Difference between revisions of "OPS705 Lab 6 (2211)"

From CDOT Wiki
m (Part 2: Editing Your IIS Website)
m (Chris.johnson moved page OPS705 Lab 6 to OPS705 Lab 6 (2211) without leaving a redirect)
 
(5 intermediate revisions by the same user not shown)
Line 35: Line 35:
 
# In the ''Actions'' menu column on the right, click '''Explore'''. This will open a new folder where your IIS web pages are stored.
 
# In the ''Actions'' menu column on the right, click '''Explore'''. This will open a new folder where your IIS web pages are stored.
 
# Right-click anywhere in that window, click '''New > Text Document'''. Name it '''index.html'''.
 
# Right-click anywhere in that window, click '''New > Text Document'''. Name it '''index.html'''.
# Open the text file, and write the same HTML code as Lab 5, changing the title tag to ''OPS705 IIS Web Server - Winter 2021''.
+
# Open the text file, and write the same HTML code as Lab 4, changing the title tag to ''OPS705 IIS Web Server - Winter 2021''.
 
# Refresh your browser page from ''Part 1''. You should see your new code.
 
# Refresh your browser page from ''Part 1''. You should see your new code.
 
# On your host computer, open a browser and navigate to the URL you used to remotely connect to your Windows Server VM. Unlike the Linux Server in Lab 5, the web page you created does not appear. We still have some work to do.
 
# On your host computer, open a browser and navigate to the URL you used to remotely connect to your Windows Server VM. Unlike the Linux Server in Lab 5, the web page you created does not appear. We still have some work to do.
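Review bot: Step 8 now points to Lab 4 for the HTML code, but step 10 in the same list still reads "Unlike the Linux Server in Lab 5". Check whether that reference should also change, so both steps agree on which lab produced the Linux-hosted web page.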
Line 54: Line 54:
 
# Save and quit vim.
 
# Save and quit vim.
 
# At the command prompt, run: <code>sysctl -p</code>
 
# At the command prompt, run: <code>sysctl -p</code>
 +
# Confirm you've properly enabled system-level forwarding with the following command: <code>sysctl net.ipv4.ip_forward</code>
 +
# The response from the command above should say '''net.ipv4.ip_forward = 1'''. If not, revisit the steps in Part 2.
  
 
== Part 3: Port Forwarding Using NAT ==
 
== Part 3: Port Forwarding Using NAT ==
Line 59: Line 61:
 
# Remote SSH into your Linux Server VM, and elevate to root.
 
# Remote SSH into your Linux Server VM, and elevate to root.
 
# Confirm you can access the web server on your Windows VM by running: <code>curl '''IP-address-from-step-1'''</code> If you see plain HTML code displayed, move to the next step.
 
# Confirm you can access the web server on your Windows VM by running: <code>curl '''IP-address-from-step-1'''</code> If you see plain HTML code displayed, move to the next step.
 +
# We're going to be working with the NAT table. Let's look at the NAT rules listing with the following command: <code>iptables -t nat -nvL --line</code>
 
# Set up a port forwarding rule so all requests to your Linux VM on port 8080 get sent to your Windows VM on port 80. Run the following: <code>iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination ''windows-server-ip-from-step-1'':80</code>
 
# Set up a port forwarding rule so all requests to your Linux VM on port 8080 get sent to your Windows VM on port 80. Run the following: <code>iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination ''windows-server-ip-from-step-1'':80</code>
 
# Set up NAT for all forwarded traffic: <code>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code>
 
# Set up NAT for all forwarded traffic: <code>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code>
 +
# Confirm your new NAT table rules with the command from Step 4.
  
 
== Part 4: Adding Forwarding Firewall Rule Exceptions ==
 
== Part 4: Adding Forwarding Firewall Rule Exceptions ==
 
# Create a firewall rule to allow forwarded traffic destined for TCP port 80: <code>iptables -A FORWARD -p tcp --dport 80 -j ACCEPT</code>
 
# Create a firewall rule to allow forwarded traffic destined for TCP port 80: <code>iptables -A FORWARD -p tcp --dport 80 -j ACCEPT</code>
 
# Create a firewall rule to allow forwarded traffic sent from TCP port 80: <code>iptables -A FORWARD -p tcp --sport 80 -j ACCEPT</code>
 
# Create a firewall rule to allow forwarded traffic sent from TCP port 80: <code>iptables -A FORWARD -p tcp --sport 80 -j ACCEPT</code>
# Watch your firewall rules and their packet counters with the following command: <code>watch iptables -nvL --line-numbers</code>
+
# Watch your firewall rules and their packet counters with the following command: <code>watch iptables -nvL --line</code>
 
# In a browser on your own computer, paste the URL for your Linux VM, adding ''':8080''' to the end of the address, then hit Enter.
 
# In a browser on your own computer, paste the URL for your Linux VM, adding ''':8080''' to the end of the address, then hit Enter.
 
# If you've done your work right, the Windows IIS web page should appear!
 
# If you've done your work right, the Windows IIS web page should appear!
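Review bot: The watch step in Part 4 changes --line-numbers to --line, and the new NAT listing step in Part 3 uses --line as well. That spelling works only because iptables accepts unambiguous prefixes of long options; the documented name is --line-numbers. Keep the full option in both steps so students can look it up in the man page.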
Line 75: Line 79:
 
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
 
Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:
 
# Browser window showing the Windows IIS page (on your computer, not displayed on your VM).
 
# Browser window showing the Windows IIS page (on your computer, not displayed on your VM).
# SSH session window with your iptables rules listed.
+
# SSH session window with your iptables rules listed. (Both normal and NAT rules)
  
 
Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.
 
Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.
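Review bot: In the added text "(Both normal and NAT rules)" on the second screenshot item, "normal" is not a table name a student can map to a command. Name the tables instead, for example "(both the filter table and the NAT table)", which matches the two listing commands used in the lab: iptables -nvL and iptables -t nat -nvL.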

Latest revision as of 23:50, 6 September 2021

LAB PREPARATION

Purpose / Objectives of Lab 6

In this lab, you will set up an IIS web server on your Windows Server VM, and learn how to set up port forwarding through your Linux Server VM to allow access to the IIS web server on the Internet.

If you encounter technical issues, please contact your professor via e-mail or in your section's Microsoft Teams group.

Minimum Requirements

Before beginning, you must have:

  1. Successfully completed Lab 5
  2. Watched the Week 6 video lecture
  3. Read through the Week 6 slides, and have them handy as a reference for concepts
  4. Your Azure-based Linux VM
  5. Your Azure-based Windows VM

INVESTIGATION 1: Setting Up An IIS Web Server

Setting up an Internet Information Services web server on an Azure VM is incredibly easy, especially in contrast to Lab 4's Apache setup.

Part 1: Installing IIS

  1. Spin up your Windows Server VM, and wait until it's fully started up.
  2. In the Azure blade for your Windows Server VM, click on the Manage artifacts item in the menu bar to the left.
  3. In this new window, click on the Apply artifacts button. This will bring you to the Add artifacts screen.
  4. In the Add artifacts search field, type IIS.
  5. Click on Internet Information Services (IIS) in the results listing, then click Add in the next window.
  6. You'll be returned to the Add artifacts window. Simply click OK.
  7. The Manage Artifacts window will return, and a new entry for Internet Information Services (IIS) will appear. Its status will cycle through Pending, Installing, and finally Succeeded.
  8. Remotely connect to your Windows Server, open a browser in the VM, and navigate to http://localhost. You should see the IIS default splash page. Congratulations!

Part 2: Editing Your IIS Website

  1. Connect to your VM remotely.
  2. In a new file explorer window, find the View menu item near the top, and click File name extensions.
  3. Open Server Manager and click on the Local Server menu bar option.
  4. Towards the top of the window, click Tools > Internet Information Services (IIS) Manager.
  5. In the new window in the Connections menu column on the left, expand the Sites folder and click on Default Web Site.
  6. In the Actions menu column on the right, click Explore. This will open a new folder where your IIS web pages are stored.
  7. Right-click anywhere in that window, click New > Text Document. Name it index.html.
  8. Open the text file, and write the same HTML code as Lab 4, changing the title tag to OPS705 IIS Web Server - Winter 2021.
  9. Refresh your browser page from Part 1. You should see your new code.
  10. On your host computer, open a browser and navigate to the URL you used to remotely connect to your Windows Server VM. Unlike the Linux Server in Lab 5, the web page you created does not appear. We still have some work to do.

INVESTIGATION 2: Routing Through Your Linux Server

In this investigation, you'll set up your Linux Server VM to forward requests to your Windows VM's IIS web server. This is an advanced topic. Reviewing the Week 5 and Week 6 material is highly recommended. The following investigation assumes you understand the concepts discussed in those lectures.

Part 1: Setting Up Your Firewall

  1. Remote SSH into your Linux Server VM.
  2. Replace firewalld with iptables: Lab 4 instructions
  3. Secure your firewall: Lab 4 instructions

Part 2: Enabling Forwarding on Your Linux Server

  1. Remote SSH into your Linux Server VM.
  2. Elevate to root.
  3. Use vim to open /etc/sysctl.conf
  4. Add the following line, making sure it's a new line and that it doesn't start with a # symbol: net.ipv4.ip_forward = 1
  5. Save and quit vim.
  6. At the command prompt, run: sysctl -p
  7. Confirm you've properly enabled system-level forwarding with the following command: sysctl net.ipv4.ip_forward
  8. The response from the command above should say net.ipv4.ip_forward = 1. If not, revisit the steps in Part 2.

Part 3: Port Forwarding Using NAT

  1. Remote into your Windows Server VM, open Command Prompt, and run ipconfig. Write down the 10.x.x.x IP address displayed.
  2. Remote SSH into your Linux Server VM, and elevate to root.
  3. Confirm you can access the web server on your Windows VM by running: curl IP-address-from-step-1. If you see plain HTML code displayed, move to the next step.
  4. We're going to be working with the NAT table. Let's look at the NAT rules listing with the following command: iptables -t nat -nvL --line
  5. Set up a port forwarding rule so all requests to your Linux VM on port 8080 get sent to your Windows VM on port 80. Run the following: iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination windows-server-ip-from-step-1:80
  6. Set up NAT for all forwarded traffic: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  7. Confirm your new NAT table rules with the command from Step 4.

Part 4: Adding Forwarding Firewall Rule Exceptions

  1. Create a firewall rule to allow forwarded traffic destined for TCP port 80: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
  2. Create a firewall rule to allow forwarded traffic sent from TCP port 80: iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
  3. Watch your firewall rules and their packet counters with the following command: watch iptables -nvL --line
  4. In a browser on your own computer, paste the URL for your Linux VM, adding :8080 to the end of the address, then hit Enter.
  5. If you've done your work right, the Windows IIS web page should appear!
  6. Review the packet count from your watch command in Step 3. Notice the new forward rules are working! Keep this in mind for troubleshooting.
  7. In your SSH session, use the keyboard combination Ctrl and c to halt the watch program.
  8. Now that you know your new rules work, save your new rules
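
The rules from Parts 3 and 4 can be checked from a saved rule dump as well as by eye. The script below is an added example, not part of the original lab: it audits iptables-save style text for the DNAT, MASQUERADE and FORWARD rules this lab creates, and flags FORWARD exceptions that are not limited to the Windows VM's address. The sample dump is constructed, 10.0.0.5 stands in for the 10.x.x.x address from Part 3, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the lab's port-forwarding rules.
# SAMPLE_RULES is constructed; 10.0.0.5 is a placeholder for the Windows VM's IP.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT'

# dnat_target RULES PORT: print the ip:port that PORT is DNATed to, if any.
dnat_target() {
    printf '%s\n' "$1" | sed -n \
      "s/^-A PREROUTING .*--dport $2 .*-j DNAT --to-destination \([0-9.]*:[0-9]*\).*/\1/p" |
      head -n 1
}

# audit_forwarding RULES PORT: one finding per line (OK / MISSING / BROAD).
audit_forwarding() {
    rules=$1
    target=$(dnat_target "$rules" "$2")
    if [ -z "$target" ]; then echo "MISSING dnat"; return 1; fi
    ip=${target%:*}; port=${target#*:}
    echo "OK dnat $2->$target"
    if printf '%s\n' "$rules" | grep -q -- '^-A POSTROUTING .*-j MASQUERADE'; then
        echo "OK masquerade"; else echo "MISSING masquerade"; fi
    # Requests need a FORWARD accept on --dport, replies one on --sport.
    for dir in "dport -d" "sport -s"; do
        opt=${dir% *}; addr=${dir#* }
        line=$(printf '%s\n' "$rules" |
               grep -- "^-A FORWARD .*--$opt $port .*-j ACCEPT" | head -n 1)
        if [ -z "$line" ]; then echo "MISSING forward-$opt"
        # iptables-save writes a single host as ip/32.
        elif printf '%s\n' "$line" | grep -qF -- " $addr $ip/32"; then
            echo "OK forward-$opt"
        else echo "BROAD forward-$opt (not limited to $ip)"; fi
    done
}

audit_forwarding "$SAMPLE_RULES" 8080
```

On the Linux VM, run it as root against the live rules with audit_forwarding "$(iptables-save)" 8080. The lab's own FORWARD rules are reported as BROAD because they accept forwarded port 80 traffic to or from any address, not only the Windows VM.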

Lab Submission

Submit to Blackboard full-desktop screenshots (PNG/JPG) of the following:

  1. Browser window showing the Windows IIS page (on your computer, not displayed on your VM).
  2. SSH session window with your iptables rules listed. (Both normal and NAT rules)

Your professor will review your page directly; the screenshots are a backup in case of catastrophic issues.

Your professor will not check your lab until the screenshots have been submitted.

Make sure to shut down your virtual machines when you're done!