|
|
(61 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | = THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
| + | [http://wiki.littlesvr.ca/wiki/OPS345_Lab_2 This page has moved.] |
− | | |
− | ''' The current schedule for OPS345 is here: [[OPS335_Weekly_Schedule]]
| |
− | | |
− | = AWS Networking =
| |
− | | |
− | * VPCs, subnets
| |
− | * Default dynamic public IP
| |
− | * Default private network/IP
| |
− | * Reserving a static public IP under "Elastic IPs", cost of doing that
| |
− | * VPC dashboard:
| |
− | ** https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
| |
− | ** New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
| |
− | ** Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/24 (to fit inside the VPC)
| |
− | ** Edit subnet, enable auto-assign public IPv4 addresses
| |
− | ** Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
| |
− | ** Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
| |
− | * Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
| |
− | * Create a new VM named "router", in the new vpc/subnet.
| |
− | ** Follow the instructions in lab 1, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-allmachines-key
| |
− | ** Note that "Auto-assign Public IP" is enabled by default, but don't change it.
| |
− | ** Wait till it starts, then go to "Elastic IPs" and associate elastic IP with router. Call the elastic ip router_public_ip
| |
− | ** In AWS console go to the router/Networking, click on the network interface once, name it router-nic. Then click it, Manage IP addresses, add 10.3.45.10 (first 4 addresses on AWS subnet are not usable). This change requires a reboot.
| |
− | | |
− | = Firewalls =
| |
− | | |
− | * The purpose of a firewall on a server on the internet
| |
− | * AWS Security Groups and iptables
| |
− | | |
− | = iptables setup =
| |
− | | |
− | * Install iptables-services, then enable and start the service (same as you did in OPS245).
| |
− | * iptables fundamentals
| |
− | * Securing services that need to be publicly accessible
| |
− | | |
− | = Port forwarding SSH =
| |
− | | |
− | * Create another VM the same way as "router" but without the elastic IP. Call it www. Name the network interface www-nic and set a secondary private IP to 10.3.45.11
| |
− | ** We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
| |
− | * firewall:
| |
− | ** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
| |
− | ** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
| |
− | ** allow forwarding to www (or just remove default reject rule)<source>iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT</source>
| |
− | ** don't recheck existing forwarded connections, including replies to accepted traffic <source>iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</source>
| |
− | ** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
| |
− | ** trubleshooting <source>iptables -I FORWARD -j LOG
| |
− | tail -f /var/log/messages </source>
| |
− | ** resulting firewall looks like this:<source># iptables -L -n
| |
− | Chain INPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
| |
− | ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
| |
− | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
| |
− | ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
| |
− | REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
| |
− | | |
− | Chain FORWARD (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
| |
− | ACCEPT tcp -- 0.0.0.0/0 10.3.45.11 tcp dpt:22
| |
− | REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
| |
− | | |
− | Chain OUTPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | # iptables -t nat -L -n
| |
− | Chain PREROUTING (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2211 to:10.3.45.11:22
| |
− | | |
− | Chain INPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | Chain OUTPUT (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | | |
− | Chain POSTROUTING (policy ACCEPT)
| |
− | target prot opt source destination
| |
− | MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
| |
− | </source>
| |
− | * kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
| |
− | sysctl -p
| |
− | cat /proc/sys/net/ipv4/ip_forward</source>
| |
− | * test: <source>tcpdump -n -i eth0 port 2211</source>
| |
− | * aws:
| |
− | ** allow access to port 2211 in security group
| |
− | ** disable source/dest check for router in aws console
| |
− | | |
− | ~. will break out of locked up ssh session
| |