ip forwarding, sniffing, nat

|

리눅스를 NAT를 쓰거나 하는 게 아니라 단지 리눅스 PC 한 대에 두 개의 랜카드를 설치 후 양 랜카드 간에 Source IP의 변경없이 순수하게 패킷 포워딩을 하고자 할 때


  •  cat  /proc/sys/net/ipv4/ip_forwarding 실행하여 값이 1인지 확인 후,
  • 만약 값이 0 이라면 'echo 1 > /proc/sys/net/ipv4/ip_forwarding'를 이용하여 값을 1로 변경
  • 방화벽이 있을 경우를 대비하여 'iptables -F' 를 이용하여 방화벽 정책 초기화
  • 'iptables -P FORWARD ACCEPT' 를 이용, FORWARD policy를 ACCEPT로 변경

이렇게 하면 NIST NET 과 같은 Network Emulation program을 이용가능하게 된다.

--------------------------------------------------
iptables를 이용한 인터넷 공유
 
리눅스를 서버로 하는 홈네트워크를 구성할 경우 iptables를 이용하여 패킷 포워딩을 설정한다. MS 윈도우즈 계열의 장치들에서는 네트워크 인터페이스 설정 메뉴에서 인터넷공유를 체크하면 같은 역활을 한다. iptables는 네트워크 패킷들의 포워딩, 블록킹등의 규칙을 설정하는 리눅스 기반의 방화벽 프로그램이다.

예제를 위해 사용된 홈네트워크의 구성은 다음과 같으며 VM은 VMWare를 통한 가상 호스트이다. usb는 usb 인터페이스로 연결된 장치이고 우분투쪽의 인터페이스는 usb0으로 표시되며 yopy쪽에서는 usbf로 표시된다.



이 네트워크에서는 페도라와 우분투가 각각 새로운 서브 네트워크(NAT)를 구성하므로 페도라와 우분투가 각각 가상 머신들과 요피(PDA)를 위해 패킷 포워딩, 즉 인터넷 공유를 담당해야 한다.

우분투 호스트를 기준으로 설명하지만 페도라 역시 같은 방법으로 설정한다.

  1. IP 포워딩을 할성화 한다.
    • sudo sysctl net.ipv4.ip_forward를 실행해 보면 기본 설정은 0으로 되어 있을 것이다. 이를 수정하기 위해서는 /proc/sys/net/ipv4/ip_forward의 값을 0에서 1로 수정해 주어야 하는데 권한등의 이유로 이 값이 수정되지 않는다면 sudo vi /etc/sysctl.conf를 실행하여 net.ipv4.ip_forward=1 부분의 주석을 해제해 준다.
    • 이 설정은 재부팅 후에 적용이 되므로 재부팅을 하고 sudo sysctl net.ipv4.ip_forward를 다시 실행하여 값이 1로 바뀌어 있는지를 확인해 본다.

  2. iptables의 기존 정책을 초기화한다.
    • iptables -F
    • iptables -t nat -F
    • iptables를 잘 쓰고 기존에 설정된 포워딩, 블로킹 정책이 설정되어 있다면 초기화를 해서는 안될 것이다.

  3. 모든 패킷을 포워딩 하도록 정책 설정
    • sudo iptables -P FORWARD ACCEPT
    • sudo iptables --table nat -A POSTROUTING -o wlan0 -j MASQUERADE
    • 이렇게 함으로써 위의 네트워크맵의 Yopy는 인터넷을 사용할 수 있게 되었다.
    • 페도라의 경우 물론 위와 같은 콘솔 명령으로 실행하는 것도 가능하며 방화벽(system-config-firewall.py)를 통해 GUI를 이용한 설정도 가능하다. 설정하기 전에 서비스에서 iptables 데몬이 작동하고 있는지 확인한다.

  4. 보안 정책 설정 (추가 예정)
---------------------------------------------------

2. Summary: (I like doing summaries first)

Assuming external internet card is eth0, and external IP is 123.12.23.43 and the internal network card is eth1, then:

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Or for a dial-up connection:

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Then to secure it:

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
$> iptables -P INPUT DROP   #only if the first two are succesful
$> iptables -A FORWARD -i eth0 -o eth0 -j REJECT

Or for a dial-up connection (with eth0 as the internal network card):

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
$> iptables -P INPUT DROP   #only if the first two are succesful
$> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

And thats it! To view the rules do "iptables -t nat -L"


3. Bitmore indepth version

Compiling the kernel: (Use a 2.4.x kernel or greater)

You need the following support in the kernel:

