sriram@belenix.org
@sriramnrn
• Introduction
• What we will not be covering
• Setup – 30 mins
• Some network basics
• Some VirtualBox basics
• Routing (demo, troubleshooting and exercises)
• Firewalls (demo, troubleshooting and exercises)
• On the whiteboard during the workshop.
• To be added to the presentation to be made available for download
• This session is for beginners
• Set up a router, and route between two networks
• Set up a firewall, and understand basic firewall administration
• What I haven’t tried in today’s infra
• Asymmetric routing
• We won’t be covering today:
• LARTC (Linux Advanced Routing and Traffic Control)
• QoS
• Policy Based Routing
• VPNs
• Are you connected to the wifi yet? twguest/d1srupt1ve
• Do you have Vagrant installed and running? Vagrant 1.5.1 at least
• Do you have Virtual Box installed and running? (Vbox 4.3 at least)
• Download the iptables zip file
• Do you have the vagrant.d zip file? (Separate from the Vagrant app)
• Set VAGRANT_HOME to c:\vagrant.d (where you extract vagrant.d to)
• Vagrant up, halt, destroy
• Vagrant ssh
• Restarting from scratch
• About “office”, “router” and “dmz”
• Saving your work via Puppet
• Ethernet configuration files
• service network restart
• ping
• traceroute
• ssh
• netstat
• From your laptop to the various individual boxes
• Print the route table
• Within each box
• Print the route table
• What have we discovered? Draw a diagram
• Explore the Virtual Box settings and validate the diagram
• Which IPs are you able to ping? From where?
• Why is the ping working?
• Why is the traceroute working?
• ssh to “office”
• From “office”, ssh to “router”
• From “router”, ssh to “dmz”
• Why is this working?
• What should our routing look like?
• Set up the routes
• Are you able to get from office to dmz via the dmz IP?
• If yes, why?
• If no, what do you think is missing?
• One of the first lessons one learns!
• Set up a route
• Set up a return route
• Ping
• from office to dmz
• from dmz to office
• Does the ping work?
• We’ll look at SSH and traceroute next
• Persisting the route settings
• SSH and traceroute
• from office to dmz
• from dmz to office
• Do ssh and traceroute work?
• Coming up – packet forwarding
• What is packet forwarding?
• How does it work?
• About /proc
• Ping, traceroute and SSH
• from office to dmz
• from dmz to office
• Do ping, traceroute and ssh work?
• What does netstat on the receiving side tell you?
• Next: Persisting your packet forwarding setting
• /proc is temporary. Reboot and check! ;)
• Do ping, traceroute and ssh still work?
• Persisting your packet forwarding via /etc/sysctl.conf
• Reloading /etc/sysctl.conf
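The three things the routing exercises above turn on one at a time (the route on “office”, the return route on “dmz”, and packet forwarding on “router”), as an added troubleshooting check that is not part of the workshop material; the addresses, interface names and the `ip route` output it reads are constructed for the example:

```shell
# Added example, not from the slides: a check for the three things that break
# office -> dmz traffic in the routing exercises: the route on "office", the
# return route on "dmz", and ip_forward on "router". Addresses, interface
# names and the "ip route" outputs below are constructed for the example.
OFFICE_NET=192.168.10.0/24; ROUTER_OFFICE_IP=192.168.10.1
DMZ_NET=192.168.20.0/24;    ROUTER_DMZ_IP=192.168.20.1

# Constructed "ip route" output from each box, in the kernel's own format.
OFFICE_ROUTES="$OFFICE_NET dev eth1 proto kernel scope link src 192.168.10.10
$DMZ_NET via $ROUTER_OFFICE_IP dev eth1"
DMZ_ROUTES_NO_RETURN="$DMZ_NET dev eth1 proto kernel scope link src 192.168.20.10"
DMZ_ROUTES_OK="$DMZ_ROUTES_NO_RETURN
$OFFICE_NET via $ROUTER_DMZ_IP dev eth1"

# has_route ROUTES NET GATEWAY: succeed if ROUTES sends NET via GATEWAY.
has_route() {
  printf '%s\n' "$1" | grep -q "^$2 via $3 "
}

# diagnose OFFICE_ROUTES DMZ_ROUTES IP_FORWARD: print why office -> dmz does
# (not) work. Checks run in the order a packet meets each problem, so the
# first missing piece is reported: no-route, forwarding-off,
# no-return-route, or ok. The return route is the lesson most often missed:
# the ping reaches dmz, but the reply has nowhere to go.
diagnose() {
  if ! has_route "$1" "$DMZ_NET" "$ROUTER_OFFICE_IP"; then
    echo no-route; return 1          # office never hands the packet to router
  elif [ "$3" != 1 ]; then
    echo forwarding-off; return 1    # router receives it and silently drops it
  elif ! has_route "$2" "$OFFICE_NET" "$ROUTER_DMZ_IP"; then
    echo no-return-route; return 1   # request arrives, reply cannot come back
  fi
  echo ok
}

# On the real boxes: diagnose "$(ssh office ip route)" "$(ssh dmz ip route)" \
#   "$(ssh router cat /proc/sys/net/ipv4/ip_forward)"
```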
• What if both the sides have the same IP address range?
• A common scenario between customer-vendor organizations
• Let’s see this during the firewalls section
• One “office”, two DMZs
• Two “offices”, one DMZ
• Given that we have
• One “office”, one “DMZ”
• One “office”, two DMZs
• Two “offices”, one DMZ
When we have the current configuration
Then is this “DMZ” a DMZ?
• Making a DMZ a DMZ
• Netfilter – the kernel module
• Iptables – the command line tool
• service iptables status
• What do we see here?
• How and why does iptables startup?
• chkconfig
• Where the service script is located
• Turning iptables off
• temporarily
• permanently
• flushing the tables
• service iptables status
• What do we see here?
• View the Wikipedia diagram
• What does a rule look like?
• Add a rule
• Delete a rule
• View the rule
• Persist the rule
• What happens when you flush the tables?
• How do we save the rules (service iptables save)
• Where are the rules saved?
• How are the rules loaded?
• Is it safe to edit the file directly?
• About iptables restarts and reloads
• Change the default INPUT and FORWARD policies
• Edit the iptables files directly
• What do you see?
• Is an iptables service restart required?
• How do we log a packet?
• How do we drop a packet?
• What does the sender experience with a drop rule?
• How do we reject a packet?
• What does the sender experience with a reject rule?
• What rules should we have?
• Exercise 1: Expose port 8080 on the DMZ via port 80 on the router IP.
• Are we able to access port 8080 via the router IP?
• Create two DMZs
• Expose an SSH service in each DMZ via the same IP but different ports
• Can:
• Defend against specific IP-level characteristics
• Fast rate of packets
• Permit from certain origins only
• Won’t:
• Defend you from app vulnerabilities
• What is NAT?
• A look at a basic NAT rule
• Let’s NAT
• Connections from office to DMZ via the router’s DMZ IP.
• ssh
• Python SimpleHTTPServer
• What does netstat on the DMZ tell you about the remote IP?
• What does the Python SimpleHTTPServer log tell you about the remote IP?
• Checking the NAT table
• What if we have a pool of public IPs available for NAT?
• What should the solution be?
• Exposing one DMZ to another via routing and NAT
• On the same laptop
• Across laptops
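An added example, not from the workshop: the router's rule set in the format that `service iptables save` writes to /etc/sysconfig/iptables, covering the default INPUT/FORWARD policies, LOG/REJECT/DROP, the Exercise 1 DNAT, and the SNAT behind the NAT section's netstat question, plus a helper that reads back which DMZ ports the rules publish; the networks, hosts and interface names are constructed.

```shell
# Added example, not from the slides: the router's rule set in the format
# "service iptables save" uses for /etc/sysconfig/iptables, so it can be
# reviewed before "service iptables restart" loads it. Addresses and interface
# names are constructed; the slides give none.
OFFICE_NET=192.168.10.0/24; DMZ_NET=192.168.20.0/24
ROUTER_OFFICE_IP=192.168.10.1; ROUTER_DMZ_IP=192.168.20.1
DMZ_HOST=192.168.20.10; OFFICE_IF=eth1; DMZ_IF=eth2
# router_rules: print the full rule set. INPUT and FORWARD default to DROP, so
# anything not explicitly allowed is logged, then refused. iptables-restore skips the # lines.
router_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# REJECT answers the sender at once; DROP would leave it waiting for a timeout.
-A INPUT -j LOG --log-prefix "INPUT-REJECT "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $OFFICE_IF -o $DMZ_IF -s $OFFICE_NET -d $DMZ_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-DROP "
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Exercise 1: port 80 on the router's office IP reaches port 8080 on the DMZ host.
-A PREROUTING -i $OFFICE_IF -d $ROUTER_OFFICE_IP -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST:8080
# Office traffic leaves for the DMZ with the router's DMZ IP as its source, which
# is the remote address netstat and SimpleHTTPServer show on the DMZ box.
-A POSTROUTING -o $DMZ_IF -s $OFFICE_NET -j SNAT --to-source $ROUTER_DMZ_IP
COMMIT
EOF
}
# published_ports: list "router-port -> host:port" for every DNAT rule, i.e.
# which DMZ services are reachable via the router IP (the exercise's question).
published_ports() {
  router_rules | awk '/-j DNAT/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "--dport") port = $(i + 1)
      if ($i == "--to-destination") dest = $(i + 1)
    }
    print port " -> " dest
  }'
}
```

The two-DMZ SSH exercise is the same pattern: one more PREROUTING DNAT line per DMZ host, each with a different `--dport` on the router and `--to-destination host:22`.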
www.sriramnarayanan.com
www.belenix.org
@sriramnrn

Linux routing and firewall for beginners
