Enterprise Networking Week 11

Spring 2023, Mondays 4:15-6:45 in Crown 105

April 10

Eventually we will look at this: blog.oddbit.com/post/2023-02-19-vrf-and-nat.

Project 4

Policy-based routing

multiple forwarding tables, rules, fwmark, iptables

Discussion of book --dest-port vs --dport

What goes wrong if rp_disable() is commented out: using WireShark to track the missing SYN+ACK

Pox Openflow example: learning-switch code

Active Queue Management (AQM)

We did my home front-line firewall in week 10.

At five points in the Linux network kernel, there are "callback" attachment points called chains. The term "chain" probably comes from a list of rules that can be attached; the rules in a chain are numbered. The five points are:

(the iptables command is the most common command for manipulating these kernel hooks, but not the only one; the generic term for these hooks is netfilter.)

What can you do with this:

Set up rules. Rules have matching information, and then a target. Typical targets are DROP, ACCEPT and LOG. (We can also have another chain, a user-defined chain, as a target, for which there can be a RETURN target to return to the original chain.) Here is a list:

Execution of the rules in a chain continues until we reach an ACCEPT or a DROP.

Tables: There is a filter table, a mangle table and a nat table. These can be thought of as sets of chains. Here are the standard tables:

The filter table is for firewall-type rules; the mangle table is for packet-modification rules (which we have not seen yet).

Simple firewall: drop inbound packets that are not part of established connections.

Always set DROP policies. Otherwise you can make sure the last rule in each chain says to drop everything, but then it's very hard to add new rules.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Now allow the firewall to accept connections from INSIDE, and send to INSIDE

iptables --append INPUT --in-interface $INSIDE --jump ACCEPT
iptables --append OUTPUT --out-interface $INSIDE --jump ACCEPT

Now I set up something for protocol-41 packets, that is, IPv6-in-IPv4 packets. These are delivered to host $ASGARD only (which then has its own ip6tables firewall).

iptables --table nat --append PREROUTING --in-interface $OUTSIDE --protocol 41 --jump DNAT --to-destination $ASGARD
# this applies *after* the previous PREROUTING line to ACCEPT the just-mangled packets
iptables --append FORWARD --protocol 41 --destination $ASGARD --jump ACCEPT
# what about the packets from ASGARD?
# Not sure I need this??
iptables --table nat --append PREROUTING --in-interface $INSIDE --protocol 41 --jump ACCEPT

Now make sure the outside world cannot reach the router pretty much at all. Except I do allow DHCP packets from my ISP, and some ICMP packets.

# iptables --append INPUT --in-interface $OUTSIDE -p udp --dport 68 --jump ACCEPT
iptables --append INPUT --in-interface $OUTSIDE -p icmp --icmp-type echo-request --jump ACCEPT
iptables --append INPUT --in-interface $OUTSIDE -p icmp --icmp-type destination-unreachable --jump ACCEPT
iptables --append INPUT --in-interface $OUTSIDE -p icmp --icmp-type echo-reply --jump ACCEPT
# iptables --append INPUT --in-interface $OUTSIDE --jump DROP
# maybe do the same for output, except allow echo-reply?
iptables --append OUTPUT --out-interface $OUTSIDE -p icmp --icmp-type echo-request --jump ACCEPT
iptables --append OUTPUT --out-interface $OUTSIDE -p icmp --icmp-type destination-unreachable --jump ACCEPT
iptables --append OUTPUT --out-interface $OUTSIDE -p icmp --icmp-type echo-reply --jump ACCEPT
#iptables --append OUTPUT --out-interface $OUTSIDE --jump DROP

Now comes the part where packets from outside are forwarded only if they are part of a preexisting connection. (What is a preexisting connection for UDP?)

#5. Arriving packets should be forwarded only if they are part of an existing connection
#(do I want RELATED? Probably YES, as it allows ICMP errors in)
#iptables --append FORWARD -i $OUTSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD --in-interface $OUTSIDE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

How would I allow inbound ssh connections? Inbound ssh connections from one IP address?
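One worked answer to the ssh question, added here and not part of the lecture script: it assumes the router itself is the ssh server, reuses $OUTSIDE from above, and uses the constructed address 203.0.113.5 as the one permitted client. Setting IPT=echo gives a dry run that prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not part of the lecture script: allow inbound ssh to the
# router itself, but only from one address. Assumes $OUTSIDE is the
# ISP-facing interface as above; 203.0.113.5 is a constructed address.
# IPT defaults to the real iptables; set IPT=echo to dry-run.
IPT="${IPT:-iptables}"

# allow_ssh_from ADDR IFACE
# Three rules, not one. The script above gives INPUT and OUTPUT a DROP
# policy and accepts almost nothing on $OUTSIDE, so a lone "tcp dport 22"
# rule lets the client's SYN in but the router's SYN+ACK is dropped in
# OUTPUT, and the client's later ACKs and data need an INPUT rule too.
# Let conntrack handle everything after the first packet, as the FORWARD
# chain above already does.
allow_ssh_from() {
    addr="$1"; iface="$2"
    # 1. new ssh connections from this one address only
    "$IPT" --append INPUT --in-interface "$iface" --protocol tcp \
        --source "$addr" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # 2. the rest of that flow (and any other established flow) inbound
    "$IPT" --append INPUT --in-interface "$iface" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. the router's own replies back out the outside interface
    "$IPT" --append OUTPUT --out-interface "$iface" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage as a script: sh allow_ssh.sh 203.0.113.5 "$OUTSIDE"
if [ "$#" -eq 2 ]; then
    allow_ssh_from "$1" "$2"
fi
```

Forwarding ssh to an inside host instead would use a nat PREROUTING DNAT rule plus a FORWARD ACCEPT, in the same pattern as the protocol-41 rules above.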

Example of setting up nat:

eth1: outside-world interface
eth0: inside network

# set up nat

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

More examples: https://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Example with policy-based routing:


Ulam ufw tables/chains

altsocketudp.py and initraw():