CSC4140 Tutorial 2
SunMoon
Part 1
Iptables and NAT
Iptables
The tool iptables covers many things: packet filtering, packet forwarding, Network Address Translation (NAT), etc.
[root@linux]# iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@linux]#
Iptables – What is it?
Actually, the iptables command drives a sub-system in the Linux kernel.
The name of that sub-system is netfilter.
[Diagram: the iptables command manipulates the tables inside the netfilter internal structure of the Linux kernel.]
Iptables – Tables and Chains
Each function provided by the netfilter architecture is presented as a table.
filter: this table is in charge of filtering packets.
nat: this table is in charge of translating the IP addresses of packets.
mangle: this table is in charge of changing packet content.
Iptables – Tables and Chains
Under each table there is a set of chains. Under each chain, you can assign a set of rules.
filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Iptables – Tables and Chains
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _
Callouts: table name: filter; the command: list (-L); chain name: INPUT.
There is one rule set in the INPUT chain; the other two chains (FORWARD and OUTPUT) are empty.
The rule in the INPUT chain means: when a packet with an ICMP payload passes through the INPUT hook, DROP that packet, no matter where it comes from or where it is going.
Iptables – Packet Flow
[Diagram: the five hooks PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING, placed around the Routing Rules and the Local Processes. Key: incoming packets; outgoing packets; incoming + outgoing packets.]
If the destination of the packet is this machine …
If the destination of the packet is not this machine, and this machine knows where the packet should be sent …
If a packet from a local process is set to leave, it will go through the POSTROUTING hook.
Iptables – E.g., the Filter Table
[Diagram: the same hooks.]
E.g., the filter table can only apply on the FORWARD, the INPUT, and the OUTPUT hooks.
Iptables – Rules on Filter Table
[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _
-A INPUT: append a new rule to the INPUT chain.
--protocol icmp: the rule is interested in ICMP packets only.
--jump DROP: if a packet (1) passes through the INPUT hook and (2) is an ICMP packet, then the packet jumps to the target DROP, which discards it.
Iptables – Rules on Filter Table
[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# iptables -t filter -D INPUT 1
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _
-D INPUT 1: delete a rule from the INPUT chain, here rule #1 (rules are numbered from 1 in listing order).
Iptables – More Rules on Filter Table
iptables -t filter -A INPUT --source 137.189.0.0/16 --protocol icmp --jump DROP
If a packet is (a) passing through the INPUT hook, (b) coming from the CUHK network (137.189.0.0/16) and (c) an ICMP packet, then it is DROPPED.
Meaning: Attention, everyone in CUHK: DON’T PING ME!
iptables -t filter -A OUTPUT --destination www.cse.cuhk.edu.hk --jump DROP
If a packet is (a) passing through the OUTPUT hook and (b) being sent to www.cse.cuhk.edu.hk, then it is DROPPED.
Meaning: You are not allowed to access “www.cse.cuhk.edu.hk” using any protocol!
Note that a host name given to --destination is resolved when the rule is added: the rule matches the IP address(es) returned at that moment, not the name itself.
Iptables – More Rules on Filter Table
Besides DROP, the jump target can be: ACCEPT (self-explanatory) or REJECT, which is different from DROP.
DROP discards the packet quietly. REJECT discards the packet and then responds to the source with an ICMP “Port Unreachable” error.
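To see the filter-table semantics of the last few slides end to end, here is an added Python model (not code from the tutorial, and not iptables itself) of which hooks a packet crosses and how a chain evaluates its rules: the first matching rule decides, otherwise the chain policy applies, DROP is silent and REJECT answers with an ICMP port-unreachable. The hook traversal it encodes (PREROUTING then INPUT for packets addressed to this host; PREROUTING, FORWARD and POSTROUTING for forwarded packets; OUTPUT then POSTROUTING for locally generated ones) is standard netfilter behaviour. The addresses, routing table and rule set in the demo are constructed.

```python
"""Toy model of netfilter's packet flow and the filter table.
Added example for the tutorial, not code from it and not iptables itself."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    dport: int = 0


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP or REJECT
    proto: Optional[str] = None  # --protocol
    src: Optional[str] = None    # --source, a CIDR such as 137.189.0.0/16
    dst: Optional[str] = None    # --destination

    def matches(self, pkt):
        def in_net(ip, net):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        if self.proto and self.proto != pkt.proto:
            return False
        if self.src and not in_net(pkt.src, self.src):
            return False
        if self.dst and not in_net(pkt.dst, self.dst):
            return False
        return True


def hooks_for(pkt, local_ips, routes, locally_generated=False):
    """Standard netfilter traversal; None means the routing decision failed (no route to host)."""
    if locally_generated:
        return ["OUTPUT", "POSTROUTING"]
    if pkt.dst in local_ips:
        return ["PREROUTING", "INPUT"]
    if any(ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r) for r in routes):
        return ["PREROUTING", "FORWARD", "POSTROUTING"]
    return None


class FilterTable:
    CHAINS = ("INPUT", "FORWARD", "OUTPUT")   # the filter table has no PREROUTING/POSTROUTING chain

    def __init__(self):
        self.rules = {c: [] for c in self.CHAINS}
        self.policy = {c: "ACCEPT" for c in self.CHAINS}

    def append(self, chain, rule):       # iptables -t filter -A <chain> ...
        self.rules[chain].append(rule)

    def delete(self, chain, number):     # iptables -t filter -D <chain> <n>, numbered from 1
        del self.rules[chain][number - 1]

    def verdict(self, chain, pkt):
        for rule in self.rules[chain]:   # the first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy[chain]        # no match: the chain policy applies


def process(table, pkt, local_ips, routes, locally_generated=False):
    """Push one packet through its hooks. Returns (fate, hooks visited, ICMP error sent or None)."""
    hooks = hooks_for(pkt, local_ips, routes, locally_generated)
    if hooks is None:
        return "NO_ROUTE", ["PREROUTING"], None
    visited = []
    for hook in hooks:
        visited.append(hook)
        if hook not in table.CHAINS:
            continue                     # the filter table is not consulted at this hook
        v = table.verdict(hook, pkt)
        if v == "DROP":                  # discarded quietly
            return "DROP", visited, None
        if v == "REJECT":                # discarded, and the sender is told
            return "DROP", visited, f"ICMP port-unreachable to {pkt.src}"
    return "ACCEPT", visited, None


if __name__ == "__main__":
    t = FilterTable()
    # "everyone in CUHK, don't ping me" (constructed local address and routing table)
    t.append("INPUT", Rule("DROP", proto="icmp", src="137.189.0.0/16"))
    print(process(t, Packet("137.189.1.1", "192.168.1.3", "icmp"), {"192.168.1.3"}, ["192.168.1.0/24"]))
```

The model deliberately has no PREROUTING or POSTROUTING chain in its filter table, which is why a forwarded packet is only inspected at FORWARD; that is the point of the "filter table applies only on INPUT, FORWARD and OUTPUT" slide.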
Besides filtering…
iptables is highly related to routing…
[Diagram: the five hooks around Routing. PREROUTING and POSTROUTING each say: “I’ve the name related to routing!”]
Network Address Translation - NAT
A technique called NAT is closely related to iptables.
First of all, what is NAT? As its name says, it translates addresses.
Why do we need to translate addresses?
NAT - Application scenario
[Diagram: Bob’s home. A Broadband Gateway (WAN: 123.45.67.89, LAN: 192.168.1.1) fronts the Private LAN 192.168.1.0/24, which holds a Windows XP host (192.168.1.2) and a Linux host (192.168.1.3). On the far side of the broadband provider sits www.cse.cuhk.edu.hk (137.189.91.192). The provider side is also labelled Private LAN: 172.16.1.0/24.]
Without NAT, step 1: the Windows XP host sends a request with Src 192.168.1.2, Dest 137.189.91.192, Src Port 12345, Dest Port 80. If Bob doesn’t use NAT, but routes the request through the default route, the packet leaves the gateway with the same headers: Src 192.168.1.2, Dest 137.189.91.192, Src Port 12345, Dest Port 80.
Without NAT, step 2: the server replies with Src 137.189.91.192, Dest 192.168.1.2, Src Port 80, Dest Port 12345. Reply from the provider’s side: “I don’t have the route to host 172.16.1.1. Goodbye, little poor packet!”
With NAT, step 1: the request leaves the Windows XP host as Src 192.168.1.2, Dest 137.189.91.192, Src Port 12345, Dest Port 80. If Bob is using NAT, the gateway sends it on as Src 123.45.67.89, Dest 137.189.91.192, Src Port 12345, Dest Port 80. HX broadband knows how to route the reply this time.
With NAT, step 2: the reply comes back as Src 137.189.91.192, Dest 123.45.67.89, Src Port 80, Dest Port 12345. “I know where 123.45.67.89 is. It is Bob’s home. Let me route it!”
NAT - Application scenario
The NAT technique opens private networks to the public!
Private addresses are therefore used extensively! Your computing labs (Room 122, 904, 924 …) use private addresses. The Classnet and the Resnet use private addresses.
NAT is just a trick done by the gateway that stands between the private network and the public network.
IP Masquerading
The scenario discussed before is a special case of NAT, known as IP Masquerading.
It translates every outgoing packet: the source IP address, whatever it is, becomes the external IP address of the gateway, and the source port number becomes a port number assigned by the gateway.
Iptables Rules for IP Masquerading
[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE
IP Masquerading Target
[Diagram: the five hooks around Routing; POSTROUTING is the one that matters here.]
The MASQUERADE target is only valid for the POSTROUTING chain of the nat table!
The rule above (iptables -t nat -A POSTROUTING -j MASQUERADE) is not useful enough. Why?
Iptables Rules for IP Masquerading
Address translation for outgoing packets:
[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE
This translates every packet that leaves the gateway, whatever its source or destination, e.g. also packets heading into the private network. Limit it to the traffic that really needs translation:
[root@gateway]# iptables -t nat -A POSTROUTING -d ! 172.16.1.0/24 -j MASQUERADE
[root@gateway]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
(Newer iptables releases write the negation before the option: ! -d 172.16.1.0/24.)
More fancy rules …
[root@gateway]# iptables -t nat -A POSTROUTING \
    -s 192.168.1.0/24 -d 137.189.0.0/16 \
    -j MASQUERADE
Your private network can “access” the CUHK network and itself only.
[root@gateway]# iptables -t nat -A POSTROUTING \
    -p tcp -d ! 192.168.1.0/24 --dport 22 \
    -j MASQUERADE
Your private network can only use SSH to reach the outside world!
Note that these rules only decide which packets get translated: packets they do not match are still forwarded, with their private source address, and simply never get a reply. To really block them, add matching rules to the FORWARD chain of the filter table.
More NAT Targets
IP Masquerading is only one of the functions of the NAT table.
The true potential is locked inside the targets: SNAT – source NAT, and DNAT – destination NAT.
E.g.,
[root@gateway]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT \
    --to-destination proxy.cse.cuhk.edu.hk:8000
OMG! This is a transparent HTTP proxy!
More NAT Targets
[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.10.0/24 \
    --to-source 137.189.91.208:10001-20000
[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.20.0/24 \
    --to-source 137.189.91.208:20001-30000
OMG!! This gateway supports two private networks and it gives each network its own range of ports that it is allowed to use!
[Diagram: 192.168.10.0/24 → port 10001:20000; 192.168.20.0/24 → port 20001:30000.]
Note: the rules are not completed.
More NAT Targets
[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.10.0/24 \
    --to-source 137.189.91.208
[root@gateway]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.20.0/24 \
    --to-source 137.189.91.209
OMG!!! This gateway has a lot of NICs!
[Diagram: 192.168.10.0/24 → 137.189.91.208; 192.168.20.0/24 → 137.189.91.209.]
Note: the rules are not completed.
NAT Summary
NAT can change the source addresses and the destination addresses of IP packets.
The MASQUERADE target changes the source address to the gateway’s address before the packet leaves the gateway, at the POSTROUTING hook, and automatically changes the destination address of the reply back to the original source address (this is done quietly at the PREROUTING hook).
The SNAT target focuses on changing the source address of the packet at the POSTROUTING hook to any address specified by the rule. Therefore, MASQUERADE is a special case of SNAT.
The DNAT target focuses on changing the destination address of the packet at the PREROUTING hook to any address specified by the rule.
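The application scenario, the masquerading rules and the SNAT/DNAT targets above all rely on the same mechanism: a translation applied at one hook and a connection-tracking entry that reverses it on the reply. The following Python model is an added example (not code from the tutorial, and not netfilter) that plays through exactly that: Bob’s request leaving without NAT and its reply being undeliverable, MASQUERADE at POSTROUTING with the reply rewritten back at PREROUTING, a `-d !` exclusion, SNAT with a per-network port range, and the DNAT transparent proxy. The gateway address 123.45.67.89, the server 137.189.91.192 and the SNAT address 137.189.91.208 are the tutorial’s; 198.51.100.8 stands in for the proxy’s address and is a constructed placeholder. Simplifications: no network interfaces (`-o`) are modelled, and when the original source port is taken the model picks the next free one from 1024 to 65535.

```python
"""Toy model of the nat table with a conntrack table that reverses translations on replies.
Added example for the tutorial; not netfilter's code. Addresses as noted in the lead-in."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def parse_to(spec):
    """'137.189.91.208:10001-20000' -> ('137.189.91.208', (10001, 20000)); no port part -> (ip, None)."""
    ip, _, ports = spec.partition(":")
    if not ports:
        return ip, None
    lo, _, hi = ports.partition("-")
    return ip, (int(lo), int(hi or lo))


class NatGateway:
    """One gateway holding nat-table rules plus a conntrack table."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip                         # what MASQUERADE substitutes as source
        self.rules = {"PREROUTING": [], "POSTROUTING": []}
        self.conntrack = {}                          # expected reply 4-tuple -> packet as the LAN host sent it
        self.used_ports = set()                      # (ip, port) pairs handed out by SNAT/MASQUERADE

    def add(self, chain, target, to=None, src=None, dst=None, not_dst=None, dport=None):
        """Mirrors: iptables -t nat -A <chain> [-s] [-d | -d !] [--dport] -j <target> --to-... <to>."""
        if target == "MASQUERADE" and chain != "POSTROUTING":
            raise ValueError("MASQUERADE is only valid in the nat table's POSTROUTING chain")
        if target == "DNAT" and chain != "PREROUTING":
            raise ValueError("DNAT for forwarded packets belongs in PREROUTING")
        self.rules[chain].append(dict(target=target, to=to, src=src, dst=dst, not_dst=not_dst, dport=dport))

    def _first_match(self, chain, p):
        for r in self.rules[chain]:
            if r["src"] and not in_net(p.src, r["src"]):
                continue
            if r["dst"] and not in_net(p.dst, r["dst"]):
                continue
            if r["not_dst"] and in_net(p.dst, r["not_dst"]):   # the "-d !" form
                continue
            if r["dport"] and p.dport != r["dport"]:
                continue
            return r
        return None

    def _pick_port(self, ip, wanted, prange):
        """Keep the original port when it is free and allowed; otherwise the next free one (simplified)."""
        lo, hi = prange or (1024, 65535)
        order = ([wanted] if lo <= wanted <= hi else []) + list(range(lo, hi + 1))
        for port in order:
            if (ip, port) not in self.used_ports:
                self.used_ports.add((ip, port))
                return port
        raise RuntimeError("port range exhausted")

    def outbound(self, p):
        """A LAN host's packet crossing the gateway: PREROUTING (DNAT), then POSTROUTING (SNAT/MASQUERADE)."""
        original = p
        r = self._first_match("PREROUTING", p)
        if r and r["target"] == "DNAT":
            ip, prange = parse_to(r["to"])
            p = replace(p, dst=ip, dport=prange[0] if prange else p.dport)
        r = self._first_match("POSTROUTING", p)
        if r and r["target"] in ("SNAT", "MASQUERADE"):
            ip, prange = (self.wan_ip, None) if r["target"] == "MASQUERADE" else parse_to(r["to"])
            p = replace(p, src=ip, sport=self._pick_port(ip, p.sport, prange))
        # conntrack remembers the mapping so the reply can be translated back quietly
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = original
        return p

    def inbound_reply(self, r):
        """Reply coming back from the Internet; the provider only delivers it if its destination is public."""
        if ipaddress.ip_address(r.dst).is_private:
            return None            # "I don't have the route to host ... Goodbye, little poor packet!"
        original = self.conntrack.get((r.src, r.sport, r.dst, r.dport))
        if original is None:
            return None            # unknown flow: nothing to translate back to
        # PREROUTING undoes both translations: the LAN host sees a reply from the server it addressed
        return Packet(src=original.dst, sport=original.dport, dst=original.src, dport=original.sport)
```

In the transparent-proxy case the LAN host still believes it talked to 137.189.91.192 on port 80, because the conntrack entry stores the packet as it was before DNAT and rebuilds the reply from it.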
Part 2
Apache HTTP server
Apache HTTP server
Apache HTTP server is an open source web server maintained by the Apache Software Foundation.
Installing Apache (the Ubuntu way):
[root@gateway]# apt-get install apache2
All the web pages are placed inside a folder known as the document root.
By default, the document root is /var/www.
Apache HTTP server
After installing, you can test your Apache server by visiting http://server_ip/apache2-default/ or http://server_ip/
You can now add the files of your own web page to /var/www
Features of Apache server
Apache server comes with a modular design; advanced features (e.g. PHP support) are handled using modules.
Configuration files for the server and its modules are located under /etc/apache2
Configuration Files
Pay attention to the following files and directories:
apache2.conf: the main configuration file, not much detail here.
ports.conf: specifies which ports and IP addresses to listen on.
sites-available/: files in this directory contain configuration directives for the different virtual hosts.
mods-available/: contains configuration directives for server modules.
Enabling sites and modules
A file in sites-available/ or mods-available/ is only effective if a symbolic link to it appears in the folder:
sites-enabled/: contains symlinks to the sites in sites-available/ that you want to enable.
mods-enabled/: contains symlinks to the modules in mods-available/ that you want to enable.
You don’t have to deal with the symlinks yourself; use the commands:
a2enmod, a2dismod, a2ensite, a2dissite
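What a2ensite and a2dissite do underneath is just symlink management, and the one failure a reviewer of a server should look for is a link in sites-enabled/ whose target no longer exists (or a stray copied file that the a2* tools will never manage). The following Python is an added example, not Apache’s own scripts: it enables and disables a site the way those tools do and audits sites-enabled/. The directory tree is built in a temporary folder standing in for /etc/apache2; the only site it contains is the tutorial’s “default”.

```python
"""Enable/disable Apache sites via symlinks and audit sites-enabled/.
Added example, not Apache's a2ensite/a2dissite; the tree is constructed in a temp directory."""
import os
import tempfile


def enable_site(conf_root, name):
    """Create sites-enabled/<name> -> ../sites-available/<name> (idempotent, like a2ensite)."""
    target = os.path.join(conf_root, "sites-available", name)
    if not os.path.isfile(target):
        raise FileNotFoundError(f"{name} does not exist in sites-available/")
    link = os.path.join(conf_root, "sites-enabled", name)
    if not os.path.lexists(link):
        os.symlink(os.path.join("..", "sites-available", name), link)   # relative link, as a2ensite makes
    return link


def disable_site(conf_root, name):
    """Remove the symlink (a2dissite); the file in sites-available/ is left untouched."""
    link = os.path.join(conf_root, "sites-enabled", name)
    if not os.path.islink(link):
        return False
    os.unlink(link)
    return True


def audit_enabled(conf_root):
    """Map each entry of sites-enabled/ to 'ok', 'dangling' (target deleted) or 'not a symlink'."""
    enabled = os.path.join(conf_root, "sites-enabled")
    report = {}
    for name in sorted(os.listdir(enabled)):
        path = os.path.join(enabled, name)
        if not os.path.islink(path):
            report[name] = "not a symlink"      # a stray copy that a2dissite cannot manage
        elif os.path.exists(path):              # exists() follows the link
            report[name] = "ok"
        else:
            report[name] = "dangling"
    return report


def make_demo_tree():
    """Constructed stand-in for /etc/apache2 with one site, 'default', available but not enabled."""
    root = tempfile.mkdtemp(prefix="apache2-")
    for d in ("sites-available", "sites-enabled", "mods-available", "mods-enabled"):
        os.mkdir(os.path.join(root, d))
    with open(os.path.join(root, "sites-available", "default"), "w") as f:
        f.write("<VirtualHost *:80>\n    DocumentRoot /var/www\n</VirtualHost>\n")
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    enable_site(root, "default")
    print(audit_enabled(root))
```

A dangling entry is worth catching because Apache refuses to start when an included configuration file is missing; the audit tells you which link to remove before the next restart.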
Running CGI program
In /etc/apache2/sites-available/default, you will find the following configuration:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>
This means that by default, the Apache server allows the execution of CGI scripts inside /usr/lib/cgi-bin/, and the scripts are accessible through the URL http://ip_address/cgi-bin/your_script_name.cgi
Adding PHP support
Installing PHP (the Ubuntu way):
[root@gateway]# apt-get install libapache2-mod-php5 php5 \
    php5-cgi php5-cli
After that, the PHP configuration files appear in /etc/apache2/mods-available/:
[root@gateway]# ls /etc/apache2/mods-available/php*
mods-available/php5.conf  mods-available/php5.load
Enable the module:
[root@gateway]# a2enmod php5
Privilege of CGI
If you execute the system utility “id” in your CGI script, you will find the following output
This shows that your CGI scripts run with the effective user id and group id “www-data”.
Why? Because the Apache server has limited its own privilege by setting the user id of its worker processes to “www-data”, and your CGI process inherits its ownership from the Apache server.
Privilege of CGI
However, many system operations require the root permission, e.g., iptables
How can these operations be done by a CGI program?
Exploit the setuid and setgid features of *nix
Recall: setuid, setgid
setuid and setgid are Unix access-rights flags that allow users to run an executable with the permissions of the executable’s owner or group.
That means: if the executable’s owner is root, and the executable has been given the setuid attribute, then a user can run the executable as if he/she were root.
Using Wrapper
So how can you make your CGI access/execute files that require root privilege?
Use a “wrapper” program!
$ iptables -L
iptables v1.3.6 … Permission denied …
$ cat godlike.c
/* The wrapper code */
#include <stdlib.h>

int main(void)
{
    /* runs "iptables -L" through /bin/sh, with the caller's environment */
    return system("iptables -L");
}
$ gcc -o godlike godlike.c
$ sudo chown root.root godlike
$ sudo chmod 4711 godlike
$ ./godlike
Chain INPUT (policy ACCEPT)
…
Two points to get right before deploying such a wrapper: system() runs the command through /bin/sh with the caller’s PATH and environment, so use an absolute path (/sbin/iptables) and a fixed argument list, and never build the command string from CGI input; and if /bin/sh is bash, it drops the elevated effective uid unless the wrapper first calls setuid(geteuid()).
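Every wrapper installed with chown root and chmod 4711 is a root-owned setuid executable, and the sensible companion to creating one is knowing how to find all of them again. The following Python is an added example, not part of the tutorial: an audit that walks a directory tree and reports every executable carrying the setuid or setgid bit, with its owner and whether it would actually run as root. The demo tree it builds in a temporary directory is constructed, containing a file with mode 4711 (like godlike) next to a plain 0755 one.

```python
"""Find setuid/setgid executables below a directory and say whether they run as root.
Added example, not from the tutorial; the demo tree is constructed in a temp directory."""
import os
import stat
import tempfile


def find_privileged(root):
    """Walk `root` and return one record per regular executable carrying setuid or setgid:
    (path, owner uid, symbolic mode such as '-rws--x--x', would run as root?)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue                              # only executables can raise privilege
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                runs_as_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
                hits.append((path, st.st_uid, stat.filemode(st.st_mode), runs_as_root))
    return sorted(hits)


def build_demo():
    """Constructed demo tree: a wrapper installed with `chmod 4711` as in the tutorial, next to a plain 0755 file."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    wrapper, plain = os.path.join(root, "godlike"), os.path.join(root, "plain")
    for p in (wrapper, plain):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho demo\n")   # contents do not matter for the audit
    os.chmod(wrapper, 0o4711)                    # setuid + rwx--x--x
    os.chmod(plain, 0o755)
    return root, wrapper


if __name__ == "__main__":
    root, _ = build_demo()
    for path, uid, mode, as_root in find_privileged(root):
        print(f"{mode} uid={uid} runs_as_root={as_root} {path}")
```

Run against a real system the same idea is the classic `find / -perm -4000 -user root` sweep; the point of keeping the audit around is that a root-owned setuid wrapper reachable from a CGI directory is exactly the kind of file you want listed and reviewed rather than forgotten.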
End of tutorial
Q & A