Unit Three Objectives, CSCI 561, Computer Networks I
Tobin Maginnis
23-Oct-07

Chapter Seven - Socket Options

1) Describe the getsockopt/setsockopt, fcntl, and ioctl functions and their overall role.
2) Explain the interaction among listen(), accept(), and getsockopt/setsockopt().
3) Contrast three types of "broadcast" and the constraints (four parts).
4) Contrast the routing table, SO_DONTROUTE, & MSG_DONTROUTE.

Boundary Zone - Iptables Handout

1) Contrast REJECT, DROP, MASQUERADE, ACCEPT, and "newtable."
2) Contrast PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.
3) Describe the x.x.x.x/y notation and give inter-byte and intra-byte examples.
4) Describe the following script:

    if [ -a /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for eachfile in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $eachfile
        done
    fi

5) Describe the following script:

    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -t nat -A PREROUTING -p all -s 127.0.0.0/8 -i wp1_ppp -j DROP

6) Describe the following script:

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

7) Describe the following script, explain why the order is important, and explain how to reduce the number of REJECT rules.

    /sbin/iptables -A FORWARD -s $D2INTERACTIVEIP -d $PRIVATE1/24 -j REJECT
    /sbin/iptables -A FORWARD -s $D2INTERACTIVEIP -d $PRIVATE2/24 -j REJECT
    /sbin/iptables -A FORWARD -s $D2INTERACTIVEIP -j ACCEPT
    /sbin/iptables -A FORWARD -d $D2INTERACTIVEIP -j ACCEPT

8) Describe the following script:

    CHAT="204.71.200.0/22 216.115.105.0/22 216.136.175.0/24 64.4.13.0/24 64.12.163.199"
    for z in $CHAT; do
        /sbin/iptables -A FORWARD -s $EXTERNALIPS -d $z -j ACCEPT
        /sbin/iptables -A FORWARD -s $PRIVATE1/26 -d $z -j REJECT
    done

9) Describe the following script and explain why one line is not needed:

    /sbin/iptables -A FORWARD -p tcp -s $PRIVATE2/24 -d $PRIVATE1/24 --dport 22 -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp -s $PRIVATE2/24 -d $PRIVATE1/24 --dport 515 -j ACCEPT
    /sbin/iptables -A FORWARD -s $PRIVATE2/24 -d $PRIVATE1/24 -j REJECT
    /sbin/iptables -A FORWARD -s $PRIVATE2/24 -d $PRIVATE2/24 -j ACCEPT
    /sbin/iptables -A FORWARD -s $PRIVATE2/24 -d $PRIVATE3/24 -j REJECT

10) Describe the following script:

    /sbin/iptables -A FORWARD -p tcp -s 192.168.3.2 -d 192.168.1.252 -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp -s $PRIVATE3/24 -d $PRIVATE1/24 -j REJECT
    /sbin/iptables -A FORWARD -p tcp -s $PRIVATE3/24 -d $PRIVATE2/24 -j REJECT

11) Describe how the following script affects rsync and explain the use of "nat":

    /sbin/iptables -t nat -p tcp -A POSTROUTING -s 192.168.1.4 -d $DMZHOST --dport 873 -j ACCEPT
    /sbin/iptables -t nat -p udp -A POSTROUTING -s 192.168.1.4 -d $DMZHOST --dport 873 -j ACCEPT
    /sbin/iptables -t nat -p tcp -A POSTROUTING -d $EXTERNALIPS --dport 873 -j DROP
    /sbin/iptables -t nat -p udp -A POSTROUTING -d $EXTERNALIPS --dport 873 -j DROP

12) Describe how the following script relates to UPS Powerchute (TCP/3052) running on the firewall:

    /sbin/iptables -t nat -p tcp -A POSTROUTING -s $PRIVATE1/28 --dport 3052 -j ACCEPT
    /sbin/iptables -p tcp -A INPUT -s $PRIVATE1/28 --dport 3052 -j ACCEPT
    /sbin/iptables -t nat -p tcp -A POSTROUTING --dport 3052 -j DROP
    /sbin/iptables -p tcp -A INPUT --dport 3052 -j DROP

13) Describe the following script:

    /sbin/iptables -t nat -A POSTROUTING -s $PRIVATE1/24 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -s $PRIVATE2/24 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.3.2 -j MASQUERADE

14) Assume the private intranets are masqueraded. Describe the following script and explain why private addresses are still "visible":

    /sbin/iptables -t nat -p udp -A POSTROUTING -s $FIREWALLIP -d 192.168.1.9 --dport 161 -j ACCEPT

15) Describe the following script:

    /sbin/iptables -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
    /sbin/iptables -A SRC_EGRESS -s 224.0.0.0/3 -j DROP
    /sbin/iptables -t nat -A PREROUTING -d $EXTERNALIPS -p all -j SRC_EGRESS

16) Describe the following script and explain the two special circumstances of the LOG action:

    /sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
        --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "Merry XMAS:"
    /sbin/iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
    /sbin/iptables -t nat -A PREROUTING -d $EXTERNALIPS -p tcp -j CHECK_FLAGS

17) Describe the following script:

    /sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p tcp --dport 54321 -s $DMZHOSTS -j DNAT --to 192.168.1.4:22
    /sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p tcp --dport 54321 -j DNAT --to 192.168.1.19:80
    /sbin/iptables -t nat -A PREROUTING -d $FIREWALLIP -p udp --dport 9000:9013 -j DNAT --to 192.168.1.37

18) Describe the following script:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ifconfig eth0:0 192.168.1.1
    /sbin/iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
    /sbin/iptables -I INPUT -s 192.168.1.2 -d 192.168.1.1 -j ACCEPT

Lecture

1) Describe the background behind the term "Network Neutrality" and the current technical and political forces at work.
   http://en.wikipedia.org/wiki/SBC_Communications
   http://en.wikipedia.org/wiki/Internet_neutrality

Internetworking with TCP/IP by D. Comer
Chapter 21 - Bootstrap and Autoconfiguration (BOOTP & DHCP)

1) Explain the limitation of ARP, or explain how it is possible for a host to obtain its assigned IP address over the network without knowing any IP addresses in advance.
2) Describe at least six types of information in a bootp packet.
3) Assuming the bootp protocol is in firmware, explain the two-step process to load an OS and the significance of the two steps.
4) Explain how DHCP extends bootp (five parts).
5) Explain the basic limitation of DHCP (three parts).

Internetworking with TCP/IP by D. Comer
Chapter 22 - The Domain Name System (Service, Server)

1) Contrast "flat" versus "hierarchical" domain names. Explain how the Domain Name System accommodates both types, and explain the role of the "dots."
2) Explain the relationship between hierarchical names and hierarchical IP addresses.
3) Contrast the terms "official," "unofficial," "authoritative," and "unauthoritative" Domain Names.
4) Using section 22.9 and Figure 22.9 (p. 402), explain how a Domain Name may map to more than one item of information.
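The following POSIX shell script is an added worked example for objectives 3 and 7 of the Iptables Handout section above; it is not part of the course handout or of any iptables distribution. It implements the x.x.x.x/y arithmetic (converting a dotted quad to an integer, deriving the netmask, and testing membership) on the handout's own networks, including the intra-byte masks /22, /26, /28, /12 and /3, and then mimics netfilter's first-match chain walk so that the four FORWARD rules of objective 7 can be evaluated in the order written and in a misordered variant. The values of $D2INTERACTIVEIP, $PRIVATE1 and $PRIVATE2 are constructed assumptions (the handout never states them), as is the chain policy of DROP; the collapsed table that merges the two REJECT lines into 192.168.0.0/22 is likewise an assumption that only works when the two private networks are adjacent /24s, and it also covers 192.168.0.0/24 and 192.168.3.0/24.

```shell
#!/bin/sh
# Added example (not from the handout): CIDR arithmetic for x.x.x.x/y notation
# and a first-match chain evaluator. Every address below is constructed.

ip2int() {                      # dotted quad -> 32-bit integer
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                      # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_mask() {                   # prefix length y -> netmask as integer
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

cidr_range() {                  # x.x.x.x/y -> "first-last" of the covered block
  net=${1%/*}; bits=${1#*/}
  mask=$(cidr_mask "$bits")
  lo=$(( $(ip2int "$net") & mask ))
  hi=$(( lo | (mask ^ 4294967295) ))
  echo "$(int2ip "$lo")-$(int2ip "$hi")"
}

cidr_match() {                  # $1 = address, $2 = x.x.x.x/y; true if inside
  net=${2%/*}; bits=${2#*/}
  mask=$(cidr_mask "$bits")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

addr_hit() {                    # $1 = packet address, $2 = rule match: any | host | net/bits
  case $2 in
    any) return 0 ;;
    */*) cidr_match "$1" "$2" ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# Walk a chain like netfilter: the FIRST matching rule decides; if no rule
# matches, the chain policy (assumed DROP here) applies.
# $1 = rule table, one "src dst target" per line; $2 = packet src; $3 = packet dst
chain_verdict() {
  while read -r rsrc rdst target; do
    [ -n "$rsrc" ] || continue
    if addr_hit "$2" "$rsrc" && addr_hit "$3" "$rdst"; then
      echo "$target"; return 0
    fi
  done <<EOF
$1
EOF
  echo "DROP(policy)"
}

# Constructed stand-ins for the handout's shell variables (assumptions).
D2INTERACTIVEIP=10.9.8.7
PRIVATE1=192.168.1.0
PRIVATE2=192.168.2.0

FORWARD_AS_WRITTEN="
$D2INTERACTIVEIP $PRIVATE1/24 REJECT
$D2INTERACTIVEIP $PRIVATE2/24 REJECT
$D2INTERACTIVEIP any ACCEPT
any $D2INTERACTIVEIP ACCEPT"

FORWARD_MISORDERED="
$D2INTERACTIVEIP any ACCEPT
any $D2INTERACTIVEIP ACCEPT
$D2INTERACTIVEIP $PRIVATE1/24 REJECT
$D2INTERACTIVEIP $PRIVATE2/24 REJECT"

# One supernet REJECT replaces two, assuming adjacent /24s; /22 over-covers .0 and .3.
FORWARD_COLLAPSED="
$D2INTERACTIVEIP 192.168.0.0/22 REJECT
$D2INTERACTIVEIP any ACCEPT
any $D2INTERACTIVEIP ACCEPT"

echo "204.71.200.0/22 (intra-byte) spans $(cidr_range 204.71.200.0/22)"
echo "172.16.0.0/12   (intra-byte) spans $(cidr_range 172.16.0.0/12)"
echo "$PRIVATE1/24     (inter-byte) spans $(cidr_range $PRIVATE1/24)"
echo "To $PRIVATE1 host, rules as written:   $(chain_verdict "$FORWARD_AS_WRITTEN" $D2INTERACTIVEIP 192.168.1.50)"
echo "To $PRIVATE1 host, ACCEPT moved first: $(chain_verdict "$FORWARD_MISORDERED" $D2INTERACTIVEIP 192.168.1.50)"
echo "To $PRIVATE1 host, collapsed table:    $(chain_verdict "$FORWARD_COLLAPSED" $D2INTERACTIVEIP 192.168.1.50)"
```

Run it with any POSIX sh; the three verdict lines make the ordering point concrete: the same packet is rejected under the handout's order but accepted once the blanket ACCEPT precedes the REJECTs, because netfilter stops at the first match.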