RH253 Unit 3 Network Resource Access Control
Source: Internet | Editor: 程序博客网 | Time: 2024/05/17 00:50
Objectives
Upon completion of this unit, you should be able to:
1) Describe IP and routing
2) Compare IPv4 and IPv6
3) Describe IPv6 Features
4) Understand Netfilter Architecture
5) Learn to use the iptables command
6) Understand Network Address Translation (NAT)
Routing
1) Routers transfer packets between different networks
2) Each machine needs a default gateway to reach machines outside the local network
3) Additional routes can be set using the route command
IPv6 Features
1) Larger Address
- 128-bit addressing
- Extended address hierarchy
2) Flexible Header Format
- Base header: 40 octets
- Next Header field supports optional headers for current and future extensions
3) More support for Autoconfiguration
- Link-Local Addressing
- Router Advertisement Daemon
- Dynamic Host Configuration Protocol version 6
Implement IPv6
1) Kernel ipv6 module enables stateless autoconfiguration
2) Additional configuration is implemented by the /etc/rc.d/init.d/network initialization script
- NETWORKING_IPV6=yes in /etc/sysconfig/network
- IPV6INIT=yes in /etc/sysconfig/network-scripts/ifcfg-ethX
IPv6: Dynamic Interface Configuration
1) Two ways to dynamically configure IPv6 addresses:
Router Advertisement Daemon:
- Runs on the (Linux) default gateway: radvd
- Only specifies the prefix and the default gateway
- Enabled with IPV6_AUTOCONF=yes
- The interface ID is generated automatically from the MAC address of the system (modified EUI-64), so the hardware address is visible in every address the host forms this way
2) DHCP version 6
- dhcp6s (the server) supports more configuration options
- The client is enabled with DHCPV6C=yes
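How stateless autoconfiguration derives the interface ID from the MAC, worked through in Python as an added example (not part of the original unit): it builds the modified EUI-64 identifier, the link-local address, and an address under an advertised /64, and then recovers the MAC from such an address, which is the exposure that RFC 4941 privacy extensions were introduced to avoid. The MAC and the 2001:db8::/32 documentation prefix are constructed values; ipaddress is the standard-library module.

```python
# Added example, not from the RH253 slides: how stateless autoconfiguration
# turns a MAC address into an interface ID (modified EUI-64, RFC 4291) and
# combines it with the /64 prefix a router advertises.
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Split the MAC in half, insert 0xFFFE, then flip the universal/local bit
    # (bit 1 of the first octet) so a burned-in address gets a 1 there.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host configures for an advertised /64 prefix and its own MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every IPv6 interface derives before any RA arrives."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 derived address, or None if the
    interface ID is not in that form. This is the privacy problem with EUI-64
    IDs: the same hardware address follows the host under every prefix it
    visits, which RFC 4941 privacy extensions (random interface IDs) avoid."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{octet:02x}" for octet in raw)


if __name__ == "__main__":
    # Constructed MAC and documentation prefix (RFC 3849), not from a real host.
    MAC, PREFIX = "00:0c:29:3a:5b:6c", "2001:db8:1::/64"
    print("link-local:", link_local_address(MAC))
    print("global:    ", slaac_address(PREFIX, MAC))
    print("leaks MAC: ", mac_from_address(str(slaac_address(PREFIX, MAC))))
```

The 0xFFFE marker in the middle of the interface ID is what makes the recovery trivial: anyone who sees the address learns the NIC vendor (OUI) and can correlate the host across networks.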
IPv6: Static Interface Configuration
1) /etc/sysconfig/network-scripts/ifcfg-ethX
- IPV6ADDR=<ipv6_address>[/prefix_length]
- Device aliases unnecessary: additional addresses go on the same interface
- IPV6ADDR_SECONDARIES=<ipv6_address>[/prefix_length] […]
IPv6: Routing Configuration
1) Default Gateway
- Dynamically from router advertisements (radvd); note that DHCPv6 carries no default-router option, so even a dhcp6s-configured host learns its gateway from router advertisements
- Manually specified in /etc/sysconfig/network: IPV6_DEFAULTGW=<IPv6_address[%interface]>
- IPV6_DEFAULTDEV=<interface>: only valid on point-to-point interfaces
2) Static Routes
Defined per interface in /etc/sysconfig/network-scripts/route6-ethX
- Uses ip -6 route add syntax
- <ipv6_network/prefix> via <ipv6_routeraddress>
tcp_wrappers and IPv6
1) tcp_wrappers is IPv6 aware
- When IPv6 is fully implemented throughout the domain, ensure tcp_wrappers rules include IPv6 addresses
2) Example: to preserve localhost connectivity, add to /etc/hosts.allow:
ALL: [::1]
New and Modified Utilities
1) ping6
2) traceroute6
3) tracepath6
4) ip -6
5) host -t AAAA hostname6.domain6
Netfilter Overview
1) Filtering in the kernel: no daemon
2) Asserts policies at layers 2, 3 and 4 of the OSI Reference Model
3) Only inspects packet headers, not application payload
4) Consists of netfilter modules in kernel, and the iptables user-space software
Netfilter Tables and Chains
1) filter table: INPUT, OUTPUT and FORWARD chains (the default table when -t is omitted)
2) nat table: PREROUTING, OUTPUT and POSTROUTING chains
Netfilter Packet Flow
1) Arriving packets: PREROUTING (nat), then the routing decision
2) Destined for this host: INPUT (filter), then the local process
3) Destined elsewhere: FORWARD (filter), then POSTROUTING (nat) and out
4) Locally generated packets: OUTPUT (nat, then filter), then POSTROUTING (nat) and out
Rule Matching
1) Rules in ordered list
2) Packets tested against each rule in turn
3) On first match, the target is evaluated: usually this exits the chain
4) A rule may specify multiple criteria for a match
5) Every criterion in a specification must be met for the rule to match (logical AND)
6) Chain policy applies if no match
Rule Targets
1) Built-in targets: DROP, ACCEPT
2) Extension targets: LOG, REJECT, custom chain
- REJECT drops the packet and sends an error notice back to the sender
- LOG writes to the system log via the kernel facility
- A LOG match does not exit the chain: evaluation continues with the next rule
3) A target is optional, but a rule has no more than one; a rule without a target only updates its packet and byte counters, and evaluation continues (reaching the chain policy if nothing else matches)
Simple Example
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
Basic Chain Operations
1) List rules in a chain or table (-L or -vL)
2) Append a rule to the chain (-A)
3) Insert a rule into the chain (-I)
- -I CHAIN (inserts as the first rule)
- -I CHAIN 3 (inserts as rule 3)
4) Delete an individual rule (-D)
- -D CHAIN 3 (deletes rule 3 of the chain)
- -D CHAIN RULE (deletes the rule whose specification matches exactly)
Additional Chain Operations
1) Assign a chain policy (-P CHAIN TARGET)
- ACCEPT (the default, a built-in target)
- DROP (a built-in target)
- REJECT (not permitted as a policy: it is an extension target, so append a final REJECT rule instead)
2) Flush all rules of a chain (-F)
- Does not reset the policy
3) Zero byte and packet counters (-Z [CHAIN])
- Useful for monitoring chain statistics
4) Manage custom chains (-N, -X)
- -N Your_Chain_Name (adds chain)
- -X Your_Chain_Name (deletes chain; it must be empty and not referenced by any rule)
Rules: General Considerations
1) "Mostly closed" is appropriate
- iptables -P INPUT DROP, or
- iptables -A INPUT -j DROP, or
- iptables -A INPUT -j REJECT (as the last rule in the chain)
2) Criteria also apply to the loopback interface
- The example rules above have the side effect of blocking localhost; accept interface lo explicitly, ahead of the final DROP or REJECT, to keep local services reachable
3) Rules, like routes, are loaded into memory and must be saved to a file for persistence across reboots
Match Arguments
1) Matches may be made by:
- IP address or hostname (warning: host names are resolved once, when the rule is inserted, so a later DNS change is not reflected in the rule)
- Port number or service name
- Arguments may be negated with `!`
2) An inclusive port range may be specified as `0:1023`
3) Netmasks may be given in dotted-decimal (VLSM) or CIDR notation
Connection Tracking
1) Provides inspection of a packet's "state"
- a packet can be tested in the context of the connection it belongs to
2) Simplifies rule design
- Without connection tracking, rules usually come in pairs (inbound and outbound)
3) Implemented in the "state" match extension
4) Recognized states: NEW, ESTABLISHED, RELATED, INVALID
5) Requires more memory: every tracked connection occupies a slot in the connection table, and when the table is full the kernel drops new connections, so size it for the traffic you expect
Connection Tracking, continued
1) Connection tracking helper modules
- ip_conntrack_ftp
- ip_conntrack_tftp
- ip_nat_ftp
- ip_nat_tftp (and others)
2) Helpers to load are listed in /etc/sysconfig/iptables-config (IPTABLES_MODULES), which the iptables service reads when it starts
Connection Tracking Example
1) One rule to permit established connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2) Many rules, one for each permitted service:
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
3) Lastly, one rule to block all other inbound connections:
iptables -A INPUT -m state --state NEW -j DROP
Order matters: the ESTABLISHED,RELATED rule goes first so that reply traffic is accepted without being re-evaluated against the per-service rules.
Network Address Translation (NAT)
1) Translates one IP address into another (inbound and/or outbound)
2) Allows "hiding" internal IP addresses behind a single public IP
3) Rules are set within the nat table
4) Network Address Translation types:
- Destination NAT (DNAT): set in the PREROUTING chain (or OUTPUT for locally generated packets), before the routing decision, so filtering sees the translated destination address
- Source NAT (SNAT, MASQUERADE): set in the POSTROUTING chain, after filtering, so filter rules never see the translated source address
DNAT Examples
1) INBOUND
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20
2) OUTBOUND (with port redirection, for locally generated traffic)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.200:3128
SNAT Examples
1) MASQUERADE (for a dynamic public address: uses whatever address eth0 currently has)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) SNAT (for a fixed public address)
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
Without -o, this second rule rewrites the source of every packet leaving on any interface, the LAN side included; restrict it with -o eth0 as in the MASQUERADE example.
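Why the DNAT/SNAT distinction matters for the filter table, as an added example (not part of the original unit) that models the order of the nat PREROUTING, filter FORWARD and nat POSTROUTING hooks for a forwarded packet. The addresses 1.2.3.45 and 192.168.0.20 come from the examples above; the other addresses (RFC 5737 documentation ranges) and the eth0/eth1 topology are assumed.

```python
# Added example, not from the RH253 slides: a model of the hook order
# PREROUTING (nat) -> FORWARD (filter) -> POSTROUTING (nat) for a forwarded
# packet, showing that filter rules see the post-DNAT destination but the
# pre-SNAT source.
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]


def dnat_prerouting(pkt: Packet, dport: int, to_dest: str) -> Packet:
    """-t nat -A PREROUTING -p tcp --dport <dport> -j DNAT --to-destination <to_dest>"""
    if pkt["proto"] == "tcp" and pkt["dport"] == dport:
        host, _, port = to_dest.partition(":")  # "host" or "host:port"
        return {**pkt, "dst": host, "dport": int(port) if port else pkt["dport"]}
    return pkt


def snat_postrouting(pkt: Packet, out_iface: str, to_source: str) -> Packet:
    """-t nat -A POSTROUTING -o <out_iface> -j SNAT --to-source <to_source>"""
    if pkt["out"] == out_iface:
        return {**pkt, "src": to_source}
    return pkt


def forward_filter(pkt: Packet, allow: List[Tuple[str, int]]) -> str:
    """filter FORWARD with policy DROP: ACCEPT only the listed (dst, dport) pairs."""
    return "ACCEPT" if (pkt["dst"], pkt["dport"]) in allow else "DROP"


def forward_path(pkt: Packet, dnat: Optional[Tuple[int, str]],
                 allow: List[Tuple[str, int]],
                 snat: Optional[Tuple[str, str]]) -> Dict[str, object]:
    """Trace a forwarded packet through the three hooks. Returns what the
    filter saw, its verdict, and the packet as it leaves on the wire
    (None when the filter dropped it, since POSTROUTING is never reached)."""
    if dnat:
        pkt = dnat_prerouting(pkt, *dnat)
    seen = {"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"]}
    verdict = forward_filter(pkt, allow)
    if verdict == "DROP":
        return {"filter_saw": seen, "verdict": verdict, "wire": None}
    if snat:
        pkt = snat_postrouting(pkt, *snat)
    return {"filter_saw": seen, "verdict": verdict, "wire": pkt}


# Constructed packets; assumed topology: eth0 public (1.2.3.45), eth1 LAN 192.168.0.0/24.
INBOUND_WEB = {"proto": "tcp", "src": "203.0.113.9", "dst": "1.2.3.45",
               "dport": 80, "out": "eth1"}
OUTBOUND_HTTPS = {"proto": "tcp", "src": "192.168.0.55", "dst": "198.51.100.7",
                  "dport": 443, "out": "eth0"}

if __name__ == "__main__":
    # A FORWARD rule written against the public address never matches after DNAT.
    print(forward_path(INBOUND_WEB, (80, "192.168.0.20"), [("1.2.3.45", 80)], ("eth0", "1.2.3.45")))
    print(forward_path(INBOUND_WEB, (80, "192.168.0.20"), [("192.168.0.20", 80)], ("eth0", "1.2.3.45")))
    print(forward_path(OUTBOUND_HTTPS, None, [("198.51.100.7", 443)], ("eth0", "1.2.3.45")))
```

The first call is the common mistake: a FORWARD rule that allows traffic to 1.2.3.45:80 silently drops everything, because by the time the filter runs the destination is already 192.168.0.20. Conversely, outbound FORWARD rules must name the internal source 192.168.0.55, since the rewrite to 1.2.3.45 happens only after filtering.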
Rules Persistence
1) iptables is not a daemon: it loads rules into the kernel and exits
2) Rules are not persistent across reboots
- service iptables save stores the running rules in /etc/sysconfig/iptables (ensure this file has the proper SELinux context!)
- The System V iptables service may be used to restore them; it runs before networking is configured, so the filter is in place before any interface comes up
Sample /etc/sysconfig/iptables
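The ruleset below is a constructed sample in the /etc/sysconfig/iptables (iptables-save) format, not a Red Hat-supplied file, and the Python around it is an added example (not from the original unit). It parses that format and evaluates packets against the INPUT chain with the semantics the Rule Matching and Connection Tracking Example slides describe: criteria ANDed together, first terminating match wins, LOG continues, user-defined chains with RETURN, and the chain policy when nothing matches. Packets are dicts keyed by the iptables option that would match each field; ipaddress and shlex are standard-library modules.

```python
# Added example, not from the RH253 slides: a simulator of netfilter's
# first-match rule walk over a ruleset in iptables-save format (what
# "service iptables save" writes). Only the options used in this unit are
# understood: -i, -s, -p, --dport, -m state --state, -j, --log-prefix.
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/sysconfig/iptables (assumed, not a Red Hat file).
# ADMIN is a user-defined chain; a policy of "-" marks user chains.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:ADMIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ADMIN
-A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -j LOG --log-prefix "INPUT-reject: "
-A INPUT -m state --state NEW -j REJECT
-A ADMIN -s 192.168.0.0/24 -j ACCEPT
-A ADMIN -j RETURN
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Rule:
    """One -A line: criteria that must all hold (logical AND) plus an optional target.
    Packets are dicts keyed by the option that matches each field, e.g. {"-p": "tcp"}."""

    def __init__(self, tokens: List[str]) -> None:
        self.criteria: Dict[str, object] = {}
        self.target: Optional[str] = None
        for opt, val in zip(tokens[::2], tokens[1::2]):  # every option takes one value
            if opt in ("-i", "-p"):
                self.criteria[opt] = val
            elif opt == "-s":
                self.criteria[opt] = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport":
                self.criteria[opt] = int(val)
            elif opt == "--state":
                self.criteria[opt] = set(val.split(","))
            elif opt == "-j":
                self.target = val
            elif opt not in ("-m", "--log-prefix"):  # match name / log text: no effect here
                raise ValueError(f"unsupported option {opt!r}")

    def matches(self, pkt: dict) -> bool:
        for opt, want in self.criteria.items():
            have = pkt.get(opt)
            if opt == "-s":
                ok = have is not None and ipaddress.ip_address(have) in want
            elif opt == "--state":
                ok = have in want
            else:
                ok = have == want
            if not ok:
                return False
        return True


def parse_ruleset(text: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Return (chains, policies) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy, _counters = line[1:].split()
            chains[name], policies[name] = [], policy
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-A":
            raise ValueError(f"only -A rules are supported: {line!r}")
        chains[tokens[1]].append(Rule(tokens[2:]))
    return chains, policies


def verdict(chains, policies, chain: str, pkt: dict) -> Tuple[Optional[str], int]:
    """Walk one chain in order: the first terminating target wins; LOG and
    target-less rules only count and the walk continues; RETURN (or the end of a
    user chain) hands back to the caller; a built-in chain's policy applies when
    nothing matched. Returns (verdict, LOG hits); verdict is None for a user chain."""
    log_hits = 0
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINATING:
            return rule.target, log_hits
        if rule.target == "LOG":
            log_hits += 1
        elif rule.target == "RETURN":
            break
        elif rule.target in chains:
            sub, hits = verdict(chains, policies, rule.target, pkt)
            log_hits += hits
            if sub is not None:
                return sub, log_hits
    policy = policies[chain]
    return (None if policy == "-" else policy), log_hits
```

Two things the walk makes visible: an INVALID packet matches neither the ESTABLISHED,RELATED rule nor any NEW rule and falls through to the DROP policy, and removing the `-i lo` rule makes a new localhost connection hit the LOG and REJECT rules, which is the loopback side effect the General Considerations slide warns about.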
IPv6 and ip6tables
1) Packet filtering for IPv6 traffic
2) Provided by the iptables-ipv6 package
3) Rules are stored in /etc/sysconfig/ip6tables
4) On the kernels this unit was written for, ip6tables did not yet support:
- the REJECT target
- the nat table
- connection tracking with the state module
Later kernels added all three (IPv6 NAT arrived in Linux 3.7), so on current systems an IPv6 ruleset can mirror the IPv4 one; until then an IPv6 host had to rely on DROP and stateless rules.
End of Unit 3
1) Questions and Answers
2) Summary
- Address questions
- Preparation for lab
- Goals
- Scenario
- Deliverables
- Please ask the instructor for assistance when needed