The router assignment


Internet Sharing


Your ISP gives you a single IP addr (external IP addr) But you can't assign this single addr to all your PCs


Build a private network Setup a PC in the network takes that IP and helps other PCs to access the Internet

This is the gateway of your network, your router basically acts like a gateway

Internet Sharing

Build a private network

Your PCs are given IP addrs that belongs to a private subnet (e.g. You should use ”DHCP server” to automatically assign IP addr, but now assume you setup manually. (using ifconfig)


Internet Sharing

Setup the gateway

First it should forward packets between the private network and the Internet # echo 1 > /proc/sys/net/ipv4/ip_forward But your PCs are using private IP addrs So you need to setup NAT on the gateway


Internet Sharing

Setup NAT on gateway

What should the NAT do?

Replace ”src addr” of out-going packets with the external IP addr

Iptables help you do the tricks

In Iptables, the table ”nat” is for this purpose You need to alter the ”POSTROUTING” chain

Routing Rules


Internet Sharing

Setup Iptables for NAT

iptables –t nat –A POSTROUTING –d ! –s <client_ip> -p tcp –j MASQUERADE

To list the rules in the “nat” table (-n gives faster result by eliminating dns lookup)

Iptables –t nat –L –n

Other iptables options

Iptables –t nat –F: clear the table Iptalbes –t nat –D POSTROUTING 1: delete the first rule in the POSTROUTING chain Iptalbes –t nat –R POSTROUTING 2 …: replace the 2nd rule with new one Iptalbes –t nat –I PREROUTING 3 …: insert a rule between the 3rd and 4th rule


Internet Sharing

The above slides are about the gateway, how about the other PCs? They should know who will forward the packet for them This is done by setting the gateway address:

route add default gw


Internet Sharing

Now the Internet Sharing part is completed. You can now share the Internet connection among your home PCs! Your homebrew router got basic function
 


Port forwarding

Say, you are hosting a web server at PC A You want to open the server to people outside your network They contact your server at <external IP address, port 80> Your router should decide which PC should receive the packet Change the dst address of IP packet, forward the packet to the destination PC

NAT again!


Port forwarding

Similar to the previous rule, but we now change the dst IP addr instead of src one Which chain to modify? PREROUTING or POSTROUTING? The dst IP addr is modified before the packet is routed, so answer is: PREROUTING (iptables -t nat –A PREROUTING -d -s ! –p tcp –dport 2222 –j DNAT –to-destination

Routing Rules


Packet filtering

An example:

Suppose you want to stop your family members from connecting to a hazardous host Then your router should drop IP packets that heads to that host

Iptables can do this for you The “filter” table controls the transmission of packets that…

headed for the router originated from the router forwarded through the router (i.e. the conversation between the home PCs and outsiders)


Packet filtering

There are three chains in the “filter” table For traffic that not originated from nor headed to the router, modify the FORWARD chain

Packets from LAN or WAN

Packets to LAN or WAN

Routing Rules

Router’s Local Processes

ERGWAVE-style login system

The desired feature:
 

Internet sharing is only for authenticated users Upon browsing external pages, non-authenticated users are redirected to the login page After successful login, the users are redirected back to the external pages How do you redirect users to the login page? How do you NOT redirect authenticated user to the login page? How do you bring users back to the external pages?

There are three problems
 

ERGWAVE-style login system

Problem 1 – Redirection to login page

Like port forwarding, we use DNAT, modify the dst addr (and port if needed) of packets from home PCs Add a rule to the PREROUTING chain to modify the dst addr to the router ip The Apache server on the router should respond to the request But note that the URL (document path) in the HTTP request packet are left unchanged
 

 

e.g. --> Your Apache server will blame you with error 404 Setup a new Apache virtual host (covered in last tutorial), or Write a simple web server (sample code released)

You should setup a different web server to handle this
 

Method of redirection: HTTP response 302 -- Moved temporarily (try to Google the protocol)

ERGWAVE-style login system

Problem 2 – Avoid redirection

The IP addresses of authenticated users are known The redirection rule should be by-passed Insert a rule to the PREROUTING chain, before the redirection rule

Rules in a chain are executed from top to bottom Iptables –t nat –I PREROUTING 1 ….

This rule check if the IP addr is authenticated, if so, let the packet through and ignore the remaining rules

You may use “-j ACCEPT” (or “–j RETURN” which rely on default policy of the chain)

ERGWAVE-style login system

Problem 3 - Returning to the external site

The site URL should not be forgotten How do you know the URL?
 

From the GET and HOST fields in HTTP request message Read it in your own simple web server, or PHP, or…

“Request packet” with no proxy
GET / HTTP/1.1 Host: User-Agent: Mozilla/5.0 … Firefox/ GTB5 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,t ext/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: UTF-8,* Keep-Alive: 300 Connection: keep-alive …

Through Proxy
GET http://www/ HTTP/1.1 Host: www User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/ GTB5 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,t ext/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: UTF-8,* Keep-Alive: 300 Proxy-Connection: keep-alive Cookie: slider1=slider1:4

ERGWAVE-style login system

Problem 3 - Returning to the external site

How do you remember it?
  

Encode into the URL of the router Web UI, or Store in cookies (refer to the lecture notes), or Store in router storage (Maintain a mapping between user IP address and external page URL)



In “login mode”, user got the right to access Internet after logged in. This access right got timeout after a specified time period The user will need to login again

This job of removing access right from user is automatic, perform at a certain time This can be done by cron

cron, crontab

Cron is a daemon to execute scheduled commands Crontab is a utility that manipulate the schedule of cron The schedule is in a table format, you may modify by using a text editor (try: crontab -e) Example - Adding a task in command prompt:

# echo “* * * * * date >> /root/beat.txt” | crontab -u root This will write the date and time info to the file every minute

Format of a line of task:

minute hour day month day_of_week command e.g. “30 7 * * 1-5 alarm” means for every week day, makes the alarm call at 7:30

The above command would override the cron schedule To append jobs to crontab, use “crontab -l” to dump the contents to a file first, append the new job to the file, and reload the crontab by “crontab filename” Note that cron is for repeating routines, for onetime-only jobs, you may use “atd”:


Restart atd daemon first: /etc/init.d/atd restart echo “date > test.txt” | at NOW + 5 minutes


Sign up to vote on this title
UsefulNot useful