Networking 101 [Was: Re [Glastonbury] Firewall and Cable] [LONG]

Andrew M.A. Cater glastonbury at mailman.lug.org.uk
Sun Jul 27 01:48:01 2003


OK.  What is a network?  Why do I need one?  What is a firewall?
How do I connect my machine to ADSL?

[Apologies in advance to anyone for teaching egg sucking / inadvertent
mistakes.  I'm sure I'll get them all pointed out.]

What is a network?
==================

A network is one or more machines connected together. The Internet is
a network connecting networks of machines (originally, a local call
connected you to your nearest machine and then another call to its 
nearest machine on the next network and so on - delivering mail across 
the US could be thirty or forty calls so most stuff was batched and sent 
overnight). :)  

Simplest example for today - dial up to an ISP
==========================

One machine (PC/Mac/whatever) dialling an Internet Service provider ...

Machine <--> modem <--> telephone line <--> ISP modem <--> ISP <--> Internet "cloud"
                                             _______
 ____        _                   _          {       }
[____}------{_}-- phone line ---{_}--------(  'Net   )
                                            {_______}
Machine   modem              ISP modem

Once the modem connects, the ISP provides that machine with an IP
address, a "name" and routes traffic to and from it.  Every time
you dial up, you add your machine to the ISP's network for as long
as you're connected.  

Some ISPs provide you with a permanent host name e.g. 
galactic.demon.co.uk and a permanent address (158.152.63.217) - most 
give you a dynamic (changing) address from a pool of addresses they 
hold and a temporary name that is meaningful only to them.

Your username and password establish that you are OK to join their
network and they then route mail to you/allow your machine to browse
the Web and so on.  Once you disconnect, your machine is off the 'Net
and disconnected.

Next step up - a private network
============

Why could I possibly want a network / more than one machine?

"I have an upstairs machine and a downstairs machine.  The colour 
printer is downstairs attached to my daughter's computer ..."

Machine1 --> network cable --> hub/switch <-- network cable <-- Machine2 --> parallel cable --> colour printer
 ___                ____        _____
[   ]--------------[____]------[     ]    _¬_¬_
[___]                          [_____]----[____]

  1                  Hub          2          lpr

alice                            bob
192.168.1.2                     192.168.1.3

Machine1 has a network card and a Cat 5 cable [Cat 5 cable has a 
connector similar to a telephone handset connector but slightly
larger and is slightly thicker than telephone cable, normally round
section.  Cat 5 will normally go to 100 Meg.]  The hub has four
cable sockets or "ports".  Machine2 has a network card and a Cat
5 cable.  Plug a cable from each machine into two of the sockets 
on the hub.

Set up TCP/IP networking so that each machine has an address
and a name and each machine lists the other one in its /etc/hosts 
(lmhosts under Windows IIRC).  The addresses chosen are from the
"private network" address space which is reserved.  The idea
being that the packets will get dropped by the first properly
configured router should they "escape" onto the real 'Net.

127.0.0.1	localhost
192.168.1.2	alice.evilhome.net	alice
192.168.1.3	bob.evilhome.net	bob

Once this is set up, you can use ping (Packet INternet Groper)
and should be able to ping between the two by typing 

ping bob

from alice and vice versa.  At this point you're 90% of the way there.

On Windows, you'd configure the printer as a shared printer.  On Linux
you just set up lpr / cups so that you can print to a remote printer 
queue.

"But network bandwidth is expensive and I want to connect more than one 
machine to make best use of my 256k ..."

The next step -- connecting a private network to the Internet.
=============

[It's at this point that you usually foul up your first attempts -
"Hey, where'd my Dial Up Connection go ..." :) ]

For ADSL, there is a relatively expensive "closed boxes" solution.
                  _________________________________  
[ADSL Modem}-----{Network router with integral hub]
                 [________________________________]
                  |        |        \
                ----     ----        ----
                [  ]     [  ]        [  ]
                ----     ----        ----    
               alice     bob         carol

The ADSL modem normally has a phone line on one side and either USB
or an Ethernet connector on the other.  Some ADSL modems use PPP over
Ethernet (PPPoE) as a connection protocol and (IIRC) something
similar over USB i.e. not pure PPP or pure Ethernet.  Whichever, Linux
has an appropriate module to deal with it.

The ADSL provider normally gives you a "semi-static" address via
Dynamic Host Configuration Protocol [DHCP] - it may potentially change, 
but once you've connected initially to their DHCP server and continue to 
reconnect on a fairly regular basis you will effectively get the
same address day in day out [the default lease is often a day].

The providers often register the MAC address on your Ethernet card.  
This is their only guarantee that your machine is "you" (regardless of 
the fact that the MAC address is now often programmable :) )
[Don't know how they sort out USB]

The ADSL router often has a user-settable MAC address.  Set it to be
the same as your registered card and it _is_ "you" to the ADSL network
provider.  The routers often provide an inbuilt hub/switch - plug your
machines in via their network cards and you're away.  They often also
include a DHCP server on the internal network side - configure your
machines to expect address and other stuff served via DHCP and 
everything "just works".

This is done internally by Network Address Translation (NAT'ing) or
IP masquerading as it's sometimes called.  The principle is simple.

<gedanken experiment>

Imagine a castle with a narrow gatehouse with portcullis and drawbridge.
Standing in the gatehouse, all but filling it, is the biggest Black 
Knight in shining armour you've ever seen.  He supervises what's coming
in and out.  The outside world only sees the Black Knight and deals with
your gateway accordingly - they don't get to see the bustle inside the
castle because it's hidden from them by the Black Knight.  People inside
the castle can send out anything they like - it all looks as if it 
belongs to the Black Knight - but anything coming in has to be addressed
via the Black Knight _first_ and he'll pass it on.

</gedanken experiment>

This is how your surfing works.  Inside machine (alice) browses the 
'Web on port 80. 192.168.1.1:80 is internally translated to 123.1.2.3:80
(the external web interface address) and so all the traffic appears to 
come from 123.1.2.3.  Coming back in 123.1.2.3:80 --> 192.168.1.1:80
 - and the same for FTP, ssh and so on.  You may also have another 
machine on concurrently - everything coming out appears to come from one
IP address. 

[Remember: an IP address relates to and attaches to a physical interface 
- USB/serial/network card - not to a machine.  A cluster of 256 nodes
in a Beowulf may only have one "real" IP that they can be reached at / 
one machine could have 256 IP addresses]

There are two sorts of problems here with the black box approach.  

1.) The functionality inside your router hardware may be limited / 
firmware and software may not be readily upgradeable - does it include 
virus checking, for example?  Can you upgrade the inbuilt firewall 
rules, if applicable?

2.) The black box router must be talked to somehow, usually by a Web 
browser interface / telnet.  This opens up additional network ports and
is inherently potentially insecure - what can you do if someone hacks
your Web interface and disables all your protection?

The Linux box solution - also works for OpenBSD :)
====================== 

This assumes you have an old machine that you can dedicate to this.
Something like an old P100 with 32M of memory - the sort of stuff
businesses put into the skip - is ideal. You may not need more than
a 500M - 1GB disk.

 __             _______                       ______ Alice (192.168.1.2)
{__}------------[     ]      Ethernet         |  
ADSL (USB)      [     }-------------------{HUB}`--- Bob (192.168.1.3)
                [_____]  192.168.1.1          |
                                              |__ Carol (192.168.1.4)
123.1.2.3

Set up Linux on the box.  Minimal Linux.  Ideally, no X, almost no
functionality, few accounts - almost no features. Possibly not
even mail. [The fewer features, the fewer security holes to chase down]
KEEP IT UP TO DATE ON SECURITY PATCHES :)

Load the appropriate kernel modules for masquerading and IP tables.

Set up IPtables and masquerading rules.

Set your "internal" machines to use your new firewall as their gateway
to the net.
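
The iptables and masquerading steps above, and the NAT behaviour described earlier, written out as a ruleset for the two-interface gateway in the diagram. This is an added example, not the author's own script. The interface names ppp0 and eth0, the ssh-from-inside rule and the function name gen_ruleset are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-interface
# masquerading gateway. Interface names and the ssh rule are assumptions.

# gen_ruleset EXT_IF INT_IF LAN_CIDR  -> ruleset on stdout
gen_ruleset() {
    ext_if=${1:-ppp0}          # assumed name of the ADSL/cable-facing interface
    int_if=${2:-eth0}          # assumed name of the LAN-facing interface
    lan=${3:-192.168.1.0/24}   # private range used in the post
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN traffic leaving via $ext_if takes the gateway's external address
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Administer the gateway over ssh from the inside only (assumption)
-A INPUT -i $int_if -s $lan -p tcp --dport 22 -j ACCEPT
# Replies to connections the LAN opened may come back in
-A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN machines may open new connections outward
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset. To apply it on the gateway, as root:
#   modprobe iptable_nat                  # if not loaded on demand
#   sysctl -w net.ipv4.ip_forward=1       # let the kernel route between interfaces
#   gen_ruleset ppp0 eth0 192.168.1.0/24 | iptables-restore
gen_ruleset "$@"
```

Both the INPUT and FORWARD policies are DROP, so nothing arriving on the external interface is accepted unless it answers a connection opened from inside.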

Practical use
=============

Here, for example, I can run seven machines of different hardware types
from one cable modem. Check terms and conditions - Telewest will only
help you on the one registered machine and they forbid "servers" but
don't define what a server is.  The modem installer said "don't tell
them about the network inside - if you can administer it, they don't 
care too much because they are in the business of selling you 
bandwidth" :)

Last and final example {B-)
======================

One machine supporting three network interfaces.  One for the outside
world.  One for your "private" network.  One for your mail server. 
Mail server has two interfaces and serves as an application proxy.

'Net
 ^            10.0.0.1  <-  Mailbox
_|________                _____________
[         }--------------{_____________]
[         ]              [             ]
[_________]              [ 192.168.1.5 ]   DMZ
    \                    |--------------
    |                    |
    |                    V
    ------------------------------------------
    |           |                            |
 Alice         Bob                         Carol


Effectively, your internal network is completely filtered off.

Public mail (and hackers) can potentially only get to your mailserver. 

The mailserver checks incoming traffic for validity and also does 
antispam filtering and virus checking before passing the mail on over 
the 192.168.* interface to the internal network. [Internal NAT going on 
here within the mailserver box]

The mailserver sends out on another interface to the firewall,
which does NAT to send it out to the real world.  

Result - no one can crash your whole network by sending you something 
nasty via email and you can effectively have a world facing mailserver
which is on the edge of your internal network and isolated from it.

The Masquerading-Simple-HOWTO is your friend :)

On Fri, Jul 25, 2003 at 03:21:31PM -0700, Maurice Onmaplate wrote:
> 
> I've SuSe not the latest but fairly recent, does that
> make a difference?
>
Should be OK.
 
> > 
> > Alternatively, think of the following e.g. bastion
> > host topology using 
> > USB.
> > 
> > [USB] --> to ADSL/cable modem.  Probably DHCP with
> > PPPoE (PPP over
> > Ethernet).
> 
> This is all provided by Cable Company, I'd think?
> 
Does the above explain it better?

> > 
> > [card0] --> to "untrusted, open to outside world"
> > web server etc. - a 
> > DMZ -- 10.0.0.1.  Throw a cheap PC on the end of
> DMZ ? DeMilitarized Zone??
> 
> > this to serve your
> > web pages / anonymous FTP / CVS etc. to the rest of
> > the world.
> 
> I have no web pages held locally - all held on hosts,
> I'm not sure I ever need anonymous FTP and what is
> CVS?  Can't be CV's?

Concurrent Version System - all your beautifully written
source code checked in so that other people can check
it out and help you with collaborative development.

> 
> > 
> > [card1] --> to private network(s) -- 192.168.1.0 --
> > NAT'ed with private
> > DNS.  The gateway machine for your other machines.
> 
> NAT'ed?  Networked?
> 
> Thanks, I still feel like it's all a foreign language.
>  I suppose you Linux chaps like to hide machine ID's
> as protection from any sort of intrusion?
> > 
No, we like to get value for money.  The (relative) freedom from 
intrusion / viruses / bloody great big buffer overflow security
holes affecting eight years worth of Windows operating systems
(including the allegedly bug fixed/security tested Windows Server
2003) [see latest Microsoft critical updates] is a bonus :)

HTH more than just me :)

Andy