1
00:00:06,630 --> 00:00:09,363
- So let's talk about network address translation.

2
00:00:11,070 --> 00:00:13,320
How does network address translation work?

3
00:00:13,320 --> 00:00:16,203
Well, the purpose is to have a private network.

4
00:00:18,180 --> 00:00:19,110
So this network,

5
00:00:19,110 --> 00:00:22,830
the 10.0.0.0 network is considered a private network.

6
00:00:22,830 --> 00:00:24,693
And here we have the public side.

7
00:00:25,530 --> 00:00:27,870
You want to protect your private network

8
00:00:27,870 --> 00:00:29,700
and at the same time you wanna make sure

9
00:00:29,700 --> 00:00:31,530
that nodes on your private network

10
00:00:31,530 --> 00:00:33,630
are capable of going outside.

11
00:00:33,630 --> 00:00:34,980
Now, how does that work?

12
00:00:34,980 --> 00:00:38,700
Well, that works by configuring network translation,

13
00:00:38,700 --> 00:00:40,980
network address translation

14
00:00:40,980 --> 00:00:43,683
that is on the outside interface of your router.

15
00:00:44,670 --> 00:00:46,410
So what is going to happen?

16
00:00:46,410 --> 00:00:48,750
Well, in network address translation,

17
00:00:48,750 --> 00:00:51,000
network addresses are translated.

18
00:00:51,000 --> 00:00:54,510
And in order to really understand how that works,

19
00:00:54,510 --> 00:00:58,920
well, we also need to include some MAC addresses.

20
00:00:58,920 --> 00:01:02,820
So let's say that this is aa, this is MAC address bb

21
00:01:02,820 --> 00:01:04,623
and this is MAC address cc.

22
00:01:05,640 --> 00:01:07,110
This is very much simplified

23
00:01:07,110 --> 00:01:09,660
but we don't really care about MAC addresses

24
00:01:09,660 --> 00:01:11,070
in this drawing.

25
00:01:11,070 --> 00:01:14,520
So it all starts where this node is generating

26
00:01:14,520 --> 00:01:16,320
an outgoing packet.

27
00:01:16,320 --> 00:01:21,320
Let's say that this node is going to IP address 1.1.1.1,

28
00:01:26,610 --> 00:01:31,037
and the source IP address will be 10.0.0.10.

29
00:01:36,210 --> 00:01:38,310
So this packet is forwarded

30
00:01:38,310 --> 00:01:40,230
according to the default router

31
00:01:40,230 --> 00:01:42,810
and it'll be forwarded to the router.

32
00:01:42,810 --> 00:01:44,820
Now, what is the router going to do?

33
00:01:44,820 --> 00:01:49,200
Well, the router is going to do network address translation.

34
00:01:49,200 --> 00:01:51,691
And this network address translation

35
00:01:51,691 --> 00:01:54,030
is where the router is going to change

36
00:01:54,030 --> 00:01:55,890
the source IP address.

37
00:01:55,890 --> 00:01:58,920
So the router is regenerating the packet

38
00:01:58,920 --> 00:02:01,410
in such a way that it is still addressed

39
00:02:01,410 --> 00:02:03,960
to 1.1.1.1,

40
00:02:03,960 --> 00:02:07,477
but now we have 192.168.1.1

41
00:02:08,523 --> 00:02:10,980
as the source IP address.

42
00:02:10,980 --> 00:02:14,403
And then the packet can go out to the destination.

43
00:02:16,230 --> 00:02:18,183
Now, what is the destination seeing?

44
00:02:19,109 --> 00:02:22,980
It sees that this packet comes from 192.168.1.1.

45
00:02:22,980 --> 00:02:27,980
So what is the magic of this NAT trick to really work?

46
00:02:28,470 --> 00:02:31,470
Well, the magic is only understandable

47
00:02:31,470 --> 00:02:34,200
if you throw in some MAC addresses as well.

48
00:02:34,200 --> 00:02:37,740
So in a packet header, there are not just IP addresses,

49
00:02:37,740 --> 00:02:39,990
there are also MAC addresses.

50
00:02:39,990 --> 00:02:42,720
And the thing that is going to happen

51
00:02:42,720 --> 00:02:45,333
is that in the MAC address,

52
00:02:47,490 --> 00:02:50,730
a random MAC address is generated by the NAT router.

