The router assignment

SunMoon
 Internet Sharing


Why?

Your ISP gives you a single IP addr (external IP addr)

But you can't assign this single addr to all your PCs

How?

Build a private network

Setup a PC in the network takes that IP and helps other PCs
to access the Internet

This is the gateway of your network, your router basically acts like a
gateway
2
 Internet Sharing


Build a private network

Your PCs are given IP addrs that belongs to a
private subnet (e.g. 192.168.1.0/24)

You should use ”DHCP server” to automatically
assign IP addr, but now assume you setup
manually. (using ifconfig)

3
 Internet Sharing


Setup the gateway

First it should forward packets between the private
network and the Internet

# echo 1 > /proc/sys/net/ipv4/ip_forward

But your PCs are using private IP addrs

So you need to setup NAT on the gateway

4
 Internet Sharing


Setup NAT on gateway

What should the NAT do?

Replace ”src addr” of out-going packets with the external
IP addr

Iptables help you do the tricks

In Iptables, the table ”nat” is for this purpose

You need to alter the ”POSTROUTING” chain

PREROUTING Routing POSTROUTING

chain Rules chain
5
 Internet Sharing

Setup Iptables for NAT

iptables –t nat –A POSTROUTING –d ! 192.168.1.0/24 –s <client_ip> -p tcp –j
MASQUERADE


To list the rules in the “nat” table (-n gives faster result by eliminating dns lookup)

Iptables –t nat –L –n


Other iptables options

Iptables –t nat –F: clear the table

Iptalbes –t nat –D POSTROUTING 1: delete the first rule in the POSTROUTING chain

Iptalbes –t nat –R POSTROUTING 2 …: replace the 2nd rule with new one

Iptalbes –t nat –I PREROUTING 3 …: insert a rule between the 3rd and 4th rule

6
 Internet Sharing


The above slides are about the gateway, how
about the other PCs?

They should know who will forward the packet
for them

This is done by setting the gateway address:

route add default gw 192.168.1.1

7
 Internet Sharing

Now the Internet Sharing part is completed.


You can now share the Internet connection
among your home PCs!

Your homebrew router got basic function

8
 Port forwarding


Say, you are hosting a web server at PC A

You want to open the server to people outside your network

They contact your server at <external IP address, port 80>

Your router should decide which PC should receive the packet

Change the dst address of IP packet, forward the packet to the
destination PC

NAT again!

9
 Port forwarding


Similar to the previous rule, but we now change the dst IP addr
instead of src one

Which chain to modify? PREROUTING or POSTROUTING?

The dst IP addr is modified before the packet is routed, so
answer is: PREROUTING

(iptables -t nat –A PREROUTING -d 137.189.90.91 -s !
192.168.1.0/24 –p tcp –dport 2222 –j DNAT –to-destination
192.168.1.78)

PREROUTING Routing POSTROUTING

chain Rules chain
10
 Packet filtering

An example:

Suppose you want to stop your family members from connecting to a
hazardous host

Then your router should drop IP packets that heads to that host

Iptables can do this for you

The “filter” table controls the transmission of packets that…

headed for the router

originated from the router

forwarded through the router (i.e. the conversation between the home
PCs and outsiders)

11
 Packet filtering


There are three chains in the “filter” table

For traffic that not originated from nor headed
to the router, modify the FORWARD chain
Packets PREROUTING FORWARD POSTROUTING Packets
from LAN or to LAN or
WAN WAN
Routing
Rules

INPUT OUTPUT

Router’s Local Processes

 ERGWAVE-style login system


The desired feature:

Internet sharing is only for authenticated users

Upon browsing external pages, non-authenticated users are
redirected to the login page

After successful login, the users are redirected back to the
external pages

There are three problems

How do you redirect users to the login page?

How do you NOT redirect authenticated user to the login
page?

How do you bring users back to the external pages?
 ERGWAVE-style login system

Problem 1 – Redirection to login page

Like port forwarding, we use DNAT, modify the dst addr (and port if
needed) of packets from home PCs

Add a rule to the PREROUTING chain to modify the dst addr to the
router ip

The Apache server on the router should respond to the request

But note that the URL (document path) in the HTTP request packet are
left unchanged

e.g. http://company_a.com/file.txt --> http://192.168.1.1/file.txt

Your Apache server will blame you with error 404

You should setup a different web server to handle this

Setup a new Apache virtual host (covered in last tutorial), or

Write a simple web server (sample code released)

Method of redirection: HTTP response 302 -- Moved temporarily (try to
Google the protocol)
 ERGWAVE-style login system


Problem 2 – Avoid redirection

The IP addresses of authenticated users are known

The redirection rule should be by-passed

Insert a rule to the PREROUTING chain, before the
redirection rule

Rules in a chain are executed from top to bottom

Iptables –t nat –I PREROUTING 1 ….

This rule check if the IP addr is authenticated, if so, let the
packet through and ignore the remaining rules

You may use “-j ACCEPT” (or “–j RETURN” which rely on default
policy of the chain)
 ERGWAVE-style login system

Problem 3 - Returning to the external site

The site URL should not be forgotten

How do you know the URL?

From the GET and HOST fields in HTTP request message

Read it in your own simple web server, or PHP, or…

“Request packet” with no proxy Through Proxy

GET / HTTP/1.1 GET http://www/ HTTP/1.1
Host: www.cse.cuhk.edu.hk Host: www
User-Agent: Mozilla/5.0 … User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
Firefox/2.0.0.11 GTB5 rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy)
Accept: Firefox/2.0.0.11 GTB5
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,t Accept:
ext/plain;q=0.8,image/png,*/*;q=0.5 text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,t
Accept-Language: en-us,en;q=0.5 ext/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5
Accept-Charset: UTF-8,* Accept-Encoding: gzip,deflate
Keep-Alive: 300 Accept-Charset: UTF-8,*
Connection: keep-alive Keep-Alive: 300
… Proxy-Connection: keep-alive
Cookie: slider1=slider1:4
 ERGWAVE-style login system


Problem 3 - Returning to the external site

How do you remember it?

Encode into the URL of the router Web UI, or

Store in cookies (refer to the lecture notes), or

Store in router storage (Maintain a mapping between
user IP address and external page URL)
 Timeout


Feature:

In “login mode”, user got the right to access Internet
after logged in.

This access right got timeout after a specified time
period

The user will need to login again

This job of removing access right from user is
automatic, perform at a certain time

This can be done by cron
 cron, crontab

Cron is a daemon to execute scheduled commands

Crontab is a utility that manipulate the schedule of cron

The schedule is in a table format, you may modify by using a
text editor (try: crontab -e)

Example - Adding a task in command prompt:

# echo “* * * * * date >> /root/beat.txt” | crontab -u root -

This will write the date and time info to the file every minute

Format of a line of task:

minute hour day month day_of_week command

e.g. “30 7 * * 1-5 alarm” means for every week day, makes the alarm call
at 7:30
 crontab

The above command would override the cron
schedule

To append jobs to crontab, use “crontab -l” to
dump the contents to a file first, append the
new job to the file, and reload the crontab by
“crontab filename”

Note that cron is for repeating routines, for one-
time-only jobs, you may use “atd”:

Restart atd daemon first: /etc/init.d/atd restart

echo “date > test.txt” | at NOW + 5 minutes
Questions?