Franske ITC-2480 Lab 10 - Revision history

BenFranske: /* Enabling NAT and Firewall Rules for the LAN */

2021-12-08T03:58:10Z

Enabling NAT and Firewall Rules for the LAN

← Older revision		Revision as of 03:58, 8 December 2021
Line 140:		Line 140:
	<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li>		<li>You should now take a minute to allow all of the same services and ports on the internal network that you have allowed on the external network. </li>
	:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.		:In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.
	:In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone).		<li>In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the default features of that zone).
	: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''		: ''HINT: you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.''
	: While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it.		<li>While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. To do this run the following command:</li>
	~~<li>~~To do this run the following command:</li>
	<code>firewall-cmd --add-service=dhcp --zone=internal</code>		<code>firewall-cmd --add-service=dhcp --zone=internal</code>
	<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li>		<li>Once you are satisfied your firewall is running correctly you can use this command to set these rules to automatically load each time the system is started.</li>

BenFranske: /* Enable Routing */

2021-12-08T03:56:28Z

Enable Routing

← Older revision		Revision as of 03:56, 8 December 2021
Line 95:		Line 95:
	: [[Media:Lab10_sysctl_after.png \| Click for larger image]]		: [[Media:Lab10_sysctl_after.png \| Click for larger image]]
	* When you are done, save the file.		* When you are done, save the file.
	<li> Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li>		<li> Changes to the ''sysctl.conf'' file require a reboot, but most can be set immediately (without a reboot) but temporarily (will be reset to default at next boot) by echoing response codes to "files" in the ''/proc'' virtual filesystem. We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li>
	<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code>		<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code>
	: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''		: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''

BenFranske: /* Enable Routing */

2021-12-08T03:55:17Z

Enable Routing

← Older revision		Revision as of 03:55, 8 December 2021
Line 95:		Line 95:
	: [[Media:Lab10_sysctl_after.png \| Click for larger image]]		: [[Media:Lab10_sysctl_after.png \| Click for larger image]]
	* When you are done, save the file.		* When you are done, save the file.
	: Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''.		<li> Changes to the ''sysctl.conf'' file require a reboot, but most can be set without a reboot by echoing response codes to "files" in ''/proc''. We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li>
	~~<li>~~ We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: </li>
	<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code>		<code>'''echo 1 > /proc/sys/net/ipv4/ip_forward</code>
	: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''		: ''NOTE: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the '''/proc/sys/net/ipv4/ip_forward''' file (check the permissions by using '''ls'''). Read [http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr this similar question] for more details and possible solutions.''

BenFranske: Update to mjnk version

2021-12-03T20:02:19Z

Update to mjnk version

Show changes

BenFranske: /* Configure a Firewall */

2021-11-30T22:30:48Z

Configure a Firewall

← Older revision		Revision as of 22:30, 30 November 2021
Line 9:		Line 9:
	<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>		<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>
	<li>First, let's check to see if the firewall is now up and running using the '''firewall-cmd --state''' command.</li>		<li>First, let's check to see if the firewall is now up and running using the '''firewall-cmd --state''' command.</li>
	* '''NOTE:''' There is a bug in iptables/nftables 1.8.2 which ships with Debian Buster which causes it to not work correctly with firewalld. If you have issues with firewalld having a state of failed this is likely the issue. Follow the instructions to add [https://backports.debian.org/Instructions/ Debain buster-backports] to your apt sources.list file. After running an apt update you should be able to (re)install iptables/~~debian-backports and ip6tables/debian~~-backports which will upgrade your system to newer versions which are compatible with firewalld.		* '''NOTE:''' There is a bug in iptables/nftables 1.8.2 which ships with Debian Buster which causes it to not work correctly with firewalld. If you have issues with firewalld having a state of failed this is likely the issue. Follow the instructions to add [https://backports.debian.org/Instructions/ Debain buster-backports] to your apt sources.list file. After running an apt update you should be able to (re)install iptables/buster-backports which will upgrade your system to newer versions which are compatible with firewalld.
	<li>The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. Let's see what those rules are by using the '''firewall-cmd --list-all''' command.</li>		<li>The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. Let's see what those rules are by using the '''firewall-cmd --list-all''' command.</li>
	<li>By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. We can do this with the command '''firewall-cmd --zone=external --add-interface=ens192'''. We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].</li>		<li>By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. We can do this with the command '''firewall-cmd --zone=external --add-interface=ens192'''. We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].</li>

