\chapter{Practical TCP/IP} \label{cha:practical-tcpip} {\mns \subsection{Objectives} After completing this module you should be able to understand and utilise: \begin{itemize} \item Firewalling principles \item Basic firewalling with {\pgn ipchains} %% IMPROVEME: kernel 2.4. replaces ipchains? Keep an eye on this (LW) \item Network/routing debugging procedures \item Interface configuration under Linux \item The secure shell ({\cmdn sshd}, {\cmdn ssh}, and {\cmdn scp}) \end{itemize} \section{Ping Protocols} \begin{itemize} \item {\cmdn ping} used to test network/host availability \item A little about its implementation \begin{itemize} \item Uses ICMP protocol \item Send requests of type {\em echo-request} \item Receives answer {\em echo-reply} \end{itemize} \end{itemize} \section{Network Statistics ({\pgn netstat}) in Practice} \label{sec:netstat-in-practice} \begin{itemize} \item Show network status; many options \item Most useful: {\cmdn -r} and {\cmdn -n} flags (show routes, numeric addresses only) {\myts \begin{verbatim} $ netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 1500 0 0 eth0 202.80.80.0 192.168.0.1 255.255.255.0 UG 1500 0 0 eth0 192.100.100.0 192.168.0.1 255.255.255.0 UG 1500 0 0 eth0 194.217.100.0 192.168.0.143 255.255.255.0 UG 1500 0 0 eth0 192.168.1.0 192.168.0.1 255.255.255.0 UG 1500 0 0 eth0 192.168.3.0 192.168.0.1 255.255.255.0 UG 1500 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 3584 0 0 lo \end{verbatim}}%$ \end{itemize} \begin{itemize} \item Note `gateway` above \begin{itemize} \item route to networks 202.80.80.0, 192.100.100.0, 192.168.1.0 and 192.168.3.0 use gateway 192.168.0.1 \item 192.168.0.1 is a gateway (router) which knows how to access those networks \item route to network 194.217.100.0 is via gateway at 192.168.0.143 \end{itemize} \item Often see destination of 0.0.0.0 \begin{itemize} \item `default` route \item send all otherwise unrouteable packets to designated gateway \end{itemize} \item {\em Iface} column shows which interface will be used \item Note interface for 127.0.0.0 --- `loopback` interface; the host itself \end{itemize} \section{{\pgn netstat} (continued)} \begin{itemize} \item Also show information about connected sockets \item {\pgn netstat -a} shows no. of active connections (useful for seeing system load) \item {\myts \begin{verbatim} Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:6000 *:* LISTEN tcp 0 0 linux.gazcl:domain *:* LISTEN tcp 0 0 localhost:domain *:* LISTEN tcp 0 0 *:linuxconf *:* LISTEN tcp 0 0 *:auth *:* LISTEN tcp 0 0 *:finger *:* LISTEN raw 0 0 *:icmp *:* 7 raw 0 0 *:tcp *:* 7 Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 1 [ ] STREAM CONNECTED 8937 @00000082 unix 1 [ ] STREAM CONNECTED 8906 @0000007b unix 1 [ ] STREAM CONNECTED 8933 @00000081 unix 0 [ ACC ] STREAM LISTENING 327 /dev/log unix 1 [ ] STREAM CONNECTED 8949 @00000086 unix 1 [ ] STREAM CONNECTED 8926 @0000007f unix 1 [ ] STREAM CONNECTED 8644 @00000059 \end{verbatim}} \end{itemize} \section{{\pgn netstat} --- Further Examples} \begin{itemize} \item Configured interfaces \item {\pgn netstat -i} {\myts \begin{verbatim} Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 0 0 0 0 0 3107 0 0 0 BRU lo 3924 0 1035 0 0 0 1035 0 0 0 LRU \end{verbatim}} \item {\pgn netstat -p} shows processes listening on each socket~\footnote{Only supported in more recent versions} \begin{itemize} \item Includes PID \item Useful to kill processes hogging key ports \end{itemize} \end{itemize} {\myts \begin{verbatim} $ netstat -pn Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/name tcp 0 0 10.0.0.1:1025 10.0.0.2:telnet ESTABLISHED 443/telnet tcp 0 0 10.0.0.1:1024 10.0.0.3:telnet ESTABLISHED 442/telnet tcp 0 0 10.0.0.1:1023 10.0.0.4:ssh ESTABLISHED 432/ssh Active UNIX domain sockets (w/o servers) Proto RefCnt Flags Type State I-Node PID/Program name Path unix 1 [ ] STREAM CONNECTED 662 432/ssh @00000037 unix 1 [ ] STREAM CONNECTED 591 388/login -- lee @0000002f \end{verbatim}}%$ \section{Network Traffic ({\pgn