Linux Firewall: IpTables suite
Contents:
§ The defense against the INTERNET chaos
§ Source NAT and masquerade: browsing without INTERNET addresses
§ Destination NAT: the server that is there but is not
§ Transparent proxy: diverting TCP/IP packets
§ Transparent bridging: turning your Linux box into a hub
§ Advanced routing: routing to the n-th power
§ A real example: the firewall of the I.Z.S. of Teramo

Introduction

In recent times, interest in network security has crossed the borders of the specialist community to reach anyone who, willingly or not, has to deal with the INTERNET. This sudden attention to such an important subject is due essentially to the arrival, on the Italian market, of broadband INTERNET connectivity at very affordable prices, thanks to a new technology called xDSL, which carries connectivity at speeds of up to 2 Mbit/s while using an ordinary telephone cable as the transmission medium. Moreover, the contracts offered by the national connectivity providers allow the user to browse in leased-line mode, that is with the connection up twenty-four hours a day, without paying any extra telephone charges. This new offer has quickly flourished among the other connectivity solutions and allows even those with a limited budget, for example, to host their own company web server in-house. It has also brought to light the lack of protection of company networks, which now find themselves exposed to access by unauthorized users coming from the INTERNET. The contracts associated with the xDSL offer, however, often carry a limit on the number of IP addresses the provider assigns to the customer, so many find themselves unable to connect to the network all the machines they own.
Then there is the category of those who already had leased-line connectivity before the advent of xDSL and who now find themselves able to choose a cheaper and often faster alternative. The switch to xDSL, however, is usually hard to carry out because of problems inherent in the conversion, for example: renumbering of the internal machines, outages during the transition, an insufficient number of IP addresses assigned by the xDSL provider, and so on. Moreover, for those who make intensive use of the INTERNET it is often difficult to stay under the monthly traffic cap that many xDSL contracts proposed by providers impose[1]. A feasible solution for this category of users is to place the xDSL connection alongside the existing connectivity and try to channel the traffic over both lines, balancing the load so as not to exceed the monthly traffic cap. Let us examine the requirements and the problems that arise with such a solution. Consider a typical company that already has an exit point towards the INTERNET over a CDN or frame relay line, usually slower than 512 Kbit/s, terminated on a device called a router that routes traffic from the internal network to the INTERNET and vice versa. This company buys, possibly from a different connectivity provider, an xDSL line and wishes to distribute the traffic over both lines.
In particular, the network administrator wants:
§ web browsing to travel over the faster xDSL line;
§ some internal computers, used by privileged users, to always go out over the xDSL line;
§ some sites to always be reached over the xDSL line, whatever the internal computer and the service used (web, ftp, icq, etc.);
§ the rest of the traffic to go over the old line, so as not to exceed the monthly traffic cap set by the provider on the xDSL line.
For simplicity, in what follows A denotes the old provider (AR is its router and the A addresses are the block it assigned) and B denotes the xDSL provider (BR is its router).
As a first attempt, we try to add BR directly to the network to which AR and the whole company network are connected. What happens in this case? Absolutely nothing. The company computers all have A addresses and have AR as their default gateway[2], so switching on BR and putting it on the network has no effect. Changing the default gateway from AR to BR only results in no longer being able to reach the INTERNET from inside: the machines' addresses belong to A and, obviously, provider B does not let foreign addresses out through BR. Changing the IP addresses too brings back the renumbering problem we wanted to avoid and, in any case, all traffic would then go out through B instead of A, defeating the load balancing. Rather than going round the company modifying the configuration of every computer, we then try to work on router AR, where all packets directed to the outside arrive, and see whether something can be done there to redirect part of the traffic to router BR. Routers route traffic based solely on the destination address of the packet. The only thing we could do is decide that, for certain remote addresses, traffic is sent to router BR. Leaving aside the fact that a rule must be added for every block of IP addresses we want routed via B, the problem remains that those packets, once they arrive at B, carry an A address as source and therefore are still not forwarded. Summing up, in order to satisfy the administrator's requests, it must be the case that:
The only solution is to insert, between the internal network and the two routers, an active device that satisfies these constraints. The device in question is a firewall. Although almost all firewalls satisfy condition 2 and the most expensive ones also satisfy condition 3, I know of no firewall that also satisfies condition 1 except the "iptables" firewall built into Linux. It is precisely on this firewall that the rest of our discussion will be based.

What is a firewall

A firewall is an active component that separates and connects two or more network segments. Usually the network is divided into two subnets: one, called external, comprises the whole INTERNET, while the other, called internal, comprises a more or less large set of local computers. Thanks to its strategic position, the firewall is the best place to impose traffic logic on the packets in transit and/or to monitor those packets. The main function of the firewall is to protect the computer systems in the internal segment from the "chaos" present on the external side. The firewall acts on packets in transit to and from the internal zone and can perform on them operations of:
This is thanks to its ability to "open" the IP packet and read the information in its header.
Firewalls of this type are called "packet-type" (packet filters). Another kind exists, the "application-type" firewalls, which differ from the former in that they act on the information contained in the data the packet carries rather than on the header. "Packet-type" firewalls cannot, for example, identify a virus, because they do not act on the content of the data carried by the IP packet. We will not consider "application-type" firewalls, however, since they are:
Physically, the firewall is a hardware component with two or more network cards on which an operating environment runs that analyzes and manages packet traffic according to a configuration given by the network administrator. The operating environment can be, so to speak, closed, with its functionality decided by the manufacturer and only the internal configuration (the packet selection rules) modifiable, or open, allowing not only the configuration but also the operating capabilities themselves to be modified and extended. This philosophy, adopted by the Linux operating system, lets its firewall operate on a par with any commercial device costing tens of thousands of euro, while including functionality not found in any other product and the possibility, for example, of running custom scripts when given packets pass through, scripts that can send mail, sound acoustic sirens and so on.

The defense against the INTERNET chaos

Like the most renowned commercial firewalls, the Linux firewall obviously has the ability to filter packets in transit and thus limit access from the outside to the public internal services alone, eliminating the possibility of access to the private resources on the company network. This ability is put into practice by applying rules to the whole block of information present in the packet header. The firewall can decide whether to accept or reject the packet based, for example, on the source or destination address and/or port, on the type of packet (TCP, UDP, ICMP...) and so on. These rules can be applied at various moments of the process that carries the packet from the external network to the internal one.
Iptables analyzes packets and applies rules to them in stages, called chains, named PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. To understand when and how these chains act, let us follow the path of an IP packet from the external network card to the internal one without the iptables firewall software present. After entering from the external network card, the packet is opened and its header is analyzed to find the destination address. This address is compared with the routing table of the machine, and the packet is then routed either to a local port or to the appropriate network card if the destination address differs from the one associated with the firewall. Before continuing, since we have brought the routing table into play, let us see what role it plays in the transport of the packet. The routing table is used to decide where to route an IP packet based on the destination address in its header. It contains associations between blocks of INTERNET addresses and the resources through which those addresses can be reached. The resources can be local network interfaces or the IP addresses of computers called "gateways". Below is an example of the trivial routing table of a machine with a single ethernet interface. Linux names ethernet network interfaces with the prefix eth, numbering them according to their position in the ISA/PCI slots.
Note:
§ the address 127.0.0.1, the so-called loopback address, mapped onto the (virtual) interface lo;
§ the local network addresses from 192.168.0.0 to 192.168.0.255, mapped onto the network card eth0;
§ the default route, address 0.0.0.0/0.0.0.0, the last resort when none of the other routes applies to the packet, which usually corresponds to the address of the router/gateway towards the INTERNET.

Let us return to the path followed by our IP packet and see what happens with the iptables firewall present. The packet enters from the external interface and, before the routing process, is subjected to the directives in the PREROUTING chain. This chain usually holds rules that mark the packet so as to distinguish it from other packets and act on it appropriately in the later phases of the transport process. We will see an example of this when we try to route a packet based on its source address instead of the usual destination address. The rules for destination NAT (DNAT), which we will see in the next chapters, are also applied in this phase. The packet then undergoes the usual routing process based on the table in the local machine. If, according to the routing table, the packet is destined for the internal network interface, the rules in the FORWARD chain are applied. These are usually the most important filters, since they define what may pass from the outside to the inside and what may not. If, according to the routing table, the packet is destined for the local machine, the rules in the INPUT chain are applied. These filters protect the firewall itself from unwanted access. If the packet's source is the local machine, that is it was generated by a process on the local machine, the OUTPUT rules are applied.
Both in the forward case and in the output case, before leaving through the internal network card, the packet is subjected to the POSTROUTING directives. This phase usually holds the rules for source NAT (SNAT), which we will see in the next chapters. In each of these steps every directive essentially asks: "if the packet header satisfies certain conditions, what must I do with the packet?" The answer can be to accept the packet, which then continues its path through the remaining directives and steps, or to reject it, in which case it is discarded for good. In every step, if the packet matches none of the conditions set, a default rule can be defined, and the packet will be accepted or rejected accordingly. Usually packets coming from the inside and destined for the outside are considered safe and acceptable, and in particular packets whose source is the firewall will be allowed, so the obvious default setting for the OUTPUT chain is ACCEPT. What we want to avoid, barring exceptions, is that the inside can be reached from the outside with impunity. This is why it is customary to set the default policy of the INPUT and FORWARD chains to DROP. It would be a mistake to leave these at ACCEPT and try to close every internal service one by one. The firewall serves precisely to close everything, including what we did not even know was open. By denying everything and only allowing what we consider correct, we are sure that if a given internal resource can be reached from the outside it is because we asked for it.
The first trivial configuration script for our firewall is therefore (the -P flag sets the default policy for the chain):

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

Strategies of defense

Let us learn to defend ourselves with a simple example: a small network connected to the INTERNET, made up of a small group of client computers running Windows® 2000 Professional and a company server with address 62.0.0.2 running Windows® 2000 Server with the Microsoft Internet Information Server web server. Given the small number of machines on the network, it has been possible to give every machine an IP address assigned by the provider. Our aim, as network administrators, is to protect the network from unauthorized access from the outside while allowing access to the web server alone. To this end we separate our network from the INTERNET by inserting a Linux firewall just downstream of the router, and we try to build a configuration that achieves this aim. The most obvious thing to do is to block access to our server except on its web port. We might be tempted to activate a configuration such as

    iptables -A FORWARD -p tcp -d 62.0.0.2 ! --dport 80 -j DROP [4]

and our server would indeed be safe, since all packets directed to it other than those to the web port would be rejected by this rule. What the network administrator has forgotten is that the other computers also have services open, and that in doing so we have left any passing hacker a chance to use those ports for an attack on our network.
This is due to not having specified the default policy for the INPUT, OUTPUT and FORWARD chains, which, if not set explicitly, is ACCEPT. Packets destined for all the other PCs on our network are therefore implicitly accepted, and so all the services active on the various internal PCs are reachable from the outside and potentially attackable. One should not believe that the Windows® 2000 Professional computers are safe just because they are not servers. Apart from the NETBIOS protocol ports, which the operating system opens for Microsoft networking, there may be other ports open without the knowledge of the network administrator and, at times, even of the user. For example, the person who develops ASP pages for the company server might have installed an IIS server on their own computer to speed up development. Since IIS, unless told otherwise, installs an ftp server and an smtp server too, the network now contains, unknown to the administrator, another web server, an ftp server and a mail server open to relay, which can be used, for example, for spamming. Closing off the company server alone, then, does not spare the network from external attacks. The correct philosophy is, as said before, to set the INPUT and FORWARD chains to DROP and to set the single access rule for the web server as

    iptables -A FORWARD -p tcp -d 62.0.0.2 --dport 80 -j ACCEPT

In this way all our machines are protected. The problem is that now the users of our network are too protected, since they can no longer browse, and even the web server is unable to answer the, now legitimate, requests from the outside.
Packets coming from the internal network and destined for the outside are in fact rejected by the default policy of the FORWARD chain. To fix this, considering safe all connections that originate from our network, we must intervene in the firewall configuration and accept those packets. A correct rule could be

    iptables -A FORWARD -s 62.0.0.0/24 -i eth1 -j ACCEPT

where the packet's input interface is stated explicitly to prevent spoofing[5] from the outside. Now things start to go a little better. We are protected and the web server answers requests from the outside. Our internal users, however, still cannot browse. Their request packets for external services pass correctly towards the outside thanks to the rule just added, but the replies to those requests fail to get back in, because they fall under the DROP policy of the FORWARD chain. What we must guarantee is that packets from machines located in "enemy territory" can reach us only in reply to a request of ours, and not in general. The problem lies in the fact that the analysis of a single incoming packet does not reveal whether or not it relates to a request of ours. Because of this, almost all commercial firewalls, and all Linux firewalls except iptables, cannot resolve this dilemma and must content themselves with "guessing". The usual method of identifying reply packets relies on the way the two parties communicate. There are two ways in which a client connecting to a remote server establishes bidirectional communication. In the first, the client, talking from a local port, connects to the standard remote port of the service, and the packets in both directions travel over this channel opened by the client.
In the second, the client tells the server to send its reply to a given local port. The server connects to this new local port, and data travels one way over the first connection and the other way over the second. In both cases, however, the local ports lie between port 1024 and 65535. This range is called the non-privileged ports, because they can be opened by software listening on them even when the process is not running as the administrative user (root). Conversely, ports 1 to 1023 are called privileged ports, and only processes running as root can listen on them. What commercial firewalls usually do to let remote servers answer local clients' requests is to allow through all packets destined for internal machines on non-privileged ports. This solution resolves the problem but is not free of trouble. A "malicious" program could open one of these ports to give a hacker access (a so-called backdoor), and thanks to this firewall rule the hacker could get into the machine from the outside. It is true that the backdoor process does not run as root, but once a skilled hacker is in, they could climb the system's privilege levels and reach root, thereby becoming master of the machine. Moreover, many operating systems of the Windows® family have no concept of users, so a backdoor installed on a non-privileged port would immediately give the hacker complete control of the system. Remember also that some servers listen on non-privileged ports. A typical example is the SQUID proxy server, usually set up on port 3128 or 8080.
Such a server would be reachable from the outside even though the proxy service was meant to be a private service for internal use only. So while it is true that opening the non-privileged ports solves the problem, it is also true that it is an indiscriminate opening that could allow unwanted access from the outside. How does iptables instead solve the problem of replies to local requests cleanly? Since, as we have said, it is impossible to recover the correlation between request and reply by analyzing a single incoming packet, iptables solves it by keeping track of all internal requests and checking that returning packets are actually associated with one of them. If the packet passes this check it is sent to the client, otherwise it is rejected. This function is made possible by the ip_conntrack module. This module adds a further analysis of the packet in transit, beyond that of the TCP/IP header, which compares the packet with all the packets that previously travelled through the firewall. This analysis yields the so-called "state" of the packet relative to the other packets. The state of a packet within the analysis of the ip_conntrack module can take the following values:
§ NEW: the packet is not correlated to any previously seen packet and is therefore the start of a new connection;
§ ESTABLISHED: the packet belongs to an already existing connection, that is it is a reply to a request for data on that connection (e.g. a requested web page);
§ RELATED: the packet is correlated to, but does not belong to, an existing connection (e.g. an ftp reply);
§ INVALID: it was not possible to determine the state of the packet.
Having added this new information to the analysis of the packet, it is now possible to write a rule that lets packets from the "enemy zone" into our network only if they are correlated to requests by internal hosts. The rule to add to the firewall configuration is:

    iptables -A FORWARD -d 62.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

In this way we have cleanly solved the protection of our network. Let us reread and comment in words on what our current configuration does:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A FORWARD -s 62.0.0.0/24 -i eth1 -j ACCEPT
    iptables -A FORWARD -d 62.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -d 62.0.0.2 --dport 80 -j ACCEPT

That is, all packets in transit through our firewall are rejected, except packets leaving our internal network and packets from the outside that either are correlated to requests from the inside or are destined for our web server. We have therefore achieved our aim.

Source NAT and masquerade: browsing without INTERNET addresses

One of the aspects underestimated in the days when the INTERNET was still called ARPANET was the size of the IP address space and its allocation. In the vision of those who created the Net, the number of IP addresses, as they had been defined, was so large as to be practically inexhaustible. The analysis was so optimistic that the first institutions to ask were assigned address blocks far oversized with respect to their requirements, both of the time and of the future. Nobody could have imagined the enormous expansion of the Net and the enormous number of computers that would ask to be part of it.
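The configuration above, assembled into a script, as an added example that is not part of the original article. It keeps the article's assumptions (eth1 is the internal interface, eth0 faces the router, the LAN is 62.0.0.0/24 and the web server is 62.0.0.2; the variable names IPT, EXT_IF, INT_IF, LAN and WEB_SERVER are this example's own) and goes slightly beyond the listing: it flushes old rules first so the script can be re-run, lets the firewall talk to itself over the loopback interface, accepts replies to the firewall's own connections in INPUT, and drops packets that claim a LAN source address but arrive on the external interface. IPT defaults to a dry run that only prints the commands; run the script as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the article's code. Stateful packet filter for the
# "Strategies of defense" scenario: Internet on eth0, LAN 62.0.0.0/24 on eth1,
# public web server 62.0.0.2. IPT defaults to a dry run (prints commands).
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-62.0.0.0/24}"
WEB_SERVER="${WEB_SERVER:-62.0.0.2}"

fw_apply() {
    # Start from a clean filter table so re-running the script does not
    # append duplicate rules.
    $IPT -F
    $IPT -X

    # Default policies: deny what reaches the firewall and what transits it,
    # trust what the firewall itself sends.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Local processes talk to each other over the loopback interface.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing (goes beyond the article): a LAN source address is only
    # legitimate on the LAN interface, so drop it if it comes from outside.
    $IPT -A FORWARD -s "$LAN" -i "$EXT_IF" -j DROP

    # Outbound: anything from the LAN, but only via the LAN interface.
    $IPT -A FORWARD -s "$LAN" -i "$INT_IF" -j ACCEPT

    # Inbound: only replies to connections the LAN opened (ip_conntrack
    # state), placed before the service rule so the common case matches first.
    $IPT -A FORWARD -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: new connections only to the public web server, port 80.
    $IPT -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT

    # The firewall itself accepts nothing from outside except replies to
    # connections it opened (DNS lookups, package updates, ...).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run helper: how many rules fw_apply would append to the given chain.
fw_rule_count() {
    fw_apply | grep -c -- "-A $1 "
}

fw_apply
```

Rule order matters: with a DROP policy the ESTABLISHED,RELATED rule is evaluated before the per-service rule, so replies and the FTP data connection are matched without ever consulting the server rule, and the anti-spoofing DROP sits before the outbound ACCEPT so a forged LAN source never benefits from it.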
Today free IP addresses are a very important resource, and the procedure for allocating them is complex and requires a detailed analytical description of their intended use by the applicant. This is why providers assign end customers the minimum number of IP addresses and charge heavily for additional ones. It is therefore not rare for a customer to be assigned by the provider fewer IP addresses than there are machines on its network, and thus be forced to limit browsing to a few computers. Anyone connected to the INTERNET through a modem and a subscription with an Internet Service Provider (ISP) has an analogous problem. In this case the provider assigns, for the duration of the connection, an IP address to the computer, which becomes to all effects a machine of the INTERNET. But if this computer is also connected to a local network with other computers, the user might want to share the connection so that all of them can access the INTERNET through that single access. Obviously only the computer with the modem can browse, since it is the only one with a real IP address. The answer to these needs is the so-called masquerade, which is a subset of a more general method of IP packet modification called source NAT or SNAT. What is the SNAT operation and how can it help with the reduced number of IP addresses assigned by the provider? Technically, SNAT modifies the source IP address in the packet header, making the recipient believe the packet comes from a different IP address. This allows even those who are not physically on the INTERNET to browse the Net. Let us explain this apparent contradiction with an example.
Consider two computers, one with Windows® 2000 Professional and one with Linux, connected to the same local network. The two computers are assigned two Intranet[6] IP addresses from the block 192.168.0.0/24; in particular, the Linux machine has the IP address 192.168.0.1 assigned to its network card eth0, while the Windows® machine has the address 192.168.0.2. The TCP/IP protocol is independent of the operating system, so through it the two machines "see each other" on the local network. The Linux machine also has a modem and a subscription with an ISP configured. During the connection with the ISP the machine is assigned an INTERNET address aaa.bbb.ccc.ddd. The Linux machine therefore has, for the duration of the connection, two IP addresses: an internal one, with which it sees the Windows® machine, and an external one, on the modem connection, through which it is visible to and sees the INTERNET. We ask ourselves how the Windows® machine can also be made to browse through the connection activated by the Linux machine. The first step consists in telling the TCP/IP module of the Windows® machine that there is, on the local network, a machine that knows how to send packets to the INTERNET, that is, in configuring the default gateway of the Windows® machine with the IP address of the Linux machine. But careful: the Linux machine, now that it is connected, has two IP addresses. Which of the two should be set on the Windows® machine? Obviously the local address 192.168.0.1, since the other is already an INTERNET address and the Windows® 2000 machine does not know how to reach the Net. With this configuration a request from the Windows® machine destined for the INTERNET reaches the Linux machine, which routes the packet along its default route, which, from the moment the modem connection is active, points to that line.
It seems that everything already works, but in truth nothing works. The only machine the provider has authorized to browse is the Linux machine. When the ISP's equipment sees packets from the Windows® machine arriving with source address 192.168.0.2, it rejects them because, from its point of view, they are anomalous: the only packets that should arrive over that telephone connection must have source address aaa.bbb.ccc.ddd. What then does SNAT do if activated on the Linux machine? When the packet from the Windows® machine arrives, iptables records the header that the corresponding reply packet should have and replaces the source address 192.168.0.2 of the packet in transit with its own INTERNET address aaa.bbb.ccc.ddd, routing it along the modem line. Now the provider's equipment has no reason to reject the packet, since, from its point of view, it comes from the subject legitimately authorized to browse over that connection. The story does not end here, however, because the remote server sends its reply to the Linux machine, which sees a reply arrive for a request it never made. Here SNAT intervenes again: checking the packet header against the one saved earlier, it notices that this remote traffic is to be diverted to the Windows® machine. It therefore replaces the destination address currently in the header of the reply packet with the IP address of the Windows® machine and sends it on. The Windows® machine sees the reply packet it expected arrive and is happy. The Windows® machine therefore browses "by proxy", since it is the Linux machine that does the browsing, masking each time the source address of the local machine.
It is easy to see that this operation also solves the problem of users with an xDSL connection and few IP addresses; we will see an example in the next chapters. Now let us see technically how things are configured on the Linux machine with iptables. The SNAT configuration is very simple and consists in activating the nat table in the POSTROUTING process with the statement

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

where ppp0 is the outgoing modem interface towards the Internet. As can be seen, no IP address appears in the configuration, because MASQUERADE automatically picks up the dynamic address assigned by the provider each time and uses it for the SNAT. If instead the address is static, as in the case of an xDSL connection with a few IP addresses, it is better to use this configuration:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx

where eth0 is the network interface on the Internet side and xxx.xxx.xxx.xxx is the Internet address of that interface. One last question: why is this rule applied in the POSTROUTING process? The explanation is simple: so that, until the last moment before leaving the interface towards the Internet, the packet is still identified as coming from the internal machine, and filter or routing rules can be applied to it on that basis. If the masking happened earlier, the packet would be indistinguishable from one generated locally by the Linux box and no customized filters could be applied to it.
Destination NAT: the server that is, but is not.

Analogously to source NAT, destination network address translation also acts by modifying the header of packets in transit, in particular the destination address and port. Unlike SNAT, but for the same reason, DNAT is applied in the PREROUTING process, so that all the remaining iptables and routing processes act on the already modified packet. DNAT can be used for "port forwarding" or for a "transparent proxy". Leaving the second case for the next chapter, we now deal with "port forwarding": what it is and how it is performed with destination NAT. Port forwarding is the operation by which a port present on one server, while the service is often actually active on another server, acts as a "pointer" to a service present on another port: all connection requests to the first port are forwarded to the real service active on the second port. Port forwarding is used when one or more services present on a network with Intranet addresses must be exported and made visible on the Internet. Take for example a company that has bought an xDSL line from an Internet provider which has assigned it four IP addresses, from 194.244.12.0 to 194.244.12.3. Of the four addresses, .0 is the network address, .1 is the address of the router connecting the company to the provider and .3 is the broadcast address. The only free address is therefore 194.244.12.2 and, since the company actually has many computers that want to browse the Net, it has used SNAT on a Linux machine. The free address has been assigned to the external network interface, while the internal one was given an Intranet address from the class 192.168.0.0/24.
The company now decides to move its web site, currently hosted at a provider, onto the company network for better management and maintenance. Activating the web server on the firewall could be impossible because of operating-system incompatibility but, even where no such incompatibility exists, installing further services on the firewall is totally unacceptable. The firewall, as the only bastion between us and "the enemy", must be totally secure, and every additional service tends to reduce that safety margin. The server is therefore attached to the internal network and given the Intranet address 192.168.0.1. How does the server become visible on the Internet, now that it has an Intranet address unreachable from the Net? If installing the web service on the firewall was unacceptable, it is also true that mapping the firewall's web port onto the web port of server 192.168.0.1 does not compromise the security of the network at all. This is precisely the idea: from outside, the web server will be seen as active on port 80 (web) of address 194.222.12.2, but all packets addressed to that port will be diverted by the firewall to port 80 of server 192.168.0.1. Like bloodhounds, let us follow the TCP/IP packet requesting a page of our site and the corresponding reply packet. The request packet, addressed to port 80 of server 194.222.12.2, enters through the firewall's external card eth0. In the PREROUTING process the firewall verifies that this packet matches a given rule and modifies its recipient (DNAT), replacing the destination address with 192.168.0.1. The routing table now sees a packet destined for this internal host and routes it onto card eth1, letting it reach the web server actually present on the network. The internal web server processes the request and prepares a reply packet.
This packet comes back to the firewall, which recognizes it as the reply to the packet it modified shortly before and modifies this one too, substituting its own address for the Intranet source address, and forwards it to the remote host. The result, from the point of view of the remote host, is that everything adds up perfectly. The iptables configuration to obtain this result is very simple:

iptables -t nat -A PREROUTING -p tcp -d 194.222.12.2 --dport 80 -j DNAT --to-destination 192.168.0.1

As can be seen, it was not necessary to specify the destination port in the mapping, since it is the same. If the internal web server were active on a non-standard port, different from port 80, that information would have to be added to the DNAT configuration line (as --to-destination 192.168.0.1:port). Obviously what works for one service works for many: several internal servers can be presented to the outside and mapped using the single IP address of the firewall. But if one tries to export two servers of the same type, for example two web servers active on two different machines, only one of the two can be seen from outside on the firewall's standard web port; the other will have to be mapped onto a non-standard port xx and will be visible from outside only through the URL http://www.mysite.com:xx/

Transparent proxy: how to divert TCP/IP packets.

A specialized form of DNAT is the so-called redirection of packets, which allows some types of data to be diverted, transparently, to a single machine for monitoring purposes or for a transparent proxy. Let us analyze why and how such an operation is performed, considering a transparent web proxy applied to an ISP offering dial-up connections to private and/or business users.
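The SNAT and port-forwarding DNAT walks above, replayed in a toy model. This is an added example, not the article's code or a real netfilter implementation; the remote host 198.51.100.10, the blocked inside host 192.168.0.3 and the FORWARD drop rule are assumptions, the other addresses are the article's.

```python
"""Toy model of the SNAT and DNAT packet walks described above.

Added example, not the article's code and not a real netfilter implementation:
it models PREROUTING (DNAT), the routing decision, the FORWARD filter and
POSTROUTING (SNAT), plus the connection-tracking entry that lets the reply
packet be translated back.  Addresses are the article's (inside 192.168.0.0/24
on eth1, firewall 194.222.12.2 on eth0, web server 192.168.0.1); the remote
host 198.51.100.10 and the blocked inside host 192.168.0.3 are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def tuple_of(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse(t):
    src, sport, dst, dport = t
    return (dst, dport, src, sport)


class NatFirewall:
    EXT_IF, EXT_IP = "eth0", "194.222.12.2"
    INT_IF, INT_NET = "eth1", ipaddress.ip_network("192.168.0.0/24")

    def __init__(self):
        # Connection tracking: original tuple -> tuple after translation.
        self.conntrack = {}
        # iptables -t nat -A PREROUTING -p tcp -d 194.222.12.2 --dport 80 \
        #          -j DNAT --to-destination 192.168.0.1
        self.dnat = [("194.222.12.2", 80, "192.168.0.1", 80)]
        # Constructed filter rule: iptables -A FORWARD -s 192.168.0.3 -j DROP
        self.forward_drop = {"192.168.0.3"}

    def route(self, dst):
        """Routing decision: the inside network is on eth1, everything else on eth0."""
        return self.INT_IF if ipaddress.ip_address(dst) in self.INT_NET else self.EXT_IF

    def forward(self, pkt):
        """Push one packet through the box.

        Returns (packet as it leaves, egress interface), or (None, None) if the
        FORWARD chain drops it.
        """
        orig = tuple_of(pkt)
        # A reply to a tracked connection is translated back from the saved
        # entry without consulting the nat rules again.
        for before, after in self.conntrack.items():
            if orig == reverse(after):
                b_src, b_sport, b_dst, b_dport = before
                out = Packet(b_dst, b_dport, b_src, b_sport)
                return out, self.route(out.dst)
        new = pkt
        # PREROUTING: DNAT first, so routing and filtering see the real recipient.
        for match_ip, match_port, to_ip, to_port in self.dnat:
            if new.dst == match_ip and new.dport == match_port:
                new = replace(new, dst=to_ip, dport=to_port)
        out_if = self.route(new.dst)
        # FORWARD: runs before SNAT, so a filter can still match the inside source.
        if new.src in self.forward_drop:
            return None, None
        # POSTROUTING: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.222.12.2
        if out_if == self.EXT_IF and ipaddress.ip_address(new.src) in self.INT_NET:
            new = replace(new, src=self.EXT_IP)
        if new != pkt:
            self.conntrack[orig] = tuple_of(new)
        return new, out_if


if __name__ == "__main__":
    fw = NatFirewall()
    # Inside host browsing: masked on the way out, unmasked on the way back.
    out, dev = fw.forward(Packet("192.168.0.2", 40000, "198.51.100.10", 80))
    print("out ", dev, out)      # eth0 194.222.12.2:40000 -> 198.51.100.10:80
    back, dev = fw.forward(Packet("198.51.100.10", 80, "194.222.12.2", 40000))
    print("back", dev, back)     # eth1 198.51.100.10:80 -> 192.168.0.2:40000
    # Port forwarding: a remote client reaches the inside web server.
    req, dev = fw.forward(Packet("198.51.100.10", 51000, "194.222.12.2", 80))
    print("req ", dev, req)      # eth1 198.51.100.10:51000 -> 192.168.0.1:80
    rep, dev = fw.forward(Packet("192.168.0.1", 80, "198.51.100.10", 51000))
    print("rep ", dev, rep)      # eth0 194.222.12.2:80 -> 198.51.100.10:51000
    print("drop", fw.forward(Packet("192.168.0.3", 40001, "198.51.100.10", 80)))
```

The FORWARD check sits between routing and SNAT on purpose: that is the ordering the article's "why POSTROUTING?" question is about, and the dropped packet from 192.168.0.3 shows the filter still seeing the inside address.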
The ISP has, in its data center, a proxy server which, if used by the customers, intercepts web requests, taking charge of fetching the pages and sending them to the customer, with the advantage of saving the received pages locally. If a later request refers to a page already present on the local hard disk, that copy is sent to the customer, with obvious savings in the provider's outgoing bandwidth and in response time for the customer, since the page comes from a "nearer" place. The Achilles' heel of this system lies in the phrase "if used by the customers". In fact whether the proxy is used or not is at the discretion of the customer who, in the browser on his own computer, can enable or disable the use of the ISP's proxy. Obviously the greatest benefit from the proxy is obtained if everyone uses it, which maximizes the probability that a requested page is found locally and does not have to be fetched from the remote site. The transparent proxy is the operation of sending all web requests to the proxy server in any case, regardless of whether the customer has enabled the use of the proxy on his computer. How does it work at the level of data flow? The request packet for a remote web page from a local customer crosses the firewall which, applying a given DNAT rule, replaces the destination address with that of the proxy. The packet is then routed by the routing table onto the same interface it came in from, because the proxy server is, with respect to the firewall, on the same side as the customer, the protected side. The proxy takes delivery of the web request and retrieves the page locally or remotely, depending on whether it is available on its hard disk. Once it has obtained the requested page, it sends the reply to the customer, taking the customer's address from the packet header.
One observation before showing the iptables configuration line that performs the DNAT for the transparent proxy: the proxy software must be told that it is being used as a transparent proxy, and that the request packet arriving at it is not a proxy request but directly an HTTP packet, so it must change the way it interprets the received packet in order to work out which remote resource to fetch. The SQUID proxy server, for example, has this functionality of accepting plain HTTP when acting as a transparent proxy. We close this topic by showing the transparent-proxy configuration line for iptables:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 ! -s xxx.xxx.xxx.xxx -j DNAT --to-destination xxx.xxx.xxx.xxx:8080

where xxx.xxx.xxx.xxx is the address of the server on which the proxy is listening on port 8080; the "! -s" exclusion keeps the proxy's own outgoing web requests from being sent back to it. If the proxy runs on the firewall box itself, the REDIRECT target with --to-ports 8080 can be used instead, since REDIRECT always delivers the packet to the local machine.

Transparent bridging: turn your Linux box into a hub.

Although only loosely related to firewalls, the problem of transparent bridging arises whenever a firewall has to be introduced into a pre-existing network, above all if that network is already entirely connected to the Internet. Normally the introduction of a firewall splits the network into two sub-sections. This unavoidably implies changing the netmask on the hosts of both sections and, for the hosts of the internal section alone, the firewall must become the new default gateway, so this parameter must be updated too. The situation is made worse by the fact that the firewall is usually placed right below the company router, so the modifications just mentioned must be carried out on practically all the hosts.
Moreover the router configuration must also be changed, to adapt to the new netmask and to tell it that the subnet behind the firewall is reachable through the gateway. It can happen, though, that this modification is impossible because in some cases the router is not the company's property but the carrier's, leased to the company together with the Internet connectivity. For all these reasons introducing a firewall can be problematic, if not unsolvable. Let us see how the problem is solved thanks to the capabilities of the Linux operating system which, as far as the author knows, is the only one that lets a powerful firewall be combined with a transparent bridging solution. The idea is to make the newly introduced machine "transparent", avoiding splits and changes to the netmask and gateway configurations, through the use of proxy ARP. ARP is the protocol with which network cards request information from the other cards present on the LAN. When a card wants to know whether some host has a particular IP address, it asks the card on the LAN that has that IP address to identify itself. This message is heard by all the network cards: it is a broadcast message. If one of them recognizes the requested IP address as its own, it answers the request with its own hardware address, which is a unique identifier of every network card produced in the world. When a particular IP address is assigned to a network card, an entry is automatically made in the so-called ARP table associating the IP address with the card's hardware address, so that the card makes itself known on the network whenever someone asks for that IP address.
In the example above, the machine with IP address 10.0.0.3 and hardware address 00:50:ba:08:e5:f2 has asked all cards (ff:ff:ff:ff:ff:ff) who has address 10.0.0.4. The card 00:50:fc:04:8c:1d, on another machine, identified itself as the card associated with the requested address. The ARP table entry for machine 10.0.0.3 is:

Address      HWtype  HWaddress           Flags Mask  Iface
10.0.0.3     ether   00:50:BA:08:E5:F2   C           eth0

while for 10.0.0.4 we have:

Interface: 10.0.0.4 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.0.0.4              00-50-fc-04-8c-1d     dynamic

where the different layout of the two ARP tables is due to the fact that the first was obtained on a Linux machine, while the second is how the ARP table is printed on a Windows® 2000 Professional machine. The idea behind proxy ARP is to add manually, to the ARP table of the external network card, the whole range of addresses that has now been moved inside. Let us follow, as usual, the path of an IP packet coming from outside and directed to a local machine. [PACKET FLOW DIAGRAM] The packet destined for the local address 194.12.12.12 enters the router which knows, from its routing table, that the class 194.12.12.0/24 is directly connected on its Ethernet interface. On that interface it therefore sends an ARP request asking, in broadcast, who has address 194.12.12.12. On the network directly connected to the router's Ethernet there is only the firewall's eth0, which has been instructed, thanks to proxy ARP, to answer positively to every ARP request for addresses of the class 194.12.12.0/24. The router then sends the packet to the firewall's eth0, believing it is the card with address 194.12.12.12. The packet enters the firewall which, from its routing table, finds that class 194.12.12.0/24 is almost entirely present on eth1.
It therefore sends the packet, after applying any firewall rules, on eth1 to the correct recipient, which made itself known by answering the ARP request issued by the firewall on eth1. So, through proxy ARP, the incoming packet reaches the firewall without any need to modify the router configuration. The analogous solution on the internal side of the network is to instruct eth1 to answer positively to ARP requests for the router's IP address. So when host 194.12.12.12 tries to reply to the remote host through its default gateway, the router, eth1 pretends to be the router and takes delivery of the packet, which is then sent on eth0 towards the router, not before applying any firewall rules. Having seen how it works, let us see how to activate it on the firewall. First comes the manual configuration of the IP addresses on the network cards[7], in the classic form

ifconfig eth0 194.12.12.12 netmask 255.255.255.255 up
ifconfig eth1 194.12.12.12 netmask 255.255.255.255 up

and in the iproute2 form

ip address add 194.12.12.12/32 dev eth0
ip address add 194.12.12.12/32 dev eth1

For simplicity and economy, both cards are given a single IP address and a netmask covering only that address, so that for now no route is added to the routing table: the routes are added by hand with the commands

route add -net 194.12.12.0 netmask 255.255.255.0 eth1
route add -host 194.12.12.1 eth0
ip route add 194.12.12.0/24 dev eth1
ip route add 194.12.12.1 dev eth0

which tell the firewall where the router is and where the rest of the network is. The two routes, as can be seen, overlap for the router's IP address 194.12.12.1, but for the router the second one is applied, since it has a more specific netmask.
And now the proxy ARP configuration, eth0 side [TO VERIFY]:

arp -i eth0 -Ds 194.12.12.0 eth0 netmask 255.255.255.0 pub
ip neigh add proxy 194.12.12.0/24 nud permanent dev eth0

and eth1 side:

arp -i eth1 -Ds 194.12.12.1 eth1 netmask 255.255.255.255 pub
ip neigh add proxy 194.12.12.1 nud permanent dev eth1

which add the class 194.12.12.0/24 to the ARP table of eth0 and the router's address to the ARP table of eth1. (The ip neigh proxy form accepts a single address, not a prefix; to answer for a whole range with iproute2 one normally enables proxy ARP on the interface with the sysctl net.ipv4.conf.eth0.proxy_arp=1 instead.)

Advanced routing: routing to the n-th power.

A personal computer combined with the Linux operating system makes one of the most complex routers currently available. This is a non-exhaustive list of the possibilities offered by a Linux router:
§ regulating and limiting bandwidth on the basis of the source or the remote host,
§ dividing and sharing the bandwidth available on a line,
§ bonding two or more lines so as to have virtually a single line equal to the sum of the real lines,
§ presenting several servers as if they were a single one, so as to balance the load,
§ routing on the basis of the unix user, the source or remote address, the type of service, the time of day, etc.
The one we want to focus on is routing based on the source address. For further information see the Linux Advanced Routing HOWTO in the references at the end of this article. So far, speaking of the routing table, we have said that when a packet enters the machine, that table is consulted to compare the packet's destination address and find the correct route to forward the packet to its recipient. Sometimes, however, this logic is not enough. Suppose we have two connectivity lines, one not very fast but at a flat rate and one very fast but billed by usage.
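Returning to the transparent-bridging configuration above, this added example (not the article's code) models the two cards with their "pub" proxy-ARP entries and the two overlapping routes, and traces who answers each ARP request and where the firewall routes the packet. The MAC addresses and the set of hosts on each segment are assumptions; the IP addresses are the article's.

```python
"""Toy model of the proxy-ARP transparent bridge configured above.

Added example, not the article's code: it models the firewall's two cards with
their "pub" proxy-ARP entries and the two overlapping routes, then traces who
answers each ARP request and where the packet is routed.  Addresses are the
article's (class 194.12.12.0/24, router 194.12.12.1 behind eth0, inner host
194.12.12.12 behind eth1); all MAC addresses are constructed.
"""
import ipaddress

NET = ipaddress.ip_network

# route add -net 194.12.12.0 netmask 255.255.255.0 eth1 / route add -host 194.12.12.1 eth0
ROUTES = [(NET("194.12.12.0/24"), "eth1"), (NET("194.12.12.1/32"), "eth0")]

# arp -i eth0 -Ds 194.12.12.0 eth0 netmask 255.255.255.0 pub
# arp -i eth1 -Ds 194.12.12.1 eth1 netmask 255.255.255.255 pub
PROXY_ARP = {"eth0": NET("194.12.12.0/24"), "eth1": NET("194.12.12.1/32")}

FIREWALL_MAC = {"eth0": "02:00:00:00:00:a0", "eth1": "02:00:00:00:00:a1"}  # constructed
# Real cards on each segment (constructed): the router beside eth0, the host beside eth1.
SEGMENT_HOSTS = {"eth0": {"194.12.12.1": "02:00:00:00:00:01"},
                 "eth1": {"194.12.12.12": "02:00:00:00:00:0c"}}


def route_lookup(dst):
    """Longest-prefix match: the /32 for the router beats the /24 of the class."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in ROUTES if ip in net]
    return max(hits)[1] if hits else None


def proxy_reply(iface, target):
    """MAC the firewall card on iface answers with for 'who has target', or None."""
    return FIREWALL_MAC[iface] if ipaddress.ip_address(target) in PROXY_ARP[iface] else None


def who_answers(segment, target):
    """The real owner answers if it is on the segment; otherwise the proxy, if any."""
    return SEGMENT_HOSTS[segment].get(target) or proxy_reply(segment, target)


def walk(in_iface, dst):
    """Trace a packet whose sender ARPs for dst on the segment attached to in_iface.

    Returns the list of steps; the firewall is only involved when its proxy entry
    answered, otherwise the packet stays on that segment.
    """
    answer = who_answers(in_iface, dst)
    if answer != FIREWALL_MAC[in_iface]:
        return [("stays on segment", in_iface, answer)]
    out_iface = route_lookup(dst)
    return [("proxy-arp reply", in_iface, answer),
            ("routed", out_iface),
            ("next hop", out_iface, who_answers(out_iface, dst))]


if __name__ == "__main__":
    print(walk("eth0", "194.12.12.12"))   # inbound: eth0 answers, routed to eth1, host's MAC
    print(walk("eth1", "194.12.12.1"))    # reply: eth1 pretends to be the router, routed to eth0
    print(walk("eth1", "194.12.12.12"))   # host to host on the inner segment: firewall not involved
    print(walk("eth0", "194.12.12.200"))  # no such host: eth0 still answers, nobody on eth1 does
```

The last trace shows why the eth1 proxy entry covers only the router's address: if eth1 also answered for the whole class, a packet for a non-existent host would bounce between the two cards.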
We might want, for example, the machines of "privileged" users to be able to use the faster connection, without letting everyone use it, so as to avoid excessive usage costs on that line. The solution exists if it is possible to run a routing algorithm based on the packet's source address, so as to send all packets over the first connection except those coming from the privileged users. Let us see how routing works on a Linux machine with the advanced iproute2 suite and a kernel from release 2.4.0 on. On such a machine there is not a single routing table: several routing tables can be created, and packets are forced to use one of these tables on the basis of various logical criteria. When one or more network cards are activated on a machine, a specific routing table is associated with them, containing the routing for the local addresses, for the networks present on the LANs attached to the cards, and for the default gateway. In the iproute2 suite this routing table is already split into three routing rules called local, main and default. These rules are applied to all packets in transit; while the local rule has a very high priority, the others have a low priority, so that if the user decides to add new routing rules, these can be applied before those of main and default, which may then be ignored. Consider then a simple situation like the one described above, in which source routing needs to be activated, and suppose that the base setup of the router has the flat-rate link as its default gateway. If we want to route an IP address over the fast connectivity we can add a routing table with higher priority than main and default and have that table applied only to packets coming from the IP address in question.
That table will obviously contain a new default gateway statement, pointing at the router of the faster link. Let us see how simply this is done. The default routing rules are, so to speak:

[root@K7 root]# ip rule list
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

showing, in order, the rule's priority number, its scope (from all) and the name of the table. We add a routing rule that applies only when the source address is xxx.xxx.xxx.xxx (a table name such as linkFast must first be mapped to a table number in /etc/iproute2/rt_tables):

[root@K7 root]# ip rule add from xxx.xxx.xxx.xxx table linkFast

and if we display the routing rules

[root@K7 root]# ip rule list
0:      from all lookup local
32765:  from xxx.xxx.xxx.xxx lookup linkFast
32766:  from all lookup main
32767:  from all lookup default

we find that the new rule will be applied before main and default. As said, in this table we add the default gateway pointing at the router of the fast link, yyy.yyy.yyy.yyy, with the command

[root@K7 root]# ip route add default via yyy.yyy.yyy.yyy dev eth1 table linkFast

and that is all. Packets coming from xxx.xxx.xxx.xxx will find router yyy.yyy.yyy.yyy as their default gateway; all the others will follow the slower path. In fact, by combining the iproute2 functions with those of the iptables firewall, it is possible to route on the basis of arbitrarily complex rules. Suppose for example we want to send over the fast link all web-type packets as well, so that our users browse very fast, without for instance loading that line with e-mail traffic, which does not need the fast link; this keeps the cost on the usage-billed line down. Obviously this functionality cannot be obtained with the iproute2 suite alone. Let us see how it works in combination with the iptables suite.
The iproute2 routing algorithm can base its decision on which routing rules to apply on the source address, as we have just seen. But it can also base the choice on the presence and value of a mark on the packet. Such a mark can be set by a firewall rule in the PREROUTING process (it is attached to the packet by the kernel and is not transmitted in the IP header). So the firewall marks certain packets on the basis of arbitrarily complex rules, and routing then applies to those marked packets a routing table different from the default one. We can then write straight away the firewall rule and the routing rule, which are, I hope, sufficiently self-explanatory:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 1

which applies, before the routing process, a mark to all packets entering from the internal card and addressed to web ports, and the rule

ip rule add fwmark 1 lookup linkFast

which sends all packets whose mark has been set to one by the firewall over the fast link.

A real example: the firewall of the I.Z.S. of Teramo.

In the first months of 2001 I was contacted by the Istituto Zooprofilattico Sperimentale "G. Caporale" of Abruzzo and Molise as a consultant for the analysis and resolution of an operational requirement arising from the purchase, by the I.Z.S., of a further Internet connectivity line in addition to the existing one connected to the Italian academic network GARR. The requirement that had pushed the I.Z.S. to this choice came from the need to upgrade its bandwidth and from the appearance on the Italian market of low-cost xDSL connectivity solutions. The I.Z.S., considering too complicated the renumbering that would have been necessary had it decided to drop the GARR line, preferred to add another link and to split the load contractually across the two lines, taking into account the greater bandwidth available on the xDSL channel, which is however capped by a traffic ceiling set by the provider Interbusiness, beyond which billing switches to usage. To avoid exceeding that ceiling, the administrator of the I.Z.S. internal network decided to split traffic across the two lines, sending the web traffic of the internal users and all the traffic generated by privileged users over the faster xDSL line and relegating all the remaining traffic, as "low priority", to the slower GARR line. The author was called in to implement this policy. The solution proposed, and currently in operation at the I.Z.S., was to put a Linux firewall right below the pre-existing router and to attach the xDSL router to another network card. A third network card was connected to the backbone coming from the internal network. The firewall was configured in transparent bridging so as to be transparent to the machines, avoiding reconfiguration problems on the internal hosts. On the firewall a PREROUTING rule was activated that marks the packets coming from the privileged hosts or directed to web services. In the following ROUTING process the packets so marked are made to follow a different routing table that has the xDSL router as its default route. Before the packet leaves the machine, in the POSTROUTING process, an SNAT is applied to prevent packets with a source address belonging to the GARR network from being rejected by the Interbusiness network as not coming from the network assigned to the I.Z.S.
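The I.Z.S. policy described above, as an added example that is not the institute's real configuration: it ties together the mangle MARK rules, the iproute2 rule list with its tables, and the POSTROUTING SNAT towards the xDSL line. Every address, interface assignment and the privileged host 192.0.2.50 are assumptions (RFC 5737 documentation ranges); reply packets are not modelled.

```python
"""Model of the I.Z.S. policy-routing firewall described above.

Added example, not the institute's real configuration: it ties together the
mangle MARK rules, the iproute2 rule list with its tables, and the POSTROUTING
SNAT towards the xDSL line.  Every address is constructed: 192.0.2.0/24 stands
in for the GARR-assigned block, reached through eth1 with the GARR router
192.0.2.1 behind eth0 (the transparent-bridging layout); the xDSL router is
198.51.100.1 on eth2, where the firewall holds 198.51.100.2; 192.0.2.50 is the
privileged host.  Reply packets and their un-SNAT are not modelled here.
"""
import ipaddress
from dataclasses import dataclass, replace

NET = ipaddress.ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    mark: int = 0


# iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth1 -s 192.0.2.50 -j MARK --set-mark 1
MARK_RULES = [
    {"in_iface": "eth1", "dport": 80, "mark": 1},
    {"in_iface": "eth1", "src": NET("192.0.2.50/32"), "mark": 1},
]

# ip rule list: (priority, selector, table); 32765 is "ip rule add fwmark 1 lookup linkFast"
RULES = [
    (0, {}, "local"),
    (32765, {"fwmark": 1}, "linkFast"),
    (32766, {}, "main"),
    (32767, {}, "default"),
]

# Routing tables: (prefix, device, gateway or None).
TABLES = {
    "local": [(NET("198.51.100.2/32"), "lo", None)],
    # ip route add default via 198.51.100.1 dev eth2 table linkFast
    "linkFast": [(NET("0.0.0.0/0"), "eth2", "198.51.100.1")],
    "main": [(NET("192.0.2.0/24"), "eth1", None),
             (NET("192.0.2.1/32"), "eth0", None),
             (NET("0.0.0.0/0"), "eth0", "192.0.2.1")],
    "default": [],
}

# iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 198.51.100.2
SNAT = {"eth2": "198.51.100.2"}


def mangle_prerouting(pkt):
    """Apply the MARK rules; the mark lives in the kernel, not in the IP header."""
    for rule in MARK_RULES:
        if rule["in_iface"] != pkt.in_iface:
            continue
        if "dport" in rule and rule["dport"] != pkt.dport:
            continue
        if "src" in rule and ipaddress.ip_address(pkt.src) not in rule["src"]:
            continue
        pkt = replace(pkt, mark=rule["mark"])
    return pkt


def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev, gw) for net, dev, gw in TABLES[table] if ip in net]
    return max(hits, key=lambda h: h[0])[1:] if hits else None


def select_route(pkt):
    """Walk the rules by priority; a table with no matching route is skipped."""
    for _prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if "fwmark" in sel and sel["fwmark"] != pkt.mark:
            continue
        if "from" in sel and ipaddress.ip_address(pkt.src) not in sel["from"]:
            continue
        hit = lookup(table, pkt.dst)
        if hit:
            return table, hit
    return None, None


def forward(pkt):
    """PREROUTING mangle -> routing -> POSTROUTING nat; None if unroutable."""
    pkt = mangle_prerouting(pkt)
    table, hit = select_route(pkt)
    if hit is None:
        return None
    dev, gw = hit
    if dev in SNAT:
        pkt = replace(pkt, src=SNAT[dev])
    return {"table": table, "dev": dev, "via": gw, "src": pkt.src}


if __name__ == "__main__":
    web = Packet("192.0.2.77", "203.0.113.9", 80, "eth1")      # web: xDSL, SNATed
    mail = Packet("192.0.2.77", "203.0.113.9", 25, "eth1")     # mail: GARR, untouched
    vip = Packet("192.0.2.50", "203.0.113.9", 25, "eth1")      # privileged host: xDSL
    inbound = Packet("203.0.113.9", "192.0.2.77", 80, "eth0")  # from GARR: inner net
    for p in (web, mail, vip, inbound):
        print(p.src, "->", p.dst, p.dport, forward(p))
```

A marked packet addressed to another inner host would also hit linkFast's default route and leave via the xDSL line; in practice the MARK rules are narrowed with "! -d" for the local block, or the local routes are copied into the linkFast table.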
So, with a Linux firewall solution and a recycled personal computer that would otherwise have been scrapped, a problem was solved that would otherwise have been impossible to resolve.

References
§ Linux Networking HOWTO
§ Linux 2.4 Packet Filtering HOWTO
§ Linux 2.4 NAT HOWTO
§ Iproute2 Utility Suite HOWTO
§ Linux 2.4 Advanced Routing HOWTO
§ MonMotha's firewall configuration files.

[1] A synonym for Internet connectivity provider.
[2] Every computer works out the addresses of the computers possibly present on the local network from its own address and from the so-called "net mask" (netmask), which defines the range of IP addresses that the computers of the local network can take. The default gateway is the address of the device that knows how to route packets whose destination addresses do not belong to the local network. By the reasoning above, if the destination address is not an address of the local network, the computer sends the packets to the default gateway. The default gateway is usually a router.
[3] Such modifications would normally be needed because every firewall splits the network into at least two parts, an external one and an internal one; this means that the local network must be resized, so the netmask of the internal computers must be modified to reduce the range of IP addresses of the new local network, which has now become a subnet of the original one because of the introduction of the firewall. The firewall itself becomes the default gateway for the internal machines, being the door towards the outside.
[4] The rule states that, in the forward process of the packet (-A FORWARD), tcp packets (-p tcp) [byte 10 of the IP header] addressed to our server (-d 60.0.0.2) [bytes 17-20 of the IP header] that try to connect to our server on a port other than port 80 (! --dport 80) [bytes 3-4 of the TCP header] are dropped (-j DROP).
[5] Spoofing is a type of attack in which a machine not belonging to our LAN makes one of our machines believe it is a local machine, possibly obtaining privileges that would not otherwise be granted to it. An attack of this kind can, as is well known, be blocked by specifying the interfaces from which we expect certain packets to arrive and/or leave.
[6] IP addresses must lie between 0.0.0.0 and 255.255.255.255 (in hex 0.0.0.0 and ff.ff.ff.ff). Some IP addresses, however, are reserved for building private networks and are not usable on the Internet. The addresses from 10.0.0.0 to 10.255.255.255, those between 172.16.0.0 and 172.31.255.255 and those between 192.168.0.0 and 192.168.255.255 are called Intranet addresses, and no machine on the Internet can have an address belonging to one of these ranges.
[7] The "old" configuration syntax of the Linux TCP/IP stack (ifconfig, route, arp) is given first, followed by the "new" configuration with the powerful iproute2 package (ip).
Copyright © 1997-2006 Emiliano Bruni. Online since 16/08/1998.