Ergwave Cuhk

21
The router assignment SunMoon

Transcript of Ergwave Cuhk

Page 1: Ergwave Cuhk

The router assignment

SunMoon

Page 2: Ergwave Cuhk

Internet Sharing

Why?

Your ISP gives you a single IP address (the external IP address)

But you can't assign this single address to all your PCs

How?

Build a private network

Set up one PC in the network that takes the external IP address and forwards traffic for the other PCs so they can access the Internet

This PC is the gateway of your network; a home router basically acts as such a gateway

Page 3: Ergwave Cuhk

Internet Sharing

Build a private network

Your PCs are given IP addresses that belong to a private subnet (e.g. 192.168.1.0/24)

You would normally run a DHCP server to assign addresses automatically, but for now assume you set them up manually (using ifconfig)

Page 4: Ergwave Cuhk

Internet Sharing

Setup the gateway

First it should forward packets between the private network and the Internet

# echo 1 > /proc/sys/net/ipv4/ip_forward

(this setting is lost on reboot; put net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent)

But your PCs are using private IP addresses, which are not routable on the Internet

So you need to set up NAT on the gateway

Page 5: Ergwave Cuhk

Internet Sharing

Setup NAT on gateway

What should the NAT do?

Replace the src address of outgoing packets with the external IP address (and undo the change on the reply packets coming back)

iptables helps you do the trick

In iptables, the "nat" table is for this purpose

You need to alter the "POSTROUTING" chain: the src address is rewritten after the routing decision, just before the packet leaves

[Figure: PREROUTING chain -> routing rules -> POSTROUTING chain]

Page 6: Ergwave Cuhk

Internet Sharing

Setup iptables for NAT

iptables -t nat -A POSTROUTING ! -d 192.168.1.0/24 -s <client_ip> -p tcp -j MASQUERADE

(Older iptables versions also accept the negation written as "-d ! 192.168.1.0/24". MASQUERADE uses whatever address the outgoing interface currently has, which is what you want when the ISP address changes. Note that "-p tcp" limits this rule to TCP: UDP traffic such as DNS lookups from <client_ip> is not translated unless you drop "-p tcp" or add a rule for it.)

To list the rules in the "nat" table (-n gives faster results by skipping DNS lookups; --line-numbers shows the rule index used by -D, -R and -I)

iptables -t nat -L -n --line-numbers

Other iptables options

iptables -t nat -F: flush (delete) every rule in every chain of the table

iptables -t nat -D POSTROUTING 1: delete the first rule in the POSTROUTING chain

iptables -t nat -R POSTROUTING 2 …: replace the 2nd rule with a new one

iptables -t nat -I PREROUTING 3 …: insert a rule at position 3, i.e. between the current 2nd and 3rd rules (without a number, -I inserts at the top of the chain)

Page 7: Ergwave Cuhk

Internet Sharing

The above slides are about the gateway; what about the other PCs?

They need to know who will forward packets for them

This is done by setting the default gateway address (the gateway's address on the private subnet):

route add default gw 192.168.1.1
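The whole procedure from the slides above (gateway address, forwarding, NAT, and the client's default route) as one script. This is an added example, not the tutorial's code; the interface names, the gateway address 192.168.1.1 and the client address 192.168.1.78 are hypothetical. It also adds the piece the slides leave out: a FORWARD policy, so the gateway only forwards traffic that belongs to the private subnet.

```shell
#!/bin/sh
# Added example, not code from the tutorial: the complete gateway setup from
# the slides in one script. Hypothetical interface names and addresses:
#   eth0 = WAN side (holds the ISP-assigned external address)
#   eth1 = LAN side, 192.168.1.1/24, serving the private subnet 192.168.1.0/24
# DRY_RUN=1 prints every command instead of executing it, so the script can be
# reviewed (or tested) without root.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
GW_ADDR=${GW_ADDR:-192.168.1.1}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Gateway side: LAN address, forwarding, NAT and a FORWARD policy.
setup_gateway() {
    # LAN address of the gateway; the clients use it as their default gateway.
    run ifconfig "$LAN_IF" "$GW_ADDR" netmask 255.255.255.0 up
    # Let the kernel forward packets between interfaces
    # (same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward").
    run sysctl -w net.ipv4.ip_forward=1
    # Source NAT on everything leaving through the WAN interface. Matching the
    # outgoing interface rather than "! -d 192.168.1.0/24" means packets that
    # stay in the LAN are never rewritten even if more subnets are added, and
    # without "-p tcp" UDP (DNS!) and ICMP from the clients are translated too.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Only forward traffic that belongs to this LAN: new flows from the LAN
    # outwards, and replies to them back in. Without a DROP policy the box
    # would forward packets for anyone who can reach it.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Client side: static private address plus the default route via the gateway.
# $1 = interface on the client PC, $2 = the client's private address.
setup_client() {
    run ifconfig "$1" "$2" netmask 255.255.255.0 up
    run route add default gw "$GW_ADDR"
}

case "${1:-}" in
    gateway) setup_gateway ;;
    client)  setup_client "${2:-eth0}" "${3:-192.168.1.78}" ;;
esac
```

Preview with `DRY_RUN=1 sh gateway.sh gateway`, apply as root with `sh gateway.sh gateway` on the gateway and `sh gateway.sh client eth0 192.168.1.78` on each PC. The ESTABLISHED,RELATED rule is what lets replies back through a DROP policy, so it has to be present before you test from a client.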

Page 8: Ergwave Cuhk

Internet Sharing

Now the Internet Sharing part is complete. You can share the Internet connection among your home PCs: your homebrew router has its basic function

Page 9: Ergwave Cuhk

Port forwarding

Say you are hosting a web server on PC A

You want to open the server to people outside your network

They contact your server at <external IP address, port 80>

Your router must decide which PC should receive the packet:

change the dst address of the IP packet and forward the packet to the destination PC

NAT again!

Page 10: Ergwave Cuhk

Port forwarding

Similar to the previous rule, but now we change the dst IP address instead of the src one

Which chain to modify? PREROUTING or POSTROUTING?

The dst IP address must be modified before the packet is routed (otherwise the router would deliver it to itself), so the answer is: PREROUTING

iptables -t nat -A PREROUTING -d 137.189.90.91 ! -s 192.168.1.0/24 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.78

(137.189.90.91 stands for the router's external address. The rule sends TCP connections arriving at external port 2222 to 192.168.1.78 on the same port; append ":port", e.g. --to-destination 192.168.1.78:80, to change the port as well. If your FORWARD chain does not accept everything, it must also allow these packets as they look after translation, i.e. headed to 192.168.1.78.)

[Figure: PREROUTING chain -> routing rules -> POSTROUTING chain]

Page 11: Ergwave Cuhk

Packet filtering

An example: suppose you want to stop your family members from connecting to a hazardous host. Then your router should drop IP packets that head to that host

iptables can do this for you: the "filter" table controls the transmission of packets that are

headed for the router (INPUT)

originated from the router (OUTPUT)

forwarded through the router (FORWARD, i.e. the conversation between the home PCs and outsiders)

Page 12: Ergwave Cuhk

Packet filtering

There are three chains in the "filter" table: INPUT, OUTPUT and FORWARD

For traffic that is neither originated from nor headed to the router, modify the FORWARD chain

[Figure: packets from LAN or WAN -> PREROUTING -> routing rules -> either INPUT -> router's local processes -> OUTPUT -> POSTROUTING, or FORWARD -> POSTROUTING -> packets to LAN or WAN]
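Port forwarding (previous slides) and host blocking (this slide) together, as an added example that is not part of the tutorial. The functions print the iptables commands rather than running them, so the rules can be reviewed before being piped to sh; eth0/eth1, the internal host 192.168.1.78 and the blocked address 203.0.113.9 are hypothetical, and the FORWARD chain is assumed to have a DROP policy with ACCEPT rules for LAN traffic and established connections, so a DNAT rule alone is not enough.

```shell
#!/bin/sh
# Added example, not code from the tutorial: port forwarding and host blocking
# as functions that print the iptables commands to run. Hypothetical names:
# eth0 is the WAN interface, eth1 the LAN interface. The FORWARD chain is
# assumed to have policy DROP with ACCEPT rules only for LAN-originated flows
# and their replies, which is why port forwarding needs a FORWARD rule too.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# True when $1 is a decimal port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
}

# port_forward EXT_PORT INT_HOST INT_PORT
# Matching on the incoming interface (-i eth0) instead of the external address
# keeps the rule valid when the ISP changes that address. DNAT in PREROUTING
# rewrites the destination; the FORWARD rule must match the packet as it looks
# after translation (internal host and port), because the filter table sees it
# only after the nat PREROUTING chain has run.
port_forward() {
    valid_port "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$1" "$2" "$3"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$2" "$3"
}

# block_host HOST: drop forwarded packets from the LAN headed to HOST.
# Inserted at the top of FORWARD (-I ... 1) so it is evaluated before any
# ACCEPT rule; rules are matched top to bottom, so appending it after an
# ACCEPT would make it dead code. Blocking by address does not stop the same
# site on another address or through a proxy, so treat this as a convenience
# filter, not a security boundary.
block_host() {
    valid_ipv4 "$1" || return 1
    printf 'iptables -I FORWARD 1 -i %s -d %s -j DROP\n' "$LAN_IF" "$1"
}

# Example, run as root:
#   { port_forward 2222 192.168.1.78 80; block_host 203.0.113.9; } | sh
```

Both functions refuse malformed input and return non-zero, which matters if the values ever come from a web form on the router: an unvalidated "host" of `192.168.1.78; reboot` would otherwise be executed by the shell.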

Page 13: Ergwave Cuhk

ERGWAVE-style login system

The desired feature: Internet sharing is only for authenticated users

Upon browsing external pages, non-authenticated users are redirected to the login page

After a successful login, the users are redirected back to the external pages

There are three problems:

How do you redirect users to the login page?

How do you NOT redirect authenticated users to the login page?

How do you bring users back to the external pages?

Page 14: Ergwave Cuhk

ERGWAVE-style login system

Problem 1 - Redirection to the login page

Like port forwarding, we use DNAT to modify the dst address (and port if needed) of packets from the home PCs

Add a rule to the PREROUTING chain that rewrites the dst address to the router's IP

The Apache server on the router then receives the request, but note that the URL (document path) and Host header in the HTTP request are left unchanged, e.g. http://company_a.com/file.txt --> http://192.168.1.1/file.txt

Your Apache server will answer with error 404, because /file.txt does not exist on it

You should set up a different web server to handle this: a new Apache virtual host (covered in the last tutorial), or a simple web server of your own (sample code released)

Method of redirection: HTTP response 302 (Found, originally "Moved Temporarily"), with the login page in the Location header (look up the protocol)

(This only works for plain HTTP on port 80; HTTPS connections cannot be redirected this way without certificate errors in the browser)

Page 15: Ergwave Cuhk

ERGWAVE-style login system

Problem 2 - Avoid redirection

The IP addresses of authenticated users are known, so the redirection rule should be bypassed for them

Insert a rule into the PREROUTING chain before the redirection rule; rules in a chain are evaluated from top to bottom

iptables -t nat -I PREROUTING 1 ….

This rule checks whether the src IP address is authenticated; if so, the packet is let through and the remaining rules of the chain are ignored

You may use "-j ACCEPT" (or "-j RETURN", which falls back to the chain's default policy, ACCEPT for the nat table)

Note that a LAN IP address can be spoofed or simply taken over by another machine, so this identifies a user only as well as the private addresses can be trusted

Page 16: Ergwave Cuhk

ERGWAVE-style login system

Problem 3 - Returning to the external site

The site URL should not be forgotten. How do you know the URL?

From the request line (GET …) and the Host header of the HTTP request message; read them in your own simple web server, or in PHP, or…

"Request packet" with no proxy (the path is relative, the host is in the Host header):

GET / HTTP/1.1
Host: www.cse.cuhk.edu.hk
User-Agent: Mozilla/5.0 … Firefox/2.0.0.11 GTB5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Connection: keep-alive
…

Through a proxy (the request line carries the full URL):

GET http://www/ HTTP/1.1
Host: www
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11 GTB5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: slider1=slider1:4

Page 17: Ergwave Cuhk

ERGWAVE-style login system

Problem 3 - Returning to the external site

How do you remember it?

Encode it into the URL of the router Web UI (e.g. as a query parameter of the login page), or

Store it in a cookie (refer to the lecture notes), or

Store it in router storage (maintain a mapping between user IP address and external page URL)

Whichever you choose, treat the remembered URL as untrusted input when you redirect the user back to it

Page 18: Ergwave Cuhk

Timeout

Feature: in "login mode", a user gets the right to access the Internet after logging in. This access right times out after a specified period, and the user has to log in again

The job of removing the access right (i.e. deleting the user's bypass rule) is automatic and runs at a given time

This can be done by cron

Page 19: Ergwave Cuhk

cron, crontab

cron is a daemon that executes scheduled commands

crontab is the utility that manipulates cron's schedule

The schedule is a table, which you may edit with a text editor (try: crontab -e)

Example - adding a task from the command prompt:

# echo "* * * * * date >> /root/beat.txt" | crontab -u root -

This will append the date and time to the file every minute

Format of a task line: minute hour day month day_of_week command

e.g. "30 7 * * 1-5 alarm" means: on every weekday, run the alarm command at 7:30

Page 20: Ergwave Cuhk

crontab

The above command replaces the whole cron schedule of that user

To append a job, use "crontab -l" to dump the current contents to a file first, append the new job to the file, and reload the crontab with "crontab filename"
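The dump, append and reload procedure as a function that can be re-run safely; this is an added example, not from the tutorial. The merge itself is pure (current table on stdin, new table on stdout), so it can be checked without touching a real crontab, and it only adds the job when an identical line is not already present, which avoids scheduling the same task twice if the script runs again.

```shell
#!/bin/sh
# Added example, not from the tutorial: idempotent "dump, append, reload" for
# crontab. merge_crontab reads the current table on stdin and writes the new
# one on stdout; add_cron_job wraps it with crontab(1).
# $1 = the crontab line to add (no backslashes: awk -v interprets escapes).
merge_crontab() {
    awk -v job="$1" '
        { print }                 # keep every existing line as is
        $0 == job { seen = 1 }    # note whether the job is already scheduled
        END { if (!seen) print job }'
}

add_cron_job() {
    # "crontab -l" exits non-zero when no table is installed yet;
    # treat that as an empty table instead of aborting.
    { crontab -l 2>/dev/null || true; } | merge_crontab "$1" | crontab -
}

# Example (the task from the slide):
#   add_cron_job '* * * * * date >> /root/beat.txt'
```

Piping through `crontab -` reads the new table from stdin, so no temporary file is left behind with the user's schedule in it.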

Note that cron is for repeating routines; for one-time-only jobs, you may use "at" (served by the atd daemon):

Make sure atd is running first: /etc/init.d/atd restart

echo "date > test.txt" | at now + 5 minutes
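The three problems of the login system (redirect, bypass for authenticated addresses, remembering the external URL) and the timeout, as shell functions. This is an added example and not the tutorial's released sample code; the router address 192.168.1.1, the login server port 8080, the LAN interface eth1 and the grant lifetime are hypothetical. The expiry uses at(1), as a one-time job is what revoking a single grant needs.

```shell
#!/bin/sh
# Added example, not the tutorial's sample code. Hypothetical values: the
# router's LAN address is 192.168.1.1, the login page listens on port 8080
# of the router, eth1 is the LAN interface, grants last GRANT_MINUTES.
ROUTER_IP=${ROUTER_IP:-192.168.1.1}
LOGIN_PORT=${LOGIN_PORT:-8080}
LAN_IF=${LAN_IF:-eth1}
GRANT_MINUTES=${GRANT_MINUTES:-30}

# Problem 1: the nat rule that sends unauthenticated web traffic to the login
# server. A dedicated port keeps the main Apache site out of it (Apache would
# answer 404 for paths that exist only on the external site).
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$ROUTER_IP" "$LOGIN_PORT"
}

# Percent-encode a string (RFC 3986 unreserved characters are kept) so the
# original URL survives as a query parameter and cannot inject headers.
urlencode() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[A-Za-z0-9._~-]/) printf "%s", c
                else printf "%%%02X", ord[c]
            }
        }'
}

# Problem 3 (knowing the URL): rebuild what the browser asked for from the
# request line and the Host header, handling both the plain form
# ("GET /file.txt HTTP/1.1" + "Host: company_a.com") and the proxy form
# ("GET http://www/ HTTP/1.1"). $1 = request line, $2 = Host header value.
original_url() {
    path=$(printf '%s' "$1" | cut -d' ' -f2)
    case "$path" in
        http://*|https://*) printf '%s' "$path" ;;
        /*)                printf 'http://%s%s' "$2" "$path" ;;
        *)                 return 1 ;;
    esac
}

# Problem 1 (the response): a 302 whose Location carries the original URL
# in the "next" parameter, i.e. it is remembered in the login page's URL.
build_redirect() {
    url=$(original_url "$1" "$2") || return 1
    printf 'HTTP/1.1 302 Found\r\nLocation: http://%s:%s/login?next=%s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n' \
        "$ROUTER_IP" "$LOGIN_PORT" "$(urlencode "$url")"
}

# After login the server sends the user to "next". Accept only absolute
# http(s) URLs; otherwise the login page is an open redirector and a
# "javascript:" value would run in the user's browser.
safe_next() {
    case "$1" in
        http://*|https://*) printf '%s' "$1" ;;
        *) printf 'http://%s/' "$ROUTER_IP" ;;
    esac
}

# Problem 2 and the timeout: grant an address by inserting an ACCEPT at the
# top of nat PREROUTING (so it wins over the redirect rule) and queue the
# removal with at(1). The address comes from the request's remote address,
# but it is validated anyway because it ends up on a command line.
authorize_cmds() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    printf 'iptables -t nat -I PREROUTING 1 -s %s -j ACCEPT\n' "$1"
    printf 'echo "iptables -t nat -D PREROUTING -s %s -j ACCEPT" | at now + %s minutes\n' \
        "$1" "$GRANT_MINUTES"
}
# Apply for a client, as root:  authorize_cmds 192.168.1.78 | sh
```

The percent-encoding does double duty: it keeps the remembered URL intact through the query string and makes sure a Host header chosen by the client cannot add headers to the 302 response. Since authentication is tied to the source address, the grant is only as strong as the LAN's address assignment.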

Page 21: Ergwave Cuhk

Questions?