tcpdump}) in Practice} \label{sec:tcpdump-in-practice} \begin{itemize} \item Used to monitor network traffic \begin{itemize} \item Need sufficient privilege to monitor devices \end{itemize} \item Can show only particular information \begin{itemize} \item Traffic to/from a particular host \item Traffic on a certain port \item Certain types of traffic, e.g. TCP, ARP, UDP \end{itemize} \item Very configurable \begin{itemize} \item Decide what you want to do \item Then look at manual page \end{itemize} \end{itemize} \section{{\pgn tcpdump} Options} \begin{itemize} \item Some options \begin{tabular}[t]{|l|>{\PBS\rr}p{303pt}|} \hline {\cmdn -i} & Says which network {\em interface} to show\\ \hline {\cmdn -n} & Print IP addresses {\em not names} \\ \hline {\cmdn -N} & Don't print domain name of address \\ \hline {\cmdn -t} & Don't print {\em timestamp} \\ \hline {\cmdn -q} & Show only minimal output ({\em quiet})\\ \hline {\cmdn -v} & {\em Verbose} info (time-to-live etc.) \\ \hline \end{tabular} \end{itemize} \section{{\pgn tcpdump} Examples} {\myts \begin{verbatim} $ tcpdump dst host 192.168.0.143 -i eth0 -n -t tcpdump: listening on eth0 192.168.0.131 > 192.168.0.143: icmp: echo request 192.168.0.131 > 192.168.0.143: icmp: echo request arp who-has 192.168.0.143 tell 192.168.0.131 192.168.0.131 > 192.168.0.143: icmp: echo request 192.168.0.131.1026 > 192.168.0.143.telnet: S 73945916:73945916(0) win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: . ack 3134108710 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: P 0:27(27) ack 1 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: . ack 13 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: P 27:35(108) ack 5 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: P 35:38(3) ack 55 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: P 38:41(3) ack 125 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: . ack 132 win 32120 (DF) 192.168.0.131.1026 > 192.168.0.143.telnet: P 41:42(1) ack 132 win 32120 (DF) \end{verbatim}}%$ {\myts \begin{verbatim} $ tcpdump dst host 192.168.0.143 -i eth0 -N -q tcpdump: listening on eth0 09:56:32.947997 landlord.mysql > samosa.5660: tcp 166 (DF) 09:56:32.955822 landlord.mysql > samosa.5660: tcp 166 (DF) 09:56:32.963597 landlord.mysql > samosa.5660: tcp 182 (DF) 09:56:32.970917 landlord.mysql > samosa.5660: tcp 166 (DF) 09:56:32.979341 landlord.mysql > samosa.5660: tcp 166 (DF) 09:56:32.987218 landlord.mysql > samosa.5660: tcp 166 (DF) 09:56:32.995902 landlord.mysql > samosa.5660: tcp 555 (DF) \end{verbatim}}%$ \section{Firewalling} \label{sec:firewalling} \begin{itemize} \item Allows you to protect your machine \begin {itemize} \item As well as machines {\em behind} them \end{itemize} \item Checks packet headers before acting on them \begin{itemize} \item Can ignore, reject or accept packets \item Makes decision based on source, destination, or packet type \begin{itemize} \item Or a combination \end{itemize} \end{itemize} \item Set up using {\cmdn ipchains} under kernel 2.2 \begin{itemize} \item Older kernels used {\cmdn ipfwadm} \end{itemize} \end{itemize} \section{Basic Theory} \label{sec:basic-firewall-theory} \begin{itemize} \item Two main considerations \begin{itemize} \item Port Filtering \item Host Filtering \end{itemize} \item Block services you don't need \item Limit services you {\em do} need to specific machines/networks \end{itemize} \section{Basic Theory (continued)} \begin{itemize} \item Firewalling can be done with {\pgn inetd} \begin{itemize} \item {\fn /etc/hosts.allow} \item {\fn /etc/hosts.deny} \item {\fn /etc/inetd.conf} \end{itemize} \item Flaw in {\pgn inetd} would still let things through \item Best to drop the packets as soon as possible \begin{itemize} \item Kernel-level filtering \end{itemize} \end{itemize} \section{{\pgn ipchains}} \label{sec:ipchains} \begin{itemize} \item Packet filtering set up using {\pgn ipchains} \item All the filtering is done in the kernel \begin{itemize} \item Not by {\cmdn ipchains} \item {\cmdn ipchains} just