Difference between revisions of "Lab 6 Warnings / Debrief"

Latest revision as of 10:09, 20 November 2015

Purpose / Objectives of Lab 6

Setting up networks is an essential operation for a system administrator. Maintaining network connectivity and securing the network are also essential operations for a system administrator.

In this lab, you will learn the basics of networking by using your Virtual Machines and your c7host machine. You will first set up a virtual private network among those machines. In addition, you will learn to set up network names (to associate with server's IP Addresses), associate network services with port numbers for troubleshooting purposes, and setup firewall policies via the iptables command.

Investigation 1: Setup a VPN

Configuring a Virtual Private Network (VPN)

The first step in setting up a Virtual Private Network (VPN) is to edit the Network settings to add a new private network in the Virtual Machine Manager for each VM (centos1, centos2, centos3) prior to starting each VM.

After adding a new private network for each VM, you need to launch each VM and configure the network settings for each VM in order for each VM so they can connect to the new private network.

For the remainder of this course, we will focus on networking involving our VMs and our c7host machine. This lab will focus on setting up a virtual private network (VPN), connecting our VMs and c7host machine to the VPN, and configuring our VPN to make more convenient to use, troubleshoot and protect. Lab 7 will focus more on configuring SSH and making access to the VPN more secure. Finally, lab 8 will focus on configuring the network for fixed workstations, mobile devices, or both at the same time.

There are several reasons for creating VPNs. The main reason is to safely connect servers together (i.e. to safely limit but allow share information among computer network users). This allows for a secure connection of computers yet controlling access to and monitoring (protecting) access to permitted users (discussed in more depth in lab7).

Two Steps Required to Setup a VPN

If we are going to setup a private network, we must do 2 major operations: First, define a new private network in the Virtual Manager application; and second, configure each of our VMs to connect to this new private network. In Part 1, we will be perform the first operation. In parts 2, 3, and 4, we will be performing the second operation for all VMS (graphical and command-line).

Backing up Only Recent File Changes

Backing up Files |One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system. The following is an example of a common backup system used in Business Unix/Linux systems:

Full Backup: Backup all specified files (eg. configuration, data files, etc)
Incremental Backup: Backup of only files that have changed since last (full) backup.

You will be using the find command to backup recent changes to files. In this case, we will save date/time-stamp information in a file, configure to connect centos1 to the network, run the find command, and run the find command to copy new (back-up file since date/time-stamp) in order to prove that the incremental backup worked (showing the files created as a result of the configuration of centos1 to the VPN).

Investigation 2: Networking Tweaks

Connecting a private network is an important task, but a system administrator also needs to "tweak" the network to make it convenient to use, make it safer from unauthorized access, and use troubleshooting utilities to help troubleshoot network connectivity problems as they occur. This investigation will expose you to some useful tricks and utilities to help accomplish this task.

Local Host-name Resolution

After setting up a private network, it can be hard to try to remember IP addresses. In this section, we will setup your network to associate easy-to-remember server names with IP ADDRESSES.

You simply edit the /etc/hosts file on each of the virtual machines and host machine:

192.168.235.1 c7host

192.168.235.11 centos1

192.168.235.12 centos2

192.168.235.13 centos3

Obtaining MAC (Hardware) addresses on Network Computers

When our CentOS system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the netstat command.

Creating Firewall Policies

Purpose:

Iptables is the built-in firewall for LINUX consisting of a list of rules (or "tables of policies"). If data matches a specified policy, it must “jump” to an existing condition. Simple conditions include ACCEPT, REJECT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.

When using iptables, the Filter table is important because it contains the following essential chains:

INPUT: Data is checked against the INPUT chain to see if it is allowed into the PC.
OUTPUT: Data is checked against the OUTPUT chain to see if it is allowed to go outside of the PC.
FORWARD: PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another.

Here is an Example:

iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP

Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.

Let's break down the command displayed above to see how it works:

-I	tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a -A switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, `-I 3 OUTPUT` will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)
-p tcp	tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all
-s0/0	specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC
-d0/0	specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed
--dport 80	tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the `--sport` switch
-j	means when condition is met, then jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain
DROP	means drop the packet – make it disappear - and do not continue processing rules. REJECT is similar, but causes an error packet to be sent back to the source host. ACCEPT causes the packet to be processed. LOG causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it

Common Mistakes / Warnings

Be Aware of the Following Issues
Be aware of these common mistakes that students make that can cause problems for their future labs.

Not following instructions
Not constantly issuing commands to verify previous command were properly executed

Preparing for Lab Sign-Off

Students should be prepared with all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff.

