RH253 Unit 3 Network Resource Access Control

Objectives
Upon completion of this unit, you should be able to:
1) Describe IP and routing
2) Compare IPv4 and IPv6
3) Describe IPv6 Features
4) Understand Netfilter Architecture
5) Learn to use the iptables command
6) Understand Network Address Translation (NAT)
 
Routing
1) Routers transfer packets between different networks
2) Each machine needs a default gateway to reach machines outside the local network
3) Additional routes can be set using the route command
 
IPv6 Features
1) Larger Address
- 128-bit Addressing
- Extended Address Hierarchy
2) Flexible Header Format
- Base header: 40 octets
- Next Header field supports Optional Headers for current and future extensions
3) More support for Autoconfiguration
- Link-Local Addressing
- Router Advertisement Daemon
- Dynamic Host Configuration Protocol version 6
Implement IPv6
1) Kernel ipv6 module enables stateless autoconfiguration
2) Additional configuration implemented by the /etc/rc.d/init.d/network initialization script
- NETWORKING_IPV6=yes in /etc/sysconfig/network
- IPV6INIT=yes in /etc/sysconfig/network-scripts/ifcfg-ethX
IPv6: Dynamic Interface Configuration
Two ways to dynamically configure IPv6 addresses:
1) Router Advertisement Daemon
- Runs on the (Linux) default gateway: radvd
- Only specifies prefix and default gateway
- Enabled with IPV6_AUTOCONF=yes
- Interface ID automatically generated based on the MAC address of the system
2) DHCP version 6
- dhcp6s supports more configuration options
- Enabled with DHCPV6C=yes
IPv6: Static Interface Configuration
1) /etc/sysconfig/network-scripts/ifcfg-ethX
- IPV6ADDR=<ipv6_address>[/prefix_length]
- Device aliases unnecessary…
- IPV6ADDR_SECONDARIES=<ipv6_address>[/prefix_length] […]
 
IPv6: Routing Configuration
1) Default Gateway
- Dynamically from radvd or dhcp6s
- Manually specified in /etc/sysconfig/network
IPV6_DEFAULTGW=<IPV6_address[%interface]>
IPV6_DEFAULTDEV=<interface> (only valid on point-to-point interfaces)
2) Static Routes
- Defined per interface in /etc/sysconfig/network-scripts/route6-ethX
- Uses ip -6 route add syntax
- <ipv6_network/prefix> via <ipv6_router_address>
 
tcp_wrappers and IPv6
1) tcp_wrapper is IPv6 aware
When IPv6 is fully implemented throughout the domain, ensure tcp_wrappers rules include IPv6 addresses
2) Example: to preserve localhost connectivity, add to /etc/hosts.allow: ALL: [::1]
 
New and Modified Utilities
1) ping6
2) traceroute6
3) tracepath6
4) ip -6
5) host -t AAAA hostname6.domain6
 
Netfilter Overview
1) Filtering in the kernel: no daemon
2) Asserts policies at layers 2, 3 and 4 of the OSI Reference Model
3) Only inspects packet headers
4) Consists of netfilter modules in kernel, and the iptables user-space software
 
Netfilter Tables and Chains
 
Netfilter Packet Flow
Rule Matching
1) Rules in ordered list
2) Packets tested against each rule in turn
3) On first match, the target is evaluated: usually exits the chain
4) Rule may specify multiple criteria for match
5) Every criterion in a specification must be met for the rule to match (logical AND)
6) Chain policy applies if no match
 
Rule Targets
1) Built-in targets: DROP, ACCEPT
2) Extension targets: LOG, REJECT, custom chain
- REJECT sends an error notice back to the sender
- LOG writes the match to the system log (kernel facility)
- A LOG match does not exit the chain
3) Target is optional, but no more than one per rule; defaults to the chain policy if absent
Simple Example
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
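The rule-matching semantics above (ordered list, first match wins, all criteria ANDed, LOG does not terminate, chain policy when nothing matches) are easy to misread. The following is an added example, not part of the course notes: a small POSIX sh evaluator that walks a toy chain the way netfilter walks a real one. The rule syntax ("src dport TARGET", with "any" and a leading "!" for negation) and the sample packets are constructed for the demo and are not iptables syntax.

```shell
#!/bin/sh
# Added example (not from the RH253 notes): a toy first-match chain walker.
# Rule line format (constructed for this demo): "<src|any> <dport|any> <TARGET>".
# "any" matches every value; a leading "!" negates, like iptables "! -s 1.2.3.4".

# Does one criterion accept one packet field?
match_one() {
    crit=$1; val=$2
    case "$crit" in
        any)  return 0 ;;
        '!'*) [ "$val" != "${crit#!}" ] ;;
        *)    [ "$val" = "$crit" ] ;;
    esac
}

# Walk a chain for packet "<src> <dport>" and print the verdict.
# Every criterion of a rule must match (logical AND); the first matching
# terminating target ends the walk; LOG only records and continues; if no rule
# terminates the walk, the chain policy decides.
walk_chain() {
    policy=$1; rules=$2; src=$3; dport=$4
    verdict=""
    while read -r r_src r_port r_target; do
        [ -z "$r_target" ] && continue
        match_one "$r_src" "$src" && match_one "$r_port" "$dport" || continue
        if [ "$r_target" = "LOG" ]; then
            # LOG is non-terminating: note the hit and keep walking.
            echo "log: $src:$dport matched '$r_src $r_port LOG'" >&2
            continue
        fi
        verdict=$r_target
        break
    done <<EOF
$rules
EOF
    [ -n "$verdict" ] || verdict=$policy
    echo "$verdict"
}

# Constructed sample chain, in append order, with a DROP policy
# (the equivalent of "iptables -P INPUT DROP").
INPUT_POLICY=DROP
INPUT_RULES='192.168.0.1 any DROP
!192.168.0.1 22 ACCEPT
any 25 LOG
any 25 ACCEPT'

walk_chain "$INPUT_POLICY" "$INPUT_RULES" 192.168.0.1 22   # DROP   (rule 1 matches first)
walk_chain "$INPUT_POLICY" "$INPUT_RULES" 10.0.0.5 22      # ACCEPT (negated source matches)
walk_chain "$INPUT_POLICY" "$INPUT_RULES" 10.0.0.5 25      # ACCEPT (LOG records, rule 4 decides)
walk_chain "$INPUT_POLICY" "$INPUT_RULES" 10.0.0.5 80      # DROP   (no match: chain policy)
```

Note that the first packet is dropped even though a later rule would accept port 22: order, not specificity, decides, which is why -I (insert) and -A (append) give different results for the same rule.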
 
Basic Chain Operations
1) List rules in a chain or table (-L or -vL)
2) Append a rule to the chain (-A)
3) Insert a rule to the chain (-I)
-I CHAIN (inserts as the first rule)
-I CHAIN 3 (insert as rule 3)
4) Delete an individual rule (-D)
-D CHAIN 3 (delete rule 3 of the chain)
-D CHAIN RULE (delete rules explicitly)
Additional Chain Operations
1) Assign chain policy (-P CHAIN TARGET)
- ACCEPT (default, a built-in target)
- DROP (a built-in target)
- REJECT (not permitted, an extension target)
2) Flush all rules of a chain (-F)
- Does not flush the policy
3) Zero byte and packet counters (-Z [CHAIN])
- Useful for monitoring chain statistics
4) Manage custom chains (-N, -X)
- -N Your_Chain_Name (adds chain)
- -X Your_Chain_Name (deletes chain)
 
Rules: General Considerations
1) Mostly closed is appropriate
- iptables -P INPUT DROP or
- iptables -A INPUT -j DROP
- iptables -A INPUT -j REJECT
2) Criteria also apply to loopback interface
- The example rules above will have the side effect of blocking localhost
3) Rules, like routes, are loaded in memory and must be saved to a file for persistence across reboots
 
Match Arguments
1) Matches may be made by:
- IP address or hostname (warning: host names are resolved at the time of rule insertion)
- Port number, or service name
- Arguments may be negated with `!`
2) Inclusive port range may be specified `0:1023`
3) Masks may use VLSM or CIDR notation
 
Connection Tracking
1) Provides inspection of packets “state”
- a packet can be tested in a specific context
2) Simplifies rule design
- Without connection tracking, rules are usually in pairs (inbound  & outbound)
3) Implemented in “state” match extension
4) Recognized states: NEW, ESTABLISHED, RELATED, INVALID
5) Requires more memory
 
Connection Tracking, continued
1) Connection tracking modules
- ip_conntrack_ftp
- ip_conntrack_tftp
- ip_nat_ftp
- ip_nat_tftp (and others)
2) /etc/sysconfig/iptables-config
 
Connection Tracking Example
1) One rule to permit established connections:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2) Many rules; one for each permitted service:
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
3) Lastly, one rule to block all others inbound:
iptables -A INPUT -m state --state NEW -j DROP
 
Network Address Translation (NAT)
1) Translates one IP address into another (inbound and/or outbound)
2) Allows “hiding” internal IP addresses behind a single public IP
3) Rules set within the nat table
4) Network Address Translation types:
- Destination NAT (DNAT): Set in the PREROUTING chain where filtering uses translated address
- Source NAT (SNAT, MASQUERADE): Set in the POSTROUTING chain where filtering never uses translated address
DNAT Examples
1) INBOUND
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20
2) OUTBOUND (with port redirection)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
 
SNAT Examples
1) MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2) SNAT
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
Rules Persistence
1) iptables is not a daemon, but loads rules into memory and exits
2) Rules are not persistent across reboot
- service iptables save will store rules to /etc/sysconfig/iptables (ensure this file has the proper SELinux context!)
- System V management may be used, and is run before networking is configured
 
Sample /etc/sysconfig/iptables
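The sample file itself is not reproduced in these notes. As an added example (not the course's own material), the script below assembles the unit's "mostly closed" ruleset into the iptables-save format that service iptables save writes to /etc/sysconfig/iptables: the connection-tracking rules from the Connection Tracking Example, the explicit loopback ACCEPT that the Rules: General Considerations section warns is needed under a DROP policy, and a nat table with the MASQUERADE rule from the SNAT Examples. Ports 22 and 25 and eth0 as the external interface are assumed sample values. It only writes a staging file and never calls iptables, so it runs as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the RH253 notes): build a /etc/sysconfig/iptables
# style file for the unit's mostly-closed ruleset. Assumed values: TCP 22 and
# 25 as the permitted services, eth0 as the outside interface.

# TCP ports we allow NEW inbound connections to.
ALLOWED_TCP_PORTS="22 25"

# Emit the filter table. Chain policies (":CHAIN POLICY [packets:bytes]")
# come first, then rules in the order they will be matched, then COMMIT.
build_filter_table() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # A DROP policy on INPUT also covers the loopback interface, so allow it
    # explicitly or local services (and localhost DNS) break.
    echo '-A INPUT -i lo -j ACCEPT'
    # One rule for everything that belongs to an already known connection.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One rule per permitted service, matched only for NEW connections.
    for port in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    # All other new inbound connections are dropped (the policy would do
    # this anyway; the explicit rule mirrors the unit's example).
    echo '-A INPUT -m state --state NEW -j DROP'
    echo 'COMMIT'
}

# Emit the nat table: masquerade traffic leaving eth0 (assumed external).
build_nat_table() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A POSTROUTING -o eth0 -j MASQUERADE'
    echo 'COMMIT'
}

# Write both tables to a staging path (default ./iptables.sample, never /etc)
# and print that path. The real file is read by the iptables init script,
# which uses iptables-restore; this is the same format.
write_ruleset() {
    out=${1:-./iptables.sample}
    { build_filter_table; build_nat_table; } > "$out"
    echo "$out"
}

# Count the rules (lines starting with "-A ") in a written file, a quick
# sanity check before copying it into place.
count_rules() {
    grep -c '^-A ' "$1"
}

f=$(write_ruleset "${TMPDIR:-/tmp}/iptables.sample")
echo "wrote $f with $(count_rules "$f") rules"
```

After reviewing the staged file, it would be copied to /etc/sysconfig/iptables and its SELinux context restored (for example with restorecon), since the init script will not load a file with the wrong context.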
IPv6 and ip6tables
1) Packet filtering for IPv6 traffic
2) Provided by the iptables-ipv6 package
3) Rules stored in /etc/sysconfig/ip6tables
4) Does not yet support:
- REJECT target
- nat table
- connection tracking with the state module
 
End of Unit 3
1) Questions and Answers
2) Summary
- Address questions
- Preparation for lab
- Goals
- Scenario
- Deliverables
- Please ask the instructor for assistance when needed
