Introduction

Lab Procedure

Prerequisites

1. Open an SSH console to your Linux system using the PuTTY software, login with your standard user account
2. Have a browser window set to the webmin interface for your linux VM.

Configure a Firewall and NAT

• IMPORTANT NOTE: If you were using an old version of this lab which used the Webmin software to configure a firewall note that no longer functions correctly with recent versions of Debian which have switched from the old iptables firewall to the newer nftables system. You must delete and deactivate your Webmin firewall configuration before proceeding. You can do this by removing the /etc/iptables.up.rules file from your system and rebooting.

1. It is suggested that instead of managing a firewall directly using nftables tools (which would also require us to create a script to reload our rules each time the system is restarted) we use a firewall daemon program to manage it based on a set of rules we create and automatically setup the firewall based on those rules each time the system boots. There are many command line firewall management programs out there but for this lab we will use the firewalld package suggested by Debian. Begin by installing the firewalld package on your system.
2. First, let's check to see if the firewall is now up and running using the firewall-cmd --state command.
3. The firewall has been pre-configured with a couple of rules in it to prevent us from getting locked out. Let's see what those rules are by using the firewall-cmd --list-all command.
4. By default all interfaces are in the public zone (this is set in the /etc/firewalld/firewalld.conf file). Before we start working on rules for our firewall we should assign our outside interface to the external zone which is designed for NAT routing which we'll be setting up shortly. We can do this with the command firewall-cmd --zone=external --add-interface=ens192. We can create custom zones or use pre-defined security zones which will speed up configuring the firewall. Learn more about the pre-defined zones in firewalld documentation.
5. Since we have changed zones on our interface let's check and see what rules we have started with. Let's see what those rules are by using the firewall-cmd --zone=external --list-all command. You can also use the firewall-cmd --list-all-zones command to see a list of all available zones and their rules.
6. If you were watching carefully you may have noted that the dhcpv6-client service which was allowed in the public zone but is not allowed by default on the external zone. In our case we want to allow DHCPv6 to operate on our outside interface so we can re-enable it with the firewall-cmd --zone=external --add-service="dhcpv6-client" command.
7. Check to see what other services can be allowed on an interface with the firewall-cmd --get-services command.
8. If you check you will see that although you can connect with ssh (by default it's on the allowed service list you saw above) you can't connect to your webserver or Webmin anymore. Webmin is not a pre-defined service in the list we saw above so we could either set it up as a new service and then allow it or we could create a manual rule to allow the TCP traffic on port 10000 needed to access Webmin. In this case because the service only uses a single port and to see how manual rules can be created let's manually create a rule to allow access to TCP port 10000. Do this by running the firewall-cmd --zone=external --add-port=10000/tcp command. You should now be able to access Webmin again.
9. Using either service rules or manual port rules create additional rules so that the other services on your VM are again accessible from the outside (such as from your home PC over the VPN). Services we have setup so far include SSH, DNS, SMTP, IMAP, Samba, and HTTP. Make sure to test and ensure they are all working again!
10. Once you are satisfied your firewall is running correctly you can use the firewall-cmd --runtime-to-permanent command to set these rules to automatically load each time the system is started.

Setup a 2nd NIC Interface

1. To start this lab we will need to configure a second network interface, named ens224 on our virtual machines. In our simulated setup our existing ens192 interface will be our WAN interface and ens224 will be our LAN interface which could be connected to a switch and then to multiple allow other computers which will connect to the Internet through our server.
2. Open /etc/network/interfaces with your favorite text editor. Go to the bottom of the file and add the following to configure the second interface with a static IP of 192.168.1.1/24:

   auto ens224
   iface ens224 inet static
   	address 192.168.1.1
   	netmask 255.255.255.0

3. As this is a LAN only interface, we do not need to define a gateway for the server VM, as the server VM itself will be the gateway for this network.
4. Once this is done, save the file and then run ifup ens224 to enable the new interface.
5. Verify the second interface is up and running with the correct IP address

Enable Routing

1. Now we will need to enable NAT so we can route LAN traffic to the Internet and responding Internet traffic back to our LAN interface.
2. In your console, you will need to edit /etc/sysctl.conf. This file is used to change and tweak multiple system variables. Scroll down until you find the following:

   # Uncomment the next line to enable packet forwarding for IPv4
   #net.ipv4.ip_forward=1
   

3. Follow the instructions in the file to enable packet forwarding in the kernel. When you are done, save the file.
4. Changes to the sysctl.conf file require a reboot, but most can be set without a reboot by echoing response codes to "files" in /proc. We will get into that more in a later chapter, but for now run the following command to enable ip_forwarding without rebooting the machine: echo 1 > /proc/sys/net/ipv4/ip_forward
• Note: If you are receiving an error when trying to run that command it's likely that the user you are running it as does not have permission to modify the /proc/sys/net/ipv4/ip_forward file (check the permissions by using ls). Read this similar question for more details and possible solutions.

