talk s outline
play

Talks outline iptables versus ipchains The goal (or: my goal) The - PowerPoint PPT Presentation

Apr 21, 2023 •462 likes •785 views

IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables p.1 Talks outline iptables versus ipchains The goal (or: my goal) The packets way through iptables Classic masquerading (SNAT)

  1. IP Masquerading using iptables Eli Billauer eli billauer@yahoo.com IP Masquerading using iptables – p.1

  2. Talk’s outline iptables versus ipchains The goal (or: my goal) The packet’s way through iptables “Classic” masquerading (SNAT) DNS faking (with DNAT) Other things Firewalling with iptables (If we have time) Questions I’ll hopefully answer Not covered: packet mangling (change TOS, TTL and flags) IP Masquerading using iptables – p.2

  3. Differences between iptables and ipchains Same author (Rusty Russell), and basically smells the same Most important: FORWARD taken apart from INPUT and OUTPUT Changes in syntax Masqurading is handled “separately” IP Masquerading using iptables – p.3

  4. ipchains and iptables don’t live together If the ipchains module is resident in the kernel, iptables won’t insmod And vice versa Typical error message is misleading: “No kernel support” Red Hat 7.3 boots up with ipchains as default IP Masquerading using iptables – p.4

  5. What I wanted in the first place Windows 2000 computer 10.128.200.2 eth0 10.128.200.1 Linux 81.218.94.210 computer ppp0 eth1 10.0.0.1 10.0.0.138 ADSL modem 81.218.94.1 IP Masquerading using iptables – p.5

  6. Requirements Windows computer should have a gateway DNS issue solved elegantly Both computers have access to network at the same time Network between computers is trustful Proper firewalling ADSL modem is considered hostile IP Masquerading using iptables – p.6

  7. iptables : The IP packet’s flow Network PREROUTING POSTROUTING (nat) (nat) ACCEPT ACCEPT network FORWARD OUTPUT routing (filter) (filter, nat) host INPUT Host’s IP (filter) stack ACCEPT TCP UDP ICMP ... IP Masquerading using iptables – p.7

  8. iptables : How to swallow this Packet filtering (firewalls) and manipulation (masquerading) are neighbours Therefore, the same tools are used Think routing tables Chains: Think subroutines Each chain is terminated with a target , or next line taken Subchains work exactly like subroutines Tables: Group of chains: filter and nat Each chain has a policy – the default target IP Masquerading using iptables – p.8

  9. What is Masquerading? All computers appear to have the same IP This is done with Network Adress Translation It’s easy to fake the “outgoing packet” “Incoming packets” must be translated too Port translation – a must IP Masquerading using iptables – p.9

  10. iptables : The IP packet’s flow Network PREROUTING POSTROUTING (DNAT) (SNAT) ACCEPT ACCEPT network OUTPUT FORWARD routing (filter, DNAT) (filter) host INPUT Host’s IP (filter) stack ACCEPT TCP UDP ICMP ... IP Masquerading using iptables – p.10

  11. Source Network Address Translation (SNAT) On ADSL: catch packets going out on ppp0 The source IP is changed Source port numbers may be changed Easiest rule: Do SNAT on all packets going out on ppp0 Will include OUTPUT packets by accident, but who cares? Remember: Every SNAT produces an implicit DNAT And vice versa IP Masquerading using iptables – p.11

  12. “Incoming” packets The problem: Where should the packet go? Simple TCP connection: iptables remembers the port numbers UDP: Tricky DNS: Return the answer to whoever asked ICMP: Ping answers go the right way (!) FTP , ICQ and friends: Requires special treatment (they work for me as a basic client) When the other side opens a connection, that has to be treated specially iptables has application-based modules IP Masquerading using iptables – p.12

  13. Defining SNAT iptables commands The strict way: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT \ --to $PPPIP The liberal way: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE The “liberal” form is better for temporary connections: MASQUERADE automatically chooses address MASQUERADE forgets old connections when interface goes down For dial-up, cable modems and ADSL: MASQUERADE wins IP Masquerading using iptables – p.13

  14. POSTROUTE is just another chain Selective rules can be used Different manipulations are possible Use -j ACCEPT to let the packet through untouched IP Masquerading using iptables – p.14

  15. The wrong way to masquerade iptables -t nat -A POSTROUTING -j MASQUERADE This makes masquerading the default policy for any outgoing packet ... including any forwarded packet. All forwarded packets will appear to come from the masquerading host. May confuse firewalls Even worse, may confuse service applications to compromise security IP Masquerading using iptables – p.15

