Let’s dive in!
Fire up Kali and run all commands as root.
In my previous posts, I’ve covered how ifconfig helps identify network information.
Ubuntu, by default, controls network configurations with Netplan.
Let’s install a better program called ifupdown. It’s much easier to use- all of the network information can be configured in one simple file.
Install ifupdown by running this command:
apt install ifupdown -y
Now remove the Netplan configurations from your device. Run the command:
apt remove netplan.io -y
Autoremove will find any dependencies that are no longer needed and delete them. It’s not necessary, but I like to run this command anytime I remove something.
Now identify physical interfaces on the network:
ip link show
You’ll see the physical interfaces on your network and whether they’re up or not. We’ll come back to this when we set static IPs and configure bridges.
In my case, I have lo (the loopback address) and eth0.
- Note: to complete this tutorial, you must have a wired connection to the internet. This is because ifupdown does not support bridging wireless devices.
We need to edit our interfaces file. Vim the file /etc/network/interfaces
You’ll see this:
Change the file to this:
As you see here, we can assign each interface the labels loopback or dhcp. This means the interface’s IP will either be the loopback address, or it will be assigned by a DHCP (dynamic host control protocol.)
We can also make these assignments static or manual. Let me break down the difference between the two:
STATIC
The DHCP server checks the device’s MAC address. If it’s on the “static assignments” list, it assigns the IP you specified to that device. If not, it gets the next available IP address.
MANUAL
The interface will ask the gateway for a specific IP. If it’s available, the gateway assigns it to the interface. If you go this route and set up the rules incorrectly, the device will not get an IP.
If I rebooted my machine right now, eth0 would get an address from the DHCP.
My device’s IP is currently 192.168.254.103 (here’s the screenshot from the beginning of the post)
But what if I want it to be .102 each time the machine boots up? I’ll set the static IP in the etc/network/interfaces file.
Each time you set a static IP, you need to set these 3 things:
- Address
- Netmask
- Gateway
- The gateway address is usually the first available in the subnet. This is not always the case though- always confirm the gateway address with the client.
:wq the VIM file and reboot the machine. You’ll see that it’s using the new IP!
Simple and effective. Now onto transparent bridges.
To create a bridge, we can make a switch out of one or more interfaces on a device.
When a device acts as a switch, you can see all traffic going through the interfaces connected to it. You can capture the packets, analyze them, and make blocking decisions.
We need a program called bridge-utils to make bridges. Install it with apt:
You can check out the documentation here to know more.
Here’s how to configure the bridge:
Look at how we changed the eth0 interface from static to manual. We didn’t need to do this, but I wanted to show that you can assign the IP to the bridge interface. The bridge will take the MAC of one of your physical interfaces (usually the lowest ordered one, but not always.)
There are 4 arguments for bridges that we declared:
1. bridge_ports
- This is how you determine which ports to put on the bridge. We only have eth0 in the example above, but if you wanted to place more interfaces on the bridge, you could add eth1, eth2, etc.
2. bridge_fd
- This is set to 0 so it forwards packets immediately.
3. bridge_maxwait
- This is an additional argument to have it forward packets immediately (by setting it to 0.)
4. bridge_stp
- STP refers to spanning tree protocol. We won’t create a switching loop by plugging devices into two ports, so we keep this turned off.
Set these arguments and reboot the box. Then run ifconfig.
Check it out! There’s a new interface (br0), and it has the same MAC address (ether) as eth0. It also picked up it own IP address through DHCP, and eth0 now has no IP.
One more thing on bridges: you can treat them as if they’re separate interfaces. Thinking of making it a static IP? Add the same arguments you did for setting eth0, like this:
auto br0
iface br0 inet static
address 10.0.0.208
netmask 255.255.255.0
gateway 10.0.0.1
bridge_ports eth0 #eth1 eth2
bridge_fd 0
bridge_maxwait 0
bridge_stp off
Let’s discuss blocking IPs with IPTables.
Run iptables -h
This process can be complicated, so I’ll make it as simple as possible.
Imagine you want to block google.com. You’d first find the IP with nslookup. After that, you’d ping it to see if you get a response:
I’m doing this now (and I encourage you to do it) to verify that we’re actually blocking google.com when we run our blocking commands later.
Let me unpack the next screenshot:
IPTables can block IPs on specific interfaces, under specific circumstances, and at specific layers of network communications. We’re going to block the simplest and fastest possible layer available to IPTables- the prerouting layer.
Run this command:
iptables -t raw -A PREROUTING -s <ip> -j DROP
It instructs the machine to instantly drop any communications coming from this IP. This rule alone is extremely fast and effective.
To see all IPs you’re blocking, run this command:
iptables -nL -t raw
The screenshot shows that we’re blocking the Google IP we specified earlier.
Now let’s ping it to verify that we can’t:
100% packet loss. Perfect!
To “flush” the firewall and delete all of our rules, run:
iptables -t raw -F
Check our rules again, and you’ll see that it’s gone. You can also ping the blocked IP.
What if you wanted to block this IP all the time? This is where rc.local comes in.
rc.local is a program that runs each time you boot the machine. Run this command:
vim /etc/rc.local
And add these lines:
Make the file executable:
Now we need the file that will run on rc.local upon startup:
Note: /opt is a good place to put general purpose server files and directories.
Let’s make a basic bash script to block Google:
Now make the script executable:
Then start the rc.local service:
systemctl start rc-local.service
If you don’t see errors, this means everything is running correctly!
To verify that it’s working, check the firewall blocklists:
Now reboot the machine and check it again to ensure it runs on startup.
That’s all for today! In summary, you learned:
- Setting static IPs with ifupdown in /etc/network/interfaces
- Configuring bridges with bridge-utils in the interfaces file
- Blocking IPs with IPTables
- Running programs on startup with rc.local
Thanks for reading!