SlideShare ist ein Scribd-Unternehmen logo

Linux – routing and firewall for beginners v 1.0

Als PPTX, PDF herunterladen
Sriram Narayanan
Sriram Narayanan

The slides for a full day workshop that I ran on April 12th 2014.

Technologie
1 von 36
Linux – Routing and Firewall for beginners sriram@belenix.org @sriramnrn
Agenda • Introduction • What we will not be covering • Setup – 30 mins • Some network basics • Some VirtualBox basics • Routing (demo, troubleshooting and exercises) • Firewalls (demo, troubleshooting and exercises)
What we should have achieved today • This session is for beginners • Set up a router, and route between two networks • Set up a firewall, and understand basic firewall administration • What I haven’t tried in today’s infra • Asymmetric routing • We won’t be covering today: • LARTC (Linux Advanced Routing and Traffic Control) • QoS • Policy Based Routing • VPNs
Setup • Download and extract iptables.zip from https://www.dropbox.com/s/6ef1nfdplliao30/iptables.zip • Change into the iptables directory • Run “vagrant up” • Will download a 350 MB file from the vagrant cloud.
Working with the infrastructure • Vagrant up, halt, destroy • Vagrant ssh • Restarting from scratch • About “office”, “router” and “dmz” • Saving your work via puppet
Some network basics • Ethernet configuration files • service network restart • ping • traceroute • ssh • netstat
Getting started with routing • From your laptop to the various individual boxes • Print the route table • Within each box • Print the route table • What have we discovered ? Draw a diagram • Explore the Virtual Box settings and validate the diagram • Which IPs are you able to ping? From where? • Why is the ping working? • Why is the traceroute working?
Before we set up a route • ssh to “office” • From “office”, ssh to “router”. • From “router”, ssh to “dmz” • Why is this working?
Setting up a direct route to further hops • What should our routing look like? • Set up the routes • Are you able to get from office to dmz via the dmz IP? • If yes, why? • If no, what do you think is missing?
About routes and return routes • One of the first lessons one learns ! • Set up a route • Set up a return route • Ping • from office to dmz • from dmz to office • Does the ping work ? • We’ll look at SSH and traceroute next • Persisting the route settings
When routes and return routes are not enough • SSH and traceroute • from office to dmz • from dmz to office • Does the ssh and traceroute work ? • Coming up – packet forwarding
About packet forwarding • What is packet forwarding? • How does it work? • About /proc • Ping, traceroute and SSH • from office to dmz • from dmz to office • Does the ping, traceroute, ssh work ? • What does netstat on the receiving side tell you? • Next: Persisting your packet forwarding setting
Persisting packet forwarding settings • /proc is temporary. Reboot and check ! ;) • Does the ping, traceroute, ssh work ? • Persisting your packet forwarding via /etc/sysctl.conf • Reloading /etc/sysctl.conf
When both the sides have the same IP range • What if both the sides have the same IP address range? • A common scenario between customer-vendor organizations • Let’s see this during the firewalls section
Some exercises • One “office”, two DMZs • Two “offices”, one DMZ
Questions • Given that we have • One “office”, one “DMZ” • One “office”, two DMZs • Two “offices”, one DMZ When we have the current configuration Then is this “DMZ” a DMZ?
The need for a firewall • Making a DMZ a DMZ
iptables and netfilter • Netfilter – the kernel module • Iptables – the command line tool • service iptables status • What do we see here?
iptables – getting around • How and why does iptables startup? • Chkconfig • Where the service script is located • Turning iptables off • temporarily • permanently • flushing the tables • service iptables status • What do we see here?
iptables – What are tables? • View the Wikipedia diagram
iptables Rules – the basics • What does a rule look like? • Add a rule • Delete a rule • View the rule • Persist the rule • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly?
iptables Rules – persisting • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly? • About iptables restarts and reloads
Iptables – default policies • Change the default INPUT and FORWARD policies • Edit the iptables files directly • What do you see? • Is an iptables service restart required?
Iptables – logging packets • How do we log a packet?
Iptables – allowing packets • How do we log a packet?
Iptables – dropping and rejecting packets • How do we drop a packet? • What does the sender experience with a drop rule? • How do we reject a packet? • What does the sender experience with a reject rule?
Iptables – Let’s make that DMZ a DMZ! • What rules should we have?
Iptables – port forwarding – Exercise 1 • Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP. • Are we able to access port 8080 via the router IP?
Iptables – port forwarding – Exercise 2 • Create two DMZs • Expose an SSH service in each DMZ via the same IP but different ports
Reality check: What a firewall is and isn’t • Can • defend against specific IP level characteristics • Fast rate of packets • Permit from certain origins only • Won’t • Defend you from app vulnerabilities
iptables - NAT • What is NAT? • A look at a basic NAT rule • Let’s NAT • Connections from office to DMZ via the router’s DMZ IP. • ssh • Python SimpleHTTPServer • What does netstat on the DMZ tell you about the remote IP? • What does the python SimpleHTTPServer log tell you about the remote IP?
iptables – NAT – Behind the scenes • Checking the NAT table
iptables – NAT – One on One, vs a range • What if we have a pool of public IPs available for NAT?
When both the sides have the same IP range • What should the solution be?
Some exercises • Exposing one DMZ to another via routing and NAT • On the same laptop • Across laptops
Thank you! www.sriramnarayanan.com www.belenix.org @sriramnrn

