Network+ : Routing and Firewalls


Unit 13

From the Linux+ Training Course.

This has always been a tough area, and it’s getting tougher.

route

Displays the routing table. This is the old net-tools command; on current distributions the equivalent is ip route show (the ip command from iproute2 has replaced route, netstat and ifconfig). Compare:

netstat -r

If you have two NICs (i.e. you are a multihomed host) you can enable IP forwarding, which is what "routing" means for a Linux host: packets that arrive on one interface and are addressed elsewhere get passed out another interface instead of being dropped. Take a look at the relevant file:

cat /etc/sysctl.conf

For routing to occur you'll need this line (drop-in files under /etc/sysctl.d/ work the same way):

net.ipv4.ip_forward = 1

The file is read at boot; sysctl -p applies it immediately, and cat /proc/sys/net/ipv4/ip_forward shows the live value. Leave it at 0 on any host that is not meant to be a router. A multihomed server with forwarding switched on is a path between every network it touches, whatever the firewalls on those networks assumed.

Routing

Hang on to your shorts. If you're acting as the router between two networks or subnets, every network that is not directly attached to one of your interfaces needs a defined route, and so does every other router and host on the path. Say your host sits on 198.51.100.0/24 and the network 192.0.2.0/24 lies one hop away behind the router 198.51.100.1 (addresses here are the RFC 5737 documentation ranges; the original notes used placeholder octets above 255, which no tool will accept). You add the route like this:

route add -net 192.0.2.0 netmask 255.255.255.0 gw 198.51.100.1
or
ip route add 192.0.2.0/24 via 198.51.100.1

This says, in effect, "Send any packets bound for the 192.0.2.0/24 network to the router 198.51.100.1." The netmask has to match the real size of the network: with netmask 255.0.0.0 on that line, everything in 192.0.0.0/8 would be sent to that router.

Where this gets (really) complicated is when several routers are involved, because a route is a one-way statement. Your packets will reach 192.0.2.0/24, but the hosts there need a route back to 198.51.100.0/24 or their replies are silently dropped. If the same router has the address 192.0.2.1 on that side, the mirror-image route on a host in 192.0.2.0/24 is:

route add -net 198.51.100.0 netmask 255.255.255.0 gw 192.0.2.1
or
ip route add 198.51.100.0/24 via 192.0.2.1

Typically, but not always, routers are given the .1 address (at least in examples). You will see them using .100 or almost any number in real life, within the constraints of the IP protocol.

Delete a route:

route del -net 198.51.100.0 netmask 255.255.255.0 gw 192.0.2.1
or
ip route del 198.51.100.0/24 via 192.0.2.1

Rebooting? Routes added with route or ip live only in the kernel's memory, so you'd have to issue these commands again. That's why older setups keep them in a separate script called from /etc/rc.d/rc.local, the last file run by the boot process. Current distributions expect persistent routes in the network configuration instead: /etc/sysconfig/network-scripts/route-<interface> on the Red Hat family, the connection settings managed by nmcli under NetworkManager, or a [Route] section in a systemd-networkd .network file.
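To see what the routing table actually does with a packet, here is a longest-prefix-match lookup over a small static table, written as an added example for this page (it is not part of the course notes). The table, the interface names and the addresses (RFC 5737 documentation ranges) are constructed; the lookup mirrors the kernel's rule that the most specific matching route wins and the default route (0.0.0.0/0) only catches what nothing else matched.

```sh
#!/bin/sh
# Added example, not from the course notes: longest-prefix-match lookup over
# a constructed static route table, the way the kernel picks a next hop.
# Format: "network/prefixlen next_hop interface"; a next hop of 0.0.0.0
# means the network is directly attached to that interface.
ROUTES="
192.0.2.0/24     198.51.100.1   eth0
192.0.2.128/25   198.51.100.2   eth0
198.51.100.0/24  0.0.0.0        eth0
203.0.113.0/24   0.0.0.0        eth1
0.0.0.0/0        203.0.113.1    eth1
"

# Dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask as an integer for a prefix length 0..32.
len2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Print "next_hop interface" for the most specific route matching $1,
# or return 1 when nothing (not even a default route) matches.
route_lookup() {
    dst=$(ip2int "$1")
    best_len=-1
    best=""
    while read -r prefix hop dev; do
        [ -n "$prefix" ] || continue
        net=${prefix%/*}
        len=${prefix#*/}
        mask=$(len2mask "$len")
        # Match: the destination and the route's network agree under the mask.
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best="$hop $dev"
        fi
    done <<EOF
$ROUTES
EOF
    [ -n "$best" ] || return 1
    echo "$best"
}

# Demo: which route each constructed destination would take.
for d in 192.0.2.7 192.0.2.200 198.51.100.9 8.8.8.8; do
    printf '%-15s -> %s\n' "$d" "$(route_lookup "$d")"
done
```

Two things the table shows that the one-line route commands hide: 192.0.2.200 goes to 198.51.100.2 because the /25 beats the /24 even though the /24 is listed first, and 8.8.8.8 falls through to the default. Change the first prefix to 192.0.0.0/8 (the effect of the 255.0.0.0 netmask in the original notes) and every 192.x.x.x destination that is not more specifically covered is sent to that router.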

 

Troubleshoot your routing

traceroute 192.0.2.10

(The original notes used 123.456.789.10, which has octets above 255 and is not a valid IPv4 address.) traceroute shows each hop the packets actually take. To find out which entry in the local table the kernel would pick for a destination, without sending anything across the network, ip route get <destination> prints the chosen route, next hop and source interface.

 

Automating routing

All this is why people make life easier by running a dynamic routing protocol, which updates routing tables on the fly as links and routers appear and disappear.

RIP – Routing Information Protocol

OSPF – Open Shortest Path First

 

Firewall Services

This leads us to netfilter, the packet-filtering framework inside the Linux kernel. The userspace tool that configures it is iptables, which replaced ipchains (itself the replacement for ipfwadm); its own successor is nftables, and on many current distributions the iptables command is a compatibility front end that writes nftables rules under the hood.

Netfilter, to put it simply, accepts some packets and discards others. It does this by walking chains of rules from top to bottom: the first rule that matches decides, and if nothing matches, the chain's default policy decides. The filter table has three built-in chains:

An INPUT chain, for packets addressed to this host,

A FORWARD chain, for packets that will be routed through your computer, and

An OUTPUT chain, for packets this host sends out itself.

 

To create rules, you use the iptables command:

iptables -F #flush every rule (the chain policies stay as they were)

iptables -P FORWARD DROP #sorry, we're not routing anything that isn't explicitly allowed

iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
#We'll forward packets from the 192.168.2.0 network. Replies to those packets
#come from other addresses and still hit the DROP policy, so return traffic
#needs a rule of its own that matches by connection state, not by source.

iptables -L #list rules

To make rules survive a reboot, save them in iptables-save format. On the Red Hat family the iptables service loads /etc/sysconfig/iptables (write it with iptables-save > /etc/sysconfig/iptables); Debian and Ubuntu use /etc/iptables/rules.v4 through the iptables-persistent package.
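Putting the pieces together, here is a complete router firewall as an added example for this page (it is not from the course notes): the forwarding sysctl, a default-deny ruleset in iptables-restore format, a lint check that rejects the over-broad FORWARD rule shown above, and the persistence step. The interface names, the LAN subnet and the idea of accepting SSH only from the LAN are assumptions about the example host.

```sh
#!/bin/sh
# Added example, not from the course notes: a stateful default-deny firewall
# for a two-interface Linux router, rendered as an iptables-restore ruleset so
# the same text can be reviewed, applied and persisted.
# Assumed host layout: eth0 faces the LAN 192.168.2.0/24, eth1 faces the WAN.
set -u

LAN_IF=eth0
LAN_NET=192.168.2.0/24
WAN_IF=eth1

# Render the ruleset. INPUT and FORWARD default to DROP, so anything not
# explicitly accepted is discarded. Return traffic is admitted by connection
# state (conntrack), never by trusting a source address.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: " --log-level 4
COMMIT
EOF
}

# Review check: fail if INPUT or FORWARD lacks a DROP policy, or if any
# FORWARD ACCEPT rule is neither state-based nor pinned to LAN-in/WAN-out
# plus the LAN source. A bare "-A FORWARD -s 192.168.2.0/24 -j ACCEPT"
# would fail here: it also forwards spoofed packets arriving on the WAN.
lint_ruleset() {
    rs=$(render_ruleset)
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rs" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rs" | grep '^-A FORWARD .* -j ACCEPT$' \
        | grep -v -e '--ctstate' -e "-i $LAN_IF -o $WAN_IF -s $LAN_NET" \
        | grep -q . && return 1
    return 0
}

# Turn on forwarding and load the ruleset atomically (all or nothing).
# Needs root; refuses a ruleset that fails lint.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    lint_ruleset || { echo "ruleset failed lint, not applied" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    render_ruleset | iptables-restore
}

# Persist for the next boot. The Red Hat family reads /etc/sysconfig/iptables;
# Debian/Ubuntu with iptables-persistent read /etc/iptables/rules.v4.
persist_ruleset() {
    [ "$(id -u)" -eq 0 ] || return 1
    target=${1:-/etc/sysconfig/iptables}
    render_ruleset > "$target"
}

case "${1:-}" in
    --apply) apply_ruleset && persist_ruleset ;;
    *) render_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review; run it as root with --apply to load and save it. Because iptables-restore replaces the whole table in one step, there is no window in which the old rules are flushed and the new policy not yet set, which is exactly the gap a sequence of iptables -F followed by individual -A commands leaves open.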

Common iptables options
-A <chain> Append a rule to the end of the chain.
-s <address> Match the source address of packets (a host or a CIDR network).
-d <address> Match the destination address of packets.
-p <protocol> Match the protocol (tcp, udp, icmp); enables protocol options such as --dport.
-i <iface> / -o <iface> Match the interface a packet arrived on / will leave by.
-j <target> Action taken on a match: ACCEPT, DROP, REJECT, LOG, or jump to a user-defined chain.
-L [<chain>] List rules for the chain; with no chain, lists every chain. Add -n -v --line-numbers for numeric addresses, packet counters and rule numbers.
-F [<chain>] Flush existing rules for the chain; with no chain, flushes all chains. Policies are not flushed.
-P <chain> <policy> Set the default policy (ACCEPT or DROP) used when no rule in INPUT, FORWARD or OUTPUT matches.
-D <chain> <number> Delete a rule by its number (or repeat the rule specification to delete by match).
-R <chain> <number> Replace a rule by its number.