OPS345 Lab 2

4,561 bytes removed, 03:43, 28 February 2022
Replaced content with "[http://wiki.littlesvr.ca/wiki/OPS345_Lab_2 This page has moved.]"
= THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
'''The current schedule for OPS345 is here: [[OPS335_Weekly_Schedule]]'''

= AWS Networking =
* VPCs, subnets
* Default dynamic public IP
* Default private network/IP
* Reserving a static public IP under "Elastic IPs", cost of doing that
* VPC dashboard:
** https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
** New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
** Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/25 (to fit inside the VPC but leave room for other subnets later)
** Edit subnet, enable auto-assign public IPv4 addresses
** Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
** Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
* Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
* Create a new VM named "router", in the new vpc/subnet, with primary IP 10.3.45.10 (first 4 addresses on an AWS subnet are not usable), default storage, ops345sg.
** Follow the instructions in lab 1 to set up your user, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-all-aws-machines
** Note that "Auto-assign Public IP" is enabled by default, but don't change it.
** Wait till it starts, then go to "Elastic IPs" and associate an elastic IP with router. Call the elastic ip router_public_ip
** Name the network interface router-nic

= Firewalls =
* The purpose of a firewall on a server on the internet
* AWS Security Groups and iptables

= iptables setup =
* Install iptables-services, then enable and start the service (same as you did in OPS245).
* iptables fundamentals
* Securing services that need to be publicly accessible

= Port forwarding SSH =
* Create another VM the same way as "router" but without the elastic IP. Call it www. Set the private IP to 10.3.45.11
** We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
* firewall:
** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
** allow forwarding to www (or just remove the default reject rule) <source>iptables -D FORWARD 1</source>
** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
** troubleshooting <source>iptables -I FORWARD -j LOG
tail -f /var/log/messages</source>
** resulting firewall looks like this:
<source>
[root@router ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@router ~]#
[root@router ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
</source>
* kernel: <source>vi /etc/sysctl.conf
# add to the end:
net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward</source>
* test: <source>tcpdump -n -i eth0 port 2211</source>
* aws:
** allow access to port 2211 in the security group
** disable source/dest check for router in the aws console (might not be necessary)
* Save the iptables rules when it looks like they're working. ~. will break out of a locked-up ssh session

= Private security group =
* Create a new security group "ops345sgprivate" to be used later for all VMs except the router.
* Add an inbound rule for ssh from ops345sg only
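The "Port forwarding SSH" section above deletes the default FORWARD reject rule and then verifies the result by eye. The script below is an added example (not part of the OPS345 lab) that prints an equivalent rule set with a FORWARD allow scoped to www:22 instead of deleting the reject rule, and gives a check you can pipe the router's `iptables -t nat -L -n` output into to confirm the DNAT and MASQUERADE rules survived a save/reboot. It assumes the lab's addresses (www at 10.3.45.11, port 2211, interface eth0); the sample listing is constructed to match the lab's output.

```shell
#!/bin/sh
# Added example for the OPS345 port-forwarding step; not the lab's own code.
WWW_IP=10.3.45.11   # private IP of www from the lab
FWD_PORT=2211       # public port on router that forwards to www:22
WAN_IF=eth0         # router's internet-facing interface

# Print (not apply) the rules. The FORWARD entries are inserted at the top so
# they sit ahead of the default REJECT rule, and only tcp to www:22 is allowed,
# which is a tighter alternative to the lab's "iptables -D FORWARD 1".
forwarding_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $WWW_IP:22
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $WAN_IF -p tcp -d $WWW_IP --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Read "iptables -t nat -L -n" output on stdin; succeed only if both the DNAT
# rule to www:22 and the MASQUERADE rule are present.
check_nat_rules() {
  listing=$(cat)
  printf '%s\n' "$listing" | grep -q "^DNAT .*dpt:$FWD_PORT to:$WWW_IP:22" || return 1
  printf '%s\n' "$listing" | grep -q '^MASQUERADE' || return 1
  return 0
}

# Succeed only if the kernel forwarding switch reads 1. The optional argument
# is the sysctl file path, so the check can be exercised against a test file.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed sample, shaped like the router's nat table in the lab.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'

# On the router: forwarding_rules | sh; iptables -t nat -L -n | check_nat_rules
```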