BenFranske: /* Enabling NAT and Firewall Rules for the LAN */

2021-11-15T22:42:40Z

Enabling NAT and Firewall Rules for the LAN

← Older revision		Revision as of 22:42, 15 November 2021
Line 65:		Line 65:

	<li>Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. First, let's set our ens224 interface (LAN) to be in the internal zone with the '''firewall-cmd --zone=internal --add-interface=ens224''' command.</li>		<li>Now we will use firewalld to setup NAT so that we can use private addresses on our internal LAN but still have access to the public Internet. First, let's set our ens224 interface (LAN) to be in the internal zone with the '''firewall-cmd --zone=internal --add-interface=ens224''' command.</li>
	<li>You should now take a minute to ~~all~~ all of the same services and ports on the internal network that you have allowed on the external network. In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.</li>		<li>You should now take a minute to open all of the same services and ports on the internal network that you have allowed on the external network. In other words, make sure that Webmin, Samba, DNS, etc. are also allowed on the internal zone.</li>
	<li>In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone) but you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.</li>		<li>In order to activate NAT you need to turn on the "masquerade" feature on your outside interface. This is probably already done if you correctly assigned your outside interface to the pre-defined external zone (it's one of the features of that zone) but you can do this manually as well in case you setup a custom zone by running the '''firewall-cmd --add-masquerade --zone=external''' command.</li>
	<li>While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. To do this run the '''firewall-cmd --add-service=dhcp --zone=internal''' command.</li>		<li>While routing and NAT should be working for hosts on your LAN interface now they probably still can't get an IP address! Just like all the other services being blocked by the firewall DHCP is also blocked unless you specifically allow it. To do this run the '''firewall-cmd --add-service=dhcp --zone=internal''' command.</li>

BenFranske: /* Configure a Firewall */

2021-11-03T01:26:53Z

Configure a Firewall

← Older revision		Revision as of 01:26, 3 November 2021
Line 9:		Line 9:
	<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>		<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>
	<li>First, let's check to see if the firewall is now up and running using the '''firewall-cmd --state''' command.</li>		<li>First, let's check to see if the firewall is now up and running using the '''firewall-cmd --state''' command.</li>
			* '''NOTE:''' There is a bug in iptables/nftables 1.8.2 which ships with Debian Buster which causes it to not work correctly with firewalld. If you have issues with firewalld having a state of failed this is likely the issue. Follow the instructions to add [https://backports.debian.org/Instructions/ Debain buster-backports] to your apt sources.list file. After running an apt update you should be able to (re)install iptables/debian-backports and ip6tables/debian-backports which will upgrade your system to newer versions which are compatible with firewalld.
	<li>The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. Let's see what those rules are by using the '''firewall-cmd --list-all''' command.</li>		<li>The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. Let's see what those rules are by using the '''firewall-cmd --list-all''' command.</li>
	<li>By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. We can do this with the command '''firewall-cmd --zone=external --add-interface=ens192'''. We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].</li>		<li>By default all interfaces are in the public zone (this is set in the ''/etc/firewalld/firewalld.conf'' file). Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. We can do this with the command '''firewall-cmd --zone=external --add-interface=ens192'''. We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the [https://firewalld.org/documentation/zone/predefined-zones.html pre-defined zones in firewalld documentation].</li>

BenFranske: /* Setup a 2nd VM as a LAN Host */

2021-02-10T02:22:31Z

Setup a 2nd VM as a LAN Host

← Older revision		Revision as of 02:22, 10 February 2021
Line 83:		Line 83:
	# At this point we have a fully functional LAN environment.		# At this point we have a fully functional LAN environment.
	# In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.		# In order to allow automatic safe shutdown of your Linux Mint system and improve speed/efficiency use the package manager to install the ''open-vm-tools-desktop'' package. This provides better drivers and integration between the vmWare host which is running your Linux Mint virtual machine and the virtual machine itself.
			# Finally, in the next section we'll be setting up SSH access to Mint through the Firewall so you'll want to install the ''openssh-server'' package through the package manager. Once you've done this you should be able to use the ssh program on the command line in Debian to access your Mint system like '''ssh mintusername@192.168.1.x''' where you are using a valid username on the Mint system and the IP address of the Mint system.
	# Spend a few more minutes exploring the functionality of the Linux GUI and desktop.		# Spend a few more minutes exploring the functionality of the Linux GUI and desktop.