In order to properly complete your lab and move to the next lab, you must have your instructor "sign-off" on your lab

Each "signed-off" lab (before due date) is worth 1% of your final grade.
Signing-off on labs help to spot errors that can cause problems with future labs.
Do not ask the instructor what to check for! Read at the bottom of the lab the requirements, and have all proof available for instructor to view at the same time.
Failing to be prepared and asking instructor what to check when assignment is mark will result in deduct of marks!
For example, open multiple terminals with command results. If properly set-up ahead of sign-off, the process should only take instructor approx 20 seconds to sign-off your lab.
If you do not have your lab-logbook, you MUST show your work and your lab log-book to your instructor for sign-off in the next class. This may cause a late penalty if past the required due date.

Lab 6 Debrief

What is a port?
What command will set your IP configuration to 192.168.55.22/255.255.255.0 ?
What file contains the systems iptables rules?
What is the difference between UDP and TCP?
What port number is used for DHCP servers?
What is the function of the file /etc/services ?
What is the function of the file /etc/hosts ?
What is the purpose of the file /etc/sysconfig/network-scripts/ifcfg-eth0 ?
What tool is used to show you a list of current TCP connections?

@@ Line 5: / Line 5: @@
 In this lab, you will learn the basics of networking by using your '''Virtual Machines''' and your '''c7host''' machine. You will first set up a virtual private network among those machines. In addition, you will learn to set up '''network names''' (to associate with server's IP Addresses), '''associate network services with port numbers''' for troubleshooting purposes, and setup '''firewall policies''' via the '''iptables''' command.
-<u>Main Objectives</u>
+==Investigation 1: Setup a VPN==
-# Configure a private (virtual) network for your '''VMs''' and your '''c7host''' machine
-# Configure network interfaces for your Virtual Machines using both '''graphical''' and '''command-line''' utilities.
-# Use '''local hostname resolution''' to resolve simple server names with their corresponding IP Addresses
-# Backup more recent files (eg. '''incremental backup''') using the '''find''' command and a '''date/time-stamp''' file
-# Use common networking utilities to associate network services with port numbers for troubleshooting purposes
-# Gain initial exposure to the '''iptables''' command used to configure and maintain a firewall for protection and troubleshooting
-# Configure '''iptables''' to '''allow/disallow/forward''' different types of network traffic
+<u>'''Configuring a Virtual Private Network (VPN)'''</u>
+{| width="40%" align="right" cellpadding="10"
+|- valign="top"
+|
+[[Image:vpn1.png|thumb|right|400px|The first step in setting up a Virtual Private Network (VPN) is to edit the Network settings to add a new private network in the '''Virtual Machine Manager''' for '''<u>each</u>''' VM (''centos1'', ''centos2'', ''centos3'') prior to starting each VM.]]
+|
+[[Image:vpn2.png|thumb|right|400px|After adding a new private network for each VM, you need to '''launch each VM and configure the network settings''' for '''<u>each</u>''' VM in order for <u>each</u> VM so they can connect to the new private network. ]]
+|}
-== Configuring a Virtual Private Network (VPN) ==
 For the remainder of this course, we will focus on networking involving our VMs and our c7host machine. This lab will focus on setting up a virtual private network ('''VPN'''), connecting our VMs and c7host machine to the VPN, and configuring our VPN to make more convenient to use, troubleshoot and protect. '''Lab 7''' will focus more on configuring SSH and making access to the VPN more secure. Finally, '''lab 8''' will focus on configuring the network for fixed workstations, mobile devices, or both at the same time.
@@ Line 24: / Line 24: @@
-<u>Two Steps Required to Setup a VPN</u>
+<u>'''Two Steps Required to Setup a VPN'''</u>
-[[Image:steps.png|thumb|600px|right|Explain 2 major steps to do - Configure in virt-manager, and then configure (either graphically or command line for each VM. ]]
 If we are going to setup a private network, we must do 2 major operations: First, '''define a new private network in the Virtual Manager application'''; and second, '''configure each of our VMs to connect to this new private network'''. In Part 1, we will be perform the first operation. In parts 2, 3, and 4, we will be performing the second operation for all VMS (graphical and command-line).
-== Backing up Only Recent File Changes ==
+<u>'''Backing up Only Recent File Changes'''</u>
 Backing up Files |One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system. The following is an example of a common backup system used in Business Unix/Linux systems:<br /><br />'''Full Backup''': Backup all specified files (eg. configuration, data files, etc)<br>'''Incremental Backup''': Backup of only files that have changed since last (full) backup.
@@ Line 37: / Line 36: @@
 You will be using the '''find''' command to backup recent changes to files. In this case, we will save '''date/time-stamp''' information in a file, configure to connect '''centos1''' to the network, run the '''find''' command, and run the find command to copy new (back-up file since date/time-stamp) in order to prove that the incremental backup worked (showing the files created as a result of the configuration of centos1 to the VPN).
+== Investigation 2: Networking Tweaks ==
