Difference between revisions of "OPS235 Lab 6 - CentOS7"

From CDOT Wiki
Jump to: navigation, search
 
(209 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Configuring a Network Using Virtual Machines =
+
{{Admon/caution|THIS IS AN OLD VERSION OF THE LAB|'''This is an archived version. Do not use this in your OPS235 course.'''}}
 +
=LAB PREPARATION=
  
==Overview==
+
==Purpose / Objectives of Lab 6==
 +
[[Image:network.png|thumb|right|150px|Setting up networks is an essential operation for a system administrator. Maintaining network connectivity and securing the network are also essential operations for a system administrator.]]
  
* In this lab, you will learn the basics of networking by using your Virtual Machines and your c6host machine.
 
  
* In addition, you will learn to associate network services with port numbers, and learn how to backup files by date/time.
+
In this lab, you will learn the basics of networking by using your '''Virtual Machines''' and your '''c7host''' machine. You will first set up a virtual private network among those machines. In addition, you will learn to set up '''network names''' (to associate with server's IP Addresses), '''associate network services with port numbers''' for troubleshooting purposes, and setup '''firewall policies''' via the '''iptables''' command.
 +
 
 +
<u>Main Objectives</u>
 +
 
 +
# Configure a private (virtual) network for your '''VMs''' and your '''c7host''' machine
 +
# Configure network interfaces for your Virtual Machines using both '''graphical''' and '''command-line''' utilities.
 +
# Use '''local hostname resolution''' to resolve simple server names with their corresponding IP Addresses
 +
# Backup more recent files (eg. '''incremental backup''') using the '''find''' command and a '''date/time-stamp''' file
 +
# Use common networking utilities to associate network services with port numbers for troubleshooting purposes
 +
# Gain initial exposure to the '''iptables''' command used to configure and maintain a firewall for protection and troubleshooting
 +
# Configure '''iptables''' to '''allow/disallow/forward''' different types of network traffic
  
== Objectives ==
 
# Configure a virtual network for Virtual Machines
 
# Use the CemtOS GUI program to configure network interfaces with static IP configuration and host name resolution
 
# Use the <code>find</code> command to locate the configuration files modified by the GUI  network configuration program
 
# To examine some of the Linux's TCP/IP configuration files in the <code>/etc/</code> directory
 
# To configure a CentOS host with static network configuration without a GUI tool
 
# To configure the linux firewall <code>iptables</code> to allow/disallow/forward different types of network traffic using simple rules
 
  
 
==Minimum Required Materials==
 
==Minimum Required Materials==
Line 29: Line 33:
 
|}
 
|}
 
==My Toolkit (CLI Reference)==
 
==My Toolkit (CLI Reference)==
Each Link below displays online manpages for each command (via [http://linuxmanpages.com/ http://linuxmanpages.com]):
 
  
 
{|width="100%" cellpadding="5" width="50%"
 
{|width="100%" cellpadding="5" width="50%"
Line 45: Line 48:
 
* [[IPTables]] Reference
 
* [[IPTables]] Reference
 
|
 
|
*[http://man7.org/linux/man-pages/man8/find.8.html find]
+
*[http://man7.org/linux/man-pages/man1/find.1.html find]
*[http://man7.org/linux/man-pages/man8/tail.8.html tail]
+
*[http://man7.org/linux/man-pages/man1/tail.1.html tail]
*[http://man7.org/linux/man-pages/man8/cp.8.html cp]
+
*[http://man7.org/linux/man-pages/man1/cp.1.html cp]
 
|}
 
|}
  
 +
=INVESTIGATION 1: CONFIGURING A VIRTUAL PRIVATE NETWORK=
 +
 +
For the remainder of this course, we will focus on networking involving our VMs and our c7host machine. This lab will focus on setting up a virtual private network ('''VPN'''), connecting our VMs and c7host machine to the VPN, and configuring our VPN to make more convenient to use, troubleshoot and protect. '''Lab 7''' will focus more on configuring SSH and making access to the VPN more secure. Finally, '''lab 8''' will focus on configuring the network for fixed workstations, mobile devices, or both at the same time.
  
== Current Configuration ==
+
There are several reasons for creating '''VPNs'''. The main reason is to '''safely connect servers together''' (i.e. to safely limit but allow share information among computer network users). This allows for a secure connection of computers yet controlling access to and monitoring (protecting) access to permitted users (discussed in more depth in lab7).
Currently you should have the following network configuration:<br /><br />[[Image:network-config-centos.png]]
 
* '''CentOS host''' has 1 active network interface (probably <code>eth0</code> or <code>eth1</code>) that receives IP configuration from the School's DHCP server.
 
* '''CentOS host''' has 1 active network interface (<code>'''virbr0'''</code>) that has a static default configuration of '''192.168.122.1/255.255.255.0'''
 
* '''CentOS1 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your CentOS Host
 
* '''CentOS2 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your CentOS Host
 
* '''CentOS3 VM''' has 1 active interface (<code>'''eth0'''</code>) that receives a dynamic configuration from your CentOS Host
 
  
== Configuring a Network Using Virtual Machines ==
 
  
=== Investigation 1: How do you create a new virtual network. ===
+
==Part 1: Configuring a Private Network (Via Virtual Machine Manager) ==
{{Admon/note | Use the c6host | Complete the following steps on your '''c6host''' computer system.}}
 
  
Before configuring our network we want to turn off dynamic network configuration for our Virtual Machines by turning off the "default" virtual network.
+
[[Image:network-config-centos.png|thumb|600px|right|This diagram shows the current network configuration of your '''c7host''' machine in relation to your '''Virtual Machines'''. In this section, you will be learning to change the default network settings for both your '''c7host''' machine and '''VMs''' to belong to a '''virtual network''' using fixed IP Addresses. ]]
# Turn off your virtual machines
+
If we are going to setup a private network, we must do 2 major operations: First, '''define a new private network in the Virtual Manager application'''; and second, '''configure each of our VMs to connect to this new private network'''. In Part 1, we will be perform the first operation. In parts 2, 3, and 4, we will be performing the second operation for all VMS (graphical and command-line).
# Start Virtual Machine Manager
+
 
 +
 
 +
# Perform this section in your '''c7host''' machine.<br><br>'''NOTE:''' Before configuring our network we want to '''turn off dynamic network configuration for our Virtual Machines''' by turning off the '''"default"''' virtual network. We will then define our virtual private network. Follow the steps in order to perform these operations. <br><br>
 +
# Make certain that <u>'''ALL'''</u> virtual machines are powered off.
 
# In the Virtual Machine Manager dialog box, Select '''Edit'''-> '''Connection Details'''.
 
# In the Virtual Machine Manager dialog box, Select '''Edit'''-> '''Connection Details'''.
# In the '''Hosts''' Details dialog box, select the '''Virtual Networks''' tab
+
# In the '''c7host Connection Details''' dialog box, select the '''Virtual Networks''' tab
# Disable the default configuration from starting at boot by '''deselecting''' '''"Autostart"''' (on boot) checkbox.
+
# Disable the default configuration from starting at boot by '''<u>deselecting</u>''' '''Autostart (on boot)''' check-box and click the '''Apply''' button.
# Stop the default network configuration by clicking on the '''stop''' button at the bottom left-side of the dialog box.
+
# Then Stop the default network configuration by clicking on the '''stop''' button at the bottom left-side of the dialog box.
 
# Click the '''add''' button (the button resembles a "plus sign") to add a new network configuration.
 
# Click the '''add''' button (the button resembles a "plus sign") to add a new network configuration.
# Give your new network a name (i.e. '''network1''')
+
# Give your new network a name (i.e. '''network1''') then click the '''Forward''' button.
# Enter in the new network IP address space:
+
# In the next screen, enter in the new network IP address space:
#*'''192.168.235.0/24'''
+
#:'''192.168.235.0/24'''
# Disable DHCP by '''deselecting''' the check box.
+
# Disable DHCP4 by '''deselecting''' the check box and click the '''Forward''' button twice (accepting the defaults).
# Enable Network Forwarding by Selecting '''Forwarding to physical network'''
+
# Enable Network Forwarding by Selecting '''Forwarding to physical network''', the destination should be '''Any physical device''' and the mode should be '''NAT'''
# The destination should be '''Any physical device''' and the mode should be '''NAT'''
+
# Proceed with changes, and click '''Finish'''.
# Proceed with changes, and select '''Finish'''.
 
