OPS335 Lab 2

1,884 bytes added, 13:23, 12 September 2018
no edit summary
=== Online Resources===
* [http://matrix.senecac.on.ca/~murray.saul/ops335/ops335_w3.pdf Week 3 Notes] Recommended to review and understand prior to performing this lab.
* [https://en.wikipedia.org/wiki/Iptables#Overview Overview] An excellent concise overview of iptables (ignore the diagram).
* [https://wiki.centos.org/HowTos/Network/IPTables CentOS Wiki] Listing of basic commands (not all required to know).
:''The more you practice and get comfortable with iptables, the quicker you will be able to isolate and fix connection issues.''
:We don't expect you to become firewall experts, but there are some basics that you need to become familiar with for this and future labs:
:* What is a '''chain'''?
:* '''Which chain''' applies to which traffic?
:* What's the '''default action''' for a chain and when that applies?
:* Understanding the differences between '''setting policies''', '''adding rules''', and '''inserting rules'''.
:* In what '''order are the rules executed'''?
:* '''Reading and/or creating a rule''' for a specific service. That includes a basic understanding of:
:** '''Protocols'''
:** '''Ports'''
:** '''Source/Destination IP address'''
:** '''HWADDR (MAC address)'''
:** '''Network interface name'''
:The best way to learn that is to <u>'''practice'''</u>.
'''Record essential concepts from this section into your OPS335 lab log-book'''

=INVESTIGATION 1: PREPARATION & GETTING TO KNOW IPTABLES=
'''Perform the Following Steps:'''
# Determine the ''MAC address'' of the virtual network device on your '''host machine''' and the ''IP address'' assigned to it. Record this information in your lab log book.
# Launch all three of your '''VMs'''.
# For each '''VM''':
#* Login as root.
#* Find the MAC address of the '''Network Interface''' and the '''IP address''' assigned to it. Record this information in your lab log book.
# Change to your '''host machine''', open a terminal window, and perform the following connectivity tests for each VM:<br><br>
<source lang="bash">
ping -c 1 [ip-of-vm]
ssh [ip-of-vm]
</source>
'''Perform the Following Steps:'''
# Leave your VMs running for this section (which seems counter-intuitive).
# On your '''host machine''', stop the '''libvirtd''' service (refer to [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command), and '''restart ''' the '''iptables''' service.
# Run '''iptables -L -v''' but redirect the output to a text file called '''before.txt''' (you will be using this file later).
#You should notice that the virtual machine manager no longer lists your VMs (i.e. vm1, vm2, or vm3).
#Close and then restart the virtual machine manager. What happens?<br /> What are the states of your VMs? Record your observations in your lab logbook.
#Close the virtual machine manager application window again.
# '''Restart ''' the '''libvirtd''' service.
#Now, restart the virtual machine manager ('''note:''' it should indicate that the virtual machine manager is connecting - be patient and wait until you are prompted to enter the root password). What happens? What is the status of your VMs?
#What does it mean when you lose your VM connections (including the disruption of the libvirtd service)? <br>Record your observations in your lab logbook.
# Re-issue the '''iptables -L -v''' command, making certain to redirect the output to a second file ('''after.txt'''). This should provide a listing of the new state of your firewall settings.
# You now should have two text files representing the <u>before</u> and <u>after</u> states of your firewall. Compare differences between these two files using the '''diff''' command<br>(You should have used this tool in '''ULI101''').
#You can use these tools to compare any two text files; they often come in handy. Note in your lab logbook the iptables rules that were added automatically by the '''libvirtd''' service.
#Are there any differences between those two files? What does this mean for your firewall rules if your VMs get disconnected?
{{Admon/tip|Graphically Compare File Differences|You can also install a graphical tool that makes it much easier to see differences: '''kompare before.txt after.txt'''<br><br>NOTE: Make certain to run the command as a regular user (i.e. NOT root!).}}
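The before/after comparison above as a small script. This is an added example and not part of the original lab page. It snapshots the ruleset with '''iptables -S''' instead of '''iptables -L -v''': the rule-spec output carries no packet and byte counters that change between runs and does no hostname lookups, so '''diff'''-style comparison shows real rule changes only. The two snapshots embedded in the script are constructed sample data, modelled on a CentOS 7 default ruleset and on the kind of '''virbr0''' rules libvirtd inserts for its virtual network; they were not captured from a real host, and the exact rules libvirtd adds depend on its version and on your virtual network definition.

```shell
#!/bin/bash
# Added example, not from the original lab page: compare two firewall snapshots
# and report which rules appeared (or disappeared) between them.
# Take the snapshots with `iptables -S` (rule-spec output): unlike `iptables -L -v`
# it carries no packet/byte counters and does no hostname lookups, so a diff
# shows rule changes only.
#
# Real usage on the host, as root:
#   iptables -S > before.txt        # libvirtd stopped, iptables restarted
#   systemctl start libvirtd
#   iptables -S > after.txt
#   added_rules before.txt after.txt

# added_rules BEFORE AFTER: print lines present in AFTER but not in BEFORE.
# -F -x treats each BEFORE line as a fixed, whole-line pattern; -v inverts.
added_rules() {
    grep -v -x -F -f "$1" "$2" || true
}

# removed_rules BEFORE AFTER: print lines present in BEFORE but not in AFTER.
removed_rules() {
    grep -v -x -F -f "$2" "$1" || true
}

# rules_on_interface IFACE: count the rule lines on stdin that match on IFACE
# (as input interface -i or output interface -o).
rules_on_interface() {
    grep -c -E -- "(-i|-o) $1( |$)" || true
}

# Constructed sample snapshot modelled on the CentOS 7 default ruleset.
BEFORE_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample of the extra rules libvirtd adds for a virtual network
# bridged on virbr0 (192.168.122.0/24); the real set varies by version.
LIBVIRT_SAMPLE='-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT'

# write_samples BEFORE_FILE AFTER_FILE: write the constructed snapshots to disk
# so the functions above can be exercised without touching a real firewall.
write_samples() {
    printf '%s\n' "$BEFORE_SAMPLE" > "$1"
    printf '%s\n' "$BEFORE_SAMPLE" "$LIBVIRT_SAMPLE" > "$2"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp/before.txt" "$tmp/after.txt"
    echo "Rules added by libvirtd (sample):"
    added_rules "$tmp/before.txt" "$tmp/after.txt"
    echo "Of which on virbr0: $(added_rules "$tmp/before.txt" "$tmp/after.txt" | rules_on_interface virbr0)"
    rm -rf "$tmp"
fi
```

Run it with '''--demo''' to see the comparison on the embedded samples; on the host, take the two real snapshots as root as shown in the header comment and pass the files to '''added_rules'''. Every rule libvirtd adds in the sample names '''virbr0''', which is the quick way to tell its rules apart from your own when you later save the ruleset.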
=== Practice Setting Firewall Rules on Host Machine===
We will run some iptables commands on your '''host machine''' to practice and get a basic understanding of how to set rules. We will NOT be saving the iptables rules in this section, so you don't have to worry about "messing-up" your host machine - you can simply reboot your host machine to load the default iptables rules.
Refer to the following [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ OPS335 NOTES] if you need to review how to use the iptables command. You can also perform a web search for additional examples (such as deleting iptables rules for a chain).
# Issue an iptables command to list rules to verify you correctly disabled all inbound traffic.
The remaining iptables rules will relate to that same '''inbound''' traffic chain (INPUT):
<ol><li value="3">Issue the command '''iptables -L INPUT''', and note the rules associated with ssh in your lab logbook.</li>
<li>Issue an ''iptables command'' to delete the default ssh rule, and issue another iptables command to verify.</li>
<li>Issue an ''iptables command'' to insert a rule that ACCEPTs SSH connections at the '''beginning''' of the INPUT chain (refer to your lab logbook for details).</li>
<li>Verify that you inserted that rule at the top of the INPUT chain and that it did what you thought it did, then issue an ''iptables command'' to delete that rule at the top of the chain (i.e. by number), and verify that the rule was deleted.</li>
<li>Issue an ''iptables command'' to append the SSH rule to the end of the chain, verify, delete that same rule, and verify.</li>
<li>Issue an ''iptables command'' to delete the related,established rule. Test your network connectivity between your host and VMs. What happened?</li>
<li>'''Shut down your VMs''' and '''reboot your host machine'''. What happens to the iptables rules you created for your host machine? Note in your OPS335 lab logbook how to save and restore your iptables rules, and what the difference is between '''restoring iptables rules''' and '''flushing iptables rules'''.</li></ol>
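An added example for the practice steps above (it is not code from the lab page): finding a rule's number from '''iptables -L INPUT -n --line-numbers''' output so it can be deleted by number, and deleting several numbered rules without the numbering shifting underneath you. The listing embedded in the script is a constructed sample modelled on the CentOS 7 default INPUT chain, not output captured from a real host. With '''DRY_RUN''' set the script prints the iptables commands instead of running them, so it can be tried without root.

```shell
#!/bin/bash
# Added example, not the lab's own code: deleting INPUT rules by number.
# Every iptables call goes through run(); with DRY_RUN set it only prints the
# command, so the logic can be exercised without root.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Constructed sample of `iptables -L INPUT -n --line-numbers`, modelled on the
# CentOS 7 default ruleset (not captured from a real host). -n keeps iptables
# from resolving addresses to hostnames, which is slow or hangs without DNS.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# rule_number LISTING PATTERN: print the number of the first rule line in
# LISTING that matches PATTERN (an extended regex); print nothing if none does.
# Only lines whose first field is a number are rules (the header lines are not).
rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# delete_numbers CHAIN N...: delete the given rule numbers from CHAIN.
# Deleting rule 2 renumbers rules 3,4,5 to 2,3,4, so a list of numbers taken
# from one listing is only valid if it is processed from highest to lowest.
delete_numbers() {
    chain=$1; shift
    for n in $(printf '%s\n' "$@" | sort -rn); do
        run -D "$chain" "$n"
    done
}

# practice_ssh_rule LISTING: the lab's delete / insert / append sequence for
# the ssh rule, driven by a listing of the INPUT chain.
practice_ssh_rule() {
    n=$(rule_number "$1" 'dpt:22')
    [ -n "$n" ] || { echo "no ssh rule found in INPUT" >&2; return 1; }
    run -D INPUT "$n"
    # -I with no position means position 1: evaluated before every other rule,
    # including the catch-all REJECT, so new ssh connections are accepted.
    run -I INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    # -C checks that a rule exists (exit 0) without listing the whole chain.
    run -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    run -D INPUT 1
    # -A puts the same rule at the end, *after* the catch-all REJECT: because
    # rules are evaluated in order and REJECT terminates, it can never match.
    run -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    run -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    # Deleting the RELATED,ESTABLISHED rule (rule 1 above) is what breaks
    # connectivity in the last practice step: reply packets for connections the
    # host itself opened (ssh or ping to a VM) then fall through to the REJECT.
}

if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 practice_ssh_rule "$SAMPLE_INPUT"
fi
```

Run it with '''--demo''' to print the command sequence for the sample chain. On a real host, feed '''practice_ssh_rule''' the output of '''iptables -L INPUT -n --line-numbers''' and re-read the listing after every deletion rather than reusing numbers from an old one.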
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
<table>
<tr><td>'''Always back-up the default iptables settings'''</td><td>When you install iptables in CentOS it already has some rules predefined.<br />Make a copy of the file that creates these rules (including the ones that allow communication with your other machines). This way you can always restore them to have a functional machine even if you completely mess up your rules.</td></tr>
<tr><td>'''Place your iptables commands (i.e. rules) within a Bash shell script'''</td><td>If you need to reset iptables, you can run the shell script to quickly re-apply your rules and save time.</td></tr>
<tr><td>'''Don't panic if disconnected from a VM'''</td><td>Some of the traffic between your host and your VMs in virt-manager goes through iptables.<br>When you change iptables rules on the host, you might end up losing the console connection to the virtual machines.<br>'''Don't worry, the virtual machines are still running and you can still use them once you re-establish your connection'''.</td></tr>
</table>
'''Perform the following steps for your <u>host </u> machine:'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Use the '''ifconfig''' or '''ip address''' command to determine the IP ADDRESS of your external facing interface (i.e. the IP address beginning with '''192.168.40.x''' if you are using an SSD).
# Open a terminal on the Windows machine and '''ping''' your external facing IP address. Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to group the rules relating to a single protocol or service, starting with '''ICMP''':<br><br>
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (it should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule at the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the MAC address of the Windows machine.
# Insert a rule at the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the IP address of the Windows machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine from the Windows machine using the external facing address to ensure your rules are working.<br />You should not be able to connect, and the counters shown by '''iptables -L -v''' should show that packets are being caught in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as '''/var/log/messages''', or, in the case of customized chains, the command '''journalctl --dmesg | grep MYSSH''') should also show your failed attempts to '''ssh''' with your '''customized''' log message.
# When you are confident the rules are working, save them by running <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />Note that, because libvirtd is still stopped, this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
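The whole host-firewall procedure above collected into one Bash script, as the tip table earlier in this lab recommends. This is an added example and not the lab's own solution. It assumes CentOS 7 with the '''iptables''' service loading '''/etc/sysconfig/iptables''', an internal network of '''192.168.40.0/24''', and placeholder values for the Windows machine's IP and MAC address (change all three for your network). The page references a '''MYSSH''' chain and its log messages but does not show the steps that build it, so the script builds MYSSH the same way as MYICMP; that is an assumption. With '''DRY_RUN''' set it prints the iptables commands instead of running them.

```shell
#!/bin/bash
# Added example, not the lab's own solution: a host firewall script for the
# procedure above, written so it can be re-applied in one go after a reboot or
# a restore. Assumptions (change for your network): CentOS 7 with the iptables
# service loading /etc/sysconfig/iptables; the internal network is
# 192.168.40.0/24; the Windows machine's address and MAC are the placeholders
# below. The MYSSH chain is modelled on MYICMP because the sign-off greps the
# journal for MYSSH log lines; the page itself does not show those steps.
# Run as root: `./fw.sh apply`, then `./fw.sh save`. DRY_RUN=1 prints instead.

WIN_IP=${WIN_IP:-192.168.40.50}            # placeholder: the Windows machine's IP
WIN_MAC=${WIN_MAC:-00:11:22:33:44:55}      # placeholder: its MAC address
INTERNAL_NET=${INTERNAL_NET:-192.168.40.0/24}
RULES_FILE=/etc/sysconfig/iptables
BACKUP=$RULES_FILE.original

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Keep the shipped ruleset so a broken script is recoverable with `restore`.
backup_default_rules() {
    [ -e "$BACKUP" ] || cp "$RULES_FILE" "$BACKUP"
}

# service_chain NAME: a per-service chain in the order the lab builds it.
# The ACCEPT for the internal network is appended first; the two DROPs for the
# Windows machine are then *inserted* so they are evaluated before it (the
# Windows machine is inside the allowed network, so appending them would never
# match). Anything that reaches the end is logged with the chain name as prefix,
# which is what `journalctl --dmesg | grep MYSSH` picks up, then dropped.
service_chain() {
    chain=$1
    run -N "$chain"
    run -A "$chain" -s "$INTERNAL_NET" -j ACCEPT
    run -I "$chain" -s "$WIN_IP" -j DROP
    run -I "$chain" -m mac --mac-source "$WIN_MAC" -j DROP
    run -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain: " --log-level 4
    run -A "$chain" -j DROP
}

apply_firewall() {
    run -P INPUT DROP
    run -P FORWARD DROP
    # The shipped catch-all REJECT rules are redundant under a DROP policy.
    run -D INPUT -j REJECT --reject-with icmp-host-prohibited || true
    run -D FORWARD -j REJECT --reject-with icmp-host-prohibited || true
    service_chain MYICMP
    service_chain MYSSH
    # Jump from the top of INPUT. Matching only echo requests and NEW ssh
    # connections leaves replies to the host's own pings and ssh sessions to
    # the RELATED,ESTABLISHED rule instead of sending them into the chains.
    run -I INPUT -p icmp --icmp-type echo-request -j MYICMP
    run -I INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j MYSSH
}

# Persist the running ruleset. Do this with libvirtd stopped: it adds its own
# virbr0 rules on start-up and should not have them baked into the file.
save_rules() { iptables-save > "$RULES_FILE"; }

# Restore the shipped ruleset (replaces the running rules, unlike -F which
# only empties the chains and leaves the DROP policies in place).
restore_default_rules() { iptables-restore < "$BACKUP"; }

case "${1:-}" in
    apply)   backup_default_rules; apply_firewall ;;
    save)    save_rules ;;
    restore) restore_default_rules ;;
    "")      ;;   # no action: only define the functions
    *)       echo "usage: $0 apply|save|restore" >&2; exit 2 ;;
esac
```

Try '''DRY_RUN=1 ./fw.sh apply''' first and read the printed commands against the lab steps. Note the two DROP rules for the Windows machine are the last rules inserted into each chain, so they end up at the top; the LOG rule is rate-limited so a flood of pings cannot fill the journal, and because '''restore''' replaces the running rules rather than flushing them, it also puts the ACCEPT policies back.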
{{Admon/important|Backup your VMs!|You MUST perform a new '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should use the Bash shell script that you were advised to create in order to backup all of your VMs.}}
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.'''
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 2a on Blackboard.
===In Class Submission (Murray Saul's Classes only)===
[[Image:lab1_signoff.png|thumb|right|200px|Students should be prepared with '''all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff'''.]]
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Proof that the iptables rules work for your host.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Issue command: '''journalctl --dmesg | grep -i MYSSH''' to confirm that outside ssh connections logged.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the '''labcheck2a.bash''' checking script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck2a.bash'''<br><br>set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow the Online Submission instructions above.
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.
 
=EXPLORATION QUESTIONS=