Empfohlen

Dokku - your own heroku
Dokku - your own herokuDokku - your own heroku
Dokku - your own heroku
Aleksandr Simonov
 
Dokku your own heroku 21
Dokku your own heroku 21Dokku your own heroku 21
Dokku your own heroku 21
Amoniac OÜ
 
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltStack
 
Scaling with Symfony - PHP UK
Scaling with Symfony - PHP UKScaling with Symfony - PHP UK
Scaling with Symfony - PHP UK
Ricard Clau
 
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
SaltStack
 
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltStack
 
OpenNebula in a Multiuser Environment
OpenNebula in a Multiuser EnvironmentOpenNebula in a Multiuser Environment
OpenNebula in a Multiuser Environment
NETWAYS
 
Redis Everywhere - Sunshine PHP
Redis Everywhere - Sunshine PHPRedis Everywhere - Sunshine PHP
Redis Everywhere - Sunshine PHP
Ricard Clau
 

Empfohlen

Dokku - your own heroku
Dokku - your own herokuDokku - your own heroku
Dokku - your own heroku
Aleksandr Simonov
 
Dokku your own heroku 21
Dokku your own heroku 21Dokku your own heroku 21
Dokku your own heroku 21
Amoniac OÜ
 
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web ScaleSaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltConf14 - Craig Sebenik, LinkedIn - SaltStack at Web Scale
SaltStack
 
Scaling with Symfony - PHP UK
Scaling with Symfony - PHP UKScaling with Symfony - PHP UK
Scaling with Symfony - PHP UK
Ricard Clau
 
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
Salt Air 19 - Intro to SaltStack RAET (reliable asyncronous event transport)
SaltStack
 
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google ScaleSaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltConf14 - Brendan Burns, Google - Management at Google Scale
SaltStack
 
OpenNebula in a Multiuser Environment
OpenNebula in a Multiuser EnvironmentOpenNebula in a Multiuser Environment
OpenNebula in a Multiuser Environment
NETWAYS
 
Redis Everywhere - Sunshine PHP
Redis Everywhere - Sunshine PHPRedis Everywhere - Sunshine PHP
Redis Everywhere - Sunshine PHP
Ricard Clau
 
High Performance Systems in Go - GopherCon 2014
High Performance Systems in Go - GopherCon 2014High Performance Systems in Go - GopherCon 2014
High Performance Systems in Go - GopherCon 2014
Derek Collison
 
Introduction to Systems Management with SaltStack
Introduction to Systems Management with SaltStackIntroduction to Systems Management with SaltStack
Introduction to Systems Management with SaltStack
Craig Sebenik
 
Zero mq logs
Zero mq logsZero mq logs
Zero mq logs
Tomas Doran
 
Ryu dynamic loader
Ryu dynamic loaderRyu dynamic loader
Ryu dynamic loader
Yi Tseng
 