  • Under Networking Options

    • Network packet filtering (CONFIG_NETFILTER)

  • Under Networking Options->Netfilter Configuration

    • Connection tracking (CONFIG_IP_NF_CONNTRACK)

    • FTP Protocol support (CONFIG_IP_NF_FTP)

    • IP tables support (CONFIG_IP_NF_IPTABLES)

    • Connection state match support (CONFIG_IP_NF_MATCH_STATE)

    • Packet filtering (CONFIG_IP_NF_FILTER)

      • REJECT target support (CONFIG_IP_NF_TARGET_REJECT)

    • Full NAT (CONFIG_IP_NF_NAT)

      • MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE)

      • REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT)

    • Packet mangling (CONFIG_IP_NF_MANGLE)

    • LOG target support (CONFIG_IP_NF_TARGET_LOG)

First, if the iptable and masq modules are not compiled into the kernel and not installed, but do exist as modules, we need to install them. If you insmod ipt_MASQUERADE it will load ip_tables, ip_conntrack and iptable_nat.

$> modprobe ipt_MASQERADE

Now either your Intranet is large, or you're just trying to get two or three machines to work on the internet - it doesn't make much difference either way.

Okay, I'm assuming that you have no other rules, so do:

$> iptables -F; iptables -t nat -F; iptables -t mangle -F

If you get an error saying can't find iptables, go find it and install it. If it says no such table 'nat', recompile the kernel with nat support. If it says no such table as 'mangle', don't worry about it, it's not necessary for MASQ'ing. If it says iptables is incompatible with your kernel, go get > 2.4 and compile that with iptables support.

Then if you have a static ip do (e.g. network card not using DHCP):

$> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 123.12.23.43

or for dynamic (e.g. a modem - you have to call a number first):

$> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Then finally to tell the kernel yes, you really do want to start forwarding packets: (This only needs to be done once per reboot - but dosen't hurt to do it lots)

$> echo 1 > /proc/sys/net/ipv4/ip_forward

Once you have checked this all works (See under Post-install) only allow masquerading from the internal network - you don't want to allow people on the internet to use it after all :)

First, allow any existing connections, or anything related (e.g. ftp server connecting back to you)

$> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If this gives an error, then you most likely don't have state tracking in the kernel - go recompile. Then allow new connections only from our intranet (local/internal network). Replace the ppp0 with eth0 or whatever your external device is. (The ! means anything but)

$> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT

And now deny everything else:

$> iptables -P INPUT DROP   #only if the first two are succesful

If either of the first two rules failed, then this last rule with prevent the masquerading from working at all. To undo this rule do "iptables -P INPUT ACCEPT".


4. Post-install Instructions

And it should all work now. Don't forget to:

  • Setup all the clients on the internal network to point to the Linux internal IP address as their gateway. (In windows right-click network neighbourhood->properties->gateway then change it to the Linux gateway internal ip.)

  • Setup all the clients to use your ISP's HTTP proxy if they have one, use a transparent proxy (WARNING - I've heard reports of transparent proxying to be very slow on very big networks), or run squid on your new linux gateway. (This is optional, but preferrable for large networks)

  • Be sure to specify a DNS when setting up your clients. Otherwise you will get errors on the clients saying 'cannot resolve address' etc. If DNS used to work (URL address worked) but doesn't after you setup Masquerading, this is because your ISP's/network's DHCP server can no longer tell you what the DNS address is.

    [Offtopic] I wonder if you could simply send out a dhcp broadcast that just forwards on the dns server (and http_proxy while you're at it) without having to setup a dhcp server (or even if you do). Can someone mail me about this? :)

    Thanks to Richard Atcheson for pointing this out.

  • Now you should start securing it! First turn off forwarding in general: "iptables -P FORWARD DROP", and then learn how to use iptables and /etc/hosts.allow and /etc/hosts.deny to secure your system. WARNING - Don't try this mentioned iptables rule until you have the masquerading working. You have to explicitely allow every packet through that you want if you are going to set the last rule to be DENY. (Undo with "iptables -P FORWARD ACCEPT")

  • Allow through any services you do want the internet to see.

    For an example, to allow access to your web server do:

    $> iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
    $> iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT

    To allow ident (For connecting to irc etc) do

    $> iptables -A INPUT --protocol tcp --dport 113 -j ACCEPT

To test it:

  • Try connecting from a client to the web using an IP. Google's IP is 216.239.33.100 (well that's one of them) and you should be able to get a reply from that. e.g. "ping 216.239.33.100" "lynx 216.239.33.100".