{{Admon/note | Repeat these steps for each VM | Complete the following steps on <u>each</u> of your virtual machines.}}
 
 
<ol>
 
<ol>
   <li value="15">Now we need to reconfigure our 3 VMs to use our new virtual network '''network1'''
+
   <li value="13">We will now reconfigure each of our VMs to use our new virtual network '''network1'''
<ol type="a" style="margin-left:2cm">
+
<ol type="a">
   <li value="1">Select the '''centos1''' VM and edit the '''Virtual Machine Details'''<br />(Note: the Virtual Machine window will appear - do not start virtual machine)</li>
+
   <li value="1">Let's start with our '''centos1 VM'''. Double-click on your '''centos1''' VM, but instead of running the VM, click on the '''view''' menu, and select: '''Details'''<br />(Note: the Virtual Machine window will appear - do not start virtual machine)</li>
  <li>Under View select '''Details'''</li>
 
 
   <li>In the '''left pane''' of the Virtual Machine window, select '''NIC:''' and note that this NIC is on the "default" virtual network</li>
 
   <li>In the '''left pane''' of the Virtual Machine window, select '''NIC:''' and note that this NIC is on the "default" virtual network</li>
   <li>Change it to '''Virtual Network network1''' : NAT</li>
+
   <li>Change it to '''Virtual Network network1: NAT''' (i.e. the VPN that you just created) and click the '''Apply''' button.</li>
 
</ol>
 
</ol>
 +
  </li>
 +
  <li>Repeat the same steps for your '''<u>centos2</u>''' and '''<u>centos3</u>''' VMs!</li>
 
   </li>
 
   </li>
 
</ol>
 
</ol>
  
'''Answer the Investigation 1 observations / questions in your lab log book.'''
+
'''Answer Part 1 observations / questions in your lab log book.'''
 +
 
 +
 
 +
== Part 2: Configuring VM Network Setup Graphically ('''system-config-network''')==
 +
 
 +
For Parts 2 and 3 of this investigation, we will be using a graphical tool to connect our '''centos1''' and '''centos2''' VMs to our private network.
  
=== Investigation 2: How do you configure a static network using <code>system-config-network</code>. ===
+
[[Image:new_network_dialog.png|right|thumb|250px|Although the private network has been setup via the '''Virtual Machine Manager''', each virtual machine requires to change its own network setting individually (either '''graphically''' or by '''command line''').]]
{{Admon/note | Use centos2 | Complete this investigation on your centos2 VM.}}
+
# On your '''c7host''' machine, run <b>ifconfig</b> and make note of the IP address assigned to the '''virbr1''' (i.e. "Virtual Bridge) interface. This will be the default gateway and DNS server for your VMs.
# Start '''centos2''' VM and login
+
# Start your '''centos1''' VM and login.
# On your '''centos host''' run <code>ifconfig</code> and make note of the IP address assigned to the <code>virbr1</code> interface. This will be the default gateway and DNS server for your VMs.[[Image:new_network_dialog.png|thumb|350px]]
+
# Within your centos1 VM, click '''Applications''' menu, then select '''System Tools''', and then '''Settings'''.
# Edit the existing wired connection
+
# In the ''Settings'' Dialog Box, click on the '''Network''' icon.
 +
# For the '''Wired''' connection, click the '''settings''' button (The <u>icon</u> appears as a <u>gear</u> located at the bottom right-hand corner of the dialog box).
 +
# Select the '''IPv4''' tab. Change Address from ''Automatic (DHCP)'' to '''Manual'''.
 +
# Edit the existing wired connection, using the information displayed below:
 
# In the '''IPv4 Settings''' tab change the method from "Automatic (DHCP)" to '''"Manual"'''.
 
# In the '''IPv4 Settings''' tab change the method from "Automatic (DHCP)" to '''"Manual"'''.
# In the '''Addresses section''', click '''"Add"'''.
+
# In the Addresses section, enter the following information:
# Manually set the IP configuration to:
+
#: IP Address: '''192.168.235.11'''
#: IP Address '''192.168.235.12'''
+
#: Subnet Mask: '''255.255.255.0'''
#: Subnet Mask '''255.255.255.0'''
+
#: Default Gateway: The IP address of '''virbr1''' on your centos host.
#: Default Gateway The IP address of <code>virbr1</code> on your centos host.
+
# Click on the '''DNS''' field and add The IP address (''virbr1''' on your centos host) as the primary DNS server.
# Click on the '''DNS''' field and add The IP address of <code>virbr1</code> on your centos host. as the primary DNS server.
+
# When finished, check your settings, and then click the '''Apply''' button.
# Your network connection may take a couple of minutes to reconfigure connect (view the Network Manager applet in the gnome panel at the top of the screen).
+
# Open a terminal and issue the '''ifconfig''' command to confirm the IP ADDRESS settings change.
# You should be able to use the service commands to restart your network.
+
# Verify that '''centos1'''VM is now connected to the VPN by issuing the following command from your '''c7host''' machine:<br><b><code><span style="color:#3366CC;font-size:1.2em;">ping 192.168.235.11</span></code></b>
#*<code>service network stop</code>
 
#*<code>service network start</code>
 
# Verify your new interface by examining the output of <code>ifconfig</code>
 
# To verify that centos2 has the correct default gateway configured, use the commands <code>route -n</code>, <code>ifconfig</code>, <code>nslookup</code>, and <code>ping</code>
 
  
'''Answer the Investigation 2 observations / questions in your lab log book.'''
+
'''Answer Part 2 observations / questions in your lab log book.'''
  
=== Investigation 3: What files does the <code>system-config-network</code> GUI tool change?. ===
+
== Part 3: Backing up Only Recent File Changes ==
{{Admon/note | Use centos1 | Complete this investigation on your centos1 VM.}}
 
  
{{Admon/note | Backing up Files |One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system.<br />The following is an example of a common backup system used in Business Unix/Linux systems:<br /><br />'''Full Backup''': Backup all specified files (eg. configuration, data files, etc)<br />'''Incremental Backup''': Backup of only files that have changed since last (full) backup<br /><br />When the system is required to be fully restored, then the '''full backup''' is recovered, followed by each .<br />In this investigation, you will learn how to perform an '''incremental backup''' using the <code>find</code> utility|}}
+
This part is a repeat of part2, except we will be demonstrating how to use the '''find''' command to backup recent changes to files. In this case, we will save date/time stamp information in a file, configure to connect '''centos2''' to the network, run the '''find''' command, and prove that the incremental backup worked (showing the files created as a result of the configuration of centos1 to the VPN).
  
# Start the '''centos1''' VM and login
+
{| width="40%" align="right" cellpadding="10"
# Before we configure centos1 we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool.
+
|- valign="top"
#* <code>date > /tmp/timestamp</code>
+
|{{Admon/note | Backing up Files |One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system. The following is an example of a common backup system used in Business Unix/Linux systems:<br /><br />'''Full Backup''': Backup all specified files (eg. configuration, data files, etc)<br>'''Incremental Backup''': Backup of only files that have changed since last (full) backup.|}}
# Run the network configuration tool and enter the following static configuration in the same way that you configured '''centos2'''.
+
|}
#* IP Address: '''192.168.235.11'''
+
 
 +
# Keep your '''centos1''' VM running (you will need it running later in this lab).
 +
# Start the '''centos2''' VM and login
 +
# Before we configure centos2 network configuration, we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool. Issue the following command:
 +
#: <b><code><span style="color:#3366CC;font-size:1.2em;">date > /tmp/timestamp</span></code></b>
 +
# Run the network configuration tool and enter the following static configuration in the same way that you configured '''centos1'''.
 +
#* IP Address: '''192.168.235.12'''
 
#* Subnetmask: '''255.255.255.0'''
 
#* Subnetmask: '''255.255.255.0'''
 
#* Default Gateway: '''192.168.235.1'''
 
#* Default Gateway: '''192.168.235.1'''
Line 129: Line 138:
 
# Save and exit the network configuration tool.
 
# Save and exit the network configuration tool.
 
# You may have to restart the network using the correct command.
 
# You may have to restart the network using the correct command.
# Verify the configuration by pinging centos host ('''192.168.235.1''') and centos2 ('''192.168.235.12''')
+
# Verify the configuration by pinging the VMs and c7host using their IP addresses.
 
