OPS335 Lab 2

37 bytes added, 13:23, 12 September 2018
no edit summary
#* Find the MAC address of the '''Network Interface''' and the '''IP address''' assigned to it. Record this information in your lab log book.
# Change to your '''host machine''', open a terminal window, and perform the following connectivity tests for each vm:<br><br>
<source lang="bash">
ping -c 1 [ip-of-vm]
ssh [ip-of-vm]
</source>
'''Perform the following steps for your <u>host</u> machine:'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Use the ifconfig or ip address command to determine the IP ADDRESS of your external facing address (i.e. IP address beginning with '''192.168.40.x''' if you are using an SSD).
# Open a terminal on the Windows machine and '''ping''' your external facing IP address. Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with MAC address of your partner's Windows machine.
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with IP address of your partner's Windows machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />You should not be able to connect from your Windows machine, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as '''/var/log/messages''', or in the case of customized chains, the command '''journalctl --dmesg | grep MYSSH''') should also show your failed attempts to '''ssh''' to you with your '''customized''' message.
# When you are confident the rules are working, save them by running <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
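An added example, not part of the original lab or its labcheck2a.bash script: a shell function that audits a ruleset in '''iptables-save''' format against the end state the steps above describe (default DROP policies, ICMP sent to MYICMP first, and the deny rule ahead of the subnet allow rule, since the first matching rule wins). The function names, the sample ruleset and its addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): audit iptables-save text read on stdin.
# Prints one PASS/FAIL line per check; returns non-zero if any check fails.
check_ruleset() {
    awk '
    function report(ok, msg) {
        printf "%s: %s\n", (ok ? "PASS" : "FAIL"), msg
        if (!ok) bad = 1
    }
    /^:INPUT /    { policy["INPUT"] = $2 }
    /^:FORWARD /  { policy["FORWARD"] = $2 }
    /^:MYICMP /   { have_chain = 1 }
    /^-A INPUT /  { if (++n_input == 1) first_input = $0 }
    /^-A MYICMP / {
        n_my++
        # Rules are evaluated top to bottom and the first match wins, so
        # record the position of the first deny and the first allow.
        if (!deny_pos  && $0 ~ /-j (DROP|REJECT)/) deny_pos  = n_my
        if (!allow_pos && $0 ~ /-j ACCEPT/)        allow_pos = n_my
    }
    END {
        report(policy["INPUT"] == "DROP",   "INPUT default policy is DROP")
        report(policy["FORWARD"] == "DROP", "FORWARD default policy is DROP")
        report(have_chain,                  "MYICMP chain exists")
        report(first_input ~ /-p icmp/ && first_input ~ /-j MYICMP$/,
               "first INPUT rule sends ICMP to MYICMP")
        report(deny_pos && allow_pos && deny_pos < allow_pos,
               "MYICMP deny rule precedes the subnet allow rule")
        exit bad + 0
    }'
}

# Constructed sample in iptables-save format; addresses are placeholders.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MYICMP - [0:0]
-A INPUT -p icmp -j MYICMP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A MYICMP -s 192.168.40.1/32 -p icmp -j DROP
-A MYICMP -s 192.168.40.0/24 -p icmp -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_ruleset
```

To audit the rules saved in the lab, run `check_ruleset < /etc/sysconfig/iptables` as root; the saved file excludes the rules libvirtd adds at startup.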
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 2a on Blackboard.
===In Class Submission (Murray Saul's Classes only)===
[[Image:lab1_signoff.png|thumb|right|200px|Students should be prepared with '''all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff'''.]]
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Proof that the iptables rules work for your host.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Issue command: '''journalctl --dmesg | grep -i MYSSH''' to confirm that outside ssh connections were logged.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck2a.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck2a.bash'''<br><br>Set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.