Changes

Jump to: navigation, search

SRT210 Lab 2

1,729 bytes added, 04:50, 2 July 2019
PART 1: NESTED VIRTUAL MACHINE
* Set up a nested virtual machine
* Get familiar with basic networking setup and utilities used on Linux
* Understand how the IPtables firewall works and use it to make simple rules
= PART 1: NESTED VIRTUAL MACHINE =
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.
* Change the settings for your c7host to have at least 4GB of RAM(8 would be better), and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils
* Make sure (using <code>systemctl enablestatus</code>) that the libvirtd service starts at boot.
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.
* Create a new virtual machine with the following settings:
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/
** 2GB of RAM(needed for installation, you should change it to 512MB after the install is done)
** 10GB of disk
** NAT for networking
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).
* Configure your wired interface by editing the file as described in the steps below.
* Change to the '''/etc/sysconfig/network-scripts''' directory.
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre>
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (SHTTPHTTPS)'', '''addresses''', and many other things.
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):
::# For the ''request''(originating from browser on local machine), the '''source port (sport) for the example in the above diagram is 40112(browser on local machine)''' and the '''destination port (dport) is 80(webserver on remote machine)'''::# For the ''response''(originating from server on remote machine), the '''source port (sport) is 80(webserver on remote machine)''' and the '''destination port (dport) is 40112(browser on local machine)'''
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.
* Install the Apache web server on lin1 (the package is called httpd).
* Enable and start that service.
* Install links elinks (a command-line web browser) and see if you can connect to http://localhost (it should work by default).* Try to use Using Firefox on c7host to see , check whether you can view the same webpage from in lin1 (it should not work by defaultyou wont).* If you Next, check your the iptables rules you should be able in lin1 and try to figure out why you can't Firefox could not connectfrom c7host by reading the output of <code>iptables -L</code> on lin1 carefully looking for clues whether lin1 is letting inbound http traffic (TCP port 80) through.* Add If the output of <code>iptables -L</code> on lin1 isn't letting HTTP traffic through, which by default it does not, add a rule on to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).* Go back to c7host after verifing lin1 permits http traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should. If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal: * iptables --flush will erase all the rules* Restarting the iptables service will revert all the rules to the defaults. = PART 3: YOUR TASKS = Use what you learned so far and what you can learn online in order to set up the following: # lin1 will allow access to Apache from any source.# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source. = Lab completion = * Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.* Have notes in your labbook from this lab.* Show your work to the professor and have them sign your labbook.

Navigation menu