Minicluster:Firewall

From WikiLICC
Current revision as of 10:16, 6 July 2010

The firewall can use IPTables to forward packets between the Internet and the internal network. IPTables is the interface for changing the netfilter firewall built into the Linux kernel. We'll also use IPTables to forward SSH requests for the firewall to the head node, making the firewall transparent. (Users of the cluster should interact with the head node, not the firewall.)

For my example (see Network Topology), this means that users will see something like the following. They specify the address of my firewall, eyrie, but then are deposited onto gyrfalcon, my head node.

kwanous@cassowary:~$ ssh eyrie.X.X.edu
kwanous@eyrie.X.X.edu's password:

Linux gyrfalcon 2.6.18-4-486 #1 Wed May 9 22:23:40 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
kwanous@gyrfalcon:~$

Configuring IPTables

  • IPTables is generally configured directly on the command line (not from a file). For changes to persist after a reboot, a script must be run at startup (used for the DNAT and SNAT translation). Create the file
[root@one]$ vi /etc/init.d/local
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=local
DESC="local services"

# Replace this with your firewall's static IP
EXTERNIP="X.X.X.X"

# The IP address of the internal machine that will respond to SSH requests
SSHHOST="192.168.1.200"

# The IP range of the internal network
LOCALNET="192.168.1.0/24"

case "$1" in
  start)
        # Rewrite the source address of outbound packets to the firewall's IP (SNAT)
        iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
        # Hand SSH connections arriving at the firewall to the head node (DNAT)
        iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
        # Let the kernel forward packets between its interfaces
        echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
        ;;
  stop)
        echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
        # Flush every rule in the nat table
        iptables -t nat -F
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop}" >&2
        exit 1
        ;;
esac

exit 0

Make it executable

[root@one]$ chmod +x local
  • Create a symbolic link (adapt for Fedora). Symlinks starting with S are executed with the argument start and those starting with K are executed with stop. The local script must run before the networking script (S40networking), so it should be S39.
ln -s /etc/init.d/local /etc/rcS.d/S39local

or

ln -s /etc/init.d/local /etc/rc2.d/S39local  # 2 3 4 5 ???
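An added example, not the wiki's own script: a stricter variant of /etc/init.d/local that keeps the two NAT rules above but also filters what the firewall forwards, so that from the outside only the SSH flow handed to the head node can open a connection. It assumes a kernel with the conntrack match, uses the "! -d" negation form that newer iptables versions prefer, and the addresses are constructed placeholders. Setting DRY_RUN=1 makes it print the iptables commands instead of executing them, so the rule set can be reviewed without being root.

```shell
#!/bin/sh
# Added example, not the wiki's script: the page's NAT rules plus filtering
# of forwarded traffic. Addresses are constructed placeholders.
EXTERNIP="${EXTERNIP:-203.0.113.10}"     # firewall's static external IP (placeholder)
SSHHOST="${SSHHOST:-192.168.1.200}"      # head node that receives forwarded SSH
LOCALNET="${LOCALNET:-192.168.1.0/24}"   # internal network, CIDR notation
DRY_RUN="${DRY_RUN:-}"                   # set to 1 to print commands instead of running them

# run CMD...: execute CMD, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_start() {
    # The page's two NAT rules, written with the "! -d" negation form.
    run iptables -t nat -A POSTROUTING ! -d "$LOCALNET" -j SNAT --to-source "$EXTERNIP"
    run iptables -t nat -A PREROUTING -d "$EXTERNIP" -p tcp --dport 22 -j DNAT --to-destination "$SSHHOST"
    # Forwarded traffic is dropped unless one of the rules below accepts it.
    run iptables -P FORWARD DROP
    # Replies to connections the firewall already tracks may pass in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may open new connections to the outside (SNAT rewrites them).
    run iptables -A FORWARD -s "$LOCALNET" ! -d "$LOCALNET" -m conntrack --ctstate NEW -j ACCEPT
    # From outside, only the SSH flow DNATed to the head node may start a connection.
    run iptables -A FORWARD -d "$SSHHOST" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Same effect as the page's echo into /proc/sys/net/ipv4/conf/all/forwarding.
    run sysctl -w net.ipv4.ip_forward=1
}

fw_stop() {
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -t nat -F
    run iptables -F FORWARD
}

# Dispatch only when an argument is given; with none, the file just defines
# the functions, so it can be sourced or reviewed with DRY_RUN=1.
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    "")    ;;
    *)     echo "Usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Review the generated rules with DRY_RUN=1 sh local start before installing the script; the FORWARD policy of DROP is what turns the box from a plain NAT router into a firewall, since the nat table alone decides only how addresses are rewritten, not which packets are allowed through.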

Understanding the Iptables Commands

Some variables were set earlier in the script.

$LOCALNET
must be the IP range of the local network with its CIDR mask.
$EXTERNIP
must be the IP of the firewall's external interface.
$SSHHOST
must be the IP of the head node.

Source Network Address Translation (SNAT)

The first command does the SNAT: it translates packets generated by computers on the internal interface so they can go out to the Internet. Any machine on the Internet seeing packets from the cluster will see them as coming from the firewall and will reply to the firewall. Instead of accepting the packets itself, the firewall forwards them into the network.

iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
  • -t nat specifies that this rule belongs to the nat (network address translation) table, the table used for IP masquerading
  • -A POSTROUTING appends the rule to the POSTROUTING chain, meaning it is applied after all other processing, just before the packet leaves the firewall
  • -d ! ${LOCALNET} matches any packet destined for an IP not within ${LOCALNET}
  • -j SNAT means to jump to the SNAT target, which rewrites the source address
  • --to ${EXTERNIP} specifies that any packet leaving will carry the source IP ${EXTERNIP}

All together in English, this rule says: take any packet not destined for a host within the internal network, change its source IP address to the firewall's IP, and send it on to its destination on the outside network.

Destination Network Address Translation (DNAT)

This rule does just the opposite. It takes SSH packets coming in from the Internet and sends them along to the head node.

iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
  • -t nat specifies the nat (network address translation) table, aka IP masquerading
  • -A PREROUTING appends the rule to the PREROUTING chain, meaning it takes effect as the packet arrives, before any other rules have a chance to work on it
  • --dst ${EXTERNIP} matches the packet's original destination (the firewall)
  • -p tcp specifies TCP as the protocol
  • --dport 22 specifies the destination port of the packet
  • -j DNAT means to jump to the DNAT target to do the destination network address translation
  • --to-destination ${SSHHOST} sets the new destination address (the head node)

In English, this means to take any packets addressed to the firewall that are TCP packets on port 22 (SSH), change their destination to the head node, and forward them on to the internal network. This could be changed to forward all TCP packets inside by removing --dport 22, but a firewall that forwards everything inside the internal network wouldn't be much of a firewall.
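As an added check, not part of the wiki: a small audit that reads an iptables-save dump of the nat table and confirms the two rules explained above are present in the intended shape, flagging a DNAT rule that lost its --dport (the "not much of a firewall" case). iptables-save prints rules in a normalized form ("! -d" negation, "--to-source" for SNAT), which is what the patterns expect. The dumps embedded below are constructed for the example, with 203.0.113.10 standing in for the firewall's external address.

```shell
#!/bin/sh
# Added example, not part of the wiki: audit an iptables-save dump for the NAT
# rules described above. The dumps are constructed samples, not from a real host.
LOCALNET="192.168.1.0/24"   # internal network
SSHHOST="192.168.1.200"     # head node

# Constructed dump matching the page's script (203.0.113.10 = firewall's external IP).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING ! -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# Constructed dump with --dport removed: every TCP port on the firewall would be
# handed to the head node, the case the text above warns against.
BAD_DUMP='*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -j DNAT --to-destination 192.168.1.200
-A POSTROUTING ! -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# nat_section DUMP: print the lines of the nat table only.
nat_section() {
    printf '%s\n' "$1" | sed -n '/^\*nat$/,/^COMMIT$/p'
}

# audit_snat DUMP: succeed if traffic not destined for LOCALNET is SNATed.
audit_snat() {
    nat_section "$1" | grep -q -- "^-A POSTROUTING ! -d $LOCALNET .*-j SNAT "
}

# audit_dnat DUMP: succeed only if there is at least one DNAT rule and every
# DNAT rule names a destination port and points at the head node.
audit_dnat() {
    nat_section "$1" | grep -- '-j DNAT' | {
        found=0
        while IFS= read -r rule; do
            found=1
            case "$rule" in
                *"--dport "*"-j DNAT --to-destination $SSHHOST"*) ;;
                *) exit 1 ;;   # exits this subshell only; becomes the pipeline status
            esac
        done
        [ "$found" -eq 1 ]
    }
}

# audit_nat DUMP: run both checks, print a verdict per rule, return 0 if all pass.
audit_nat() {
    status=0
    if audit_snat "$1"; then
        echo "SNAT for traffic leaving $LOCALNET: ok"
    else
        echo "SNAT for traffic leaving $LOCALNET: missing"
        status=1
    fi
    if audit_dnat "$1"; then
        echo "DNAT restricted to one port on $SSHHOST: ok"
    else
        echo "DNAT: missing, too broad, or not pointing at $SSHHOST"
        status=1
    fi
    return "$status"
}

# audit_live: check the running firewall (needs root and iptables-save).
audit_live() {
    audit_nat "$(iptables-save -t nat)"
}
```

Running audit_live after /etc/init.d/local start gives a quick confirmation that the rules loaded as intended; running it again after an edit to the script catches a widened DNAT before it is left in place across reboots.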

Starting and Stopping NAT

Since the local script has been symlinked into the /etc/rcS.d/ or /etc/rc2.d/ directory, it will automatically load at boot. To start and stop the script from the command line, use

/etc/init.d/local start

or

/etc/init.d/local stop

Since this script is responsible for allowing the nodes inside the firewall their Internet access, be advised that stopping this script will kill the Internet connection to any machines behind the firewall.
