Enterprise Networking Week 12
Spring 2023, Mondays 4:15-6:45 in Crown 105
April 17
Eventually we will look at this: blog.oddbit.com/post/2023-02-19-vrf-and-nat.
iptables
iximiuz.com/en/posts/laymans-iptables-101
We set up rules. A rule consists of match criteria followed by
a target. Typical targets are DROP, ACCEPT and LOG. (A user-defined
chain can also be the target; inside such a chain, a RETURN target sends
the packet back to the chain that jumped to it.) Here is a
list of targets:
- DROP -- drop the packet; iptables is done with it
- ACCEPT -- accept the packet; iptables is done with it
- RETURN -- return from a user-defined chain
- LOG -- log the packet by the kernel
- ULOG -- userland logging
- CLASSIFY -- for CBQ, a predecessor to HTB
- TOS -- used to set the IP TOS field
- TTL -- set the TTL field, typically to disguise the use of NAT
- TCPMSS -- set the MSS field in TCP 3WHS options
- DSCP -- set the new TOS field, the "Differentiated Services Code Point"
- ECN -- set the ECN field
- MARK -- set the so-called "fwmark"
- MASQUERADE -- network address translation
- SNAT -- more NAT
- DNAT -- more NAT
- SAME -- flavor of NAT
- NETMAP -- sort of NAT
- MIRROR -- weird
- REDIRECT
- REJECT -- like DROP, but explicitly
- NFQUEUE -- for redirecting raw packets out of the kernel; used in my
- QUEUE -- similar to NFQUEUE
Execution of the rules in a chain continues until we reach an ACCEPT or a
DROP.
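As an added example (not part of these notes), here is a small sh script that builds an INPUT policy out of two user-defined chains, so the difference between a terminal target (ACCEPT, DROP) and RETURN can be seen in real rules. IPT defaults to a dry run that only echoes the iptables commands (set IPT=iptables to apply them as root), and ADMIN_NET is a constructed example subnet.

```shell
#!/bin/sh
# Added example, not from the lecture notes. Dry run by default: IPT echoes
# the commands instead of running them. ADMIN_NET is a constructed value.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-10.0.50.0/24}"

build_rules() {
    # LOGDROP: have the kernel log the packet (rate limited), then DROP it.
    # DROP is terminal: iptables is done with the packet.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
    $IPT -A LOGDROP -j DROP

    # SSH_GUARD: ACCEPT port-22 traffic from the admin subnet; everything
    # else hits RETURN and goes back to INPUT, where evaluation continues
    # with the rule after the jump.
    $IPT -N SSH_GUARD
    $IPT -A SSH_GUARD -s "$ADMIN_NET" -j ACCEPT
    $IPT -A SSH_GUARD -j RETURN

    # INPUT: loopback and existing connections are accepted outright;
    # INVALID conntrack state is logged and dropped; SSH goes through
    # SSH_GUARD, and if that RETURNs, the next rule REJECTs it (a DROP that
    # tells the sender, here with a TCP RST). Anything left is logged+dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
    $IPT -A INPUT -p tcp --dport 22 -j SSH_GUARD
    $IPT -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j LOGDROP

    # Chain policy applies to a packet that runs off the end of INPUT.
    # Set it last so an existing admin session is not cut off while loading.
    $IPT -P INPUT DROP
}

build_rules
```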
Tables: there is a filter table, a mangle table and a nat table. A table
can be thought of as a set of chains. Here are the standard tables:
- filter -- for firewalls
- nat -- network address translation
- mangle -- for packet modification
- raw -- generally for packet operations not associated with connection tracking
- security -- follows the filter table for so-called mandatory access control (vs "discretionary" access control)
The filter table is for firewall-type rules; the mangle table is for
packet-modification rules (which we have not seen yet).
altsocketudp.py and initraw():
- bind method
- initraw() (in netfilter.py)
- nfinitreader()
- nfmainreader()
- packet_callback()
SNMP
- OIDs
- ireasoning MIB browser
- Table representation
- Some basic MIBs
SNMP tables
- get_bulk
- sparse tables
- some examples
- SNMP set vs get; security implications
- ifXTable and ETHERLIKE mib
- BRIDGE mib and tracking users
- updated interfaces table
- row creation
- RMON example
- PING-mib