+
# We will now create an '''Incremental Backup'''. Run the following Linux command as root:
{{Admon/note | Creating an Incremental Backup |
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">find /etc -newer /tmp/timestamp &gt; /root/netcfg.lst</span></code></b>
We will now be using the <code>find</code> command to:
+
#View the '''/root/netcfg.lst''' file. What does it contain?</li>
:*Locate the configuration files (contained in the <code>/etc</code> directory) that were modified by the GUI  network configuration program
+
#Create a new directory called: '''/tmp/lab6'''
:*Copy those configuration files to a "specified" directory for backup purposes
+
{| width="40%" align="right" cellpadding="10"
 
+
|- valign="top"
Previously, you created a file called <code>/tmp/timestamp</code> that just contains the current date and time prior to running the network configuration toool for centos1. Any files that were modified by the GUI network configuration program should have a timestamp later (or newer) than the "timestamp" file you created. All the Linux TCP/IP configuration files are stored under the '''/etc''' directory or its sub-directories. The <code>find</code> command (using the correct options) can be used to only list those files that have been recently created since the timestamp date contained in the <code>/tmp/timestamp</code> file.|}}
+
|{{Admon/tip | Tip | You can create a Bash Shell script file using the ''find'' command above, give the shell script executable permissions, and use the ''crontab'' command to schedule running this script on a periodic basis.}}
 
+
|}
 
<ol>
 
<ol>
  <li value="8">Run the following Linux command:
+
  <li value="11">Issue the following commands:
     <ul>
+
     <dl>
       <li><code>find /etc -newer /tmp/timestamp &gt; /root/netcfg.lst</code></li>
+
       <dd><b><code><span style="color:#3366CC;font-size:1.2em;">find /etc -newer /tmp/timestamp -exec cp {} /tmp/lab6 \;</span></code></b>
     </ul>
+
     </dl>
 
  </li>
 
  </li>
<li>View the <code>/root/netcfg.lst</code> file. What does it contain?</li>
+
  <li>View the contents of the '''/tmp/lab6''' directory. What does it contain?</li>
<li>Create a new directory called: <code>/tmp/lab6</code></li>
 
<li>Issue the following commands:
 
    <ul>
 
      <li><code>mkdir -p /tmp/lab6</code></li>
 
      <li><code>find /etc -newer /tmp/timestamp -exec cp {} /tmp/lab6 \;</code></li>
 
    </ul>
 
</li>
 
  <li>View the contents of the <code>/tmp/lab6</code> directory. What does it contain?</li>
 
 
</ol>
 
</ol>
  
{{Admon/tip | Tip | Just for interest, it is relatively simple to automate your backups. You just create a Bash Shell script file using the <code>find</code> command above, give the shell script executable permissions, and use the <code>crontab</code> command to schedule when this script is to be run. If you want to learn more about shell scripting, you can take or refer to the course called  '''OPS435''' .}}
 
  
'''Answer the Investigation 3 observations / questions in your lab log book.'''
+
'''Answer Part 3 observations / questions in your lab log book.'''
  
=== Investigation 4: How do I configure the network without a GUI tool? ===
+
== Part 4: Configuring VM Network Setup via Command Line ('''centos3''') ==
{{Admon/note | Use centos3 | Complete this investigation on your centos3 VM.}}
+
 
# Start '''centos3''' VM and login as root
+
Our centos3 VM is a '''text-based only''' system, thus we cannot use a graphical tool to configure centos3 to connect to our private network. Therefore we will learn how to perform this task by using command-line tools.
# Use the command <code>ifconfig</code> to list active interfaces, you should see one with a name of <code>eth0</code> or a similar name.
+
 
 +
# Leave your '''centos1''' and '''centos2''' VM running, but start your '''centos3''' VM, login, and su to '''root'''.
 +
# Use the command '''ifconfig''' to list active interfaces, you should see one with a name of '''eth0''' or a similar name.
 
# To configure your card with a static address use the following command:
 
# To configure your card with a static address use the following command:
#* <code>ifconfig eth0 192.168.235.13 netmask 255.255.255.0</code>
+
#:<b><code><span style="color:#3366CC;font-size:1.2em;">ifconfig eth0 192.168.235.13 netmask 255.255.255.0</span></code></b>
 
# To configure a default gateway for that interface enter the command:
 
# To configure a default gateway for that interface enter the command:
#* <code>route add default gw 192.168.235.1</code>
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">route add default gw 192.168.235.1</span></code></b>
# To configure your DNS server edit the file <code>/etc/resolv.conf</code>. Change the <code>nameserver</code> line to be:
+
# To configure a DNS server for this VM, edit the file '''/etc/resolv.conf'''. Change the nameserver line to read:
#* <code>nameserver 192.168.235.1</code>
+
#: <b>nameserver 192.168.235.1</b>
# Confirm your settings work by doing the following:
+
# Save your editing session.
#* <code>ifconfig</code>
+
# Confirm your settings work by doing the following (you might need to do the steps '''3''' and '''4''' a few times before it works; keep checking with the commands below and wait a bit before each attempt):
#* <code>route -n</code>
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">ifconfig</span></code></b>
#* <code>ping</code> your other VM's and centos host.
+
#:<b><code><span style="color:#3366CC;font-size:1.2em;">route -n</span></code></b>
#* <code>ssh</code> to your matrix account to test DNS
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">ping</span></code></b> (your other VM's and c7host)
 +
#: <b><code><span style="color:#3366CC;font-size:1.2em;">ssh</span></code></b> ( to your Seneca's Matrix account to test your DNS)
 
# Restart the <code>centos3</code> VM, or just wait a few minutes.
 
# Restart the <code>centos3</code> VM, or just wait a few minutes.
 
# Login and test your configuration again. What happened?
 
# Login and test your configuration again. What happened?
# While we can configure network settings from the command line those settings are not persistent. To configure persistent network configurations we need to edit the configuration files:
+
# While we can configure network settings from the command line those settings are not persistent. To configure persistent network configurations we need to edit the configuration files.
Change to the <code>/etc/sysconfig/network-scripts</code> directory on <code></code>
+
# Change to the '''/etc/sysconfig/network-scripts''' directory<br>[[Image:new-network-config.png|thumb|300px|right|This diagram should show the newer network configuration of your '''c7host''' machine in relation to your '''Virtual Machines'''.]]
#* List the contents of the directory and you should see 2 different types of files, network config scripts and network configuration files.
+
# List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.
#* Look for the config file for your original interface, it should be named <code>ifcfg-eth0</code>
+
# Look for the configuration file for your original interface, it should be named '''ifcfg-eth0'''
#* Make a backup of this file for later reference.
+
# Edit the new file for you interface and give it the following settings (or create a brand new file, might be easier than editing the old one):
#* Edit the new file for you interface and give it the following settings (or create a brand new file, might be easier than editing the old one):
+
#::DEVICE="eth0"
#**DEVICE="eth0"
+
#::IPADDR="192.168.235.13"
#**IPADDR="192.168.235.13"
+
#::NETMASK="255.255.255.0"
#**NETMASK="255.255.255.0"
+
#::GATEWAY="192.168.235.1"
#**GATEWAY="192.168.235.1"
+
#::HWADDR="52:54:00:3f:5c:fa" <-- '''DO NOT COPY THIS VALUE! Use MAC address for YOUR interface using:''' <code><span style="color:#3366CC;font-size:1.2em;">ifconfig eth0</span></code>
#**HWADDR="52:54:00:3f:5c:fa" <-- '''use the MAC address for YOUR interface
+
#::DNS1="192.168.235.1" '''
#**DNS1="192.168.235.1" '''
+
#::BOOTPROTO="static"
#**BOOTPROTO="static"
+
#::ONBOOT="yes"
#**ONBOOT="yes"
+
#::NM_CONTROLLED="yes"
#**NM_CONTROLLED="yes"
+
#::IPV6INIT="no"
#**IPV6INIT="no"
+
# Save the file and then restart the network connection by issuing the commands: <b><code><span style="color:#3366CC;font-size:1.2em;">ifdown eth0</span></code></b> and then <b><code><span style="color:#3366CC;font-size:1.2em;">ifup eth0</span></code></b>
# Save the file and then restart the network connection by issuing the commands: <code>ifdown eth1</code> and then <code>ifup eth1</code>
 
 
# Verify your configuration as you did before.
 
# Verify your configuration as you did before.
# Restart the <code>centos3</code> VM.
+
# Restart the '''centos3''' VM.
# Login and attempt to <code>ssh</code> to your matrix account to verify the settings.
+
# Login and attempt to '''ssh''' to your matrix account to verify the settings.
  
'''Answer the Investigation 4 observations / questions in your lab log book.'''
+
'''Answer Part 4 observations / questions in your lab log book.'''
  
