Difference between revisions of "OPS235 Lab 6 - Fedora17"

From CDOT Wiki
Jump to: navigation, search
(Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration)
 
(285 intermediate revisions by 9 users not shown)
Line 1: Line 1:
 +
[[Category:OPS235]]
 +
{{Admon/caution|Draft Lab|This lab has NOT been released for regular distribution. When the lab is ready to be released, this caution banner will disappear.}}
 
= Configuring a Network Using Virtual Machines =
 
= Configuring a Network Using Virtual Machines =
[[Category:OPS235]][[Category:OPS235 Labs]]
+
 
{{Admon/caution | Caution! | This lab is very much under construction. Please do not start it until this warning is removed.}}
+
 
 +
==Overview==
 +
 
 +
* In this lab, you will learn the basics of networking by using your Virtual Machines and your f17host machine.  
 +
 
 +
* In addition, you will learn to associate network services with port numbers, and learn how to backup files by date/time.
 +
 
 
== Objectives ==
 
== Objectives ==
* Configure a virtual network for Virtual Machines
+
# Configure a virtual network for Virtual Machines
* Use the Fedora GUI program to configure network interfaces with static IP configuration and host name resolution
+
# Use the Fedora GUI program to configure network interfaces with static IP configuration and host name resolution
* Use the <code>find</code> command to locate the configuration files modified by the GUI  network configuration program
+
# Use the <code>find</code> command to locate the configuration files modified by the GUI  network configuration program
 +
# To examine some of the Linux's TCP/IP configuration files in the <code>/etc/</code> directory
 +
# To configure a Fedora host with static network configuration without a GUI tool
 +
# To configure the linux firewall <code>iptables</code> to allow/disallow/forward different types of network traffic using simple rules
 +
 
 +
 
 +
 
 +
==Required Materials (Bring to All Labs)==
 +
 
 +
* Fedora 17 LIVE CD
 +
* Fedora 17 x86_64 Installation DVD
 +
* SATA Hard Disk (in removable disk tray)
 +
* USB Memory Stick
 +
* Lab Logbook
 +
 
 +
==Prerequisites==
 +
 
 +
* Completion and Instructor "Sign-off" of Lab 5: [[OPS235 Lab 5]]
 +
 
 +
 
 +
==Linux Command Online Reference==
 +
Each Link below displays online manpages for each command (via [http://linuxmanpages.com/ http://linuxmanpages.com]):
  
* To examine some of the Linux's TCP/IP configuration files in the <code>/etc/</code> directory
+
{|width="100%" cellpadding="5" width="50%"
* To configure a Fedora host with static network configuration without a GUI tool
+
|'''Networking Utilities:'''
* To use and interpret the <code>netstat</code> command to troubleshoot and monitor network services
+
|'''Additional Utilities:'''
 +
|
 +
|- valign="top"
 +
|
 +
*[http://linuxmanpages.com/man8/ifconfig.8.php ifconfig]
 +
*[http://fedoramobile.org/Members/MrHappy/system-config-network system-config-network]
 +
*[http://linuxmanpages.com/man8/route.8.php route]
 +
*[http://linuxmanpages.com/man8/ping.8.php ping]
 +
*[http://linuxmanpages.com/man8/arp.8.php arp]
 +
*[http://linuxmanpages.com/man8/netstat.8.php netstat]
 +
*[http://linuxmanpages.com/man8/iptables.8.php iptables]
 +
|
 +
*[http://www.linuxcertif.com/man/1/systemctl/ systemctl]
 +
*[http://linuxmanpages.com/man1/find.1.php find]
 +
*[http://linuxmanpages.com/man1/tail.1.php tail]
 +
*[http://linuxmanpages.com/man1/cp.1.php cp]
 +
|}
  
* To configure the linux firewall <code>iptables</code> to allow/disallow/forward different types of network traffic using simple rules
 
  
== Reference ==
+
==Resources on the web==
* [http://linuxmanpages.com/ man pages] for find, ifconfig, ping, netstat, NetworkManager, nslookup, iptables, arp
+
Additional links to tutorials and HOWTOs:
* Online reading material for week 8.
+
* [http://en.wikipedia.org/wiki/Virtual_network Virtual Network - Definition]
 +
* [http://www.reallylinux.com/docs/networkingadmin.shtml Important Linux Networking Commands] (Also refer to lab 6 notes)
 +
* [http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html Linux Network Configuration]
 +
* [[IPTables]] Reference
 +
* Lab6 Notes: [http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_6#Investigation_8:_How_do_I_view_and_configure_the_IPTABLES_firewall.3F_--_Basic_Function.2FConfiguration IPTABLES Firewall]
  
== Required materials ==
 
* [http://fedoraproject.org/get-fedora Fedora 12] Live CD or a classmate on the same pod
 
* USB flash drive, 64 MB or more in size (Warning: the contents of this drive will be erased)
 
* One SATA hard disk in a removable drive tray with Fedora host and 3 Fedora Virtual Machines installed
 
  
 
== Current Configuration ==
 
== Current Configuration ==
Currently you should have the following network configuration:
+
Currently you should have the following network configuration:<br /><br />[[Image:network-config1.png]]
[[Image:network-config1.png]]
+
* '''Fedora host''' has 1 active network interface (probably <code>'''em1'''</code>) that receives IP configuration from the School's DHCP server.
* Fedora host has 1 active network interface (probably <code>eth0</code>)that receives IP configuration from the School's DHCP server.
+
* '''Fedora host''' has 1 active network interface (<code>'''virbr0'''</code>) that has a static default configuration of '''192.168.122.1/255.255.255.0'''
* Fedora host has 1 active network interface (<code>virbr0</code>) that has a static default configuration of 192.168.122.1/255.255.255.0
+
* '''Fedora1 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your Fedora Host
* Fedora1 VM has 1 active interface (<code>eth0</code>) that receives a dynamic configuration from your Fedora Host
+
* '''Fedora2 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your Fedora Host
* Fedora2 VM has 1 active interface (<code>eth0</code>) that receives a dynamic configuration from your Fedora Host
+
* '''Fedora3 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your Fedora Host
* Fedora3 VM has 1 active interface (<code>eth0</code>) that receives a dynamic configuration from your Fedora Host
+
 
  
 
== Lab Preparation ==
 
== Lab Preparation ==
{{Admon/important | Important | It is advisable to perform a <code>yum update</code> on your Fedora host and all 3 VM's.}}
+
{{Admon/important | Live disc installations and system-config-network | The '''fedora1''' VM was installed from Live CD. It is missing the GUI Network Configuration tool we will be using. Use the command <code>yum install system-config-network</code> to install it.}}
{{Admon/important | Important | The fedora1 VM was installed from Live CD. It is missing the GUI Network Configuration tool we will be using. Use the command <code>yum install system-config-network</code> to install it.}}
+
{{Admon/important | Backup your VMs before proceeding | Stop all of your VMs and backup your VM disk images. Do not start the VMs until told to start them.}}
{{Admon/important | Important  We will be working with your 3 VM's | Backup your VM disk images and then stop all 3 VM's for until told to start them.}}
 
  
== Lab Investigations ==
+
== Configuring a Network Using Virtual Machines ==
  
 
=== Investigation 1: How do you create a new virtual network. ===
 
=== Investigation 1: How do you create a new virtual network. ===
{{Admon/note | Note! | Complete this investigation on your fedora host.}}
+
{{Admon/note | Use the f17host | Complete the following steps on your '''f17host''' computer system.}}
  
 
Before configuring our network we want to turn off dynamic network configuration for our Virtual Machines by turning off the "default" virtual network.
 
Before configuring our network we want to turn off dynamic network configuration for our Virtual Machines by turning off the "default" virtual network.
# On the fedora host start Virtual Machine Manager
+
# On your '''f17host''' machine start Virtual Machine Manager
# Under Edit->Host Details select the Virtual Networks tab
+
# In the Virtual Machine Manager dialog box, Select '''Edit'''-> '''Connection Details'''.
# Disable the default configuration from starting at boot by deselecting the "Autostart On Boot" checkbox.
+
# In the '''Hosts''' Details dialog box, select the '''Virtual Networks''' tab
# Stop the default network configuration by clicking on the stop button at the bottom of the window.
+
# Disable the default configuration from starting at boot by '''deselecting''' '''"Autostart"''' (on boot) checkbox.
# Click on the add button to add a new network configuration.
+
# Stop the default network configuration by clicking on the '''stop''' button at the bottom left-side of the dialog box.
# Give your new network a name (network1)
+
# Click the '''add''' button (the button resembles a "plus sign") to add a new network configuration.
 +
# Give your new network a name (i.e. '''network1''')
 
# Enter in the new network IP address space:
 
# Enter in the new network IP address space:
#*192.168.235.0/24
+
#*'''192.168.235.0/24'''
# Disable DHCP by deselecting the check box.
+
# Disable DHCP by '''deselecting''' the check box.
# Enable Network Forwarding by Selecting "Forwarding to physical network"
+
# Enable Network Forwarding by Selecting '''Forwarding to physical network'''
 +
# The destination should be '''Any physical device''' and the mode should be '''NAT'''
 +
# Proceed with changes, and select '''Finish'''.
 +
# Before proceeding, check the "<u>default</u>" network connection (in the Virtual Networks section) to verify '''Autostart''' is disabled, and that you have created the '''network1''' configuration. You might be required to click Apply when the default '''Autostart''' option is deselected.  If you have any problems launching your VMs, then it is recommend to reboot your main system.
 +
# '''Close''' the Virtual Manager, '''reboot''' your f16host, '''log-back into your f16host computer''', and '''restart''' the Virtual Machine Manager.
 +
{{Admon/note | Repeat these steps for each VM | Complete the following steps on <u>each</u> of your virtual machines.}}
 +
<ol>
 +
  <li value="15">Now we need to add our new virtual network '''network1''' to the 3 VM's
 +
<ol type="a" style="margin-left:2cm">
 +
  <li value="1">Select the '''fedora1''' VM and edit the '''Virtual Machine Details'''<br />(Note: the Virtual Machine window will appear - do not start virtual machine)</li>
 +
  <li>Under View select '''Details'''</li>
 +
  <li>In the '''left pane''' of the Virtual Machine window, select '''NIC:''' and note that this NIC is on the "default" virtual network</li>
 +
  <li>Click on the '''Remove''' button at the bottom right-side of the dialog box.</li>
 +
  <li>Click on '''Add Hardware''' on the bottom left-side of the dialog box and add a new network</li>
 +
  <li>For the host device, locate and select '''Virtual Network network1''' : NAT</li>
 +
  <li>Click finish to exit the Virtual Machine Details dialog box.</li>
 +
</ol>
 +
  </li>
 +
  <li value="16">Repeat steps '''a - g''' for '''fedora2''' and '''fedora3''' VM's.</li>
 +
</ol>
  
# The destination should be "Any physical device" and the mode should be "NAT"
+
'''Answer the Investigation 1 observations / questions in your lab log book.'''
# Now we need to add our new virtual network "network1" to the 3 VM's
 
## Select the fedora1 VM and edit the VM details
 
## Under View select Details
 
## In the left pane select the NIC and note that this NIC is on the "default" virtual network
 
## Click on the Remove button
 
## Click on "Add Hardware" and add a new network
 
## For the host device select "Virtual Network network1" : NAT
 
# Repeat these steps for fedora2 and fedora3 VM's
 
# Answer the Investigation 1 question in your lab log book.
 
  
 
=== Investigation 2: How do you configure a static network using <code>system-config-network</code>. ===
 
=== Investigation 2: How do you configure a static network using <code>system-config-network</code>. ===
{{Admon/note | Note! | Complete this investigation on your fedora2 VM.}}
+
{{Admon/note | Use fedora2 | Complete this investigation on your fedora2 VM.}}
# Start fedora2 VM and login
+
# Start '''fedora2''' VM and login
# On your fedora host run <code>ifconfig</code> and make note of the IP address assigned to the <code>virbr1</code> interface. This will be your default gateway for your Vm's.
+
# On your '''fedora host''' run <code>ifconfig</code> and make note of the IP address assigned to the <code>virbr1</code> interface. This will be your default gateway for your Vm's.[[Image:new_network_dialog.png|thumb|350px]]
# To configure a new interface on fedora2 go to System->Administration->Network and click on the "New" button
+
# Make certain to return to your fedora2 VM.
# Select Ethernet Device and choose the network card named <code>eth1</code>
+
# To configure a new interface on fedora2 go to '''Applications'''->'''Other'''->'''Network Connections'''.
 +
# Make certain there are no '''"Wired"''' connections (even if you have to click on the connection name and click the '''Delete''' button.
 +
# Create a new wired connection, with the "Connection Name" at the top to read '''eth1'''
 +
# Click on the '''Add''' button, and select the '''IPv4 Settings''' tab.
 +
# Change the method from "Automatic (DHCP)" to '''"Manual"'''.
 +
# In the '''Addresses section''', click '''"Add"'''.
 +
# Manually set the IP configuration to:
 +
#: IP Address '''192.168.235.12'''
 +
#: Subnet Mask '''255.255.255.0'''
 +
#: Default Gateway '''192.168.235.1''' (The IP address of <code>virbr1</code> on your fedora host.)
 +
# Click on the '''DNS''' field and add '''192.168.235.1''' as the primary DNS server.
 +
# Click '''Save''' to Finish, and exit the Network Connections dialog box.
 +
# Your network connection may connect (view the Network Manager applet in the gnome panel at the top of the screen). If there is no connection after a few minutes, you should be able to right-click on the applet and click "eth1" to connect.
 +
# You should be able to use the systemctl command to restart your network.
 +
#'''Restart your network''' on fedora2 by issuing the commands:
 +
#*<code>systemctl stop NetworkManager.service</code>
 +
#*<code>systemctl start NetworkManager.service</code>
 +
# Verify your new interface by examining the output of <code>ifconfig</code>
 +
# To verify that fedora2 has the correct default gateway configured, enter the command: <code>route -n</code>
 +
# Verify the network by using: <code>ping 192.168.235.1</code>
  
# Statically set the IP configuration:
+
'''Answer the Investigation 2 observations / questions in your lab log book.'''
#* IP Address 192.168.235.12
 
#* Subnet Mask 255.255.255.0
 
#* Default Gateway 192.168.235.1 (The IP address of <code>virbr1</code> on your fedora host.)
 
# Click on the DNS tab and add 192.168.235.1 as the primary DNS server.
 
# Save then Quit
 
# Restart your network on fedora2. <code>service NetworkManager restart</code>
 
# Verify your new interface by examining the output of <code>ifconfig</code>
 
# To verify that fedora2 has the correct default gateway configured, enter the command <code>route -n</code>
 
# Verify the network by using <code>ping 192.168.235.1</code>
 
# Record the answer to Investigation 2 in your logbook.
 
  
 
=== Investigation 3: What files does the <code>system-config-network</code> GUI tool change?. ===
 
=== Investigation 3: What files does the <code>system-config-network</code> GUI tool change?. ===
{{Admon/note | Note! | Complete this investigation on your fedora1 VM.}}
+
{{Admon/note | Use fedora1 | Complete this investigation on your fedora1 VM.}}
# Start fedora1 VM and login
+
 
 +
{{Admon/note | Backing up Files |One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system.<br />The following is an example of a common backup system used in Business Unix/Linux systems:<br /><br />'''Full Backup''': Backup all specified files (eg. configuration, data files, etc)<br />'''Incremental Backup''': Backup of only files that have changed since last (full) backup<br /><br />When the system is required to be fully restored, then the '''full backup''' is recovered, followed by each .<br />In this investigation, you will learn how to perform an '''incremental backup''' using the <code>find</code> utility|}}
 +
 
 +
# Start '''fedora1''' VM and login
 
# Before we configure fedora1 we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool.
 
# Before we configure fedora1 we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool.
 
#* <code>date > /tmp/timestamp</code>
 
#* <code>date > /tmp/timestamp</code>
# Run the network configuration tool and enter the following static configuration in the same way that you configured fedora2.
+
# Run the network configuration tool and enter the following static configuration in the same way that you configured '''fedora2'''.
#* IP Address: 192.168.235.11
+
#* IP Address: '''192.168.235.11'''
#* Subnetmask: 255.255.255.0
+
#* Subnetmask: '''255.255.255.0'''
#* Default Gateway: 192.168.235.1
+
#* Default Gateway: '''192.168.235.1'''
#* DNS Server: 192.168.235.1
+
#* DNS Server: '''192.168.235.1'''
# Save and quit and restart NetworkManager
+
# Save and exit the network configuration tool.
# Verify the configuration by pinging fedora host (192.168.235.1) and fedora2 (192.168.235.12)
+
# Restart the NetworkManager service.
 +
# Verify the configuration by pinging fedora host ('''192.168.235.1''') and fedora2 ('''192.168.235.12''')
 
# To verify that fedora1 has the correct default gateway configured, enter the command <code>route -n</code>
 
# To verify that fedora1 has the correct default gateway configured, enter the command <code>route -n</code>
# Use the <code>find</code> command to locate the configuration files modified by the GUI  network configuration program
 
#* Previously, you created a file called <code>/tmp/timestamp</code>. Any files that were modified by the GUI network configuration program should have a timestamp later (or newer) than the "timestamp" file you created. All the Linux TCP/IP configuration files are stored under the "/etc" directory or its sub-directories. The following command when run as root will give you a list of all the files under the <code>/etc</code> directory with a file modification date newer than the date of the "timestamp" file:
 
#**<code>find /etc -newer /tmp/timestamp</code>
 
# Capture the output to a file called <code>netcfg.lst</code> under user root's home directory.
 
  
# Create a new directory called <code>/tmp/lab6</code> and copy all the files from the <code>find</code> command to it.
+
{{Admon/note | Creating an Incremental Backup |
#* There are a number of ways to accomplish this:
+
We will now be using the <code>find</code> command to:
#** Edit <code>netcfg.lst</code> and turn it into a bash script.
+
:*Locate the configuration files (contained in the <code>/etc</code> directory) that were modified by the GUI  network configuration program
#** Copy the files manually using the <code>cp</code> command.
+
:*Copy those configuration files to a "specified" directory for backup purposes
#** Investigate the <code>-exec</code> option of the <code>find</code> command to see how to find and copy the files with a single command.
+
 
# Record the answer to the investigation in your lab log.
+
Previously, you created a file called <code>/tmp/timestamp</code> that just contains the current date and time prior to running the network configuration toool for fedora2.. Any files that were modified by the GUI network configuration program should have a timestamp later (or newer) than the "timestamp" file you created. All the Linux TCP/IP configuration files are stored under the '''/etc''' directory or its sub-directories. The <code>find</code> command (using the correct options) can be used to only list those files that have been recently created since the timestamp date contained in the <code>/tmp/timestamp</code> file.|}}
 +
 
 +
<ol>
 +
<li value="8">Run the following Linux command:
 +
    <ul>
 +
      <li><code>find /etc -newer /tmp/timestamp &gt; /root/netcfg.lst</code></li>
 +
    </ul>
 +
</li>
 +
<li>View the <code>/root/netcfg.lst</code> file. What does it contain?</li>
 +
<li>Create a new directory called: <code>/tmp/lab6</code></li>
 +
<li>Issue the following commands:
 +
    <ul>
 +
      <li><code>mkdir -p /tmp/lab6</code></li>
 +
      <li><code>find /etc -newer /tmp/timestamp -exec cp {} /tmp/lab6 \;</code></li>
 +
    </ul>
 +
</li>
 +
<li>View the contents of the <code>/tmp/lab6</code> directory. What does it contain?</li>
 +
</ol>
 +
 
 +
{{Admon/tip | Tip | Just for interest, it is relatively simple to automate your backups. You just create a Bash Shell script file using the <code>find</code> command above, give the shell script executable permissions, and use the <code>crontab</code> command to schedule when this script is to be run. If you want to learn more about shell scripting, you can take or refer to the course called  '''OPS435''' .}}
 +
 
 +
'''Answer the Investigation 3 observations / questions in your lab log book.'''
  
=== Investigation 4: How do I configure the network without a GUI tool?. ===
+
=== Investigation 4: How do I configure the network without a GUI tool? ===
{{Admon/note | Note! | Complete this investigation on your fedora3 VM.}}
+
{{Admon/note | Use fedora3 | Complete this investigation on your fedora3 VM.}}
# Start fedora3 VM and login as root
+
# Start '''fedora3''' VM and login as root
# Use the command <code>ifconfig</code> to list active interfaces, you should see one with a name of <code>eth1</code> or a similar name.
+
# Use the command <code>ifconfig</code> to list active interfaces, you should see one with a name of <code>eth0</code> or a similar name.
# To configure your card with a static address use the command:
+
# To configure your card with a static address use the following command:
#* <code>ifconfig eth1 192.168.235.13 netmask 255.255.255.0</code>
+
#* <code>ifconfig eth0 192.168.235.13 netmask 255.255.255.0</code>
 
# To configure a default gateway for that interface enter the command:
 
# To configure a default gateway for that interface enter the command:
 
#* <code>route add default gw 192.168.235.1</code>
 
#* <code>route add default gw 192.168.235.1</code>
Line 129: Line 213:
 
#* List the contents of the directory and you should see 2 different types of files, network config scripts and network configuration files.
 
#* List the contents of the directory and you should see 2 different types of files, network config scripts and network configuration files.
 
#* look for the config file for your original interface, it should be named <code>ifcfg-eth0</code>
 
#* look for the config file for your original interface, it should be named <code>ifcfg-eth0</code>
#* Copy that file to <code>ifcfg-eth1</code> or whatever name matches your current eth interface.
+
#* Copy that file to <code>ifcfg-eth<b>N</b></code> where <b>N</b> relates to your current eth interface number (we will use <b>eth1</b> as an example).
 
#* Edit the new file for you interface and give it the following settings:
 
#* Edit the new file for you interface and give it the following settings:
#**GATEWAY=192.168.235.1
+
#**DEVICE="eth1" <-- '''or the interface name YOU have '''
#**DNS1=192.168.235.1
+
#**IPADDR="192.168.235.13"
#**DEVICE=eth1           '''<-- or the interface name you have'''
+
#**NETMASK="255.255.255.0"
#**BOOTPROTO=none
+
#**GATEWAY="192.168.235.1"
#**NETMASK=255.255.255.0
+
#**HWADDR="52:54:00:3f:5c:fa" <-- '''use the HWADDR for YOUR interface
#**TYPE=Ethernet
+
#**DNS1="192.168.235.1" '''
#**HWADDR=52:54:00:3f:5c:fa '''<--use the HWADDR for your interface'''
+
#**BOOTPROTO="static"
#**IPADDR=192.168.235.13
+
#**ONBOOT="yes"
#**IPV6INIT=no
+
#**NM_CONTROLLED="yes"
#**ONBOOT=yes
+
#**IPV6INIT="no"
#**USERCTL=no
+
# Save the file and then restart the network connection by issuing the commands: <code>ifdown eth1</code> and then <code>ifup eth1</code><br /><br ><b>NOTE: </b>If there are errors, check that the hardware address in the config file matches the hardware address of the device its configuring<br /><br />
# Save the file and restart the <code>NetworkManager</code> service
 
 
# Verify your configuration as you did before.
 
# Verify your configuration as you did before.
 
# Finally the kickstart file used to install this VM did not set the hostname. Edit the file <code>/etc/sysconfig/network</code> and set the hostname to <code>fedora3</code>
 
# Finally the kickstart file used to install this VM did not set the hostname. Edit the file <code>/etc/sysconfig/network</code> and set the hostname to <code>fedora3</code>
 
# Restart the <code>fedora3</code> VM.
 
# Restart the <code>fedora3</code> VM.
 
# Login and attempt to <code>ssh</code> to your matrix account to verify the settings.
 
# Login and attempt to <code>ssh</code> to your matrix account to verify the settings.
# Answer the Investigation question in your logbook.
+
 
 +
'''Answer the Investigation 4 observations / questions in your lab log book.'''
  
 
=== Investigation 5: How do I setup local hostname resolution? ===
 
=== Investigation 5: How do I setup local hostname resolution? ===
{{Admon/note | Note! | Complete this investigation on all of your VM's and the Fedora host.}}
+
{{Admon/note | Use each machine | Complete this investigation on all of your VM's and the Fedora host.}}
  
{{Admon/note | Please take note! | On large public networks like the Internet or even large private networks we use a network service called [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System (DNS)] to resolve the human friendly hostnames like '''fedoraproject.org''' to the computer friendly 32bit numeric addresses used by the IP protocol. On smaller ad-hoc networks we can use the <code>/etc/hosts</code> on each system to resolve names to addresses.}}
+
{{Admon/note | Hosts files vs. the Domain Name System | On large public networks like the Internet or even large private networks we use a network service called [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System (DNS)] to resolve the human friendly hostnames like '''fedoraproject.org''' to the numeric addresses used by the IP protocol. On smaller networks we can use the <code>/etc/hosts</code> on each system to resolve names to addresses.}}
  
 +
# Use the <code>hostname</code> and <code>ifconfig</code> commands on your fedora host and all 3 VM's to gather the information needed to configure the <code>/etc/hosts</code> file on the fedora host and the 3 VM's.
 +
# Edit the <code>/etc/hosts</code> file on <u>each</u> of the '''virtual machines and the fedora host'''. Refer to the table below for information to enter in the <code>/etc/hosts</code> file.
  
# Use the <code>hostname</code> and <code>ifconfig</code> commands on your fedora host and all 3 VM's to gather the information needed to configure the <code>/etc/hosts</code> file on the fedora host and the 3 VM's.
 
# Edit the <code>/etc/hosts</code> file on each of them so that they can all ping each other by name.
 
# Answer the investigation in your logbook.
 
  
 
{|class="collapsible" style="background: #c0c0c0" width="50%"
 
{|class="collapsible" style="background: #c0c0c0" width="50%"
Line 168: Line 251:
 
::1                    localhost6.localdomain6 localhost6 fedora1
 
::1                    localhost6.localdomain6 localhost6 fedora1
  
192.168.235.1          f12host
+
192.168.235.1          f17host
 
192.168.235.11          fedora1
 
192.168.235.11          fedora1
 
192.168.235.12          fedora2
 
192.168.235.12          fedora2
Line 174: Line 257:
 
</pre>
 
</pre>
 
|}
 
|}
 +
 +
 +
<ol>
 +
  <li value="3">Confirm that each host can ping all three of the other hosts by name.</li>
 +
</ol>
 +
 +
'''Answer the Investigation 5 observations / questions in your lab log book.'''
 +
 +
== Obtaining MAC Address / Service Port / Firewall Information ==
 +
  
 
=== Investigation 6: How do I collect the MAC (Hardware) addresses of computers on my network? ===
 
=== Investigation 6: How do I collect the MAC (Hardware) addresses of computers on my network? ===
{{Admon/note | Note! | Complete this investigation on your Fedora host.}}
+
{{Admon/note | Use your Fedora Host | Complete this investigation on your Fedora host.}}
  
While we use 32bit IP addresses to communicate over an internetwork, on the local ethernet network packets are delivered to a 48bit hardware address (sometimes called a MAC address). The ARP protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers on our local network.
+
{{Admon/note | Obtaining Remote MAC Addresses| The term '''MAC''' address stands for '''Media Access Control''' address, which provides a unique ID to prevent confusion among computer systems within a network. While we use '''32bit IP addresse'''s to communicate over an internetwork, on the local ethernet network packets are delivered to a '''48bit hardware address''' (sometimes called a MAC address). The '''ARP''' protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers on our local network.<br /><br />Being able to determine remote MAC address information is useful from troubleshooting networking programs to using '''WOL''' (Wake up on Lan) to automatically boot remote workstations via the network. In this investigation, you will learn how to obtain MAC address information for various network cards.}}
  
 
# On the fedora host <code>ping</code> each of your VM's
 
# On the fedora host <code>ping</code> each of your VM's
Line 184: Line 277:
 
# Check the contents of the cache again by using the command <code>arp -n</code>
 
# Check the contents of the cache again by using the command <code>arp -n</code>
 
# What was the difference in output?
 
# What was the difference in output?
# Answer the investigation question in your logbook
+
 
 +
'''Answer the Investigation 6 observations / questions in your lab log book.'''
 +
 
  
 
=== Investigation 7: How can I see what network services or ports are active on my Fedora system? ===
 
=== Investigation 7: How can I see what network services or ports are active on my Fedora system? ===
  
{{Admon/note | Note! | Complete this investigation on all of your VM's and the Fedora host.}}
+
{{Admon/note | Use All Machines | Complete this investigation on all of your VM's and the Fedora host.}}
  
{{Admon/note | Please take note! | When our Fedora system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the <code>netstat</code> command.}}
+
{{Admon/note | Network Ports | When our Fedora system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the <code>netstat</code> command.}}
  
* On your fedora host execute the command <code>netstat -at</code>
+
# On your fedora host execute the command: <code>netstat -at</code>
* This command will list all active TCP ports. Note the state of your ports.
+
# This command will list all active TCP ports. Note the state of your ports.
* TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the <code>ssh</code> service in a LISTEN state as it is waiting for connections.
+
# TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the <code>ssh</code> service in a LISTEN state as it is waiting for connections.
* From one of your VM's login to your host using <code>ssh</code>
+
# From one of your VM's login to your host using <code>ssh</code>
* On the fedora host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
+
# On the fedora host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
* Exit your ssh connection from the VM and rerun the command on the fedora host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
+
# Exit your ssh connection from the VM and rerun the command on the fedora host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
* On your fedora host try the command <code>netstat -atn</code>. How is this output different?
+
# On your fedora host try the command <code>netstat -atn</code>. How is this output different?
* Without the <code>-n</code> option <code>netstat</code> attempts to resolve IP addresses to host names (using /etc/hosts) and port numbers to service names (using /etc/services)
+
# Without the <code>-n</code> option <code>netstat</code> attempts to resolve IP addresses to host names (using /etc/hosts) and port numbers to service names (using /etc/services)
* Examine the <code>/etc/services</code> file and find which ports are used for the services <code>ssh ftp http</code>
+
# Examine the <code>/etc/services</code> file and find which ports are used for the services: <code>ssh, ftp, http</code>
* Now execute the command <code>netstat -au</code> What is the difference between <code>-at</code> and <code>-au</code>?
+
# Now execute the command <code>netstat -au</code> What is the difference between <code>-at</code> and <code>-au</code>?
* When examining UDP ports why is there no state?
+
# When examining UDP ports why is there no state?
 +
# Using the <code>netstat</code> man page and experimentation make sure you understand how the following options work.
 +
#* -at
 +
#* -au
 +
#* -atp
 +
#* -aup
 +
#* -atn
 +
#* -aun
 +
#* -autnp
 +
 
 +
'''Answer the Investigation 7 observations / questions in your lab log book.'''
  
* Using the <code>netstat</code> man page and experimentation make sure you understand how the following options work.
 
** -at
 
** -au
 
** -atp
 
** -aup
 
** -atn
 
** -aun
 
** -autnp
 
* Answer the investigation your logbook
 
  
 
=== Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration ===
 
=== Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration ===
 +
 +
 +
{{Admon/note | Use the f17host | Complete the following steps on your '''f17host''' computer system.}}
 +
  
 
{{Admon/note | | [http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX.  While this program can be controlled by different GUI's, we are going to investigate the powerful command line interface for this program to choose what data is allowed into, out of and through our computer.
 
{{Admon/note | | [http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX.  While this program can be controlled by different GUI's, we are going to investigate the powerful command line interface for this program to choose what data is allowed into, out of and through our computer.
Line 220: Line 320:
 
Essentially, Iptables is a list of rules.  Each rule is placed into a particular chain and when data is sent into, out of or through a PC the data is checked against these rules.  If the data matches a particular rule, it then must “jump” to a condition.  Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
 
Essentially, Iptables is a list of rules.  Each rule is placed into a particular chain and when data is sent into, out of or through a PC the data is checked against these rules.  If the data matches a particular rule, it then must “jump” to a condition.  Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
  
Iptables consists of three chains of rules – INPUT, OUTPUT and FORWARD.  Here as brief explanation of these chains.
+
Iptables consists of multiple tables, each containing one or more chains of rules. For firewall purposes, the FILTER table is important; it contains these three chains: – INPUT, OUTPUT and FORWARD.  Here as brief explanation of these chains.
  
 
'''OUTPUT''' – When you want to do some research on the Web for something, you open a browser on your PC and navigate to http://www.google.ca.  When you do you are attempting to establish an HTTP or HTTPS session with the web server at http://www.google.ca.  A data packet is built with appropriate IP and TCP information and sent out of your computer but before it goes out to the Internet it will be compared to all of the rules in the OUTPUT chain to see if this data is allowed to go “out” of the PC.  If it is not allowed then the packet is dropped.
 
'''OUTPUT''' – When you want to do some research on the Web for something, you open a browser on your PC and navigate to http://www.google.ca.  When you do you are attempting to establish an HTTP or HTTPS session with the web server at http://www.google.ca.  A data packet is built with appropriate IP and TCP information and sent out of your computer but before it goes out to the Internet it will be compared to all of the rules in the OUTPUT chain to see if this data is allowed to go “out” of the PC.  If it is not allowed then the packet is dropped.
Line 228: Line 328:
 
'''FORWARD''' – LINUX PC's are often used as routers or gateways for other PC's.  This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC.  Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here.  Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another.  When this process happens, the data is checked against the FORWARD chain to see if it is allowed through.  If it is the router will forward the data to it's destination.  If not, the packet is dropped.}}
 
'''FORWARD''' – LINUX PC's are often used as routers or gateways for other PC's.  This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC.  Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here.  Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another.  When this process happens, the data is checked against the FORWARD chain to see if it is allowed through.  If it is the router will forward the data to it's destination.  If not, the packet is dropped.}}
  
{{Admon/important | Note! | We will complete this lab on the host machine.
+
{{Admon/important | Non-Persistent Changes to your Host System | Complete this lab on your host system (f16host).
 
    
 
    
It should be noted that all of the commands that we do here with iptables will not be persistent.
+
It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded.}}
  
That means if you re-boot, the default iptables configuration will be loaded.}}
+
# As root on the fedora host enter the following commands at the prompt:
 +
#* <code>iptables -F</code> (This flushes out or clears all of your rules from the chains)
 +
#* <code>iptables -L</code>
 +
# You should see something similar to this:<br /><br />Chain INPUT (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />Chain FORWARD (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />Chain OUTPUT (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />
 +
# Set the default policy for the INPUT chain to DROP:
 +
#* <code>iptables -P INPUT DROP</code>
 +
# Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP
 +
# Write the commands you executed in your lab book.
 +
# Can we mix these policies?  Try to set the FORWARD chain policy to ACCEPT.  Did it work?
 +
{{Admon/note | Chain Policies | Each chain has a default policy.  In my example here the default policy is ACCEPT.  This means that if data packets are checked and there is no rule that matches that packet in the chain the data will be allowed to pass to it's destination.  Conversely, if the policy is set to DROP then the packet will be dropped if there is no match. Flushing the table (<code>iptables -F</code>) when an ACCEPT policy is in place will cause all packets to be accepted; flushing the table when an DENY policy is in place will cause all packets to be dropped.}}
  
 +
==== Testing policies ====
  
* As root on the fedora host enter the following commands at the prompt:
+
# Execute the command <code>iptables -L</code> and check that the policies on your INPUT and OUTPUT  chain are set to DROP
** <code>iptables -F</code> (This flushes out or clears all of your rules from the chains)
+
# Open a browser and attempt to access the Internet.  Were you successful?
** <code>iptables -L</code>
+
# Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
*You should see something similar to this:
+
# Open your browser and attempt to access the Internet again.  Were you successful?
<pre>
+
# Change the policies on all of the chains to DROP
    Chain INPUT (policy ACCEPT)
+
# In the OUTPUT chain, add the following rule:
 +
#* <code>iptables -A OUTPUT -j LOG</code>
 +
# The above rule tells <code>iptables</code> to log packets and relevant information to <code>/var/log/messages</code>
 +
# This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.
 +
# Try to access the Internet again.  Because the policies have been set to DROP, you should be unsuccessful.  However, every packet of data that your PC attempted to send out was logged.  Let's have a look at the log file and analyze the data.
 +
#* <code>tail /var/log/messages</code>
 +
# This command shows us the last 10 lines of the file.  While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need.  Look for a line that looks similar to the following:<br /><br /><blockquote><code>Mar  3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0</code></blockquote>
 +
# Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value. 
 +
# When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80.  This is the standard port for the WWW.  Because we have set the default policy to DROP it drops these packets.  The problem is we are dropping all packets.  What if we just want to drop the WWW packets?
 +
# Using the commands we already know, change the default policies on all of your chains to ACCEPT
 +
# Open a browser and confirm that you can access the world wide web.
 +
# Enter the command:
 +
#* <code>iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</code>
 +
# Try to access the Web.  If you have done everything right, you should not have been successful.
 +
# After you have completed the test execute the following command:
 +
#* <code>iptables -F</code>
 +
{{Admon/note| Interpreting iptables commands |Here is the command you just used:
  
    target prot opt source destination
+
iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
  
    Chain FORWARD (policy ACCEPT)
+
Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.
  
    target prot opt source destination
+
Let's break down the command to see how it works.
  
    Chain OUTPUT (policy ACCEPT)
+
The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy.  This means it will be the first line in the policy.  If we used a -A switch it would have appended the line and it would be the last line of the policy.  If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).
  
    target prot opt source destination
+
The '''-p tcp''' switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all.
</pre>
 
  
{{Admon/note | | Each chain has a default policy.  In my example here the default policy is ACCEPTThis means that if data packets are checked and there is no rule that matches that packet in the chain the data will be allowed to pass to it's destinationConversely, if the policy is set to DROP then the packet will be dropped if there is no match.
+
The '''-s0/0''' switch specifies the source IP address0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assignedYou can change this value if you want to the IP address that has been specifically assigned to your PC.
  
See the MAN page for <code>iptables</code> for detailed information on switches and options.}}
+
The '''-d0/0''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.
  
* Set the default policy for the INPUT chain to DROP:
+
The switch '''--dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch.
** <code>iptables -P INPUT DROP</code>
 
  
{{Admon/note| |The <code>-P</code> switch stands for POLICY. This tells <code>iptables</code> that we are changing the policy for the INPUT chain. The policy is to be changed to DROP. 
+
'''-j''' means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.
  
Note that <code>iptables</code> commands (as well as all other Linux commands) are case sensitive.  Check your syntax carefully.}}
+
'''DROP''' means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.
  
* Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP
+
}}
* Write the commands you executed in your lab book.
+
{{Admon/note|0/0 Addresses|Source and destination addresses of 0/0 will match all addresses. Therefore, they '''don't do anything''' and can be removed:
* Can we mix these policies?  Try to set the FORWARD chain policy to ACCEPT.  Did it work?
 
  
'''Testing policies'''
+
iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
  
* Execute the command <code>iptables -L</code> and check that the policies on your INPUT and OUTPUT  chain are set to DROP
+
is equivalent to:
* Open a browser and attempt to access the Internet.  Were you successful?
 
* Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
 
* Open your browser and attempt to access the Internet again.  Were you successful?
 
  
* Change the policies on all of the chains to DROP
+
iptables -I OUTPUT -p tcp --dport 80 -j DROP
* In the OUTPUT chain, add the following rule:
+
}}
** <code>iptables -A OUTPUT -j LOG</code>
 
* The above rule tells <code>iptables</code> to log packets and relevant information to <code>/var/log/messages</code>. 
 
* This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.
 
* Try to access the Internet again.  Because the policies have been set to DROP, you should be unsuccessful.  However, every packet of data that your PC attempted to send out was logged.  Let's have a look at the log file and analyze the data.
 
** <code>tail /var/log/messages</code>
 
* This command shows us the last 10 lines of the file.  While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need.  Look for a line that looks similar to the following:
 
  
Mar  3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0
+
==== Final Tasks ====
  
 +
# Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
 +
# After you have completed this task, flush the iptables again.
 +
# Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice. 
 +
# Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.
 +
# Confirm that your rule works by testing from your VM's
 +
# Does iptables close the port? Check using <code>netstat</code>
 +
# Now insert a rule on the fedora host that would ACCEPT connections from the fedora2 VM only.
 +
# Fully test your configuration.
  
Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value.  When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80.  This is the standard port for the WWW. Because we have set the default policy to it drops these packets.  The problem is we are dropping all packets.  What if we just want to drop the WWW packets?
+
{{Admon/note | iptables Service |When your iptables service starts or at boot time it has to load the rules from the file <code>/etc/sysconfig/iptables</code>.}}
  
10.  Using the commands we already know, change the default policies on all of your chains to ACCEPT.    Open a browser and confirm that you can access the world wide web.
+
<ol>
 
+
  <li value="9">'''Make a backup of the file <code>/etc/sysconfig/iptables</code>'''</li>
11.  Enter the following from the command prompt:
+
  <li>Examine the file to see how rules are added.</li>
 
+
  <li>Issue the command: <code>iptables-save > /etc/sysconfig/iptables</code>  to save the rules you added with the iptables command, above.</li>
'''iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 –dport 80 -j DROP'''
+
  <li>Verify that the file <code>/etc/sysconfig/iptables</code> was updated with your new rules.</li>
 
+
  <li>Restart your iptables service and test your configuration. </li>
This command can be read like this:  Insert a line into the iptables  OUTPUT chain that will look at tcp information and DROP any packet with a source address from anywhere, to a destination address to anywhere if the destination port = 80 (WWW.)  Let's break down the command to see how it works.
+
  <li>Write a short bash script to add a rule allowing the fedora1 and fedora3 VM's to connect to <code>ssh</code> on the fedora host.</li>
 
+
</ol>
The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy.  This means it will be the first line in the policy.  If we used a -A switch it would have appended the line and it would be the last line of the policy.  If you are writing complex iptables where multiple matches can occur, it is important that the lines go in the right order. Most people simply write scripts to ensure this.
 
 
 
The '''-p''' tcp switch tells iptables to filter data by looking at TCP information in the packets.  For now, we simply want to filter data by source and destination TCP ports so we need this switch.
 
 
 
The '''-s0/0''' switch specifies the source IP address.  0/0 means a source address of “anywhere.”  this has been put into the lab because your ip address will change because it is dynamically assigned.  You can change this value if you want to the IP address that has been specifically assigned to your PC.
 
 
 
The '''-d0/0''' switch specifies the destination address.  It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.
 
  
The switch '''–dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80
+
'''Answer the Investigation 8 observations / questions in your lab log book.'''
  
'''-j''' means jump to a particular condition – Basic conditions are ACCEPT, DROP and LOG.  There are others and you also have the ability to create your own.
+
== New Configuration ==
  
'''DROP''' means drop the packet – do not let it leave the computer.
+
Now you should have the following network configuration:<br /><br />
 +
[[Image:network-config2.png]]
  
Try to access the Web. If you have done everything right, you should not have been successful.
+
* '''Fedora host''' has 1 active network interface (probably <code>'''em1'''</code>)that receives IP configuration from the School's DHCP server.
 +
* '''Fedora host''' has 1 active network interface (<code>'''virbr1'''</code>) that has a static default configuration of '''192.168.235.1/255.255.255.0'''
 +
* '''Fedora1''' VM has 1 active interface (<code>'''eth1'''</code>) that has a static configuration of '''192.168.235.11/255.255.255.0'''
 +
* '''Fedora2''' VM has 1 active interface (<code>'''eth1'''</code>) that has a static configuration of '''192.168.235.12/255.255.255.0'''
 +
* '''Fedora3''' VM has 1 active interface (<code>'''eth1'''</code>) that has a static configuration of '''192.168.235.13/255.255.255.0'''
  
12.  After you have completed the test execute the following command:
 
  
'''iptables -F'''
+
== Completing the lab ==
  
Additional Exercises
+
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines.}}
  
This will flush out all of the rules for iptables. Using the information you have, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
+
Arrange proof of the following on the screen:
 +
# A list of your <code>iptables</code> rules.
 +
# The contents of your <code>arp</code> cache.
 +
# <code>ssh</code> from fedora2 to fedora host.
 +
# <code>ifconfig</code> from all 3 VM's
 +
# Contents of <code>/tmp/lab6</code> directory.
 +
# Fresh backup of the virtual machines.
  
After you have completed this task, flush the iptables again.
 
  
Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.  Once you have confirmed that ssh is running on the host machine, modify the iptables setup on the host machine to prevent access to the ssh server from the virtual machine.
+
== Preparing for Quizzes ==
  
Open a text editor and write a script that will accomplish the above task for you when you run it.  Show the script to your professor and execute it.
+
# What is a port?
 +
# What command will set your IP configuration to 192.168.55.22/255.255.255.0 ?
 +
# What file contains the systems <code>iptables</code> rules?
 +
# What is the difference between UDP and TCP?
 +
# What port number is used for DHCP servers?
 +
# What is the function of the file <code>/etc/services</code> ?
 +
# What is the function of the file <code>/etc/hosts</code> ?
 +
# What is the purpose of the file <code>/etc/sysconfig/network-scripts/ifcfg-eth0</code> ?
 +
# What tool is used to show you a list of current TCP connections?

Latest revision as of 18:53, 3 January 2014

Stop (medium size).png
Draft Lab
This lab has NOT been released for regular distribution. When the lab is ready to be released, this caution banner will disappear.

Configuring a Network Using Virtual Machines

Overview

  • In this lab, you will learn the basics of networking by using your Virtual Machines and your f17host machine.
  • In addition, you will learn to associate network services with port numbers, and learn how to backup files by date/time.

Objectives

  1. Configure a virtual network for Virtual Machines
  2. Use the Fedora GUI program to configure network interfaces with static IP configuration and host name resolution
  3. Use the find command to locate the configuration files modified by the GUI network configuration program
  4. To examine some of the Linux's TCP/IP configuration files in the /etc/ directory
  5. To configure a Fedora host with static network configuration without a GUI tool
  6. To configure the linux firewall iptables to allow/disallow/forward different types of network traffic using simple rules


Required Materials (Bring to All Labs)

  • Fedora 17 LIVE CD
  • Fedora 17 x86_64 Installation DVD
  • SATA Hard Disk (in removable disk tray)
  • USB Memory Stick
  • Lab Logbook

Prerequisites

  • Completion and Instructor "Sign-off" of Lab 5: OPS235 Lab 5


Linux Command Online Reference

Each Link below displays online manpages for each command (via http://linuxmanpages.com):

Networking Utilities: Additional Utilities:


Resources on the web

Additional links to tutorials and HOWTOs:


Current Configuration

Currently you should have the following network configuration:

Network-config1.png

  • Fedora host has 1 active network interface (probably em1) that receives IP configuration from the School's DHCP server.
  • Fedora host has 1 active network interface (virbr0) that has a static default configuration of 192.168.122.1/255.255.255.0
  • Fedora1 VM has 1 active interface (eth0) that receives a dynamic configuration from your Fedora Host
  • Fedora2 VM has 1 active interface (eth0) that receives a dynamic configuration from your Fedora Host
  • Fedora3 VM has 1 active interface (eth0) that receives a dynamic configuration from your Fedora Host


Lab Preparation

Important.png
Live disc installations and system-config-network
The fedora1 VM was installed from Live CD. It is missing the GUI Network Configuration tool we will be using. Use the command yum install system-config-network to install it.
Important.png
Backup your VMs before proceeding
Stop all of your VMs and backup your VM disk images. Do not start the VMs until told to start them.

Configuring a Network Using Virtual Machines

Investigation 1: How do you create a new virtual network.

Note.png
Use the f17host
Complete the following steps on your f17host computer system.

Before configuring our network we want to turn off dynamic network configuration for our Virtual Machines by turning off the "default" virtual network.

  1. On your f17host machine start Virtual Machine Manager
  2. In the Virtual Machine Manager dialog box, Select Edit-> Connection Details.
  3. In the Hosts Details dialog box, select the Virtual Networks tab
  4. Disable the default configuration from starting at boot by deselecting "Autostart" (on boot) checkbox.
  5. Stop the default network configuration by clicking on the stop button at the bottom left-side of the dialog box.
  6. Click the add button (the button resembles a "plus sign") to add a new network configuration.
  7. Give your new network a name (i.e. network1)
  8. Enter in the new network IP address space:
    • 192.168.235.0/24
  9. Disable DHCP by deselecting the check box.
  10. Enable Network Forwarding by Selecting Forwarding to physical network
  11. The destination should be Any physical device and the mode should be NAT
  12. Proceed with changes, and select Finish.
  13. Before proceeding, check the "default" network connection (in the Virtual Networks section) to verify Autostart is disabled, and that you have created the network1 configuration. You might be required to click Apply when the default Autostart option is deselected. If you have any problems launching your VMs, then it is recommend to reboot your main system.
  14. Close the Virtual Manager, reboot your f16host, log-back into your f16host computer, and restart the Virtual Machine Manager.
Note.png
Repeat these steps for each VM
Complete the following steps on each of your virtual machines.
  1. Now we need to add our new virtual network network1 to the 3 VM's
    1. Select the fedora1 VM and edit the Virtual Machine Details
      (Note: the Virtual Machine window will appear - do not start virtual machine)
    2. Under View select Details
    3. In the left pane of the Virtual Machine window, select NIC: and note that this NIC is on the "default" virtual network
    4. Click on the Remove button at the bottom right-side of the dialog box.
    5. Click on Add Hardware on the bottom left-side of the dialog box and add a new network
    6. For the host device, locate and select Virtual Network network1 : NAT
    7. Click finish to exit the Virtual Machine Details dialog box.
  2. Repeat steps a - g for fedora2 and fedora3 VM's.

Answer the Investigation 1 observations / questions in your lab log book.

Investigation 2: How do you configure a static network using system-config-network.

Note.png
Use fedora2
Complete this investigation on your fedora2 VM.
  1. Start fedora2 VM and login
  2. On your fedora host run ifconfig and make note of the IP address assigned to the virbr1 interface. This will be your default gateway for your Vm's.
    New network dialog.png
  3. Make certain to return to your fedora2 VM.
  4. To configure a new interface on fedora2 go to Applications->Other->Network Connections.
  5. Make certain there are no "Wired" connections (even if you have to click on the connection name and click the Delete button.
  6. Create a new wired connection, with the "Connection Name" at the top to read eth1
  7. Click on the Add button, and select the IPv4 Settings tab.
  8. Change the method from "Automatic (DHCP)" to "Manual".
  9. In the Addresses section, click "Add".
  10. Manually set the IP configuration to:
    IP Address 192.168.235.12
    Subnet Mask 255.255.255.0
    Default Gateway 192.168.235.1 (The IP address of virbr1 on your fedora host.)
  11. Click on the DNS field and add 192.168.235.1 as the primary DNS server.
  12. Click Save to Finish, and exit the Network Connections dialog box.
  13. Your network connection may connect (view the Network Manager applet in the gnome panel at the top of the screen). If there is no connection after a few minutes, you should be able to right-click on the applet and click "eth1" to connect.
  14. You should be able to use the systemctl command to restart your network.
  15. Restart your network on fedora2 by issuing the commands:
    • systemctl stop NetworkManager.service
    • systemctl start NetworkManager.service
  16. Verify your new interface by examining the output of ifconfig
  17. To verify that fedora2 has the correct default gateway configured, enter the command: route -n
  18. Verify the network by using: ping 192.168.235.1

Answer the Investigation 2 observations / questions in your lab log book.

Investigation 3: What files does the system-config-network GUI tool change?.

Note.png
Use fedora1
Complete this investigation on your fedora1 VM.
Note.png
Backing up Files
One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system.
The following is an example of a common backup system used in Business Unix/Linux systems:

Full Backup: Backup all specified files (eg. configuration, data files, etc)
Incremental Backup: Backup of only files that have changed since last (full) backup

When the system is required to be fully restored, then the full backup is recovered, followed by each .
In this investigation, you will learn how to perform an incremental backup using the find utility
  1. Start fedora1 VM and login
  2. Before we configure fedora1 we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool.
    • date > /tmp/timestamp
  3. Run the network configuration tool and enter the following static configuration in the same way that you configured fedora2.
    • IP Address: 192.168.235.11
    • Subnetmask: 255.255.255.0
    • Default Gateway: 192.168.235.1
    • DNS Server: 192.168.235.1
  4. Save and exit the network configuration tool.
  5. Restart the NetworkManager service.
  6. Verify the configuration by pinging fedora host (192.168.235.1) and fedora2 (192.168.235.12)
  7. To verify that fedora1 has the correct default gateway configured, enter the command route -n
Note.png
Creating an Incremental Backup

We will now be using the find command to:

  • Locate the configuration files (contained in the /etc directory) that were modified by the GUI network configuration program
  • Copy those configuration files to a "specified" directory for backup purposes
Previously, you created a file called /tmp/timestamp that just contains the current date and time prior to running the network configuration toool for fedora2.. Any files that were modified by the GUI network configuration program should have a timestamp later (or newer) than the "timestamp" file you created. All the Linux TCP/IP configuration files are stored under the /etc directory or its sub-directories. The find command (using the correct options) can be used to only list those files that have been recently created since the timestamp date contained in the /tmp/timestamp file.
  1. Run the following Linux command:
    • find /etc -newer /tmp/timestamp > /root/netcfg.lst
  2. View the /root/netcfg.lst file. What does it contain?
  3. Create a new directory called: /tmp/lab6
  4. Issue the following commands:
    • mkdir -p /tmp/lab6
    • find /etc -newer /tmp/timestamp -exec cp {} /tmp/lab6 \;
  5. View the contents of the /tmp/lab6 directory. What does it contain?
Idea.png
Tip
Just for interest, it is relatively simple to automate your backups. You just create a Bash Shell script file using the find command above, give the shell script executable permissions, and use the crontab command to schedule when this script is to be run. If you want to learn more about shell scripting, you can take or refer to the course called OPS435 .

Answer the Investigation 3 observations / questions in your lab log book.

Investigation 4: How do I configure the network without a GUI tool?

Note.png
Use fedora3
Complete this investigation on your fedora3 VM.
  1. Start fedora3 VM and login as root
  2. Use the command ifconfig to list active interfaces, you should see one with a name of eth0 or a similar name.
  3. To configure your card with a static address use the following command:
    • ifconfig eth0 192.168.235.13 netmask 255.255.255.0
  4. To configure a default gateway for that interface enter the command:
    • route add default gw 192.168.235.1
  5. To configure your DNS server edit the file /etc/resolv.conf. Change the nameserver line to be:
    • nameserver 192.168.235.1
  6. Confirm your settings work by doing the following:
    • ifconfig
    • route -n
    • ping your other VM's and fedora host.
    • ssh to your matrix account to test DNS
  7. Restart the fedora3 VM
  8. Login and test your configuration again. What happened?
  9. While we can configure network settings from the command line those settings are not persistent. To configure persistent network configurations we need to edit the configuration files:
    • Change to the /etc/sysconfig/network-scripts directory on fedora3
    • List the contents of the directory and you should see 2 different types of files, network config scripts and network configuration files.
    • look for the config file for your original interface, it should be named ifcfg-eth0
    • Copy that file to ifcfg-ethN where N relates to your current eth interface number (we will use eth1 as an example).
    • Edit the new file for you interface and give it the following settings:
      • DEVICE="eth1" <-- or the interface name YOU have
      • IPADDR="192.168.235.13"
      • NETMASK="255.255.255.0"
      • GATEWAY="192.168.235.1"
      • HWADDR="52:54:00:3f:5c:fa" <-- use the HWADDR for YOUR interface
      • DNS1="192.168.235.1"
      • BOOTPROTO="static"
      • ONBOOT="yes"
      • NM_CONTROLLED="yes"
      • IPV6INIT="no"
  10. Save the file and then restart the network connection by issuing the commands: ifdown eth1 and then ifup eth1

    NOTE: If there are errors, check that the hardware address in the config file matches the hardware address of the device its configuring

  11. Verify your configuration as you did before.
  12. Finally the kickstart file used to install this VM did not set the hostname. Edit the file /etc/sysconfig/network and set the hostname to fedora3
  13. Restart the fedora3 VM.
  14. Login and attempt to ssh to your matrix account to verify the settings.

Answer the Investigation 4 observations / questions in your lab log book.

Investigation 5: How do I setup local hostname resolution?

Note.png
Use each machine
Complete this investigation on all of your VM's and the Fedora host.
Note.png
Hosts files vs. the Domain Name System
On large public networks like the Internet or even large private networks we use a network service called Domain Name System (DNS) to resolve the human friendly hostnames like fedoraproject.org to the numeric addresses used by the IP protocol. On smaller networks we can use the /etc/hosts on each system to resolve names to addresses.
  1. Use the hostname and ifconfig commands on your fedora host and all 3 VM's to gather the information needed to configure the /etc/hosts file on the fedora host and the 3 VM's.
  2. Edit the /etc/hosts file on each of the virtual machines and the fedora host. Refer to the table below for information to enter in the /etc/hosts file.


Sample /etc/hosts file
# hostname fedora1 added to /etc/hosts by anaconda
127.0.0.1               localhost.localdomain localhost fedora1
::1                     localhost6.localdomain6 localhost6 fedora1

192.168.235.1           f17host
192.168.235.11          fedora1
192.168.235.12          fedora2
192.168.235.13          fedora3


  1. Confirm that each host can ping all three of the other hosts by name.

Answer the Investigation 5 observations / questions in your lab log book.

Obtaining MAC Address / Service Port / Firewall Information

Investigation 6: How do I collect the MAC (Hardware) addresses of computers on my network?

Note.png
Use your Fedora Host
Complete this investigation on your Fedora host.
Note.png
Obtaining Remote MAC Addresses
The term MAC address stands for Media Access Control address, which provides a unique ID to prevent confusion among computer systems within a network. While we use 32bit IP addresses to communicate over an internetwork, on the local ethernet network packets are delivered to a 48bit hardware address (sometimes called a MAC address). The ARP protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers on our local network.

Being able to determine remote MAC address information is useful from troubleshooting networking programs to using WOL (Wake up on Lan) to automatically boot remote workstations via the network. In this investigation, you will learn how to obtain MAC address information for various network cards.
  1. On the fedora host ping each of your VM's
  2. Examine the contents of the ARP cache by using the command arp
  3. Check the contents of the cache again by using the command arp -n
  4. What was the difference in output?

Answer the Investigation 6 observations / questions in your lab log book.


Investigation 7: How can I see what network services or ports are active on my Fedora system?

Note.png
Use All Machines
Complete this investigation on all of your VM's and the Fedora host.
Note.png
Network Ports
When our Fedora system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the netstat command.
  1. On your fedora host execute the command: netstat -at
  2. This command will list all active TCP ports. Note the state of your ports.
  3. TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the ssh service in a LISTEN state as it is waiting for connections.
  4. From one of your VM's login to your host using ssh
  5. On the fedora host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
  6. Exit your ssh connection from the VM and rerun the command on the fedora host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
  7. On your fedora host try the command netstat -atn. How is this output different?
  8. Without the -n option netstat attempts to resolve IP addresses to host names (using /etc/hosts) and port numbers to service names (using /etc/services)
  9. Examine the /etc/services file and find which ports are used for the services: ssh, ftp, http
  10. Now execute the command netstat -au What is the difference between -at and -au?
  11. When examining UDP ports why is there no state?
  12. Using the netstat man page and experimentation make sure you understand how the following options work.
    • -at
    • -au
    • -atp
    • -aup
    • -atn
    • -aun
    • -autnp

Answer the Investigation 7 observations / questions in your lab log book.


Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration

Note.png
Use the f17host
Complete the following steps on your f17host computer system.


Note.png

Iptables is the built-in firewall for LINUX. While this program can be controlled by different GUI's, we are going to investigate the powerful command line interface for this program to choose what data is allowed into, out of and through our computer.

Essentially, Iptables is a list of rules. Each rule is placed into a particular chain and when data is sent into, out of or through a PC the data is checked against these rules. If the data matches a particular rule, it then must “jump” to a condition. Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.

Iptables consists of multiple tables, each containing one or more chains of rules. For firewall purposes, the FILTER table is important; it contains these three chains: – INPUT, OUTPUT and FORWARD. Here as brief explanation of these chains.

OUTPUT – When you want to do some research on the Web for something, you open a browser on your PC and navigate to http://www.google.ca. When you do you are attempting to establish an HTTP or HTTPS session with the web server at http://www.google.ca. A data packet is built with appropriate IP and TCP information and sent out of your computer but before it goes out to the Internet it will be compared to all of the rules in the OUTPUT chain to see if this data is allowed to go “out” of the PC. If it is not allowed then the packet is dropped.

INPUT – If your data was allowed out and a request was sent to http://www.google.ca, this web server will send data back to your PC with an acknowledgement. Before this data can be processed by your browser, it must first be checked against the INPUT chain to see if it is allowed into the PC. If it is, your browser will process the data and move to it's next task. If it is not, the packet will be dropped.

FORWARD – LINUX PC's are often used as routers or gateways for other PC's. This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC. Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here. Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another. When this process happens, the data is checked against the FORWARD chain to see if it is allowed through. If it is the router will forward the data to it's destination. If not, the packet is dropped.
Important.png
Non-Persistent Changes to your Host System
Complete this lab on your host system (f16host). It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded.
  1. As root on the fedora host enter the following commands at the prompt:
    • iptables -F (This flushes out or clears all of your rules from the chains)
    • iptables -L
  2. You should see something similar to this:

    Chain INPUT (policy ACCEPT)

    target prot opt source destination

    Chain FORWARD (policy ACCEPT)

    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)

    target prot opt source destination

  3. Set the default policy for the INPUT chain to DROP:
    • iptables -P INPUT DROP
  4. Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP
  5. Write the commands you executed in your lab book.
  6. Can we mix these policies? Try to set the FORWARD chain policy to ACCEPT. Did it work?
Note.png
Chain Policies
Each chain has a default policy. In my example here the default policy is ACCEPT. This means that if data packets are checked and there is no rule that matches that packet in the chain the data will be allowed to pass to it's destination. Conversely, if the policy is set to DROP then the packet will be dropped if there is no match. Flushing the table (iptables -F) when an ACCEPT policy is in place will cause all packets to be accepted; flushing the table when an DENY policy is in place will cause all packets to be dropped.

Testing policies

  1. Execute the command iptables -L and check that the policies on your INPUT and OUTPUT chain are set to DROP
  2. Open a browser and attempt to access the Internet. Were you successful?
  3. Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
  4. Open your browser and attempt to access the Internet again. Were you successful?
  5. Change the policies on all of the chains to DROP
  6. In the OUTPUT chain, add the following rule:
    • iptables -A OUTPUT -j LOG
  7. The above rule tells iptables to log packets and relevant information to /var/log/messages.
  8. This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.
  9. Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged. Let's have a look at the log file and analyze the data.
    • tail /var/log/messages
  10. This command shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:

    Mar 3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0
  11. Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value.
  12. When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?
  13. Using the commands we already know, change the default policies on all of your chains to ACCEPT.
  14. Open a browser and confirm that you can access the world wide web.
  15. Enter the command:
    • iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
  16. Try to access the Web. If you have done everything right, you should not have been successful.
  17. After you have completed the test execute the following command:
    • iptables -F
Note.png
Interpreting iptables commands
Here is the command you just used:
iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP

Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.

Let's break down the command to see how it works.

The -I switch tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a -A switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, -I 3 OUTPUT will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).

The -p tcp switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all.

The -s0/0 switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC.

The -d0/0 switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.

The switch --dport 80 tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the --sport switch.

-j means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.

DROP means drop the packet – make it disappear - and do not continue processing rules. REJECT is similar, but causes an error packet to be sent back to the source host. ACCEPT causes the packet to be processed. LOG causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.

Note.png
0/0 Addresses
Source and destination addresses of 0/0 will match all addresses. Therefore, they don't do anything and can be removed:
iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP

is equivalent to:

iptables -I OUTPUT  -p tcp --dport 80 -j DROP

Final Tasks

  1. Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
  2. After you have completed this task, flush the iptables again.
  3. Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.
  4. Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.
  5. Confirm that your rule works by testing from your VM's
  6. Does iptables close the port? Check using netstat
  7. Now insert a rule on the fedora host that would ACCEPT connections from the fedora2 VM only.
  8. Fully test your configuration.
Note.png
iptables Service
When your iptables service starts or at boot time it has to load the rules from the file /etc/sysconfig/iptables.
  1. Make a backup of the file /etc/sysconfig/iptables
  2. Examine the file to see how rules are added.
  3. Issue the command: iptables-save > /etc/sysconfig/iptables to save the rules you added with the iptables command, above.
  4. Verify that the file /etc/sysconfig/iptables was updated with your new rules.
  5. Restart your iptables service and test your configuration.
  6. Write a short bash script to add a rule allowing the fedora1 and fedora3 VM's to connect to ssh on the fedora host.

Answer the Investigation 8 observations / questions in your lab log book.

New Configuration

Now you should have the following network configuration:

Network-config2.png

  • Fedora host has 1 active network interface (probably em1)that receives IP configuration from the School's DHCP server.
  • Fedora host has 1 active network interface (virbr1) that has a static default configuration of 192.168.235.1/255.255.255.0
  • Fedora1 VM has 1 active interface (eth1) that has a static configuration of 192.168.235.11/255.255.255.0
  • Fedora2 VM has 1 active interface (eth1) that has a static configuration of 192.168.235.12/255.255.255.0
  • Fedora3 VM has 1 active interface (eth1) that has a static configuration of 192.168.235.13/255.255.255.0


Completing the lab

Important.png
Time for a new backup!
If you have successfully completed this lab, make a new backup of your virtual machines.

Arrange proof of the following on the screen:

  1. A list of your iptables rules.
  2. The contents of your arp cache.
  3. ssh from fedora2 to fedora host.
  4. ifconfig from all 3 VM's
  5. Contents of /tmp/lab6 directory.
  6. Fresh backup of the virtual machines.


Preparing for Quizzes

  1. What is a port?
  2. What command will set your IP configuration to 192.168.55.22/255.255.255.0 ?
  3. What file contains the systems iptables rules?
  4. What is the difference between UDP and TCP?
  5. What port number is used for DHCP servers?
  6. What is the function of the file /etc/services ?
  7. What is the function of the file /etc/hosts ?
  8. What is the purpose of the file /etc/sysconfig/network-scripts/ifcfg-eth0 ?
  9. What tool is used to show you a list of current TCP connections?