
CSC4140 Tutorial 2

SunMoon
Part 1

Iptables and NAT


Iptables


The tool iptables covers many things:

Packet Filtering;

Packet Forwarding;

Network Address Translation (NAT);

etc…

[root@linux]# iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@linux]#
Iptables – What is it?

Actually, iptables is the front-end of a sub-system in the Linux kernel.

The name of that sub-system is netfilter.

[Diagram: the iptables command manipulates the netfilter internal structure inside the Linux kernel]
Iptables – Tables and Chains

Each function provided by the netfilter architecture is presented as a table.

[Diagram: netfilter and its tables]

filter: this table is in charge of filtering packets.
nat: this table is in charge of translating the IP addresses of the packets.
mangle: this table is in charge of changing packet content.
Iptables – Tables and Chains

Under each table, there is a set of chains.

Under each chain, you can assign a set of rules.

[Diagram: netfilter tables and their chains]

filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

Iptables – Tables and Chains

Table name: filter (-t filter). The command: list (-L).

[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

There is one rule set in the INPUT chain; the other two chains (FORWARD and OUTPUT) are empty.

The rule in the INPUT chain means:

When a packet with ICMP payload passes through the INPUT hook, DROP that packet, no matter where it is from and where it is going.
Iptables – Packet Flow

[Diagram: the hooks in packet order: PREROUTING, then the routing decision, then either FORWARD and POSTROUTING, or INPUT down to the Local Processes; packets from the Local Processes pass OUTPUT, the routing decision and POSTROUTING. Key: incoming packets, outgoing packets, incoming + outgoing packets.]

If the destination of the packet is this machine … (the packet goes through the INPUT hook to the local processes).

If the destination of the packet is not this machine, and this machine knows where the packet should be sent … (the packet goes through the FORWARD hook).

If a packet from a local process is set to leave, it will go through the POSTROUTING hook.
Iptables – E.g., the Filter Table

[Diagram: the same packet flow, with INPUT, FORWARD and OUTPUT highlighted]

E.g., the filter table can only apply on the FORWARD, the INPUT, and the OUTPUT hooks.
Iptables – Rules on Filter Table

[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

-A INPUT: add a new rule to the INPUT chain.

--protocol icmp: the protocol of the packets in which this rule is interested is ICMP.

--jump DROP: if a packet (1) passes through the INPUT hook, and (2) is an ICMP packet, then the packet jumps to the target DROP, i.e., the packet is discarded.
Iptables – Rules on Filter Table

[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# iptables -t filter -D INPUT 1
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux]# _

-D INPUT 1: delete a rule from the INPUT chain, here rule #1 (rules are numbered from 1 in the order they are listed).
Iptables – More Rules on Filter Table

iptables -t filter -A INPUT --source 137.189.0.0/16 --protocol icmp --jump DROP

If a packet is:
(a) passing through the INPUT hook; (b) coming from the CUHK network; (c) an ICMP packet,
then it is DROPPED.

Meaning: Attention, everyone in CUHK: DON'T PING ME!

iptables -t filter -A OUTPUT --destination www.cse.cuhk.edu.hk --jump DROP

If a packet is:
(a) passing through the OUTPUT hook; (b) being sent to www.cse.cuhk.edu.hk,
then it is DROPPED.

Meaning: You are not allowed to access "www.cse.cuhk.edu.hk" using any protocol! (iptables resolves the host name to its IP addresses at the moment the rule is added.)
Iptables – More Rules on Filter Table

Besides DROP, the jump target can be:

ACCEPT: self-explanatory;

REJECT: it is different from DROP.

DROP discards the packet quietly.

REJECT discards the packet and then responds to the source with an ICMP "Port Unreachable" error.
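As an added example (not part of the tutorial), a small Python model of the filter table: it makes the routing decision from the packet-flow slides (OUTPUT for locally generated packets, INPUT for packets addressed to this machine, FORWARD otherwise), walks the chosen chain in rule order with first-match semantics, falls back to the chain policy, and returns the verdict for rules like the ones above. Packet, Rule and FilterTable are this example's own names, not iptables internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp", "tcp" or "udp"
    local_origin: bool = False    # True if generated by a local process

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    proto: Optional[str] = None   # --protocol; None matches any protocol
    src: Optional[str] = None     # --source network in CIDR form, or None
    dst: Optional[str] = None     # --destination network in CIDR form, or None

    def matches(self, pkt):
        if self.proto and self.proto != pkt.proto:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True

class FilterTable:
    """Toy model of the filter table: its three chains, each with a default policy."""
    def __init__(self, local_ips):
        self.local_ips = set(local_ips)          # addresses that belong to this machine
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def append(self, chain, rule):      # iptables -t filter -A <chain> ...
        self.chains[chain].append(rule)

    def hook_for(self, pkt):
        # Routing decision: local process -> OUTPUT; addressed to us -> INPUT; else FORWARD
        if pkt.local_origin:
            return "OUTPUT"
        return "INPUT" if pkt.dst in self.local_ips else "FORWARD"

    def verdict(self, pkt):
        """First matching rule decides, else the chain policy; REJECT also answers with ICMP port-unreachable."""
        chain = self.hook_for(pkt)
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return chain, rule.target
        return chain, self.policy[chain]
```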
Besides filtering…

iptables is highly related to routing…

[Diagram: the packet-flow hooks; PREROUTING and POSTROUTING each say "I've a name related to routing!"]
Network Address Translation - NAT


A technique called NAT is closely related to iptables.


First of all, what is NAT?

According to its name, it translates addresses.


Why do we need to translate addresses?
NAT - Application scenario

[Diagram: www.cse.cuhk.edu.hk (137.189.91.192) on the Internet; a Broadband Gateway with WAN address 123.45.67.89 and LAN address 192.168.1.1; behind it the private LAN 192.168.1.0/24 with a Linux host and a Windows XP host (192.168.1.3 and 192.168.1.2)]
NAT - Application scenario

If Bob doesn't use NAT, but routes the request through the default route…

[Diagram: Bob's request leaves the private LAN and passes the Broadband Gateway (WAN 123.45.67.89, LAN 192.168.1.1; private LAN labelled 172.16.1.0/24 and 192.168.1.0/24) unchanged:
Src: 192.168.1.2   Dest: 137.189.91.192
Src Port: 12345    Dest Port: 80]
NAT - Application scenario

If Bob doesn't use NAT, but routes the request through the default route…

[Diagram: the reply from www.cse.cuhk.edu.hk:
Src: 137.189.91.192   Dest: 192.168.1.2
Src Port: 80          Dest Port: 12345
A router on the way says: "I don't have the route to host 172.16.1.1. Goodbye, little poor packet!"]
NAT - Application scenario

If Bob is using NAT, then…

[Diagram: inside the private LAN the request is
Src: 192.168.1.2   Dest: 137.189.91.192,  Src Port: 12345   Dest Port: 80;
after the Broadband Gateway (WAN 123.45.67.89, LAN 192.168.1.1) it becomes
Src: 123.45.67.89   Dest: 137.189.91.192,  Src Port: 12345   Dest Port: 80.
HX broadband knows how to route the reply this time.]
NAT - Application scenario

If Bob is using NAT, then…

[Diagram: the reply from www.cse.cuhk.edu.hk:
Src: 137.189.91.192   Dest: 123.45.67.89
Src Port: 80          Dest Port: 12345
The router says: "I know where 123.45.67.89 is. It is Bob's home. Let me route it!"]
NAT - Application scenario

The NAT technique opens private networks to the
public!


Private addresses are therefore used extensively!

Your computing labs (Room 122, 904, 924 …) use private
addresses.

The Classnet and the Resnet use private addresses.


NAT is just a trick done by the gateway that stands
between the private network and the public network.
IP Masquerading


The scenario discussed before is a special case of NAT, known as IP Masquerading.

To translate any outgoing packet:

From any source IP address to the external IP
address of gateway.

From any source port number to the port number
assigned by gateway.
Iptables Rules for IP Masquerading

[Diagram: the packet-flow hooks, with POSTROUTING highlighted]

The MASQUERADE target is only valid for the POSTROUTING chain of the nat table!

IP Masquerading target; the following rule is not useful enough. Why?

[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE
Iptables Rules for IP Masquerading

Address translation for outgoing packets:

[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE

[root@gateway]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

[root@gateway]# iptables -t nat -A POSTROUTING -d ! 172.16.1.0/24 -j MASQUERADE

More fancy rules …

[root@gateway]# iptables -t nat -A POSTROUTING \
    -s 192.168.1.0/24 -d 137.189.0.0/16 \
    -j MASQUERADE

Your private network can "access" the CUHK network and itself only.

[root@gateway]# iptables -t nat -A POSTROUTING \
    -p tcp -d ! 192.168.1.0/24 --dport 22 \
    -j MASQUERADE

Your private network can only use SSH to reach the outside world!
More NAT Targets

IP Masquerading is only one of the functions of the NAT table.

The true potential is locked inside the targets:

SNAT – source NAT, and

DNAT – destination NAT.

E.g.,
[root@gateway]# iptables -t nat -A PREROUTING \
    -p tcp --dport 80 -j DNAT \
    --to-destination proxy.cse.cuhk.edu.hk:8000

OMG! This is a transparent HTTP proxy!
More NAT Targets

[root@137.189.91.208]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.10.0/24 \
    --to-source 137.189.91.208:10001-20000

[root@137.189.91.208]# iptables -t nat -A POSTROUTING -j SNAT \
    -p tcp -s 192.168.20.0/24 \
    --to-source 137.189.91.208:20001-30000

Note: the rules are not complete.

OMG!! This gateway supports two private networks and it gives each network the range of ports it is allowed to use!

[Diagram: 192.168.10.0/24 uses ports 10001:20000 and 192.168.20.0/24 uses ports 20001:30000 of 137.189.91.208]
More NAT Targets

[root@137.189.91.208]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.10.0/24 \
    --to-source 137.189.91.208

[root@137.189.91.208]# iptables -t nat -A POSTROUTING -j SNAT \
    -s 192.168.20.0/24 \
    --to-source 137.189.91.209

Note: the rules are not complete.

OMG!!! This gateway has a lot of NICs!

[Diagram: 192.168.10.0/24 leaves as 137.189.91.208 and 192.168.20.0/24 leaves as 137.189.91.209]
NAT Summary

NAT can change the source addresses and the destination
addresses of IP packets.

MASQUERADE target

changes the source address to be the gateway’s address before the
packet leaves the gateway at POSTROUTING hook, and

changes the destination address automatically back to the original
source address (and is done at PREROUTING hook quietly).

SNAT target

focuses on changing the source address of the packet at the
POSTROUTING hook to any address specified by the rule.

Therefore, MASQUERADE is a special case of SNAT.

DNAT target

focuses on changing the destination address of the packet at the
PREROUTING hook to any address specified by the rule.
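As an added example (not from the tutorial), a Python model of what the nat table does for the MASQUERADE and SNAT rules above: the POSTROUTING step rewrites the source of an outgoing flow to the public address and a port from the rule's range and records the mapping, and the PREROUTING step uses that mapping to send the reply back to the original private host; a reply with no mapping comes back as None, which is Bob's lost reply from the no-NAT scenario. NatGateway and Flow are this example's own names, and the port selection is a simplification of netfilter's connection tracking.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    """Toy model of SNAT/MASQUERADE at POSTROUTING plus the reverse mapping that
    netfilter applies at PREROUTING from its connection-tracking table."""
    def __init__(self):
        self.rules = []       # (source network, public IP, (lo, hi) port range), in -A order
        self.table = {}       # (public IP, public port, dst, dport) -> original Flow
        self.used_ports = set()

    def add_snat(self, src_net, to_source, ports=(1024, 65535)):
        """-A POSTROUTING -s src_net -j SNAT --to-source to_source:lo-hi
        (MASQUERADE is the same with to_source = the gateway's WAN address)."""
        self.rules.append((ipaddress.ip_network(src_net), to_source, ports))

    def postrouting(self, flow):
        """Rewrite an outgoing flow; returns what the WAN sees, or None when no rule matches."""
        for net, pub_ip, (lo, hi) in self.rules:         # first matching rule wins
            if ipaddress.ip_address(flow.src) not in net:
                continue
            # Keep the original source port if it lies in the range and is free,
            # otherwise take the first free port of the range (simplified here).
            if lo <= flow.sport <= hi and (pub_ip, flow.sport) not in self.used_ports:
                port = flow.sport
            else:
                port = next(p for p in range(lo, hi + 1) if (pub_ip, p) not in self.used_ports)
            self.used_ports.add((pub_ip, port))
            self.table[(pub_ip, port, flow.dst, flow.dport)] = flow
            return Flow(pub_ip, port, flow.dst, flow.dport)
        return None

    def prerouting(self, reply):
        """Undo the translation for a reply arriving on the WAN side; None means the
        gateway knows no mapping for it, i.e. the reply cannot be delivered."""
        orig = self.table.get((reply.dst, reply.dport, reply.src, reply.sport))
        if orig is None:
            return None
        return Flow(reply.src, reply.sport, orig.src, orig.sport)
```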
Part 2

Apache HTTP server


Apache HTTP server


Apache HTTP server is an open source web server maintained by the Apache Software Foundation.

Installing Apache (the Ubuntu way):
[root@gateway]# apt-get install apache2


All the web pages are placed inside a folder
known as document root

By default, the document root is /var/www
Apache HTTP server


After installing, you can test your Apache server by visiting http://server_ip/apache2-default/ or http://server_ip/

You can now add files of your own web page to
/var/www
Features of Apache server


Apache server comes with a modular design; advanced features (e.g. PHP support) are handled using modules.

Configuration files for the server and its
modules are located under /etc/apache2
Configuration Files


Pay attention to the following files and directories

apache2.conf

The main configuration file, not much detail here

ports.conf

Specify which ports and IP address to listen to

sites-available/

Files in this directory contain configuration directives for different
virtual hosts

mods-available/

Contains configuration directives for server modules
Enabling sites and modules


A file in sites-available/ or mods-available/ is only effective if a symbolic link to it appears in the folder:

sites-enabled/

Contains symlinks to the sites in sites-available which you want to enable

mods-enabled/

Contains symlinks to modules in mods-available, which you want to
enable

You don’t have to deal with the symlinks yourself, use
commands:

a2enmod, a2dismod, a2ensite, a2dissite
Running CGI program

In /etc/apache2/sites-available/default, you would find the following configuration:

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

This suggests that by default, the Apache server allows the execution of CGI scripts inside /usr/lib/cgi-bin/,

and the scripts are accessible through the URL http://ip_address/cgi-bin/your_script_name.cgi
Adding PHP support

Installing PHP (the Ubuntu way):
[root@gateway]# apt-get install libapache2-mod-php5 php5 \
php5-cgi php5-cli


After that, the PHP configuration files appear in
/etc/apache2/mods-available/
[root@gateway]# ls /etc/apache2/mods-available/php*
mods-available/php5.conf mods-available/php5.load


Enable the module
[root@gateway]# a2enmod php5
Privilege of CGI

If you execute the system utility “id” in your CGI script,
you would find the following output


This shows that your CGI scripts are run with effective
user id and group id “www-data”

Why? Because the apache server has limited its
privilege by setting the process owner user id to “www-
data”

The ownership of your CGI process is inherited from
the apache server
Privilege of CGI


However, many system operations require the
root permission, e.g., iptables

How can these operations be done by a CGI
program?

Exploit the setuid and setgid features of *nix
Recall: setuid, setgid


setuid, and setgid are unix access rights flags
that allow users to run an executable with the
permissions of the executable’s owner or group

That means:

If the executable’s owner is root

If the executable has been given the setuid attribute

Then a user can run the executable as if he/she is
the root
Using Wrapper


So how can you make your CGI
access/execute files that require root privilege?

Use a “wrapper” program!
$ iptables -L
iptables v1.3.6 … Permission denied

$ cat godlike.c
$ gcc -o godlike godlike.c
$ sudo chown root.root godlike
$ sudo chmod 4711 godlike
$ ./godlike
Chain INPUT (policy ACCEPT)

The wrapper code (godlike.c):

    /* The wrapper code: owned by root and setuid (chmod 4711), so the
       fixed command runs with root's effective user id. */
    #include <stdlib.h>

    int main(void)
    {
        /* system() passes the command to /bin/sh, which looks up "iptables"
           via the caller's PATH and inherits the caller's environment. */
        return system("iptables -L");
    }

End of tutorial

Q&A