sets up/modifies the rules \end{itemize} \item All packets entering and leaving are examined~\footnote{Including loopback traffic which conceptually leaves the machine} \end{itemize} \section{{\pgn ipchains} Details} \begin{itemize} \item Every packet goes through one or more `{\em chains}' \begin{itemize} \item A `chain' is a set of rules \item Rules can accept, reject, or deny a packet \begin{itemize} \item Can also send it to another chain \end{itemize} \end{itemize} \item Three default chains, {\em input}, {\em output}, {\em forward} \begin{itemize} \item If a packet passes through a default chain without matching: \begin{itemize} \item Fate is determined by the chains {\em policy} \item Can be {\em Accept}, {\em deny}, or {\em reject} \end{itemize} \item If it reaches the end of a user defined chain \begin{itemize} \item Carries on where it left off \end{itemize} \end{itemize} \item {\em forward} is for IP masquerading systems \begin{itemize} \item Not covered here \end{itemize} %% FIXME: We should have a diagram of chains here (LW) Similar to /usr/doc/ipchains-1.3.9/HOWTO.html \end{itemize} \section{{\pgn ipchains} Options} \begin{itemize} \item Dealing with chains: \begin{tabular}[t]{|l|>{\PBS\rr}p{313pt}|} \hline {\cmdn -N} & Create a new chain \\ \hline {\cmdn -X} & Delete an empty chain\\ \hline {\cmdn -P} & Change the policy for a chain\\ \hline {\cmdn -L} & List the rules in a chain\\ \hline {\cmdn -F} & Flush (delete) all rules from a chain\\ \hline \end{tabular} \\[20pt] \item Dealing with rules: \begin{tabular}[t]{|l|>{\PBS\rr}p{313pt}|} \hline {\cmdn -A} & Append a rule to a chain \\ \hline {\cmdn -D} & Delete a single rule from a chain\\ \hline {\cmdn -I} & Insert a rule at some point in a chain\\ \hline \end{tabular} \end{itemize} \section{Options For Rules} \begin{itemize} \item Use the following to specify packets to match \begin{tabular}[t]{|l|>{\PBS\rr}p{250pt}|} \hline {\cmdn -s} & Source address \\ \hline {\cmdn -d} & Destination address \\ \hline {\cmdn -p} & Protocol ({\cmdn TCP}, {\cmdn UDP}, {\cmdn ICMP}) \\ \hline {\cmdn -j {\usb chain}} & Jump to chain/action \\ \hline {\cmdn \verb|--|sport} & Source Port \\ \hline {\cmdn \verb|--|dport} & Destination Port \\ \hline \end{tabular} \end{itemize} \section{{\pgn ipchains} --- Examples} \begin{itemize} \item In most cases default chains will be sufficient \item To block all {\pgn ping} requests to our machine: {\myts \begin{verbatim} $ ipchains -A input -p icmp -s 0.0.0.0/0 \ > --icmp-type echo-request -j DENY $ ipchains -L input Chain input (policy ACCEPT): target prot opt source destination ports DENY icmp ------ anywhere anywhere echo-request \end{verbatim}} \item To block outgoing {\pgn ping} packets: {\myts \begin{verbatim} $ ipchains -A output -p icmp -d 0.0.0.0/0 \ > --icmp-type echo-request -j DENY $ ipchains -L output Chain output (policy ACCEPT): target prot opt source destination ports DENY icmp ------ anywhere anywhere echo-request $ ping -c1 landlord PING landlord.gbdirect.co.uk (192.168.0.129): 56 data bytes ping: sendto: Operation not permitted ping: wrote landlord.gbdirect.co.uk 64 chars, ret=-1 --- landlord.gbdirect.co.uk ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss \end{verbatim}}%$ \item Very simple examples but they show the theory \end{itemize} \section{Removing Rules} \begin{itemize} \item Rules can be removed by {\em number}, e.g. to delete the first rule in the {\em input} chain: {\myss \begin{verbatim} $ ipchains -D input 1 \end{verbatim}}%$ \item or definition, e.g. delete the {\em first} matching rule: {\myfs \begin{verbatim} $ ipchains -D output -p icmp -d 0.0.0.0/0 --icmp-type echo-request -j DENY \end{verbatim}} \item To clear an entire chain use: {\myss \begin{verbatim} $ ipchains -F chainname \end{verbatim}} \item If no {\cmdn chainname} is given, it clears all chains \end{itemize} \section{Implementing ipchains} \begin{itemize} \item The rules are normally set up in the machines `init scripts' \item Typically by creating a script in {\fn init.d} that is run just before networking starts \begin{itemize} \item Example in section \ref{sec:ipchains-setup-script} \end{itemize} \item Ensure you flush existing rules first (just in case): \begin{quote} {\cmdn \$ ipchains -F} \end{quote} \item Generally start with the DENY rules then add what you want \item Maximum security \end{itemize} \section{Save and restore} \begin{itemize} \item Often useful to create a firewalling {\em `config file'} \item {\pgn ipchains-save} outputs a text file you can store \begin{verbatim} [Setup firewall rules as you want] $ ipchains-save > /etc/ip.rules Saving `input'. Saving `forward'. Saving `output'. $ \end{verbatim} \item Can reinitialise your firewalling with {\pgn ipchains-restore} and your `config file', e.g. \begin{verbatim} $ ipchains-restore < /etc/ip.rules $ \end{verbatim} \item Usually done in a startup script \end{itemize} \section{{\pgn ipchains} setup script} \label{sec:ipchains-setup-script} \begin{itemize} \item A sample script may look like: \end{itemize} {\myfs \begin{verbatim} #! /bin/sh # Script to control packet filtering. # If no rules, do nothing. # Altered from the ipchains HOWTO [ -f /etc/ipchains.rules ] || exit 0 case "$1" in start) echo -n "Turning on packet filtering:" /sbin/ipchains-restore < /etc/ipchains.rules || exit 1 echo "." ;; stop) echo -n "Turning off packet filtering:" /sbin/ipchains -X /sbin/ipchains -F /sbin/ipchains -P input ACCEPT /sbin/ipchains -P output ACCEPT /sbin/ipchains -P forward ACCEPT echo "." ;; restart) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 \end{verbatim}} \section{Real World {\pgn ipchains}} \begin{itemize} \item Connect out to a host but not in {\myfs \begin{verbatim} $ ipchains -A input -d 192.168.0.131/32 -p TCP -y -j DENY \end{verbatim}}%$ \item {\cmdn -y} limits matching to packets with the SYN bit set \begin{itemize} \item Used when establishing connections \end{itemize} \item No-one can open a connection from {\cmdn 192.168.0.131} \begin{itemize} \item Can still connect to it from here {\ldots} \end{itemize} \end{itemize} \section{Interface Configuration and Management} \label{sec:interface-config-and-manage} \begin{itemize} \item An interface is a point of connection to a network \item Usually a single device \begin{itemize} \item Network card \item PPP link \end{itemize} \item A device can have more than one interface \begin{itemize} \item Referred to as `aliases' \item Commonly used for virtual web sites \end{itemize} \end{itemize} \section{Point-and-Click Interface Administration} \begin{itemize} \item Number of ways to add/edit interface details \begin{itemize} \item Linuxconf \item Redhat {\pgn control-panel} \item {\em `By hand!'} \end{itemize} \item For most cases you can probably use one of the two graphical methods \item Useful to understand the configuration files behind it all \item See the \emph{Linux Network Administrator's Guide} at \url{http://www.linuxdoc.org/LDP/nag2/} for much there is to know about this. \end{itemize} \section{{\fn /etc/sysconfig/network-scripts}} %% FIXME: These couple of foils are RH only, we should remove/genericise these ... (LW) \begin{itemize} \item Directory containing scripts and config files~\footnote{This applies to RedHat only, you should see section~\ref{sec:proper-way} for information on other distributions} \item {\fn ifup} \& {\fn ifdown} activate/deactivate an interface \item Argument specifies interface to act on, e.g. \begin{verbatim} $ ifdown eth0 \end{verbatim}%$ \item {\fn ifcfg-eth*} are config files for each interface \begin{itemize} \item Should be numbered sequentially from 0 \begin{itemize} \item {\fn ifcfg-eth0} is the first interface \end{itemize} \item Files ending in {\fn :n} (where {\cmdn n} is a number) are aliases \begin{itemize} \item {\fn ifcfg-eth0:0} is the first alias for the first interface \end{itemize} \end{itemize} \end{itemize} \section{{\fn ifcfg-ethx}} \begin{itemize} \item Describes characteristics of a given interface \begin{itemize} \item What device