Difference between revisions of "OPS335 Lab 2b"

From CDOT Wiki
Jump to: navigation, search
Line 27: Line 27:
 
<tr>  <th>2</th><td>'''Verify Service is Running &amp; Service can Connect to Network'''</td><td>You should learn to read the output of '''netstat -atnp''' and '''netstat -aunp''' to complement the '''systemctl status''' command.</td></tr>
 
<tr>  <th>2</th><td>'''Verify Service is Running &amp; Service can Connect to Network'''</td><td>You should learn to read the output of '''netstat -atnp''' and '''netstat -aunp''' to complement the '''systemctl status''' command.</td></tr>
 
<tr>  <th>3</th><td>'''Verify Network Connectivity by Deleting iptables Rules'''</td><td>If you have no idea what's going on and need to confirm that you're still sane - clear all the iptables rules and check your configuration then. Keep in mind that the '''iptables -F''' command will delete all your rules but will not set the deafult policies to ACCEPT. This will tell you for sure whether your problem was (or was not) caused by iptables.<br><br>If you do this - have a ready way to restore the rules you just deleted. Restarting the iptables service is usually a good start and a '''shell script''' to add your custom rules is a reasonable next step.</td></tr>
 
<tr>  <th>3</th><td>'''Verify Network Connectivity by Deleting iptables Rules'''</td><td>If you have no idea what's going on and need to confirm that you're still sane - clear all the iptables rules and check your configuration then. Keep in mind that the '''iptables -F''' command will delete all your rules but will not set the deafult policies to ACCEPT. This will tell you for sure whether your problem was (or was not) caused by iptables.<br><br>If you do this - have a ready way to restore the rules you just deleted. Restarting the iptables service is usually a good start and a '''shell script''' to add your custom rules is a reasonable next step.</td></tr>
<tr>  <th>4</th><td>'''List your iptables Rules &amp; Perform a "Walk-Thru"'''</td><td>For many decades, when troubleshooting programs that don't run properly, programmers will resort to reading their "source-code" line-by-line and pretend they are the computer to perform the operation. This allows the programmer to "separate their biases" and think like the the computer to spot and fix problems.<br><br>Therefore, you can follow a packet's path as you understand it should follow. Keep in mind [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_2#How_Firewalls_.28iptables.29_Relate_to_the_Labs_in_this_Course the diagram from the lecture last week]. What chain applies first on which machine? What's the first rule that matches the packet? What happens if no rules match the packet?</td></tr>
+
<tr>  <th>4</th><td>'''List your iptables Rules &amp; Perform a "Walk-Thru"'''</td><td>For many decades, when troubleshooting programs that don't run properly, programmers will resort to reading their "source-code" line-by-line and pretend they are the computer to perform the operation. The programmer "walks-through" the code to force them to think like a computer in order to spot and fix subtle problems.<br><br>Therefore, you can follow a packet's path as you understand it should follow. Keep in mind [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_2#How_Firewalls_.28iptables.29_Relate_to_the_Labs_in_this_Course the diagram from the lecture last week]. What chain applies first on which machine? What's the first rule that matches the packet? What happens if no rules match the packet?</td></tr>
 
<tr>  <th>5</th><td>x</td><td>x</td></tr>
 
<tr>  <th>5</th><td>x</td><td>x</td></tr>
  

Revision as of 09:39, 29 January 2016

ADDITIONAL IPTABLES TROUBLESHOOTING

Purpose

This lab will provide more hands-on experience with troubleshooting iptables issues.

IPTABLES and Routing Troubleshooting Resources

Some articles that you can use as a reference if you are still experiencing problems with iptables:


INVESTIGATION 1: IPTABLES TROUBLESHOOTING CHECKLIST

By now, you have probably discovered that a simple mistake in your iptables rules can have very serious and unexpected consequences for not only your services, but the network connectivity in general. There is a general process (checklist) that you can following to help troubleshoot iptables in order to fix the problem.


Refer to the following IPTABLES Troubleshooting Checklist:

StepProcedureExplanation
1Test Network ConnectivityYou can use the steps in lab 1 as a guide, but keep in mind the firewall may be blocking pings and DNS requests.
2Verify Service is Running & Service can Connect to NetworkYou should learn to read the output of netstat -atnp and netstat -aunp to complement the systemctl status command.
3Verify Network Connectivity by Deleting iptables RulesIf you have no idea what's going on and need to confirm that you're still sane - clear all the iptables rules and check your configuration then. Keep in mind that the iptables -F command will delete all your rules but will not set the deafult policies to ACCEPT. This will tell you for sure whether your problem was (or was not) caused by iptables.

If you do this - have a ready way to restore the rules you just deleted. Restarting the iptables service is usually a good start and a shell script to add your custom rules is a reasonable next step.
4List your iptables Rules & Perform a "Walk-Thru"For many decades, when troubleshooting programs that don't run properly, programmers will resort to reading their "source-code" line-by-line and pretend they are the computer to perform the operation. The programmer "walks-through" the code to force them to think like a computer in order to spot and fix subtle problems.

Therefore, you can follow a packet's path as you understand it should follow. Keep in mind the diagram from the lecture last week. What chain applies first on which machine? What's the first rule that matches the packet? What happens if no rules match the packet?
5xx


    • Don't forget that even if you're tracing the path of outgoing traffic - the INPUT chain on your mahchine still applies (for the response that comes back to your request).
  3. At this point you should be able to understand any iptables rules you'll see in this course, including the default ones in CentOS. If you see a rule you don't understand - you can delete it and see what happens. But if you do that - spend some time figuring out what that rule did and why you needed to delete it. It was likely there for a good reason.


Record troubleshooting checklist for INVESTIGATION 1 in your OPS335 lab log-book


INVESTIGATION 2: HANDS-ON IPTABLES TROUBLESHOOTING

Download and run the following script: http://scs.senecacollege.ca/~andrew.smith/ops335/labcheck_network_backup.sh

It will print out a menu of exercises. You can pick any of them in any order. The script will first reset the firewall settings to CentOS defaults and then make some modifications from those defaults.

Don't cheat. The point of the exercises is for you to find the problem using regular troubleshooting tools, not to reverse-engineer the lab.

Finish the exercises, and record any information you feel you'll need to remember to solve problems like this in the future (e.g. in a practical test).


Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book


COMPLETING THE LAB

Students should be prepared with all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff.

Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

x.


EXPLORATION QUESTIONS

  1. x
Retrieved from "https://wiki.cdot.senecapolytechnic.ca/w/index.php?title=OPS335_Lab_2b&oldid=114918"