=== Investigation 5: How do I setup local hostname resolution? ===
+
=INVESTIGATION 2: VIRTUAL NETWORKING ENVIRONMENT TWEAKS AND OTHER USEFUL UTILITIES=
{{Admon/note | Use each machine | Complete this investigation on all of your VM's and the centos host.}}
 
  
{{Admon/note | Hosts files vs. the Domain Name System | On large public networks like the Internet or even large private networks we use a network service called [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System (DNS)] to resolve the human friendly hostnames like '''centos.org''' to the numeric addresses used by the IP protocol. On smaller networks we can use the <code>/etc/hosts</code> on each system to resolve names to addresses.}}
+
Connecting a private network is an important task, but a system administrator also needs to "tweak" the network to make it '''convenient to use''', make it '''safer from unauthorized access''', and use troubleshooting utilities to help '''troubleshoot''' network connectivity problems as they occur. This investigation will expose you to some useful tricks and utilities to help accomplish this task.
  
# Use the <code>hostname</code> and <code>ifconfig</code> commands on your centos host and all 3 VM's to gather the information needed to configure the <code>/etc/hosts</code> file on the centos host and the 3 VM's.
+
'''NOTE:''' Lab 7 requires that you understand these concepts and have a good general understanding how to use these troubleshooting utilities (like '''netstat''' and '''iptables''').
# Edit the <code>/etc/hosts</code> file on <u>each</u> of the '''virtual machines and the centos host'''. Refer to the table below for information to enter in the <code>/etc/hosts</code> file.
 
  
  
{|class="collapsible" style="background: #c0c0c0" width="50%"
+
== Part 1: Using Local Hostname Resolution ==
!Sample /etc/hosts file
+
{| width="40%" align="right" cellpadding="10"
|-
+
|- valign="top"
|
+
|{{Admon/note | Hosts files vs. the Domain Name System | On large public networks like the Internet or even large private networks we use a network service called [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System (DNS)] to resolve the human friendly hostnames like '''centos.org''' to the numeric addresses used by the IP protocol. On smaller networks we can use the <code>/etc/hosts</code> on each system to resolve names to addresses.}}
<pre>
 
# hostname centos1 added to /etc/hosts by anaconda
 
127.0.0.1              localhost.localdomain localhost centos1
 
::1                    localhost6.localdomain6 localhost6 centos1
 
 
 
192.168.235.1          c6host
 
192.168.235.11          centos1
 
192.168.235.12          centos2
 
192.168.235.13          centos3
 
</pre>
 
 
|}
 
|}
  
 +
After setting up a private network, it can be hard to try to remember IP addresses. In this section, we will setup your network to associate easy-to-remember server names with IP ADDRESSES.
  
<ol>
+
# Complete this investigation on '''all of your VMs''' and the '''c7host''' machine.
  <li value="3">Confirm that each host can ping all three of the other hosts by name.</li>
+
# Use the <b><code><span style="color:#3366CC;font-size:1.2em;">hostname</span></code></b> and <b><code><span style="color:#3366CC;font-size:1.2em;">ifconfig</span></code></b> commands on your c7host machine and all of your 3 VM's to gather the information needed to configure the '''/etc/hosts''' file on all of your Linux systems.
</ol>
+
# Edit the '''/etc/hosts''' file on <u>each</u> of the '''virtual machines and host machine'''. Add the following contents to the <u>bottom</u> of the '''/etc/hosts''' file:<br><br>
 +
#::192.168.235.1          c7host
 +
#::192.168.235.11          centos1
 +
#::192.168.235.12          centos2
 +
#::192.168.235.13          centos3<br><br>
 +
#Confirm that each host can ping all three of the other hosts by name.
  
'''Answer the Investigation 5 observations / questions in your lab log book.'''
+
'''Answer Part 1 observations / questions in your lab log book.'''
  
== Obtaining MAC Address / Service Port / Firewall Information ==
+
== Part 2: Obtaining MAC (Hardware) addresses on Network Computers ==
 +
{| width="40%" align="right" cellpadding="10"
 +
|- valign="top"
 +
|{{Admon/note | Obtaining Remote MAC Addresses| The term '''MAC''' address stands for '''Media Access Control''' address, which provides a unique ID to prevent confusion among computer systems within a network. While we use '''32bit IP addresse'''s to communicate over an internet, on the local ethernet network packets are delivered to a '''48bit hardware address''' (sometimes called a MAC address). The '''ARP''' protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers to solve problems involving MAC addresses (such as '''Wake Up on Lan''').}}
 +
|}
  
 +
When our CentOS system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the '''netstat''' command.
  
=== Investigation 6: How do I collect the MAC (Hardware) addresses of computers on my network? ===
+
# Perform this section on your '''c7host''' machine.
{{Admon/note | Use your CentOS Host | Complete this investigation on your CentOS host.}}
+
# On the centos host '''ping''' each of your VM's
 
+
# Examine the contents of the ARP cache by using the command: <b><code><span style="color:#3366CC;font-size:1.2em;">arp</span></code></b>
{{Admon/note | Obtaining Remote MAC Addresses| The term '''MAC''' address stands for '''Media Access Control''' address, which provides a unique ID to prevent confusion among computer systems within a network. While we use '''32bit IP addresse'''s to communicate over an internet, on the local ethernet network packets are delivered to a '''48bit hardware address''' (sometimes called a MAC address). The '''ARP''' protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers on our local network.<br /><br />Being able to determine remote MAC address information is useful from troubleshooting networking programs to using '''WOL''' (Wake up on Lan) to automatically boot remote workstations via the network. In this investigation, you will learn how to obtain MAC address information for various network cards.}}
+
# Check the contents of the cache again by using the command: <b><code><span style="color:#3366CC;font-size:1.2em;">arp -n</span></code></b>
 
+
# What was the difference in output? For what other command did the option '''-n''' have a similar effect?
# On the centos host <code>ping</code> each of your VM's
+
# On your CentOS host execute the command: <b><code><span style="color:#3366CC;font-size:1.2em;">netstat -at</span></code></b>
# Examine the contents of the ARP cache by using the command <code>arp</code>
 
# Check the contents of the cache again by using the command <code>arp -n</code>
 
# What was the difference in output? For what other command did -n have a similar effect?
 
 
 
'''Answer the Investigation 6 observations / questions in your lab log book.'''
 
 
 
=== Investigation 7: How can I see what network services or ports are active on my CentOS system? ===
 
 
 
{{Admon/note | Use All Machines | Complete this investigation on all of your VM's and the CentOS host.}}
 
 
 
{{Admon/note | Network Ports | When our CentOS system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the <code>netstat</code> command.}}
 
 
 
# On your CentOS host execute the command: <code>netstat -at</code>
 
 
# This command will list all active TCP ports. Note the state of your ports.
 
# This command will list all active TCP ports. Note the state of your ports.
# TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the <code>ssh</code> service in a LISTEN state as it is waiting for connections.
+
# TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the '''ssh''' service in a LISTEN state as it is waiting for connections.
# From one of your VM's login to your host using <code>ssh</code>
+
# From one of your VM's login to your host using '''ssh'''
 
# On the CentOS host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
 
# On the CentOS host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
 
# Exit your ssh connection from the VM and rerun the command on the CentOS host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
 
# Exit your ssh connection from the VM and rerun the command on the CentOS host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
# On your CentOS host try the command <code>netstat -atn</code>. How is this output different?
+
# On your CentOS host try the command <b><code><span style="color:#3366CC;font-size:1.2em;">netstat -atn</span></code></b>. How is this output different?
# Without the <code>-n</code> option <code>netstat</code> attempts to resolve IP addresses to host names (using /etc/hosts) and port numbers to service names (using /etc/services)
+
# Without the <code>-n</code> option <code>netstat</code> attempts to resolve IP addresses to host names (using '''/etc/hosts''') and port numbers to service names (using '''/etc/services''')
# Examine the <code>/etc/services</code> file and find which ports are used for the services: <code>ssh, ftp, http</code>
+
# Examine the '''/etc/services''' file and find which ports are used for the services: '''ssh''', '''sftp''', '''http'''
# Now execute the command <code>netstat -au</code> What is the difference between <code>-at</code> and <code>-au</code>?
+
# Now execute the command <b><code><span style="color:#3366CC;font-size:1.2em;">netstat -au</span></code></b> What is the difference between the options: '''-at''' and '''-au'''?
 
# When examining UDP ports why is there no state?
 
# When examining UDP ports why is there no state?
# Using the <code>netstat</code> man page and experimentation make sure you understand how the following options work.
 
#* -at
 
#* -au
 
#* -atp
 
#* -aup
 
#* -atn
 
#* -aun
 
#* -autnp
 
  
'''Answer the Investigation 7 observations / questions in your lab log book.'''
+
'''Answer Part 2 observations / questions in your lab log book.'''
  
=== Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration ===
 
  
 +
== Part 3: Introduction to Firewalls: iptables ==
 +
{| width="40%" align="right" cellpadding="10"
 +
|- valign="top"
 +
|{{Admon/note | | '''[http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX'''consisting of a '''list of rules''' (or '''"tables of policies"'''). If data matches a specified <u>policy</u>, it must “jump” to an existing '''condition'''.  Simple conditions include '''ACCEPT''', '''DROP''' and '''LOG''' but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
  
{{Admon/note | Use c6host | Complete the following steps on your '''c6host''' machine.}}
+
When using iptables, the '''Filter''' table is important because it contains the following essential '''chains''':<br><br>
  
 +
'''INPUT:'''<br>Data is checked against the INPUT chain to see if it is <u>allowed into</u> the PC.<br><br>
 +
'''OUTPUT:'''<br>Data is checked against the OUTPUT chain to see if it is <u>allowed to go outside</u> of the PC.<br><br>
 +
'''FORWARD:'''<br>PC is acting as a router it does not actually send or receive data, it <u>FORWARDS</u> data from one machine to another.
 +
}}
 +
|}
  
{{Admon/note | | [http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX.  While this program can be controlled by different GUIs, we are going to investigate the powerful command line interface for this program to choose what data is allowed into, out of and through our computer.
+
Since Linux servers may be connected to the Internet, it is very important to run a firewall to control what comes into the computer system, what goes out of the computer system, and what may be forwarded to another computer. Linux uses the command called '''iptables''' to set the firewall rules. Although graphical programs can be used to configure iptables, it is important for students of Linux Administration to learn how to use the iptables command for more complex and automated configuration via shell scripting.
 
 
Essentially, Iptables is a list of rules.  Each rule is placed into a particular chain and when data is sent into, out of or through a PC the data is checked against these rules. If the data matches a particular rule, it then must “jump” to a condition.  Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
 
  
Iptables consists of multiple tables, each containing one or more chains of rules. For firewall purposes, the FILTER table is important; it contains these three chains: – INPUT, OUTPUT and FORWARD.  Here as brief explanation of these chains.
 
 
'''OUTPUT''' – When you want to do some research on the Web for something, you open a browser on your PC and navigate to http://www.google.ca.  When you do you are attempting to establish an HTTP or HTTPS session with the web server at http://www.google.ca.  A data packet is built with appropriate IP and TCP information and sent out of your computer but before it goes out to the Internet it will be compared to all of the rules in the OUTPUT chain to see if this data is allowed to go “out” of the PC.  If it is not allowed then the packet is dropped.
 
 
'''INPUT''' – If your data was allowed out and a request was sent to http://www.google.ca, this web server will send data back to your PC with an acknowledgement.  Before this data can be processed by your browser, it must first be checked against the INPUT chain to see if it is allowed into the PC.  If it is, your browser will process the data and move to it's next task.  If it is not, the packet will be dropped.
 
 
'''FORWARD''' – LINUX PC's are often used as routers or gateways for other PC's.  This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC.  Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here.  Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another.  When this process happens, the data is checked against the FORWARD chain to see if it is allowed through.  If it is the router will forward the data to it's destination.  If not, the packet is dropped.}}
 
 
{{Admon/important | Non-Persistent Changes to your Host System | Complete this lab on your host system (f16host).
 
 
 
It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded.}}
 
  
 +
# For the remainder of this section, use your '''c7host''' machine.
 
# As root on the CentOS host enter the following commands at the prompt:
 
# As root on the CentOS host enter the following commands at the prompt:
#* <code>iptables -F</code> (This flushes out or clears all of your rules from the chains)
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b>
#* <code>iptables -L</code>
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b>
# You should see something similar to this:<br /><br />Chain INPUT (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />Chain FORWARD (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />Chain OUTPUT (policy ACCEPT)<br /><br />target prot opt source destination<br /><br />
+
# What did those commands issued above do? Refer to the ''manpages'' for ''iptables'' if not certain.
# Set the default policy for the INPUT chain to DROP:
+
# Set the default policy for the INPUT chain to DROP by issuing the command:
#* <code>iptables -P INPUT DROP</code>
+
#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP
+
# Now try on your own to change the default policies for the OUTPUT and FORWARD chains to DROP
 
# Write the commands you executed in your lab book.
 
# Write the commands you executed in your lab book.
 
# Can we mix these policies?  Try to set the FORWARD chain policy to ACCEPT.  Did it work?
 
# Can we mix these policies?  Try to set the FORWARD chain policy to ACCEPT.  Did it work?
{{Admon/note | Chain Policies | Each chain has a default policy.  In my example here the default policy is ACCEPT.  This means that if  data packets are checked and there is no rule that matches that packet in the chain the data will be allowed to pass to it's destination.  Conversely, if the policy is set to DROP then the packet will be dropped if there is no match. Flushing the table (<code>iptables -F</code>) when an ACCEPT policy is in place will cause all packets to be accepted; flushing the table when an DENY policy is in place will cause all packets to be dropped.}}
 
  
==== Testing policies ====
+
=== Testing iptables Policies ===
  
# Execute the command <code>iptables -L</code> and check that the policies on your INPUT and OUTPUT  chain are set to DROP
+
# Execute the command <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b> and check that the policies on your INPUT and OUTPUT  chain are set to DROP
 
# Open a browser and attempt to access the Internet.  Were you successful?
 
# Open a browser and attempt to access the Internet.  Were you successful?
 
# Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
 
# Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
 
# Open your browser and attempt to access the Internet again.  Were you successful?
 
# Open your browser and attempt to access the Internet again.  Were you successful?
 
# Change the policies on all of the chains to DROP
 
# Change the policies on all of the chains to DROP
# In the OUTPUT chain, add the following rule:
+
{| width="40%" align="right"
#* <code>iptables -A OUTPUT -j LOG</code>
+
 
# The above rule tells <code>iptables</code> to log packets and relevant information to <code>/var/log/messages</code>. 
+
|- valign="top"
# This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.
+
 
# Try to access the Internet again.  Because the policies have been set to DROP, you should be unsuccessful.  However, every packet of data that your PC attempted to send out was logged.  Let's have a look at the log file and analyze the data.
+
|{{Admon/note| Interpreting iptables commands |Here is the command you issue in step #15:
#* <code>tail /var/log/messages</code>
 
# This command shows us the last 10 lines of the file.  While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need.  Look for a line that looks similar to the following:<br /><br /><blockquote><code>Mar  3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0</code></blockquote>
 
# Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value. 
 
# When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80.  This is the standard port for the WWW.  Because we have set the default policy to DROP it drops these packets.  The problem is we are dropping all packets.  What if we just want to drop the WWW packets?
 
# Using the commands we already know, change the default policies on all of your chains to ACCEPT. 
 
# Open a browser and confirm that you can access the world wide web.
 
# Enter the command:
 
#* <code>iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</code>
 
# Try to access the Web.  If you have done everything right, you should not have been successful.
 
# After you have completed the test execute the following command:
 
#* <code>iptables -F</code>
 
{{Admon/note| Interpreting iptables commands |Here is the command you just used:
 
  
 
  iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
 
  iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
Line 336: Line 299:
 
Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.
 
Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.
  
Let's break down the command to see how it works.
+
'''Let's break down the command to see how it works:'''
  
 
The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy.  This means it will be the first line in the policy.  If we used a -A switch it would have appended the line and it would be the last line of the policy.  If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).
 
The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy.  This means it will be the first line in the policy.  If we used a -A switch it would have appended the line and it would be the last line of the policy.  If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).
Line 353: Line 316:
  
 
}}
 
}}
{{Admon/note|0/0 Addresses|Source and destination addresses of 0/0 will match all addresses. Therefore, they '''don't do anything''' and can be removed:
 
  
  iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
+
|}
 +
<ol>
 +
<li value="6"> In the OUTPUT chain, add the following rule:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -A OUTPUT -j LOG</span></code></b></li>
 +
<li>The above rule tells '''iptables''' to log packets and relevant information to '''/var/log/messages'''.</li>
 +
<li>This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.</li>
 +
<li>Try to access the Internet again.  Because the policies have been set to DROP, you should be unsuccessful.  However, every packet of data that your PC attempted to send out was logged.  Let's have a look at the log file and analyze the data:<br><b><code><span style="color:#3366CC;font-size:1.2em;">tail /var/log/messages</span></code></b></li>
 +
<li>This command shows us the last 10 lines of the file.  While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need.  Look for a line that looks similar to the following:<br /><blockquote><code>Jun 24 12:41:26 c7host kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16442 DF PROTO=TCP SPT=57151 DPT=5902 WINDOW=1024 RES=0x00 ACK URGP=0</code></blockquote></li>
 +
<li>Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value.</li>
 +
<li>When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80.  This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets.  The problem is we are dropping all packets.  What if we just want to drop the WWW packets?</li>
 +
<li>Using the commands we already know, change the default policies on all of your chains to ACCEPT.</li>
 +
<li>Open a browser and confirm that you can access the world wide web.</li>
 +
<li>Enter the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</span></code></b></li>
 +
<li>Try to access the Web.  If you have done everything right, you should not have been successful.</li>
 +
<li>After you have completed the test execute the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b><br></li>
 +
<li>Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.</li>
 +
<li>After you have completed this task, flush the iptables again.</li>
 +
<li>Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.</li>
 +
<li>Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.</li>
 +
<li>Confirm that your rule works by testing from your VM's</li>
 +
<li>Does iptables close the port? Check using '''netstat'''</li>
 +
<li>Now insert a rule on the CentOS host that would ACCEPT connections from the centos2 VM only.</li>
 +
<li>Fully test your configuration.</li>
 +
</ol>
  
is equivalent to:
+
=== Making iptables Policies Persistent ===
  
iptables -I OUTPUT  -p tcp --dport 80 -j DROP
+
It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded. When your iptables service starts or at boot time it has to load the rules from the file '''/etc/sysconfig/iptables-config'''.
}}
 
 
 
==== Final Tasks ====
 
 
 
# Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
 
# After you have completed this task, flush the iptables again.
 
# Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.
 
# Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.
 
# Confirm that your rule works by testing from your VM's
 
# Does iptables close the port? Check using <code>netstat</code>
 
# Now insert a rule on the CentOS host that would ACCEPT connections from the centos2 VM only.
 
# Fully test your configuration.
 
 
 
{{Admon/note | iptables Service |When your iptables service starts or at boot time it has to load the rules from the file <code>/etc/sysconfig/iptables</code>.}}
 
  
<ol>
+
The final section below teaches you to make your iptables settings permanent.
  <li value="9">'''Make a backup of the file <code>/etc/sysconfig/iptables</code>'''</li>
 
  <li>Examine the file to see how rules are added.</li>
 
  <li>Issue the command: <code>iptables-save > /etc/sysconfig/iptables</code>  to save the rules you added with the iptables command, above.</li>
 
  <li>Verify that the file  <code>/etc/sysconfig/iptables</code> was updated with your new rules.</li>
 
  <li>Restart your iptables service and test your configuration. </li>
 
  <li>Write a short bash script to add a rule allowing the centos1 and centos3 VM's to connect to <code>ssh</code> on the CentOS host.</li>
 
</ol>
 
  
'''Answer the Investigation 8 observations / questions in your lab log book.'''
+
# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables-save > /etc/sysconfig/iptables.bk</span></code></b>
 +
#To make the iptables rules '''persistent''' (i.e. keeps rules when system restarts), you issue the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables-save > /etc/sysconfig/iptables</span></code></b>
 +
# Verify that the file  '''/etc/sysconfig/iptables''' exists.
 +
# Restart your iptables service and test your configuration.
  
== New Configuration ==
 
  
Now you should have the following network configuration:<br /><br />
+
'''Answer the Part 3 observations / questions in your lab log book.'''
[[Image:new-network-config.png]]
 
  
* '''CentOS host''' has 1 active network interface (probably <code>'''em1'''</code>)that receives IP configuration from the School's DHCP server.
 
* '''CentOS host''' has 1 active network interface (<code>'''virbr1'''</code>) that has a static default configuration of '''192.168.235.1/255.255.255.0'''
 
* '''centos1''' VM has 1 active interface (<code>'''eth0'''</code>) that has a static configuration of '''192.168.235.11/255.255.255.0'''
 
* '''centos2''' VM has 1 active interface (<code>'''eth0'''</code>) that has a static configuration of '''192.168.235.12/255.255.255.0'''
 
* '''centos3''' VM has 1 active interface (<code>'''eth0'''</code>) that has a static configuration of '''192.168.235.13/255.255.255.0'''
 
  
== Completing the lab ==
+
= LAB 6 SIGN-OFF (SHOW INSTRUCTOR) =
 +
{{Admon/important|Time for a new backup, INCLUDING YOUR VIRTUAL HARD DRIVE!|If you have successfully completed this lab, make a new backup of your virtual machines. <br><br>'''Virtual hard-drives created lab5 are image files and may have data changed as a result of performing this lab. Therefore, you need to be backed up this hard disk image as well!'''.}}
  
{{Admon/important|Time for a new backup!|If you have successfully completed this lab, make a new backup of your virtual machines.}}
+
'''Arrange proof of the following on the screen:'''
  
Arrange proof of the following on the screen:
+
<ol><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>Contents of '''/tmp/lab6''' directory.</li><li>'''ssh''' from centos2 to the CentOS host</li></ul></blockquote></li></li><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''<u>All</u> VMs''':<blockquote><ul><li>'''ifconfig''' information</li><li>Contents of '''/etc/hosts''' file</li></ul></blockquote></li><li><span style="color:green;font-size:1.5em;">&#x2713;</span>'''c7host''' machine<blockquote><ul><li>'''arp''' cache information</li><li>Contents of '''/etc/hosts''' file</li><li>Proof of backup</li><li>A list of your '''iptables''' rules</li></ul></blockquote></li><li><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab6''' log-book filled out.</li></ol>
# <code>ifconfig</code> from all 3 VM's
 
# The contents of <code>/etc/hosts</code> on each machine
 
# The contents of your <code>arp</code> cache.
 
# <code>ssh</code> from centos2 to the CentOS host.
 
# Contents of <code>/tmp/lab6</code> directory.
 
# Fresh backup of the virtual machines.
 
# A list of your <code>iptables</code> rules.
 
  
== Preparing for Quizzes ==
+
== Practice For Quizzes, Tests, Midterm &amp; Final Exam ==
  
 
# What is a port?  
 
# What is a port?  

Latest revision as of 11:16, 27 November 2019

Stop (medium size).png
THIS IS AN OLD VERSION OF THE LAB
This is an archived version. Do not use this in your OPS235 course.

LAB PREPARATION

Purpose / Objectives of Lab 6

Setting up networks is an essential operation for a system administrator. Maintaining network connectivity and securing the network are also essential operations for a system administrator.


In this lab, you will learn the basics of networking by using your Virtual Machines and your c7host machine. You will first set up a virtual private network among those machines. In addition, you will learn to set up network names (to associate with server's IP Addresses), associate network services with port numbers for troubleshooting purposes, and setup firewall policies via the iptables command.

Main Objectives

  1. Configure a private (virtual) network for your VMs and your c7host machine
  2. Configure network interfaces for your Virtual Machines using both graphical and command-line utilities.
  3. Use local hostname resolution to resolve simple server names with their corresponding IP Addresses
  4. Backup more recent files (eg. incremental backup) using the find command and a date/time-stamp file
  5. Use common networking utilities to associate network services with port numbers for troubleshooting purposes
  6. Gain initial exposure to the iptables command used to configure and maintain a firewall for protection and troubleshooting
  7. Configure iptables to allow/disallow/forward different types of network traffic


Minimum Required Materials

Removable Hard Disk Pack (SATA)
USB key
(for backups)
Lab6 Log Book

My Toolkit (CLI Reference)

Networking Utilities: Additional Utilities:

INVESTIGATION 1: CONFIGURING A VIRTUAL PRIVATE NETWORK

For the remainder of this course, we will focus on networking involving our VMs and our c7host machine. This lab will focus on setting up a virtual private network (VPN), connecting our VMs and c7host machine to the VPN, and configuring our VPN to make more convenient to use, troubleshoot and protect. Lab 7 will focus more on configuring SSH and making access to the VPN more secure. Finally, lab 8 will focus on configuring the network for fixed workstations, mobile devices, or both at the same time.

There are several reasons for creating VPNs. The main reason is to safely connect servers together (i.e. to safely limit but allow share information among computer network users). This allows for a secure connection of computers yet controlling access to and monitoring (protecting) access to permitted users (discussed in more depth in lab7).


Part 1: Configuring a Private Network (Via Virtual Machine Manager)

This diagram shows the current network configuration of your c7host machine in relation to your Virtual Machines. In this section, you will be learning to change the default network settings for both your c7host machine and VMs to belong to a virtual network using fixed IP Addresses.

If we are going to setup a private network, we must do 2 major operations: First, define a new private network in the Virtual Manager application; and second, configure each of our VMs to connect to this new private network. In Part 1, we will be perform the first operation. In parts 2, 3, and 4, we will be performing the second operation for all VMS (graphical and command-line).


  1. Perform this section in your c7host machine.

    NOTE: Before configuring our network we want to turn off dynamic network configuration for our Virtual Machines by turning off the "default" virtual network. We will then define our virtual private network. Follow the steps in order to perform these operations.

  2. Make certain that ALL virtual machines are powered off.
  3. In the Virtual Machine Manager dialog box, Select Edit-> Connection Details.
  4. In the c7host Connection Details dialog box, select the Virtual Networks tab
  5. Disable the default configuration from starting at boot by deselecting Autostart (on boot) check-box and click the Apply button.
  6. Then Stop the default network configuration by clicking on the stop button at the bottom left-side of the dialog box.
  7. Click the add button (the button resembles a "plus sign") to add a new network configuration.
  8. Give your new network a name (i.e. network1) then click the Forward button.
  9. In the next screen, enter in the new network IP address space:
    192.168.235.0/24
  10. Disable DHCP4 by deselecting the check box and click the Forward button twice (accepting the defaults).
  11. Enable Network Forwarding by Selecting Forwarding to physical network, the destination should be Any physical device and the mode should be NAT
  12. Proceed with changes, and click Finish.
  1. We will now reconfigure each of our VMs to use our new virtual network network1
    1. Let's start with our centos1 VM. Double-click on your centos1 VM, but instead of running the VM, click on the view menu, and select: Details
      (Note: the Virtual Machine window will appear - do not start virtual machine)
    2. In the left pane of the Virtual Machine window, select NIC: and note that this NIC is on the "default" virtual network
    3. Change it to Virtual Network network1: NAT (i.e. the VPN that you just created) and click the Apply button.
  2. Repeat the same steps for your centos2 and centos3 VMs!

Answer Part 1 observations / questions in your lab log book.


Part 2: Configuring VM Network Setup Graphically (system-config-network)

For Parts 2 and 3 of this investigation, we will be using a graphical tool to connect our centos1 and centos2 VMs to our private network.

Although the private network has been setup via the Virtual Machine Manager, each virtual machine requires to change its own network setting individually (either graphically or by command line).
  1. On your c7host machine, run ifconfig and make note of the IP address assigned to the virbr1 (i.e. "Virtual Bridge) interface. This will be the default gateway and DNS server for your VMs.
  2. Start your centos1 VM and login.
  3. Within your centos1 VM, click Applications menu, then select System Tools, and then Settings.
  4. In the Settings Dialog Box, click on the Network icon.
  5. For the Wired connection, click the settings button (The icon appears as a gear located at the bottom right-hand corner of the dialog box).
  6. Select the IPv4 tab. Change Address from Automatic (DHCP) to Manual.
  7. Edit the existing wired connection, using the information displayed below:
  8. In the IPv4 Settings tab change the method from "Automatic (DHCP)" to "Manual".
  9. In the Addresses section, enter the following information:
    IP Address: 192.168.235.11
    Subnet Mask: 255.255.255.0
    Default Gateway: The IP address of virbr1 on your centos host.
  10. Click on the DNS' field and add The IP address (virbr1 on your centos host) as the primary DNS server.
  11. When finished, check your settings, and then click the Apply button.
  12. Open a terminal and issue the ifconfig command to confirm the IP ADDRESS settings change.
  13. Verify that centos1VM is now connected to the VPN by issuing the following command from your c7host machine:
    ping 192.168.235.11

Answer Part 2 observations / questions in your lab log book.

Part 3: Backing up Only Recent File Changes

This part is a repeat of part2, except we will be demonstrating how to use the find command to backup recent changes to files. In this case, we will save date/time stamp information in a file, configure to connect centos2 to the network, run the find command, and prove that the incremental backup worked (showing the files created as a result of the configuration of centos1 to the VPN).

Note.png
Backing up Files
One very important aspect of system admin is performing backups. There are many methods for backing up the data on a a computer system. The following is an example of a common backup system used in Business Unix/Linux systems:

Full Backup: Backup all specified files (eg. configuration, data files, etc)
Incremental Backup: Backup of only files that have changed since last (full) backup.
  1. Keep your centos1 VM running (you will need it running later in this lab).
  2. Start the centos2 VM and login
  3. Before we configure centos2 network configuration, we should create a timestamp file that can be used to see which files have changed as a result of using the GUI tool. Issue the following command:
    date > /tmp/timestamp
  4. Run the network configuration tool and enter the following static configuration in the same way that you configured centos1.
    • IP Address: 192.168.235.12
    • Subnetmask: 255.255.255.0
    • Default Gateway: 192.168.235.1
    • DNS Server: 192.168.235.1
  5. Save and exit the network configuration tool.
  6. You may have to restart the network using the correct command.
  7. Verify the configuration by pinging the VMs and c7host using their IP addresses.
  8. We will now create an Incremental Backup. Run the following Linux command as root:
    find /etc -newer /tmp/timestamp > /root/netcfg.lst
  9. View the /root/netcfg.lst file. What does it contain?</li>
  10. Create a new directory called: /tmp/lab6
Idea.png
Tip
You can create a Bash Shell script file using the find command above, give the shell script executable permissions, and use the crontab command to schedule running this script on a periodic basis.
  1. Issue the following commands:
    find /etc -newer /tmp/timestamp -exec cp {} /tmp/lab6 \;
  2. View the contents of the /tmp/lab6 directory. What does it contain?


Answer Part 3 observations / questions in your lab log book.

Part 4: Configuring VM Network Setup via Command Line (centos3)

Our centos3 VM is a text-based only system, thus we cannot use a graphical tool to configure centos3 to connect to our private network. Therefore we will learn how to perform this task by using command-line tools.

  1. Leave your centos1 and centos2 VM running, but start your centos3 VM, login, and su to root.
  2. Use the command ifconfig to list active interfaces, you should see one with a name of eth0 or a similar name.
  3. To configure your card with a static address use the following command:
    ifconfig eth0 192.168.235.13 netmask 255.255.255.0
  4. To configure a default gateway for that interface enter the command:
    route add default gw 192.168.235.1
  5. To configure a DNS server for this VM, edit the file /etc/resolv.conf. Change the nameserver line to read:
    nameserver 192.168.235.1
  6. Save your editing session.
  7. Confirm your settings work by doing the following (you might need to do the steps 3 and 4 a few times before it works; keep checking with the commands below and wait a bit before each attempt):
    ifconfig
    route -n
    ping (your other VM's and c7host)
    ssh ( to your Seneca's Matrix account to test your DNS)
  8. Restart the centos3 VM, or just wait a few minutes.
  9. Login and test your configuration again. What happened?
  10. While we can configure network settings from the command line those settings are not persistent. To configure persistent network configurations we need to edit the configuration files.
  11. Change to the /etc/sysconfig/network-scripts directory
    This diagram should show the newer network configuration of your c7host machine in relation to your Virtual Machines.
  12. List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.
  13. Look for the configuration file for your original interface, it should be named ifcfg-eth0
  14. Edit the new file for you interface and give it the following settings (or create a brand new file, might be easier than editing the old one):
    DEVICE="eth0"
    IPADDR="192.168.235.13"
    NETMASK="255.255.255.0"
    GATEWAY="192.168.235.1"
    HWADDR="52:54:00:3f:5c:fa" <-- DO NOT COPY THIS VALUE! Use MAC address for YOUR interface using: ifconfig eth0
    DNS1="192.168.235.1"
    BOOTPROTO="static"
    ONBOOT="yes"
    NM_CONTROLLED="yes"
    IPV6INIT="no"
  15. Save the file and then restart the network connection by issuing the commands: ifdown eth0 and then ifup eth0
  16. Verify your configuration as you did before.
  17. Restart the centos3 VM.
  18. Login and attempt to ssh to your matrix account to verify the settings.

Answer Part 4 observations / questions in your lab log book.

INVESTIGATION 2: VIRTUAL NETWORKING ENVIRONMENT TWEAKS AND OTHER USEFUL UTILITIES

Connecting a private network is an important task, but a system administrator also needs to "tweak" the network to make it convenient to use, make it safer from unauthorized access, and use troubleshooting utilities to help troubleshoot network connectivity problems as they occur. This investigation will expose you to some useful tricks and utilities to help accomplish this task.

NOTE: Lab 7 requires that you understand these concepts and have a good general understanding how to use these troubleshooting utilities (like netstat and iptables).


Part 1: Using Local Hostname Resolution

Note.png
Hosts files vs. the Domain Name System
On large public networks like the Internet or even large private networks we use a network service called Domain Name System (DNS) to resolve the human friendly hostnames like centos.org to the numeric addresses used by the IP protocol. On smaller networks we can use the /etc/hosts on each system to resolve names to addresses.

After setting up a private network, it can be hard to try to remember IP addresses. In this section, we will setup your network to associate easy-to-remember server names with IP ADDRESSES.

  1. Complete this investigation on all of your VMs and the c7host machine.
  2. Use the hostname and ifconfig commands on your c7host machine and all of your 3 VM's to gather the information needed to configure the /etc/hosts file on all of your Linux systems.
  3. Edit the /etc/hosts file on each of the virtual machines and host machine. Add the following contents to the bottom of the /etc/hosts file:

    192.168.235.1 c7host
    192.168.235.11 centos1
    192.168.235.12 centos2
    192.168.235.13 centos3

  4. Confirm that each host can ping all three of the other hosts by name.

Answer Part 1 observations / questions in your lab log book.

Part 2: Obtaining MAC (Hardware) addresses on Network Computers

Note.png
Obtaining Remote MAC Addresses
The term MAC address stands for Media Access Control address, which provides a unique ID to prevent confusion among computer systems within a network. While we use 32bit IP addresses to communicate over an internet, on the local ethernet network packets are delivered to a 48bit hardware address (sometimes called a MAC address). The ARP protocol resolves 32bit IP addresses to 48bit MAC addresses by using a broadcast and caching the results. We can examine the ARP cache to get the MAC addresses of other computers to solve problems involving MAC addresses (such as Wake Up on Lan).

When our CentOS system provides any services on a network, those services are accessible through a port number. All network services are configured to be accessed on a particular port number. By examining which ports are active on our system we can know what services (and points of attack) are available on our system. The ability to examine this information is important for troubleshooting network services and securing our systems. One great tool for this is the netstat command.

  1. Perform this section on your c7host machine.
  2. On the centos host ping each of your VM's
  3. Examine the contents of the ARP cache by using the command: arp
  4. Check the contents of the cache again by using the command: arp -n
  5. What was the difference in output? For what other command did the option -n have a similar effect?
  6. On your CentOS host execute the command: netstat -at
  7. This command will list all active TCP ports. Note the state of your ports.
  8. TCP is a connection oriented protocol that uses a handshaking mechanism to establish a connection. Those ports that show a state of LISTEN are waiting for connection requests to a particular service. For example you should see the ssh service in a LISTEN state as it is waiting for connections.
  9. From one of your VM's login to your host using ssh
  10. On the CentOS host rerun the command and in addition to the LISTEN port it should list a 2nd entry with a state of ESTABLISHED. This shows that there is a current connection to your ssh server.
  11. Exit your ssh connection from the VM and rerun the command on the CentOS host. Instead of ESTABLISHED it should now show a state of CLOSE_WAIT. Indicating that the TCP connection is being closed.
  12. On your CentOS host try the command netstat -atn. How is this output different?
  13. Without the -n option netstat attempts to resolve IP addresses to host names (using /etc/hosts) and port numbers to service names (using /etc/services)
  14. Examine the /etc/services file and find which ports are used for the services: ssh, sftp, http
  15. Now execute the command netstat -au What is the difference between the options: -at and -au?
  16. When examining UDP ports why is there no state?

Answer Part 2 observations / questions in your lab log book.


Part 3: Introduction to Firewalls: iptables

Note.png

Iptables is the built-in firewall for LINUXconsisting of a list of rules (or "tables of policies"). If data matches a specified policy, it must “jump” to an existing condition. Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.

When using iptables, the Filter table is important because it contains the following essential chains:

INPUT:
Data is checked against the INPUT chain to see if it is allowed into the PC.

OUTPUT:
Data is checked against the OUTPUT chain to see if it is allowed to go outside of the PC.

FORWARD:
PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another.

Since Linux servers may be connected to the Internet, it is very important to run a firewall to control what comes into the computer system, what goes out of the computer system, and what may be forwarded to another computer. Linux uses the command called iptables to set the firewall rules. Although graphical programs can be used to configure iptables, it is important for students of Linux Administration to learn how to use the iptables command for more complex and automated configuration via shell scripting.


  1. For the remainder of this section, use your c7host machine.
  2. As root on the CentOS host enter the following commands at the prompt:
    iptables -L
    iptables -F
  3. What did those commands issued above do? Refer to the manpages for iptables if not certain.
  4. Set the default policy for the INPUT chain to DROP by issuing the command:
    iptables -P INPUT DROP
  5. Now try on your own to change the default policies for the OUTPUT and FORWARD chains to DROP
  6. Write the commands you executed in your lab book.
  7. Can we mix these policies? Try to set the FORWARD chain policy to ACCEPT. Did it work?

Testing iptables Policies

  1. Execute the command iptables -L and check that the policies on your INPUT and OUTPUT chain are set to DROP
  2. Open a browser and attempt to access the Internet. Were you successful?
  3. Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
  4. Open your browser and attempt to access the Internet again. Were you successful?
  5. Change the policies on all of the chains to DROP
Note.png
Interpreting iptables commands
Here is the command you issue in step #15:
iptables -I OUTPUT  -p tcp -s0/0 -d 0/0 --dport 80 -j DROP

Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.

Let's break down the command to see how it works:

The -I switch tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a -A switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, -I 3 OUTPUT will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example).

The -p tcp switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all.

The -s0/0 switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC.

The -d0/0 switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.

The switch --dport 80 tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the --sport switch.

-j means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.

DROP means drop the packet – make it disappear - and do not continue processing rules. REJECT is similar, but causes an error packet to be sent back to the source host. ACCEPT causes the packet to be processed. LOG causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.

  1. In the OUTPUT chain, add the following rule:
    iptables -A OUTPUT -j LOG
  2. The above rule tells iptables to log packets and relevant information to /var/log/messages.
  3. This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.
  4. Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged. Let's have a look at the log file and analyze the data:
    tail /var/log/messages
  5. This command shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:
    Jun 24 12:41:26 c7host kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16442 DF PROTO=TCP SPT=57151 DPT=5902 WINDOW=1024 RES=0x00 ACK URGP=0
  6. Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value.
  7. When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?
  8. Using the commands we already know, change the default policies on all of your chains to ACCEPT.
  9. Open a browser and confirm that you can access the world wide web.
  10. Enter the command:
    iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP
  11. Try to access the Web. If you have done everything right, you should not have been successful.
  12. After you have completed the test execute the following command:
    iptables -F
  13. Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
  14. After you have completed this task, flush the iptables again.
  15. Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.
  16. Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.
  17. Confirm that your rule works by testing from your VM's
  18. Does iptables close the port? Check using netstat
  19. Now insert a rule on the CentOS host that would ACCEPT connections from the centos2 VM only.
  20. Fully test your configuration.

Making iptables Policies Persistent

It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded. When your iptables service starts or at boot time it has to load the rules from the file /etc/sysconfig/iptables-config.

The final section below teaches you to make your iptables settings permanent.

  1. Make a backup of the file /etc/sysconfig/iptables by issuing the command:
    iptables-save > /etc/sysconfig/iptables.bk
  2. To make the iptables rules persistent (i.e. keeps rules when system restarts), you issue the command:
    iptables-save > /etc/sysconfig/iptables
  3. Verify that the file /etc/sysconfig/iptables exists.
  4. Restart your iptables service and test your configuration.


Answer the Part 3 observations / questions in your lab log book.


LAB 6 SIGN-OFF (SHOW INSTRUCTOR)

Important.png
Time for a new backup, INCLUDING YOUR VIRTUAL HARD DRIVE!
If you have successfully completed this lab, make a new backup of your virtual machines.

Virtual hard-drives created lab5 are image files and may have data changed as a result of performing this lab. Therefore, you need to be backed up this hard disk image as well!.

Arrange proof of the following on the screen:

  1. centos2 VM:
    • Contents of /tmp/lab6 directory.
    • ssh from centos2 to the CentOS host
  2. All VMs:
    • ifconfig information
    • Contents of /etc/hosts file
  3. c7host machine
    • arp cache information
    • Contents of /etc/hosts file
    • Proof of backup
    • A list of your iptables rules
  4. Lab6 log-book filled out.

Practice For Quizzes, Tests, Midterm & Final Exam

  1. What is a port?
  2. What command will set your IP configuration to 192.168.55.22/255.255.255.0 ?
  3. What file contains the systems iptables rules?
  4. What is the difference between UDP and TCP?
  5. What port number is used for DHCP servers?
  6. What is the function of the file /etc/services ?
  7. What is the function of the file /etc/hosts ?
  8. What is the purpose of the file /etc/sysconfig/network-scripts/ifcfg-eth0 ?
  9. What tool is used to show you a list of current TCP connections?