Tutorial 6: Networking Utilities & Firewall
Date post: 31-Dec-2015
Upload: ella-evans
Page 1

Tutorial 6: Networking Utilities & Firewall

Page 2

Internet Control Message Protocol (ICMP)

ICMP is designed to compensate for the deficiencies of the IP protocol.

ICMP's functions:
- Announce network errors
- Announce network congestion
- Announce timeouts
- Assist troubleshooting

Page 3

ICMP message types:

Type 3: Destination unreachable
Type 4: Source quench
Type 5: Redirection
Type 11: Time exceeded
Type 12: Parameter problem
Type 8, 0: Echo request or reply
Type 13, 14: Timestamp request and reply
Type 17, 18: Address mask request and reply
Type 10, 9: Router solicitation and advertisement

Page 4

How do we test the network?

ifconfig, ping, netstat, nslookup, traceroute, tcpdump

Page 5

How do we know the network interface settings? – ifconfig

ifconfig is used to assign an address to a network interface or to configure network interface parameters.

WARNING: it is dangerous to use this to change the configuration if you are not familiar with it. Use other user-level utilities instead; for example, netconfig on RedHat.

Page 6

ifconfig

View interface information: ifconfig -a

[root]# /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:C0:4F:7A:BA:C7
          inet addr:137.189.90.60  Bcast:137.189.91.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7010277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8755564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xdc80

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:46811 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Annotations on the slide:
- HWaddr: Ethernet address
- inet addr / Mask: IP address & netmask
- MTU: labelled "MAX Segment Size" on the slide (strictly, the maximum transmission unit of the interface)
- RX packets / TX packets: number of packets received / sent

Page 7

How do we know whether a host is reachable/alive? – ping

ping utilizes the ICMP protocol's ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from the specified host or network gateway.

Diagram on the slide (pc90002 runs "ping pc90001"):

    pc90002  ---- ECHO_REQUEST  ---->  pc90001
    pc90002  <--- ECHO_RESPONSE -----  pc90001

Page 8

ping: useful options

-c count: specify the number of ECHO_REQUEST packets to send
-i wait: specify the time interval between sending each packet
-s packetsize: specify the number of data bytes to be sent
-R: Record route. Displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes; the rest of the hosts are ignored or discarded with this option. In that case, use traceroute instead.

Page 9

How do we know the usage of a port? – netstat

netstat displays the contents of various network-related data structures in various formats.

NOTICE: some of the options differ between Solaris and Linux. Please refer to the corresponding man page.

Page 10

netstat

Command         Function
netstat -r      Show routing table
*netstat -M     Show multicast routing table
*netstat -ms    Show stream and protocol statistics
netstat -a      Show state of all sockets and routing table entries
netstat -n      Show numerical addresses instead of host names
netstat -i      Show state of interfaces

Options marked with * only work in Solaris; Linux has different options to achieve the same function.

Page 11

How do we find the IP address from a hostname? – nslookup

nslookup is a networking application that sends queries to DNS and requests domain name information.

nslookup is deprecated; use dig and host instead.

Set the default DNS in /etc/resolv.conf (Redhat):

nameserver 137.189.91.188    #set default DNS
search cse.cuhk.edu.hk       #set default domain name

Page 12

How do we know the routing path to a remote host? – traceroute

traceroute utilizes the IP protocol 'time to live' (ttl) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.

Diagram on the slide (pc90002 runs "traceroute pc90001"):

    pc90002 ---> gateway1 ---> gateway2 ---> pc90001

- pc90002 generates packets with ttl = 1, 2, 3, ...
- ttl is decremented while passing each gateway
- If ttl reaches 0, that host/gateway replies with a TIME_EXCEEDED back to the source (the ttl = 1 packet is answered by gateway1, the ttl = 2 packet by gateway2, and so on)

Page 13

How do we know whether packets are being sent/received at the interface? – tcpdump

tcpdump prints out the headers of packets on a network interface that match the boolean expression.

Only root is allowed to execute it.

Page 14

tcpdump

tcpdump [expression]

The expression is a boolean expression that selects the packets to be dumped. Its primitives are built from:

Type (including host, net and port), e.g.
    host pc90001    net 137.189    port 21

Dir (specifies a particular transfer direction, including src and dst), e.g.
    src pc90002    dst net 202.123.456

Proto (specifies a particular protocol, including ether, ip, arp, tcp, udp and so on), e.g.
    tcp port 21    ether src pc90001

Page 15

tcpdump examples

To print all packets arriving at or departing from pc90002:
    tcpdump host pc90002

To print all IP packets except those to or from pc90004:
    tcpdump ip host not pc90004

To print all UDP packets from pc90001, showing the header contents:
    tcpdump -x udp and host pc90001

To print all ICMP packets sent from pc90001:
    tcpdump icmp and src host pc90001

Page 16

tcpdump

[root]# tcpdump udp
tcpdump: listening on eth0
13:01:09.884933 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
13:01:10.204118 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:10.634916 192.168.0.3.netbios-ns > 192.168.0.255.netbios-ns: udp 50
13:01:15.206077 pc90060.cse.cuhk.edu.hk.33883 > beryl.cse.cuhk.edu.hk.domain: 60655+ (44)
13:01:20.215660 pc90060.cse.cuhk.edu.hk.33883 > garden.cse.cuhk.edu.hk.domain: 60655+ (44)

[root]# tcpdump -x icmp and src host solar22
tcpdump: listening on eth0
13:03:52.253498 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
                         4500 0054 dbf4 4000 fe01 dab4 89bd 5848
                         89bd 5a3c 0800 dd63 0d31 0000 3a91 f54c
                         0003 f286 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819
13:03:55.349628 solar22.cse.cuhk.edu.hk > pc90060.cse.cuhk.edu.hk: icmp: echo request (DF)
                         4500 0054 dbfa 4000 fe01 daae 89bd 5848
                         89bd 5a3c 0800 65e9 0d32 0000 3a91 f54f
                         0005 69fb 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819
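As an added example (not part of the slides), the following Python decodes the first hex dump above: it splits off the IP header, verifies the header checksum, reports the DF flag, TTL and addresses, decodes the ICMP echo fields using the type numbers from page 3, and flags that the capture holds only 54 of the 84 bytes announced in the IP total length (tcpdump's default snapshot length). The DUMP constant and the function names are mine.

```python
import ipaddress
import struct

# First echo request from the "tcpdump -x icmp and src host solar22" dump above.
# tcpdump's default snapshot length kept only 54 of the 84 bytes on the wire.
DUMP = """
4500 0054 dbf4 4000 fe01 dab4 89bd 5848
89bd 5a3c 0800 dd63 0d31 0000 3a91 f54c
0003 f286 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819
"""

# ICMP message types listed on page 3 of the slides.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirection", 8: "echo request", 9: "router advertisement",
              10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp request", 14: "timestamp reply",
              17: "address mask request", 18: "address mask reply"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_icmp_dump(dump: str) -> dict:
    """Decode the IP header and ICMP header of one tcpdump -x hex dump."""
    raw = bytes.fromhex("".join(dump.split()))
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1:
        raise ValueError("not ICMP: IP protocol %d" % proto)
    itype, code, _icsum, echo_id, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ip_id": ident,
        "df": bool(frag & 0x4000), "frag_offset": frag & 0x1FFF, "ttl": ttl,
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,
        "icmp_type": itype, "icmp_name": ICMP_TYPES.get(itype, "unknown"),
        "icmp_code": code, "echo_id": echo_id, "echo_seq": seq,
        "captured": len(raw), "truncated": len(raw) < total_len,
    }

if __name__ == "__main__":
    for field, value in decode_icmp_dump(DUMP).items():
        print("%-15s %s" % (field, value))
```

The decoded destination 137.189.90.60 is the eth0 address shown by ifconfig on page 6, and the ICMP checksum cannot be verified because the payload is cut off.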

Page 17

What is a firewall?

A firewall is a secure and trusted machine that aims to protect the internal network from outside attacks. It is usually located between the private network and the public network. It is configured with a set of rules that determine whether incoming or outgoing network traffic is accepted, denied or rejected.

Why do I need a firewall? Control, security, watchfulness.

Page 18

Using iptables

There are three types of built-in chains (or lists of rules):
INPUT – for packets destined for the local system
OUTPUT – for packets originating from the local system
FORWARD – for packets that enter the system and are forwarded to another destination

Diagram on the slide:

    incoming ---> Routing Decision ---> FORWARD ---> outgoing
                        |
                      INPUT
                        |
                  Local Process
                        |
                      OUTPUT ---> outgoing

Page 19

There are mainly three types of operations (targets):
ACCEPT – accept the packet
DROP – discard the packet silently
REJECT – actively reply to the source that the packet is rejected

All the rules are consulted until the first rule matching the packet is located. If no rule matches the packet, the kernel looks at the chain policy.

Page 20

Operations to manage whole chains:
-N: create a new chain
-P: change the policy of a built-in chain
-L: list the rules in a chain
-F: flush the rules out of a chain

Operations to manipulate rules inside a chain:
-A: append a new rule to a chain
-I: insert a new rule at some position in a chain
-R: replace a rule at some position in a chain
-D: delete a rule in a chain

Page 21

Some filtering specifications:
-j: specify the rule target
-s: specify the source addresses
-d: specify the destination addresses
-p: specify the protocol used (e.g. tcp, udp, icmp)
-i: specify the input interface
-o: specify the output interface
!: specify the inversion (i.e. NOT)

Page 22

TCP extensions:
--tcp-flags: filter on specific flags
--syn: shorthand for --tcp-flags SYN,RST,ACK SYN
--source-port (or --sport): specify the source port
--destination-port (or --dport): specify the destination port

UDP extensions:
--sport and --dport

Page 23

Logging

Logging can be done by specifying the rule target as LOG (i.e. -j LOG).

Options:
--log-level: debug, info, notice, warning, err, crit, alert, and emerg. Type "man syslog.conf" for details.
--log-prefix: uniquely identify a log message.

Page 24

Examples

Drop all icmp (such as ping) packets:
    iptables -A INPUT -p icmp -j DROP

Flush all chains:
    iptables -F

List all existing rules:
    iptables -L

Accept the ssh service from CSE machines:
    iptables -A INPUT -p tcp -s 137.189.88.0/22 -d 0/0 --dport 22 -j ACCEPT

Page 25

Reject all incoming TCP traffic destined for ports 0 to 1023:
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 0:1023 -j REJECT

Reject all outgoing TCP traffic except the one destined for 137.189.96.142:
    iptables -A OUTPUT -p tcp -s 0/0 -d ! 137.189.96.142 -j REJECT

Drop all SYN packets from pc89184:
    iptables -A INPUT -p tcp -s 137.189.89.184 --syn -j DROP

Page 26

References

Linux iptables HOWTO, by Rusty Russell
http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html