Networking With Linux - PowerPoint PPT Presentation

1
Networking With Linux
  • Ronni Wilkinson
  • Network Managers Meeting
  • December 5, 2002

2
Our Setup
  • RedHat 7.3
  • Iptables
  • 2.4.18-10brnf0.0.7.i686 kernel (with combined bridging and
    firewalling support) http://bridge.sourceforge.net/
  • Bridge Utilities http://bridge.sourceforge.net/bridge-utils/
  • Inline Snort http://www.snort.org/dl/contrib/patches/inline/

3
Why Bridging?
  • No dedicated subnets!
  • Can still NAT/masquerade
  • One less hop
  • Firewalling + IDS + active response (but be careful! It can turn
    against you: an attacker who spoofs source addresses can make the
    active response block legitimate hosts)
  • Stealthy

4
A Picture
5
Another Picture
6
Setting Up Snort
  • When compiling: ./configure --enable-inline \
      --with-libipq-includes=/usr/local/include \
      --with-libipq-libraries=/usr/local/lib
  • When invoking: snort -Q -D -c snort.conf
    (-Q reads packets from ip_queue instead of the wire, -D runs as a
    daemon, -c names the configuration file)
  • Rule actions can be changed from alert to drop
  • Will be integrated in version 1.10

7
Setting up the Bridge: Get Rid of Any Old Setup
  • brctl delif br0 eth0
  • brctl delif br0 eth1
  • ifconfig br0 down
  • brctl delbr br0

8
Build the Bridge
  • ifconfig eth0 0.0.0.0 up
  • ifconfig eth1 0.0.0.0 up
  • brctl addbr br0
  • brctl addif br0 eth0
  • brctl addif br0 eth1
  • No Spanning Tree Protocol:
  • brctl stp br0 off
  • Turn it on:
  • ifconfig br0 0.0.0.0 up
  • Or give the bridge an IP address and turn it on (this makes the
    bridge host reachable for remote management, at the cost of the
    stealth noted on slide 3):
  • ifconfig br0 10.252.49.231 netmask 255.255.255.0 up
  • route add default gw 10.252.49.1

9
Setting up Iptables: Starting From Scratch
  • Flush all chains of the built-in filter table
  • iptables -F
  • Flush the chains of a specified table (here nat)
  • iptables -F -t nat
  • Delete all user-defined chains
  • iptables -X

10
Iptables Setup: Loading Modules
  • /sbin/depmod -a
  • /sbin/modprobe ipt_LOG
  • /sbin/modprobe ip_conntrack_ftp
  • /sbin/modprobe ip_conntrack_irc
  • Needed for inline Snort (the QUEUE target hands packets to user
    space through this module)
  • /sbin/modprobe ip_queue
  • Set up forwarding between interfaces
  • echo "1" > /proc/sys/net/ipv4/ip_forward

11
Netfilter Framework
12
Iptables Rules: Allow SSH to the bridge machine itself
  • iptables -A INPUT -p tcp -d 10.252.49.231 --dport 22 -j ACCEPT
  • iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  • iptables -A INPUT -i lo -j ACCEPT
  • iptables -P INPUT DROP
  • As written, the SSH rule accepts port 22 from any source address; add
    -s <management network> to limit who can reach the bridge host. Set
    the DROP policy last, after the ACCEPT rules, when working over SSH.

13
Iptables Rules: Allow TCP through the bridge, feed to Snort
  • iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j QUEUE
  • iptables -A FORWARD -p tcp -m state --state NEW,RELATED -j QUEUE
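The firewall pieces from slides 9, 10, 12 and 13 assembled into one script, in the order they have to run. This is an added example, not the presenter's script: the bridge address 10.252.49.231 follows slide 8, while the management network 10.252.49.0/24 for SSH, the LOG rules, the ACCEPT-before-flush step and the DROP policy on FORWARD are assumptions and additions of mine that do not appear on the slides. Slide 13 queues established traffic and new TCP but never sets a FORWARD policy, so new UDP and ICMP would pass the bridge unseen by Snort under the default ACCEPT policy; the script closes that. DRY_RUN=1 prints the commands instead of executing them so the ordering can be reviewed before it touches a live bridge:

```shell
#!/bin/sh
# Added example, not from the original slides: slides 9-13 as one script.
# Assumptions (mine): the bridge's own IP is 10.252.49.231 (slide 8),
# admins SSH in from 10.252.49.0/24, eth0 is the LAN side, 2.4/ip_queue era.
set -eu

BR_IP=${BR_IP:-10.252.49.231}
MGMT_NET=${MGMT_NET:-10.252.49.0/24}   # assumption: where admins SSH from
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1, so the rule
# order can be checked before it is applied.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_modules() {
    run /sbin/depmod -a
    for m in ipt_LOG ipt_state ip_conntrack_ftp ip_conntrack_irc ip_queue; do
        run /sbin/modprobe "$m"
    done
    # Bridged frames only traverse the FORWARD chain when forwarding is on.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

flush_rules() {
    # Policies back to ACCEPT first, so a remote admin is not cut off
    # between the flush and the rule that re-admits SSH.
    run iptables -P INPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -F
    run iptables -t nat -F
    run iptables -X
}

input_rules() {
    # Traffic to the bridge host itself: loopback, replies, management SSH.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp -s "$MGMT_NET" -d "$BR_IP" \
        --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix 'BRIDGE-INPUT-DROP: '
    run iptables -P INPUT DROP      # set last, after the ACCEPT rules
}

forward_rules() {
    # Everything crossing the bridge goes to Snort through ip_queue.
    # RELATED is already covered by the first rule, so new TCP only.
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j QUEUE
    run iptables -A FORWARD -p tcp -m state --state NEW -j QUEUE
    # Slide 13 stops here; without a DROP policy, new UDP/ICMP would be
    # forwarded without ever reaching Snort.
    run iptables -A FORWARD -j LOG --log-prefix 'BRIDGE-FWD-DROP: '
    run iptables -P FORWARD DROP
}

apply_firewall() {
    load_modules
    flush_rules
    input_rules
    forward_rules
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  DRY_RUN=1; apply_firewall ;;
    *)     : ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Run `sh bridge-fw.sh show` to review the sequence and `sh bridge-fw.sh apply` as root to load it. Note that with QUEUE as the target, packets are dropped by the kernel when no user-space reader is attached to ip_queue, so if Snort dies the bridge fails closed; keep the management SSH path in INPUT, which does not go through QUEUE, so the host stays reachable to restart it.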

14
Masquerading
  • Modem connections/DHCP
  • Always uses the outgoing interface's current address, so nothing has
    to be changed when that address changes (connections in progress are
    forgotten when the link goes down, which is correct since the old
    address is gone anyway)
  • Makes all packets from internal look like they are coming from the
    modem machine/DHCP address (the outgoing interface's address)
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • modprobe iptable_nat
  • iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

15
Source NAT
  • Translate the source address
  • iptables -t nat -A POSTROUTING -o <outgoing-interface> -j SNAT \
      --to-source <address>[-<address>][:port-port]
  • iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.252.49.231

16
Destination NAT
  • Translate the destination address
  • iptables -t nat -A PREROUTING -i <incoming-interface> -j DNAT \
      --to-destination <address>[-<address>][:port-port]
  • iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.252.49.77 --dport 80 \
      -j DNAT --to-destination 10.252.49.231
  • iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.252.49.77 --dport 80 -j REDIRECT
    (REDIRECT is DNAT to the address of the incoming interface itself)

17
Load Balancing
  • Source policy routing: make sure Person A, who pays the lower rate,
    gets routed over the house modem instead of the DSL
  • Split access for multiple uplinks: packets that came in from ISP A go
    back out via ISP A
  • Load balancing: the default route becomes a multipath route, balanced
    over the 2 providers
  • Server-side balancing with DNAT: a destination range spreads incoming
    connections across the hosts in it
  • iptables -t nat -A PREROUTING -i eth0 -d 10.252.49.231 -p tcp --dport 80 \
      -j DNAT --to-destination 10.252.50.4-10.252.50.8
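The three routing recipes the slide names (source policy routing, split access, multipath default route) written out with iproute2 in the LARTC style. This is an added example, not the presenter's configuration; every interface and address in it is constructed for illustration: ISP A on eth1 as 192.0.2.10/24 with gateway 192.0.2.1, the house modem on ppp0 with peer 198.51.100.1, Person A as the LAN host 10.252.49.77. Routing tables 1 and 2 are used by number so nothing in /etc/iproute2/rt_tables has to be edited:

```shell
#!/bin/sh
# Added example, not from the original slides: slide 17's routing recipes
# with iproute2.  Interfaces and addresses are constructed assumptions.
set -eu

IF_A=${IF_A:-eth1};   IP_A=${IP_A:-192.0.2.10};  NET_A=${NET_A:-192.0.2.0/24}; GW_A=${GW_A:-192.0.2.1}
IF_B=${IF_B:-ppp0};   IP_B=${IP_B:-198.51.100.2}; GW_B=${GW_B:-198.51.100.1}
PERSON_A=${PERSON_A:-10.252.49.77}   # assumption: the LAN host paying the lower rate
DRY_RUN=${DRY_RUN:-0}

# run: execute, or only print when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Split access: one routing table per uplink, chosen by the source address
# the packet carries, so a reply to something that arrived via ISP A is
# sent back through ISP A even when the main table prefers ISP B.
split_access() {
    run ip route add "$NET_A" dev "$IF_A" src "$IP_A" table 1   # table 1 = ISP A
    run ip route add default via "$GW_A" table 1
    run ip route add "$GW_B" dev "$IF_B" src "$IP_B" table 2     # table 2 = ISP B
    run ip route add default via "$GW_B" table 2
    run ip rule add from "$IP_A" table 1
    run ip rule add from "$IP_B" table 2
}

# Source policy routing: Person A's traffic always leaves via the modem.
# Rules are evaluated in ascending priority; 1000 puts this one well ahead
# of the main-table lookup at 32766.
person_a_via_modem() {
    run ip rule add from "$PERSON_A" table 2 priority 1000
}

# Load balancing: multipath default route in the main table.  The kernel
# picks a nexthop per destination (route cache entry), weighted as given,
# so a single connection stays on one provider but different destinations
# spread across both.
multipath_default() {
    run ip route replace default scope global \
        nexthop via "$GW_A" dev "$IF_A" weight 1 \
        nexthop via "$GW_B" dev "$IF_B" weight 1
    run ip route flush cache
}

apply_routing() {
    split_access
    person_a_via_modem
    multipath_default
}

case "${1:-}" in
    apply) apply_routing ;;
    show)  DRY_RUN=1; apply_routing ;;
    *)     : ;;   # no verb: only define the functions
esac
```

Two caveats when combining this with the NAT slides: the source address of LAN traffic must match the exit the route picked, so slide 14's MASQUERADE rule is needed once per uplink (-o eth1 and -o ppp0), and balancing is per destination and only as stable as the route cache, so a long-lived connection to one host can move providers (and break its NAT mapping) if its cache entry expires. The LARTC HOWTO in the references covers both.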

18
QOS Outgoing Packets (Classless)
  • pfifo_fast: first in first out with 3 bands; packets in band 0 get
    handled first, then band 1, etc.
  • Token Bucket Filter: the rate does not exceed some limit, but bursting
    is possible with enough tokens
  • Allows uploading without killing interactive sessions
  • tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540
  • Stochastic Fairness Queueing: less accurate but promotes fairness, so
    no one conversation drowns out the others
  • tc qdisc add dev ppp0 root sfq perturb 10

19
QOS Outgoing Packets (Classful)
  • Giving priority to particular kinds of traffic
  • CBQ (Class Based Queueing): isn't very precise, uses link idle time to
    enforce limits
  • PRIO: pfifo_fast on steroids
  • Hierarchical Token Bucket: like CBQ, but uses token buckets instead of
    idle time

20
QOS Incoming Packets
  • Actually an ingress policer
  • Kernel estimator: samples 25 times/sec how much traffic has passed and
    derives the bitrate from that
  • Token bucket filter: cannot delay, either passes or drops the packet
  • Overlimit actions: continue (check other filters), drop, pass/OK,
    reclassify (to best effort; the default)
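A classful configuration for the goal stated on slides 18 and 19 (interactive traffic ahead of bulk uploads) using HTB with SFQ leaves, classified by iptables marks, plus the ingress policer from slide 20. This is an added example, not the presenter's setup: the 220kbit uplink figure is taken from slide 18's TBF line, while the 1mbit downlink, the 150/70 kbit split, the choice of ppp0 as the WAN side and which traffic counts as interactive (SSH, DNS, ICMP, TCP segments of 64 bytes or less) are assumptions of mine:

```shell
#!/bin/sh
# Added example, not from the original slides: HTB + fw marks + ingress
# policer for slides 18-20.  Rates and the interactive definition are
# constructed assumptions.
set -eu

WAN_IF=${WAN_IF:-ppp0}
UP_RATE=${UP_RATE:-220kbit}      # slide 18's TBF figure
INT_RATE=${INT_RATE:-150kbit}    # guaranteed to interactive (assumption)
BULK_RATE=${BULK_RATE:-70kbit}   # guaranteed to bulk (assumption)
DOWN_RATE=${DOWN_RATE:-1mbit}    # assumed downlink
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

egress_htb() {
    run tc qdisc del dev "$WAN_IF" root 2>/dev/null || true
    # Root HTB; anything not matched by a filter lands in 1:20 (bulk).
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    # Cap total egress at the link rate so the queue builds here, under
    # our control, rather than in the modem.
    run tc class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "$UP_RATE" ceil "$UP_RATE"
    # Interactive: guaranteed INT_RATE, may borrow up to the ceiling, served first (prio 0).
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "$INT_RATE" ceil "$UP_RATE" prio 0
    # Bulk: guaranteed BULK_RATE, borrows only what interactive leaves over.
    run tc class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "$BULK_RATE" ceil "$UP_RATE" prio 1
    # SFQ inside each leaf so no single upload drowns out the others (slide 18).
    run tc qdisc add dev "$WAN_IF" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$WAN_IF" parent 1:20 handle 20: sfq perturb 10
    # Packets carrying firewall mark 1 go to the interactive class.
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

mark_interactive() {
    # Classification done in the mangle table so it sits beside the
    # firewall rules.  Locally generated traffic is marked in OUTPUT,
    # forwarded LAN traffic in PREROUTING (no -o match there).
    for chain_if in "OUTPUT -o $WAN_IF" "PREROUTING -i $LAN_IF"; do
        # shellcheck disable=SC2086
        run iptables -t mangle -A $chain_if -p tcp --dport 22 -j MARK --set-mark 1
        run iptables -t mangle -A $chain_if -p udp --dport 53 -j MARK --set-mark 1
        run iptables -t mangle -A $chain_if -p icmp -j MARK --set-mark 1
        # Small TCP segments (ACKs) keep downloads flowing while uploading.
        run iptables -t mangle -A $chain_if -p tcp -m length --length 0:64 -j MARK --set-mark 1
    done
}

ingress_police() {
    # The ingress qdisc cannot queue, only pass or drop (slide 20).
    # Policing a little under the real downlink keeps the ISP's queue
    # empty, so TCP senders back off instead of filling it.
    run tc qdisc del dev "$WAN_IF" ingress 2>/dev/null || true
    run tc qdisc add dev "$WAN_IF" handle ffff: ingress
    run tc filter add dev "$WAN_IF" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$DOWN_RATE" burst 10k drop flowid :1
}

apply_qos() {
    egress_htb
    mark_interactive
    ingress_police
}

case "${1:-}" in
    apply) apply_qos ;;
    show)  DRY_RUN=1; apply_qos ;;
    *)     : ;;   # no verb: only define the functions
esac
```

HTB needs a kernel and tc with HTB support (a patch for 2.4 kernels of this vintage, see the LARTC HOWTO in the references); CBQ would take the same class tree with different keywords. `tc -s class show dev ppp0` shows per-class byte counts and lets you confirm that marked traffic actually lands in 1:10.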

21
References
  • Firewalling for Free: An Enterprise Firewall without the Enterprise Price
    http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf
  • Linux Advanced Routing and Traffic Control HOWTO
    http://lartc.org/
  • Netfilter/Iptables
    http://www.netfilter.org/documentation/index.html
  • Linux Firewalls, Second Edition, by Robert Ziegler, ISBN 0-7357-1099-6