Migrating big data
Migrating big dataMigrating big data
Migrating big data
lauraxthomson
 
Quagga Overview as of 2015/10/17
Quagga Overview as of 2015/10/17Quagga Overview as of 2015/10/17
Quagga Overview as of 2015/10/17
Kentaro Ebisawa
 
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltStack
 
IPLOG? A beginner's IDS for the WIN!
IPLOG? A beginner's IDS for the WIN!IPLOG? A beginner's IDS for the WIN!
IPLOG? A beginner's IDS for the WIN!
Nathan Gibbs
 
A Serverless first approach - Will it Lambda?
A Serverless first approach - Will it Lambda?A Serverless first approach - Will it Lambda?
A Serverless first approach - Will it Lambda?
Nick den Engelsman
 
Don't Let a Bad Trigger Ruin Your Checkin
Don't Let a Bad Trigger Ruin Your CheckinDon't Let a Bad Trigger Ruin Your Checkin
Don't Let a Bad Trigger Ruin Your Checkin
Perforce
 
OpenStack@NBU
OpenStack@NBUOpenStack@NBU
OpenStack@NBU
iTransformers
 
Compression talk
Compression talkCompression talk
Compression talk
Ilya Ganelin
 
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
Chris Fregly
 
Hashicorp at holaluz
Hashicorp at holaluzHashicorp at holaluz
Hashicorp at holaluz
Ricard Clau
 
Deploying Immutable infrastructures with RabbitMQ and Solr
Deploying Immutable infrastructures with RabbitMQ and SolrDeploying Immutable infrastructures with RabbitMQ and Solr
Deploying Immutable infrastructures with RabbitMQ and Solr
Jordi Llonch
 
Pluk2013 bodybuilding ratheesh
Pluk2013 bodybuilding ratheeshPluk2013 bodybuilding ratheesh
Pluk2013 bodybuilding ratheesh
Ratheesh Kaniyala
 
LWP + libcurl
LWP + libcurlLWP + libcurl
LWP + libcurl
Stanislaw Pusep
 
Saltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrencySaltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrency
Thomas Jackson
 
Open stack jobs avoiding the axe
Open stack jobs avoiding the axeOpen stack jobs avoiding the axe
Open stack jobs avoiding the axe
Jim Leitch
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010
idsecconf
 
Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Control
sandy_vasan
 
Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginners
n|u - The Open Security Community
 

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

High Performance Systems in Go - GopherCon 2014
High Performance Systems in Go - GopherCon 2014High Performance Systems in Go - GopherCon 2014
High Performance Systems in Go - GopherCon 2014
 
Introduction to Systems Management with SaltStack
Introduction to Systems Management with SaltStackIntroduction to Systems Management with SaltStack
Introduction to Systems Management with SaltStack
 
Zero mq logs
Zero mq logsZero mq logs
Zero mq logs
 
Ryu dynamic loader
Ryu dynamic loaderRyu dynamic loader
Ryu dynamic loader
 
Migrating big data
Migrating big dataMigrating big data
Migrating big data
 
Quagga Overview as of 2015/10/17
Quagga Overview as of 2015/10/17Quagga Overview as of 2015/10/17
Quagga Overview as of 2015/10/17
 
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
SaltConf14 - Saurabh Surana, HP Cloud - Automating operations and support wit...
 
IPLOG? A beginner's IDS for the WIN!
IPLOG? A beginner's IDS for the WIN!IPLOG? A beginner's IDS for the WIN!
IPLOG? A beginner's IDS for the WIN!
 
A Serverless first approach - Will it Lambda?
A Serverless first approach - Will it Lambda?A Serverless first approach - Will it Lambda?
A Serverless first approach - Will it Lambda?
 
Don't Let a Bad Trigger Ruin Your Checkin
Don't Let a Bad Trigger Ruin Your CheckinDon't Let a Bad Trigger Ruin Your Checkin
Don't Let a Bad Trigger Ruin Your Checkin
 
OpenStack@NBU
OpenStack@NBUOpenStack@NBU
OpenStack@NBU
 
Compression talk
Compression talkCompression talk
Compression talk
 
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
Tallinn Estonia Advanced Java Meetup Spark + TensorFlow = TensorFrames Oct 24...
 
