Open main menu

CDOT Wiki β

Changes

Lab 6 Warnings / Debrief

302 bytes removed, 10:09, 20 November 2015
no edit summary
In this lab, you will learn the basics of networking by using your '''Virtual Machines''' and your '''c7host''' machine. You will first set up a virtual private network among those machines. In addition, you will learn to set up '''network names''' (to associate with server's IP Addresses), '''associate network services with port numbers''' for troubleshooting purposes, and setup '''firewall policies''' via the '''iptables''' command.
<u>Main Objectives</u>==Investigation 1: Setup a VPN==
# Configure a private (virtual) network for your '''VMs''' and your '''c7host''' machine
# Configure network interfaces for your Virtual Machines using both '''graphical''' and '''command-line''' utilities.
# Use '''local hostname resolution''' to resolve simple server names with their corresponding IP Addresses
# Backup more recent files (eg. '''incremental backup''') using the '''find''' command and a '''date/time-stamp''' file
# Use common networking utilities to associate network services with port numbers for troubleshooting purposes
# Gain initial exposure to the '''iptables''' command used to configure and maintain a firewall for protection and troubleshooting
# Configure '''iptables''' to '''allow/disallow/forward''' different types of network traffic
  == <u>'''Configuring a Virtual Private Network (VPN) =='''</u>
{| width="40%" align="right" cellpadding="10"
You will be using the '''find''' command to backup recent changes to files. In this case, we will save '''date/time-stamp''' information in a file, configure to connect '''centos1''' to the network, run the '''find''' command, and run the find command to copy new (back-up file since date/time-stamp) in order to prove that the incremental backup worked (showing the files created as a result of the configuration of centos1 to the VPN).
== Investigation 2: Networking Tweaks ==
Connecting a private network is an important task, but a system administrator also needs to "tweak" the network to make it '''convenient to use''', make it '''safer from unauthorized access''', and use troubleshooting utilities to help '''troubleshoot''' network connectivity problems as they occur. This investigation will expose you to some useful tricks and utilities to help accomplish this task.
Topics Include:
 
:* Local Host-name Resolution
:* Obtaining MAC (Hardware) addresses on Network Computers
:* Creating Firewall Policies
<u>'''Local Host-name Resolution'''</u>
::192.168.235.1 c7host
::192.168.235.11 centos1
::192.168.235.12 centos2
::192.168.235.13 centos3<br><br>
<u>Purpose:</u>
'''[http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX'''consisting of a '''list of rules''' (or '''"tables of policies"'''). If data matches a specified <u>policy</u>, it must “jump” to an existing '''condition'''. Simple conditions include '''ACCEPT''', '''REJECT''', '''DROP''' and '''LOG''' but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
When using iptables, the '''Filter''' table is important because it contains the following essential '''chains''':<br><br>
'''INPUT:'''<br>Data is checked against the INPUT chain to see if it is <u>allowed into</u> the PC.<br><br>'''OUTPUT:'''<br>Data is checked against the OUTPUT chain to see if it is <u>allowed to go outside</u> of the PC.<br><br>'''FORWARD:'''<br>PC is acting as a router it does not actually send or receive data, it <u>FORWARDS</u> data from one machine to another.  <span style="font-family:courier; font-weight:bold;font-size:1.2em;"><u>Here is an Example:</u></span>  <span style="font-family:courier; font-weight:bold;font-size:1.5em;">iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</span>  Which can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.''  '''Let's break down the <u>command displayed above</u> to see how it works:'''   {|cellpadding="15" width="60%"  |- valign="top" | | <span style="font-family:courier; font-weight:bold">-I</span> | | tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example) |- valign="top" |width="75" | '''-p tcp''' | | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all''' |- valign="top"
<u>Example:<| |'''-s0/u>0'''
| |specifies the source IP address. iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROPmeans a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC
Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.|- valign="top"
| |'''Let's break down the command to see how it works:-d0/0'''
The '''-I''' switch tells iptables to INSERT this line into | |specifies the OUTPUT policydestination address. This means it will be It makes sense that this address is set to “anywhere” because if we want to block all requests to the first line in the policy. If WWW, we used a -A switch it would have appended will never know the line and it would be the last line specific IP address of the policy. If you are writing complex iptables rules where multiple matches can occur, it web server that is important that the lines go in the right order. If you follow the -I with a number, the new rule will trying to be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).accessed
The '''-p tcp''' switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all.
The '''|-s0/0''' switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC.valign="top"
The | |'''-d0/0-dport 80''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.
The switch '''--dport 80''' | |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch.
'''-j''' means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.
|- valign="top" | |'''-j''' | |means when condition is met, then jump to a particular target – Basic targets are '''ACCEPT''', '''DROP''' , '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain  |- valign="top" | |'''DROP'''  | |means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.  |}
Msaul
Administrators
13,420
edits
Retrieved from "https://wiki.cdot.senecapolytechnic.ca/wiki/Special:MobileDiff/111761...113438"