Things to remember: May 2011

IP Masquerading using iptables

http://billauer.co.il/ipmasq-html.html

1 Talk’s outline

iptables versus ipchains
The goal (or: my goal)
The packet’s way through iptables
“Classic” masquerading (SNAT)
DNS faking (with DNAT)
Other things
Firewalling with iptables (If we have time)
Questions I’ll hopefully answer

Not covered: packet mangling (change TOS, TTL and flags)

2 Differences between iptables and ipchains

Same author (Rusty Russell), and basically smells the same
Most important: FORWARD taken apart from INPUT and OUTPUT
Changes in syntax
Masqurading is handled “separately”

3 ipchains and iptables don’t live together

If the ipchains module is resident in the kernel, iptables won’t insmod
And vice versa
Typical error message is misleading: “No kernel support”
Red Hat 7.3 boots up with ipchains as default

4 What I wanted in the first place

5 Requirements

Windows computer should have a gateway
DNS issue solved elegantly
Both computers have access to network at the same time
Network between computers is trustful
Proper firewalling
ADSL modem is considered hostile

6 iptables: The IP packet’s flow

7 iptables: How to swallow this

Packet filtering (firewalls) and manipulation (masquerading) are neighbours
Therefore, the same tools are used
Think routing tables
Chains: Think subroutines
Each chain is terminated with a target, or next line taken
Subchains work exactly like subroutines
Tables: Group of chains: filter and nat
Each chain has a policy - the default target

8 What is Masquerading?

All computers appear to have the same IP
This is done with Network Adress Translation
It’s easy to fake the “outgoing packet”
“Incoming packets” must be translated too
Port translation - a must

9 iptables: The IP packet’s flow

10 Source Network Address Translation (SNAT)

On ADSL: catch packets going out on ppp0
The source IP is changed
Source port numbers may be changed
Easiest rule: Do SNAT on all packets going out on ppp0
Will include OUTPUT packets by accident, but who cares?
Remember: Every SNAT produces an implicit DNAT
And vice versa

11 “Incoming” packets

The problem: Where should the packet go?
Simple TCP connection: iptables remembers the port numbers
UDP: Tricky
DNS: Return the answer to whoever asked
ICMP: Ping answers go the right way (!)
FTP, ICQ and friends: Requires special treatment (they work for me as a basic client)
When the other side opens a connection, that has to be treated specially
iptables has application-based modules

12 Defining SNAT iptables commands

The strict way:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \
--to $PPPIP

The liberal way:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

The “liberal” form is better for temporary connections:
MASQUERADE automatically chooses address
MASQUERADE forgets old connections when interface goes down
For dial-up, cable modems and ADSL: MASQUERADE wins

13 POSTROUTE is just another chain

Selective rules can be used
Different manipulations are possible
Use -j ACCEPT to let the packet through untouched

14 The wrong way to masquerade

iptables -t nat -A POSTROUTING -j MASQUERADE

This makes masquerading the default policy for any outgoing packet
... including any forwarded packet.
All forwarded packets will appear to come from the masquerading host.
May confuse firewalls
Even worse, may confuse service applications to compromise security

15 Masquerading and firewalling

The internal computers are implicitly firewalled
The main computer gets all the unrelated packets
Main computer must be protected
Main computer protected with INPUT and OUTPUT chains
Other computers protected with FORWARD chains
Note that FORWARD chains also apply to the intranet connection

16 DNS faking with DNAT

The other computers have constant DNS addresses
The address is translated with DNAT

iptables -t nat -A PREROUTING -d 10.2.0.1 \
-j DNAT --to-destination 192.115.106.31
iptables -t nat -A PREROUTING -d 10.2.0.2 \
-j DNAT --to-destination 192.115.106.35

17 Automatic DNS DNAT setup

In an ADSL connection, the DNS addresses are given on connection
An ip-up.local script writes these addresses in the resolv.conf file

DNScount=1
for nameserver in \
`perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \
     (\\$1=~/^127/ || print \\$1)" /etc/resolv.conf`;
do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \
            -j DNAT --to-destination $nameserver
  let DNScount=DNScount+1;
done;

The perl statement above extracts the two addresses

18 The MTU on the Windows computer

ADSL ppp connection has MTU of 1452
Normal Ethernet has MTU 1500
Windows computer doesn’t know it goes through ADSL
Fragmentation
Fixed by adding an entry in Window’s registry

19 Other tricks

Server on masqueraded host (DNAT)
Port remapping (redirection)
Load balancing (One-to-many forward DNAT)
Packet mangling

20 The filter chains

INPUT, OUTPUT and FORWARD
Targets with ACCEPT, DROP, REJECT or QUEUE
A set of selective rules makes a firewall

21 Example: A firewall

Close everything and flush chains

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F -t nat
iptables -F -t filter
iptables -X

22 Example: A firewall (cont.)

Allow everything on loopback interface

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

23 Example: A firewall (cont.)

Keep ADSL modem short

iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
          -d 10.0.0.0/8 -p tcp \
          --sport 1723 -m state \
          --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.138/32 \
           -d 10.0.0.0/8 -p gre -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
          -d 10.0.0.138/32 -p tcp --dport 1723 \
          -j ACCEPT
iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \
          -d 10.0.0.138/32 -p gre -j ACCEPT
iptables -A OUTPUT -o eth1 -j DROP

