RH253 Unit 3 Network Resource Access Control

Objectives

Upon completion of this unit, you should be able to:

1) Describe IP and routing

2) Comapre IPv4 and IPv6

3) Describe IPv6 Features

4) Understand Netfilter Architecture

5) Learn to use the iptables command

6) Understand Network Address Translation (NAT)

 

Routing

1) Routers transfer packets between different networks

2) Each machine needs a default gateway to reach machines outside the local network

3) Additional routes can be set using the route command

 

IPv6 Features

1) Larger Address

- 128-bit Addressing

- Extended Address Hierarchy

2) Flexible Header Format

- Base header – 40 octets

- Next Header field supports Optional Headers for current and future extensions

3) More support for Autoconfiguration

- Link-Local Addressing

- Router Advertisement Daemon

- Dynamic Host Configuration Protocol version 6

Implement IPv6

1) Kernel ipv6 module enables stateless autoconfiguration

2) Additional configuration implemented by /etc/rc.d/init.d/network initializaiton script

- NETWORKING_IPV6=yes in /etc/sysconfig/network

- IPV6INIT=yes in /etc/sysconfig/network-scripts/ifcfg-ethX

IPv6: Dynamic Interface Configuration

1) Two ways to dynamincally configure IPv6 addresses:

Router Advertisement Daemon:

- Runs on (Linux) Default Gateway –radvd

- Only specifies prefix and default gateway

- Enabled with IPV6_AUTOCONF=yes

- Interface ID automatically generated based on the MAC address of the system

2) DHCP version 6

- dhcp6s supports more configuration options

- Enabled with DHCPV6C=yes

IPv6: Static Interface Configuration

1) /etc/sysconfig/network-scripts/ifcfg-ethX

- IPV6ADDR=<ipv6_address>[/prefix_length]

- Device aliases unnecessary…

- IPV6ADDR_SECONDARIES=<ipv6_address>[/prefix_length] […]

 

IPv6: Routing Configuration

1) Default Gateway

- Dynamically from radvd or dhcpv6s

- Manually specified in /etc/sysconfig/network

IPV6_DEFAULTGW=<IPV6_address[%interface]>
IPV6_DEFAULTDEV=<interface> – only valid on point-to-point interfaces

2) Static Routes

Defined per interface in /etc/sysconfig/network-scripts/route6-ethX

- Uses ip –6 route add syntax

- <ipv6_network/prefix> via <ipv6_routeraddress>

 

tcp_wrappers and IPv6

1) tcp_wrapper is IPv6 aware

When IPv6 is fully implemented throughout the domain, ensure tcp_wrappers rules include IPv6 addresses

2) Example: preserving localhost connectivity, add to /etc/hosts.allow ALL: [::1]

 

New and Modified Utilities

1) ping6

2) traceroute6

3) tracepath6

4) ip –6

5) host –t AAAA hostname6.domain6

 

Netfilter Overview

1) Filtering in the kernel: no daemon

2) Asserts policies at layer 2,3 & 4 of the OSI Reference Model

3) Only inspects packet headers

4) Consists of netfilter modules in kernel, and the iptables user-space software

 

Netfilter Tables and Chains

 

Netfilter Packet Flow

Rule Matching

1) Rules in ordered list

2) Packets tested against each rule in turn

3) On first match, the target is evaluated: usuallly exits the chain

4) Rule may specify multiple criteria for match

5) Every criteria in a specification must be met for the rule to match (logical AND)

6) Chain policy applies if no match

 

Rule Targets

1) Build-in targets: DROP, ACCEPT

2) Extention targets: LOG, REJECT, custom chain

- REJECT sends a notice returned to sender

- LOG connects to system log kernel facility

- LOG match does not exit the chain

3) Target is optional, but no more than on per rule and defaults to the chain policy if absent

Simple Example

iptables –t filter –A INPUT –s 192.168.0.1 –j DROP

 

Basic Chain Operations

1) List rules in a chain or table (-L or –vL)

2) Append a rule to the chain (-A)

3) Insert a rule to the chain (-I)

-I CHAIN (inserts as the first rule)

