worksheet 9 worksheet 9
play

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, - PowerPoint PPT Presentation

Feb 09, 2024 •152 likes •366 views

Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet filtering, traffic shaping shaping Linux as a router Linux as a router Capable of acting as a router, firewall, traffic Capable of acting as a

  1. Worksheet 9 Worksheet 9 Linux as a router, packet filtering, traffic Linux as a router, packet filtering, traffic shaping shaping

  2. Linux as a router Linux as a router Capable of acting as a router, firewall, traffic Capable of acting as a router, firewall, traffic shaper shaper (so are most other modern operating systems) (so are most other modern operating systems) T ools: T ools: netfilter/iptables netfilter/iptables tc tc

  3. Netfilter / Iptables Netfilter / Iptables The Linux Packet filtering framework The Linux Packet filtering framework 2 axes of organisation: 2 axes of organisation: Chains - when when does the interception occur? does the interception occur? Chains - T ables - what what can be done (functionality)? can be done (functionality)? T ables -

  4. Graphical Overview Graphical Overview

  5. Iptables: Chains Iptables: Chains Chains - when? Chains - when? PREROUTING - before remote/local decision - before remote/local decision PREROUTING INPUT - before locally destined traffic is admitted - before locally destined traffic is admitted INPUT OUTPUT - before locally generated traffic is routed - before locally generated traffic is routed OUTPUT FORWARD - non-local packets - non-local packets FORWARD POSTROUTING - before packet leaves system before packet leaves system POSTROUTING -

  6. Iptables: T ables Iptables: T ables T ables: functionality T ables: functionality filter (default) - block packets - block packets filter (default) on INPUT, OUTPUT, FORWARD INPUT, OUTPUT, FORWARD on nat - change packet src/dst address/port - change packet src/dst address/port nat on PREROUTING , POSTROUTING PREROUTING , POSTROUTING on ... ...

  7. The Matrix - common The Matrix - common uses uses PRE- INPUT OUTPUT FORWARD POST- ROUTIN ROUTING G filter filter filter filter incoming outgoing forwarded nat DNAT SNAT mangle mark, manipulate packets

  8. Anatomy of a chain Anatomy of a chain Essentially a list of tuples <pattern, target> Essentially a list of tuples <pattern, target> Pattern Target -s 10.1.2.3 ACCEPT -d 10.2.3.4 -p tcp --dport 3306 DROP -s 10.2.3.4 -p tcp --dport 22 -m state LOG --state=NEW ... ... First match wins! First match wins!

  9. Iptables invocation Iptables invocation T o add a rule to a chain: T o add a rule to a chain: iptables [-t <TABLE>] -A <CHAIN> <PATTERN> iptables [-t <TABLE>] -A <CHAIN> <PATTERN> -j <TARGET> -j <TARGET> List existing rules List existing rules iptables [-t <TABLE>] -L [<CHAIN>] [-v] [-n] iptables [-t <TABLE>] -L [<CHAIN>] [-v] [-n] Delete a rule from a chain Delete a rule from a chain iptables [-t <TABLE>] -D <CHAIN> rule num iptables [-t <TABLE>] -D <CHAIN> rule num As always: man iptables man iptables is your friend is your friend As always:

  10. Some rule patterns Some rule patterns -s 1.2.3.4 from source IP 1.2.3.4 -d 1.2.3.5 to destination IP 1.2.3.5 -p tcp protocol tcp tcp/udp : --[sd]port 80 src/destination port 80 icmp: --icmp-type echo- ping echo request request

  11. Some rule targets Some rule targets ACCEPT accept packet for this stage DROP drop packet immediately (and silently) LOG log packet to syslog REJECT drop packet and send an ICMP error message to the source

  12. Stateful Filtering Stateful Filtering Problem of stateless filters: Related packets flow in Problem of stateless filters: Related packets flow in both directions - how to correlate both directions - how to correlate TCP - can look at TCP-state (and rely on the TCP TCP - can look at TCP-state (and rely on the TCP state of the protected host to behave properly) state of the protected host to behave properly) UDP - stateless... UDP - stateless... How would you create a rule that matches How would you create a rule that matches „Answers to DNS queries that were sent out“ ? ? „Answers to DNS queries that were sent out“ => Stateful Filtering => Stateful Filtering

  13. Stateful Filtering: Stateful Filtering: Principles Principles The firewall tracks and maintains higher layer The firewall tracks and maintains higher layer communication state communication state „A has sent out a DNS query to B and is A has sent out a DNS query to B and is „ expecting an answer“ expecting an answer“ Rules can be built that match the protocol / Rules can be built that match the protocol / correspondence state correspondence state

