Linux – routing and firewall for beginners v 1.0
1. Linux – Routing and Firewall for beginners
sriram@belenix.org
@sriramnrn
2. Agenda
• Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (demo, troubleshooting and exercises)
• Firewalls (demo, troubleshooting and exercises)
3. What we should have achieved today
• This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basic firewall administration
• What I haven’t tried in today’s infra
• Asymmetric routing
• We won’t be covering today:
• LARTC (Linux Advanced Routing and Traffic Control)
• QoS
• Policy Based Routing
• VPNs
4. Setup
• Download and extract iptables.zip from
https://www.dropbox.com/s/6ef1nfdplliao30/iptables.zip
• Change into the iptables directory
• Run “vagrant up”
• Will download a 350 MB file from the vagrant cloud.
5. Working with the infrastructure
• Vagrant up, halt, destroy
• Vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your work via puppet
6. Some network basics
• Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat
7. Getting started with routing
• From your laptop to the various individual boxes
• Print the route table
• Within each box
• Print the route table
• What have we discovered? Draw a diagram
• Explore the Virtual Box settings and validate the diagram
• Which IPs are you able to ping? From where?
• Why is the ping working?
• Why is the traceroute working?
8. Before we set up a route
• ssh to “office”
• From “office”, ssh to “router”.
• From “router”, ssh to “dmz”
• Why is this working?
9. Setting up a direct route to further hops
• What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes, why?
• If no, what do you think is missing?
10. About routes and return routes
• One of the first lessons one learns!
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to office
• Does the ping work?
• We’ll look at SSH and traceroute next
• Persisting the route settings
11. When routes and return routes are not enough
• SSH and traceroute
• from office to dmz
• from dmz to office
• Do the ssh and traceroute work?
• Coming up – packet forwarding
12. About packet forwarding
• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz to office
• Do the ping, traceroute and ssh work?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting
13. Persisting packet forwarding settings
• /proc is temporary. Reboot and check! ;)
• Do the ping, traceroute and ssh work?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf
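Added example, not part of the workshop's vagrant files: the commands behind slides 10 to 13 as a small bash script for the "router" box, covering the live /proc flag, the temporary change, the persistent change in sysctl.conf and its reload, plus one static route persisted the CentOS/RHEL way (the boxes use "service network restart" and "chkconfig", so that convention is assumed). The subnets, the gateway address and the interface name eth1 are constructed placeholders; the file and directory paths are parameters so each function can first be tried on a scratch copy.

```shell
#!/bin/bash
# Added example (not from the workshop's vagrant files): IPv4 packet forwarding
# on "router", temporary via /proc and persistent via sysctl.conf, plus a static
# route persisted in /etc/sysconfig/network-scripts. Addresses are constructed.
set -eu

DMZ_NET="192.168.20.0/24"        # constructed: DMZ side of the router
ROUTER_OFFICE_IP="192.168.10.2"  # constructed: router's address on the office net

# 1. Live state: /proc shows whether the kernel forwards packets between
#    interfaces right now. Without it "office" can still ssh to "router", but
#    a packet for "dmz" arriving on the router is silently discarded even when
#    the route and the return route are both correct.
ip_forward_state() {
    cat /proc/sys/net/ipv4/ip_forward
}

# 2. Temporary: write 1 into /proc (same effect as "sysctl -w net.ipv4.ip_forward=1").
#    Lost on reboot, which is what "reboot and check" on slide 13 shows.
enable_ip_forward_now() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# 3. Persistent: make sure the given sysctl.conf carries exactly one
#    "net.ipv4.ip_forward = 1" line. A stock install usually ships "= 0"; that
#    line is rewritten rather than duplicated, because sysctl applies lines in
#    order and a stale "= 0" further down would silently undo the change.
persist_ip_forward() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed -E 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# The value "sysctl -p <conf>" would end up applying: the last matching line wins.
persisted_ip_forward() {
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" \
        | tail -n 1 | sed -E 's/.*=[[:space:]]*//'
}

# 4. Reload the file into the running kernel, no reboot needed.
reload_sysctl() {
    sysctl -p "$1"
}

# Static route persisted in <dir>/route-<iface>, which "service network restart"
# reads on CentOS/RHEL; the "ip route add" argument form goes in, one route per line.
persist_route() {
    dir="$1"; iface="$2"; dest="$3"; via="$4"
    f="$dir/route-$iface"
    line="$dest via $via"
    touch "$f"
    # idempotent: append only if this exact line is not already present
    grep -qxF "$line" "$f" || printf '%s\n' "$line" >> "$f"
}

# Touch the real files only when explicitly asked; with no argument the script
# just defines the functions above.
case "${1:-}" in
    apply)
        echo "ip_forward before: $(ip_forward_state)"
        enable_ip_forward_now
        persist_ip_forward /etc/sysctl.conf
        reload_sysctl /etc/sysctl.conf
        persist_route /etc/sysconfig/network-scripts eth1 "$DMZ_NET" "$ROUTER_OFFICE_IP"
        echo "ip_forward after:  $(ip_forward_state)"
        ;;
esac
```

Run it as root on "router" with the argument apply; the route line is written for the office box's interface toward the router, so on a real setup adjust the interface name and the gateway to what the diagram from slide 7 shows.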
14. When both the sides have the same IP range
• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section
16. Questions
• Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
When we have the current configuration
Then is this “DMZ” a DMZ?
18. iptables and netfilter
• Netfilter – the kernel module
• iptables – the command-line tool
• service iptables status
• What do we see here?
19. iptables – getting around
• How and why does iptables startup?
• chkconfig
• Where the service script is located
• Turning iptables off
• temporarily
• permanently
• flushing the tables
• service iptables status
• What do we see here?
21. iptables Rules – the basics
• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
22. iptables Rules – persisting
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads
23. iptables – default policies
• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?
26. iptables – dropping and rejecting packets
• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?
27. iptables – Let’s make that DMZ a DMZ!
• What rules should we have?
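Added example, not the workshop's own files: one answer to "what rules should we have", written for the "router" box and covering slides 21 to 27 in one place (adding, deleting and listing rules, default policies, DROP versus REJECT, and saving with "service iptables save"). Every rule goes through a variable IPT so the same script runs for real (IPT=iptables, as root) or as a dry run (IPT=echo) that only prints the commands. The subnets, the DMZ host address and port 8080 are constructed placeholders; the "-m state" match is assumed, which the CentOS-era boxes the deck uses support.

```shell
#!/bin/bash
# Added example (not the workshop's own files): FORWARD-chain rules that make
# "dmz" an actual DMZ. $IPT is iptables for real, or echo for a dry run.
# Subnets, host address and port are constructed placeholders.
set -eu

IPT="${IPT:-iptables}"
OFFICE_NET="192.168.10.0/24"   # constructed
DMZ_NET="192.168.20.0/24"      # constructed
DMZ_HOST="192.168.20.10"       # constructed: the one DMZ host office may reach

# Default policies: whatever matches no rule is dropped. FORWARD is the chain
# routed office<->dmz traffic traverses; INPUT only covers traffic to the router.
set_default_policies() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Flush first so re-running does not stack duplicate rules. Flushing empties
# the chains but leaves the policies alone (slide 22).
flush_rules() {
    "$IPT" -F
    "$IPT" -t nat -F
}

dmz_rules() {
    # Replies to allowed connections come back through FORWARD as well; without
    # this the first packet gets through and the answer is dropped.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Office may open connections into the DMZ, but only to the published service.
    "$IPT" -A FORWARD -s "$OFFICE_NET" -d "$DMZ_HOST" -p tcp --dport 8080 \
        -m state --state NEW -j ACCEPT
    # What makes a DMZ a DMZ: the dmz side cannot open connections into the
    # office. REJECT sends an ICMP error, so a dmz-side client fails at once;
    # DROP would leave it hanging until its own timeout (slide 26).
    "$IPT" -A FORWARD -s "$DMZ_NET" -d "$OFFICE_NET" -m state --state NEW \
        -j REJECT --reject-with icmp-admin-prohibited
    # Everything else falls through to the FORWARD policy (DROP): silent to the sender.
}

# Keep ssh to the router itself working (INPUT chain, not FORWARD).
router_admin_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Deleting one rule: -D takes exactly the match given to -A (or a chain plus
# the line number shown by "iptables -L FORWARD --line-numbers").
drop_office_to_dmz_rule() {
    "$IPT" -D FORWARD -s "$OFFICE_NET" -d "$DMZ_HOST" -p tcp --dport 8080 \
        -m state --state NEW -j ACCEPT
}

# Persist: on CentOS/RHEL "service iptables save" writes the live rules to
# /etc/sysconfig/iptables, which the service script loads at boot.
save_rules() {
    service iptables save
}

apply_all() {
    flush_rules
    set_default_policies
    router_admin_rules
    dmz_rules
    "$IPT" -L FORWARD -n -v --line-numbers
}

case "${1:-}" in
    apply)   apply_all; save_rules ;;
    dry-run) IPT=echo apply_all ;;
esac
```

Start with the dry run to read the rule set as a whole; only then run apply as root on "router". Changing the INPUT policy to DROP before the ssh rule is in place locks you out of the box, which is why set_default_policies is followed immediately by router_admin_rules rather than run on its own.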
28. iptables – port forwarding – Exercise 1
• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?
29. iptables – port forwarding – Exercise 2
• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports
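Added example, not the workshop's own files: the nat-table rules for both port-forwarding exercises, as a script for the "router" box. The router's office-facing address and the two DMZ host addresses are constructed placeholders, and IPT=echo gives a dry run that prints the commands instead of applying them.

```shell
#!/bin/bash
# Added example (not the workshop's own files): DNAT port forwarding on
# "router" for exercises 1 and 2. Addresses are constructed placeholders.
set -eu

IPT="${IPT:-iptables}"
ROUTER_IP="192.168.10.2"   # constructed: router's office-facing address
DMZ1="192.168.20.10"       # constructed
DMZ2="192.168.20.11"       # constructed

# Replies to forwarded connections also pass through FORWARD on the way back;
# conntrack reverses the translation, this rule lets the reply through.
allow_replies() {
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Publish one DMZ service on a router port. PREROUTING rewrites the destination
# before the routing decision; the rewritten packet then has to be accepted in
# FORWARD, otherwise the DNAT rule matches and the packet is still dropped.
publish_port() {
    pub_port="$1"; target_ip="$2"; target_port="$3"
    "$IPT" -t nat -A PREROUTING -d "$ROUTER_IP" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$target_ip:$target_port"
    "$IPT" -A FORWARD -d "$target_ip" -p tcp --dport "$target_port" \
        -m state --state NEW -j ACCEPT
}

# Exercise 1: port 80 on the router reaches port 8080 on the DMZ box.
exercise_1() {
    allow_replies
    publish_port 80 "$DMZ1" 8080
}

# Exercise 2: one IP, two router ports, two DMZ sshds; the port picks the box.
exercise_2() {
    allow_replies
    publish_port 2201 "$DMZ1" 22
    publish_port 2202 "$DMZ2" 22
}

# What the kernel holds for the nat table, with packet counters per rule.
show_nat() {
    "$IPT" -t nat -L PREROUTING -n -v
}

case "${1:-}" in
    ex1)  exercise_1 ;;
    ex2)  exercise_2 ;;
    show) show_nat ;;
esac
```

After ex2, ssh -p 2201 and ssh -p 2202 to the router address land on different boxes; the packet counters from show tell you which PREROUTING rule each attempt hit, which is the first thing to check when a forward "does nothing".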
30. Reality check: What a firewall is and isn’t
• Can
• defend against specific IP level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t
• Defend you from app vulnerabilities
31. iptables - NAT
• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the python SimpleHTTPServer log tell you about the remote IP?
32. iptables – NAT – Behind the scenes
• Checking the NAT table
33. iptables – NAT – One on One, vs a range
• What if we have a pool of public IPs available for NAT?
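Added example, not the workshop's own files: the source-NAT rules for slides 31 to 33 on the "router" box, first one-to-one to the router's DMZ-side address, then from a pool, with MASQUERADE shown for contrast and a function that displays what the nat and connection-tracking tables hold. The office subnet, the router's DMZ address, the pool range and the interface name eth2 are constructed placeholders; IPT=echo prints the commands instead of applying them.

```shell
#!/bin/bash
# Added example (not the workshop's own files): source NAT on "router" so that
# office connections into the DMZ appear to come from the router's DMZ-side IP.
# Addresses and the interface name are constructed placeholders.
set -eu

IPT="${IPT:-iptables}"
OFFICE_NET="192.168.10.0/24"              # constructed
ROUTER_DMZ_IP="192.168.20.2"              # constructed: router's address on the dmz net
NAT_POOL="192.168.20.100-192.168.20.110"  # constructed pool of addresses
DMZ_IF="eth2"                             # constructed: router's dmz-side interface

# One-to-one: every office connection leaving toward the DMZ gets the router's
# DMZ IP as its source. POSTROUTING runs after the routing decision, so "-o"
# on the dmz-side interface selects the right direction. netstat on "dmz" and
# the SimpleHTTPServer log will now show ROUTER_DMZ_IP, not the office client.
snat_single() {
    "$IPT" -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" \
        -j SNAT --to-source "$ROUTER_DMZ_IP"
}

# Same rule with a range: SNAT spreads connections over the pool, and the
# conntrack entry remembers which address each connection was given.
snat_pool() {
    "$IPT" -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" \
        -j SNAT --to-source "$NAT_POOL"
}

# MASQUERADE is SNAT that reads the source address off the outgoing interface
# for every packet; meant for interfaces with a dynamic address, slower otherwise.
masquerade() {
    "$IPT" -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$DMZ_IF" -j MASQUERADE
}

# Behind the scenes: the nat table with its counters, then the connection
# tracking table, which lists the original and the translated tuple side by side.
show_nat_state() {
    "$IPT" -t nat -L POSTROUTING -n -v
    cat /proc/net/nf_conntrack 2>/dev/null || cat /proc/net/ip_conntrack
}

case "${1:-}" in
    single) snat_single ;;
    pool)   snat_pool ;;
    masq)   masquerade ;;
    show)   show_nat_state ;;
esac
```

With the pool variant the DMZ hosts send their replies to pool addresses, so those addresses must actually be reachable on the router's DMZ side (for example added as secondary addresses on that interface); otherwise the forward path works and every reply is lost, which shows up as translated entries in the conntrack output that never leave the unreplied state.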
34. When both the sides have the same IP range
• What should the solution be?
35. Some exercises
• Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops