Changes

Jump to: navigation, search

OPS335 Lab 2b

517 bytes removed, 12:11, 29 January 2021
Online Submission (Ahad Mammadov's Classes only)
== OBJECTIVE & PREPARATION ==
In Lab 2a, we set the firewall rules for your '''host''' machine. In this lab, we will '''create firewall rules for our virtual machines''' within our virtual private network. This lab will also apply '''"best practices"''' and '''"troubleshooting techniques"''' using iptables.
=== Online Resources===
* [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#Linux_Network_Connection_Configuration_Troubleshooting Test Network Connectivity] (From Lab1)
* [http://www.microhowto.info/troubleshooting/troubleshooting_iptables.html Troubleshooting iptables]
* [https://community.rackspace.com/products/f/25/t/248 Basic IPTABLES Troubleshooting]
 
==INVESTIGATION 1: CUSTOM IPTABLES RULES ON A VM==
<table border="1" cellspacing="0" cellpadding="5" >
<tr><th>Step</th><td>'''Procedure'''</td><td>'''Explanation'''</td></tr>
<tr> <th>1</th><td>'''Test Network Connectivity'''</td><td>You can use the [httphttps://zenitwiki.senecaccdot.onsenecacollege.ca/wiki/index.php/OPS335_Lab_1#Linux_Network_Connection_Configuration_Troubleshooting steps in lab 1] as a guide, but keep in mind the firewall may be blocking pings and DNS requests.</td></tr>
<tr> <th>2</th><td>'''Verify Service is Running &amp; listening on the correct interfaces'''</td><td>You should learn to read the output of '''ss -atnp''' and '''ss -aunp''' to complement the '''systemctl status''' command.</td></tr>
<tr> <th>3</th><td>'''List your iptables Rules &amp; Perform a "Walk-Thru"'''</td><td>For many decades, when troubleshooting programs that don't run properly, programmers will resort to reading their "source-code" line-by-line and pretend they are the computer to perform the operation. The programmer "walks-through" the code to force them to think like a computer in order to spot and fix subtle problems.<br><br>Therefore, you can follow a packet's path as you understand it should follow. Keep in mind [httphttps://zenitwiki.senecaccdot.onsenecacollege.ca/wiki/index.php/OPS335_Lab_2#How_Firewalls_.28iptables.29_Relate_to_the_Labs_in_this_Course the diagram from the lecture last week]. What chain applies first on which machine? What's the first rule that matches the packet? What happens if no rules match the packet?<br><br>Don't forget that even if you're tracing the path of outgoing traffic - the INPUT chain on your machine still applies (for the response that comes back to your request).</td></tr>
<tr> <th>4</th><td>'''Use the log target to list unexpected traffic'''</td><td>Add a final rule to your input chain to log all traffic. Any traffic you are allowing will have already been accepted and will not reach this rule, so you will start a log of all the packets you are not allowing. Observing the logs while you attempt to use the service that is not being allowed will show you the type of traffic you need to allow.</td></tr>
<tr> <th>5</th><td>'''Verify Network Connectivity by Deleting iptables Rules'''</td><td>As a last resort, if you have no idea what's going on and need to confirm that you're still sane - clear all the iptables rules and check your configuration then. Keep in mind that the '''iptables -F''' command will delete all your rules but will not set the default policies to ACCEPT. This will tell you for sure whether your problem was (or was not) caused by iptables.<br><br>Stopping the iptable service with '''systemctl stop iptables''' will also clear all iptables rules. Additionally, it will reset all policy to ACCEPT. <br><br>If you do this - have a ready way to restore the rules you just deleted. Restarting the iptables service is usually a good start and a '''shell script''' to add your custom rules is a reasonable next step.Don't forget to restart libvirtd service as well if this is being done on a kvm host</td></tr></table>
'''Record the troubleshooting checklist in your OPS335 lab log-book'''
 
==INVESTIGATION 3: HANDS-ON IPTABLES TROUBLESHOOTING==
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump or rsync command, and you should use the Bash shell script that you were adviced to create in order to backup all of your VMs.}}
'''Record your observations in this section on your OPS335 lab log-book'''
 
== COMPLETING THE LAB ==
In completing this lab you have gained further practice using iptables. Each of your machines should now be protected by a custom firewall that we will continue to build on throughout the course. You have also gained experience troubleshooting iptables and determining what rules might need to be changed to allow desired traffic (or block undesired traffic).
'''Depending on your professor you will either be asked to submit the lab in class, or online. ===Online Submission ===Follow the appropriate set of instructions belowfor lab 2b on blackboard.<!--===Andrew'''s sections===
===Online Submission (Peter CallaghanYou may choose to:* Submit screenshots of your work on Blackboard, in which case you don's Classes only)===t need to come to the lab.Follow * Or come to the instructions for lab 2b on moodle, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
===In Class Submission===[[Image:lab1_signoff.png|thumb|right|300px|Students should be prepared with You'''all required commands (system information) displayed in a terminal (or multiple terminals) prior ll get the same grade regardless of how you choose to calling the instructor for signoff'''submit your work.]]'''Arrange evidence (command output) for each Expected results of these items on your screen, then ask your instructor to review them and sign off on the this lab's completionare:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>List iptables rules for ALL machines.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Prove that you can ping and ssh from your host machines to all of your vms.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck2b.bash checking bash shell script by issuing the command:<br><br>'''wget httpand run https://matrixict.senecac.onsenecacollege.ca/~peterandrew.callaghansmith/files/OPS335ops335/labcheck2b.bash'''<br><br>set execute permission and run the shell script on your '''host''' machine. ::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.::*For '''Murray's classes''', run command (piping to the '''more''' command) and show output to instructor.::<span style="color:green;font-size:1.5em;">&#x2713;</span>Completed Lab2 log-book notesBe able to explain how you debug a connectivity problem caused by iptables.-->
==EXPLORATION QUESTIONS==
#List 3 separate techniques that you used to help troubleshoot to detect and fix iptables from running the shell script in the previous section.<br><br>#Without looking at the table above, list tips for troubleshooting iptables.<br><br>
#After completing this lab, how does the above-mentioned shell script work to cause problems with iptables?

Navigation menu