|
|
(47 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | = THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
| + | [http://wiki.littlesvr.ca/wiki/OPS345_Lab_2 This page has moved.] |
− | | |
− | ''' The current schedule for OPS345 is here: [[OPS335_Weekly_Schedule]]
| |
− | | |
− | = AWS Networking =
| |
− | | |
− | The fundamentals you've learned about networking in your previous courses apply to AWS as well. The only difference from what you may be used to is that most of it is virtual in AWS. There are obviously still wires and cables and switches and routers, but their infrastructure has a layer of software on top to allow it to be more dynamic to deploy, configure, and use.
| |
− | | |
− | | |
− | | |
− | * VPCs, subnets
| |
− | * Default dynamic public IP
| |
− | * Default private network/IP
| |
− | * Reserving a static public IP under "Elastic IPs", cost of doing that
| |
− | * VPC dashboard:
| |
− | ** https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
| |
− | ** New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
| |
− | ** Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/25 (to fit inside the VPC but leave room for other subnets later)
| |
− | ** Edit subnet, enable auto-assign public IPv4 addresses
| |
− | ** Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
| |
− | ** Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
| |
− | * Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
| |
− | * Create a new VM named "router", in the new vpc/subnet, with primary IP 10.3.45.10 (first 4 addresses on AWS subnet are not usable), default storage, ops345sg.
| |
− | ** Follow the instructions in lab 1 to set up your user, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-all-aws-machines
| |
− | ** Note that "Auto-assign Public IP" is enabled by default, but don't change it.
| |
− | ** Wait till it starts, then go to "Elastic IPs" and associate an elastic IP with router. Call the elastic ip router_public_ip
| |
− | ** Name the network interface router-nic
| |
− | | |
− | = Firewalls =
| |
− | | |
− | * The purpose of a firewall on a server on the internet
| |
− | * AWS Security Groups and iptables
| |
− | | |
− | = iptables setup =
| |
− | | |
− | * Install iptables-services, then enable and start the service (same as you did in OPS245).
| |
− | * iptables fundamentals
| |
− | * Securing services that need to be publicly accessible
| |
− | | |
− | = Port forwarding SSH =
| |
− | | |
− | * Create another VM the same way as "router" but without the elastic IP. Call it www. Name the network interface www-nic and set a secondary private IP to 10.3.45.11
| |
− | ** We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
| |
− | * firewall:
| |
− | ** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
| |
− | ** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
| |
− | ** allow forwarding to www (or just remove default reject rule)<source>iptables -D FORWARD 1</source>
| |
− | ** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
| |
− | ** trubleshooting <source>iptables -I FORWARD -j LOG
| |
− | tail -f /var/log/messages </source>
| |
− | ** resulting firewall looks like this:<source>[root@router ~]# iptables -L -n
| |
− | Chain INPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
| |
− | ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
| |
− | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
| |
− | ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
| |
− | REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
| |
− | | |
− | Chain FORWARD (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | Chain OUTPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | [root@router ~]#
| |
− | [root@router ~]# iptables -L -n -t nat
| |
− | Chain PREROUTING (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2211 to:10.3.45.11:22
| |
− | | |
− | Chain INPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | Chain OUTPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | Chain POSTROUTING (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
| |
− | </source>
| |
− | * kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
| |
− | sysctl -p
| |
− | cat /proc/sys/net/ipv4/ip_forward</source>
| |
− | * test: <source>tcpdump -n -i eth0 port 2211</source>
| |
− | * aws:
| |
− | ** allow access to port 2211 in security group
| |
− | ** disable source/dest check for router in aws console (might not be necessary)
| |
− | * Save the iptables rules when it looks like they're working.
| |
− | | |
− | ~. will break out of locked up ssh session
| |
− | | |
− | = Private security group =
| |
− | | |
− | * Create a new security group "ops345sgprivate" to be used later for all VMs except the router.
| |
− | * Add an inbound rule for ssh from ops345sg only
| |
− | | |
− | [[Category:OPS345]]
| |