  14. Stateful Filtering in Stateful Filtering in iptables iptables Rules match communication state Rules match communication state ... -m state --state NEW|ESTABLISHED|RELATED ... -m state --state NEW|ESTABLISHED|RELATED State automatically tracked by the conntrack conntrack State automatically tracked by the module module TCP state TCP state UDP <src_ip,srcport,dst_ip, dst_port> tuples w/ UDP <src_ip,srcport,dst_ip, dst_port> tuples w/ timeout timeout application specific helper modules (FTP) application specific helper modules (FTP)

  15. Traffic Shaping Traffic Shaping limit bandwidth allocation to specific classes of limit bandwidth allocation to specific classes of service service by nature of the Internet: can only limit what by nature of the Internet: can only limit what you send send , not what you , not what you receive receive you ... but most of the bulky traffic will adapt! (TCP ... but most of the bulky traffic will adapt! (TCP Slowstart) Slowstart)

  16. The principle: T oken The principle: T oken bucket bucket Kurose, Ross Kurose, Ross bucket can hold b tokens bucket can hold b tokens tokens generated at rate r token/sec unless tokens generated at rate r token/sec unless bucket full bucket full only send packet if you have a token only send packet if you have a token

  17. T oken buckets in Linux T oken buckets in Linux tc can be used with the tbf tbf (token bucket) (token bucket) tc can be used with the qdisc (queing discipline) to limit throughput on (queing discipline) to limit throughput on qdisc an interface: an interface: tc qdisc add dev <DEV> root tbf rate <rate>kbit tc qdisc add dev <DEV> root tbf rate <rate>kbit latency <latency>ms burst <burst_rate>kbit latency <latency>ms burst <burst_rate>kbit Parameters: Parameters: rate maximum allowed average bandwidth maximum allowed average bandwidth rate burst - maximum allowed burst bandwidth - maximum allowed burst bandwidth burst

  18. Classful Trafficshaping: Classful Trafficshaping: HTB HTB HTB := Hierarchical T oken Bucket HTB := Hierarchical T oken Bucket Can define a hierarchy of traffic classes hierarchy of traffic classes , and , and Can define a assign limits assign limits rate - the average allowed bandwidth - the average allowed bandwidth rate ceil - burst bandwidth allowed when buckets are - burst bandwidth allowed when buckets are ceil present present prio - priority for spare bandwidth - classes with - priority for spare bandwidth - classes with prio lower prios are offered the bandwidth first lower prios are offered the bandwidth first

  19. Deploying HTB (I) Deploying HTB (I) 1. Enable qdisc qdisc (Queuing discipline) for the (Queuing discipline) for the 1. Enable device and define a root class handle (1:0) device and define a root class handle (1:0) tc qdisc add dev <DEVICE> root handle 1:0 tc qdisc add dev <DEVICE> root handle 1:0 htb default <default_class> htb default <default_class> 2. Define a class (1:10 here) 2. Define a class (1:10 here) tc class add dev <DEVICE> parent 1:0 classid 1:10 tc class add dev <DEVICE> parent 1:0 classid 1:10 htb rate 100kbit ceil 150kbit prio 0 htb rate 100kbit ceil 150kbit prio 0

  20. Deploying HTB (II) Deploying HTB (II) 3. Mark packets that should belong to the class, using iptables‘ mangle 3. Mark packets that should belong to the class, using iptables‘ mangle facility (there is other ways, but follow me on this) facility (there is other ways, but follow me on this) 4. Stuff marked packets with x into class x and assign to appropriate 4. Stuff marked packets with x into class x and assign to appropriate qdisc. qdisc. iptables -A POSTROUTING -t mangle <PATTERN> iptables -A POSTROUTING -t mangle <PATTERN> -j MARK --set-mark 10 -j MARK --set-mark 10 tc filter add dev <DEV> parent 1:0 prio 0 tc filter add dev <DEV> parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10 protocol ip handle 10 fw flowid 1:10

  21. That‘s all! That‘s all! Worksheet 9 is due Worksheet 9 is due Friday, July 3th, 2009, 08:00 Friday, July 3th, 2009, 08:00 am am

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Worksheet 10 A bit of SNMP Organisational stuff short extra-credit worksheet worth 50 points

Worksheet 10 A bit of SNMP Organisational stuff short extra-credit worksheet worth 50 points

Worksheet 10 A bit of SNMP Organisational stuff short extra-credit worksheet worth 50 points wont add to the required total score (885) =&gt; you need 663 to pass, 840 for a strait 1.0 &lt;25% rule still counts (and includes this worksheet)

660 views • 11 slides
Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet,

Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet,

Magic Wand One-Page Proposal Worksheet Visit www.GrantsMagic.org for downloadable worksheet, examples, and FREE video training to get you started! Purpose: The Magic Wand One-Page Proposal Worksheet (next page) is one of the mightiest

