Ergwave Cuhk

  • Uploaded by: lamkakaka
  • May 2020
  • PDF

The router assignment SunMoon

Internet Sharing

Why?
  • Your ISP gives you a single IP addr (the external IP addr)
  • But you can't assign this single addr to all your PCs

How?
  • Build a private network
  • Set up a PC in the network that takes that IP and helps the other PCs access the Internet
  • This is the gateway of your network; your router basically acts like a gateway

Internet Sharing

Build a private network
  • Your PCs are given IP addrs that belong to a private subnet (e.g. 192.168.1.0/24)
  • You should use a "DHCP server" to assign IP addrs automatically, but for now assume you set them up manually (using ifconfig)

Internet Sharing

Setup the gateway
  • First it should forward packets between the private network and the Internet

    # echo 1 > /proc/sys/net/ipv4/ip_forward

  • But your PCs are using private IP addrs
  • So you need to set up NAT on the gateway

Internet Sharing

Setup NAT on gateway
  • What should the NAT do?
    Replace the "src addr" of out-going packets with the external IP addr
  • iptables helps you do the trick
  • In iptables, the table "nat" is for this purpose
  • You need to alter the "POSTROUTING" chain

[Figure: packet path through the nat table: PREROUTING chain -> Routing Rules -> POSTROUTING chain]

Internet Sharing

Setup iptables for NAT
  • Add the masquerading rule to the POSTROUTING chain:

    iptables -t nat -A POSTROUTING -d ! 192.168.1.0/24 -s -p tcp -j MASQUERADE

  • To list the rules in the "nat" table (-n gives a faster result by eliminating DNS lookups):

    iptables -t nat -L -n

Other iptables options
  • iptables -t nat -F: clear the table
  • iptables -t nat -D POSTROUTING 1: delete the first rule in the POSTROUTING chain
  • iptables -t nat -R POSTROUTING 2 …: replace the 2nd rule with a new one
  • iptables -t nat -I PREROUTING 3 …: insert a rule between the 3rd and 4th rule

Internet Sharing
  • The above slides are about the gateway; how about the other PCs?
  • They should know who will forward the packets for them
  • This is done by setting the gateway address:

    route add default gw 192.168.1.1

Internet Sharing

Now the Internet Sharing part is completed. You can now share the Internet connection among your home PCs! Your homebrew router has got its basic function.

Port forwarding
  • Say you are hosting a web server at PC A
  • You want to open the server to people outside your network
  • They contact your server at <external IP address, port 80>
  • Your router should decide which PC should receive the packet
  • Change the dst address of the IP packet and forward the packet to the destination PC
  • NAT again!

Port forwarding
  • Similar to the previous rule, but we now change the dst IP addr instead of the src one
  • Which chain to modify? PREROUTING or POSTROUTING?
  • The dst IP addr is modified before the packet is routed, so the answer is: PREROUTING

    iptables -t nat -A PREROUTING -d 137.189.90.91 -s ! 192.168.1.0/24 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.78

[Figure: packet path through the nat table: PREROUTING chain -> Routing Rules -> POSTROUTING chain]

Packet filtering

An example:
  • Suppose you want to stop your family members from connecting to a hazardous host
  • Then your router should drop IP packets that head to that host
  • iptables can do this for you

The "filter" table controls the transmission of packets that are…
  • headed for the router
  • originated from the router
  • forwarded through the router (i.e. the conversation between the home PCs and outsiders)

Packet filtering
  • There are three chains in the "filter" table
  • For traffic that neither originated from nor is headed to the router, modify the FORWARD chain

[Figure: packet paths through the router: packets from LAN or WAN -> PREROUTING -> Routing Rules; from there either FORWARD -> POSTROUTING -> packets to LAN or WAN, or INPUT -> Router's Local Processes -> OUTPUT -> POSTROUTING]

ERGWAVE-style login system

The desired feature:
  • Internet sharing is only for authenticated users
  • Upon browsing external pages, non-authenticated users are redirected to the login page
  • After successful login, the users are redirected back to the external pages

There are three problems:
  • How do you redirect users to the login page?
  • How do you NOT redirect authenticated users to the login page?
  • How do you bring users back to the external pages?

ERGWAVE-style login system

Problem 1 – Redirection to login page
  • Like port forwarding, we use DNAT to modify the dst addr (and port if needed) of packets from home PCs
  • Add a rule to the PREROUTING chain to modify the dst addr to the router IP
  • The Apache server on the router should respond to the request
  • But note that the URL (document path) in the HTTP request packet is left unchanged
    e.g. http://company_a.com/file.txt --> http://192.168.1.1/file.txt
    Your Apache server will blame you with error 404
  • You should set up a different web server to handle this
    Set up a new Apache virtual host (covered in the last tutorial), or
    Write a simple web server (sample code released)
  • Method of redirection: HTTP response 302 -- Moved temporarily (try to Google the protocol)

ERGWAVE-style login system

Problem 2 – Avoid redirection
  • The IP addresses of authenticated users are known
  • The redirection rule should be by-passed
  • Insert a rule into the PREROUTING chain, before the redirection rule
    Rules in a chain are executed from top to bottom

    iptables -t nat -I PREROUTING 1 ….

  • This rule checks if the IP addr is authenticated; if so, let the packet through and ignore the remaining rules
  • You may use "-j ACCEPT" (or "-j RETURN", which relies on the default policy of the chain)
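Added example for Problem 2 (not the tutorial's code): a small Python model of the nat PREROUTING chain, just enough to show why the bypass for an authenticated IP must be inserted above the DNAT redirect rule, since an appended ACCEPT rule never gets a chance to match. The LAN prefix, router address and port-80 match are assumptions; the rendered commands use the current `! -d` negation syntax.

```python
# Added example, not from the tutorial: a minimal model of the nat PREROUTING
# chain.  Like iptables, rules are tried top to bottom and the first matching
# rule with a terminating target (ACCEPT or DNAT) decides the packet.
LAN = "192.168.1."          # assumed private subnet prefix (192.168.1.0/24)
ROUTER_IP = "192.168.1.1"   # assumed router address hosting the login page

class Rule:
    def __init__(self, match, target, arg=None, spec=""):
        self.match, self.target, self.arg, self.spec = match, target, arg, spec

def redirect_rule():
    """The Problem 1 rule: LAN -> outside, port 80, DNAT to the router."""
    def match(pkt):
        return (pkt["src"].startswith(LAN) and not pkt["dst"].startswith(LAN)
                and pkt["dport"] == 80)
    return Rule(match, "DNAT", ROUTER_IP,
                "-s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp --dport 80 "
                "-j DNAT --to-destination " + ROUTER_IP)

def bypass_rule(ip):
    """The Problem 2 rule for one authenticated IP."""
    return Rule(lambda pkt: pkt["src"] == ip, "ACCEPT", None,
                "-s " + ip + " -j ACCEPT")

def prerouting(chain, pkt):
    """Destination the packet has after traversing the chain."""
    for rule in chain:
        if rule.match(pkt):
            return rule.arg if rule.target == "DNAT" else pkt["dst"]
    return pkt["dst"]        # no match: the chain's default policy (ACCEPT)

def insert(chain, position, rule):
    """iptables -t nat -I PREROUTING <position> ... (1-based, like iptables)."""
    chain.insert(position - 1, rule)

def as_command(rule, position=None):
    """Render a rule as the iptables command line that would install it."""
    where = "-I PREROUTING %d" % position if position else "-A PREROUTING"
    return "iptables -t nat " + where + " " + rule.spec

def demo():
    """Same packet, two chains: bypass appended (wrong) vs inserted first."""
    pkt = {"src": "192.168.1.78", "dst": "137.189.90.91", "dport": 80}
    wrong = [redirect_rule(), bypass_rule("192.168.1.78")]   # appended: too late
    right = [redirect_rule()]
    insert(right, 1, bypass_rule("192.168.1.78"))            # -I PREROUTING 1
    return prerouting(wrong, pkt), prerouting(right, pkt)
```

`demo()` returns the router IP for the wrongly ordered chain (the user is still redirected) and the original destination for the correctly ordered one.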

ERGWAVE-style login system

Problem 3 - Returning to the external site
  • The site URL should not be forgotten
  • How do you know the URL?
    From the GET and Host fields in the HTTP request message
    Read it in your own simple web server, or PHP, or…

"Request packet" with no proxy:

    GET / HTTP/1.1
    Host: www.cse.cuhk.edu.hk
    User-Agent: Mozilla/5.0 … Firefox/2.0.0.11 GTB5
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: UTF-8,*
    Keep-Alive: 300
    Connection: keep-alive
    …

Through proxy:

    GET http://www/ HTTP/1.1
    Host: www
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11 GTB5
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: UTF-8,*
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Cookie: slider1=slider1:4
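Added example covering Problem 1 and Problem 3 (not the tutorial's released sample server): the part of a "simple web server" that recovers the URL the client really asked for from the DNAT'ed request, handling both request forms shown above, and builds the 302 reply that sends the browser to the login page with that URL carried along. The login page address and the `next` parameter name are assumptions; `safe_next` is the check the login handler should apply before sending the user back.

```python
# Added example, not the tutorial's code.  DNAT rewrote only the IP header, so
# the request line and Host header still name the external site; that is what
# we read back here.
from urllib.parse import quote, urlsplit

LOGIN_URL = "http://192.168.1.1/login"   # assumed login page on the router

def original_url(raw_request: bytes) -> str:
    """Rebuild the requested URL from a raw HTTP/1.1 request.

    Handles origin-form ("GET /file.txt HTTP/1.1" plus Host) and the
    absolute-form a proxy-configured browser sends ("GET http://www/ HTTP/1.1").
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        return target                    # absolute-form: already a full URL
    host = headers.get("host")
    if not host:
        raise ValueError("no Host header: cannot reconstruct the URL")
    return "http://" + host + target

def redirect_response(raw_request: bytes) -> bytes:
    """302 reply pointing at the login page, original URL in ?next=..."""
    location = LOGIN_URL + "?next=" + quote(original_url(raw_request), safe="")
    return (
        "HTTP/1.1 302 Found\r\n"        # the slides' "302 Moved temporarily"
        "Location: " + location + "\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()

def safe_next(next_param: str) -> str:
    """Only send users back to a plain web URL; anything else goes to login.

    Without this check the login page is an open redirect (javascript:,
    data:, or an attacker-chosen scheme could be smuggled in via ?next=).
    """
    parts = urlsplit(next_param)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return LOGIN_URL
    return next_param
```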

ERGWAVE-style login system

Problem 3 - Returning to the external site
  • How do you remember it?
    Encode it into the URL of the router Web UI, or
    Store it in cookies (refer to the lecture notes), or
    Store it in router storage (maintain a mapping between user IP address and external page URL)

Timeout

Feature:
  • In "login mode", a user gets the right to access the Internet after logging in
  • This access right times out after a specified time period
  • The user will need to login again

This job of removing the access right from a user is automatic, performed at a certain time. This can be done by cron.
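Added example for the timeout feature (not the tutorial's code): the job a cron entry such as `* * * * * python3 /usr/local/sbin/ergwave_expire.py` (assumed path) could run every minute. It keeps the authenticated-IP table from Problem 2 with each login time, and revokes any IP whose access has timed out by deleting its bypass rule. The 30-minute timeout and the state-file path are assumptions; the iptables call goes through `run` so it can be recorded instead of executed.

```python
# Added example, not the tutorial's code: expire captive-portal sessions.
import json
import subprocess
import time
from pathlib import Path

TIMEOUT = 30 * 60                                  # assumed: 30 minutes per login
STATE = Path("/var/lib/ergwave/sessions.json")     # assumed: {ip: login_time}

def expired(sessions, now):
    """IPs whose login is at least TIMEOUT seconds old."""
    return [ip for ip, t in sessions.items() if now - t >= TIMEOUT]

def revoke_command(ip):
    """Delete the bypass rule Problem 2 inserted for this IP.

    -D with the full rule specification removes the first rule that matches
    it exactly, so the command must mirror the -I line used at login time.
    """
    return ["iptables", "-t", "nat", "-D", "PREROUTING", "-s", ip, "-j", "ACCEPT"]

def expire_sessions(sessions, now, run=subprocess.run):
    """Revoke every timed-out IP; return (surviving table, revoked IPs)."""
    gone = expired(sessions, now)
    for ip in gone:
        run(revoke_command(ip), check=True)
    return {ip: t for ip, t in sessions.items() if ip not in gone}, gone

if __name__ == "__main__":
    table = json.loads(STATE.read_text()) if STATE.exists() else {}
    table, revoked = expire_sessions(table, time.time())
    STATE.write_text(json.dumps(table))
    for ip in revoked:
        print("revoked", ip)
```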

cron, crontab
  • cron is a daemon to execute scheduled commands
  • crontab is a utility that manipulates the schedule of cron
  • The schedule is in a table format; you may modify it using a text editor (try: crontab -e)
  • Example - adding a task at the command prompt:

    # echo "* * * * * date >> /root/beat.txt" | crontab -u root -

    This will write the date and time info to the file every minute

  • Format of a line of task:

    minute hour day month day_of_week command

    e.g. "30 7 * * 1-5 alarm" means for every weekday, make the alarm call at 7:30
crontab
  • The above command would overwrite the cron schedule
  • To append jobs to the crontab, use "crontab -l" to dump the contents to a file first, append the new job to the file, and reload the crontab by "crontab filename"
  • Note that cron is for repeating routines; for one-time-only jobs, you may use "atd":
    Restart the atd daemon first: /etc/init.d/atd restart

    echo "date > test.txt" | at NOW + 5 minutes

Questions?
