Networking With Linux

Networking With Linux Ronni Wilkinson Network Manager’s Meeting December 5, 2002 Our Setup • RedHat 7.3 • Iptables • 2.4.18-10brnf0.0.7.i686 kernel (with bridging and firewalling combined support): http://bridge.sourceforge.net/ • Bridge Utilities: http://bridge.sourceforge.net/bridge-utils/ • Inline Snort: http://www.snort.org/dl/contrib/patches/inline/ Why Bridging? • • • • No devoted subnets! Can always NAT/Masquerade One less hop Firewalling + IDS = Active response (But be careful! It can turn against you!) • Stealthy A Picture Another Picture Setting Up Snort • When compiling: ./configure --enable-inline \ --with-libipq-includes=/usr/local/include \ --with-libipq-libraries=/usr/local/lib • When invoking: snort –Q -D –c snort.conf • Can change signatures to DROP • Will be integrated in version 1.10 Setting up the Bridge: Get Rid of any Old Setup brctl delif br0 eth0 brctl delif br0 eth1 ifconfig br0 down brctl delbr br0 Build the Bridge ifconfig eth0 0.0.0.0 up ifconfig eth1 0.0.0.0 up brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 No Spanning Tree Protocol: brctl stp br0 off Turn it on: ifconfig br0 0.0.0.0 up Or give the bridge an IP address and turn it on: ifconfig br0 10.252.49.231 netmask 255.255.255.0 up route add default gw 10.252.49.1 Setting up Iptables: Starting From Scratch Flush all built-in tables: iptables –F Flush specified table (NAT): iptables –F –t NAT Flush all user defined tables: iptables -X Iptables Setup: Loading Modules /sbin/depmod –a /sbin/modprobe ipt_LOG /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_conntrack_irc Needed for inline Snort: /sbin/modprobe ip_queue Setup forwarding between interfaces: echo "1" > /proc/sys/net/ipv4/ip_forward Netfilter Framework Packets Passing through Bridge; SNORT Destination NAT Source NAT; Masquerading 1 PRE_ROUTING eth1 3 FORWARD 4 POST_ROUTING ROUTING LOCAL PROCESSES ROUTING eth0 LOCAL_OUT 2 LOCAL_IN 5 Iptables Rules: Allow SSH to the bridge machine itself iptables –A INPUT –p tcp –d 10.252.49.231 \ -–dport 22 –j ACCEPT iptables –A INPUT –i eth0 –m state \ --state RELATED,ESTABLISHED –j ACCEPT iptables –A INPUT –i lo –j ACCEPT iptables –P INPUT DROP Iptables Rules: Allow TCP through the bridge, feed to Snort iptables –A FORWARD –m state \ --state RELATED,ESTABLISHED –j QUEUE iptables –A FORWARD –p tcp –m state \ --state NEW,RELATED –j QUEUE Masquerading • Modem connections/DHCP • Doesn’t drop connections when address changes • Makes all packets from internal look like they are coming from the modem machine/DHCP address (outgoing interface’s address): echo 1 > /proc/sys/net/ipv4/ip_forward modprobe iptable_nat iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE Source NAT • Translate source address iptables –t nat –A POSTROUTING \ –o -j SNAT \ –-to-source

[-

][:port-port] iptables –t nat –A POSTROUTING –o eth1 \ -J SNAT –-to-source 10.252.49.231 Destination NAT • Translate destination address iptables –t nat –A PREROUTING \ –i -j DNAT \ --to-destination

[-

][:port-port] iptables –t nat –A PREROUTING -i eth0 –p tcp \ -d 10.252.49.77 –dport 80 –j DNAT \ --to-destination 10.252.49.231 iptables –t nat –A PREROUTING -i eth0 –p tcp \ -d 10.252.49.77 –dport 80 –j REDIRECT Load Balancing • Source Policy Routing: Make sure Person A, who pays the lower rate, gets routed over the house modem instead of the DSL • Split Access for Multiple Uplinks: Packets coming in from ISP A go back out ISP A • Load Balancing: default route becomes a multipath path route, balance routes over 2 providers iptables –t nat –A PREROUTING –i eth0 –d 10.252.49.231 –p tcp –-dport 80 –j DNAT –-to-destination 10.252.50.4-10.252.50.8 QOS – Outgoing Packets • pfifo_fast – first in first out – 3 bands, packets in Band 0 get handled, then Band 1, etc. • Token Bucket Filter – Rate does not exceed some limit, but bursting is possible with enough tokens – Allows uploading without killing interactive sessions: tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540 (Classless) • Stochastic Fairness Queueing – less accurate but promotes fairness so no one conversation drowns out the others tc qdisc add dev ppp0 root sfq perturb 10 QOS – Outgoing Packets (Classful) • Giving priority to particular kinds of traffic • CBQ – Class Based Queueing – isn’t very precise, uses idle time to force limits • PRIO – pfifo on steroids • Hierarchical Token Buckets – like CBQ, but uses token buckets instead of idle time QOS – Incoming Packets • Actually Ingress Policer • Kernel Estimator – Counts 25 times/sec how much traffic and figure the bitrate • Token Bucket Filter – Cannot delay, either passes or drops packet • Overlimit Actions: – Continue (check other filters), drop, Pass/OK, reclassify (to Best Effort, default) References Firewalling for Free: An Enterprise Firewall without the Enterprise Price http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf Linux Advanced Routing and Traffic Control Howto: http://lartc.org/ Netfilter/Iptables: http://www.netfilter.org/documentation/index.html Linux Firewalls, Second Edition by Robert Ziegler ISBN 0-7357-1099-6