418 views • 5 slides
WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they

WORKSHEET 1: ANALYSIS What are the strengths and weaknesses of your community? How will they impact your marketing strategy? Brand Acceleration, Inc. | Indianapolis, IN 317-536-6255 | brandaccel.com WORKSHEET 2: TARGETS Based on your

290 views • 3 slides
ANTHROPOMETRIC MEASUREMENT TRAINING Michigan WIC 201920 Anthropometric PRINT PRINT

ANTHROPOMETRIC MEASUREMENT TRAINING Michigan WIC 201920 Anthropometric PRINT PRINT

7/17/2020 ANTHROPOMETRIC MEASUREMENT TRAINING Michigan WIC 201920 Anthropometric PRINT PRINT Measurement Training ATTACHMENTS Worksheet 1 Worksheet 2 Worksheet 3 LINKS LINKS Worksheet 4 Worksheet 5 Agenda PowerPoint Pgs. 1 36

999 views • 59 slides
Collecting Today's Homework - Worksheet Handed out Yesterday HW Due tomorrow: Maze Worksheet

Collecting Today's Homework - Worksheet Handed out Yesterday HW Due tomorrow: Maze Worksheet

March 08, 2016 Unit: Solving Equations Aim : How do we solve linear equations? Date: 3-8-2016 OCW : Maze Worksheet Collecting Today's Homework - Worksheet Handed out Yesterday HW Due tomorrow: Maze Worksheet March 08, 2016 Unit: Solving

177 views • 6 slides
MINNESOTA HFMA 2019 Regulatory Conference Worksheet S-10 Here To Stay: A First Look at MAC S-10

MINNESOTA HFMA 2019 Regulatory Conference Worksheet S-10 Here To Stay: A First Look at MAC S-10

MINNESOTA HFMA 2019 Regulatory Conference Worksheet S-10 Here To Stay: A First Look at MAC S-10 Audits November 7, 2019 Jeff Norman, Senior Manager Kyle Pennington, Manager OUTLINE Uncompensated Care Background Worksheet S-10

488 views • 44 slides
Data Collection Worksheet After you have collected your vibrating beam data in the CRSC

Data Collection Worksheet After you have collected your vibrating beam data in the CRSC

2005 SAMSI/CRSC Undergraduate Workshop: May 30 June 3 Data Collection Worksheet After you have collected your vibrating beam data in the CRSC Laboratory, please take some time to com- plete this worksheet. Work in your teams. We will discuss

412 views • 3 slides
Apco 1p01 Working within a Spreadsheet Creating a Worksheet What is a Spreadsheet? n

Apco 1p01 Working within a Spreadsheet Creating a Worksheet What is a Spreadsheet? n

13-09-20 Apco 1p01 Working within a Spreadsheet Creating a Worksheet What is a Spreadsheet? n Spreadsheet is a tool to organize numerical data n Spreadsheet, sheet and worksheet are terms that are used interchangeably n Used in

327 views • 8 slides
OUTLINE Overview of FY 2020 IPPS Proposed Rule as it pertains to Worksheet S-10 Worksheet

OUTLINE Overview of FY 2020 IPPS Proposed Rule as it pertains to Worksheet S-10 Worksheet

5/7/2019 Worksheet S-10 Here To Stay: A First Look at MAC S-10 Audits May 14, 2019 Jeff Norman, Senior Client Relations Manager Kyle Pennington, Client Relations Manager Region 9 Webinar 1 OUTLINE Overview of FY 2020 IPPS Proposed Rule

629 views • 27 slides
Tutorial worksheet 10 What you have done so far. You have so far configured VLANs

Tutorial worksheet 10 What you have done so far. You have so far configured VLANs

Tutorial worksheet 10 What you have done so far. You have so far configured VLANs Routing protocols with in the backbone network (RIP, OSPF, BGP). Wireless mesh networking. IPv6 Firewall policies on linux. And

205 views • 19 slides
Homework Due date Tucker Rosen Mat 3770 4/7 4.1 9.6, set 1 Week 11 4/7 DijkstraI

Homework Due date Tucker Rosen Mat 3770 4/7 4.1 9.6, set 1 Week 11 4/7 DijkstraI

Homework Due date Tucker Rosen Mat 3770 4/7 4.1 9.6, set 1 Week 11 4/7 DijkstraI worksheet 4/9 9.6, set 2 4/9 DijkstraII worksheet Spring 2014 4/11 3.4 10.5 4/11 TSP worksheet 1 2 Week 11 More Student

420 views • 7 slides
2. Effective Writing: Student will demonstrate the ability to write effectively for a variety of

2. Effective Writing: Student will demonstrate the ability to write effectively for a variety of

ELO Presentation of Learning Worksheet Use this worksheet to ensure you are ready for your presentation of learning. Each section will list the ELO competency and/or content competency and indicators. There will be a space for you to list your

