OPS705 Lab 4

From CDOT Wiki
Jump to: navigation, search

LAB PREPARATION

Purpose / Objectives of Lab 4

In this lab, you will set up a basic Apache web server (including some light HTML coding) and supporting iptables firewall rules. You will also set up an IIS-based web server on your Windows Server VM, and learn how to set up port forwarding through your Linux Server VM to allow access to the IIS web server on the Internet.

If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.

Minimum Requirements

Before beginning, you must have:

  1. Successfully completed Lab 3
  2. Watched the Week 5 video lecture
  3. Read through the Week 5 slides, and have them handy as a reference for concepts
  4. Your Azure-based Linux VM

INVESTIGATION 1: Setting Up A Web Server on CentOS

In this investigation, you'll install the Apache web server package from a Linux repository and set up the service.

Part 1: Setting Up and Managing the httpd (Apache) Service

  1. From within your Linux server, install the httpd package.
  2. Now that the package is installed, it's time to start up the web server. Using systemd commands, start the httpd service.
  3. Next, confirm the service has started without any errors. (Tip: Always check the status of a service you've just modified, whether you're starting, stopping, or restarting it.)
  4. Finally, check the web server is serving web pages by loading a page locally. Run: curl localhost If you get a bunch of HTML code, you've succeeded! (Curl doesn't render HTML code, so you see it as plain text. This is how we check the web server works without dealing with networking.)
  5. Remember from our lecture, there's a difference between start and enable. Ensure the web server starts up with the system every time.
  6. In a browser on your local computer, copy and paste the address for your Linux VM. It doesn't load, does it? We're not done. Move to Part 2 to deal with the firewall.

Part 2: Allowing Web Traffic

In this section, you will follow security best practices to allow web server traffic into your VM. We'll open a firewall exception to allow requests to our web server through, so we can access our new web server from the Internet.

  1. Before making changes, it's a good idea to review our current rules: iptables -L -vn --line-numbers
  2. Add your rule exception. Web traffic is typically served on TCP port 80, and that's what we'll use: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  3. Go back to your local browser, and reload the page. Does it work now?
  4. If it does, congratulations! You're almost done.
  5. Back in you SSH session, save your new rules! Remember, changes you make will be erased when you shut down unless you save them.

Part 3: Editing Your Apache Website

Finally, modify the main page. Currently, it's displaying the default Apache splash page. Let's change that.

  1. Navigate to: /var/www/html
  2. List all files in this directory. There are none; this is expected.
  3. Open a new vim session for index.html in this location.
  4. Using HTML, give it a title of: OPS705 Linux Server - Winter 2022.
  5. Using HTML, add to the body: Name: yourname
  6. Using HTML, add to the body as a new line: Student Number: yourstudentnumber
  7. Save and quit the vim session.
  8. In your local browser, refresh the page. If your changes show up, you're done!

INVESTIGATION 2: Setting Up A Web Server on Windows Server 2019

Setting up an Internet Information Services web server on an Azure VM is incredibly easy, especially in contrast to the Apache setup.

Part 1: Updating and Securing Windows Server 2019

  1. Spin up your Windows Server VM, and wait until it's fully started up.
  2. In the Azure blade for your Windows Server VM, click on the Manage artifacts item in the menu bar to the left.
  3. In this new window, click on the Apply artifacts button. This will bring you to the Add artifacts screen.
  4. In the Add artifacts search field, type 'Time.
  5. Click on Set Time Zone in the results listing, then click Add in the next window.
  6. You'll be returned to the Add artifacts window.
  7. Add the following additional artifacts:
    1. Firefox
    2. Windows Firewall operations – Enable ICMP (Ping)
    3. Installs the latest Windows Updates
  8. You'll be returned to the Add artifacts window. Simply click OK to install them.
  9. The Manage Artifacts window will return, and a new entry for each artifact will appear. Their statuses will cycle through Pending, Installing, and finally Succeeded.
  10. When all artifacts are in a Succeeded state, move to Part 2. (This may take 10-20 minutes.)

Part 2: Installing and Verifying the IIS Web Server

  1. Spin up your Windows Server VM, and wait until it's fully started up.
  2. In the Azure blade for your Windows Server VM, add and apply the Internet Information Services (IIS) artifact.
  3. When complete, open a browser inside the Windows Server VM, and navigate to http://localhost. You should see the IIS default splash page. Congratulations!

Part 3: Editing Your IIS Website

  1. First: In a new file explorer window, find the View menu item near the top, and click File name extensions.
  2. Next: Open Server Manager from the Start menu and click on the Local Server menu bar option.
  3. Towards the top of the window, click Tools > Internet Information Services (IIS) Manager
  4. In the new window in the Connections menu column on the left, expand the Sites folder and click on Default Web Site.
  5. In the Actions menu column on the right, click Explore. This will open a new folder where your IIS web pages are stored.
  6. Right-click anywhere in that window, click New > Text Document. Name it index.html.
  7. Open the text file, and write the same HTML code as Investigation 1, changing the title tag to: OPS705 IIS Web Server - Winter 2022.
  8. Refresh your browser page from Part 2. You should see your new code.
  9. On your host computer, open a browser and navigate to the URL you used to remotely connect to your Windows Server VM. Unlike the Linux Server in Lab 3, the web page you created does not appear. We still have some work to do.

INVESTIGATION 3: Routing Through Your Linux Server

In this investigation, you'll set up your Linux Server VM to forward requests to your Windows VM's IIS web server. This is an advanced topic. Reviewing the Week 5 material is highly recommended. The following investigation assumes you understand the concepts discussed in those lectures.

Part 1: Enabling System-Level Forwarding on Your Linux Server

  1. Remote SSH into your Linux Server VM.
  2. Elevate to root.
  3. Use vim to open /etc/sysctl.conf
  4. Add the line: net.ipv4.ip_forward = 1 Make sure it's a new line, and that it doesn't start with a # symbol.
  5. Save and quit vim.
  6. At the command prompt, run: sysctl -p
  7. Confirm you've properly enabled system-level forwarding with the following command: sysctl net.ipv4.ip_forward
  8. The response from the command above should say net.ipv4.ip_forward = 1. If not, revisit the steps in Part 2.

Part 2: Port Forwarding Using NAT

  1. Remote into your Windows Server VM, open Command Prompt, and run ipconfig Write down the 10.x.x.x IP address displayed.
  2. Remote SSH into your Linux Server VM, and elevate to root.
  3. Confirm you can access the IIS web server on your Linux VM by running: curl IP-address-from-step-1 If you see plain HTML code displayed, move to the next step.
  4. We're going to be working with the NAT table. Let's look at the NAT rules listing with the following command: iptables -t nat -nvL --line
  5. Set up a port forwarding rule so all requests to sent your Linux VM on port 8080 get forwarded to your Windows VM on port 80. Run the following: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination windows-server-ip-from-step-1:80
  6. Set up NAT for all forwarded traffic: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  7. Confirm your new NAT table rules with the command from Step 4.

Part 3: Adding Forwarding Firewall Rule Exceptions

  1. Create a firewall rule to allow forwarded traffic destined for TCP port 80: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
  2. Create a firewall rule to allow forwarded traffic sent from TCP port 80: iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
  3. Watch your firewall rules and their packet counters with the following command: watch iptables -nvL --line
  4. In a browser on your local computer, paste the URL for your Linux VM, adding :8080 to the end of the address, then hit Enter.
  5. If you've done your work right, the Windows IIS web page should appear!
  6. Review the packet count from your watch command in Step 3. Notice the new forward rules are working! Keep this in mind for troubleshooting.
  7. In your SSH session, use the keyboard combination Ctrl and c to halt the watch program.
  8. Now that you know your new rules work, save your new rules!

Lab Submission

Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:

  1. Browser window showing the Linux Apache page (on your local computer, not displayed on your VM).
  2. Browser window showing the Windows IIS page (on your local computer, not displayed on your VM).
  3. SSH session window with your iptables rules listed.
  4. SSH session window with your iptables NAT table rules listed.

Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.

Your professor will not check your lab until the screenshot has been submitted.

Make sure to shut down your virtual machines when you're done!