  16. Masquerading and firewalling The internal computers are implicitly firewalled The main computer gets all the unrelated packets Main computer must be protected Main computer protected with INPUT and OUTPUT chains Other computers protected with FORWARD chains Note that FORWARD chains also apply to the intranet connection IP Masquerading using iptables – p.16

  17. DNS faking with DNAT The other computers have constant DNS addresses The address is translated with DNAT iptables -t nat -A PREROUTING -d 10.2.0.1 \ -j DNAT --to-destination 192.115.106.31 iptables -t nat -A PREROUTING -d 10.2.0.2 \ -j DNAT --to-destination 192.115.106.35 IP Masquerading using iptables – p.17

  18. Automatic DNS DNAT setup In an ADSL connection, the DNS addresses are given on connection An ip-up.local script writes these addresses in the resolv.conf file DNScount=1 for nameserver in \ ‘perl -nle "/nameserver\D*(\d*\.\d*\.\d*\.\d*)/i && \ (\\$1=˜/ˆ127/ || print \\$1)" /etc/resolv.conf‘; do iptables -t nat -A PREROUTING -d 10.2.0.$DNScount \ -j DNAT --to-destination $nameserver let DNScount=DNScount+1; done; The perl statement above extracts the two addresses IP Masquerading using iptables – p.18

  19. The MTU on the Windows computer ADSL ppp connection has MTU of 1452 Normal Ethernet has MTU 1500 Windows computer doesn’t know it goes through ADSL Fragmentation Fixed by adding an entry in Window’s registry IP Masquerading using iptables – p.19

  20. Other tricks Server on masqueraded host (DNAT) Port remapping (redirection) Load balancing (One-to-many forward DNAT) Packet mangling IP Masquerading using iptables – p.20

  21. The filter chains INPUT, OUTPUT and FORWARD Targets with ACCEPT, DROP , REJECT or QUEUE A set of selective rules makes a firewall IP Masquerading using iptables – p.21

  22. Example: A firewall Close everything and flush chains iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -F -t nat iptables -F -t filter iptables -X IP Masquerading using iptables – p.22

  23. Example: A firewall (cont.) Allow everything on loopback interface iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT IP Masquerading using iptables – p.23

  24. Example: A firewall (cont.) Keep ADSL modem short iptables -A INPUT -i eth1 -s 10.0.0.138/32 \ -d 10.0.0.0/8 -p tcp \ --sport 1723 -m state \ --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth1 -s 10.0.0.138/32 \ -d 10.0.0.0/8 -p gre -j ACCEPT iptables -A INPUT -i eth1 -j DROP iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \ -d 10.0.0.138/32 -p tcp --dport 1723 \ -j ACCEPT iptables -A OUTPUT -o eth1 -s 10.0.0.0/8 \ -d 10.0.0.138/32 -p gre -j ACCEPT iptables -A OUTPUT -o eth1 -j DROP IP Masquerading using iptables – p.24

  25. Example: A firewall (cont.) Linux computer with network rules: iptables -A OUTPUT -o ppp0 -s $PPPIP -j ACCEPT iptables -A INPUT -s ! 10.128.0.0/16 -p tcp \ --dport 0:1023 -j DROP iptables -A INPUT -i ppp0 -d $PPPIP -m state \ --state ESTABLISHED,RELATED -j ACCEPT IP Masquerading using iptables – p.25

  26. Example: A firewall (cont.) Everything is allowed on internal network iptables -A INPUT -s 10.128.0.0/16 \ -d 10.128.0.0/16 -j ACCEPT iptables -A OUTPUT -s 10.128.0.0/16 \ -d 10.128.0.0/16 -j ACCEPT IP Masquerading using iptables – p.26

  27. Example: A firewall (cont.) Forwarding.... iptables -A FORWARD -i ppp0 -o eth0 -m state \ --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT iptables -A FORWARD -j DROP Note that there is no forwarding in internal network IP Masquerading using iptables – p.27

  28. iptables script finale Make sure that the main chains end with DROP Zero counters iptables -A INPUT -j DROP iptables -A OUTPUT -j DROP iptables -A FORWARD -j DROP iptables -Z IP Masquerading using iptables – p.28

  29. Summary It works really well It’s not difficult to set up if you know what you’re doing IP Masquerading using iptables – p.29

  30. References Linux IP Masquerade HOWTO (a version written in Jan 2003 is available) man iptables IP Masquerading using iptables – p.30

  31. The End Questions? EX, using the prosper document class Slides were made with L A T IP Masquerading using iptables – p.31

Recommend

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more

Outline: SUZero MML Talk Interspeech talk (for Ewald) Explain one technique in a bit more detail The experience of a coding sprint Unsupervised acoustic unit discovery for speech synthesis using discrete latent-variable neural

1.74k views • 110 slides
My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold

My presentation AB123C Outline Talk about giving a talk A tool to plan and hold presentations: AB123C The blackboard vs. slides The talk A mathematical talk is a presentation of your results in oral form Very different from

320 views • 21 slides
Canopy Midway Milestone How did we get here? Where are we going? Suggested Talk Outline: 1.