Hashicorp at holaluz
Hashicorp at holaluzHashicorp at holaluz
Hashicorp at holaluz
 
Deploying Immutable infrastructures with RabbitMQ and Solr
Deploying Immutable infrastructures with RabbitMQ and SolrDeploying Immutable infrastructures with RabbitMQ and Solr
Deploying Immutable infrastructures with RabbitMQ and Solr
 
Pluk2013 bodybuilding ratheesh
Pluk2013 bodybuilding ratheeshPluk2013 bodybuilding ratheesh
Pluk2013 bodybuilding ratheesh
 
LWP + libcurl
LWP + libcurlLWP + libcurl
LWP + libcurl
 
Saltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrencySaltconf 2016: Salt stack transport and concurrency
Saltconf 2016: Salt stack transport and concurrency
 
Open stack jobs avoiding the axe
Open stack jobs avoiding the axeOpen stack jobs avoiding the axe
Open stack jobs avoiding the axe
 
Micro control idsecconf2010
Micro control idsecconf2010Micro control idsecconf2010
Micro control idsecconf2010
 

Andere mochten auch

Lession3 Routing
Lession3 RoutingLession3 Routing
Lession3 Routing
leminhvuong
 
Soal lks networking support 2013 SMK N 1 Binangun
Soal lks networking support 2013 SMK N 1 BinangunSoal lks networking support 2013 SMK N 1 Binangun
Soal lks networking support 2013 SMK N 1 Binangun
Rudi AdiTia
 

Andere mochten auch (20)

Linux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic ControlLinux Based Advanced Routing with Firewall and Traffic Control
Linux Based Advanced Routing with Firewall and Traffic Control
 
Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginners
 
Segregation of Duties and Continuous Delivery
Segregation of Duties and Continuous DeliverySegregation of Duties and Continuous Delivery
Segregation of Duties and Continuous Delivery
 
Integrating Linux routing with FusionCLI™
Integrating Linux routing with FusionCLI™Integrating Linux routing with FusionCLI™
Integrating Linux routing with FusionCLI™
 
Linux Based DiffServ. Router
Linux Based DiffServ. RouterLinux Based DiffServ. Router
Linux Based DiffServ. Router
 
6 networking
6 networking6 networking
6 networking
 
Lession3 Routing
Lession3 RoutingLession3 Routing
Lession3 Routing
 
Effective Framework for Continuous Auditing
Effective Framework for Continuous AuditingEffective Framework for Continuous Auditing
Effective Framework for Continuous Auditing
 
Fraud in the Non Profit Industry
Fraud in the Non Profit IndustryFraud in the Non Profit Industry
Fraud in the Non Profit Industry
 
Thieves Within: Preventing Fraud in Small & Medium-Sized Organizations
Thieves Within: Preventing Fraud in Small & Medium-Sized OrganizationsThieves Within: Preventing Fraud in Small & Medium-Sized Organizations
Thieves Within: Preventing Fraud in Small & Medium-Sized Organizations
 
Pembahasansoallks2013
Pembahasansoallks2013Pembahasansoallks2013
Pembahasansoallks2013
 
Tugas 1 analisa transaksi
Tugas 1 analisa transaksiTugas 1 analisa transaksi
Tugas 1 analisa transaksi
 
Route Summarization
Route SummarizationRoute Summarization
Route Summarization
 
Soal lks networking support 2013 SMK N 1 Binangun
Soal lks networking support 2013 SMK N 1 BinangunSoal lks networking support 2013 SMK N 1 Binangun
Soal lks networking support 2013 SMK N 1 Binangun
 
Ketika cinta berbuah surga
Ketika cinta berbuah surgaKetika cinta berbuah surga
Ketika cinta berbuah surga
 
Soal lks-smk-jateng2015
Soal lks-smk-jateng2015Soal lks-smk-jateng2015
Soal lks-smk-jateng2015
 