it should be known as ({\cmdn DEVICE}) \item IP address, network, and netmask ({\cmdn IPADDR}, {\cmdn NETWORK}, {\cmdn NETMASK}) \item Whether it is activated at boot time ({\cmdn ONBOOT}) \item Whether it can be controlled by normal users ({\cmdn USERCTL}) \end{itemize} \item Example: \begin{verbatim} DEVICE=eth0 IPADDR=192.168.0.129 NETMASK=255.255.255.0 NETWORK=192.168.0.0 BROADCAST=192.168.0.255 ONBOOT=yes BOOTPROTO=none USERCTL=no \end{verbatim} \end{itemize} \section{Altering An Interface} \begin{itemize} \item It is perfectly allowable to alter interfaces while the system is running \item Requires only minimal disruption to network connectivity \begin{itemize} \item Not a reboot \end{itemize} \item Two simple steps \begin{enumerate} \item Make alterations (by hand or through GUI) \item Restart networking \end{enumerate} \item Networking is just another service \begin{itemize} \item {\cmdn /etc/rc.d/init.d/network restart} %FIXME: Check this is right for debian ... \item {\cmdn /etc/init.d/network restart} \end{itemize} \end{itemize} \section{Adding an Interface} \begin{itemize} \item Adding an alias is even easier! \begin{enumerate} \item Add the alias \item Activate it \end{enumerate} \item Example: Add the following to {\fn /etc/sysconfig/network-scripts/ifcfg-eth0:0} \begin{verbatim} DEVICE=eth0:0 USERCTL=no ONBOOT=yes BOOTPROTO=none BROADCAST=192.168.0.255 NETWORK=192.168.0.0 NETMASK=255.255.255.0 IPADDR=192.168.0.141 \end{verbatim} \item Then execute \begin{verbatim} $ ifup eth0:0 \end{verbatim}%$ \end{itemize} \section{The `Proper' Way} \label{sec:proper-way} \begin{itemize} \item Previous examples use scripts (not always provided) \item You can do everything manually \item Add an alias: \\ {\myss {\cmdn /sbin/ifconfig eth0:0 192.168.0.128}} \item Check with {\cmdn ifconfig} that it succeeded \item Setup routing to that interface:\\ {\myss {\cmdn /sbin/route add -host 192.168.0.128 dev eth0:0}} \item Removing an alias: \begin{itemize} \item {\myss {\cmdn /sbin/ifconfig eth0:0 down}} \item {\myss {\cmdn /sbin/route del 192.168.0.128}} \end{itemize} \item Adding an interface is similar \ldots \item Probably want to add a route to the entire network not just the host \\ {\myss {\cmdn /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1}} \end{itemize} \section{Drivers} \begin{itemize} \item Network drivers invariably handled by kernel modules \begin{itemize} \item PCI NE2000 card handled by {\cmdn ne2k-pci.o} \end{itemize} \item Kernel cannot tell which module should be used by which interface \begin{itemize} \item module loader uses lines from {\fn /etc/modules.conf} (older: {\fn /etc/conf.modules}), e.g., \begin{verbatim} alias eth0 ne alias eth1 ne options ne io=0x320,0x340 irq=2,12 \end{verbatim} \item Above says that interfaces {\cmdn eth0} and {\cmdn eth1} handled by {\cmdn ne} module (NE2000 ISA) \item Options line is module-specific; permits port/IRQ specification if not autodetected: this is common for old ISA cards. \end{itemize} \end{itemize} \section{The Secure Shell in Practice ({\pgn ssh})} \label{sec:ssh-in-practice} \begin{itemize} \item How you use {\cmdn ssh} varies across systems \item Some require stricter authentication than others \item For example, within a secure environment it may not require a password \begin{itemize} \item Works on `trusted host' concept \item \emph{Much} better than {\cmdn rsh} due to encryption and server key authentication \end{itemize} \item Can often be used as a drop-in replacement for {\cmdn rsh} or {\cmdn telnet} \item Has numerous advantages \ldots \begin{itemize} \item Sets up forwarding of X connections \item Can compress the data sent \item No passwords sent in plain text (and hence trivially read by others) \item Not trivially hijacked using {\pgn hunt} (from \url{http://lin.fsid.cvut.cz/~kra/}) and other such tools \end{itemize} \end{itemize} \section{Secure Copying in Practice ({\pgn scp})} \label{sec:scp-in-practice} \begin{itemize} \item Replacement for {\cmdn rcp} \item Much