Created with The GIMP


2007 CHLUGger of the Year!
Mailing List
Help Open Source
Question of the Day

About Us

Directions to Meetings
Contact Us
Guest Speaker Info
Acceptable Use
Link To Us!
Our Blog

CHLUG Exclusives

Open Office 3.0- New and Enhanced Features New!
Linux Hacking and the Law New!
VOIP with Asterisk
Assessing OSS
Knoppix Ubiquitous Computing
Filesystem Hierarchy
Virtual Hosting
Emacs Talk Notes
Home Sweet ~
Top 100 CLIs
Device Drivers
Real Time Linux
Network Considerations Part II
Network Considerations Part I
Amanda Presentation
GNU/Linux Calculators Configuring Rio
Linux Sound
Samba notes
Network time protocol
C programming in Linux
Boot, startup and shutdown
hdparm HOWTO

Friends of CHLUG

Ubuntu NJ LoCo
Cherry Hill Library
LUG in Princeton
Useful Links

Loads of Linux Links
Art of UNIX Programming
More Links


Contact Congress
Why We Use Linux
Companies Using Linux
Linux in Business

Get Linux!

Get Firefox!


Created with The GIMP

Website Designer-

Network Considerations Part I
Gerald Neale
Demonstration Environment :

Machine #1 (Debian potato "internal user")
 -One NIC eth0 (internal ip
 -Connection (crossover cable) to firewall/gateway machine

Machine #2 (Red Hat 7.2 "firewall/gateway")
      -Two NICs
    One external IP eth0 (
    One internal IP eth1 (
      -Minimal services running on this machine
      -Packet filtering software running
      -Masquerading (NAT) running
Machine #3 (Red Hat 7.2 "the internet")
 -One NIC eth0 (external ip
 -Apache webserver and ssh server running for demonstration purposes


The purpose of the discussion/demostration is to bring a typical Linux network setup into a meeting and discuss the principles involved in setup and administration.
Many specifics will left out, but the main principles will be discussed in some detail.
They are as follows-
     1)Basic Linux Network Setup (as described above)
     3)Packet Filtering with Ipchains
     4)Network monitoring with tcpdump

1)Basic Linux Network Setup-
 A.Private Address space
 Class A- Contains the most available ip addresses
 Class B- Second most available ips
 Class C- Least available ips- We have choosen this for our interal network. IE gateway/firewall internal user
 B.Public Address space
 Pretty much anything except above ips
 These are the ips directly visible to the internet
 We have assigned these to our internet visible interfaces. IE gateway/firewall, internet
 Connection concepts
     Output must connect to an input and vice versa
     Due to the standardization of NICs we must use a "crossover" cable to connect two machines directly.
 D.Services that utilize the network
 Common network services (servers) on Linux firewall machines might be the apache webserver and ssh daemon.
 For our internal user they might be sendmail, pop, a web browser, an instant messaging client, etc.
 We must allow certain packets to be forwarded, denied and/or accepted to have a functional secure network.
We forward, deny or accept packets in our ipchains ruleset based on certain criteria.

Common ipchains examples
/sbin/ipchains -A forward -s -p tcp -j MASQ
/sbin/ipchains -A forward -s -p udp -j MASQ
/sbin/ipchains -A forward -s -p icmp -j MASQ
/sbin/ipchains -A input -i eth0 -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
/sbin/ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT

See ipchains howto for more info.

 A.Packets are just chunks of data pakaged nicely for transport and inscribed with a "header".
 B.The three common protocols for packets are icmp, udp and tcp. The last (tcp) being the most common.
 C.TCP handshaking
  client sends syn
  server sends syn ack
  client sends ack
  server sends ack...
 D.The look of a packet
   run tcpdump to watch packets as they hit your default interface.
 E.Common port numbers
   less /etc/services for a description of common port uses
   "priveledged" ports 0-1023 are for root services
   "unpriveledged ports" 1024-65k are for non-root services
  In /etc/rc.d/rc.local enter this line  echo 1 > /proc/sys/net/ipv4/ip_forward
  In firewall script of firewall/gateway macihine allow masquerading from internal users (The Debian internal user in our example)
       -A forward -s -p tcp -j MASQ
       -A forward -s -p udp -j MASQ
       -A forward -s -p icmp -j MASQ
3)Packet Filtering with Ipchains-
  A.The "chain" filter concept
        -A packet attempts to pass by first rule. If successful, it attempts to pass by the second, third, etc. until it is accepted
        -A reject or deny rule drops the packet or "filters" it
  B.Default policy
     -Accept everything (the one we're demonstrating)
     -Deny everything (tighter security, more difficult to add services)
 C.Blocking packets for an accept everything firewall
     -Based on interface card
     -Based on ports
         priveledged range 0-1023
         unpriveledged range 1023 on up
     -Based on source ip
     -Based on your inteface's Input/Output stream
     -Based on the tcp handshake "flags"
     -Based on protocol
4)Network monitoring with tcpdump-
   A.Setting the promiscuous mode for a NIC
   B.An example
   C.Using grep to filter out noise
   D.You may want to limit realtime network monitoring to the machine you are on with direct console access. Remote machines will go into infinite loop.
   E.The solution to the above problem is to output tcpdump to a file on your remote machines.

See Part II for more details on this