Cowok Rasa Apel
Cowok Rasa ApelCowok Rasa Apel
Cowok Rasa Apel
 
Effective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesikEffective Internal Controls (Annotated) by @EricPesik
Effective Internal Controls (Annotated) by @EricPesik
 
Security & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoftSecurity & Segregation of Duties for PeopleSoft
Security & Segregation of Duties for PeopleSoft
 
Ringkasan Pengalamatan Internet Protocol (IP) Versi 4
Ringkasan Pengalamatan Internet Protocol (IP) Versi 4Ringkasan Pengalamatan Internet Protocol (IP) Versi 4
Ringkasan Pengalamatan Internet Protocol (IP) Versi 4
 

Ähnlich wie Linux – routing and firewall for beginners v 1.0

Enhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world applicationEnhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world application
openstackindia
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_mon
Tomas Doran
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnel
hacktivity
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
Balazs Bucsay
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
Tomas Doran
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 

Ähnlich wie Linux – routing and firewall for beginners v 1.0 (20)

Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Alice and Bob are Eff'd
Alice and Bob are Eff'dAlice and Bob are Eff'd
Alice and Bob are Eff'd
 
Enhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world applicationEnhancing OpenStack FWaaS for real world application
Enhancing OpenStack FWaaS for real world application
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_mon
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
Introduction to Computer Networking
Introduction to Computer NetworkingIntroduction to Computer Networking
Introduction to Computer Networking
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnel
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
 
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
When DevOps and Networking Intersect by Brent Salisbury of socketplane.ioWhen DevOps and Networking Intersect by Brent Salisbury of socketplane.io
When DevOps and Networking Intersect by Brent Salisbury of socketplane.io
 
FreeBSD hosting
FreeBSD hostingFreeBSD hosting
FreeBSD hosting
 
Building a Small Datacenter
Building a Small DatacenterBuilding a Small Datacenter
Building a Small Datacenter
 
How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1How to convert your Linux box into Security Gateway - Part 1
How to convert your Linux box into Security Gateway - Part 1
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Building a Small DC
Building a Small DCBuilding a Small DC
Building a Small DC
 
Nagios Conference 2014 - Bryan Heden - 10,000 Services Across The State of Ohio
Nagios Conference 2014 - Bryan Heden - 10,000 Services Across The State of OhioNagios Conference 2014 - Bryan Heden - 10,000 Services Across The State of Ohio
Nagios Conference 2014 - Bryan Heden - 10,000 Services Across The State of Ohio
 
Automation & Programmability.pptx
Automation & Programmability.pptxAutomation & Programmability.pptx
Automation & Programmability.pptx
 
Template
TemplateTemplate
Template
 

Kürzlich hochgeladen

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Linux – routing and firewall for beginners v 1.0