381 views • 10 slides
BUDGET RESOURCES BUDGET DEVELOPMENT CALENDAR 2020-21 SUMMARY BUDGET WORKSHEET 2020-21

BUDGET RESOURCES BUDGET DEVELOPMENT CALENDAR 2020-21 SUMMARY BUDGET WORKSHEET 2020-21

BUDGET RESOURCES BUDGET DEVELOPMENT CALENDAR 2020-21 SUMMARY BUDGET WORKSHEET 2020-21 CAMPUS DETAIL BUDGET WORKSHEET BISD CAMPUS ALLOTMENT AVAILABLE ON DISTRICT WEBSITE FINANCE/FINANCIAL REPORTS/BUDGET/DISTRICT BUDGET PREPARATION

909 views • 68 slides
THERMAL ENERGY Part 4 MONDAY, 2.11.2019 1. Pick up a Motion Energy Games worksheet. 2. Todays

THERMAL ENERGY Part 4 MONDAY, 2.11.2019 1. Pick up a Motion Energy Games worksheet. 2. Todays

THERMAL ENERGY Part 4 MONDAY, 2.11.2019 1. Pick up a Motion Energy Games worksheet. 2. Todays Plan This weeks agenda Cheer celebration Momentum games MOMENTUM ACTIVITIES Choose two activities to fill out on the worksheet.

865 views • 29 slides
Employment First Collaborative Framework Worksheet Most states have an Employment First

Employment First Collaborative Framework Worksheet Most states have an Employment First

Employment First Collaborative Framework Worksheet Most states have an Employment First policy or initiative in place. However, systems-change cannot be realized without a strong coalition of partners, both in and outside state government,

182 views • 5 slides
MA-207 Day 6 Worksheet With the person sitting next to you, come up with some Activity 1:

MA-207 Day 6 Worksheet With the person sitting next to you, come up with some Activity 1:

MA-207 Day 6 Worksheet With the person sitting next to you, come up with some Activity 1: independent events and some dependent events. Activity 2: A consumer organization estimates that over a 1-year period 17% of cars will need to be

550 views • 8 slides
Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1

Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1

Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1 Policing on YouTube videos 2 Token bucket traffic policer Tokens filled at 1Mbps up to the bucket size (== burst) Packets arriving at 3Mbps Packet

560 views • 30 slides
Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic

Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic

Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic Shaping, Traffic Policing Enforce compliance of traffic to a given traffic profile (e.g., rate limiting) By delaying or dropping certain

389 views • 11 slides
Future Scientific Possibilities in Neutron Scattering at the European Spallation Source for

Future Scientific Possibilities in Neutron Scattering at the European Spallation Source for

Future Scientific Possibilities in Neutron Scattering at the European Spallation Source for Users from Academia and Industry Arno Hiess Scientific Activities Division European Spallation Source ERIC, Lund, Sweden

607 views • 19 slides
T oke Hiland Jrgensen's PhD defense Introduction Luca Muscariello Cisco Principal Engineer

T oke Hiland Jrgensen's PhD defense Introduction Luca Muscariello Cisco Principal Engineer

T oke Hiland Jrgensen's PhD defense Introduction Luca Muscariello Cisco Principal Engineer November 23, 2018 Removing Performance Barriers A timeline JUL 1980 Distributed congestion control Gallagher-Golestani A timeline JUL 1980

321 views • 15 slides
An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis, Luis Pedrosa, Yuchung Cheng, Tayeb Karim, Ethan Katz-Bassett, Ramesh Govindan policing-paper@google.com 1 Internet Service Provider Content

588 views • 39 slides
CS 356: Computer Network Architectures Lecture 24: IP Multicast and QoS [PD] Chapter 4.2, 6.5

CS 356: Computer Network Architectures Lecture 24: IP Multicast and QoS [PD] Chapter 4.2, 6.5

CS 356: Computer Network Architectures Lecture 24: IP Multicast and QoS [PD] Chapter 4.2, 6.5 Xiaowei Yang xwy@cs.duke.edu Overview Two historic important topics in networking Multicast QoS Limited Deployment IP Multicast

832 views • 70 slides
Linux Traffic Control Cong Wang Software Engineer Twitter, Inc. Layer 2 Overview Qdisc:

Linux Traffic Control Cong Wang Software Engineer Twitter, Inc. Layer 2 Overview Qdisc:

Linux Traffic Control Cong Wang Software Engineer Twitter, Inc. Layer 2 Overview Qdisc: how to queue the packets Class: tied with qdiscs to form a hierarchy Filter: how to classify or filter the packets Action: how to deal

459 views • 31 slides
Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle

Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle

Using TCP/IP Traffic shaping to achieve iSCSI service predictability Paper presentation Jarle Bjrgeengen University of Oslo / USIT November 11, 2010 Outline About resource sharing in storage devices Lab setup / job setup Experiment

538 views • 29 slides

More recommend