
OPS335 Lab 2b

437 bytes removed, 2 January
We will now '''set iptables rules for your vm1 machine'''. As an alternative to editing the configuration file, you can '''place iptables commands in a script''' that is executed every time the machine boots (or any other time you need to refresh your rules). You can then '''apply the same iptables rules to your vm2 and vm3 machines''' by copying the script to them with scp and running it there.
'''Perform the following Steps:'''
# Issue an ''iptables command'' to set the default policy of the FORWARD chain so that '''all forwarding traffic''' is dropped, and remove the rule that is rejecting it.
# Next, set the default policy of the INPUT chain to drop '''all inbound traffic''', and remove the rule that is rejecting traffic. Note the order: the policy is only consulted after the rules, so the existing rules that accept established connections and ssh keep your session alive while you make these changes.
# Issue an iptables command to list rules for verification.<br /><br />The remaining tasks relate to that same '''inbound''' traffic chain (INPUT):<br /><br />
# Issue an ''iptables command'' to delete the default ssh rule. Your current ssh session survives because the rule accepting established connections is still in place, but no new ssh connection will be accepted until the next step is done.
# Issue an ''iptables command'' to add a rule that allows ssh traffic (i.e. tcp packets with destination port 22) only when it originates from a machine within your virtual network.
# Issue an ''iptables command'' to allow icmp traffic from addresses in your virtual network.
# Test that your machines can still use ping and ssh to communicate with each other.
# Save your rules in the location that iptables will automatically read from when it starts, or store the commands you used to modify iptables in a shell script called '''firewall_restore.bash''' and set up a cron entry so that it runs every time the machine boots.
# Reboot your machine and check that the new rules are being applied. If they are not, resolve this issue before moving on.
# Now copy the script file (or the saved rules) to your other VMs and make them apply when those machines boot as well.
# Reboot each machine and make sure this works before you move on.
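The steps above collected into one script. This is an added example, not the lab's own '''firewall_restore.bash'''; it assumes a virtual network of 192.168.100.0/24 (a placeholder for your own network) and that rules are restored at boot by the iptables-services unit from /etc/sysconfig/iptables, which is where '''iptables-save''' output is read from on CentOS 7. The function names are my own.

```shell
#!/bin/bash
# firewall_restore.bash - example implementation of the lab steps above.
# Added as an illustration; it is not the lab's own script.
# Assumptions (change them to match your setup):
#   VNET       - your virtual network; 192.168.100.0/24 is a placeholder
#   RULES_FILE - the file iptables-services loads at boot on CentOS 7
VNET="${VNET:-192.168.100.0/24}"
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Print, one per line, the iptables commands that implement the steps.
# The INPUT chain is flushed and rebuilt instead of edited rule by rule:
# "iptables -D" only succeeds when the spec matches the stock rule exactly,
# and a rebuilt chain does not depend on what was there before (the stock
# "icmp from anywhere" rule disappears too, which is what the lab wants).
# Order matters: the RELATED,ESTABLISHED rule goes in before the policy is
# switched to DROP, so an ssh session used to run the script survives, and
# the policy change is the very last command.  The trailing LOG rule is the
# troubleshooting aid from the checklist below: it records every packet
# that no earlier rule accepted, just before the DROP policy applies.
# Do not run this on c7host itself without restarting libvirtd afterwards,
# because flushing FORWARD also removes the rules libvirt adds.
build_rules() {
    local vnet="$1"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $vnet -j ACCEPT
iptables -A INPUT -p icmp -s $vnet -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "
iptables -P INPUT DROP
EOF
}

# Execute the generated commands; stops at the first failure. Needs root.
apply_rules() {
    build_rules "$VNET" | bash -e
}

# Store the running rule set where iptables-services restores it at boot.
save_rules() {
    iptables-save > "$RULES_FILE"
}

main() {
    case "${1:---dry-run}" in
        --dry-run) build_rules "$VNET" ;;              # show, change nothing
        --apply)   apply_rules && save_rules && iptables -S ;;
        *) printf 'usage: %s [--dry-run|--apply]\n' "$0" >&2; return 2 ;;
    esac
}
main "$@"
```

Run it with no argument first to review the commands it would issue, then as root with `--apply` on vm1. Once the saved file restores correctly after a reboot, `scp` the script to vm2 and vm3 and run it there; if you prefer the cron route from the step above, `@reboot /root/firewall_restore.bash --apply` in root's crontab runs it at boot.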
<tr> <th>3</th><td>'''List your iptables Rules &amp; Perform a "Walk-Thru"'''</td><td>For decades, when troubleshooting a program that does not run properly, programmers have resorted to reading the source code line by line while pretending to be the computer executing it. "Walking through" the code forces them to think like the computer, which is how subtle problems get spotted and fixed.<br><br>Do the same with a packet: list your rules and follow the path you think the packet takes, keeping in mind the diagram from last week's lecture. Which chain applies first, and on which machine? What is the first rule that matches the packet? What happens if no rule matches the packet (the chain's default policy applies)?<br><br>Don't forget that even when you are tracing the path of outgoing traffic, the INPUT chain on your machine still applies to the response that comes back to your request.</td></tr>
<tr> <th>4</th><td>'''Use the LOG target to list unexpected traffic'''</td><td>Add a final rule to your INPUT chain that logs all traffic. Any traffic you allow has already been accepted by an earlier rule and never reaches this one, so what you get is a log of every packet you are not allowing (the default policy is applied after the LOG rule). Watch the log while you attempt to use the service that is being blocked: the entries show the source, protocol and destination port of exactly the traffic you need to allow.</td></tr>
<tr> <th>5</th><td>'''Verify Network Connectivity by Deleting iptables Rules'''</td><td>As a last resort, if you have no idea what is going on and need to confirm that the problem really is in your rules, clear all the iptables rules and test your configuration again. Keep in mind that '''iptables -F''' deletes all your rules but does not reset the default policies to ACCEPT: if INPUT's policy is DROP, flushing the chain blocks everything, including your ssh session, so set the policies back to ACCEPT as well. This will tell you for sure whether your problem was (or was not) caused by iptables.<br><br>Stopping the iptables service with '''systemctl stop iptables''' also clears all rules and, in addition, resets every policy to ACCEPT.<br><br>If you do this, have a ready way to restore the rules you just deleted. Restarting the iptables service is usually a good start, and a '''shell script''' that adds your custom rules is a reasonable next step. Don't forget to restart the libvirtd service as well if this is being done on a KVM host, because libvirt adds its own forwarding and NAT rules for the virtual networks.</td></tr></table>
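Reading the log that item 4 produces. This is an added example, not part of the original lab: the log lines are constructed to match the format the kernel LOG target writes to /var/log/messages (they are not real captures), the prefix "INPUT-DROP: " is assumed to be the one used in your LOG rule, and the helper names are my own.

```shell
#!/bin/bash
# Summarise iptables LOG entries by source, protocol and destination port,
# and turn each summary line into the rule that would allow that traffic.
# Added example; not from the original page.

# Constructed sample lines in the kernel LOG target's format (not real).
# The sshd line is there to show that non-matching lines are ignored.
SAMPLE_LOG='Jan  2 10:15:32 vm1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:52:54:00:12:34:56:08:00 SRC=192.168.100.1 DST=192.168.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  2 10:15:33 vm1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:52:54:00:12:34:56:08:00 SRC=192.168.100.1 DST=192.168.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=45679 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  2 10:15:40 vm1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:52:54:00:12:34:56:08:00 SRC=10.0.0.5 DST=192.168.100.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=UDP SPT=40000 DPT=53 LEN=56
Jan  2 10:15:41 vm1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=52:54:00:ab:cd:ef:52:54:00:12:34:56:08:00 SRC=10.0.0.5 DST=192.168.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  2 10:15:42 vm1 sshd[1234]: Accepted publickey for student from 192.168.100.1 port 50000 ssh2'

# Read log lines on stdin, keep those carrying the given LOG prefix, and
# print "count SRC PROTO DPT" lines, most frequent first.  DPT is "-" for
# protocols without ports (ICMP).  Fields are located by their KEY= tag
# rather than by position because the LOG format varies per protocol.
summarize_drops() {
    local prefix="$1"
    awk -v p="$prefix" '
        index($0, p) == 0 { next }
        {
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Print the INPUT rule that would accept one summarised flow.  This is a
# starting point for your own decision, not something to paste blindly:
# widen -s to your virtual network if the whole network needs the service.
suggest_rule() {
    local src="$1" proto="$2" dpt="$3"
    proto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
    if [ "$dpt" = "-" ]; then
        printf 'iptables -A INPUT -p %s -s %s -j ACCEPT\n' "$proto" "$src"
    else
        printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
            "$proto" "$dpt" "$src"
    fi
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops "INPUT-DROP: " |
    while read -r n src proto dpt; do
        printf '%s hits: %s\n' "$n" "$(suggest_rule "$src" "$proto" "$dpt")"
    done
}
main
```

On a real VM replace the sample with the live log, for example `grep 'INPUT-DROP:' /var/log/messages | summarize_drops 'INPUT-DROP: '` (or feed it `journalctl -k`), then try the blocked service again and watch which line's count climbs.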
'''Record the troubleshooting checklist in your OPS335 lab log-book'''
'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.'''
===Online Submission (Ahad Mammadov's Classes only)===
Follow the instructions for lab 2b on Blackboard.
===Andrew's sections===
You may choose to:
* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.
* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
You'll get the same grade regardless of how you choose to submit your work. Expected results are:
::<span style="color:green;font-size:1.5em;">&#x2713;</span>List iptables rules for ALL machines.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Prove that you can ping and ssh from your host machines to all of your vms.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download and run the '''labcheck2b.bash''' checking shell script on your '''c7host''' machine (set execute permission on it first).
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Be able to explain how you debug a connectivity problem caused by iptables.
# List 3 separate techniques that you used to detect and fix the iptables problems caused by running the shell script in the previous section.
# Without looking at the table above, list tips for troubleshooting iptables.
# After completing this lab, explain how the above-mentioned shell script works to cause problems with iptables.
