Thursday, November 20, 2008

Networking Basics

Networking Basics

Basic Networking Funda
The traffic/data leaves one machine, goes towards the Gateway, which is then redirected towards the destination by the Gateway.
* In this process first routing table in the source machine should point towards the correct Gateway.
* The Gateway should have correct route, IPtables and natting rules pointing towards the destination.
* The destination machine should have correct IPtables to accept the data comming from that source.

In general Networking depends on three things.

* Routing
* Nating
* IPtables/Firewalls

Routing

It tells tell the system about where to send a packet for any destination.
Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network, electronic data networks (such as the Internet), and transportation (transport) networks. This article is concerned primarily with routing in electronic data networks using packet switching technology.

In packet switching networks, routing directs forwarding, the transit of logically addressed packets from their source toward their ultimate destination through intermediate nodes; typically hardware devices called routers, bridges, gateways, firewalls, or switches. Ordinary computers with multiple network cards can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables which maintain a record of the routes to various network destinations. Thus constructing routing tables, which are held in the routers' memory, becomes very important for efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques enable the use of multiple alternative paths.

Routing, in a more narrow sense of the term, is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Because structured addresses allow a single routing table entry to represent the route to a group of devices, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging) in large networks, and has become the dominant form of addressing on the Internet, though bridging is still widely used within localized environments.

To explore it more you should stop reading and take a look at the routing table in you system
* route -n
This command will give you a table ex.

Kernel IP routing table.




Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.0 192.168.20.1 255.255.255.0 UG 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.5 0.0.0.0 UG 0 0 0 eth0


To add a route to this table type
* route add -net 192.168.1.0/24 gw 192.168.1.1

You can replace 192.168.1.0/24 with network ip to which you want to send data and 192.168.1.1 with the gateway through which that network is connected.

To delete a route to this table type
* route del -net 192.168.1.0/24 gw 192.168.1.1



Natting

In computer networking, network address translation (NAT) is the process of modifying network address information in datagram packet headers while in transit across a traffic routing device for the purpose of remapping a given address space into another.

Most often today, NAT is used in conjunction with network masquerading (or IP masquerading) which is a technique that hides an entire address space, usually consisting of private network addresses , behind a single IP address in another, often public address space. This mechanism is implemented in a routing device that uses stateful translation tables to map the "hidden" addresses into a single address and then rewrites the outgoing Internet Protocol (IP) packets on exit so that they appear to originate from the router. In the reverse communications path, responses are mapped back to the originating IP address using the rules ("state") stored in the translation tables. The translation table rules established in this fashion are flushed after a short period without new traffic refreshing their state.

As described, the method only allows transit traffic through the router when it is originating in the masqueraded network, since this establishes the translation tables. However, most NAT devices today allow the network administrator to configure translation tables entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the 'outside' network to reach designated hosts in the masqueraded network.

Because of the popularity of this technique, see below, the term NAT has become virtually synonymous with the method of IP masquerading.

Network address translation has serious consequences (see below, Drawbacks & Benefits) on the quality of Internet connectivity and requires careful attention to the details of its implementation. As a result, many methods have been devised to alleviate the issues encountered. See article on NAT traversal.

Nating can be taken care off in 2 ways one is through the router and the other way is if you are dealing with Linux machines it can be done using IPtables.

To check nating tables on a Linux machine type
* iptables -nvL -t nat
This command will give you a table ex.

Chain PREROUTING (policy ACCEPT 3791 packets, 359K bytes)

pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 6573 packets, 406K bytes)

pkts bytes target prot opt in out source destination


Chain OUTPUT (policy ACCEPT 6405 packets, 394K bytes)

pkts bytes target prot opt in out source destination




NAT or DNAT

Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT


SNAT

Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT



PACKET FLOW UNDER NAT

* The packet is first examined by rules in the PREROUTING chain, if any. It is then inspected by the rules in the nat table's PREROUTING chain to see whether the packet requires DNAT. It is then routed.

*If the packet is destined for a protected network, then it is filtered by the rules in the FORWARD chain of the filter table and, if necessary, the packet undergoes SNAT in the POSTROUTING chain before arriving to the network.



