Franske ITC-2480 Lab 10
Revision as of 04:01, 16 March 2018 by BenFranske (talk | contribs) (→Port Forwarding and Firewalling)
Introduction
Lab Procedure
Prerequisites
- Open an SSH console to your Linux system using the PuTTY software, login with your standard user account
- Have a browser window set to the webmin interface for your linux VM.
Setup a 2nd NIC Interface
- To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.
- Open /etc/network/interfaces with your favorite text editor. Go to the bottom of the file and add the following to configure the second interface with a static IP of 192.168.1.1/24:
auto ens224 iface ens224 inet static address 192.168.1.1 netmask 255.255.255.0
- As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.
- Once this is done, save the file and then run ifup ens224 to enable the new interface.
- Verify the second interface is up and running with the correct IP address
Enable Routing and NAT
- Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.
- In your console, you will need to edit /etc/sysctl.conf. This file is used to change and tweak multiple system variables. Scroll down until you find the following:
# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1
- Follow the instructions in the file to enable packet forwarding in the kernel. When you are done, save the file.
- Changes to the sysctl.conf file require a reboot, but most can be set without a reboot by echoing response codes to "files" in /proc. We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: echo 1 > /proc/sys/net/ipv4/ip_forward
- Note: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the /proc/sys/net/ipv4/ip_forward file (check the permissions by using ls). Read this similar question for more details and possible solutions.
- Now we will use Webmin to setup iptables and allow for NAT so that we can use private addresses on our internal LAN. In Webmin, go to the Networking section, then Linux Firewall. Recent versions of Debian will take you straight to a firewall settings page but we'd like to start with some default rules so if you're not taken to a page offering a few pre-set options click the Reset Firewall button on the bottom of the page.
- NOTE: Linux is in the process of transitioning from an iptables controlled firewall system to a new system called nftables. While the outcome and purpose is the same the nftables system uses a new command line utility named nft instead of the traditional iptables for controlling the firewall. At this time Webmin does not yet support nftables which is one of the disadvantages to using a third party control panel interface, it will always lag behind in adopting new technologies. It would likely be beneficial for you to do a little bit of research on Google about how nftables works and how it differs from iptables, especially if you plan to do further Linux system administration. While you're at it learning about ip sets which can work with iptables and are built into nftables to allow you to create dynamic rules where IP addresses can be added and removed from lists without re-loading the firewall.
- You will be taken to a page that will ask you to setup iptables for the first time. To start, select the option Block all except SSH, IDENT, ping and high ports on interface ens192. You should also check the box next to the Enable firewall at boot time option, then click Setup Firewall.
- You will now be shown the firewall configuration page. Notice how Webmin created a handful of default rules for you based on the option we previously selected. We will get into creating custom rules later in this lab, but for now we need to enable NAT in iptables so that our LAN hosts can access the Internet through a shared WAN IP address.
- On the top of the page where it says Showing IPtable:, change the dropdown option to Network address translation (nat).
- On the NAT table page, under the POSTROUTING category, press the Add Rule button. Use the following configuration to enable NAT:
Rule comment: Enable NAT for LAN Action to take: Masquerade Source ports for masquerading: any IPs and ports to SNAT: Default Source address or network: Equals: 192.168.1.1/24 Outgoing Interfce: Equals: ens192
- When you are done, press the Create button at the bottom, and then on the firewall page press Apply Configuration. At this point you can use your Linux VM as a router/default gateway, but only with static IP addresses set on the LAN clients, so next we will setup a DHCP server.
Setup a DHCP Server
- To setup a DHCP server, we will first need to install the required software. In your SSH console use your favorite package manager to install the isc-dhcp-server package.
- After you install the package you may get a warning about isc-dhcp-server being unable to start. This is normal as we have yet to define the interface and settings we want used.
- Now back in Webmin, select the Refresh Modules option. After it is done, go to Servers, then DHCP Server.
- Before we define our DHCP range, we need to set our listening interface. Click on the Edit Network Interface option, and select ens224 and press save.
- Now under Subnets and Shared Networks, select Add a new subnet. Use the following settings:
Subnet description: LAN DHCP Range Network Address: 192.168.1.0 Netmask: 255.255.255.0 Address Ranges: 192.168.1.100-192.168.1.254
- When you are done, press Create. Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.
- From here we will setup the default gateway and DNS servers for the clients to use. Under Default Routers, set the option to 192.168.1.1 and under DNS servers, set it to 192.168.1.1 as well. Notice how we are setting these options to the IP of eth1 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.
- When you are done, press save, and then on the Edit Subnet page, press save again.
- Now that you are back on the DHCP server page, press the Start Server button. If all goes good, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.
Setup a 2nd VM as a LAN Host
- Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.
- You'll need to connect to the VMware server and verify that you have a machine with the same letter ID as you have been working with so far but with a -II suffix on the end. You'll also want to verify that the machine has the Linux Mint ISO in the virtual CD/DVD drive or correct that by browsing for the ISO in the SAN0 datastore.
- Boot the VM and get Linux Mint installed, installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.
- NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.
- Once you have Linux Mint installed, reboot the machine and login. Notice how the machine is able to connect to the network. Now, press the Menu icon in the lower left corner, and enter "Terminal". Then, open the terminal application.
- You now have a shell on the system. From here, use ip address show to check your network settings. Notice how you have a IP from the DHCP pool we created earlier. Now try pinging 172.17.50.1. Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).
- NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with eth to the new ens style. You can also try using the older ifconfig way of checking the IP address and compare the output to the new ip address show method which we have been using so far in Debian.
- Now run ping google.com. If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.
- Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.
- At this point we have a fully functional LAN environment.
- Spend a few more minutes exploring the functionality of the Linux GUI and desktop.
Port Forwarding and Firewalling
- Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the IHITC network.
- In Webmin, go to Networking, and then Linux Firewall. Change the Showing IPTable option to Network Address Translation (nat) to display the contents of the NAT table. Under the PREROUTING rules section click Add Rule.
- For our rule we are going to forward port 2222 to port 22 on our Mint VM. This will allow someone connecting to port 2222 on our outside (172.17.50.xx) IP address to actually be connected to port 22 on our Mint VM (the SSH port). You will need to know and use the IP address of the Mint Machine, but in this example configuration it will be 192.168.1.100
- Use the following information to create the new rule:
Rule comment: Forward 2222 to SSH Action to take: Destination NAT IPs and ports for DNAT: IP range: 192.168.1.100: Port range: 22 Network protocol: Equals: TCP Destination TCP or UDP Port: Equals: 2222
- Help: Use the following image for extra reference if required: Link
- When you are done click Save, and then Apply Configuration. On the Mint VM, make sure openssh-server package is installed so that you actually have SSH server software listening on port 22.
- From a computer on the IHITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (17.17.50.xx) IP address of your Debian system. If everything was setup successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.
- When we originally setup our firewall in Webmin we chose the option to Block all except SSH, IDENT, ping and high ports on interface ens192. While this worked to get NAT up and running it also means that all of our other services we've had up and running such as our web server, email server, Samba fileserver, etc. are all currently blocked by our firewall. There are also some high ports (above 1024) which are open but don't need to be so it would be a good idea to close those off.
- First, review all the current rules in the filter table in Webmin. You'll see the rules which allow most traffic on ports above 1024:
Accept If protocol is TCP or UDP and destination port is 1024:65535 Drop If protocol is TCP and destination port is 2049:2050 Drop If protocol is TCP and destination port is 6000:6063 Drop If protocol is TCP and destination port is 7000:7010
- Delete these four rules but be sure NOT to click the Apply button! Think about why it might be a bad idea to apply these changes. How are you connected to the server and making changes to the firewall right now? Using your web browser you're connected to a webserver running as part of Webmin on TCP port 10000. The first rule we deleted is currently allowing you to access port 10000 but if we delete it and apply the changes our browser will no longer be able to connect to the Webmin webserver! If you accidentally do click Apply you will need to use the command line iptables utility to put a rule back in place which allows access to port 10000 before Webmin will work again. The next section of the lab explains some about the use of the command line iptables utilities.
- In order to prevent problems use Webmin to create a new rule in the filter table specifically allowing access on TCP port 10000 like this:
Action to take: Accept Network Protocol: Equals: TCP Destination TCP or UDP port: Equals: 10000
- Once you've created this rule it should be safe to click Apply because you now have access to port 10000. Of course, if you make a mistake or typo it's still possible you lock yourself out of Webmin and will need to use the iptables command line utilities to view and fix the firewall configuration.
- Using the same type of Accept rules in the filter table create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP. Make sure to correctly identify the port number(s) and protocols (TCP or UDP) that are needed for each of these and after clicking Apply test to ensure they are working!
iptables from the command line
- Now that you know how to create rules with Webmin, let's learn how to do it from the command line using the iptables utilities.
- If you want to view the current rulesets applied on a system, or you want to backup your current configuration, you can use the iptables-save command. Run it, and review the output. Notice how all of the rules we created in Webmin show up.
- To backup your rules, you would use iptables-save > rules.txt. This would dump the current configuration into a file called rules.txt using standard command redirection as previously covered in the course.
- To reload the rules into iptables, you would use iptables-restore. This command can load a text file full of rules back into the firewall by specifying a file to load like iptables-restore rules.txt.
- Lastly, you can create and delete select rules from the command line using the iptables command directly. Review the readings and the man page for iptables for additional details.