Ergwave Cuhk
Transcript of Ergwave Cuhk
The router assignment
SunMoon
2
Internet Sharing
Why?
Your ISP gives you a single IP addr (external IP addr)
But you can't assign this single addr to all your PCs
How?
Build a private network
Setup a PC in the network takes that IP and helps other PCs
to access the Internet
This is the gateway of your network, your router basically acts like a
gateway
3
Internet Sharing
Build a private network
Your PCs are given IP addrs that belongs to a
private subnet (e.g. 192.168.1.0/24)
You should use ”DHCP server” to automatically
assign IP addr, but now assume you setup
manually. (using ifconfig)
4
Internet Sharing
Setup the gateway
First it should forward packets between the private
network and the Internet
# echo 1 > /proc/sys/net/ipv4/ip_forward
But your PCs are using private IP addrs
So you need to setup NAT on the gateway
5
Internet Sharing
Setup NAT on gateway
What should the NAT do?
Replace ”src addr” of out-going packets with the external
IP addr
Iptables help you do the tricks
In Iptables, the table ”nat” is for this purpose
You need to alter the ”POSTROUTING” chain
POSTROUTING
chain
Routing
Rules
PREROUTING
chain
6
Internet Sharing
Setup Iptables for NAT
iptables –t nat –A POSTROUTING –d ! 192.168.1.0/24 –s <client_ip> -p tcp –j
MASQUERADE
To list the rules in the “nat” table (-n gives faster result by eliminating dns lookup)
Iptables –t nat –L –n
Other iptables options
Iptables –t nat –F: clear the table
Iptalbes –t nat –D POSTROUTING 1: delete the first rule in the POSTROUTING chain
Iptalbes –t nat –R POSTROUTING 2 …: replace the 2nd rule with new one
Iptalbes –t nat –I PREROUTING 3 …: insert a rule between the 3rd and 4th rule
7
Internet Sharing
The above slides are about the gateway, how
about the other PCs?
They should know who will forward the packet
for them
This is done by setting the gateway address:
route add default gw 192.168.1.1
8
Internet Sharing
Now the Internet Sharing part is completed. You can now share the Internet connection
among your home PCs! Your homebrew router got basic function
9
Port forwarding
Say, you are hosting a web server at PC A
You want to open the server to people outside your network
They contact your server at <external IP address, port 80>
Your router should decide which PC should receive the packet
Change the dst address of IP packet, forward the packet to the
destination PC
NAT again!
10
Port forwarding
Similar to the previous rule, but we now change the dst IP addr
instead of src one
Which chain to modify? PREROUTING or POSTROUTING?
The dst IP addr is modified before the packet is routed, so
answer is: PREROUTING
(iptables -t nat –A PREROUTING -d 137.189.90.91 -s !
192.168.1.0/24 –p tcp –dport 2222 –j DNAT –to-destination
192.168.1.78)
POSTROUTING
chain
Routing
Rules
PREROUTING
chain
11
Packet filtering
An example: Suppose you want to stop your family members from connecting to a
hazardous host Then your router should drop IP packets that heads to that host
Iptables can do this for you The “filter” table controls the transmission of packets that…
headed for the router originated from the router forwarded through the router (i.e. the conversation between the home
PCs and outsiders)
Packet filtering
There are three chains in the “filter” table For traffic that not originated from nor headed to
the router, modify the FORWARD chain
INPUT OUTPUT
FORWARDPREROUTING POSTROUTING
Router’s Local Processes
RoutingRules
Packetsfrom LAN or WAN
Packetsto LAN or WAN
ERGWAVE-style login system
The desired feature: Internet sharing is only for authenticated users Upon browsing external pages, non-authenticated users are
redirected to the login page After successful login, the users are redirected back to the
external pages There are three problems
How do you redirect users to the login page? How do you NOT redirect authenticated user to the login
page? How do you bring users back to the external pages?
ERGWAVE-style login system
Problem 1 – Redirection to login page Like port forwarding, we use DNAT, modify the dst addr (and port if
needed) of packets from home PCs Add a rule to the PREROUTING chain to modify the dst addr to the
router ip The Apache server on the router should respond to the request But note that the URL (document path) in the HTTP request packet are
left unchanged e.g. http://company_a.com/file.txt --> http://192.168.1.1/file.txt Your Apache server will blame you with error 404
You should setup a different web server to handle this Setup a new Apache virtual host (covered in last tutorial), or Write a simple web server (sample code released)
Method of redirection: HTTP response 302 -- Moved temporarily (try to Google the protocol)
ERGWAVE-style login system
Problem 2 – Avoid redirection The IP addresses of authenticated users are known The redirection rule should be by-passed Insert a rule to the PREROUTING chain, before the
redirection rule Rules in a chain are executed from top to bottom Iptables –t nat –I PREROUTING 1 ….
This rule check if the IP addr is authenticated, if so, let the packet through and ignore the remaining rules
You may use “-j ACCEPT” (or “–j RETURN” which rely on default policy of the chain)
ERGWAVE-style login system
Problem 3 - Returning to the external site The site URL should not be forgotten How do you know the URL?
From the GET and HOST fields in HTTP request message Read it in your own simple web server, or PHP, or…
“Request packet” with no proxy
GET / HTTP/1.1Host: www.cse.cuhk.edu.hkUser-Agent: Mozilla/5.0 … Firefox/2.0.0.11 GTB5Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: UTF-8,*Keep-Alive: 300Connection: keep-alive…
Through Proxy
GET http://www/ HTTP/1.1Host: wwwUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11 GTB5Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: UTF-8,*Keep-Alive: 300Proxy-Connection: keep-aliveCookie: slider1=slider1:4
ERGWAVE-style login system
Problem 3 - Returning to the external site How do you remember it?
Encode into the URL of the router Web UI, or Store in cookies (refer to the lecture notes), or Store in router storage (Maintain a mapping between
user IP address and external page URL)
Timeout
Feature: In “login mode”, user got the right to access Internet
after logged in. This access right got timeout after a specified time
period The user will need to login again
This job of removing access right from user is automatic, perform at a certain time
This can be done by cron
cron, crontab
Cron is a daemon to execute scheduled commands Crontab is a utility that manipulate the schedule of cron The schedule is in a table format, you may modify by using a
text editor (try: crontab -e) Example - Adding a task in command prompt:
# echo “* * * * * date >> /root/beat.txt” | crontab -u root - This will write the date and time info to the file every minute
Format of a line of task: minute hour day month day_of_week command e.g. “30 7 * * 1-5 alarm” means for every week day, makes the alarm call
at 7:30
crontab The above command would override the cron schedule
To append jobs to crontab, use “crontab -l” to dump the
contents to a file first, append the new job to the file, and reload
the crontab by “crontab filename”
Note that cron is for repeating routines, for one-time-only jobs,
you may use “atd”:
Restart atd daemon first: /etc/init.d/atd restart
echo “date > test.txt” | at NOW + 5 minutes
Questions?