  • Try a full out connection by name. e.g. "ping google.com" "lynx google.com" or from Internet Explorer / netscape.

Where eth0 is the external Internet card, and 123.12.23.43 is the external ip of that machine.


5. FAQ's - Frequently Asked Compla^H^H^H^H^H^H Questions

  • How do I list the rules I've got so far?

    - Try

    $> iptables -L
    $> iptables -t nat -L

  • It won't resolve IP's! I'm typing 'www.microsoft.com' in and it says it can't find it!

    - Make sure you add the dns server ip to all the clients.

  • It don't work! It doesn't like iptables / NAT / SNAT / MASQ

    - Go get the latest kernel, and compile with iptables and full NAT support.

  • It don't work! The masquerading doesn't work at all! Die scum!

    - Try echo 1 > /proc/sys/net/ipv4/ip_forward

  • It don't work! I can't use the network at all and I hate you!

    - Try

    $> iptables -F
    $> iptables -t nat -F
    $> iptables -t mangle -F

    (all rules went bye-bye) then rerun the other iptables rules.

    - Try iptables -P FORWARD ACCEPT

  • It still don't work!

    - Hmm, does "dmesg | tail" give any errors? or "cat /var/log/messages | tail" ? Like I care tho...

  • I don't get, it just ain't working!

    - I dunno.. but you should be able to:

    	1) From the gateway machine, ping the outside
    	2) From the gateway ping your internal machines
    	3) From the internal machines ping the gateway

    And this is before you play with masq'ing

  • Where do I put this stuff?

    - In the /etc/network/interfaces file, or firewall.rc. If you put it in the interfaces file, then put it as a pre-up to the external interface, and have "iptables -t nat -F" as the post-down.

  • How do I get it to only bring the ppp up on demand?

    - Assuming your ISP gateway IP is say 23.43.12.43 for arguments sake, then append a line like this:

    :23.43.12.43

    to /etc/ppp/peers/provider at the end. (this is for dynamic IP - static IP would be my.external.ip.number:23.43.12.43 )

    Then at the end of that file add on a newline:

    demand

    Pppd will remain in the background to redial the connection on demand if it's dropped until you do an "ifdown ppp0" or a "poff", unless you add a "nopersist" option, in which case pppd will exit after the connection is up. You can also add on a new line "idle 600" to disconnect after 10 mins of idleness.

  • The connection keeps dropping!

    - First, do you have demand dialing? Is it just doing what it is supposed to? Check /etc/ppp/peers/provider, and make sure your dial up works fine before attempting masq'ing.

    - Secondly, if not, then perhaps, like me, something is going weird, and you need to fall back to Linux 2.4.3 and see if that works instead.. dunno why.

  • I hate doing this myself! I want a pre-made script and GUI and stuff.

    - Sure: http://shorewall.sourceforge.net/

    Eat your heart out!

  • Do I count Cable modems as static or dynamic IP's?

    - Good question.. might as well make it dynamic.

  • Do I count DHCP network cards as static or dynamic IP's?

    - They are dynamic.

  • How do I handle incomming services?

    - Try forwarding or redirecting the IP ports - again make sure you firewall this if needed.

  • From the clients, I can ping the linux gateway's external IP address, but can't access the internet.

    - Okay, try doing "rmmod iptable_filter" - more info on this as I get it.

    - Make sure your not running routed or gated - to check run "ps aux | grep -e routed -e gated".

    - Look at http://ipmasq.cjb.net

  • How can I view the connections establish? Something like netstat..

    - Try cat /proc/net/ip_conntrack

  • I need more squid info and routing and stuff!

    - Try the Advanced Routing HOWTO http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html

  • This howto is crap! How do I yell at the guys who wrote this?

    - Go to #debian on irc.opensource.net and find and locate JohnFlux. - Mail me (JohnFlux) at tapselj0@cs.man.ac.uk

  • This howto is crap! How can I see better versions?

    - Try http://ipmasq.cjb.net

    - Consult the LDP Masq-HOWTO.

  • What else are you working on?

    Currently I'm writing a guide on linux on anti-missile-missiles-made-simple. There's no good guides on protecting your system from nuclear attacks for newbies. People seem to think its rocket science or something..


-------------------------------------------------

--------------------------------------------------

'개발/활용정보 > Linux' 카테고리의 다른 글

bootchart  (0) 2011.12.29
Shell Script  (0) 2011.12.29
리눅스 명령어 목록  (0) 2011.10.10
linux 브릿지 설정 brctl  (0) 2011.10.10
tcpdump  (0) 2011.10.07
And