Post on 31-Dec-2015
1
Tutorial 6: Networking Utilities & Firewall
2
Internet Control Message Protocol (ICMP)
designed to compensate for the deficiencies of IP protocol.
ICMP’s functions: Announce network errors Announce network congestion Announce timeouts Assist troubleshooting
3
3: Destination unreachable 4: Source quench11: time exceeded12: Parameter Problem 5: Redirection
8,0: Echo request or reply13,14: Timestamp request and reply17,18: Address mask request and reply10,9: Route solicitation and advertisement
Type:
4
How we testing the network ?
Ifconfig Ping Netstat Nslookup Traceroute Tcpdump
5
How we know the network interface settings ? – ifconfig
ifconfig is used to assign an address to a network interface or to configure network interface parameters.
WARNING: it is danger to use this to change the configuration if you are not familiar. USE other user level utilities. For example, RedHat – netconfig
6
Ifconfig
View interface information
ifconfig –a[root]# /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:C0:4F:7A:BA:C7
inet addr:137.189.90.60 Bcast:137.189.91.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7010277 errors:0 dropped:0 overruns:0 frame:0
TX packets:8755564 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xdc80
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:46811 errors:0 dropped:0 overruns:0 frame:0
TX packets:46811 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Ethernet AddressIP Address & Netmask
MAX Segment Size
# of packets send/receive
7
How we know the host is reachable/alive ? – Ping
ping utilizes the ICMP protocol’s ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from the specified host or network gateway.
pc90001
pc90002
Exec: ping pc90001
ECHO_REQUEST
ECHO_RESPONSE
8
Ping Useful option
- c count specify # of ECHO_REQUEST send - i wait specify time interval in sending each packet - s packetsize specify # of data bytes to be sent - R Record route. Displays the route buffer
on returned packets. Note that the IP header is only large enough for nine such routes. Rest of the hosts are ignore or discard in this option. For this case, you can use traceroute
instead.
9
How we know the usage of port? – netstat
netstat display the contents of various network-related data structures in various formats.
NOTICE: some of the options are different in Solaris or Linux. Please refer to corresponding man page.
10
NetstatCommand Function
netstat -r Show routing table
*netstat -M Show multicast routing table
*netstat -ms Show stream and protocol statistics
netstat -a Show state of all sockets and routing table entries
netstat -n Show numerical addresses instead of host names
netstat -i Show state of interfaces
For those with * are only work in Solaris, there is different option in Linux to achieve the same function.
11
How we find IP address form hostname? – nslookup
nslookup is a networking application that sending queries to DNS and request the domain name information.
nslookup is deprecated, use dig and host instead. Set default DNS
/etc/resolv.conf (Redhat)nameserver 137.189.91.188 #set default DNS
search cse.cuhk.edu.hk #set default domain name
12
How we know a routing path from a remote
host? – traceroute traceroute utilizes the IP protocol ‘time to live’ (ttl) field
and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
traceroute pc90001
pc90002
gateway1 gateway2 pc90001
Generate packet with ttl =1,2,3,….
ttl decrement while passing each gatways
If ttl = 0, the host/gateway to replay a TIME_EXCEEDED back to the source.TIME_EXCEEDED response
ttl = 1,2,… ttl = 1,…
13
How we know whether there are packet send/receive at
the interface? – tcpdump tcpdump prints out the headers of packets
on a network interface that match the boolean expression
Only allow execute by root
14
Tcpdump tcpdump [expression]
It is an boolean expression that select the packet to be dumped.
Type (including host, net and port)
host pc90001 net 137.189 port 21
Dir (specify particular transfer direction, including src, dst)
src pc90002 dst net 202.123.456
Proto (specify particular protocol, including ether, ip, arp, tcp, udp and so on)
tcp port 21 ether src pc90001
15
Tcpdump
Examples To print all packets arriving at or departing from pc90002
tcpdump host pc90002 To print all IP packets except pc90004
tcpdump ip host not pc90004 To print all UDP packets from pc90001 and showing the header
contents tcpdump –x udp and host pc90001
To print all ICMP packets and sending from pc90001 tcpdump icmp and src host pc90001
16
Tcpdump[root]# tcpdump udp
tcpdump: listening on eth0
13:01:09.884933 192.168.0.3.netbios-ns > 192.168.0.255.netbios ns: udp 50
13:01:10.204118 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:10.634916 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
13:01:15.206077 pc90060.cse.cuhk.edu.hk.33883 > beryl.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:20.215660 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
[root]# tcpdump -x icmp and src host solar22
tcpdump: listening on eth0
13:03:52.253498 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
4500 0054 dbf4 4000 fe01 dab4 89bd 5848
89bd 5a3c 0800 dd63 0d31 0000 3a91 f54c
0003 f286 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819
13:03:55.349628 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
4500 0054 dbfa 4000 fe01 daae 89bd 5848
89bd 5a3c 0800 65e9 0d32 0000 3a91 f54f
0005 69fb 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819
17
What is a firewall? A firewall is a secure and trusted machine that
aims to protect the internal network from outside attacks. It is usually located between the private network and the public network. It is configured with a set of rules that determine whether the incoming or outgoing network traffic is accepted, denied or rejected.
Why I need firewall? Control Security Watchfulness
18
Using iptables There are three types of built-in chains (or lists of
rules): INPUT – destined for the local system OUTPUT – originate from the local system FORWARD – enter the system and is forwarded to
another destination
Forward
Input Output
RoutingDecision
Local Process
19
There are mainly three types of operations: ACCEPT – accept the packet DROP – discard the packet silently REJECT – actively reply the source that the
packet is rejected. All the rules are consulted until the first
rule matching the packet is located. If no rules match the packet, the kernel
looks at the chain policy.
20
Operations to manage whole chains N: create a new chain P: change the policy of built-in chain L:list the rules in a chain F: flush the rules out of a chain
Manipulate rules inside a chain A: append a new rule to a chain I: insert a new rule at some position in a chain R: Replace a rule at some position in a chain D: delete a rule in a chain
21
Some filtering specifications: j: specify the rule target s: specify the source addresses d: specify the destination addresses p: specify the protocol used (e.g. tcp, udp,
icmp) i: specify the input interface o: specify the output interface !: specify the inversion (i.e. NOT)
22
TCP Extensions: --tcp-flags: filter on specific flags --syn: shorthand of --tcp-flags SYN, RST,
ACK SYN --source-port (or --sport): specify the source
port --destination port (or --dport): specify the
destination port UDP Extensions:
--sport and --dport
23
Logging
Logging can be done by specify the rule target as LOG (i.e. –j LOG).
Options: --log-level: debug, info, notice, warning, err,
crit, alert, and emerg. Type “man syslog.conf” for details.
--log-prefix: uniquely identify a log message.
24
Examples Drop all icmp (such as ping) packets
iptables –A INPUT –p icmp –j DROP Flush all chains
iptables –F List all existing rules
iptables –L Accept the ssh service from CSE machines
iptables –A INPUT –p tcp –s 137.189.88.0/22 –d 0/0 --dport 23 –j ACCEPT
25
Reject all incoming TCP traffic destined for ports 0 to 1023 iptables –A INPUT –p tcp –s 0/0 –d 0/0 –dport
0:1023 –j REJECT Reject all outgoing TCP traffic except the one
destined for 137.189.96.142 iptables –A OUTPUT –p tcp –s 0/0 –d !
137.189.96.142 –j REJECT Drop all SYN packets from pc89184
Iptables –A INPUT –p TCP –s 137.189.89.184 --syn –j DROP
26
References Linux iptables HOWTO, by Rusty Russell
http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html