Masquerading (Many to One NAT)


Masquerading is another name for what many call many to one NAT. Traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.

Note: The masquerade IP address always defaults to the IP address of the firewall's main interface. The advantage of this is that you never have to specify the NAT IP address.

You can configure many to one NAT to an IP alias, using the POSTROUTING and not the MASQUERADE statement. An example of this can be seen in the static NAT section that follows.


Port Forwarding Type NAT


In many cases home users may get a single DHCP public IP address from their ISPs. If a Linux firewall is also your interface to the Internet and you want to host a Web site on one of the NAT protected home servers, then you will have to use port forwarding

Port forwarding is handled by the PREROUTING chain of the nat table

examples:

* iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 80 -j DNAT --to 192.168.1.200:8080


This rule allows the port forwarding for traffic destined to port 80 of the firewall's IP address to be forwarded to port 8080 on server 192.168.1.200


SNAT
----

SNAT is used to NAT all other outbound connections initiated from the protected network to appear to come from single IP address.


POSTROUTING 1 to 1
------------------

* iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 97.158.253.26

Many to 1
---------

* iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT -o eth0 --to-source 97.158.253.29



* DNAT ----- Used to do destination network address translation. ie. rewriting the destination IP address of the packet

* SNAT ----- Used to do source network address translation rewriting the source IP address of the packet The source IP address is user defined

* MASQUERADE Used to do Source Network Address Translation.By default the source IP address is the same as that used by the firewall's interface


NOTE:

ipforwarding should be enabled..then only your rules will work

cat /proc/sys/net/ipv4/ip_forward

This should give 1.



IPtables/Firewalls

iptables is a user space application program that allows a system administrator to configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page [1], which can be opened using "man iptables" when installed. iptables is also commonly used to inclusively refer to the kernel-level component Xtables that does the actual table traversal and provides an API for kernel-level extensions.

iptables works with Linux kernels 2.4 and 2.6. Older Linux kernels use ipchains (Linux 2.2) and ipfwadm (Linux 2.0).


The source of the packet determines which chain it traverses initially. There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the "filter" table. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.

Each rule in a chain contains the specification of which packets it matches. It may also contain a target. As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.

The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.

This example shows an already-configured workstation firewall. The command "iptables -L" is executed by user root to display the firewall configuration.

* iptables -nvL


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain localhost.localdomain
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Before proceeding further one should be aware of the three predefined chains of IPtables.
* INPUT
* OUTPUT
* FORWARD

INPUT
As the name explains this chain comes into picture when any packet is destined towards the system.

OUTPUT
This chain has to be configured when thinking of sending packet to other machines in the network.Usually we don't configure this chain.As it's default policy is ACCEPT.

FORWARD
This chain comes into picture when any packet in the network travels from 1 system 2 the other via the gateway, then FORWARD chain on the gateway has to be configured in such a way that it should accept the packets for forwarding.


Adding rules to IPTABLES
* iptables -I INPUT -s 192.168.20.0/24 -j ACCEPT
* iptables -I FORWARD -s 192.168.20.0/24 -j ACCEPT
* iptables -A FORWARD -s 192.168.20.0/24 --dport 80 -j ACCEPT
* iptables -I FORWARD -d 192.168.20.0/24 -j DROP

(Where I/A are to specify the priority of the ip rule, I is the inserting to the highest priority and A is appending it to the last)

Deleting rules from IPTABLES.
* iptables -D INPUT -s 192.168.20.0/24 -j ACCEPT
* iptables -D FORWARD -s 192.168.20.0/24 -j ACCEPT
* iptables -D FORWARD -s 192.168.20.0/24 --dport 80 -j ACCEPT
* iptables -D FORWARD -d 192.168.20.0/24 -j DROP

(Remember the rule should be in the same format as it was added only change is the -D)

To check if you are connected to your network properly commands like ping. telnet and traceroute will help.
See man pages of these commands for more help.
Use tcpdump to view the flow of packets FOR BETTER RESULTS.


Hope this helps.

No comments:

Post a Comment