Difference between revisions of "OPS345 Lab 2"

From CDOT Wiki
(Replaced content with "[http://wiki.littlesvr.ca/wiki/OPS345_Lab_2 This page has moved.]")
 
(56 intermediate revisions by the same user not shown)
= THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE =
[http://wiki.littlesvr.ca/wiki/OPS345_Lab_2 This page has moved.]
 
 
'''The current schedule for OPS345 is here: [[OPS335_Weekly_Schedule]]'''
 
 
 
= AWS Networking =
 
 
 
* VPCs, subnets
 
* Default dynamic public IP
 
* Default private network/IP
 
* Reserving a static public IP under "Elastic IPs", cost of doing that
 
* VPC dashboard:
 
** https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
 
** New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
 
** Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/25 (to fit inside the VPC but leave room for other subnets later)
 
** Edit subnet, enable auto-assign public IPv4 addresses
 
** Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
 
** Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
 
* Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
 
* Create a new VM named "router", in the new vpc/subnet, with primary IP 10.3.45.10 (first 4 addresses on AWS subnet are not usable), default storage, ops345sg.
 
** Follow the instructions in lab 1 to set up your user, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-all-aws-machines
 
** Note that "Auto-assign Public IP" is enabled by default, but don't change it.
 
** Wait till it starts, then go to "Elastic IPs" and associate an elastic IP with router. Call the elastic ip router_public_ip
 
** Name the network interface router-nic
 
 
 
= Firewalls =
 
 
 
* The purpose of a firewall on a server on the internet
 
* AWS Security Groups and iptables
 
 
 
= iptables setup =
 
 
 
* Install iptables-services, then enable and start the service (same as you did in OPS245).
 
* iptables fundamentals
 
* Securing services that need to be publicly accessible
 
 
 
= Port forwarding SSH =
 
 
 
* Create another VM the same way as "router" but without the elastic IP. Set the private IP to 10.3.45.11 during setup. Call it www. Name the network interface www-nic.
 
** We won't set it up as a web server in this lab; we just need something to forward SSH requests to.
 
* firewall:
 
** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
 
** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
 
** allow forwarding to www (or just remove default reject rule)<source>iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT</source>
 
** don't recheck existing forwarded connections, including replies to accepted traffic <source>iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</source>
 
** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
 
** troubleshooting <source>iptables -I FORWARD -j LOG
tail -f /var/log/messages</source>
 
** resulting firewall looks like this:<source># iptables -L -n
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT    all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT    tcp  --  0.0.0.0/0            10.3.45.11          tcp dpt:22
REJECT    all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination
DNAT      tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
</source>
 
* kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward</source>
 
* test: <source>tcpdump -n -i eth0 port 2211</source>
 
* aws:
 
** allow access to port 2211 in security group
 
** disable source/dest check for router in aws console
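
The check below is an added example, not part of the original lab. It audits ruleset text in <code>iptables-save</code> format for the four pieces the port forward above depends on, including rule order in the FORWARD chain. The function name <code>audit_forward</code> and both sample rulesets are constructed for illustration.

```shell
# Added example (not from the lab page): audit iptables-save text for the SSH forward.
# Constructed sample in iptables-save format, mirroring the rules shown in this lab.
GOOD_RULES='*nat
-A PREROUTING -p tcp -m tcp --dport 2211 -j DNAT --to-destination 10.3.45.11:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.3.45.11/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed failure case: an ACCEPT added with -A instead of -I lands after the REJECT.
BAD_RULES='*nat
-A PREROUTING -p tcp -m tcp --dport 2211 -j DNAT --to-destination 10.3.45.11:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.3.45.11/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_forward RULES LISTEN_PORT TARGET_IP TARGET_PORT
# Prints one line per problem; prints nothing when the forward is complete.
audit_forward() {
    printf '%s\n' "$1" | awk -v lp="$2" -v ip="$3" -v tp="$4" '
        substr($0, 1, 1) == "*" { table = substr($0, 2); next }
        table == "nat" && /^-A PREROUTING / && / -j DNAT / &&
            index($0, "--dport " lp " ") && $NF == (ip ":" tp) { dnat = 1 }
        table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ { masq = 1 }
        table == "filter" && /^-A FORWARD / {
            # Rules are matched top to bottom; nothing after a catch-all is reached.
            if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/) blocked = 1
            else if (!blocked && $0 ~ /--ctstate RELATED,ESTABLISHED .*-j ACCEPT/) ct = 1
            else if (!blocked && index($0, "-d " ip "/32 ") &&
                     index($0, "--dport " tp " ") && / -j ACCEPT/) acc = 1
        }
        END {
            if (!dnat) print "missing DNAT " lp " -> " ip ":" tp
            if (!acc)  print "no FORWARD ACCEPT for " ip ":" tp " ahead of the catch-all REJECT/DROP"
            if (!ct)   print "no conntrack RELATED,ESTABLISHED ACCEPT ahead of the catch-all REJECT/DROP"
            if (!masq) print "missing MASQUERADE in nat POSTROUTING"
        }'
}

audit_forward "$GOOD_RULES" 2211 10.3.45.11 22
audit_forward "$BAD_RULES" 2211 10.3.45.11 22
```

On the router, the live ruleset can be checked as root with <code>audit_forward "$(iptables-save)" 2211 10.3.45.11 22</code>.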
 
 
 
~. will break out of a locked-up SSH session
 

Latest revision as of 03:43, 28 February 2022