Franske ITC-2480 Lab 10: Difference between revisions
BenFranske (talk | contribs)
BenFranske (talk | contribs) No edit summary
Revision as of 23:09, 9 March 2018
Introduction
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software and log in with your standard user account.
- Have a browser window open to the Webmin interface for your Linux VM.
Setup a 2nd NIC Interface
- To start this lab we will need to configure a second network interface, named ens224, on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface, which could be connected to a switch to allow multiple other computers to connect to the Internet through our server.
- Open /etc/network/interfaces with your favorite text editor. Go to the bottom of the file and add the following to configure the second interface with a static IP of 192.168.1.1/24:
    auto ens224
    iface ens224 inet static
        address 192.168.1.1
        netmask 255.255.255.0
- As this is a LAN-only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.
- Once this is done, save the file and then run ifup ens224 to enable the new interface.
- Verify the second interface is up and running with the correct IP address.
Enable NAT
- Now we will need to enable NAT so we can route LAN traffic to the Internet and the responding Internet traffic back to our LAN interface.
- In your console, you will need to edit /etc/sysctl.conf. This file is used to change and tweak multiple system variables. Scroll down until you find the following:
    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1
- Follow the instructions in the file to enable packet forwarding in the kernel. When you are done, save the file.
- Changes to the sysctl.conf file require a reboot, but most can be set without a reboot by echoing values to "files" in /proc. We will get into that more in a later chapter, but for now run the following command to enable IP forwarding without rebooting the machine: echo 1 > /proc/sys/net/ipv4/ip_forward
- Note: If you receive an error when trying to run that command, it is likely that the user you are running it as does not have permission to modify the /proc/sys/net/ipv4/ip_forward file (check the permissions using ls). Read this similar question (http://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr) for more details and possible solutions.
- Now we will use Webmin to set up iptables and allow NAT so that we can use private addresses on our internal LAN. In Webmin, go to Networking, then Linux Firewall. You will be taken to a page that asks you to set up iptables for the first time. To start, select the option "Block all except SSH, IDENT, ping and high ports on interface eth0." Also select the "Enable firewall at boot time" option, then press Setup Firewall. (Webmin's templates name the interfaces eth0 and eth1; in our setup these are the WAN interface ens192 and the LAN interface ens224.)
- You will now be shown the firewall setup page. Notice how Webmin was nice enough to create a handful of default rules for you. We will get into creating custom rules later in this lab, but for now we need to enable NAT in iptables.
- At the top of the page where it says "Showing IPtable:", change the dropdown option to "Network address translation (nat)".
- On this page, under the POSTROUTING category, press the Add Rule button. Use the following configuration to enable NAT:
    Rule comment: Enable NAT for eth1
    Action to take: Masquerade
    Source ports for masquerading: any
    IPs and ports to SNAT: Default
    Source address or network: Equals: 192.168.1.1/24
    Outgoing interface: Equals: eth0
- When you are done, press the Create button at the bottom, and then on the firewall page press Apply Configuration. At this point you can use your Linux VM as a router, but only with static IP addresses set on clients. So, next we will set up a DHCP server.
Setup a DHCP Server
- To set up a DHCP server, we will first need to install the required software. In your SSH console use your favorite package manager to install isc-dhcp-server.
- After you install the package you may get a warning about isc-dhcp-server being unable to start. This is normal, as we have yet to define the interface and settings we want used.
- Now back in Webmin, select the Refresh Modules option. After it is done, go to Servers, then DHCP Server.
- Before we define our DHCP range, we need to set our listening interface. Click on the Edit Network Interface option, select eth1 and press Save.
- Now under Subnets and Shared Networks, select Add a new subnet. Use the following settings:
    Subnet description: LAN DHCP Range
    Network address: 192.168.1.0
    Netmask: 255.255.255.0
    Address ranges: 192.168.1.100-192.168.1.254
- When you are done, press Create. Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.
- From here we will set up the default gateway and DNS servers for the clients to use. Under Default Routers, set the option to 192.168.1.1 and under DNS Servers, set it to 192.168.1.1 as well. Notice how we are setting these options to the IP of eth1 that we set up. This is because our Linux VM will act as the router and DNS server for our clients as well.
- When you are done, press Save, and then on the Edit Subnet page press Save again.
- Now that you are back on the DHCP Server page, press the Start Server button. If all goes well, the button should change to "Stop Server". If this does not happen, then the server was unable to start. If that happens, re-check your DHCP server configuration to make sure everything is correct.
Setup a 2nd VM
- Now we are going to set up a 2nd VM on the VMware server so we have a client to connect to the network we just created. For this, we will be using Linux Mint instead of Debian so we have a user interface to help us with testing.
- You'll need to connect to the VMware server and verify that you have a machine with the same letter ID as you have been working with so far but with a -II suffix on the end. You'll also want to verify that the machine has the Linux Mint ISO in the virtual CD/DVD drive, or correct that by browsing for the ISO in the SAN0 datastore.
- Boot the VM and get Linux Mint installed; installation settings are not critical, as we'll be using the system primarily to explore a Linux GUI and to test web browsing from our private network.
- Once you have Linux Mint installed, reboot the machine and log in. Notice how the machine is able to connect to the network. Now, press the Menu icon in the lower left corner and enter "Terminal". Then, open the terminal application.
- You now have a shell on the system. From here, use sudo ifconfig to check your network settings. Notice how you have an IP from the DHCP pool we created earlier. Now try pinging 172.17.50.1. Are you able to ping? If so, NAT is working properly on your network.
- Now run ping google.com. If you are able to ping, this shows that not only is NAT working, but DNS resolution as well.
- Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.
- At this point we have a fully functional LAN environment.
- Spend a few more minutes exploring the functionality of the Linux GUI.
Port Forwarding and Firewalling
- Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the IHITC network.
- So back in Webmin, go to Networking, and then Linux Firewall. Now change the "Showing IPtable:" option to "Network address translation (nat)". Now under PREROUTING, press Add Rule.
- For our rule we are going to forward port 2222 to port 22 on our Mint VM. You will need to know the IP address of the Mint machine, but for this example it will be 192.168.1.100.
- Use the following information to create the new rule:
    Rule comment: Forward 2222 to SSH
    Action to take: Destination NAT
    IPs and ports for DNAT: IP range: 192.168.1.100, Port range: 22
    Network protocol: Equals: TCP
    Destination TCP or UDP port: Equals: 2222
- When you are done press Save, and then Apply Configuration. Now on the Mint VM, make sure openssh-server is installed. From a computer on the IHITC network, try to SSH to port 2222 on your original (Debian) VM. If everything was set up successfully, you will be able to sign in to the Mint VM through the Debian VM.
iptables from the command line
- Now that you know how to create rules with Webmin, let's learn how to do it from the command line.
- If you want to view the current rulesets applied on a system, or you want to back up your current configuration, you would use the iptables-save command. Run it, and review the output. Notice how all of the rules we created in Webmin show up.
- Now if you want to back up your rules, you would use iptables-save > rules.txt. This would dump the current configuration into a file called rules.txt.
- To reload the rules into iptables, you would use iptables-restore. With the file we created, we would load it back in by running iptables-restore rules.txt (or iptables-restore < rules.txt on versions that only read from standard input).
- Lastly, you can create and delete individual rules from the command line using the iptables command directly.
- At this point, we are now going to create some rules in Webmin for the firewall. Back in Webmin, go to Networking then Linux Firewall. Notice the default rules Webmin created for us earlier. Delete the following additional rules, but again DO NOT press the Apply button:
    Accept: If protocol is TCP or UDP and destination port is 1024:65535
    Drop: If protocol is TCP and destination port is 2049:2050
    Drop: If protocol is TCP and destination port is 6000:6063
    Drop: If protocol is TCP and destination port is 7000:7010
- Now we need to open ports for our running services. First we will create a rule to allow Webmin to continue running. Use the following configuration for the Webmin rule:
    Action to take: Accept
    Network protocol: Equals: TCP
    Destination TCP or UDP port: Equals: 10000
- Now, using the same format as above, open ports for all running services. This includes SSH, DNS, SMTP, POP3, IMAP, and HTTP. Make sure to correctly figure out and set the protocol (TCP vs. UDP) for each of these.
- When you are done creating the rules, press Apply to have the rules enabled on your system.
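The isc-dhcp-server configuration that the Webmin steps in the Setup a DHCP Server section produce, plus a subnet sanity check for the "server was unable to start" case. This is an added example, not the lab's own code; the interface name ens224 (Webmin's eth1), the Debian file paths and the ESTABLISHED-style details are assumptions based on the lab's interface setup.

```shell
#!/bin/sh
# Added example (not from the lab page): hand-written equivalent of the
# Webmin DHCP steps, using the lab's own values.
LAN_IF=ens224            # Webmin's "Edit Network Interface" -> eth1 in the lab
NET=192.168.1.0
MASK=255.255.255.0
GW=192.168.1.1           # Default Routers and DNS Servers: the server itself
RANGE_LO=192.168.1.100
RANGE_HI=192.168.1.254

# Dotted quad -> 32-bit integer, so subnet membership can be checked in plain sh.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when $1 lies inside $NET/$MASK.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$MASK") )) -eq "$(ip2int "$NET")" ]
}

# Emit /etc/dhcp/dhcpd.conf for the LAN subnet. The two "option" lines are
# what Webmin's "Edit Client Options" page writes.
dhcpd_conf() {
    cat <<EOF
# LAN DHCP Range
subnet $NET netmask $MASK {
    range $RANGE_LO $RANGE_HI;
    option routers $GW;
    option domain-name-servers $GW;
}
EOF
}

# Pre-flight check: every handed-out address and the gateway must be on the
# subnet, otherwise dhcpd refuses to start.
dhcp_config_ok() {
    for ip in "$RANGE_LO" "$RANGE_HI" "$GW"; do
        in_subnet "$ip" || { echo "$ip is not in $NET/$MASK" >&2; return 1; }
    done
    return 0
}

# On the server (as root):
#   echo "INTERFACES=\"$LAN_IF\"" >> /etc/default/isc-dhcp-server   # INTERFACESv4 on newer packages
#   dhcpd_conf > /etc/dhcp/dhcpd.conf
#   dhcpd -t -cf /etc/dhcp/dhcpd.conf     # syntax check before "Start Server"
```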
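The NAT, port-forwarding and firewall rules from the Enable NAT, Port Forwarding and Firewalling, and iptables from the command line sections, written out by hand in the iptables-save format those sections discuss, so the set can be reviewed in an editor and loaded with iptables-restore. This is an added example and not the lab's or Webmin's own rules: Webmin's generated defaults differ in detail, and the loopback, conntrack and DHCP rules are assumptions needed because INPUT defaults to DROP.

```shell
#!/bin/sh
# Added example (not the lab's code). Interface names follow the lab:
# ens192 = WAN (Webmin's eth0), ens224 = LAN (Webmin's eth1).
WAN=ens192
LAN=ens224
LAN_NET=192.168.1.0/24   # the lab writes 192.168.1.1/24; iptables masks it to this network
CLIENT=192.168.1.100     # the lab's example address for the Mint VM

# Print the complete ruleset: nat table first, then filter.
lab_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward 2222 to SSH on the Mint VM (the PREROUTING rule)
-A PREROUTING -i $WAN -p tcp --dport 2222 -j DNAT --to-destination $CLIENT:22
# Enable NAT for the LAN (the POSTROUTING masquerade rule)
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
EOF
    # One ACCEPT per service the lab runs: SSH, DNS (TCP and UDP), SMTP, POP3,
    # IMAP, HTTP and Webmin. The high-port ACCEPT and the 2049/6000/7000 DROP
    # rules the lab deletes are simply absent.
    for svc in tcp:22 tcp:53 udp:53 tcp:25 tcp:110 tcp:143 tcp:80 tcp:10000; do
        printf '%s -p %s --dport %s -j ACCEPT\n' '-A INPUT' "${svc%%:*}" "${svc##*:}"
    done
    echo COMMIT
}

# Number of INPUT rules opening a given port; handy when reviewing the set.
rules_for_port() { lab_rules | grep -c -- "-A INPUT .*--dport $1 " || true; }

# Apply on the server (as root), then verify:
#   sysctl -w net.ipv4.ip_forward=1     # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
#   lab_rules | iptables-restore        # or: lab_rules > rules.txt; iptables-restore < rules.txt
#   iptables -t nat -L -n -v            # the MASQUERADE and DNAT rules should be listed
```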