  • 1. Linux – Routing and Firewall for beginners sriram@belenix.org @sriramnrn
  • 2. Agenda • Introduction • What we will not be covering • Setup – 30 mins • Some network basics • Some VirtualBox basics • Routing (demo, troubleshooting and exercises) • Firewalls (demo, troubleshooting and exercises)
  • 3. What we should have achieved today • This session is for beginners • Set up a router, and route between two networks • Set up a firewall, and understand basic firewall administration • What I haven’t tried in today’s infra • Asymmetric routing • We won’t be covering today: • LARTC (Linux Advanced Routing and Traffic Control) • QoS • Policy Based Routing • VPNs
  • 4. Setup • Download and extract iptables.zip from https://www.dropbox.com/s/6ef1nfdplliao30/iptables.zip • Change into the iptables directory • Run “vagrant up” • Will download a 350 MB file from the vagrant cloud.
  • 5. Working with the infrastructure • Vagrant up, halt, destroy • Vagrant ssh • Restarting from scratch • About “office”, “router” and “dmz” • Saving your work via puppet
  • 6. Some network basics • Ethernet configuration files • service network restart • ping • traceroute • ssh • netstat
  • 7. Getting started with routing • From your laptop to the various individual boxes • Print the route table • Within each box • Print the route table • What have we discovered ? Draw a diagram • Explore the Virtual Box settings and validate the diagram • Which IPs are you able to ping? From where? • Why is the ping working? • Why is the traceroute working?
  • 8. Before we set up a route • ssh to “office” • From “office”, ssh to “router”. • From “router”, ssh to “dmz” • Why is this working?
  • 9. Setting up a direct route to further hops • What should our routing look like? • Set up the routes • Are you able to get from office to dmz via the dmz IP? • If yes, why? • If no, what do you think is missing?
  • 10. About routes and return routes • One of the first lessons one learns ! • Set up a route • Set up a return route • Ping • from office to dmz • from dmz to office • Does the ping work ? • We’ll look at SSH and traceroute next • Persisting the route settings
  • 11. When routes and return routes are not enough • SSH and traceroute • from office to dmz • from dmz to office • Does the ssh and traceroute work ? • Coming up – packet forwarding
  • 12. About packet forwarding • What is packet forwarding? • How does it work? • About /proc • Ping, traceroute and SSH • from office to dmz • from dmz to office • Does the ping, traceroute, ssh work ? • What does netstat on the receiving side tell you? • Next: Persisting your packet forwarding setting
  • 13. Persisting packet forwarding settings • /proc is temporary. Reboot and check ! ;) • Does the ping, traceroute, ssh work ? • Persisting your packet forwarding via /etc/sysctl.conf • Reloading /etc/sysctl.conf
  • 14. When both the sides have the same IP range • What if both the sides have the same IP address range? • A common scenario between customer-vendor organizations • Let’s see this during the firewalls section
  • 15. Some exercises • One “office”, two DMZs • Two “offices”, one DMZ
  • 16. Questions • Given that we have • One “office”, one “DMZ” • One “office”, two DMZs • Two “offices”, one DMZ When we have the current configuration Then is this “DMZ” a DMZ?
  • 17. The need for a firewall • Making a DMZ a DMZ
  • 18. iptables and netfilter • Netfilter – the kernel module • Iptables – the command line tool • service iptables status • What do we see here?
  • 19. iptables – getting around • How and why does iptables startup? • Chkconfig • Where the service script is located • Turning iptables off • temporarily • permanently • flushing the tables • service iptables status • What do we see here?
  • 20. iptables – What are tables? • View the Wikipedia diagram
  • 21. iptables Rules – the basics • What does a rule look like? • Add a rule • Delete a rule • View the rule • Persist the rule • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly?
  • 22. iptables Rules – persisting • What happens when you flush the tables? • How do we save the rules (service iptables save) • Where are the rules saved? • How are the rules loaded? • Is it safe to edit the file directly? • About iptables restarts and reloads
  • 23. Iptables – default policies • Change the default INPUT and FORWARD policies • Edit the iptables files directly • What do you see? • Is an iptables service restart required?
  • 24. Iptables – logging packets • How do we log a packet?
  • 25. Iptables – allowing packets • How do we log a packet?
  • 26. Iptables – dropping and rejecting packets • How do we drop a packet? • What does the sender experience with a drop rule? • How do we reject a packet? • What does the sender experience with a reject rule?
  • 27. Iptables – Let’s make that DMZ a DMZ! • What rules should we have?
  • 28. Iptables – port forwarding – Exercise 1 • Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP. • Are we able to access port 8080 via the router IP?
  • 29. Iptables – port forwarding – Exercise 2 • Create two DMZs • Expose an SSH service in each DMZ via the same IP but different ports
  • 30. Reality check: What a firewall is and isn’t • Can • defend against specific IP level characteristics • Fast rate of packets • Permit from certain origins only • Won’t • Defend you from app vulnerabilities
  • 31. iptables - NAT • What is NAT? • A look at a basic NAT rule • Let’s NAT • Connections from office to DMZ via the router’s DMZ IP. • ssh • Python SimpleHTTPServer • What does netstat on the DMZ tell you about the remote IP? • What does the python SimpleHTTPServer log tell you about the remote IP?
  • 32. iptables – NAT – Behind the scenes • Checking the NAT table
  • 33. iptables – NAT – One on One, vs a range • What if we have a pool of public IPs available for NAT?
  • 34. When both the sides have the same IP range • What should the solution be?
  • 35. Some exercises • Exposing one DMZ to another via routing and NAT • On the same laptop • Across laptops