linuxnet.txt
Ok so you got the cable and you connect both computers. Now try to ping the
other computer. Does it work? Good, you now have a working LAN.
If it doesn't, check whether a firewall is messing with the connection. To make sure the problem isn't the firewall, temporarily allow everything from the eth0 interface:
root@ExampleBox: ~# /sbin/ipchains -A input -i eth0 -j ACCEPT
If it wasn't that, make sure you are using a crossover cable and make sure your ethernet card is really working (ping the ethernet interface from
the same host, i.e. from the lo interface).
Now let's say that instead of just 2 hosts you want to make a LAN with 3
or 4. You could connect them directly to each other, well, actually you could
if you had enough NICs to give each pair its own interface so they can communicate 2 by 2,
but not even someone completely insane would do that. So you buy a HUB or a
Switch; the main difference between the two is that a HUB works by broadcast
and a Switch doesn't. HUBs are less expensive and they work fine in home LANs.
So now your network should be something like
Host 1 eth0 <--> HUB <--> eth0 Host 2
(192.168.0.1)     |       (192.168.0.2)
                  |
                 eth0
           Host 3 (192.168.0.3)
Using HUBs you don't need crossover cables; instead you use CAT 3
or CAT 5 cable depending on your LAN speed. CAT 3 works at 10 mbit/s, CAT 5 works
at 10/100 mbit/s. If you are having problems, do what was said about testing in the ethernet to ethernet connection example. (For the ones that are wondering what CAT stands for, it's not cat the animal, it's a category).
Congratulations, you now have a working LAN!!!
Making some configs
-------------------
Ok now let's say you ping the IP 192.168.0.2 from host 192.168.0.1 and
everything goes just fine, but what about if you ping using the
hostname instead of the IP? Unknown Host, right? Well, since we don't have any DNS server on our network ping can't resolve the hostname. So what we do is edit /etc/hosts, the alias file, and put something like
192.168.0.2 Hostname2
192.168.0.3 Hostname3
As mikestevens pointed out in the lecture, it is better to list the
FQDN (Fully Qualified Domain Name) before the hostname. Since we don't really
have a domain we'll call it local.
So our entries would now look like
192.168.0.2 Hostname2.local Hostname2
192.168.0.3 Hostname3.local Hostname3
Still, I don't use FQDNs on my LAN and never had problems. But some software might like to have the FQDN, well, it's up to you. If you don't put the FQDN, just remember that if you are having problems with some software, that might be it.
Now after editing you can give the alias Hostname2 and it will be
resolved into 192.168.0.2.
The same thing can be done for your network address (192.168.0.0): you just have to edit /etc/networks and add an entry like
192.168.0.0 MYLAN
IP masquerading
===============
What should I read?
-------------------
.IP masquerading howto
As usual /usr/doc dir or
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html
.ipchains howto
/usr/doc or
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
.ipchains man page
man ipchains
What is that?
-------------
IP masquerading is a NAT (Network Address Translation) system. But let's start from the beginning. When we were configuring the IP addresses I told you that we were using private ones: if you send a packet on the Internet to those IPs the routers won't know what to do, because those addresses are UNROUTABLE on the Internet.
Let's imagine that one of your boxes has dial-up access to the Internet, but you want all the LAN to have it. IP masquerade is your saviour. The IP masquerading host will operate like a router, pretending to be the host that is requesting the data from the internet, and when it gets the data it routes the packets to the internal IP address of our LAN box.
How does it work?
-----------------
Well basically a connection using IP masquerading is something like the
diagram below
INTERNET HOST <--ppp0--> masquerading host <---eth0---> masqueraded host
(204.12.41.42)    (195.35.12.33)   (192.168.0.1)        (192.168.0.3)
We'll get to the configuration of this baby soon, but first I want you to know how this really works.
The masqueraded host, for example, telnets to the INTERNET HOST, 204.12.41.42. Since it's configured to have the masquerading host as its gateway it sends the packet to it, expecting that it knows how to route it. The masquerading host receives a datagram like:
Source IP: 192.168.0.3
Destination IP: 204.12.41.42
Source Port: 1034
Destination Port: 23
rest of data
So what it does is open a new connection to the Destination IP
using a higher port, like 33567, as the new source port. It now changes the
datagram so it reads:
Source IP: 195.35.12.33
Destination IP: 204.12.41.42
Source Port: 33567
Destination Port: 23
rest of data
At the same time the masquerading host stores in a table, called the
masquerading table (in other words a database), the masqueraded host's IP, its
source port and the new connection's source port. So when it receives a
datagram on port 33567 that looks like:
Source IP: 204.12.41.42
Destination IP: 195.35.12.33
Source Port: 23
Destination Port: 33567
rest of data
The masquerading host will check its database and will see that for
its local port 33567 it has the masqueraded host 192.168.0.3 and port 1034,
so once more the masquerading host changes the datagram to look like:
Source IP: 204.12.41.42
Destination IP: 192.168.0.3
Source Port: 23
Destination Port: 1034
rest of data
And sends it to the masqueraded host, which will receive the data
thinking that it was talking directly to 204.12.41.42.
This is the principle of masquerading.
You are now thinking of services like ftp, where a new connection is
originated from the remote host. Well yes, that can give you trouble
with masquerading, after all it had to have some problems. But the good thing is that there are already kernel modules to support such services: FTP, IRC DCC, Real Audio and some others. The ones mentioned I managed to make work. The others I never tried.
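The telnet walk-through above as a small simulation, an added example and not code from the tutorial: a masquerading table keyed by the rewritten source port, the outbound rewrite, the reverse lookup on the reply, and what happens to a reply that has no table entry. The addresses are the tutorial's sample values; the starting port 33567 is the one the text uses (a real kernel allocates from its own range), and the Masquerader/Datagram names are made up for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class Masquerader:
    """Stand-in for the masquerading host: rewrites addresses and keeps
    the masquerading table (masq port -> masqueraded host ip/port)."""

    def __init__(self, external_ip, lan_prefix="192.168.0.", first_port=33567):
        self.external_ip = external_ip
        self.lan_prefix = lan_prefix  # the -s 192.168.0.0/24 side of the MASQ rule
        self.next_port = first_port   # 33567 as in the text; a kernel uses its own range
        self.table = {}               # masq port -> (lan ip, lan port)
        self.reverse = {}             # (lan ip, lan port, dst ip, dst port) -> masq port

    def outbound(self, d):
        """LAN -> Internet: rewrite the source to the external ip and a high port."""
        if not d.src_ip.startswith(self.lan_prefix) or d.dst_ip.startswith(self.lan_prefix):
            return d  # not LAN-to-Internet traffic: the MASQ rule does not match
        key = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        port = self.reverse.get(key)  # an existing connection keeps its entry
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (d.src_ip, d.src_port)
            self.reverse[key] = port
        return replace(d, src_ip=self.external_ip, src_port=port)

    def inbound(self, d):
        """Internet -> masquerading host: look the port up. None means there is
        no entry, so the packet is dropped instead of being sent into the LAN."""
        entry = self.table.get(d.dst_port)
        if d.dst_ip != self.external_ip or entry is None:
            return None
        lan_ip, lan_port = entry
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)


def walk_through():
    """The exchange from the text: (masqueraded request, demasqueraded reply, stray reply)."""
    masq = Masquerader("195.35.12.33")
    out = masq.outbound(Datagram("192.168.0.3", "204.12.41.42", 1034, 23))
    reply = Datagram("204.12.41.42", "195.35.12.33", 23, out.src_port)
    stray = Datagram("204.12.41.42", "195.35.12.33", 23, out.src_port + 1)  # nobody masqueraded this
    return out, masq.inbound(reply), masq.inbound(stray)
```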
Configuration
--------------
.On the box that will be masquerading:
You have to re-compile your kernel with IP masquerading support and also
with firewall support.
Networking options -->
(...)
[*] IP: firewalling
[*] IP: Masquerading
--- Protocol-specific masquerading support will be built as modules.
[*] IP: ICMP masquerading
--- Protocol-specific masquerading support will be built as modules
(...)
Now you compile; if you never re-compiled before it's better to check the
Kernel HOWTO (http:// ) and boot up with the new kernel. After this there
is just one more thing: set the ipchains rule to masquerade packets
coming from your LAN that are going to internet hosts.
root@ExampleBox: ~# /sbin/ipchains -A forward -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQ
If you already have a firewall script just add that line to your script,
otherwise check the firewall script example in the security section, or just type the command from the example on your console.
Just one more thing: IP forwarding is disabled by default, so for all this to
work you have to echo "1" > /proc/sys/net/ipv4/ip_forward.
.On the masqueraded hosts
You have to add a default route using the masquerading host as gateway.
192.168.0.1 being the IP of the masquerading host, you would type:
root@ExampleBox: ~# /sbin/route add default gateway 192.168.0.1
Besides of this you need to add the following entries to the file
/etc/resolv.conf
search ISP.com
nameserver IP
where:
ISP.com is your ISP domain, like telepac.pt, freeisp.com, teleweb.au...
IP is the ip of your ISP DNS server
And you're done with configuration. You can now test IP masquerading on your
network. Do the following tests from a masqueraded host:
. ping masquerading host internal IP
. ping masquerading host external IP
. ping an external IP
. ping the same host but using hostname
. browse to a site
If it fails on the 1st you don't even have the network set up correctly,
check the LAN section. If it doesn't ping external IPs, check that you really
added a default route: if you get an error message like IP: No route to host,
the default route wasn't set or it's misconfigured, re-check this section.
If it pings external IPs but doesn't work with hostnames, you didn't set
your DNS server in /etc/resolv.conf, re-check this section.
Congratulations, you now have IP masquerading working on your LAN!!!
Security
--------
Even having your internal LAN protected by NAT, it's always good to
implement a good security policy on your internet gateway; ipchains, or the
new iptables for kernel 2.4.x, will help you with this. Besides, you already
needed to use it since you need to set up the masquerading. This is by no
means a section about ipchains; if you wanna learn about ipchains check its
howto and man page.
Script follows
#!/bin/sh
# Example ipchains Script
# By Ghost_Rider
# For linux networking tutorial
IPCHAINS="/sbin/ipchains"
DNSSERVER="PUT UR DNS SERVER HERE"
# flush rules
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward
# Set policies (ipchains target names are upper case)
$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward DENY
# Accept all local traffic
$IPCHAINS -A input -i lo -j ACCEPT
$IPCHAINS -A input -i eth0 -j ACCEPT
# Deny private addresses coming from ppp0
# Attempts at spoofing to use our host to masquerade
$IPCHAINS -A input -i ppp0 -s 10.0.0.0/8 -j DENY
$IPCHAINS -A input -i ppp0 -s 172.16.0.0/12 -j DENY
$IPCHAINS -A input -i ppp0 -s 192.168.0.0/24 -j DENY
# Let's set IP Masquerading
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPCHAINS -A forward -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQ
# Replies to masqueraded connections go through the input chain BEFORE they
# are demasqueraded, so with an input policy of DENY they must be let in here:
# TCP packets that are not SYNs (no new connections) and UDP to the kernel's
# masquerading port range (61000-65096 on 2.2 kernels)
$IPCHAINS -A input -i ppp0 -p tcp ! -y -j ACCEPT
$IPCHAINS -A input -i ppp0 -p udp --dport 61000:65096 -j ACCEPT
# Allow DNS
$IPCHAINS -A input -i ppp0 -p tcp -s $DNSSERVER --sport 53 -j ACCEPT
$IPCHAINS -A input -i ppp0 -p udp -s $DNSSERVER --sport 53 -j ACCEPT
# Reject auth so you don't have to wait till timeout when sending mails
$IPCHAINS -A input -i ppp0 -p tcp --dport 113 -j REJECT
# Allow the ICMP types we need. With ipchains the ICMP type goes in the
# source port field (the destination port field is the ICMP code)
# 0 = echo reply
# 3 = Destination unreachable
# 11 = time exceeded
$IPCHAINS -A input -i ppp0 -p icmp --sport 0 -j ACCEPT
$IPCHAINS -A input -i ppp0 -p icmp --sport 3 -j ACCEPT
$IPCHAINS -A input -i ppp0 -p icmp --sport 11 -j ACCEPT
# Log everything else (and deny it, as the input policy already does)
$IPCHAINS -A input -i ppp0 -l -j DENY