24 Example: A firewall (cont.)

Linux computer with network rules:

iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT
iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \
--dport 0:1023 -j DROP
iptables -A INPUT -i ppp0 -d $PPPIP -m state \
--state ESTABLISHED,RELATED -j ACCEPT

25 Example: A firewall (cont.)

Everything is allowed on internal network

iptables -A INPUT -s 10.128.0.0/16 \
-d 10.128.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 10.128.0.0/16 \
-d 10.128.0.0/16 -j ACCEPT

26 Example: A firewall (cont.)

Forwarding....

iptables -A FORWARD -i ppp0 -o eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -j DROP

Note that there is no forwarding in internal network

27 iptables script finale

Make sure that the main chains end with DROP
Zero counters

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -Z

28 Summary

It works really well
It’s not difficult to set up if you know what you’re doing

29 References

Linux IP Masquerade HOWTO (a version written in Jan 2003 is available)
man iptables

Linux – SSH passwordless login with putty

For Linux administrators that use Windows for their desktop OS, Putty is an invaluble tool. This tutorial will help you save time administering your servers without having to login to provide a username and password each time.

Download PuTTY

Download PuTTYgen

Open PuTTYgen

Select SSH-2 RSA

Click ‘Generate’

Save the Private Key

Click ‘Save private key’ (you do not have enter a password)

Save the private key in location easy to remember.

Copy public-key

Select all text in the public key area.

right-click and select copy

Configure the server settings in Putty

Open Putty
Click Session (left column)
- Enter the server hostname or IP address
- Enter a name under ‘Saved Sessions’
Click Connection > Data (left column)
- Enter ‘root’ for the auto-login username
Click Connection > SSH (left column)
- Select ’2′ as the Preferred SSH protocol version.
Click Connection > SSH > Auth (left column)
- Browse to the private key from step 4.
Click Session (left column)
- Click Save

Open a session with the server

Open PuTTY
Select the session saved earlier.
Click ‘Load’
Click ‘Open’
Login

Add client public key.

You should still have the public-key in the clip-board from step 5.
Open the authorized_keys file on the linux server
- [root@server]#vi ~/.ssh/authorized_keys2
- Press the ‘i’ key to insert in vi.
- Go to the bottom of the file and right-click on the putty screen (This should insert the public key generated with PuTTYgen)
- Press the ‘esc’ key to get out of insert mode in vi.
- Press ‘:’ to enter command mode in vi
- Type ‘wq’ to write and quit vi

Now, you should be finished. Let’s test.

Open PuTTY
Select the session saved earlier.
Click ‘Load’
Click ‘Open’

If you were able to login without entering your username and password you are finished!!If not, please continue to troubleshoot.

Troubleshooting: If you do not have a /root/.ssh folder, we will have to create one and set the permissions:

[root@server]#mkdir ~/.ssh
[root@server]#chmod 700 ~/.ssh

If you do not have a authorized_keys2 file, we will need to create one and set the permissions:

[root@server]#vi ~/.ssh/authorized_keys2
[root@server]#chmod 644 ~/.ssh/authorized_keys2

If you get an error that the key was rejected, you need to make sure the permissions are set correctly on the .ssh directory and authorized_keys2 file.

[root@server]#chmod 700 ~/.ssh
[root@server]#chmod 644 ~/.ssh/authorized_keys2

Linux: Finding out the amount of free & used memory

The command free can be used to display the total amount of free and used physical and swap memory in the system,as well as the shared memory and buffers used by the kernel

techno/work> which free
/usr/bin/free

/users/techno> free
total used free shared buffers cached
Mem: 384888 314220 70668 0 19740 57504
-/+ buffers/cache: 236976 147912
Swap: 524280 81232 443048

Interpreting the output of free:
All the numbers are reported in 1024-byte blocks. Here, we see a system with 384,888 blocks (about 384 MB) of physical RAM, with 314,220 (about 306 MB) currently in use. The "shared" column lists the amount of physical memory shared between multiple processes. Here, we see that about 0 MB of pages are being shared (not a good sign; memory is not being utilized well). The "buffers" column shows the amount of memory being used by the kernel buffer cache. The buffer cache is used to speed up disk operations, by allowing disk reads and writes to be serviced directly from memory. The buffer cache size will increase or decrease as memory usage on the system changes; this memory is reclaimed if it is needed by applications. Therefore, although we see that 306 MB of system memory is in use, not all (but most) of it is being used by application programs. The "cache" column indicates how many memory pages the kernel has cached for faster access later. Since the memory used for buffers and cache can easily be reclaimed for use by applications, the second line (-/+ buffers/cache) provides an indication of the memory actually used by applications (the "used" column) or available to applications (the "free" column). The sum of the memory used by buffers and cache reported in the first line is subtracted from the total used memory and added to the total free memory to give the two figures on the second line. In the third line, we see the total amount of swap, 524,280 blocks (about 511 MB). In this case, only very little of the swap is being used; there is plenty of physical RAM available. If additional applications were started, larger parts of the buffer cache memory would be used to host them. Swap space is generally used as a last resort when the system can't reclaim physical memory in other ways. Note that the amount of swap reported by free is somewhat less than the total size of your swap partitions and files. This is because several blocks of each swap area must be used to store a map of how each page in the swap area is being utilized. This overhead should be rather small; only a few kilobytes per swap area.

References:
1) Man page of free
2) O`Reilley's Running Linux

Tuesday, May 31, 2011