Linux Based Advanced Routing with Firewall and Traffic Control


This presentation is a presentation of the project work carried out by me during my undergraduate degree

Transcript of Linux Based Advanced Routing with Firewall and Traffic Control

Page 1: Linux Based Advanced Routing with Firewall and Traffic Control

Linux Based Advanced Routing with Firewall and Traffic Control

Presented By,

Sandeep Sreenivasan

B.E Computer Science and Engineering

Page 2: Linux Based Advanced Routing with Firewall and Traffic Control

Abstract

• Routing and bandwidth management have become essential for every organization: bandwidth is a limited resource and must therefore be used efficiently

• There are various ways to do this, either with hardware or with software. Both methods let you allocate specific bandwidth to Internet traffic, which can be further classified into web, mail, FTP etc.

• Using a hardware device such as a router costs a great deal to maintain and keep functioning

Page 3: Linux Based Advanced Routing with Firewall and Traffic Control

Abstract (Contd…)

• With bandwidth management, the traffic of each service or network is kept at an assured level at all times, and the administrator can change these levels at fixed time slots during the day, which is not possible with a pre-tuned hardware device such as a router

• Bandwidth management helps prioritize traffic and so makes sure that a rise in one type of traffic does not clog another, perhaps more critical, type

Page 4: Linux Based Advanced Routing with Firewall and Traffic Control

OUTLINE

Motivation

Existing System

Major Problems

Proposed System

Project Modules Study

Working Model Samples

Performance Analysis

Future Enhancements

Page 5: Linux Based Advanced Routing with Firewall and Traffic Control

Motivation

• Routing is fundamental to the design of the Internet Protocol

• Most fully-featured IP-aware networked devices run on UNIX or Linux

• The hardware devices used for routing are very costly compared to software routing algorithms

• Finally, firewalls are easier to implement and more effective on Linux based systems

Page 6: Linux Based Advanced Routing with Firewall and Traffic Control

Existing System

• Basic static routing algorithms implemented in UNIX based systems

• No firewalls or traffic control mechanisms provided in the system

• Low efficiency of static routing algorithms for heavy traffic flow environments

• Routing tables are manually updated only when a damaged route is found by the system

Page 7: Linux Based Advanced Routing with Firewall and Traffic Control

Existing System

[Diagram: Workstation 1, Workstation 2 … Workstation N connected through a Static Software Router]

Page 8: Linux Based Advanced Routing with Firewall and Traffic Control

Major Problems

• Use of static algorithms causes low bandwidth utilization

• Absence of firewalls causes leakage of information from servers

• Absence of traffic control mechanisms causes improper delivery of packets

• Routing tables are updated per route, not on a time schedule

Page 9: Linux Based Advanced Routing with Firewall and Traffic Control

Proposed System

• This project is mainly intended to build a system with advanced routing and a firewall with traffic control mechanisms on the Linux platform, to save cost and manage traffic effectively

• A system which can perform all the necessary functions of a router, with the additional capability to filter packets using a firewall and complete traffic control options

• To classify, prioritize, share and limit both inbound and outbound traffic

Page 10: Linux Based Advanced Routing with Firewall and Traffic Control

Proposed System

Page 11: Linux Based Advanced Routing with Firewall and Traffic Control

Hardware and Software Requirements

• Hardware Requirements:

 - Intel machines with 512 MB RAM / 80 GB HDD - 10 Nos

 - Two machines with two Network Interface Cards, the rest with one Network Interface Card

 - Internet connection

• Software Requirements:

 - Red Hat Enterprise Linux 4.0

 - Fedora 10

 - Iproute2 package source

 - Zebra package

 - Bash shell scripting

Page 12: Linux Based Advanced Routing with Firewall and Traffic Control

Project Modules Study

• The various modules of the Project are:

» Module 1: Dynamic Routing using OSPF Protocol

» Module 2: Secured Tunneling using GRE

» Module 3: Firewall and bandwidth management

» Module 4: Setup Web Server and DNS Server

» Module 5: Thin Client Setup

Page 13: Linux Based Advanced Routing with Firewall and Traffic Control

Module 1

• Dynamic Routing using OSPF Protocol

• Dynamic routing involves setting up OSPF areas to gather data from neighbouring routers and check for live paths at fixed time intervals

• In our setup, the router checks for live paths every two seconds and updates the table with an alternate path upon detection of a broken link

• Once the areas are configured, the router functions perfectly with utmost efficiency

Page 14: Linux Based Advanced Routing with Firewall and Traffic Control

ZEBRA Daemon

• The ZEBRA daemon is used to configure the OSPF protocol in Linux

• Separate daemons such as bgpd, ripd and ospfd handle the individual routing protocols; zebra collects their routes and installs them in the kernel routing table

+-------+ +--------+ +---------+ +-----------+
| bgpd  | |  ripd  | |  ospfd  | |   zebra   |
+-------+ +--------+ +---------+ +-----|-----+
                                       |
+--------------------------------------V-----+
|         UNIX Kernel routing table          |
+--------------------------------------------+

ZEBRA ARCHITECTURE

Page 15: Linux Based Advanced Routing with Firewall and Traffic Control

Sample Config File

• Below is a sample configuration file for the zebra daemon

!
! Zebra configuration file
!
hostname Router
password zebra
enable password zebra
!
log stdout
!

Page 16: Linux Based Advanced Routing with Firewall and Traffic Control

OSPF Protocol

• OSPF is an open protocol, also used by Cisco in its routers

• We have used this protocol for the very first time in a PC based routing technique

Page 17: Linux Based Advanced Routing with Firewall and Traffic Control

Sample Config File

• Below is a sample configuration file for the OSPF protocol (ospfd); the network statements belong under the router ospf section

!
! OSPF configuration file
!
hostname Router
password zebra
!
router ospf
 network 192.168.0.0/24 area 0
 network 200.0.0.0/24 area 1
 network 10.0.0.0/8 area 2
!
log stdout
!

Page 18: Linux Based Advanced Routing with Firewall and Traffic Control

Module 2

• GRE Tunneling

• Generic Routing Encapsulation (GRE) is used to create a logical tunnel between two end points for secured data transmission

• GRE tunnels have the following structure:

 Original packet: Original Header | Original Data

 Encapsulated packet: Outer Header | GRE Header | Original Header | Original Data

 i.e. New Header | New Data (the outer and GRE headers form the new header; the whole original packet becomes the new data)

Page 19: Linux Based Advanced Routing with Firewall and Traffic Control

Sample Config File

• Router A:

interface Ethernet0/1
 ip address 10.2.2.1 255.255.255.0
interface Serial0/0
 ip address 192.168.4.1 255.255.255.0
interface Tunnel0
 ip address 1.1.1.2 255.0.0.0
 tunnel source Serial0/0
 tunnel destination 192.168.4.2

• Router B:

interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
interface Serial0/0
 ip address 192.168.4.2 255.255.255.0
interface Tunnel0
 ip address 1.1.1.1 255.0.0.0
 tunnel source Serial0/0
 tunnel destination 192.168.4.1
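The Router A / Router B stanzas above are written in IOS style; on the Linux routers this project targets the same tunnel is built with iproute2. The script below is an added example (not from the slides) that expresses both sides of that exact tunnel as `ip tunnel` / `ip addr` / `ip route` commands, using the addresses from the slide. The interface name tun0, the LAN prefixes derived from the Ethernet addresses, and the `run` dry-run wrapper are assumptions. One caveat the slide does not state: GRE only encapsulates, it neither encrypts nor authenticates the payload, so confidentiality on the link needs IPsec (or similar) on top of the tunnel; the script also accepts GRE (IP protocol 47) only from the configured peer so that stray GRE packets from elsewhere are not decapsulated.

```shell
#!/bin/sh
# Added example (not from the slides): Router A / Router B GRE tunnel on Linux.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# gre_tunnel NAME LOCAL_WAN REMOTE_WAN TUNNEL_ADDR/PREFIX REMOTE_LAN
# Creates the tunnel interface, gives it the tunnel-side address from the
# slide, and routes the far side's LAN through it.
gre_tunnel() {
    name=$1; local_ip=$2; remote_ip=$3; tun_addr=$4; remote_lan=$5
    # Only decapsulate GRE that really comes from the configured peer.
    run iptables -A INPUT -p 47 -s "$remote_ip" -j ACCEPT
    run ip tunnel add "$name" mode gre local "$local_ip" remote "$remote_ip" ttl 255
    run ip addr add "$tun_addr" dev "$name"
    run ip link set "$name" up
    # Traffic for the remote LAN goes through the tunnel, not the bare WAN path.
    run ip route add "$remote_lan" dev "$name"
}

# Router A: WAN 192.168.4.1, tunnel 1.1.1.2/8, reaches Router B's 10.1.1.0/24
router_a() { gre_tunnel tun0 192.168.4.1 192.168.4.2 1.1.1.2/8 10.1.1.0/24; }
# Router B: WAN 192.168.4.2, tunnel 1.1.1.1/8, reaches Router A's 10.2.2.0/24
router_b() { gre_tunnel tun0 192.168.4.2 192.168.4.1 1.1.1.1/8 10.2.2.0/24; }

# Pick the side with ROLE=a or ROLE=b (default: Router A).
case "${ROLE:-a}" in
    b) router_b ;;
    *) router_a ;;
esac
```

Run it once on each router with the matching ROLE; with DRY_RUN=1 it only prints what it would do, which is the safest way to review the commands before applying them.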

Page 20: Linux Based Advanced Routing with Firewall and Traffic Control

Module 3

• Firewalls

• Internet firewalls are intended to keep the flames of Internet hell out of the private LAN. Or, to keep the members of the LAN pure and chaste by denying them access to all the evil Internet temptations

• The firewall in Linux is based on IPTABLES and its predecessor IPCHAINS, where explicit rules are written to control the operating policies of the firewall

• Two types of firewalls:

 » Packet Filtering Firewalls: block selected network packets

 » Proxy Servers: make network connections on behalf of clients

Page 21: Linux Based Advanced Routing with Firewall and Traffic Control

• Packet Filtering Firewalls

• A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and the port information contained in each packet

• Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet. With most proxy servers this is not true

• Filtering firewalls can be thought of as a type of router. Because of this, one needs a deep understanding of IP packet structure to work with one
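The slides say the firewall is built from explicit IPTABLES rules but show none. The script below is an added example (not the project's own ruleset) of a packet-filtering policy for the two-NIC Linux router described here: default-deny on INPUT and FORWARD, state tracking so only replies to permitted flows come back, an anti-spoofing rule, OSPF allowed so zebra/ospfd neighbours keep working, and inbound access from the outside limited to HTTP on the published web server. The interface names, the web-server address and the `run` dry-run wrapper are assumptions; the LAN prefix is the 192.168.0.0/24 from the OSPF sample config.

```shell
#!/bin/sh
# Added example (not from the slides): packet-filtering rules for a two-NIC
# Linux router. DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them.
LAN_IF="${LAN_IF:-eth0}"              # inside interface (assumed)
WAN_IF="${WAN_IF:-eth1}"              # outside interface (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # LAN prefix from the OSPF sample config
WEB_SRV="${WEB_SRV:-192.168.0.10}"    # assumed address of the Module 4 web server
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_firewall() {
    # Start from a clean filter table.
    run iptables -F
    run iptables -X

    # Default-deny: nothing reaches the router or is forwarded unless a rule allows it.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, and replies to connections the router itself started.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management (SSH) only from the LAN side.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # OSPF is IP protocol 89; zebra/ospfd needs it from neighbours.
    run iptables -A INPUT -p 89 -j ACCEPT

    # Anti-spoofing: LAN source addresses must never arrive on the WAN interface.
    # This rule must precede the ACCEPT rules, so order matters.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Replies to already-permitted flows, in both directions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate connections outward.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # From outside, only HTTP to the published web server is allowed in.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT
    # Log (rate-limited) what the default policy is about to drop, for review.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

apply_firewall
```

Review the printed rules with DRY_RUN=1 first; the logged FWD-DROP lines in the kernel log are the quickest way to see which legitimate flow a missing rule is breaking after the policy is applied.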

Page 22: Linux Based Advanced Routing with Firewall and Traffic Control

• Proxy Servers

• Proxies are mostly used to control or monitor outbound traffic. Some application proxies cache the requested data

• This lowers bandwidth requirements and shortens access to the same data for the next user. It also gives unquestionable evidence of what was transferred

• We have used a proxy server called SQUID to limit inbound and outbound traffic by constantly monitoring the visited web pages

• It also prevents access to irrelevant sites and prevents DoS attacks at the client side

Page 23: Linux Based Advanced Routing with Firewall and Traffic Control

• Bandwidth Management

Module 4

• The most essential task for an efficient routing architecture is bandwidth management

• It helps utilize the available bandwidth efficiently by splitting access between the various server types and balancing the load

• We have built a bandwidth managed server that allows 30% of the bandwidth to FTP and 70% to HTTP

Page 24: Linux Based Advanced Routing with Firewall and Traffic Control

IPROUTE 2

• IPROUTE2 is the Linux package whose utilities handle the bandwidth management process

• It supports various protocols and the management of each protocol, and balances the load automatically between the managed paths

ip route add default scope global \
    nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1

• The above command is an example of balancing the load between two paths, via gateways $P1 and $P2, which are reached through devices $IF1 and $IF2

• The weight parameter specifies the relative share of traffic sent through each next hop
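The previous slide states that the bandwidth managed server gives 30% of the link to FTP and 70% to HTTP, and this slide names iproute2 as the package used, but no traffic-control commands are shown. The script below is an added example (not the project's own script) of how that split is expressed with the `tc` utility from iproute2, using an HTB qdisc: a parent class capped at the managed link rate, two child classes with guaranteed 70/30 shares that may borrow idle capacity from each other, and u32 filters that steer TCP port 80 into the HTTP class and ports 21/20 into the FTP class. The outgoing interface and the `run` dry-run wrapper are assumptions; the 50 kbit/s link rate follows the "50 Kbps Managed Link" in the test setup later in the deck.

```shell
#!/bin/sh
# Added example (not from the slides): HTB shaping that shares a managed link
# 70% HTTP / 30% FTP. DRY_RUN=1 (default) prints the tc commands; DRY_RUN=0
# applies them (needs root).
IF="${IF:-eth1}"               # interface the managed link hangs off (assumed)
LINK_KBIT="${LINK_KBIT:-50}"   # total managed bandwidth in kbit/s
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# share_of PERCENT: that percentage of the link rate, in whole kbit/s.
share_of() { echo $(( LINK_KBIT * $1 / 100 )); }

apply_shaping() {
    http_rate=$(share_of 70)
    ftp_rate=$(share_of 30)

    # Replace any existing root qdisc (deleting a missing one is not an error here);
    # traffic matched by no filter lands in class 1:30.
    run tc qdisc del dev "$IF" root || true
    run tc qdisc add dev "$IF" root handle 1: htb default 30

    # Parent class: everything on this interface is capped at the link rate.
    run tc class add dev "$IF" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # Guaranteed shares; 'ceil' lets either class borrow bandwidth the other is not using.
    run tc class add dev "$IF" parent 1:1 classid 1:10 htb rate "${http_rate}kbit" ceil "${LINK_KBIT}kbit" prio 1
    run tc class add dev "$IF" parent 1:1 classid 1:20 htb rate "${ftp_rate}kbit" ceil "${LINK_KBIT}kbit" prio 2
    # Catch-all class: a nominal guarantee so unclassified traffic is never starved,
    # but it only gets real throughput by borrowing.
    run tc class add dev "$IF" parent 1:1 classid 1:30 htb rate 1kbit ceil "${LINK_KBIT}kbit" prio 3

    # Classify by TCP destination port: 80 -> HTTP class, 21 and 20 -> FTP class.
    run tc filter add dev "$IF" parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 80 0xffff flowid 1:10
    run tc filter add dev "$IF" parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport 21 0xffff flowid 1:20
    run tc filter add dev "$IF" parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport 20 0xffff flowid 1:20
}

apply_shaping
```

Shaping only acts on traffic leaving the interface, so this script belongs on the interface that faces the managed (slow) link; `tc -s class show dev eth1` afterwards shows per-class byte counts, which is how to confirm HTTP and FTP are really landing in 1:10 and 1:20.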

Page 25: Linux Based Advanced Routing with Firewall and Traffic Control

Module 5

• Thin Clients

• The thin client is a PC with less of everything.

• In designing a computer system, there are decisions to be made about processing, storage, software and user interface

• A gigabit/s network is faster than a PCI Bus and many hard drives, so each function can be in a different location

• In a thin client/server system, the only software that is installed on the thin client is the user interface, certain frequently used applications, and a networked operating system.

Page 26: Linux Based Advanced Routing with Firewall and Traffic Control

• This software can be loaded from a local drive, the server at boot, or as needed

• By simplifying the load on the thin client, it can be a very small, low-powered device giving lower costs to purchase and to operate per seat

• The server, or a cluster of servers has the full weight of all the applications, services, and data

• Thin clients give easier system management and lower costs, as well as all the advantages of networked computing: central storage/backup and easier security

• A single PC can usually power five or more thin clients. A more powerful PC or server can support up to a hundred thin clients at a time. A high-end server can power over 700 clients

Page 27: Linux Based Advanced Routing with Firewall and Traffic Control

Thin Client Architecture

[Diagram: Thin Client connected to Server]

Page 28: Linux Based Advanced Routing with Firewall and Traffic Control

Cost Comparison Chart

Component            General PC Client Requirements   Thin Client Requirements
Hard Disk            80 GB                            0
RAM                  1 GB                             256 MB
Motherboard          Any                              Any
Processor            Intel Dual Core                  Pentium 3/4
Average Total Cost   Rs. 14,000                       Rs. 7,000

• The Average cost of a PC based CPU client is almost two times that of a thin client based setup. The same set of software can be run on a thin client based system at a minimal cost.

Page 29: Linux Based Advanced Routing with Firewall and Traffic Control

Advantages of Thin Client

• Thin clients have various advantages of use over commercial PC based clients.

• Some of the noteworthy advantages are:

 - Lower IT administration costs

 - Easier to secure

 - Lower hardware costs

 - Less energy consumption

 - Easier hardware failure management

 - Worth less to most thieves

 - Operable in hostile environments

 - Less network bandwidth

Page 30: Linux Based Advanced Routing with Firewall and Traffic Control

Working Model Samples

1. Server Widgets (Main, Staff, Student)

Page 31: Linux Based Advanced Routing with Firewall and Traffic Control

2. General Mode Port Configuration Details

Page 32: Linux Based Advanced Routing with Firewall and Traffic Control

3. Routing Table Entry – Before Zebra Starts

Page 33: Linux Based Advanced Routing with Firewall and Traffic Control

4. Routing Table Entry – After Zebra Starts

Page 34: Linux Based Advanced Routing with Firewall and Traffic Control

5. GRE Tunnels

Page 35: Linux Based Advanced Routing with Firewall and Traffic Control

6. DNS Widget

Page 36: Linux Based Advanced Routing with Firewall and Traffic Control

7. Web Server Widget

Page 37: Linux Based Advanced Routing with Firewall and Traffic Control

8. General Mode Client Widget

Page 38: Linux Based Advanced Routing with Firewall and Traffic Control

9. Exam Mode Client Widget

Page 39: Linux Based Advanced Routing with Firewall and Traffic Control

10. Main Web Page

Page 40: Linux Based Advanced Routing with Firewall and Traffic Control

11. Year Selection Page

Page 41: Linux Based Advanced Routing with Firewall and Traffic Control

12. Exam Selection Page

Page 42: Linux Based Advanced Routing with Firewall and Traffic Control

13. Question Display Page

Page 43: Linux Based Advanced Routing with Firewall and Traffic Control

14. Required Software Opens

Page 44: Linux Based Advanced Routing with Firewall and Traffic Control

Performance Analysis

• PERFORMANCE OF LINUX ROUTER – Test Setup

The test setup in our computer lab uses 100Base-T Ethernet. The NICs and switching hubs are 100Base-T.

All platforms are running Linux 2.2 kernels, and the Linux router is the default gateway for all of them.

JMETER, a tool written in Java, was used to generate the node input, simulating as many new node requests as required

Page 45: Linux Based Advanced Routing with Firewall and Traffic Control

Node Discovery Time – Input Values List

Number of Nodes   Response Time (milli sec)
                  Static Routing Technique   Dynamic Routing Technique
100               0.234                      0.259
200               0.467                      0.49
300               0.662                      0.671
400               0.733                      0.755
500               0.9                        0.985

Page 46: Linux Based Advanced Routing with Firewall and Traffic Control

Node Discovery Time

Result Chart

Page 47: Linux Based Advanced Routing with Firewall and Traffic Control

Broken Link Discovery Time – Test Setup

Page 48: Linux Based Advanced Routing with Firewall and Traffic Control

Broken Link Discovery Time – Input Values List

Broken Link Name   Packet Delivery time (milli sec)
                   Dynamic Routing   Static Routing (Without Alternate path)   Static Routing (With Alternate path)
Link 1             0.633             0                                         0.855
Link 1 and 2       0.945             0                                         1.33
Link 1,2 and 3     1.233             0                                         2.56

Page 49: Linux Based Advanced Routing with Firewall and Traffic Control

Broken Link Discovery Time

Result Chart

Page 50: Linux Based Advanced Routing with Firewall and Traffic Control

Bandwidth Management Test – Test Setup

[Diagram: 10 Mbps LAN Link feeding a 50 Kbps Managed Link]

Page 51: Linux Based Advanced Routing with Firewall and Traffic Control

Bandwidth Management Test

Result Chart

Page 52: Linux Based Advanced Routing with Firewall and Traffic Control

Future Enhancements

• An Improved Hardware Configuration can be used to implement the Thin Clients in Real Time

• Added Firewall rules can be incorporated for efficient packet filtering

• Tunneling can be expanded to all the nodes for a more secured transmission strategy

• Bandwidth can be further managed efficiently by utilizing IPROUTE2 package bandwidth management technology

Page 53: Linux Based Advanced Routing with Firewall and Traffic Control


Page 54: Linux Based Advanced Routing with Firewall and Traffic Control