-Linux can act as a full-featured router; many commercial routers run the Linux kernel.
-A standard PC with a few network cards can act as a basic router.
-To enable routing (ie turn ip forwarding on), do this:
# echo "1" > /proc/sys/net/ipv4/ip_forward
-(same thing via sysctl: sysctl -w net.ipv4.ip_forward=1; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots)
-netfilter - the packet filtering / firewall framework built into the Linux kernel.
- it is where the system decides what happens to each packet (accept, drop, rewrite, forward).
-iptables - the command line tool used to manage netfilter rules.
-netfilter tables (one per job; iptables -t <table> selects one):
. nat
. mangle
. raw
. filter
-nat - network address translation
- allows multiple systems to reach another network through a single ip address, ie the nat box acts like a door or gateway.
- gateway = nat + routing
- firewall = packet filtering + connection tracking (nat is optional; a firewall need not translate addresses)
-mangle - marks and alters packet headers in specific ways (eg rewriting the type of service / DSCP bits so downstream devices apply quality of service, or setting a kernel mark that later rules can match)
-raw - processed before connection tracking; used to exempt packets from tracking (NOTRACK) or adjust how they are tracked
-filter - the default table; provides the basic accept / drop filtering
-nat allows a sysadmin to hide the hosts on either side of a router from the other side.
-ie because of nat, the two sides are unaware of each other; only the router's address is visible to them.
-netfilter nat:
. source nat (snat)
. dest nat (dnat)
. masquerading
-snat = rewrites the source ip (and port) so traffic appears to come from one fixed ip (eg a home private lan behind a single public address)
-dnat = rewrites the destination ip (and port) (eg one public ip whose ports are forwarded to servers in a server farm lan)
-masquerade = special case of snat for firewalls with a dynamic ip: it uses whatever address the outgoing interface currently has, so the rule need not name the ip
-chokepoint = the host / ip that acts as the gateway in netfilter nat; all translated traffic has to pass through it.
-how does netfilter nat do its address translations?
-by keeping an internal table of tracked connections and the nodes on each end; the entries in this table are the 'flows'.
-a flow knows nothing about the contents of the connection, only the source-destination mapping.
-a flow looks like - <src ip addr>:<port> -> <dst ip addr>:<port> (plus the protocol), with the reply direction recorded alongside so replies can be translated back.
-since netfilter nat doesn't see the contents of the connection, translation alone says nothing about whether the traffic is malicious.
-to help with this, Linux has 'stateful connection tracking' (conntrack): it reads the headers of each packet and classifies it as NEW, ESTABLISHED, RELATED or INVALID, and filter rules can match on that state (-m conntrack --ctstate ...).
-nat depends on connection tracking (it needs the flow table to translate replies); connection tracking also works without nat, which is what a plain stateful firewall does.
-chains - ordered lists of rules that decide how a packet flows through netfilter; a packet is checked against the rules top to bottom until one matches.
-built-in chains - INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING (names are case-sensitive; not every table has all five)
-to list the current rules and verify that netfilter is compiled in and working:
# iptables -L [ lists the filter table only; add -t nat etc for the others, -n -v for numeric addresses and counters ]
# ip6tables -L [ ipv6 ]
-netfilter config files (Red Hat style systems):
. /etc/sysconfig/iptables-config [ ip6tables-config for ipv6 ] - options for the iptables service (eg whether to save rules on stop)
. /etc/sysconfig/iptables [ ip6tables for ipv6 ] - the saved rules themselves, loaded at boot
-useful netfilter cmds:
# iptables -t <table> [ -A | -D | -R | -L | -F ] <chain> <rulespec> [ append / delete / replace / list / flush ]
-eg # iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT [ accept all packets destined to tcp port 80 on the INPUT chain; chain and target names are case-sensitive ]
# modprobe iptable_nat [ loads the nat table module; modern kernels autoload it on first use ]
# echo 1 > /proc/sys/net/ipv4/ip_forward [ enables routing, required for nat ]
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies [ enables syn cookie protection against syn floods ]
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [ ignores pings to broadcast addresses so the host cannot be used as a smurf amplifier ]
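-putting the pieces together: the script below is an added example, not part of the original notes, that builds the rule set for a home-lan style gateway (ip forwarding + the sysctl hardening above, a stateful FORWARD chain using conntrack states, MASQUERADE for the dynamic-ip snat case, and an optional DNAT port forward for the server-farm case). The interface names eth0 / eth1, the lan prefix 192.168.1.0/24 and the DNAT_SERVER / DNAT_PORT variables are assumptions; change them for your box. Without arguments it only prints the commands (no root needed); with "apply" it runs them.

```sh
#!/bin/sh
# Added example for the notes above: generate (and optionally apply) the iptables
# and sysctl commands that turn a Linux box into a stateful NAT gateway.
# Interface names and the LAN prefix are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"               # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"               # assumed: interface facing the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN prefix

# Print, one per line, the commands for a masquerading gateway.
# Order matters: flush, default-deny policy, stateful rules, then the nat rule.
nat_gateway_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# DNAT port forward: expose one tcp port of an internal server on the WAN side.
# The translated packet still traverses FORWARD, so a matching accept rule is needed.
dnat_rules() {
    wan="$1"; server="$2"; port="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $server:$port
iptables -t filter -A FORWARD -i $wan -d $server -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Count the "-A <chain>" rules in a rule listing read from stdin (sanity check before applying).
count_chain_rules() {
    grep -c -- "-A $1 "
}

# Full rule set for this host; DNAT_SERVER (assumed variable) enables the port forward.
all_rules() {
    nat_gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
    if [ -n "${DNAT_SERVER:-}" ]; then
        dnat_rules "$WAN_IF" "$DNAT_SERVER" "${DNAT_PORT:-80}"
    fi
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    all_rules | sh -ex        # execute each line, stop at the first failure
else
    all_rules                 # dry run: just show what would be applied
fi
```

The FORWARD policy is DROP, so anything not explicitly allowed (in particular unsolicited connections arriving on the WAN side) is discarded; replies to LAN-originated traffic get back in through the ESTABLISHED,RELATED rule, which is the stateful tracking the notes describe, and the INVALID drop discards packets that conntrack cannot tie to any flow.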