BenFranske: /* Setup a 2nd VM as a LAN Host */

2021-01-13T22:27:09Z

Setup a 2nd VM as a LAN Host

← Older revision		Revision as of 22:27, 13 January 2021
Line 72:		Line 72:
	== Setup a 2nd VM as a LAN Host ==		== Setup a 2nd VM as a LAN Host ==
	# Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.		# Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.
	# You'll need to ~~connect~~ to ~~the VMware server~~ and ~~verify~~ that ~~you have a machine with~~ the ~~same letter ID as you have been working with so far but with a -II suffix~~ on the ~~end. You'll also want~~ to ~~verify that the~~ machine ~~has the~~ Linux Mint ~~ISO in the~~ virtual CD~~/DVD drive or correct that by browsing for the ISO in the SAN0 datastore~~.		# You'll need to make a Netlab reservation to work with your Mint system's GUI so go ahead and do that, enter the lab on Netlab, and click the "Linux Desktop" tab to access your Mint machine.
	~~# Boot the VM and get~~ Linux Mint installed, installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.		# The VM should be booting from a Linux Mint virtual CD image. Get Linux Mint installed using the link on the desktop, installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.
	#* NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.		#* NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.
	# Once you have Linux Mint installed, reboot the machine and login. ~~Notice how~~ the machine is able to connect to the ~~network~~. ~~Now, press~~ the Menu icon in the lower left corner, and enter "Terminal". Then, open the terminal application.		# Once you have Linux Mint installed, reboot the machine and login. Hopefully the machine is able to connect to the Internet through your Debian server which is acting as a DHCP server and router (see the topology diagram tab in Netlab to see a diagram of how they are connected).
			# Press the Menu icon in the lower left corner, and enter "Terminal". Then, open the terminal application.
	# You now have a shell on the system. From here, use '''ip address show''' to check your network settings. Notice how you have a IP from the DHCP pool we created earlier. Now try pinging ''172.17.50.1''. Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).		# You now have a shell on the system. From here, use '''ip address show''' to check your network settings. Notice how you have a IP from the DHCP pool we created earlier. Now try pinging ''172.17.50.1''. Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).
	#* NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.		#* NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with ''eth'' to the new ''ens'' style. You can also try using the older '''ifconfig''' way of checking the IP address and compare the output to the new '''ip address show''' method which we have been using so far in Debian.

BenFranske: /* Configure a Firewall */

2021-01-13T17:43:00Z

Configure a Firewall

← Older revision		Revision as of 17:43, 13 January 2021
Line 6:		Line 6:

	== Configure a Firewall ==		== Configure a Firewall ==
	* '''IMPORTANT NOTE:''' If you were using an old version of this lab which used the Webmin software to configure a firewall note that no longer functions correctly with recent versions of Debian which have switched from the old ''iptables'' firewall to the newer ''nftables'' system. You must delete and deactivate your Webmin firewall configuration before proceeding. You can do this by going to the Linux Firewall module of Webmin and resetting the firewall (there's a button at the bottom), choosing to allow all traffic, and then choosing NOT to activate it at boot which is another setting at the bottom of the firewall module. Be sure to click apply after choosing not to activate at boot. If you are unable to access Webmin you can try going to the command line and running '''sudo rm /etc/iptables.up.rules''' then rebooting, then running '''sudo nft flush ruleset'''
	<ol>		<ol>
	<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>		<li>It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the [https://firewalld.org/ firewalld] package suggested by Debian. Begin by installing the ''firewalld'' package on your system.</li>