null Banglaore Chapter - April 2014 Invite only session

1. sriram@belenix.org
@sriramnrn

2. • Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (demo, troubleshooting and exercises)
• Firewalls (demo, troubleshooting and exercises)

3. • On the whiteboard during the workshop.
• To be added to the presentation to be made available for download

4. • This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basic firewall administration
• What I haven’t tried in today’s infra
• Asymmetric routing
• We won’t be covering today:
• LARTC (Linux Advanced Routing and Traffic Control)
• QoS
• Policy Based Routing
• VPNs

5. • Are you connected to the wifi yet? twguest/d1srupt1ve
• Do you have Vagrant installed and running? Vagrant 1.5.1 at least
• Do you have Virtual Box installed and running? (Vbox 4.3 at least)
• Download the iptables zip file
• Do you have the vagrant.d zip file? (Separate from the Vagrant app)
• Set VAGRANT_HOME to c:vagrant.d (where you extract vagrant.d
to)

6. • Vagrant up, halt, destroy
• Vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your work via puppet

7. • Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat

8. • From your laptop to the various individual boxes
• Print the route table
• Within each box
• Print the route table
• What have we discovered ? Draw a diagram
• Explore the Virtual Box settings and validate the diagram
• Which IPs are you able to ping? From where?
• Why is the ping working?
• Why is the traceroute working?

9. • ssh to “office”
• From “office”, ssh to “router”.
• From “router”, ssh to “dmz”
• Why is this working?

10. • What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes, why?
• If no, what do you think is missing?

11. • One of the first lessons one learns !
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to office
• Does the ping work ?
• We’ll look at SSH and traceroute next
• Persisting the route settings

12. • SSH and traceroute
• from office to dmz
• from dmz to office
• Does the ssh and traceroute work ?
• Coming up – packet forwarding

13. • What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz to office
• Does the ping, traceroute, ssh work ?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting

14. • /proc is temporary. Reboot and check ! ;)
• Does the ping, traceroute, ssh work ?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf

15. • What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section

16. • One “office”, two DMZs
• Two “offices”, one DMZ

17. • Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
When we have the current configuration
Then is this “DMZ” a DMZ?

18. • Making a DMZ a DMZ

19. • Netfilter – the kernel module
• Iptables – the command line tool
• service iptables status
• What do we see here?

20. • How and why does iptables startup?
• Chkconfig
• Where the service script is located
• Turning iptables off
• temporarily
• permanently
• flushing the tables
• service iptables status
• What do we see here?

21. • View the Wikipedia diagram

22. • What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?

23. • What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads

24. • Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?

25. • How do we log a packet?

26. • How do we log a packet?

27. • How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?

28. • What rules should we have?

29. • Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?

30. • Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports

31. • Can
• defend against specific IP level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t
• Defend you from app vulnerabilities

32. • What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the python SimpleHTTPServer log tell you about the
remote IP?

33. • Checking the NAT table

34. • What if we have a pool of public IPs available for NAT?

35. • What should the solution be?

36. • Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops

37. www.sriramnarayanan.com
www.belenix.org
@sriramnrn