Difference between revisions of "SRT210 Lab 2"

From CDOT Wiki

Revision as of 11:17, 14 January 2019

Objectives

  • Set up a nested virtual machine
  • Get familiar with basic networking setup and utilities used on Linux

PART 1: NESTED VIRTUAL MACHINE

Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.

  • Change the settings for your c7host to have at least 4GB of RAM, and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.
  • Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils
  • Make sure (using systemctl enable) that the libvirtd service starts at boot.
  • Those packages include both the KVM hypervisor and Virt Manager, a graphical tool used to administer it.
  • Create a new virtual machine with the following settings:

After you're done - you'll have a command-line-only CentOS machine (lin1) running inside a graphical CentOS desktop (c7host).

PART 2: BASIC NETWORKING

Simple commands

Use these commands to check the current network settings on lin1:

  • ip link (show interfaces)
  • ip address (the MAC address, IP address, and subnet mask for every interface)
  • ip route (the routing table)
  • cat /etc/resolv.conf (the DNS server you're configured to query)
  • arp -n (the ARP table)

Note: if you're missing a command, you can find out which package provides it by using yum whatprovides.

New virtual network

By default a KVM setup has a NAT network with a DHCP server. That works nicely out of the box but won't work for us because we'll need to configure network settings manually.

  1. Power off lin1
  2. In the Connection Details dialog box, select the Virtual Networks tab
  3. Click to de-select the Autostart (on boot) check-box options and click the Apply button.
  4. Stop the default network by clicking on the stop button at the bottom left-side of the dialog box.
  5. Click the add button to add a new network configuration.
  6. Leave the default network name network1.
  7. In the next screen, enter the new network IP address space called: 192.168.210.0/24
  8. Disable DHCPv4
  9. Enable Network Forwarding by selecting "Forwarding to physical network"; the destination should be "Any physical device" and the mode should be NAT.

Network settings on lin1

  • Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.
  • After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).
  • Configure your wired interface by editing the file .
  • Change to the /etc/sysconfig/network-scripts directory.
  • List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.
  • Look for the configuration file for your interface. It should have the name of the interface in the filename and the interface's MAC address in its contents.
  • Edit that file and give it the following settings:

    DEVICE=eth0
    IPADDR=192.168.210.11
    NETMASK=255.255.255.0
    GATEWAY=192.168.210.1
    HWADDR=xx:xx:xx:xx:xx:xx # Make sure it's the right MAC address
    DNS1=192.168.210.1
    BOOTPROTO=static
    ONBOOT=yes
    NM_CONTROLLED=yes
    IPV6INIT=no

  • Ask yourself where the IP address 192.168.210.1 came from and why it is your default gateway and DNS server.
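As an added sanity check for the ifcfg file above (example code written for this page, not part of the lab): it parses the file the way the shell that sources it would, reads the MAC addresses out of `ip link` output, and reports if HWADDR does not match the real interface or if GATEWAY and DNS1 fall outside the network1 subnet. The MAC 52:54:00:ab:cd:ef and the `ip link` text are constructed samples, not captured from a real lin1.

```python
import ipaddress, re

# Constructed sample inputs (not captured from a real lin1): the ifcfg file from this lab with a
# made-up MAC in place of xx:xx:xx:xx:xx:xx, and the `ip link` output the file must agree with.
IFCFG = """\
DEVICE=eth0
IPADDR=192.168.210.11
NETMASK=255.255.255.0
GATEWAY=192.168.210.1
HWADDR=52:54:00:ab:cd:ef # Make sure it's the right MAC address
DNS1=192.168.210.1
BOOTPROTO=static
ONBOOT=yes
NM_CONTROLLED=yes
IPV6INIT=no
"""
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

def parse_ifcfg(text):
    """KEY=VALUE lines; text after '#' is a comment, as for the shell that sources the file."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key] = value.strip()
    return cfg

def macs_from_ip_link(text):
    """Map interface name -> MAC from `ip link` output (the link/ether line follows the name line)."""
    return {n: m.lower() for n, m in re.findall(r"\d+: (\S+):.*\n\s+link/ether (\S+)", text)}

def check_ifcfg(cfg, macs):
    """Return a list of problems; an empty list means the file is consistent with the lab's network."""
    problems = []
    net = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}").network
    for key in ("GATEWAY", "DNS1"):            # both must be reachable inside the /24
        if ipaddress.ip_address(cfg[key]) not in net:
            problems.append(f"{key} {cfg[key]} is not inside {net}")
    if macs.get(cfg["DEVICE"]) != cfg["HWADDR"].lower():
        problems.append(f"HWADDR {cfg['HWADDR']} does not match {cfg['DEVICE']}")
    if cfg.get("BOOTPROTO") != "static" or cfg.get("ONBOOT") != "yes":
        problems.append("BOOTPROTO must be static and ONBOOT yes for a manual setup")
    return problems
```

On a real lin1 you would feed it the contents of the ifcfg file and the output of `ip link` instead of the constructed strings.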

PART 3: IPTABLES

CentOS comes with firewalld installed by default. We will not be using that; instead we'll do all our firewall work with iptables. Therefore we'll need to uninstall firewalld and install the iptables management tools:

  • Use systemctl to stop firewalld and disable it from starting on boot.
  • Use yum to uninstall firewalld and install iptables-services.
  • Use systemctl to start the iptables service and configure it to be started on boot.

IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:

  • How iptables works
  • How to understand the current state of the firewall
  • How to make useful changes to the firewall

IPtables overview

We will use an example of setting up a firewall on a web server.

(Image: iptables.png)

There are some important things to be aware of in terms of this diagram:

  • There are two sets of IPtables rules (chains) that apply: OUTPUT/INPUT on the client and INPUT/OUTPUT on the server.
    It is important to think about traffic from the perspective of the client as well as the server.
  • Outbound traffic is rarely blocked unless there is a security policy to prevent some kind of traffic.
    Even in that case, that security policy is usually enforced on a router.
  • Inbound traffic is of two distinct types. Our diagram shows:
    1. New incoming connections (what you normally think of as inbound traffic): the web server receives a new incoming connection.
    2. Incoming data that the client receives as a response from the server: the web page that the server sent back in the diagram above.
    The analogy would be making a telephone call:
      • A NEW packet is like the phone ringing.
      • An ESTABLISHED packet is the connection: the packet that says "hello", along with any further communication.
      • A RELATED packet would be the same person calling on a second line (e.g. a second connection that is made because of something that happened in the first, like an FTP data transfer).
    We normally don't want to do anything special for the response. It is safe to assume that a connection that was allowed to be established should be allowed to receive a response. This is accomplished with the following INPUT chain rule, which should be there by default on your machines:
      ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  • Rules are applied to chains (e.g. INPUT/OUTPUT) and contain information regarding the type of traffic they apply to: for example, protocols such as tcp/udp/icmp, port numbers such as 22 (SSH), 80 (HTTP), 443 (HTTPS), addresses, and many other things.
    Let's look at how these rules would apply to a simple web connection (HTTP, port 80):
    1. For the request, the source port (sport) for the example in the above diagram is 40112 and the destination port (dport) is 80.
    2. For the response, the source port (sport) is 80 and the destination port (dport) is 40112.
    3. Since the RELATED,ESTABLISHED rule already exists, we are only concerned with controlling the incoming traffic on the server; in our example the chain is INPUT, the protocol is tcp, and the destination is port 80.
  • Most other services work in a similar way to what is discussed above.
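To make "understanding the current state of the firewall" concrete, here is an added example (written for this page, not part of the lab) that parses the output of `iptables -L INPUT -n -v --line-numbers` and walks the chain top to bottom the way the kernel does, for the two packets in the diagram plus one that no rule allows. The chain text, the packet counters and the interface name eth0 are constructed; the rule set is the CentOS 7 default INPUT chain with one rule added for port 80.

```python
import re
# Constructed sample of `iptables -L INPUT -n -v --line-numbers` on the web server (not captured
# from a real host): the CentOS 7 default INPUT chain plus one rule added for HTTP.
SERVER_INPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12  1200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
6        1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

def parse_chain(text):
    """Return (policy, rules) with only the fields needed to match the packets below."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                 # skip the "Chain ..." line and the column header
        f = line.split(None, 10)           # 10 fixed columns, then the free-form match options
        extra = f[10] if len(f) > 10 else ""
        state = re.search(r"state (\S+)", extra)
        dpt = re.search(r"dpt:(\d+)", extra)
        rules.append({"target": f[3], "prot": f[4], "in": f[6],
                      "state": set(state.group(1).split(",")) if state else None,
                      "dport": int(dpt.group(1)) if dpt else None})
    return policy, rules

def matches(rule, pkt):
    """A rule matches only when every criterion it carries agrees with the packet."""
    return (rule["prot"] in ("all", pkt["proto"]) and rule["in"] in ("*", pkt["in"])
            and (rule["state"] is None or pkt["state"] in rule["state"])
            and (rule["dport"] is None or pkt["dport"] == rule["dport"]))

def verdict(chain_text, pkt):
    """Top to bottom, the first matching terminating rule decides; otherwise the chain policy does."""
    policy, rules = parse_chain(chain_text)
    for num, rule in enumerate(rules, 1):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["target"], num
    return policy, "policy"

# Packets from the diagram: the request as the server's INPUT chain sees it, and the response as
# the client's INPUT chain sees it (the client's default chain carries the same rule 1 on top).
REQUEST  = {"proto": "tcp", "in": "eth0", "sport": 40112, "dport": 80,    "state": "NEW"}
RESPONSE = {"proto": "tcp", "in": "eth0", "sport": 80,    "dport": 40112, "state": "ESTABLISHED"}
HTTPS    = {"proto": "tcp", "in": "eth0", "sport": 40113, "dport": 443,   "state": "NEW"}
for name, pkt in (("request", REQUEST), ("response", RESPONSE), ("https", HTTPS)):
    print(name, verdict(SERVER_INPUT, pkt))   # ACCEPT 5, ACCEPT 1, REJECT 6
```

The -v flag matters when reading the real output: without it rule 3 prints as "ACCEPT all -- anywhere anywhere", which looks like it accepts everything, while -v shows the "in lo" column that limits it to loopback traffic.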