Setup a DHCP Server

1. To setup a DHCP server, we will first need to install the required software. In your SSH console use your favorite package manager to install the isc-dhcp-server package.
2. After you install the package you may get a warning about isc-dhcp-server being unable to start. This is normal as we have yet to define the interface and settings we want used.
3. Now back in Webmin, select the Refresh Modules option. After it is done, go to Servers, then DHCP Server.
4. Before we define our DHCP range, we need to set our listening interface. Click on the Edit Network Interface option, and select ens224 and press save.
5. Now under Subnets and Shared Networks, select Add a new subnet. Use the following settings:

   Subnet description: LAN DHCP Range
   Network Address: 192.168.1.0
   Netmask: 255.255.255.0
   Address Ranges: 192.168.1.100-192.168.1.254

6. When you are done, press Create. Now, click on the network you just created to review the settings, then press Edit Client Options at the bottom.
7. From here we will setup the default gateway and DNS servers for the clients to use. Under Default Routers, set the option to 192.168.1.1 and under DNS servers, set it to 192.168.1.1 as well. Notice how we are setting these options to the IP of ens224 that we setup. This is because our Linux VM will act as the router and DNS for our clients as well.
8. When you are done, press save, and then on the Edit Subnet page, press save again.
9. Now that you are back on the DHCP server page, press the Start Server button. If all goes good, the button should change to "Stop Server". If this does not happen, then the server was unable start. If that happens, re-check your DHCP server configurations to make sure everything is correct.

Enabling NAT and Firewall Rules for the LAN

Setup a 2nd VM as a LAN Host

1. Now we are going to setup a 2nd VM on the VMware server so we can have a client to connect to the LAN network segment we just created. For this though, we will be using Linux Mint instead of Debian so we have a graphical user interface to help us with testing.
2. You'll need to connect to the VMware server and verify that you have a machine with the same letter ID as you have been working with so far but with a -II suffix on the end. You'll also want to verify that the machine has the Linux Mint ISO in the virtual CD/DVD drive or correct that by browsing for the ISO in the SAN0 datastore.
3. Boot the VM and get Linux Mint installed, installation settings are not critical as we'll be using the system primarily to explore a Linux GUI and to test web browsing capability from our private network.
   • NOTE: By default Linux Mint will boot into a "Live CD" environment where you can use the system without installing. However, the Live CD environment is much slower and memory limited compared with a full installation to the hard drive so be sure to start an installation and reboot into the installed copy instead of from the Live CD. You will know you're working from an installed copy if you are prompted for your username and password when logging in and don't see a link on the desktop to Install Linux Mint anymore.
4. Once you have Linux Mint installed, reboot the machine and login. Notice how the machine is able to connect to the network. Now, press the Menu icon in the lower left corner, and enter "Terminal". Then, open the terminal application.
5. You now have a shell on the system. From here, use ip address show to check your network settings. Notice how you have a IP from the DHCP pool we created earlier. Now try pinging 172.17.50.1. Are you able to ping? If so, NAT is working properly on your network because the 172.17.50.0/24 network is outside of the LAN segment this machine is attached to (192.168.1.0/24).
   • NOTE: Notice how some Linux distributions like Mint haven't switched from the old naming of network interfaces with eth to the new ens style. You can also try using the older ifconfig way of checking the IP address and compare the output to the new ip address show method which we have been using so far in Debian.
6. Now run ping google.com. If you are able to ping, this shows that not only is NAT working, but DNS resolving as well.
7. Open a web browser on the system (you can use a graphical browser this time since you have a GUI) and test browsing to a few websites.
8. At this point we have a fully functional LAN environment.
9. Spend a few more minutes exploring the functionality of the Linux GUI and desktop.

Port Forwarding and Firewalling

1. Now we are going to enable port forwarding to our VM. This will allow you to access the 2nd VM from the ITC network and VPN.
2. Because we are already using port 22 on our outside interface to provide SSH access to our main Debian system we need to use a different port to access the Mint system. Instead of changing the port number in the SSH server software on Mint we can have our firewall do it at the same time the NAT masquerading is occurring. Set up a rule by running the firewall-cmd --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.1.100 --zone=external command. Note that this rule is a little unstable because it forwards the port to 192.168.1.100 which is currently the IP of our Mint system (if yours has a different IP you should change it in the command) but because that system gets an IP from DHCP it is subject to change which would break the rule. Therefore, if we wanted this to be stable in the long term, we would want to set up a static IP on any machines we were forwarding ports to.
3. From a computer on the ITC network, such as one connected to the VPN, try to SSH to port 2222 on the outside (17.17.50.xx) IP address of your Debian system. If everything was setup successfully, you should be able to sign into the Mint VM based on the port forwarding rule we have put in place.
4. Once you are satisfied your firewall is running correctly you can use the firewall-cmd --runtime-to-permanent command to set these rules to automatically load each time the system is started.
5. When you are done testing this section of the lab please power off your new Linux Mint VM as these require far more resources to run than the Debian VMs on our servers.