Canopy Midway Milestone How did we get here? Where are we going? Suggested Talk Outline: 1.

Canopy Midway Milestone How did we get here? Where are we going? Suggested Talk Outline: 1. Project title, team, & value proposition (1 slide) 2. Introduction to Problem & Solution (2 slides) 3. Overview of Talk (1 slide) 4. Heuristic

465 views • 19 slides
Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to

Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to

Research Unit UTIC Laboratory LIPN , UMR 7030 ESSTT, University of Tunis CNRS, University of Paris 13 Outline Outline Introduction (the concept of Desktop Grids) Objectives of the talk How to decentralize Desktop Grid middlewares, p , Two

334 views • 18 slides
First observation of DCS decay of a charmed Brayon: Liu Kai Outline Today let's talk more

First observation of DCS decay of a charmed Brayon: Liu Kai Outline Today let's talk more

First observation of DCS decay of a charmed Brayon: Liu Kai Outline Today let's talk more about physics rather technique details. Outline Experimental status of charmed hadrons weak decays of Lambda_c some highlights of

326 views • 8 slides
Talk outline Hamming similarity search Approximate similarity search using LSH Recent

Talk outline Hamming similarity search Approximate similarity search using LSH Recent

Locality-sensitive Hashing without False Negatives S CALABLE S IMILARITY Rasmus Pagh IT University of Copenhagen S EARCH SODA, January 10, 2016 1-2 post-doc positions available starting fall 2016 - contact me for details! 1 Talk outline

1.07k views • 64 slides
The Value of Genetics Talk Outline Genetic Selection and how it works How we have

The Value of Genetics Talk Outline Genetic Selection and how it works How we have

Beef 2015 Presentation By Alf Collins Jnr The Value of Genetics Talk Outline Genetic Selection and how it works How we have achieved genetic gain at ALC What it means in $ value Id like to start with the three legged stool

476 views • 4 slides
Legislating for No More Bad Investments Philip Sutton, Strategist Talk outline

Legislating for No More Bad Investments Philip Sutton, Strategist Talk outline

Legislating for No More Bad Investments Philip Sutton, Strategist Talk outline Introduction to the NMBI Act for passage by State and Territory governments Change paradigm (going for the package) The campaign for the

450 views • 10 slides
So what are hammers (and counterexample generators) good for? Talk outline 1. Sledgehammer

So what are hammers (and counterexample generators) good for? Talk outline 1. Sledgehammer

Jasmin Christian Blanchette So what are hammers (and counterexample generators) good for? Talk outline 1. Sledgehammer 2. Nitpick 3. Nunchaku 4. Lean Forward 10 1. Sledgehammer 2. Automatic proof search 2. for Isabelle/HOL Joint work

570 views • 36 slides
Talk outline Overview: Advantages and challenges of the SRF gun technology SRF gun

Talk outline Overview: Advantages and challenges of the SRF gun technology SRF gun

Survey of SRF guns First beam 21 st April 2011 Sergey Belomestnykh Collider-Accelerator Department, BNL July 25, 2011 SRF Conference Chicago July 25-29, 2011 Talk outline Overview: Advantages and challenges of the SRF gun

1.05k views • 26 slides
THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal

THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting for High- 2 1 Criminal Intent Value Targets APT Approach & 4 Emergence of 3 Ransomware Ransomhacks 5 YARA Hunting for 5 Key Takeaways Crypto Implementations ~whoami

363 views • 32 slides
Schema.org Update Guha Outline of talk The context How did we end up where we are with the

Schema.org Update Guha Outline of talk The context How did we end up where we are with the

Schema.org Update Guha Outline of talk The context How did we end up where we are with the Semantic Web Schema.org What it is, status of adoption Interesting examples & applications Schema.org principles, how does

591 views • 44 slides
Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most

Leadership and Your Inner Monologue: Harnessing the Power of Self-Talk Mary Fran Bontempo Self-Talk Self-Talk is your most powerful influence. When did you wake up thinking like this? Change is a Dirty Word for women. 1. Think

673 views • 21 slides
Theory in Practice: Modeling in Neuroimaging How to model big MRI datasets Outline of talk

