Collaboration Policy: CP-6 (Work together as a group, but hand in individual submissions)

SI455 – Advanced Computer Networking
Lab3: Building a Minimal Router (v1.1)
Due 6 Mar by start of class

WHAT TO HAND IN:
1. Complete diagram of the message traffic you expect to see (Appendix A)
2. Complete diagram of the message traffic you actually see (Appendix B)

Only the second item (Appendix B) will be checked for correctness. The purpose of filling out a pre-build diagram in Appendix A is for you to see how close your intuition for network traffic is becoming.

Goals: By the end of this lab, each student should be able to
1. Add a second (or nth) NIC to a VM and configure it for use
2. Configure iptables to NAT traffic between two NICs
3. Configure iptables for port-forwarding
4. Explain how IP addresses and port numbers change when flowing across a NAT'ed router.

How to Build a Minimal Router from Scratch

We are going to clone our webservers and re-purpose them as our routers. The tools that we need are already installed.

1. Clone the webserver to a new VM
   a. Log into vSphere
   b. In the vSphere tree of VMs (left side of screen), RMB on your group's webserver and select "Clone..."
   c. Name and Location:
      i. Name: colorrouterMin (e.g. greyrouterMin)
      ii. Location: Select "SI455" and your group's subdirectory
      iii. Click Next
   d. Specific host:
      i. Select mich-resx-06.cs.usna.edu
      ii. Click Next
   e. Storage:
      i. Select DataStore1
      ii. Click Next
   f. Guest Customization:
      i. Do not select "Power on this machine after"
      ii. Click Next
   g. Ready to Complete
      i. Click Finish
      ii. Wait several minutes for the cloning to complete

2. Add a second NIC
   a. Once the cloning is complete, select the router in the tree with LMB
   b. Select the Summary tab
   c. Click "Edit Settings"
      i. In the popup window, click "Add..."
      ii. Select "Ethernet Adapter"
      iii. Click Next
      iv. In "Named network with specified label" select "prism"
      v. Click Next
      vi. Click Finish
      vii. Verify that you have a second NIC and click "OK"
   d. In the Summary tab, verify that vSphere is now reporting you connected to two network switches: "colorprivate" and "prism"

3. Remove the apache2 webserver from the router
   Your new router is cloned from your webserver. It is running apache with a copy of your webpage. We want to remove it to minimize clutter and forgotten services.
   a. Power on your new router
   b. sudo service apache2 stop
   c. sudo apt-get purge apache2
   d. sudo rm /var/www/*

4. Configure the router to use both NICs
   a. sudo nano /etc/network/interfaces
   b. We are going to use eth0 as the inward-facing NIC. Make the following changes to your eth0 block:

      auto eth0
      iface eth0 inet static
      address 10.10.1.1
      netmask 255.255.255.0
      dns-nameservers 10.10.1.15

   c. We are going to use eth1 as the internet-facing NIC. Create a new configuration block in this file to add eth1. Each group will have a unique IP address on the internet. Substitute the proper address in your file:

      Group    Internet-facing IP address
      Grey     14.1.1.1
      Red      14.2.2.2
      Green    14.3.3.3
      Blue     14.4.4.4
      Purple   14.5.5.5

      auto eth1
      iface eth1 inet static
      address X.X.X.X
      netmask 255.0.0.0

      Notice that our internet region is still in a subnet, just a really big one.
   d. Save the interfaces file and exit the editor
   e. sudo /etc/init.d/networking restart
   f. Verify that both interfaces are recognized: ifconfig | less
   g. Ping on both NICs to make sure you have connectivity:
      i. ping 14.29.4.91    # prism webserver
      ii. ping 10.10.1.10   # Your group's webserver

5. Tell your workstations (all machines using DHCP) about the new router
   a. Select the dhcpserver in vSphere and log into it.
   b. sudo nano /etc/dhcp/dhcpd.conf
   c. Add the following option above the dns option:
      option routers 10.10.1.1;
   d. Save the file and exit the editor
   e. Restart the DHCP server to make the changes take effect:
      sudo service isc-dhcp-server restart
   f. Log into a single workstation VM
      i. Restart networking: sudo /etc/init.d/networking restart
      ii. Verify your new route:
         1. Run route
         2. This program shows the OS's known routers. The first line should show a default gateway of 10.10.1.1, with a genmask of 0.0.0.0. This means that any message that is not destined for the local network or another router will be sent to 10.10.1.1.
      iii. Your workstations are all running dynamic addresses. They contact the DHCP server intermittently to get updates. The time defaults to once every 10 minutes (as set by the default-lease value in your DHCP server's /etc/dhcp/dhcpd.conf file). You can just wait for this time to be up; the other workstations will then all be able to find the router.

6. Tell your servers (all machines using static IP) about the new router
   a. Select the DHCP server in vSphere and log into it.
   b. sudo nano /etc/network/interfaces
   c. Add the following line at the bottom of the eth0 block:
      gateway 10.10.1.1
   d. Save the file and exit the editor.
   e. Run route to see the current routes (the only available route is for 10.10.1.0, which is your subnet address; no other addresses can be reached).
   f. sudo /etc/init.d/networking restart
   g. Run route to see the current routes (you now have the default gateway in the list, which will route any message not already matched by a route lower in the list).
   h. Repeat steps a-g for the DNS server, webserver, and email server.

7. Try to connect to a remote machine from a workstation
   So are we done setting up our router? Let's run a test.
   a. Log into the router. Run 'sudo tcpdump -n -q'
   b. Log into a workstation. Run 'ping 14.29.4.91'
   c. Observe the results from both machines. Here is what you can expect to see:
      • The ping never gets a reply.
      • The router sees the ping bound for 14.29.4.91, but never replies or forwards the message.
   So here is what we still need to do: tell the router to forward the messages between eth0 and eth1. That is a router's single most important function.

8. Set up IP forwarding and NAT on the router
   We are going to configure a tool named 'iptables'. iptables is another libpcap program that can read all network traffic. Here is the important difference between this program and tcpdump:

      [Diagram: NIC -> iptables -> Destination (in series); NIC -> libpcap -> tcpdump (tapping the traffic in parallel)]

   Conceptually, iptables runs in series with the delivery of an incoming packet from the NIC to its destination (e.g. a webserver on the local machine). iptables can decide to ACCEPT or DROP packets, as well as FORWARD them to other NICs. It can do the same for outbound traffic as well. tcpdump runs in parallel to the delivery system. It is notified of packets, but cannot change them.

   We can use iptables to forward packets from one NIC (eth0) to another (eth1). We can also configure it to automatically NAT the messages, changing their IP and port numbers as they pass. iptables can also be programmed as a rudimentary firewall. For example, it could drop all packets from a specific IP address or range of addresses. We will worry about that in a later lab.

   There is a good introductory reference for iptables here: https://help.ubuntu.com/community/IptablesHowTo

   Most of these commands are not going to make sense to you. We will spend more time learning how iptables works later. For now, just run these commands:

   a. Log into the router and run each of the following commands. They require 'sudo':

      # Flush any existing rules
      iptables -F
      iptables -t nat -F

      # Take a look at what an empty ruleset looks like:
      iptables -L

      # Set default policies to handle unmatched traffic. The iptables rules are a hierarchy.
      # The default policies are what gets applied if none of the other rules match.
      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD DROP
      iptables -L

      # Allow forwarding across the two NICs:
      # (1) -I == Insert the rule at the top of the chain. Do not forward messages from eth0 that are bound for the private net.
      iptables -I FORWARD -i eth0 -d 10.10.1.0/255.255.255.0 -j DROP
      # (2) -A == Append to the chain. Forward messages from eth0 that originated in the private net.
      iptables -A FORWARD -i eth0 -s 10.10.1.0/255.255.255.0 -j ACCEPT
      # (3) -A == Append to the chain. Forward messages from eth1 that are bound for the private net.
      iptables -A FORWARD -i eth1 -d 10.10.1.0/255.255.255.0 -j ACCEPT
      # (4) Use Network Address Translation to let the router's external IP address masquerade as the entire network.
      iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

      # (5) Tell the kernel to allow IP forwarding.
      # Edit this file and change the '0' to a '1':
      sudo nano /proc/sys/net/ipv4/ip_forward

      # Take a look at your current iptables ruleset:
      iptables -L

   b. Try to ping 14.29.4.91 from a workstation again. If you configured everything correctly, then the ping should return. If not, you can hand-edit the rules (see below) or run "sudo iptables -F; sudo iptables -t nat -F" to flush the rules and try again.

   c. Save your ruleset and make sure the router will load it on reboot:

      # Save these rules in a file in the /etc/network/ directory. This will let us reload them at startup.
      cd /etc/network
      sudo sh -c "iptables-save > /etc/network/iptables.rules"
      cat iptables.rules

      # If you want to edit the rules by hand, use any editor on the file, then call this to load the new rules right away:
      sudo sh -c "iptables-restore < iptables.rules"

      # There are multiple ways to make the rules apply on reboot. We are going to load the rules from a script in the
      # /etc/network/if-pre-up.d/ directory. Any script in this directory will automatically run immediately before the network restarts.
      cd /etc/network/if-pre-up.d/
      sudo touch iptablesload
      sudo chmod ug+x iptablesload
      sudo nano iptablesload

      # Edit the file to add the following code:
      #!/bin/sh
      iptables-restore < /etc/network/iptables.rules
      echo 1 > /proc/sys/net/ipv4/ip_forward
      exit 0

      # Save the file and exit the editor

   d. You should reboot your router to make sure that this works. After the reboot:
      i. Run 'sudo iptables -L' in the router to make sure rules are loaded.
      ii. ping 14.29.4.91 from a workstation

Tracking a web request

Each student needs to hand in their own copies of the following two pages. On those pages, you map each packet that gets sent for a single web request from your personal workstation to the prism webserver.

To map the request:
1. Fill in the diagram in Appendix A with what you think packet flow will look like across the router for a web request.
   *** Do not be afraid of being wrong on this part ***
2. Start tcpdump on the router
3. Open http://14.29.4.91 in your browser, let tcpdump capture the packets.
4. Stop tcpdump after the download is complete.
5. Fill in the diagram in Appendix B with what you actually observe from tcpdump

For each packet, you need to indicate the following:
   • Source IP address & port number
   • Destination IP address & port number
   • Protocol (TCP or ARP)
   • For ARP, indicate one of the following: (ARP Request, ARP Reply)
   • For TCP, indicate what flags are set: (SYN, FIN, PUSH, RST, ACK)
      o tcpdump displays them in brackets like this: [SFPR.]
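As an added illustration that is not part of the lab handout, the following Python model shows two things the step 8 ruleset does and that you should see reflected in Appendix B: first-match evaluation of the FORWARD chain (rule (1) was inserted with -I, so it sits above the ACCEPT in rule (2) and wins for eth0 packets aimed at 10.10.1.x), and the source address/port rewriting the MASQUERADE rule performs on the eth1 side, including what happens to an unsolicited inbound packet with no matching state. The external address 14.1.1.1 is Grey's value from the table; the inside hosts and ports are constructed sample values, and the connection tracker is a deliberate simplification of the kernel's.

```python
import ipaddress

PRIVATE = ipaddress.ip_network("10.10.1.0/24")
EXT_IP = "14.1.1.1"  # Grey's eth1 address from the handout table (sample choice)

# FORWARD chain as built in step 8: rule (1) was inserted with -I so it sits
# first; (2) and (3) were appended with -A. A rule is (in_iface, src_net,
# dst_net, target); None means "match any".
FORWARD = [
    ("eth0", None, PRIVATE, "DROP"),
    ("eth0", PRIVATE, None, "ACCEPT"),
    ("eth1", None, PRIVATE, "ACCEPT"),
]
FORWARD_POLICY = "DROP"  # iptables -P FORWARD DROP


def forward_verdict(in_iface, src, dst):
    """First matching rule wins; a packet no rule matches gets the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, src_net, dst_net, target in FORWARD:
        if (iface == in_iface and (src_net is None or s in src_net)
                and (dst_net is None or d in dst_net)):
            return target
    return FORWARD_POLICY


class Masquerade:
    """Toy connection tracker for 'iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE'."""

    def __init__(self, ext_ip):
        self.ext_ip = ext_ip
        # (ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source to the router's eth1 address; keep the port unless another host holds it."""
        ext_port = src_port
        while self.table.get((ext_port, dst_ip, dst_port), (src_ip, src_port)) != (src_ip, src_port):
            ext_port = ext_port + 1 if ext_port < 65535 else 1024
        self.table[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.ext_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse the translation for a reply; None means no state exists, so it is dropped."""
        if dst_ip != self.ext_ip:
            return None
        inside = self.table.get((dst_port, src_ip, src_port))
        return None if inside is None else (src_ip, src_port, inside[0], inside[1])
```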
Here is an example of the detail I am after, using only two machines:

Name: ____________   Section: ________   Team color: _________

SI455 – Computer Networking Lab 3
Appendix A - Pre-tcpdump, Educated Guess

Workstation 10.10.1.1__        Router 10.10.1.1 - 14._._._        Prism webserver 14.29.4.91


Name: ____________   Section: ________   Team color: _________

SI455 – Computer Networking Lab 3
Appendix B - Tcpdump Observations

Workstation 10.10.1.1__        Router 10.10.1.1 - 14._._._        Prism webserver 14.29.4.91