20061107
Interesting articles
Today's handout from Joe can be seen at: http://wsms.wikiplanet.com/html/TCP.htm
Joe showed us an interesting article about Linux titled "The world just isn't ready for Linux".
The author argues that Linux could still be the utopia to move to, and complains about DRM, the high cost and the complexity of Vista.
See it at http://blogs.zdnet.com/hardware/?p=133&tag=nl.e622
An interesting link for understanding TCP/IP: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ap1.htm
Request For Comments (RFC)
The official documents that describe how the Internet functions are known as Requests for Comments (RFCs). The main RFC repository is http://www.rfc-editor.org/; the RFC Editor is responsible for the final editing and publication of the documents.
The Requests for Comments (RFC) document series is a set of technical and organizational notes about the Internet (originally the ARPANET), beginning in 1969. Memos in the RFC series discuss many aspects of computer networking, including protocols, procedures, programs and concepts, as well as meeting notes, opinions and sometimes humor.
A few example RFCs:
1918 Address Allocation for Private Internets
2821 Simple Mail Transfer Protocol
2616 Hypertext Transfer Protocol -- HTTP/1.1
These documents represent the final authority on how the various parts of the Internet are supposed to function. Note that RFCs are updated or obsoleted over time (RFC 2821 and RFC 2616, for example, have since been replaced by newer specifications), so check the "Obsoleted by" and "Updated by" headers on rfc-editor.org before relying on one.
Issues with TCP/IP and the TCP/IP protocol
Joe handed out some documentation about these issues, and we are going to study them today.
Summarizing:
Communication between computers on the Internet always uses TCP/IP. Computers that are connected to each other without the Internet may use other protocols.
Sometimes two applications on the same computer use TCP/IP to talk to each other. For example, when you run a browser on a server and open a page on that same server with the address "http://localhost/file.htm", the request goes through the TCP/IP stack over the loopback interface. But if you run the browser and use an address like "file://c:/somewhere/file.htm", the browser reads the file directly from disk; that has nothing to do with TCP/IP, and we will not talk about it today.
We can see TCP/IP as a stack
TCP/IP is usually represented as a stack of layers, each responsible for a different part of transmitting the data. At the top are the browsers and the other applications.
Further down, one layer is hardware-oriented (it deals with wires, cables and signals); another is the addressing layer, which we will talk about later.
The machine that receives the data has the same stack, and the data travels through it in the opposite direction (from the wire upwards) until it finally reaches the application layer.
For most of this class we do not need to know about the intermediate layers. We will look at the application layer, the SSL (Secure Sockets Layer) layer, which sits between the application and the transport layer, the addressing layer and the hardware layer.
Messages can be sent with two different transport protocols, TCP or UDP. TCP is connection-oriented and reliable: it sets up a connection with a three-way handshake, acknowledges and retransmits lost segments, and delivers the bytes in order. UDP is connectionless and unreliable: each datagram is sent on its own, with no handshake, no acknowledgement and no retransmission. UDP is very light, so it is used for very short requests that expect a short response, such as resolving a host name with DNS. TCP is heavier (the handshake alone costs a round trip before any data is sent), and using it for such simple exchanges would make them noticeably slower.
Here is a site where you can find a graphical representation of the stack: http://technet2.microsoft.com/WindowsServer/en/library/3a9b874b-188a-4352-b542-27f433db07b01033.mspx?mfr=true
How does the message system work?
The question is: when a message arrives at a machine, how does the receiving machine know which application the message is for?
The answer is that the message is addressed to a specific TCP (or UDP) "port", and each port is associated with a specific application that is listening on it.
On each computer there is a file called /etc/services that lists which service name goes with which port number and protocol (for example ssh on 22/tcp and domain on 53/udp). These assignments are a standard maintained by IANA, the Internet Assigned Numbers Authority.
But things can be significantly more complex: when an application answers a message, how does it know where to send the answer (in other words, which port to use)? The transport layer of the TCP/IP stack takes care of it. When the client sends its request, the stack picks a free "ephemeral" source port for it (on Linux the range is in /proc/sys/net/ipv4/ip_local_port_range and usually starts at 32768); the server's reply is addressed back to that port, and the receiving stack uses the combination of source address, source port, destination address, destination port and protocol to hand the reply to the right application.
- Socket
- This is a communication mechanism originally implemented in the BSD version of the UNIX operating system. Sockets are used as endpoints for sending and receiving data between computers. Basically, a socket is the combination of an IP address and a port number. It can also be seen as the mapping of a port number to an IP address, and as a simplified, generic connection to a TCP/IP network, originated by the Berkeley Software Distribution.
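The two questions above (what a socket is, and how a reply finds the application that sent the request) and the earlier TCP versus UDP comparison are easiest to see by running them. The following Python script is an added example written for these notes, not code from the class or the handout. It runs entirely on the loopback address 127.0.0.1 with the standard library only, so it works without a network; the port numbers it reports are whatever the kernel assigns, and the message contents are made up.

```python
import socket

# Added example (not from the class notes): what a socket is, how the kernel
# picks an ephemeral source port for a client, and how a reply finds its way
# back to the right application. Everything runs on 127.0.0.1.


def udp_exchange(payload: bytes = b"ping") -> dict:
    """One UDP request/response on loopback; returns the addresses each side saw."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))        # port 0: let the kernel choose a free port
    server_addr = server.getsockname()   # the server's socket: (ip, port)

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # The client never binds. On the first sendto the kernel assigns it an
    # ephemeral source port (local address 0.0.0.0, since it is unconnected);
    # that port is what the server sees as the sender.
    client.sendto(payload, server_addr)
    data, peer = server.recvfrom(1024)   # peer == ("127.0.0.1", client's ephemeral port)
    server.sendto(data.upper(), peer)    # reply to the address we saw, nothing else
    reply, reply_from = client.recvfrom(1024)

    result = {
        "server": server_addr,
        "client_seen_by_server": peer,
        "client_port": client.getsockname()[1],
        "reply": reply,
        "reply_from": reply_from,
    }
    server.close()
    client.close()
    return result


def tcp_two_clients() -> dict:
    """Two TCP clients to one listening port; the 4-tuple keeps them apart."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    server_port = listener.getsockname()[1]

    # Both clients connect to the *same* server port; each gets its own
    # ephemeral local port, so the two connections have different 4-tuples.
    c1 = socket.create_connection(("127.0.0.1", server_port))
    c2 = socket.create_connection(("127.0.0.1", server_port))

    # accept() hands back one connected socket per client plus the peer address.
    conns = {}
    for _ in range(2):
        conn, peer = listener.accept()
        conns[peer] = conn

    echoed = []
    for client, msg in ((c1, b"one"), (c2, b"two")):
        client.sendall(msg)
        # The server-side socket for this client is the one whose peer is the
        # client's own (ip, port): that is the demultiplexing the stack does.
        conn = conns[client.getsockname()]
        conn.sendall(conn.recv(64).upper())
        echoed.append(client.recv(64))

    result = {
        "server_port": server_port,
        "client_ports": [c1.getsockname()[1], c2.getsockname()[1]],
        "peers_seen_by_server": [p[1] for p in conns],
        "echoed": echoed,
    }
    for s in (c1, c2, listener, *conns.values()):
        s.close()
    return result


if __name__ == "__main__":
    print(udp_exchange())
    print(tcp_two_clients())
```

Run it and compare the two halves: the UDP server answers whoever it just heard from, with no connection at all, while the TCP listener ends up with one extra socket per client, and the server tells them apart only by the client's (address, port) pair.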
Example with a local network
When we see a 0 at the end of an IP address, for example 192.168.1.0, the address names the network itself; the part of the address covered by the 0 is the host part, and each machine on that network fills it in with its own number.
If two machines share the same first numbers of their IP addresses (the network part, as defined by the netmask), they are on the same network, and TCP/IP delivers the data directly between their stacks without going through a router.
Every network interface in the world has its own (in theory unique) physical address, the MAC address, and every host keeps a table (the ARP cache, shown by "arp -n") that says which IP addresses on the local network belong to which physical address.
Every computer connected to the Internet also has a "routing table" inside it that says where to send messages for each destination network: directly, if the destination is on a local network, or to a gateway (router) otherwise. The table can be shown with "route -n" and edited with "route add"; we do not need to test that here, because on a normal host it is filled in automatically (by DHCP or the network configuration) and is rarely edited by hand these days.
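The two decisions described above (is the destination on my network, and if not which gateway do I hand it to) are what the routing table lookup does for every outgoing packet. The Python below is an added example for these notes, not from the class; the routing table, the addresses and the interface names in it are made up for illustration, and it uses only the standard library ipaddress module. It goes slightly beyond the notes in showing the general rule, longest-prefix match, of which "same first numbers, deliver directly" is the special case.

```python
import ipaddress

# Added example (not from the class notes). A constructed routing table in the
# shape "route -n" prints: (destination network, gateway or None when the
# network is directly attached, interface). All values are made up.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1",   "eth0"),  # default route: everything else
    ("192.168.1.0/24", None,            "eth0"),  # our own LAN, directly attached
    ("10.8.0.0/16",    "192.168.1.254", "eth0"),  # a network behind another router
    ("127.0.0.0/8",    None,            "lo"),    # loopback
]


def same_network(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True when both addresses share the network part under this netmask,
    i.e. the "same first numbers" test the notes describe."""
    net = ipaddress.ip_network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def lookup(dest: str, routes=ROUTES):
    """Return (next_hop, interface) for dest using the most specific matching
    route (longest prefix wins). next_hop is dest itself when the destination
    network is directly attached, because then ARP resolves dest directly."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, gateway, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    _net, gateway, iface = best
    return (gateway or dest, iface)


if __name__ == "__main__":
    print(same_network("192.168.1.10", "192.168.1.200", "255.255.255.0"))  # True
    for d in ("192.168.1.77", "10.8.3.4", "203.0.113.9", "127.0.0.1"):
        print(d, "->", lookup(d))
```

The order of the ROUTES list does not matter: the lookup keeps the route with the longest prefix, so the /24 for the LAN beats the /0 default route even though the default route is listed first.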
Some comments about the firewall
There are convenient tools to configure the firewall: to open and close ports, to specify TCP or UDP traffic, and to turn the firewall on or off.
The firewall implemented in most newer versions of Linux (the last couple of years) is called "iptables": it is the command-line tool that loads filtering rules into the kernel's netfilter packet filter.
On Red Hat style systems (Red Hat, Fedora, CentOS) the saved rules live in a configuration file called /etc/sysconfig/iptables. Debian and Ubuntu have no such file by default, which is why the script in the next section loads the rules itself at boot.
There are several tools to handle this file, but we are going to talk about the following:
system-config-securitylevel (which is a graphical tool),
system-config-securitylevel-tui (which is a text-based tool), and
setup -> Firewall configuration, which manages the firewall.
With the firewall we can, for example, block a specific address (such as the one that belongs to our friend in South Korea).
The file /etc/sysconfig/iptables is critical. Believe Joe. This file decides which messages get in, and which ports are open and which are not. If you are going to change it, make a backup first ("iptables-save > /root/iptables.bak" captures the rules currently loaded), just in case you break everything and nobody else can get into the server again. When editing the rules over SSH, keep a second session open and confirm you can still log in before closing it.
There is a tremendous number of things you can do with iptables commands. You can see all of them by typing "man iptables". The ideas behind these commands are not specific to Linux: what you learn about packet filtering here is not just Linux support knowledge, it carries over to almost every other kind of system with a firewall.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html is a good reference on iptables.
A custom firewall script
This is a custom script I wrote a few months ago--Ggeller 20:09, 7 November 2006 (PST)
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          lincoln-iptables
# Required-Start:    networking
# Required-Stop:
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Minimal host firewall: loopback, ICMP, DNS out, SSH
### END INIT INFO
# Author: George Geller
# 20060823 August 23, 2006
# 20061107 November 7, 2006 - Revised
. /lib/lsb/init-functions
# See http://www.ubuntuforums.org/showthread.php?t=158785
# and http://doc.gwos.org/index.php/IptablesFirewall
# copy to /etc/init.d, chmod +x, then
#   update-rc.d lincoln-iptables defaults 36
# 36 because it will start right after networking
# iptables commands were adapted from "Network Security Hacks" book
lincoln_iptables_start () {
    # Shut off everything: flush the filter table and default every chain
    # to DROP. FORWARD is included so the host never routes for others.
    iptables -F
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Let replies to connections we already allowed through, in both
    # directions, using connection tracking. This replaces the earlier
    # "--sport 22" and "--sport 53" ACCEPT rules: those let any packet
    # whose *source* port was 22 or 53 reach every local port, because
    # the source port is chosen by the remote end.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow icmp packets (ping, and the error messages TCP/IP relies on)
    iptables -A OUTPUT -p icmp -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
    # Allow outgoing DNS queries to port 53; the answers come back as ESTABLISHED
    iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    # Allow SSH: outgoing to other hosts, and new incoming connections to us
    iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
}
lincoln_iptables_stop () {
    # Reset: flush the rules and accept everything again
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
}
case "$1" in
    start)
        log_action_begin_msg "Starting lincoln-iptables"
        # give the boot splash more time while the filters are applied
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
        lincoln_iptables_start
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
        log_action_end_msg $?
        ;;
    stop)
        # remove filters here
        log_action_begin_msg "Stopping lincoln-iptables"
        lincoln_iptables_stop
        log_action_end_msg $?
        exit 0
        ;;
    force-reload|restart)
        log_action_begin_msg "Restarting lincoln-iptables"
        lincoln_iptables_stop
        lincoln_iptables_start
        log_action_end_msg $?
        ;;
    *)
        echo "Usage: /etc/init.d/lincoln-iptables {start|stop|restart|force-reload}"
        exit 1
        ;;
esac
exit 0
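A firewall like the one above is worth checking with a script rather than by eye, because the dangerous patterns are easy to miss: a default policy left at ACCEPT, or an ACCEPT rule that matches only on the source port (as in "-A INPUT -p tcp --sport 22 -j ACCEPT"), which trusts a number the remote end chooses and so lets anyone who sends from port 22 or 53 reach every local port. The Python below is an added example for these notes, not part of the class or of the script above. It parses the "iptables-save" text format; both rulesets in it are constructed for the example, the first admitting replies by source port, the second by connection state. To audit a real host, feed it the output of "iptables-save" instead of the constructed text.

```python
import shlex

# Added example (not from the class notes or the script above). Constructed
# rulesets in iptables-save format: WEAK admits replies by matching the
# *source* port, HARDENED uses connection tracking instead.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
"""

HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules) from iptables-save text.
    policies maps chain -> default policy; rules is a list of
    {chain, raw, opts}, where opts maps each option (-p, --sport, -m,
    --state, -j, ...) to the list of values it was given."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            toks = shlex.split(line)
            opts = {}
            i = 2
            while i < len(toks):
                key = toks[i]
                has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts.setdefault(key, []).append(toks[i + 1] if has_value else "")
                i += 2 if has_value else 1
            rules.append({"chain": toks[1], "raw": line, "opts": opts})
    return policies, rules


def audit(text):
    """List the weaknesses a reviewer would flag in a host firewall ruleset."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, not DROP")
    has_state_rule = False
    for rule in rules:
        opts = rule["opts"]
        target = opts.get("-j", [""])[0]
        states = ",".join(opts.get("--state", []) + opts.get("--ctstate", []))
        if rule["chain"] != "INPUT" or target != "ACCEPT":
            continue
        if "ESTABLISHED" in states:
            has_state_rule = True
        # Accepting on --sport alone trusts a value the remote end chooses:
        # anyone sending from port 22 or 53 then reaches every local port.
        if "--sport" in opts and "--dport" not in opts and not states:
            findings.append("INPUT accepts by source port alone: " + rule["raw"])
    if not has_state_rule:
        findings.append("INPUT has no ESTABLISHED,RELATED rule; replies are matched by port instead")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(text) or ["no findings"])
```

The weak ruleset yields four findings (the FORWARD policy, the two source-port rules and the missing state rule); the hardened one yields none. The parser is deliberately simple: it understands the option/value layout iptables-save emits but not negations written as "! -i lo", so extend it before trusting it on a ruleset that uses them.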