53
00:02:50,730 --> 00:02:54,510
Let's say that that is dd as the source MAC address

54
00:02:54,510 --> 00:02:55,800
and here we have ee

55
00:02:55,800 --> 00:02:57,870
which is the destination on the internet.

56
00:02:57,870 --> 00:03:01,080
The ee doesn't really matter, the dd does.

57
00:03:01,080 --> 00:03:03,510
What the NAT router is going to register

58
00:03:03,510 --> 00:03:05,040
is that at the moment

59
00:03:05,040 --> 00:03:09,180
that a packet is going back to this dd address

60
00:03:09,180 --> 00:03:12,900
that it needs to be forwarded to the original node,

61
00:03:12,900 --> 00:03:16,440
which is 10.0.0.10.

62
00:03:16,440 --> 00:03:17,820
So what is happening?

63
00:03:17,820 --> 00:03:21,540
Well, the internet is going to send back a packet.

64
00:03:21,540 --> 00:03:25,950
And while sending back a packet, the packet is addressed

65
00:03:25,950 --> 00:03:30,950
to 192.168.1.1

66
00:03:31,290 --> 00:03:34,570
coming from the internet IP address 1.1.1.1.

67
00:03:36,570 --> 00:03:38,670
The NAT router is looking up this packet

68
00:03:38,670 --> 00:03:42,150
in the NAT table and there it'll find

69
00:03:42,150 --> 00:03:46,023
that the packet needs to be forwarded to 10.0.0.10.

70
00:03:46,950 --> 00:03:50,250
So that means that we still keep the original source

71
00:03:50,250 --> 00:03:53,940
from the internet and we rewrite the packet header

72
00:03:53,940 --> 00:03:56,400
to 10.0.0.10.

73
00:03:56,400 --> 00:03:58,110
And that allows the packet finally

74
00:03:58,110 --> 00:04:00,453
to reach its destination right here.

75
00:04:01,320 --> 00:04:02,380
So what does that bring us?

76
00:04:02,380 --> 00:04:05,100
Well, that brings us that for the internet

77
00:04:05,100 --> 00:04:08,130
anything on the 10 network is not visible,

78
00:04:08,130 --> 00:04:10,710
but still the nodes on the 10 network

79
00:04:10,710 --> 00:04:13,860
by using this network address translation trick

80
00:04:13,860 --> 00:04:16,470
are capable of going out to the internet.

81
00:04:16,470 --> 00:04:17,970
And that's how NAT is working.

82
00:04:20,910 --> 00:04:23,520
So for this demo, we need two additional servers.

83
00:04:23,520 --> 00:04:26,760
I installed server 3, which has an IP address

84
00:04:26,760 --> 00:04:31,760
192.168.29.230 as well as 10.0.0.10.

85
00:04:32,520 --> 00:04:35,280
So this is a multi-homed server, it's a router,

86
00:04:35,280 --> 00:04:37,050
and that is what we are going to be configuring

87
00:04:37,050 --> 00:04:38,820
as the NAT server.

88
00:04:38,820 --> 00:04:41,430
Behind that NAT server there is server 4

89
00:04:41,430 --> 00:04:45,490
which is listening on IP address 10.0.0.11

90
00:04:47,220 --> 00:04:51,660
which is not directly reachable by the 192.168 servers.

91
00:04:51,660 --> 00:04:53,970
So here on the slide you can see what I'm going to do.

92
00:04:53,970 --> 00:04:55,020
Let me do it for you.

93
00:04:57,510 --> 00:05:00,690
Okay, I'm starting with firewall-cmd.

94
00:05:00,690 --> 00:05:04,260
There's --get-zones, which is just printing an overview

95
00:05:04,260 --> 00:05:06,450
of the different zones that are available.

96
00:05:06,450 --> 00:05:09,960
So to add the masquerading, I'm gonna use

97
00:05:09,960 --> 00:05:14,793
firewall-cmd --zone=public --add-masquerade,

98
00:05:23,340 --> 00:05:24,640
with the --permanent option.

99
00:05:26,400 --> 00:05:28,270
So now masquerading is added

100
00:05:29,250 --> 00:05:31,230
and let me do it without the --permanent option

101
00:05:31,230 --> 00:05:33,603
to immediately bring it to runtime as well.

102
00:05:34,770 --> 00:05:37,650
Next I'm going to check my zone configuration.

103
00:05:37,650 --> 00:05:42,650
So firewall-cmd --list-all --zone=public.

