SI455 – Advanced Computer Networking Lab3: Building a Minimal Router (v1.1)

Collaboration Policy: CP-6 (Work together as a group, but hand in individual submissions)
Due 6 Mar by start of class
WHAT TO HAND IN:
1. Complete diagram of the message traffic you expect to see (Appendix A)
2. Complete diagram of the message traffic you actually see (Appendix B)
Only the second item (Appendix B) will be checked for correctness. The purpose of filling
out a pre-build diagram in Appendix A is for you to see how close your intuition for
network traffic is becoming.
Goals:
By the end of this lab, each student should be able to
1. Add a second (or nth) NIC to a VM and configure it for use
2. Configure iptables to NAT traffic between two NICs
3. Configure iptables for port-forwarding
4. Be able to explain how IP addresses and port numbers change when flowing across a
NAT'ed router.
How to Build a Minimal Router from Scratch
We are going to clone our webservers and re-purpose them as our routers. The tools that we
need are already installed.
1. Clone the webserver to a new VM
a. Log into vSphere
b. In the vSphere tree of VMs (left side of screen) RMB on your group's webserver and
select "Clone..."
c. Name and Location:
i. Name: colorrouterMin (e.g. greyrouterMin)
ii. Location: Select "SI455" and your group's subdirectory
iii. Click Next
d. Specific host:
i. Select mich-resx-06.cs.usna.edu
ii. Click Next
e. Storage:
i. Select DataStore1
ii. Click Next
f. Guest Customization:
i. Do not select "Power on this machine after"
ii. Click Next
g. Ready to Complete
i. Click Finish
ii. Wait several minutes for the cloning to complete
2. Add a second NIC
a. Once the cloning is complete, select the router in the tree with LMB
b. Select the Summary tab
c. Click "Edit Settings"
i. In the popup window, click "Add..."
ii. Select "Ethernet Adapter"
iii. Click Next
iv. In "Named network with specified label" select "prism"
v. Click Next
vi. Click Finish
vii. Verify that you have a second NIC and click "OK"
d. In the Summary tab, verify that vSphere is now reporting you connected to two
network switches: "colorprivate" and "prism"
3. Remove the apache2 webserver from the router
Your new router is cloned from your webserver. It is running apache with a copy of your
webpage. We want to remove it to minimize clutter and forgotten services.
a. Power on your new router
b. sudo service apache2 stop
c. sudo apt-get purge apache2
d. sudo rm /var/www/*
4. Configure the router to use both NICs
a. sudo nano /etc/network/interfaces
b. We are going to use eth0 as the inward-facing NIC. Make the following changes to
your eth0 block:
auto eth0
iface eth0 inet static
address 10.10.1.1
netmask 255.255.255.0
dns-name-servers 10.10.1.15
c. We are going to use eth1 as the internet-facing NIC. Create a new configuration block
in this file to add eth1. Each group will have a unique IP address on the internet.
Substitute the proper address in your file:
Group    Internet-facing IP address
Grey     14.1.1.1
Red      14.2.2.2
Green    14.3.3.3
Blue     14.4.4.4
Purple   14.5.5.5
auto eth1
iface eth1 inet static
address X.X.X.X
netmask 255.0.0.0
Notice that our internet region is still in a subnet, just a really big one.
d. Save the interfaces file and exit the editor
e. sudo /etc/init.d/networking restart
f. Verify that both interfaces are recognized: ifconfig | less
g. Ping on both NICs to make sure you have connectivity:
i. ping 14.29.4.91    # prism webserver
ii. ping 10.10.1.10   # Your group's webserver
5. Tell your workstations (All machines using DHCP) about the new router
a. Select the dhcpserver in vSphere and log into it.
b. sudo nano /etc/dhcp/dhcpd.conf
c. Add the following option above the dns option:
option routers 10.10.1.1;
d. Save the file and exit the editor
e. Restart the DHCP server to make the changes take effect:
sudo service isc-dhcp-server restart
f. Log into a single workstation VM
i. Restart networking: sudo /etc/init.d/networking restart
ii. Verify your new 'route':
1. Run route
2. This program shows the OS's known routers. The first line should
show a default gateway of 10.10.1.1, with a genmask of 0.0.0.0. This
means that any message that is not destined for the local network or
another router will be sent to 10.10.1.1.
iii. Your workstations are all running dynamic addresses. They contact the DHCP
server intermittently to get updates. The time defaults to once every 10
minutes. (As set by the default-lease value in your DHCP server’s
/etc/dhcp/dhcpd.conf file.) You can just wait for this time to be up, then the
other workstations will all be able to find the router eventually.
6. Tell your servers (All machines using static IP) about the new router
a. Select the DHCP server in vSphere and log into it.
b. sudo nano /etc/network/interfaces
c. Add the following line at the bottom of the eth0 block:
gateway 10.10.1.1
d. Save the file and exit the editor.
e. Run route to see the current routes (The only available route is for 10.10.1.0, which
is your subnet address. No other addresses can be reached.)
f. sudo /etc/init.d/networking restart
g. Run route to see the current routes (You now have the default gateway in the list,
which will route any message not already matched by a router lower in the list.)
h. Repeat steps a-g for the DNS server, webserver, and email server.
7. Try to connect to a remote machine from a workstation
So are we done setting up our router? Let's run a test.
a. Log into the router. Run 'sudo tcpdump -n -q'
b. Log into a workstation. Run 'ping 14.29.4.91'
c. Observe the results from both machines.
Here is what you can expect to see:
• The ping never gets a reply.
• The router sees the ping bound for 14.29.4.91, but never replies or forwards
the message.
So here is what we still need to do: tell the router to forward the messages between
eth0 to eth1. That is a router's single most important function.
8. Set up IP forwarding and NAT on the router
We are going to configure a tool named 'iptables'. iptables is another libpcap program
that can read all network traffic. Here is the important difference between this
program and tcpdump:
[Diagram: NIC -> libpcap -> iptables -> Destination, with tcpdump hanging off libpcap to the side]
Conceptually, iptables runs in series with the delivery of an incoming packet from
the NIC to its destination (e.g. a webserver on the local machine). iptables can decide
to ACCEPT or DROP packets, as well as FORWARD them to other NICs. It can do
the same for outbound traffic as well.
tcpdump runs in parallel to the delivery system. It is notified of packets, but cannot
change them.
We can use iptables to forward packets from one NIC (eth0) to another (eth1). We
can also configure it to automatically NAT the messages, changing their IP and port
numbers as they pass.
iptables can also be programmed as a rudimentary firewall. For example, it could
drop all packets from a specific IP address or range of addresses. We will worry about
that in a later lab.
There is a good introductory reference for iptables here:
https://help.ubuntu.com/community/IptablesHowTo
Most of these commands are not going to make sense to you. We will spend more
time learning how iptables works later. For now, just run these commands:
a. Log into the router and run each of the following commands. They require 'sudo':
# Flush any existing rules
iptables -F
iptables -t nat -F
# Take a look at what an empty ruleset looks like:
iptables -L
# Set default policies to handle unmatched traffic. The iptables
# rules are a hierarchy. The default rules are what gets run if none
# of the other rules match.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -L
# Allow forwarding across the two NICs:
#(1) -I==Insert a rule at the top of the chain. Do not forward messages
# from eth0 that are bound for the private net.
iptables -I FORWARD -i eth0 -d 10.10.1.0/255.255.255.0 -j DROP
#(2) -A==Append to the chain. Forward messages from eth0 that
# originated in the private net.
iptables -A FORWARD -i eth0 -s 10.10.1.0/255.255.255.0 -j ACCEPT
#(3) -A==Append to the chain. Forward messages from eth1 that are
# bound for the private net.
iptables -A FORWARD -i eth1 -d 10.10.1.0/255.255.255.0 -j ACCEPT
#(4) Use Network Address Translation to let the router's external IP
# address masquerade as the entire network.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#(5) Tell the kernel to allow IP forwarding.
# Edit this file and change the '0' to a '1':
sudo nano /proc/sys/net/ipv4/ip_forward
# (Same effect without an editor: echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward)
# Take a look at your current iptables ruleset:
iptables -L
b. Try to ping 14.29.4.91 from a workstation again. If you configured everything
correctly, then the ping should return. If not, you can hand-edit the rules (see below)
or run "sudo iptables -F; sudo iptables -t nat -F" to flush the
rules and try again.
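As an added example (written for this edition of the handout; it is not part of the original lab and not iptables itself), the following Python simulates the FORWARD chain built by rules (1)-(3) with the DROP policy, plus the MASQUERADE translation, so you can see what Goal 4 asks you to explain: how the source address and port change as a workstation's packet crosses the NAT'ed router and how the reply is mapped back. It assumes the Grey group's external address 14.1.1.1 and constructed workstations at 10.10.1.20 and 10.10.1.21; the handling of two hosts that pick the same source port goes slightly beyond what the handout shows.

```python
import ipaddress

PRIVATE = ipaddress.ip_network("10.10.1.0/24")
EXT_IP = "14.1.1.1"  # assumed: the Grey group's eth1 address from step 4c

def forward_verdict(in_if, src, dst):
    """FORWARD chain after rules (1)-(3), evaluated top down; policy DROP."""
    src_priv = ipaddress.ip_address(src) in PRIVATE
    dst_priv = ipaddress.ip_address(dst) in PRIVATE
    if in_if == "eth0" and dst_priv:   # (1) -I: eth0 traffic for the private net
        return "DROP"
    if in_if == "eth0" and src_priv:   # (2) -A: private net going out
        return "ACCEPT"
    if in_if == "eth1" and dst_priv:   # (3) -A: replies coming back in
        return "ACCEPT"
    return "DROP"                      # iptables -P FORWARD DROP

class Masquerade:
    """Simplified connection table kept by MASQUERADE on eth1 (like conntrack)."""
    def __init__(self, ext_ip):
        self.ext_ip = ext_ip
        self.out = {}   # (src, sport, dst, dport) -> external port used
        self.back = {}  # (external port, dst, dport) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        """Workstation -> internet: source becomes router ext IP + a port."""
        key = (src, sport, dst, dport)
        if key not in self.out:
            port = sport   # the original port is kept when it is still free
            while (port, dst, dport) in self.back:
                port += 1  # another host already uses it: pick the next one
            self.out[key] = port
            self.back[(port, dst, dport)] = (src, sport)
        return (self.ext_ip, self.out[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Internet -> router ext IP: undo the translation, or None if unknown."""
        orig = self.back.get((dport, src, sport))
        if dst != self.ext_ip or orig is None:
            return None  # no connection entry: unsolicited packet, not forwarded
        return (src, sport, orig[0], orig[1])

def trace_http(nat, ws_ip, ws_port, server="14.29.4.91"):
    """Return (SYN as seen on eth1, SYN-ACK as delivered on eth0) or None."""
    if forward_verdict("eth0", ws_ip, server) != "ACCEPT":
        return None
    syn = nat.outbound(ws_ip, ws_port, server, 80)
    synack = nat.inbound(server, 80, syn[0], syn[1])
    return syn, synack
```

Compare the two tuples returned by trace_http with what tcpdump shows on eth0 versus eth1 of the router when you fill in Appendix B.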
c. Save your ruleset and make sure the router will load it on reboot:
# Save these rules in a file in the /etc/network/ directory. This
# will let us reload them at startup.
cd /etc/network
sudo sh -c "iptables-save > /etc/network/iptables.rules"
cat iptables.rules
# If you want to edit the rules by hand, use any editor on the file,
# then call this to load the new rules right away:
sudo sh -c "iptables-restore < iptables.rules"
# There are multiple ways to make the rules apply on reboot. We are
# going to load the rules from a script in the /etc/network/if-pre-up.d/
# directory. Any script in this directory will automatically
# run immediately before the network restarts.
cd /etc/network/if-pre-up.d/
sudo touch iptablesload
sudo chmod ug+x iptablesload
sudo nano iptablesload
# Edit the file to add the following code:
#!/bin/sh
iptables-restore < /etc/network/iptables.rules
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
# Save the file and exit the editor
d. You should reboot your router to make sure that this works. After the reboot:
i. Run 'sudo iptables -L' in the router to make sure rules are loaded.
ii. ping 14.29.4.91 from a workstation
Tracking a web request
Each student needs to hand in their own copies of the following two pages. On those pages, you
map each packet that gets sent for a single web request from your personal workstation to the
prism webserver. To map the request:
1. Fill in the diagram in Appendix A with what you think packet flow will look like across
the router for a web request. *** Do not be afraid of being wrong on this part ***
2. Start tcpdump on the router
3. Open http://14.29.4.91 in your browser, let tcpdump capture the packets.
4. Stop tcpdump after the download is complete.
5. Fill in the diagram in Appendix B with what you actually observe from tcpdump
For each packet, you need to indicate the following:
• Source IP address & port number
• Destination IP address & port number
• Protocol (TCP or ARP)
• For ARP, indicate one of the following: (ARP Request, ARP Reply)
• For TCP, indicate what flags are set: (SYN, FIN, PUSH, RST, ACK)
o tcpdump displays them in brackets like this: [SFPR.]
Here is an example of the detail I am after, using only two machines:
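As an added example that is not part of the handout, here is a small Python parser for lines in the default 'tcpdump -n' output format. It pulls out exactly the fields the Appendix B diagram asks for (addresses and ports, ARP Request/Reply, and the TCP flags from the [S.] bracket) and checks that the three-way handshake was captured. The sample lines are constructed, not a real capture; note that the -q option used in step 7 suppresses the Flags field, so capture the web request without it.

```python
import re

# Constructed lines in the default 'tcpdump -n' format (not a real capture).
SAMPLE = """\
12:00:01.000001 ARP, Request who-has 10.10.1.1 tell 10.10.1.20, length 28
12:00:01.000201 ARP, Reply 10.10.1.1 is-at 00:0c:29:aa:bb:cc, length 28
12:00:01.000500 IP 10.10.1.20.51000 > 14.29.4.91.80: Flags [S], seq 1, win 29200, length 0
12:00:01.010000 IP 14.29.4.91.80 > 10.10.1.20.51000: Flags [S.], seq 9, ack 2, win 28960, length 0
12:00:01.010100 IP 10.10.1.20.51000 > 14.29.4.91.80: Flags [.], ack 1, win 229, length 0
12:00:01.010500 IP 10.10.1.20.51000 > 14.29.4.91.80: Flags [P.], seq 1:80, ack 1, length 79
"""

# Letters tcpdump prints inside [...] mapped to the names the diagram wants.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PUSH", "R": "RST", ".": "ACK"}
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
ARP_RE = re.compile(r"ARP, (Request|Reply) (.+?), length")

def parse_line(line):
    """Return the diagram fields for one tcpdump line, or None if unrecognised."""
    m = TCP_RE.search(line)
    if m:
        src, sport, dst, dport, flags = m.groups()
        return {"proto": "TCP", "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                "flags": [FLAG_NAMES[c] for c in flags if c in FLAG_NAMES]}
    m = ARP_RE.search(line)
    if m:
        return {"proto": "ARP", "kind": "ARP " + m.group(1), "detail": m.group(2)}
    return None

def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def diagram_rows(text):
    """One printable row per packet, in capture order, for the Appendix table."""
    out = []
    for p in parse_capture(text):
        if p["proto"] == "ARP":
            out.append(f'{p["kind"]} {p["detail"]}')
        else:
            out.append(f'TCP {p["src"]} -> {p["dst"]} [{", ".join(p["flags"])}]')
    return out

def handshake_complete(text):
    """True when the first three TCP packets are SYN, SYN-ACK, ACK in order."""
    tcp = [p["flags"] for p in parse_capture(text) if p["proto"] == "TCP"]
    return tcp[:3] == [["SYN"], ["SYN", "ACK"], ["ACK"]]

if __name__ == "__main__":
    print("\n".join(diagram_rows(SAMPLE)))
```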
Name: ____________    Section: ________    Team color: _________
SI455 – Computer Networking
Lab 3 Appendix A - Pre-tcpdump, Educated Guess
Workstation        Router                       Prism webserver
10.10.1.1__        10.10.1.1 - 14._._._         14.29.4.91
Name: ____________    Section: ________    Team color: _________
SI455 – Computer Networking
Lab 3 Appendix B - Tcpdump Observations
Workstation        Router                       Prism webserver
10.10.1.1__        10.10.1.1 - 14._._._         14.29.4.91