-I CHAIN 3 (insert as rule 3)

4) Delet an individual rule (-D)

-D CHAIN 3 (delete rule 3 of the chain)

-D CHAIN RULE (delete rules explicitly)

Additional Chain Operations

1) Assign chain policy (-P CHAIN TARGET)

- ACCEPT (default, a built-in target)

- DROP (a built-in target)

- REJECT (not permitted, an extension target)

2) Flush all rules of a chain (-F)

- Does not flush the policy

3) Zero byte and packet counters (-Z [CHAIN])

- Useful for monitoring chain statistics

4) Manage custom chains (-N, –X)

- -N Your_Chain_Name (adds chain)

- -X Your_Chain_Name (deletes chain)

 

Rules: General Considerations

1) Mostly closed is appropriate

- iptables –P INPUT DROP or

- iptables –A INPUT –j DROP

- iptables –A INPUT –j REJECT

2) Criteria also apply to loopback interface

- The example rules above will have the side effect of blocking localhost

3) Rules, like routes, are loaded in memory and must be saved to a file for persistence across reboots

 

Match Arguments

1) Matches may be made by:

- IP address or hostname (warning: host names are resolved at the time of rule insertion)

- Port number, or service name

- Arguments may be negated with `!`

2) Inclusive port range may be specified `0:1023`

3) Masks may use VLSN or CIDR notation

 

Connection Tracking

1) Provides inspection of packets “state”

- a packet can be tested in a specific context

2) Simplifies rule design

- Without connection tracking, rules are usually in pairs (inbound  & outbound)

3) Implemented in “state” match extension

4) Recognized states: NEW, ESTABLISHED, RELATED, INVALID

5) Required more memory

 

Connection Tracking, continued

1) Connection tracking modules

- ip_conntrack_ftp

- ip_conntrack_tftp

- ip_nat_ftp

- ip_nat_tftp (and others)

2) /etc/sysconfig/iptables-config

 

Connection Tracking Example

1) One rule to permit established connections:

iptables –A INPUT –m state –-stats ESTABLISHED, RELATED –j ACCEPT

2) Many rules; one for each permitte service:

iptables –A INPUT –m state –-state NEW –p tcp –dport 25 –j ACCEPT

3) Lastly, one rule to block all others inbound:

iptables –A INPUT –m state –-state NEW –j DROP

 

Network Address Translation (NAT)

1) Translates one IP address into another (inbound and/or outbound)

2) Allows “hiding” internal IP addresses behind a single public IP

3) Rules set within the nat table

4) Network Address Translation types:

- Destination NAT (DNAT): Set in the PREROUTING chain where filtering uses translated address

- Source NAT (SNAT, MASQUERADE): Set in the POSTROUTING chain where filtering never uses translated address

DNAT Examples

1) INBOUND

iptables –t nat –A PREROUTING –p tcp –dport 80 –j DNAT –to-dest 192.168.0.20

2) OUTBOUND (with port redirection)

iptables –t nat –A OUTPUT –p tcp –dport 80 –j DNAT –to-dest 192.168.0.200:3128

 

SNAT Examples

1) MASQUERADE

iptables –t nat –A POSTROUTING –o eth0 –j MASQUERADE

2) SNAT

iptables –t nat –A POSTROUTING –j SNAT –to-source 1.2.3.45

Rules Persistence

1) iptables is not a daemon, but loads rules into memory and exits

2) Rules are not persistent across reboot

- Service iptables save will store rules to /etc/sysconfig/iptables (Ensure this file has proper SELinux context!)

- System V management may be used, and is run before networking si configured

 

Sample /etc/sysconfig/iptables

IPv6 and ip6tables

1) Packet filtering for IPv6 traffic

2) Provided by the iptables-ipv6 package

3) Rules stored in /etc/sysconfig/ip6tables

4) Does not yet support:

- REJECT target

- nat table

- connection tracking with the state module

 

End of Unit 3

1) Questions and Answers

2) Summary

- Address questions

- Preparation for lab

- Goals

- Scenario

- Deliverables

- Please ask the instructor for assistance when needed