more secure \begin{itemize} \item Encrypts all traffic \item Uses same authentication as {\cmdn ssh} \end{itemize} \item Can copy local to remote, remote to local or remote to remote \item Example: {\myss \begin{verbatim} $ scp localfilename user@remotehost:remotefilename \end{verbatim}}%$ \end{itemize} \section{Summary} \label{sec:practical-tcpip-summary} \begin{itemize} \item Wide range of network utilities available \begin{itemize} \item Both maintenance and user-orientated \end{itemize} \item {\em Very} flexible system \begin{itemize} \item Can be hard to setup/maintain \end{itemize} \item Pros outweigh cons \item Common jobs become second nature \end{itemize} {\normalsize \section{Exercises} %% FIXME: Split long questions into sections and add new questions, still to do (LW) %% FIXME: Also enumerate them! (LW) \begin{enumerate} \item Network tools \begin{enumerate} \item Use {\cmdn netstat -rn} to investigate the routes on your network. Explain each line of entry to a colleague. \item Read the man page for {\cmdn tcpdump}. Use it to monitor traffic on your host's network interface whilst other hosts are pinging each other. \end{enumerate} \item {\cmdn ipchains} \begin{enumerate} \item Use ipchains to set up the following configurations. In each case you should first set up the system by hand, check it. Then set it up so that the firewall rules are in place when the machine reboots. \begin{enumerate} \item Block all incoming ICMP packets \item Block only incoming ICMP `echo-request' packets \item Block all incoming telnet connections \item Block {\em all} telnet connections \item Block all outgoing web requests (Port 80) \end{enumerate} \end{enumerate} \item Network configuration \begin{enumerate} \item Using one of the admin tools ({\pgn linuxconf} or {\pgn control-panel} etc.) add an alias on your network interface so that your host can masquerade as some other host. DO NOT DO THIS IF YOU ARE NOT SURE YOU ARE USING A SPARE IP ADDRESS. Investigate what {\cmdn ifconfig} and {\cmdn netstat -rn} now report. Check that you can ping the alias from another host on the network. \item If possible, fit an extra network card to one of the hosts (host b) and configure it to be on a different network. Check it can be pinged from its own host. Go to another host (host a) on the original network and add a route to host b's new interface, using as a gateway host b's original network interface. Check that you can ping it and then use {\cmdn traceroute} to see the path taken by packets. Host b will have to have IPV4 forwarding enabled for this to work. Ask the tutor about which machine will be set up for this. \end{enumerate} \end{enumerate} \section{Solutions} \begin{enumerate} \item \begin{enumerate} \item If you don't understand the output check section~\ref{sec:netstat-in-practice} or the {\pgn netstat} manpage \item {\cmdn tcpdump -i eth0} should monitor all network traffic. If you want to see the traffic to a particular host use {\cmdn tcpdump dst host 10.0.0.3} \end{enumerate} \item \begin{enumerate} \item The following are the list of rules needed to satisfy each situation. You should flush the chains before each one ({\cmdn ipchains -F}). \begin{enumerate} \item {\cmdn ipchains -A input -p icmp -j DENY} \item {\cmdn ipchains -A input -p icmp \verb|--|icmp-type echo-request -j DENY} \item {\cmdn ipchains -A input -p tcp -d 127.0.0.1 \verb|--|dport telnet -j DENY}\\ {\cmdn ipchains -A input -p tcp -d 192.168.0.131 \verb|--|dport telnet -j DENY} \item {\cmdn ipchains -A output -p tcp -d 0/0 \verb|--|dport telnet -j DENY} {\cmdn ipchains -A input -p tcp -s 0/0 \verb|--|dport telnet -j DENY} \item {\cmdn ipchains -A output -p tcp -d 0/0 \verb|--|dport www -j DENY} \end{enumerate} \end{enumerate} \item \begin{enumerate} \item - \item Ask the tutor for details. \end{enumerate} \end{enumerate} } % end mns from chapter start } % end normalsize from start of Exercises %%% Local Variables: %%% mode: latex %%% TeX-master: "planet_intermediate_0-0_masterfile" %%% End: