Part 1
The tool iptables covers many things:
Packet Filtering;
Packet Forwarding;
Network Address Translation (NAT);
etc…
[root@linux]# iptables
iptables v1.3.6: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@linux]#
Iptables – What is it?
Strictly speaking, iptables manipulates a sub-system in the Linux kernel.
That sub-system is called netfilter.
[Figure: iptables commands manipulate the netfilter internal structure inside the Linux kernel.]
Iptables – Tables and Chains
Each function provided by the netfilter architecture is
presented as a table.
Under each table, there is a set of chains.
Under each chain, you can assign a set of rules.
[Figure: netfilter tables, each holding chains such as INPUT and PREROUTING, each chain holding rules.]
Example rule: when a packet with an ICMP payload passes through the INPUT hook, DROP that packet, no matter where it comes from or where it is going.
Iptables – Packet Flow
[Figure: packet flow through the netfilter hooks. Incoming packets reach the routing decision ("if the destination of the packet is this machine …") and then the INPUT chain before reaching the local processes; packets from the local processes pass the OUTPUT chain on their way out. Key: incoming packets, outgoing packets, incoming + outgoing packets.]
Iptables – E.g., the Filter Table
[Figure: the filter table's INPUT and OUTPUT chains on either side of the local processes.]
Iptables – Rules on Filter Table
[root@linux]# iptables -t filter -A INPUT --protocol icmp --jump DROP
[root@linux]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere
If a packet is:
(a) passing through the INPUT hook; (b) coming from the CUHK network; (c) an ICMP packet,
then it is DROPPED.
If a packet is:
(a) passing through the OUTPUT hook; (b) being sent to www.cse.cuhk.edu.hk,
then it is DROPPED.
Meaning: you are not allowed to access "www.cse.cuhk.edu.hk" using any protocol!
Iptables – More Rules on Filter Table
Besides DROP, the jump target can be:
ACCEPT: self-explanatory;
REJECT: it is different from DROP.
DROP discards the packet quietly.
REJECT discards the packet and then responds to
the source with an ICMP "Port Unreachable" error.
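How a chain is walked, as an added model (not code from the tutorial): iptables tries the rules of a chain in order, the first matching rule's target is the verdict, and the chain policy applies only when nothing matches. It encodes the tutorial's INPUT and OUTPUT rules; the 137.189.0.0/16 prefix for "the CUHK network" and the use of REJECT instead of DROP for that rule are assumptions made so that rule order has a visible effect.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Addresses as host-order 32-bit integers; a 0-bit prefix means "anywhere". */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANYWHERE { 0, 0 }

enum proto { ANY = 0, ICMP = 1, TCP = 6, UDP = 17 };   /* IANA protocol numbers */
enum verdict { ACCEPT, DROP, REJECT };                /* REJECT also answers with ICMP port unreachable */
typedef struct { uint32_t src, dst; int proto; } pkt_t;
typedef struct { uint32_t net; unsigned bits; } cidr_t;                      /* -s / -d match */
typedef struct { int proto; cidr_t src, dst; enum verdict target; } rule_t; /* one -A line */
typedef struct { enum verdict policy; const rule_t *rules; size_t n; } chain_t;

static int cidr_match(cidr_t c, uint32_t ip) {
    uint32_t mask = c.bits == 0 ? 0u : 0xFFFFFFFFu << (32 - c.bits);
    return ((ip ^ c.net) & mask) == 0;
}

/* Walk the chain top to bottom: the first rule whose every condition holds
 * decides the verdict; if no rule matches, the chain policy applies. */
enum verdict evaluate(const chain_t *ch, pkt_t p) {
    for (size_t i = 0; i < ch->n; i++) {
        const rule_t *r = &ch->rules[i];
        if (r->proto != ANY && r->proto != p.proto) continue;
        if (!cidr_match(r->src, p.src) || !cidr_match(r->dst, p.dst)) continue;
        return r->target;
    }
    return ch->policy;
}

/* The tutorial's rules. 137.189.0.0/16 as "the CUHK network" is an assumption. */
static const rule_t input_rules[] = {
    { ICMP, { IP(137,189,0,0), 16 }, ANYWHERE, REJECT }, /* -A INPUT -s 137.189.0.0/16 -p icmp -j REJECT */
    { ICMP, ANYWHERE, ANYWHERE, DROP },                  /* -A INPUT -p icmp -j DROP (swap them and this one shadows the first) */
};
static const rule_t output_rules[] = {
    { ANY, ANYWHERE, { IP(137,189,91,192), 32 }, DROP }, /* -A OUTPUT -d www.cse.cuhk.edu.hk -j DROP */
};
const chain_t input_chain  = { ACCEPT, input_rules,  sizeof input_rules  / sizeof *input_rules };
const chain_t output_chain = { ACCEPT, output_rules, sizeof output_rules / sizeof *output_rules };

int main(void) {
    const char *names[] = { "ACCEPT", "DROP", "REJECT" };
    pkt_t ping = { IP(137,189,1,1), IP(192,168,1,2), ICMP };   /* ICMP from the CUHK prefix */
    printf("INPUT verdict: %s\n", names[evaluate(&input_chain, ping)]);  /* REJECT */
    return 0;
}
```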
Besides filtering…
iptables is highly related to routing…
[Figure: the packet-flow diagram again, with INPUT and OUTPUT around the local processes; the two chains whose names relate to routing (PREROUTING and POSTROUTING) sit on either side of the routing decision.]
Network Address Translation - NAT
A technique called NAT is closely related to iptables.
First of all, what is NAT?
According to its name, it translates addresses.
Why do we need to translate addresses?
NAT - Application scenario
[Figure: Bob's home network. A Broadband Gateway with WAN address 123.45.67.89 and LAN address 192.168.1.1 fronts the private LAN 192.168.1.0/24, which holds a Linux host and a Windows XP host (192.168.1.3 and 192.168.1.2). The web server www.cse.cuhk.edu.hk is at 137.189.91.192.]
NAT - Application scenario
If Bob doesn't use NAT but routes the request through the default route…
[Figure: the request leaves the home network unchanged: Src: 192.168.1.2, Dest: 137.189.91.192.]
[Figure: the reply (Src: 137.189.91.192, Src Port: 80, Dest: 192.168.1.2, Dest Port: 12345) reaches the provider's router, which says: "I don't have the route to host 172.16.1.1. Goodbye, little poor packet!" The slide labels the private LAN behind the Broadband Gateway (WAN: 123.45.67.89, LAN: 192.168.1.1) as 172.16.1.0/24 / 192.168.1.0/24.]
NAT - Application scenario
If Bob is using NAT, then…
HX broadband knows how to route the reply this time.
[Figure: the request now leaves the gateway as Src: 123.45.67.89, Src Port: 12345, Dest: 137.189.91.192, Dest Port: 80. The provider's router says: "I know where 123.45.67.89 is. It is Bob's home. Let me route it!" Broadband Gateway: WAN 123.45.67.89, LAN 192.168.1.1; private LAN 172.16.1.0/24 / 192.168.1.0/24 with the Linux and Windows XP hosts 192.168.1.3 and 192.168.1.2.]
NAT - Application scenario
The NAT technique opens private networks to the
public!
Private addresses are therefore used extensively!
Your computing labs (Room 122, 904, 924 …) use private
addresses.
The Classnet and the Resnet use private addresses.
NAT is just a trick done by the gateway that stands
between the private network and the public network.
IP Masquerading
The scenario discussed before is a special
case of NAT, known as IP Masquerading.
To translate any outgoing packet:
From any source IP address to the external IP
address of the gateway.
From any source port number to the port number
assigned by the gateway.
Iptables Rules for IP Masquerading
[Figure: the packet-flow diagram with the routing decision, INPUT and OUTPUT; the MASQUERADE target is only valid for the POSTROUTING chain of the nat table!]
Address translation for outgoing packets:
[root@gateway]# iptables -t nat -A POSTROUTING -j MASQUERADE
E.g.,
[root@gateway]# iptables -t nat -A PREROUTING \
-p tcp --dport 80 -j DNAT \
--to-destination proxy.cse.cuhk.edu.hk:8000
More NAT Targets
[root@137.189.91.208]# iptables -t nat -A POSTROUTING -j SNAT \
-s 192.168.10.0/24 \
--to-source 137.189.91.208
[Figure: private networks 192.168.10.0/24 and 192.168.20.0/24 behind a gateway with the public addresses 137.189.91.208 and 137.189.91.209; the port range 20001:30000 is marked on the diagram.]
NAT Summary
NAT can change the source addresses and the destination
addresses of IP packets.
MASQUERADE target
changes the source address to the gateway's address before the
packet leaves the gateway at the POSTROUTING hook, and
changes the destination address of the reply automatically back to the original
source address (this is done at the PREROUTING hook quietly).
SNAT target
focuses on changing the source address of the packet at the
POSTROUTING hook to any address specified by the rule.
Therefore, MASQUERADE is a special case of SNAT.
DNAT target
focuses on changing the destination address of the packet at the
PREROUTING hook to any address specified by the rule.
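The masquerading summary above as an added model (not the tutorial's code): MASQUERADE at POSTROUTING rewrites the source to the gateway's WAN address and a gateway-assigned port and records the mapping; the reverse rewrite at PREROUTING looks the reply's destination port up in that table. The gateway address is the slides' 123.45.67.89; the port pool starting at 20001 is an assumption taken from the figure label 20001:30000.

```c
#include <stdint.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct { uint32_t src, dst; uint16_t sport, dport; } pkt_t;
/* One conntrack-style mapping: which LAN host and port owns a gateway port. */
typedef struct { uint32_t lan_ip; uint16_t lan_port, gw_port; } map_t;

static const uint32_t GW_WAN = IP(123, 45, 67, 89);   /* the gateway's WAN address from the slides */
#define MAX_MAP 1024
static map_t maps[MAX_MAP];
static int nmaps = 0;
static uint16_t next_port = 20001;   /* assumed pool start; the slide marks "port 20001:30000" */

/* POSTROUTING, MASQUERADE: rewrite the source to the gateway's WAN address and a
 * gateway-assigned port, remembering the mapping so the reply can be undone.
 * Returns 0, or -1 when the pool is exhausted (the kernel would drop the packet). */
int masquerade_out(pkt_t *p) {
    int i;
    for (i = 0; i < nmaps; i++)                      /* reuse an existing mapping for this flow */
        if (maps[i].lan_ip == p->src && maps[i].lan_port == p->sport) break;
    if (i == nmaps) {                                /* new flow: assign the next free gateway port */
        if (nmaps == MAX_MAP || next_port > 30000) return -1;
        maps[nmaps++] = (map_t){ p->src, p->sport, next_port++ };
    }
    p->src = GW_WAN;
    p->sport = maps[i].gw_port;                      /* two LAN hosts using port 12345 get distinct ports */
    return 0;
}

/* PREROUTING, reverse translation: a reply addressed to a mapped gateway port is
 * rewritten back to the LAN host that opened the connection. A packet for an
 * unmapped port has no owner and is left alone (-1): the gateway has nowhere to send it. */
int masquerade_in(pkt_t *p) {
    if (p->dst != GW_WAN) return -1;
    for (int i = 0; i < nmaps; i++)
        if (maps[i].gw_port == p->dport) {
            p->dst = maps[i].lan_ip;
            p->dport = maps[i].lan_port;
            return 0;
        }
    return -1;
}
```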
Part 2
Apache HTTP server is an open source web
server maintained by the Apache Software
Foundation.
Installing Apache (the Ubuntu way):
[root@gateway]# apt-get install apache2
All the web pages are placed inside a folder
known as document root
By default, the document root is /var/www
Apache HTTP server
After installing, you can test your apache server
by visiting http://server_ip/apache2-default/ or
http://server_ip/
You can now add files of your own web page to
/var/www
Features of Apache server
Apache server comes with a modular design;
advanced features (e.g. PHP support) are
handled using modules.
Configuration files for the server and its
modules are located under /etc/apache2
Configuration Files
Pay attention to the following files and directories
apache2.conf
The main configuration file, not much detail here
ports.conf
Specifies which ports and IP addresses to listen on
sites-available/
Files in this directory contain configuration directives for different
virtual hosts
mods-available/
Contains configuration directives for server modules
Enabling sites and modules
A file in sites-available/ or mods-available/ is only
effective if a symbolic link to it appears in the folder:
sites-enabled/
Contains symlinks to the sites in sites-available/ that you want to enable
mods-enabled/
Contains symlinks to the modules in mods-available/ that you want to
enable
You don't have to deal with the symlinks yourself; use the
commands:
a2enmod, a2dismod, a2ensite, a2dissite
Running CGI program
In /etc/apache2/sites-available/default, you would find
the following configuration:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
This suggests that by default, apache server allows the
execution of CGI scripts inside /usr/lib/cgi-bin/,
and the scripts are accessible through the URL
http://ip_address/cgi-bin/your_script_name.cgi
Adding PHP support
Installing PHP (the Ubuntu way):
[root@gateway]# apt-get install libapache2-mod-php5 php5 \
php5-cgi php5-cli
After that, the PHP configuration files appear in
/etc/apache2/mods-available/
[root@gateway]# ls /etc/apache2/mods-available/php*
mods-available/php5.conf mods-available/php5.load
Enable the module
[root@gateway]# a2enmod php5
Privilege of CGI
If you execute the system utility “id” in your CGI script,
you would find the following output
This shows that your CGI scripts are run with effective
user id and group id “www-data”
Why? Because the apache server has limited its
privilege by setting the process owner user id to "www-data".
The ownership of your CGI process is inherited from
the apache server.
Privilege of CGI
However, many system operations require the
root permission, e.g., iptables
How can these operations be done by a CGI
program?
Exploit the setuid and setgid features of *nix
Recall: setuid, setgid
setuid, and setgid are unix access rights flags
that allow users to run an executable with the
permissions of the executable’s owner or group
That means:
If the executable's owner is root, and
if the executable has been given the setuid attribute,
then a user can run the executable as if he/she were
root.
Using Wrapper
So how can you make your CGI
access/execute files that require root privilege?
Use a “wrapper” program!
$ iptables -L
iptables v1.3.6 … Permission denied
…
$ cat godlike.c
/* The wrapper code: runs iptables with the privilege of the file's owner */
#include <stdlib.h>
int main()
{
    return system("iptables -L");
}
$ gcc -o godlike godlike.c
$ sudo chown root.root godlike
$ sudo chmod 4711 godlike
$ ./godlike
Chain INPUT (policy ACCEPT)
…
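A hardened version of the wrapper, added here and not part of the tutorial. The setuid-root wrapper above calls system(), which runs /bin/sh with the caller's environment, so whoever executes it decides which PATH resolves the name "iptables" and which loader variables the child inherits; the version below hard-codes an absolute path and argument list, uses execve with no shell in between, and passes only a whitelisted environment. The path /sbin/iptables and the list of allowed variables are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The command is fixed at compile time: absolute path, fixed arguments, and no
 * shell in between, so nothing the caller controls reaches a command line. */
static char *const WRAPPED_CMD[] = { "/sbin/iptables", "-L", "-n", NULL };

/* Variables the child may inherit (assumed list). Everything else, including the
 * caller's PATH, IFS, LD_PRELOAD and LD_LIBRARY_PATH, is dropped. */
static const char *const ALLOWED_VARS[] = { "LANG", "TZ", NULL };
static const char *const FIXED_PATH = "PATH=/usr/sbin:/sbin:/usr/bin:/bin";

/* Build a clean environment in `out` (capacity `cap`, NULL-terminated): the fixed
 * PATH first, then only those entries of `in` whose name is in `allow`.
 * Returns the number of entries written. */
size_t build_clean_env(char *const *in, const char *const *allow, const char **out, size_t cap) {
    size_t n = 0;
    if (cap < 2) return 0;
    out[n++] = FIXED_PATH;
    for (; *in && n + 1 < cap; in++) {
        const char *eq = strchr(*in, '=');
        size_t len = eq ? (size_t)(eq - *in) : strlen(*in);   /* length of the variable name */
        for (const char *const *a = allow; *a; a++)
            if (strlen(*a) == len && strncmp(*a, *in, len) == 0) { out[n++] = *in; break; }
    }
    out[n] = NULL;
    return n;
}

extern char **environ;

int main(void) {
    const char *env[16];
    /* A setuid binary starts with euid 0 but the caller's real uid; become root
     * fully so the child is not influenced through the real or saved uid. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    build_clean_env(environ, ALLOWED_VARS, env, sizeof env / sizeof *env);
    execve(WRAPPED_CMD[0], WRAPPED_CMD, (char *const *)env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```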
End of tutorial
Q&A