Theory in Practice: Modeling in Neuroimaging How to model big MRI datasets Outline of talk

Theory in Practice: Modeling in Neuroimaging How to model big MRI datasets Outline of talk Theory recap: modelling approaches can be reduced to two types: predictive and descriptive Big data complicates our ability to apply

938 views • 91 slides
Talk outline Long-range horizontal network and the association field Electrophysiology,

Talk outline Long-range horizontal network and the association field Electrophysiology,

Talk outline Long-range horizontal network and the association field Electrophysiology, optical imaging : dynamics of propagating waves A hypothesis Non invasive approach in human : Perception and MEG Functional role : reduced

389 views • 22 slides
Modeling, Mathematical and Numerical Analysis for some Compressible and Incompressible Equations

Modeling, Mathematical and Numerical Analysis for some Compressible and Incompressible Equations

Modeling, Mathematical and Numerical Analysis for some Compressible and Incompressible Equations in Thin Layer. M. Ersoy 15 october 2010 Outline of the talk Outline of the talk 1 Introduction Atmosphere dynamic Sedimentation Unsteady mixed

1.22k views • 110 slides
ST. PATRICK, BISHOP OF ARMAGH, AND ENLIGHTENER OF IRELAND Outline of Talk on St. Patrick I. Life

ST. PATRICK, BISHOP OF ARMAGH, AND ENLIGHTENER OF IRELAND Outline of Talk on St. Patrick I. Life

ST. PATRICK, BISHOP OF ARMAGH, AND ENLIGHTENER OF IRELAND Outline of Talk on St. Patrick I. Life and Legend II. Signs and Symbols III. St. Patricks Day in America: The Case Study of New Haven IV. World-Wide Expansion Presentation by:

277 views • 6 slides
Minimum Cut and Minimum k -Cut in Hypergraphs via Branching Contractions Kyle Fox joint with

Minimum Cut and Minimum k -Cut in Hypergraphs via Branching Contractions Kyle Fox joint with

Minimum Cut and Minimum k -Cut in Hypergraphs via Branching Contractions Kyle Fox joint with Debmalya Panigrahi and Fred Zhang Duke University Talk Outline A (short) lecture, some recent work, and a new result Talk Outline A

1.15k views • 111 slides
Outline of Talk Defining terms associated with Physician Aid Physician Assisted Dying in in

Outline of Talk Defining terms associated with Physician Aid Physician Assisted Dying in in

5/23/16 Outline of Talk Defining terms associated with Physician Aid Physician Assisted Dying in in Dying (PAD) California Ethics and debates surrounding PAD Overview of the End of Life Options Act How to respond to PAD requests

402 views • 12 slides
Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline

Tools for Supersymmetric Phenomenology by Ben Allanach (University of Cambridge) Talk outline SPA project http://spa.desy.de/spa/ , http://www.ippp.dur.ac.uk/montecarlo/BSM/ Bestiary of public codes only: supposedly impartial

937 views • 36 slides
Natural capital risks & opportunities Talk outline 1. What is natural capital? 2. Some

Natural capital risks & opportunities Talk outline 1. What is natural capital? 2. Some

Natural capital risks & opportunities Talk outline 1. What is natural capital? 2. Some important points to be aware of 3. A natural capital account of the RSPBs reserves 4. Examples of land-use changes which typically provide

609 views • 26 slides
Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve & ve)

Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve & ve)

Ndwakhulu Mukhufhi CEO Outline of Talk Africa Continent of Wonders (+ve & ve) Challenges in Emerging Economies The Intra African System of Metrology The CIPM MRA in Africa What is Needed to grow Metrology? Africa,

513 views • 34 slides
Blogging about R Audio recording of this talk is on: R-statistics.com R-statistics.com

Blogging about R Audio recording of this talk is on: R-statistics.com R-statistics.com

Blogging about R Audio recording of this talk is on: R-statistics.com R-statistics.com (tal.galili@gmail.com) Tal Galili [1] [1] Department of Statistics and Operations Research, Tel Aviv University, Israel. Talk outline Why? Benefits

1.17k views • 81 slides
How (not?) to give a talk Herbert Gangl Term 2, 2014 1 Outline 1. timing 2. content 3.

How (not?) to give a talk Herbert Gangl Term 2, 2014 1 Outline 1. timing 2. content 3.

How (not?) to give a talk Herbert Gangl Term 2, 2014 1 Outline 1. timing 2. content 3. structure 4. delivery 5. visual aids 6. mastery 2 1. Timing stick to time pick out best bit(s) share fairly between sections

900 views • 68 slides

More recommend