104
00:05:46,110 --> 00:05:48,360
I wanna see the configuration for the public zone

105
00:05:48,360 --> 00:05:49,890
and we can see that in the public zone

106
00:05:49,890 --> 00:05:51,297
there is ens33.

107
00:05:51,297 --> 00:05:53,815
ens33 is the network card

108
00:05:53,815 --> 00:05:57,240
that has the 192.168 IP address.

109
00:05:57,240 --> 00:06:01,020
And let's also do this for the internal zone

110
00:06:01,020 --> 00:06:05,730
where we can see that ens34 is in the internal zone

111
00:06:05,730 --> 00:06:07,330
and that's exactly what we need.

112
00:06:08,310 --> 00:06:10,410
Now, if you have the default configuration,

113
00:06:10,410 --> 00:06:13,410
you may see that both interfaces are in the public zone

114
00:06:13,410 --> 00:06:14,550
and then you can use

115
00:06:14,550 --> 00:06:19,080
this command firewall-cmd --zone=internal

116
00:06:19,080 --> 00:06:21,783
--change-interface=ens34.

117
00:06:23,010 --> 00:06:26,220
Good, we don't have to do that because it's already done.

118
00:06:26,220 --> 00:06:31,220
So firewall-cmd --get-active-zones.

119
00:06:33,510 --> 00:06:35,640
It's showing the current zone configuration

120
00:06:35,640 --> 00:06:37,650
with the network cards that are in there.

121
00:06:37,650 --> 00:06:39,600
That's just to verify.

122
00:06:39,600 --> 00:06:44,600
So that is cool and that means that I can do the next step,

123
00:06:45,630 --> 00:06:46,620
and the next step

124
00:06:46,620 --> 00:06:49,200
is where we are going to configure the port forwarding

125
00:06:49,200 --> 00:06:51,450
because that's the mission of this demo.

126
00:06:51,450 --> 00:06:55,170
We want to make sure that on the firewall server,

127
00:06:55,170 --> 00:06:56,790
that is server 3,

128
00:06:56,790 --> 00:07:01,563
a port is forwarded to the SSH service on server 4.

129
00:07:02,700 --> 00:07:05,428
That will be the firewall-cmd command

130
00:07:05,428 --> 00:07:10,428
--zone=public --add-forward-port=port=2022:

131
00:07:23,130 --> 00:07:28,130
proto=tcp:toport=22:toaddress=10.0.0.11.

132
00:07:39,900 --> 00:07:40,733
Let's verify.

133
00:07:40,733 --> 00:07:43,080
So --add-forward-port, that's what we need.

134
00:07:43,080 --> 00:07:46,020
And then we have the different arguments,

135
00:07:46,020 --> 00:07:48,180
the different items that need to be configured.

136
00:07:48,180 --> 00:07:51,450
So port is 2022, that is what we are exposing

137
00:07:51,450 --> 00:07:54,690
on the public side of this firewall,

138
00:07:54,690 --> 00:07:57,840
the protocol is TCP, the toport is 22

139
00:07:57,840 --> 00:08:00,723
and the toaddress is 10.0.0.11.

140
00:08:02,100 --> 00:08:03,240
So that is successful

141
00:08:03,240 --> 00:08:05,850
and if we want it to stay around,

142
00:08:05,850 --> 00:08:07,830
we also need --permanent.

143
00:08:07,830 --> 00:08:10,593
And now we can go to server 1 for testing.

144
00:08:12,570 --> 00:08:13,980
So how do we test?

145
00:08:13,980 --> 00:08:18,420
Simple, ssh student@192.168.29.230 -p 2022.

146
00:08:25,470 --> 00:08:27,810
And well, we can see that we get an answer

147
00:08:27,810 --> 00:08:29,160
from an SSH process,

148
00:08:29,160 --> 00:08:30,690
that's already good news.

149
00:08:30,690 --> 00:08:32,670
So yes, I am sure

150
00:08:32,670 --> 00:08:34,860
and here is my password.

151
00:08:34,860 --> 00:08:35,760
And look at that,

152
00:08:35,760 --> 00:08:37,713
I have a prompt on server 4.

153
00:08:42,300 --> 00:08:43,980
And if I type ip a,

154
00:08:43,980 --> 00:08:47,790
then you can see that we are really on 10.0.0.11.

155
00:08:47,790 --> 00:08:50,010
So that is a combination of port forwarding

156
00:08:50,010 --> 00:08:52,563
with Network Address Translation up and running.