Sample solutions to select homework problems, chapter 5 and second iptables lab
--------------

Chapter 5 (TCP) problems: #5, 8, 14a, 26 (27)

#2: UDP is connection-less, which means it does not keep track of packets that are part of the same connection (though the OS kernel might track it). The only way to know whether two packets *might* be related is to look at their port numbers. So the following is possible:

    client 1 connects to server from source port 50000
    client 1 exits abruptly
    client 2 connects to same server from same port 50000
    server responds with file fragment to destination port 50000
    client 2 gets part of file requested by client 1

A related question would be: can this happen with TCP? Not likely, because even if client 1 exited without initiating the closing handshake (and TIME_WAIT state), client 2 would need to establish a new connection using the opening handshake. The server (the OS of the server) would clearly see that the new connection request conflicts with an existing one that is using the same port and IP numbers. A malicious program may try to assemble a TCP packet to hijack a connection, but it would have to guess the sequence numbers in use correctly (as well as masquerade as the same IP/port numbers, because the original client is likely still running). This is theoretically possible, and the solution to most of these kinds of vulnerabilities is to use cryptographic encryption and authentication (i.e. use sftp instead of ftp).

#5: Both the active (initiating) and passive sides have to exchange FINs and ACKs. Each side's FIN should be acknowledged. In this scenario, the active side's last action is to send, and the passive side's is to receive. Once the passive side has received the ACK for its final FIN, it knows that the other side has completed the closing sequence (that is, it knows it's OK to close), and therefore can close safely. It need not wait any longer.
The purpose of the timeout on the active side is to ensure that the final ACK has been successfully received by the passive side. If the active side closes immediately after the final send, it cannot be certain that the other side will also close, since the final ACK can have been lost. In that case, the passive side will not know that it's OK to close, and will try to retransmit its final FIN, which could have unpredictable consequences.

#8: This question sounds more complicated than it actually is. The initial sequence number is not 0 but some random number, so of course it could wrap around to 0 before 4 gigabytes are sent.

#14a: How does the passive side ("server") distinguish between a new SYN and a retransmission of the old SYN from the same ip:port? First, there's the sequence number again, which will most likely be different if the SYN is that of a completely new connection. Secondly, the initial 3-way handshake would not have completed, for the SYN could be a retransmission only if the client did not receive the server's SYN+ACK. So any new SYN received in the ESTABLISHED state from the same port and IP must be that of a completely new connection.
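The scenario from problem #2, reproduced on the loopback interface as an added example (this is not part of the original solutions): a UDP "server" answers whichever socket currently holds the source port the request came from, so a second client that happens to bind the same port receives the first client's data. The port numbers are picked by the kernel at run time, and the request and reply strings are constructed for the demo.

```python
import socket


def udp_port_reuse_demo():
    """Reproduce the problem #2 scenario on 127.0.0.1.

    Returns the bytes that client 2 receives, even though client 1 made the request.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # kernel picks a free port
    server.settimeout(2.0)
    server_addr = server.getsockname()

    # client 1 asks for a file and then exits abruptly: the socket is simply closed.
    # UDP has no close handshake and no TIME_WAIT, so the port is free immediately.
    client1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client1.bind(("127.0.0.1", 0))
    reused_port = client1.getsockname()[1]
    client1.sendto(b"GET secret.txt", server_addr)   # constructed request
    client1.close()

    # client 2 starts later and gets the same source port number
    client2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client2.bind(("127.0.0.1", reused_port))
    client2.settimeout(2.0)

    # the server knows nothing but the (ip, port) pair the request arrived from
    request, peer = server.recvfrom(1024)
    server.sendto(b"contents of " + request.split()[1], peer)   # constructed reply

    # client 2 receives a reply to a request it never sent
    data, _ = client2.recvfrom(1024)
    server.close()
    client2.close()
    return data


if __name__ == "__main__":
    print(udp_port_reuse_demo())
```

The same experiment with TCP would not hand client 2 the data: the server's accepted socket is bound to the full 4-tuple plus its sequence-number state, and client 2's fresh SYN starts a separate connection rather than joining the old one.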
#26: (Jacobson/Karels) - using initial deviation of 25:

    #include <stdio.h>
    #include <stdlib.h>
    #include <math.h>

    #define delta 0.125

    int main(int argc, char **argv)
    {
        double ERTT, SRTT, Diff, Dev, Timeout;
        int counter = 0;

        ERTT = 4.0;              /* estimated RTT */
        SRTT = 1.0;              /* sampled RTT (constant in this problem) */
        Dev = 25;                /* initial deviation (same as suggested in book) */
        Timeout = ERTT + 4*Dev;  /* initial timeout */

        while (Timeout >= 4.0) {
            printf("ERTT %f\t Dev %f\t Timeout %f\n", ERTT, Dev, Timeout);
            Diff = SRTT - ERTT;
            ERTT = ERTT + delta*Diff;
            /* fabs() takes the magnitude of a double. The original called the
               integer abs() here, which truncates Diff toward zero first; the
               output recorded below came from that run, so a rerun with fabs()
               gives slightly different values and a different iteration count. */
            Dev = Dev + delta*(fabs(Diff) - Dev);
            Timeout = ERTT + 4*Dev;
            counter++;
        }
        printf("--Final--\nERTT %f\t Dev %f\t Timeout %f\n", ERTT, Dev, Timeout);
        printf("counter == %d\n", counter);
        exit(0);
    }

output:

    ERTT 4.000000    Dev 25.000000   Timeout 104.000000
    ERTT 3.625000    Dev 22.250000   Timeout 92.625000
    ERTT 3.296875    Dev 19.718750   Timeout 82.171875
    ERTT 3.009766    Dev 17.503906   Timeout 73.025391
    ERTT 2.758545    Dev 15.565918   Timeout 65.022217
    ERTT 2.538727    Dev 13.745178   Timeout 57.519440
    ERTT 2.346386    Dev 12.152031   Timeout 50.954510
    ERTT 2.178088    Dev 10.758027   Timeout 45.210196
    ERTT 2.030827    Dev 9.538274    Timeout 40.183922
    ERTT 1.901973    Dev 8.470989    Timeout 35.785931
    ERTT 1.789227    Dev 7.412116    Timeout 31.437690
    ERTT 1.690573    Dev 6.485601    Timeout 27.632979
    ERTT 1.604252    Dev 5.674901    Timeout 24.303856
    ERTT 1.528720    Dev 4.965539    Timeout 21.390874
    ERTT 1.462630    Dev 4.344846    Timeout 18.842015
    ERTT 1.404801    Dev 3.801740    Timeout 16.611763
    ERTT 1.354201    Dev 3.326523    Timeout 14.660293
    ERTT 1.309926    Dev 2.910708    Timeout 12.952756
    ERTT 1.271185    Dev 2.546869    Timeout 11.458662
    ERTT 1.237287    Dev 2.228510    Timeout 10.151329
    ERTT 1.207626    Dev 1.949947    Timeout 9.007413
    ERTT 1.181673    Dev 1.706203    Timeout 8.006486
    ERTT 1.158964    Dev 1.492928    Timeout 7.130675
    ERTT 1.139093    Dev 1.306312    Timeout 6.364341
    ERTT 1.121707    Dev 1.143023    Timeout 5.693798
    ERTT 1.106493    Dev 1.000145    Timeout 5.107074
    ERTT 1.093182    Dev 0.875127    Timeout 4.593689
    ERTT 1.081534    Dev 0.765736    Timeout 4.144478
    --Final--
    ERTT 1.071342    Dev 0.670019    Timeout 3.751418
    counter == 28

--------------------------
Solutions to select
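An added Python version of the #26 estimator (not the course's code) that accepts any sequence of RTT samples instead of a constant one, uses a true floating-point absolute value, and also counts iterations the way the C program does. Because the recorded C run truncated Diff to an integer inside abs(), this version reaches Timeout < 4 after 30 updates for the same starting values rather than the 28 recorded above. The spiky sample stream in the demo is constructed to show how a single late packet inflates Dev, and with it the retransmit timeout.

```python
import math


def jk_step(ertt, dev, sample, delta=0.125):
    """One Jacobson/Karels update; returns (new ERTT, new Dev, new Timeout)."""
    diff = sample - ertt
    ertt += delta * diff
    dev += delta * (math.fabs(diff) - dev)   # fabs: magnitude of a double, no truncation
    return ertt, dev, ertt + 4 * dev


def jacobson_karels(samples, ertt=4.0, dev=25.0, delta=0.125):
    """Run the estimator over a list of RTT samples.

    Returns the trace of (ERTT, Dev, Timeout) after each sample, so the
    effect of each measurement on the timeout can be inspected.
    """
    trace = []
    for sample in samples:
        ertt, dev, rto = jk_step(ertt, dev, sample, delta)
        trace.append((ertt, dev, rto))
    return trace


def iterations_until(limit=4.0, sample=1.0, ertt=4.0, dev=25.0, delta=0.125):
    """Mirror the C program: count updates with a constant sample until Timeout < limit."""
    count = 0
    rto = ertt + 4 * dev
    while rto >= limit:
        ertt, dev, rto = jk_step(ertt, dev, sample, delta)
        count += 1
    return count


if __name__ == "__main__":
    # constructed sample stream: steady 1.0 s RTTs, one 9.0 s outlier, steady again
    samples = [1.0] * 5 + [9.0] + [1.0] * 5
    for (e, d, t), s in zip(jacobson_karels(samples), samples):
        print(f"sample {s:4.1f}  ERTT {e:8.6f}  Dev {d:8.6f}  Timeout {t:9.6f}")
    print("updates until Timeout < 4.0 with fabs():", iterations_until())
```

The first two rows of the trace for a constant 1.0 sample are (3.625, 22.25, 92.625) and (3.296875, 19.796875, 82.484375); the recorded C output above shows 19.718750 for the second Dev because abs() saw -2 instead of -2.625.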
lab exercises (second iptables assignment)

6. In the first iptables assignment, you wrote a set of rules that blocked access to DNS servers other than those that should be used. With NAT, we can now also redirect attempts to access illegitimate servers to the ones that we approve. Write an iptables rule that redirects all attempts to access a nameserver (udp, tcp port 53) other than 10.1.0.98 to 10.1.0.98.

On a router:

    iptables -t nat -A PREROUTING -p udp --dport 53 -d ! 10.1.0.98 -j DNAT --to 10.1.0.98
    iptables -t nat -A PREROUTING -p tcp --dport 53 -d ! 10.1.0.98 -j DNAT --to 10.1.0.98

Note that this affects all forwarded packets, because the PREROUTING chain is traversed before the FORWARD chain. (Newer iptables releases want the negation in front of the option, i.e. ! -d 10.1.0.98, and reject the older -d ! form.)

7a. Write an iptables rule to block all TCP state NEW connections to your host on ports < 1024 from 10.2.0.0/16 (using -m state).

    iptables -A INPUT -p tcp --dport 0:1023 -s 10.2.0.0/16 -m state --state NEW,INVALID -j DROP

7b. Write a rule to redirect tcp connections to port 5000 to port 22 (ssh).

    iptables -t nat -A PREROUTING -p tcp --dport 5000 -j DNAT --to 127.0.0.1:22

or

    iptables -t nat -A PREROUTING -p tcp --dport 5000 -j REDIRECT --to-port 22

REDIRECT rewrites the destination to the primary address of the incoming interface, which is what makes it the more portable of the two: packets DNATed to 127.0.0.1 from PREROUTING are dropped by the kernel's routing checks unless net.ipv4.conf.<iface>.route_localnet is enabled.