Changes

Jump to: navigation, search

SRT210 Lab 3

3,234 bytes added, 19:17, 28 May 2019
PART 2: NAT
** Note that if you're using a laptop on wireless - you probably have your c7host network adapter set to NAT instead of bridged mode. If that's the case - you might need to modify some steps from this lab.
* Now we'll configure port forwarding so that any requests to TCP port 80 arriving at c7host will be forwarded to lin1:
 <source># any inbound HTTP requests on ens33 are for Apache (running in linX)iptables -A PREROUTING -t nat -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.210.11:80 # any outbound HTTP requests on ens33 (originating from linX) are returned to same linXiptables -A POSTROUTING -t nat -o ens33 -p tcp -s 192.168.210.11 --sport 80 -j SNAT --to 192.168.210.11 # let c7host forward packets otherwise they won't reach linX
iptables -I FORWARD -p tcp -d 192.168.210.11 --dport 80 -j ACCEPT</source>
 * Don't just run those commands blindly - understand what they do.You can read more detail on the above rule set from [https://wiki.archlinux.org/index.php/Simple_stateful_firewall this website]
* Try accessing your c7host from a web browser again. You should see the web page from your lin1 web server.
In order to allow access to a machine on a private subnet you have to make a whitelist on the router, with every explicit service that's supposed to be accessible on your internal machine. All things being equal - a whitelist provides a greater level of security than a blacklist.
And at the end of the day if you screw up the setup of your router: the worst thing that will happen is that your internal service will be inaccessible. From a security point of view that is much better than a screwup with a firewall which can make ''everythingevery system and service'' accessible to ''everyoneon the internet''. = SELINUX BASICS = SELinux is a ridiculously complex topic. Very few people understand it fully, and you're not expected to either. But you need at least to have a grasp of the basics and be able to debug an SELinux-related problem when it's manifest. We'll use an example as an exercise to help us learn the basic concepts. The example is based on the better illustrated "SELinux Practical Examples" section from [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html ComputerNetworkingNotes]. * You should already have Apache running on lin1, and serving your custom index.html file.* If you run <code>ls -al /var/www/html</code> you'll find that only root has write access to that directory. Let's change that so it's more realistic.* Use the chown command to change the ownership of the /var/www/html directory and its contents from root/root to youruser/yourgroup.* Switch to your regular user in the terminal and go to your home directory.* Create a file named copytest.html and another called movetest.html with some text inside.* Run <code>ls -lZ</code> and save the output somewhere (you can write it down in your labbook for example).* Copy copytest.html to /var/www/html and move movetest.html to the same directory.* Try to access each file from a web browser. You should be able to access one but not the other.* Check the web server error log (/var/log/httpd/error_log) - it should tell you there's a problem with permissions.* Check your permisions with <code>ls -l</code>, they should apear to allow acces for everyone to read movetest.html** This is a good bit of learning to absorb. When there's a permission denied error that makes no sense - it's quite likely that SELinux is at fault.* Look for "movetest.html" in the SELinux log /var/log/audit/audit.log* You should find a line in there with the word "denied" in it. Instead of giving yourself a headache trying to descipher that log line, go and check the SELinux context on the files involved:** Run <code>ls -lZ</code> on /var/www/html and compare the output to the one you saved earlier.* The problem is the security context of the movetest.html file. Fix it using the chcon command (read [https://www.computernetworkingnotes.com/rhce-study-guide/selinux-explained-with-examples-in-easy-language.html the tutorial]).
= PART 3: YOUR TASKS =
Use what you learned so far and what you can learn online in order to set up the following:
# lin1 will allow access to Apache Fix any problems with your firewall from any sourcelast week.# c7host will allow Set up access to SSH lin1's Apache from hosts on the Seneca network, and test it. Ideally test it with other students' help.# Set up lin2 (192.168.210.* subnet 12) the same way you set up lin1. Make sure you have the firewall and deny networking tools installed, but you don't need Apache on it from why other source.# Set up IPTables on c7host to forward SSH requests to port 2221 to go to the SSH server on lin1, and port 2222 to go to the ssh server on lin2.# Complete the exercise in the SELinux section of the lab.
= Lab completion =
221
edits

Navigation menu