+Connecting a private network is an important task, but a system administrator also needs to "tweak" the network to make it '''convenient to use''', make it '''safer from unauthorized access''', and use troubleshooting utilities to help '''troubleshoot''' network connectivity problems as they occur. This investigation will expose you to some useful tricks and utilities to help accomplish this task.
+<u>'''Local Host-name Resolution'''</u>
+After setting up a private network, it can be hard to try to remember IP addresses. In this section, we will setup your network to associate easy-to-remember server names with IP ADDRESSES.
+You simply edit the '''/etc/hosts''' file on <u>each</u> of the '''virtual machines and host machine''':
+::192.168.235.1           c7host
+::192.168.235.11          centos1
+::192.168.235.12          centos2
+::192.168.235.13          centos3<br><br>
+<u>'''Obtaining MAC (Hardware) addresses on Network Computers'''</u>
+When our CentOS system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the '''netstat''' command.
+<u>'''Creating Firewall Policies'''</u>
+<u>Purpose:</u>
+'''[http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX''' consisting of a '''list of rules''' (or '''"tables of policies"'''). If data matches a specified <u>policy</u>, it must “jump” to an existing '''condition'''.  Simple conditions include '''ACCEPT''', '''REJECT''', '''DROP''' and '''LOG''' but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
+When using iptables, the '''Filter''' table is important because it contains the following essential '''chains''':<br><br>
+'''INPUT:''' Data is checked against the INPUT chain to see if it is <u>allowed into</u> the PC.<br>
+'''OUTPUT:''' Data is checked against the OUTPUT chain to see if it is <u>allowed to go outside</u> of the PC.<br>
+'''FORWARD:''' PC is acting as a router it does not actually send or receive data, it <u>FORWARDS</u> data from one machine to another.
+<span style="font-family:courier; font-weight:bold;font-size:1.2em;"><u>Here is an Example:</u></span>
+<span style="font-family:courier; font-weight:bold;font-size:1.5em;">iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</span>
+Which can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''
+'''Let's break down the <u>command displayed above</u> to see how it works:'''
+{|cellpadding="15" width="60%"
+|- valign="top"
+| | <span style="font-family:courier; font-weight:bold">-I</span>
+| | tells iptables to INSERT this line into the OUTPUT policy.  This means it will be the first line in the policy.  If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy.  If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example)
+|- valign="top"
+|width="75" | '''-p tcp'''
+| |  tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''
+|- valign="top"
+| |'''-s0/0'''
+| |specifies the source IP address.  0/0 means a source address of “anywhere.”  this has been put into the lab because your ip address will change because it is dynamically assigned.  You can change this value if you want to the IP address that has been specifically assigned to your PC
+|- valign="top"
+| |'''-d0/0'''
+| |specifies the destination address.  It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed
+|- valign="top"
+| |'''--dport 80'''
+| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch
+|- valign="top"
+| |'''-j'''
+| |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain
+|- valign="top"
+| |'''DROP'''
+| |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it
+|}
@@ Line 44: / Line 142: @@
 {{Admon/important |Be Aware of the Following Issues| Be aware of these common mistakes that students make that can cause problems for their future labs.}}
+* Not following instructions
+* Not constantly issuing commands to verify previous command were properly executed
@@ Line 53: / Line 154: @@
 * Each "signed-off" lab (before due date) is worth 1% of your final grade.
 * Signing-off on labs help to spot errors that can cause problems with future labs.
-* Do you ask the instructor what to check for! Read at the bottom of the lab the requirements, and have all proof available for instructor to view at same time.
+* Do not ask the instructor what to check for! Read at the bottom of the lab the requirements, and have all proof available for instructor to view at the same time.
 * Failing to be prepared and asking instructor what to check when assignment is mark will result in deduct of marks!
 * For example, open multiple terminals with command results. If properly set-up ahead of sign-off, the process should only take instructor approx 20 seconds to sign-off your lab.
 * If you do not have your lab-logbook, you MUST show your work and your lab log-book to your instructor for sign-off in the next class. This may cause a late penalty if past the required due date.
 == Lab 6 Debrief ==
+# What is a port?
+# What command will set your IP configuration to 192.168.55.22/255.255.255.0 ?
+# What file contains the systems <code>iptables</code> rules?
+# What is the difference between UDP and TCP?
+# What port number is used for DHCP servers?
+# What is the function of the file <code>/etc/services</code> ?
+# What is the function of the file <code>/etc/hosts</code> ?
+# What is the purpose of the file <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code> ?
+# What tool is used to show you a list of current TCP connections?
 [[Category:OPS235]]
 [[Category:OPS235 Labs]]

Difference between revisions of "Lab 6 Warnings / Debrief"

Latest revision as of 10:09, 20 November 2015

Contents

Purpose / Objectives of Lab 6

Investigation 1: Setup a VPN

Investigation 2: Networking Tweaks

Common Mistakes / Warnings

Preparing for Lab Sign-Off

Lab 6 Debrief

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

get involved with CDOT

courses

course projects

links

Tools