
*netstat -M
Show multicast routing table
*netstat -ms
Show stream and protocol statistics
netstat -a
Show state of all sockets and routing table
entries
Show numerical addresses instead of host
names
netstat -n
netstat -i
Show state of interfaces
For those with * are only work in Solaris, there is different option in Linux to
achieve the same function.
10
How we find IP address form hostname? –
nslookup
nslookup is a networking application that
sending queries to DNS and request the domain
name information.
nslookup is deprecated, use dig and host instead.
Set default DNS
/etc/resolv.conf
(Redhat)
nameserver 137.189.91.188
search cse.cuhk.edu.hk
#set default DNS
#set default domain name
11
How we know a routing path from a remote
host? – traceroute
traceroute utilizes the IP protocol ‘time to live’ (ttl) field
and attempts to elicit an ICMP TIME_EXCEEDED
response from each gateway along the path to some host.
ttl decrement while passing each
gatways
traceroute pc90001
pc90002
TIME_EXCEEDED response
Generate
packet with
ttl =1,2,3,….
gateway1
ttl = 1,2,…
gateway2
If ttl = 0, the host/gateway to
replay a TIME_EXCEEDED
back to the source.
ttl = 1,…
pc90001
12
How we know whether there are packet send/receive at
the interface? – tcpdump
tcpdump prints out the headers of packets
on a network interface that match the
boolean expression
Only allow execute by root
13
It is an boolean
expression that select the
packet to be dumped.
Tcpdump
tcpdump [expression]
Type (including host, net
and port)
host pc90001
net 137.189
port 21
Dir (specify particular
transfer direction, including
src, dst)
Proto (specify particular
protocol, including ether, ip,
arp, tcp, udp and so on)
src pc90002
dst net 202.123.456
tcp port 21
ether src pc90001
14
Tcpdump
Examples
To print all packets arriving at or departing from pc90002
To print all IP packets except pc90004
tcpdump ip host not pc90004
To print all UDP packets from pc90001 and showing the header
contents
tcpdump host pc90002
tcpdump –x udp and host pc90001
To print all ICMP packets and sending from pc90001
tcpdump icmp and src host pc90001
15
Tcpdump
[root]# tcpdump udp
tcpdump: listening on eth0
13:01:09.884933 192.168.0.3.netbios-ns > 192.168.0.255.netbios ns: udp 50
13:01:10.204118 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:10.634916 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
13:01:15.206077 pc90060.cse.cuhk.edu.hk.33883 > beryl.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:20.215660 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
[root]# tcpdump -x icmp and src host solar22
tcpdump: listening on eth0
13:03:52.253498 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
4500 0054 dbf4 4000 fe01 dab4 89bd 5848
89bd 5a3c 0800 dd63 0d31 0000 3a91 f54c
0003 f286 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819
13:03:55.349628 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
4500 0054 dbfa 4000 fe01 daae 89bd 5848
89bd 5a3c 0800 65e9 0d32 0000 3a91 f54f
0005 69fb 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819
16
What is a firewall?
A firewall is a secure and trusted machine that
aims to protect the internal network from outside
attacks. It is usually located between the private
network and the public network. It is configured
with a set of rules that determine whether the
incoming or outgoing network traffic is accepted,
denied or rejected.
Why I need firewall?
Control
Security
Watchfulness
17
Using iptables
There are three types of built-in chains (or lists of
rules):
INPUT – destined for the local system
OUTPUT – originate from the local system
FORWARD – enter the system and is forwarded to
another destination
Routing
Decision
Forward
Input
Output
Local Process
18
There are mainly three types of operations:
ACCEPT – accept the packet
DROP – discard the packet silently
REJECT – actively reply the source that the
packet is rejected.
All the rules are consulted until the first
rule matching the packet is located.
If no rules match the packet, the kernel
looks at the chain policy.
19
Operations to manage whole chains
N: create a new chain
P: change the policy of built-in chain
L:list the rules in a chain
F: flush the rules out of a chain
Manipulate rules inside a chain
A: append a new rule to a chain
I: insert a new rule at some position in a chain
R: Replace a rule at some position in a chain
D: delete a rule in a chain
20
Some filtering specifications:
j: specify the rule target
s: specify the source addresses
d: specify the destination addresses
p: specify the protocol used (e.g. tcp, udp,
icmp)
i: specify the input interface
o: specify the output interface
!: specify the inversion (i.e. NOT)
21
TCP Extensions:
--tcp-flags: filter on specific flags
--syn: shorthand of --tcp-flags SYN, RST,
ACK SYN
--source-port (or --sport): specify the source
port
--destination port (or --dport): specify the
destination port
UDP Extensions:
--sport and --dport
22
Logging
Logging can be done by specify the rule
target as LOG (i.e. –j LOG).
Options:
--log-level: debug, info, notice, warning, err,
crit, alert, and emerg. Type “man syslog.conf”
for details.
--log-prefix: uniquely identify a log message.
23
Examples
Drop all icmp (such as ping) packets
Flush all chains
iptables –F
List all existing rules
iptables –A INPUT –p icmp –j DROP
iptables –L
Accept the ssh service from CSE machines
iptables –A INPUT –p tcp –s 137.189.88.0/22 –d 0/0
--dport 23 –j ACCEPT
24
Reject all incoming TCP traffic destined for
ports 0 to 1023
Reject all outgoing TCP traffic except the one
destined for 137.189.96.142
iptables –A INPUT –p tcp –s 0/0 –d 0/0 –dport
0:1023 –j REJECT
iptables –A OUTPUT –p tcp –s 0/0 –d !
137.189.96.142 –j REJECT
Drop all SYN packets from pc89184
Iptables –A INPUT –p TCP –s 137.189.89.184 -syn –j DROP
25
References
Linux iptables HOWTO, by Rusty Russell
http://www.linuxguruz.org/iptables/howto/iptablesHOWTO.html
26