CSC4140 Tutorial 2 SunMoon

Upload: lamkakaka

Post on 14-Nov-2014


Page 1

CSC4140 Tutorial 2

SunMoon

Page 2

Part 1

Iptables and NAT

Page 3

Iptables

The tool iptables covers many things: packet filtering, packet forwarding, Network Address Translation (NAT), and more.

[root@linux]# iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@linux]#

Page 4

Iptables – What is it?

Actually, iptables is built on a sub-system in the Linux kernel.

That sub-system is called netfilter.

[Figure: the iptables command performs manipulations on the netfilter internal structure inside the Linux kernel.]

Page 5

Iptables – Tables and Chains

Each function provided by the netfilter architecture is presented as a table.

[Figure: netfilter with its three tables: filter, nat, mangle.]

filter: this table is in charge of filtering packets.

nat: this table is in charge of translating the IP addresses of packets.

mangle: this table is in charge of changing packet content.

Page 6

Iptables – Tables and Chains

Under each table there is a set of chains, and under each chain you can assign a set of rules.

[Figure: the netfilter tables and the chains under each of them.]

filter: INPUT, OUTPUT, FORWARD

nat: PREROUTING, POSTROUTING, OUTPUT

mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

Page 7

Iptables – Tables and Chains

[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

Reading the command: "-t filter" is the table name, "-L" is the list command, and "Chain INPUT" is the chain name.

There is one rule set in the INPUT chain. The other two chains are empty.

The rule in the INPUT chain means: when a packet with an ICMP payload passes through the INPUT hook, DROP that packet, no matter where it comes from or where it is going.

Page 8

Iptables – Packet Flow

[Figure: packet flow through the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING hooks, with the routing rules and the local processes between them. Key: incoming packets, outgoing packets, incoming + outgoing packets.]

If the destination of the packet is this machine …

Page 9

Iptables – Packet Flow

[Figure: the same packet-flow diagram.]

If the destination of the packet is not this machine, and this machine knows where the packet should be sent …

Page 10

Iptables – Packet Flow

[Figure: the same packet-flow diagram.]

If a packet from a local process is set to leave, it will go through the POSTROUTING hook.

Page 11

Iptables – E.g., the Filter Table

[Figure: the packet-flow diagram with the filter table attached to the INPUT, FORWARD and OUTPUT hooks only.]

E.g., the filter table can only apply on the FORWARD, the INPUT, and the OUTPUT hooks.

Page 12

Iptables – Rules on Filter Table

[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

"-A INPUT": add a new rule to the INPUT chain.

"--protocol icmp": the protocol of the packets in which this rule is interested is ICMP.

If a packet (1) passes through the INPUT hook, and (2) is an ICMP packet, then the packet jumps to the target DROP, which discards the packet.

Page 13

Iptables – Rules on Filter Table

[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# iptables -t filter -D INPUT 1
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

Delete a rule from the INPUT chain: "-D INPUT 1" deletes rule #1.

Page 14

Iptables – More Rules on Filter Table

iptables -t filter -A INPUT --source 137.189.0.0/16 --protocol icmp --jump DROP

If a packet is (a) passing through the INPUT hook, (b) coming from the CUHK network, and (c) an ICMP packet, then it is DROPPED.

Meaning: Attention, everyone in CUHK: DON’T PING ME!

iptables -t filter -A OUTPUT --destination www.cse.cuhk.edu.hk --jump DROP

If a packet is (a) passing through the OUTPUT hook, and (b) being sent to www.cse.cuhk.edu.hk, then it is DROPPED.

Meaning: You are not allowed to access “www.cse.cuhk.edu.hk” using any protocol!
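The hook paths from the packet-flow slides and the two rules on this slide, as an added example that is not part of the tutorial: a small C model of how a packet is walked through the hooks and how the first matching rule in the filter table decides its fate. It assumes this machine is 192.168.1.3 and takes the address of www.cse.cuhk.edu.hk from the slides; it is a simplified model, not netfilter's code.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model (not kernel code) of the hook order on the packet-flow slides:
 * PREROUTING->INPUT for packets addressed to this host, PREROUTING->FORWARD->
 * POSTROUTING for packets routed for others, OUTPUT->POSTROUTING for local ones. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MY_IP   IP(192, 168, 1, 3)       /* this machine (assumed address) */
#define WWW_CSE IP(137, 189, 91, 192)    /* www.cse.cuhk.edu.hk, as on the slides */
enum { ICMP = 1, TCP = 6 };
struct pkt { uint32_t src, dst; int proto; int local_origin; };
/* Fills path[] with the hooks the packet traverses and returns their count. */
int hook_path(const struct pkt *p, const char *path[3]) {
    if (p->local_origin) { path[0] = "OUTPUT"; path[1] = "POSTROUTING"; return 2; }
    if (p->dst == MY_IP) { path[0] = "PREROUTING"; path[1] = "INPUT"; return 2; }
    path[0] = "PREROUTING"; path[1] = "FORWARD"; path[2] = "POSTROUTING"; return 3;
}
/* One filter rule: chain, protocol (0 = any), source prefix (smask 0 = any),
 * exact destination (0 = any) and the jump target. */
struct rule { const char *chain; int proto; uint32_t src, smask, dst; const char *target; };
/* The two rules from the "More Rules on Filter Table" slide. */
static const struct rule SLIDE_RULES[] = {
    { "INPUT",  ICMP, IP(137, 189, 0, 0), 0xFFFF0000u, 0,       "DROP" },  /* CUHK: don't ping me */
    { "OUTPUT", 0,    0,                  0,           WWW_CSE, "DROP" },  /* no access to www.cse */
};
/* First matching rule's target in the named chain, else the chain policy ACCEPT. */
const char *chain_verdict(const char *chain, const struct pkt *p) {
    for (size_t i = 0; i < sizeof SLIDE_RULES / sizeof SLIDE_RULES[0]; i++) {
        const struct rule *r = &SLIDE_RULES[i];
        if (strcmp(r->chain, chain) != 0) continue;
        if (r->proto && r->proto != p->proto) continue;
        if (r->smask && (p->src & r->smask) != r->src) continue;
        if (r->dst && r->dst != p->dst) continue;
        return r->target;
    }
    return "ACCEPT";
}
/* Walks the packet along its hook path. The filter table only hangs off INPUT,
 * FORWARD and OUTPUT (not PRE/POSTROUTING); the first DROP ends the walk. */
const char *filter_decide(uint32_t src, uint32_t dst, int proto, int local_origin) {
    struct pkt p = { src, dst, proto, local_origin };
    const char *path[3];
    int len = hook_path(&p, path);
    for (int i = 0; i < len; i++) {
        if (path[i][0] == 'P') continue;        /* PREROUTING / POSTROUTING */
        const char *v = chain_verdict(path[i], &p);
        if (strcmp(v, "ACCEPT") != 0) return v;
    }
    return "ACCEPT";
}
```

Note that a packet forwarded on behalf of a LAN host to www.cse.cuhk.edu.hk never visits OUTPUT, so the second rule does not catch it; that is why the chain a rule hangs on matters as much as its match.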

Page 15

Iptables – More Rules on Filter Table

Besides DROP, the jump target can be ACCEPT (self-explanatory) or REJECT, which is different from DROP.

DROP discards the packet quietly. REJECT discards the packet and then responds to the source with an ICMP “Port Unreachable” error.

Page 16

Besides filtering…

iptables is highly related to routing…

[Figure: the packet-flow diagram; the PREROUTING and POSTROUTING hooks each point out: “I’ve the name related to routing!”]

Page 17

Network Address Translation - NAT

A technique called NAT is closely related to iptables.

First of all, what is NAT? According to its name, it translates addresses.

Why do we need to translate addresses?

Page 18

NAT - Application scenario

[Figure: Bob’s home. A broadband gateway (WAN: 123.45.67.89, LAN: 192.168.1.1) fronts the private LAN 192.168.1.0/24, which holds a Windows XP host (192.168.1.2) and a Linux host (192.168.1.3). On the Internet side sit another private LAN, 172.16.1.0/24, and the server www.cse.cuhk.edu.hk (137.189.91.192).]

Page 19

NAT - Application scenario

If Bob doesn’t use NAT, but routes the request through the default route…

The request leaves the Windows XP host and is forwarded by the gateway unchanged:

Src: 192.168.1.2, Dest: 137.189.91.192, Src Port: 12345, Dest Port: 80

Page 20

NAT - Application scenario

If Bob doesn’t use NAT, but routes the request through the default route…

The server’s reply is addressed back to the private address:

Src: 137.189.91.192, Dest: 192.168.1.2, Src Port: 80, Dest Port: 12345

Reply: “I don’t have the route to host 172.16.1.1. Goodbye, little poor packet!”

Page 21

NAT - Application scenario

If Bob is using NAT, then…

Inside the LAN: Src: 192.168.1.2, Dest: 137.189.91.192, Src Port: 12345, Dest Port: 80

After the gateway: Src: 123.45.67.89, Dest: 137.189.91.192, Src Port: 12345, Dest Port: 80

HX broadband knows how to route the reply this time.

Page 22

NAT - Application scenario

If Bob is using NAT, then…

The reply: Src: 137.189.91.192, Dest: 123.45.67.89, Src Port: 80, Dest Port: 12345

“I know where 123.45.67.89 is. It is Bob’s home. Let me route it!”

Page 23

NAT - Application scenario

The NAT technique opens private networks to the public!

Private addresses are therefore used extensively! Your computing labs (Room 122, 904, 924 …) use private addresses. The Classnet and the Resnet use private addresses.

NAT is just a trick done by the gateway that stands between the private network and the public network.

Page 24

IP Masquerading

The scenario discussed before is a special case of NAT, known as IP Masquerading.

To translate any outgoing packet: from any source IP address to the external IP address of the gateway, and from any source port number to the port number assigned by the gateway.

Page 25

Iptables Rules for IP Masquerading

[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE

[Figure: the packet-flow hooks with the IP masquerading target attached at POSTROUTING, after routing.]

The MASQUERADE target is only valid for the POSTROUTING chain of the nat table!

The rule above is not useful enough. Why?

Page 26

Iptables Rules for IP Masquerading

Address translation for outgoing packets:

[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE

The same rule restricted by source or by destination:

[root@gateway]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

[root@gateway]# iptables -t nat -A POSTROUTING -d ! 172.16.1.0/24 -j MASQUERADE

More fancy rules …

[root@gateway]# iptables -t nat -A POSTROUTING \
    -s 192.168.1.0/24 -d 137.189.0.0/16 \
    -j MASQUERADE

Your private network can “access” the CUHK network and itself only.

[root@gateway]# iptables -t nat -A POSTROUTING \
    -p tcp -d ! 192.168.1.0/24 --dport 22 \
    -j MASQUERADE

Your private network can only use SSH to reach the outside world!

Page 27

More NAT Targets

IP Masquerading is only one of the functions of the nat table.

The true potential is locked inside the targets SNAT (source NAT) and DNAT (destination NAT).

E.g.,

[root@gateway]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT \
    --to-destination proxy.cse.cuhk.edu.hk:8000

OMG! This is a transparent HTTP proxy!

Page 28

More NAT Targets

[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.10.0/24 \
    --to-source 137.189.91.208:10001-20000

[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.20.0/24 \
    --to-source 137.189.91.208:20001-30000

OMG!! This gateway supports two private networks, and it gives each network the range of ports it is allowed to use!

[Figure: behind the gateway, 192.168.10.0/24 uses ports 10001:20000 and 192.168.20.0/24 uses ports 20001:30000.]

Note: the rules are not complete.

Page 29

More NAT Targets

[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.10.0/24 \
    --to-source 137.189.91.208

[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.20.0/24 \
    --to-source 137.189.91.209

OMG!!! This gateway has a lot of NICs!

[Figure: 192.168.10.0/24 leaves the gateway as 137.189.91.208 and 192.168.20.0/24 as 137.189.91.209.]

Note: the rules are not complete.

Page 30

NAT Summary

NAT can change the source addresses and the destination addresses of IP packets.

The MASQUERADE target changes the source address to be the gateway’s address before the packet leaves the gateway at the POSTROUTING hook, and automatically changes the destination address of the reply back to the original source address (this is done at the PREROUTING hook quietly).

The SNAT target focuses on changing the source address of the packet at the POSTROUTING hook to any address specified by the rule. Therefore, MASQUERADE is a special case of SNAT.

The DNAT target focuses on changing the destination address of the packet at the PREROUTING hook to any address specified by the rule.
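The translations in this summary and in the application-scenario slides, as an added example that is not from the tutorial: a constructed C model of SNAT/MASQUERADE at POSTROUTING together with the connection-tracking entry that lets PREROUTING put the reply’s destination back, using the slides’ addresses (gateway WAN 123.45.67.89, www.cse.cuhk.edu.hk 137.189.91.192). Port allocation from a --to-source range is simplified to “first free port in the range”, which is an assumption of this model.

```c
#include <stdint.h>
/* Constructed model (not netfilter code) of the NAT summary: SNAT/MASQUERADE
 * rewrites the source at POSTROUTING and records the mapping, so that the
 * reply's destination can be put back at PREROUTING. Host-order IPv4. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define WAN_IP IP(123, 45, 67, 89)        /* the gateway's external address on the slides */
struct flow { uint32_t src, dst; uint16_t sport, dport; };
/* A connection-tracking entry: the flow as the LAN host sent it, plus the
 * source address and port the gateway rewrote it to. */
struct ct_entry { struct flow orig; uint32_t nat_src; uint16_t nat_sport; };
static struct ct_entry ct[64];
static int ct_len;
static int nat_port_in_use(uint32_t nat_src, uint16_t port) {
    for (int i = 0; i < ct_len; i++)
        if (ct[i].nat_src == nat_src && ct[i].nat_sport == port) return 1;
    return 0;
}
/* POSTROUTING, "-j SNAT --to-source to_src:lo-hi". lo == 0 means "no range":
 * keep the LAN host's port when free (MASQUERADE behaviour). Returns the
 * translated flow, or the flow unchanged when no port can be assigned. */
struct flow snat_postrouting(struct flow f, uint32_t to_src, uint16_t lo, uint16_t hi) {
    uint16_t port = lo ? lo : f.sport, last = lo ? hi : 65535;
    if (ct_len == 64) return f;                          /* tracking table full */
    while (nat_port_in_use(to_src, port)) {              /* next free port */
        if (port == last) return f;
        port++;
    }
    ct[ct_len++] = (struct ct_entry){ f, to_src, port };
    f.src = to_src; f.sport = port;
    return f;
}
/* MASQUERADE: SNAT to the gateway's own external address. */
struct flow masquerade_postrouting(struct flow f) { return snat_postrouting(f, WAN_IP, 0, 0); }
/* PREROUTING on a reply: undo the translation quietly. Returns 1 and rewrites
 * *reply when a tracked connection matches, 0 when the packet is not ours. */
int unnat_prerouting(struct flow *reply) {
    for (int i = 0; i < ct_len; i++) {
        const struct ct_entry *e = &ct[i];
        if (reply->dst == e->nat_src && reply->dport == e->nat_sport &&
            reply->src == e->orig.dst && reply->sport == e->orig.dport) {
            reply->dst = e->orig.src; reply->dport = e->orig.sport;
            return 1;
        }
    }
    return 0;
}
```

When two LAN hosts pick the same source port, the gateway has to assign a different external port to the second one; that is the "port number assigned by the gateway" from the IP Masquerading slide.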

Page 31

Part 2

Apache HTTP server

Page 32

Apache HTTP server

Apache HTTP server is an open source web server maintained by the Apache Software Foundation.

Installing Apache (the Ubuntu way):

[root@gateway]# apt-get install apache2

All the web pages are placed inside a folder known as the document root.

By default, the document root is /var/www.

Page 33

Apache HTTP server

After installing, you can test your apache server by visiting http://server_ip/apache2-default/ or http://server_ip/

You can now add the files of your own web page to /var/www

Page 34

Features of Apache server

Apache server comes with a modular design; advanced features (e.g. PHP support) are handled using modules.

Configuration files for the server and its modules are located under /etc/apache2

Page 35

Configuration Files

Pay attention to the following files and directories:

apache2.conf: the main configuration file; not much detail here.

ports.conf: specifies which ports and IP addresses to listen on.

sites-available/: files in this directory contain configuration directives for the different virtual hosts.

mods-available/: contains configuration directives for server modules.

Page 36

Enabling sites and modules

A file in sites-available/ or mods-available/ is only effective if a symbolic link to it appears in the corresponding folder:

sites-enabled/: contains symlinks to the sites in sites-available/ that you want to enable.

mods-enabled/: contains symlinks to the modules in mods-available/ that you want to enable.

You don’t have to deal with the symlinks yourself; use the commands a2enmod, a2dismod, a2ensite, a2dissite.

Page 37

Running CGI program

In /etc/apache2/sites-available/default, you would find the following configuration:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

This suggests that by default, the apache server allows the execution of CGI scripts inside /usr/lib/cgi-bin/, and the scripts are accessible through the URL http://ip_address/cgi-bin/your_script_name.cgi

Page 38

Adding PHP support

Installing PHP (the Ubuntu way):

[root@gateway]# apt-get install libapache2-mod-php5 php5 \
    php5-cgi php5-cli

After that, the PHP configuration files appear in /etc/apache2/mods-available/:

[root@gateway]# ls /etc/apache2/mods-available/php*
mods-available/php5.conf mods-available/php5.load

Enable the module:

[root@gateway]# a2enmod php5

Page 39

Privilege of CGI

If you execute the system utility “id” in your CGI script, you would find the following output

This shows that your CGI scripts are run with effective user id and group id “www-data”

Why? Because the apache server has limited its privilege by setting the process owner user id to “www-data”

The ownership of your CGI process is inherited from the apache server

Page 40

Privilege of CGI

However, many system operations require the root permission, e.g., iptables

How can these operations be done by a CGI program?

Exploit the setuid and setgid features of *nix

Page 41

Recall: setuid, setgid

setuid and setgid are Unix access-rights flags that allow users to run an executable with the permissions of the executable’s owner or group.

That means: if the executable’s owner is root, and the executable has been given the setuid attribute, then a user can run the executable as if he/she is the root.

Page 42

Using Wrapper

So how can you make your CGI access/execute files that require root privilege?

Use a “wrapper” program!

$ iptables -L
iptables v1.3.6 … Permission denied …

$ cat godlike.c
/* The wrapper code */
#include <stdlib.h>

int main(void)
{
    return system("iptables -L");
}

$ gcc -o godlike godlike.c
$ sudo chown root.root godlike
$ sudo chmod 4711 godlike
$ ./godlike
Chain INPUT (policy ACCEPT)
…

Page 43

End of tutorial

Q & A