Difference between revisions of "OPS345 Lab 2"
(→Port forwarding SSH) |
|||
Line 41: | Line 41: | ||
** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html | ** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html | ||
** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source> | ** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source> | ||
− | ** allow forwarding to www (or just remove default reject rule)<source>iptables - | + | ** allow forwarding to www (or just remove default reject rule)<source>iptables -D FORWARD 1</source> |
− | |||
** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source> | ** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source> | ||
** trubleshooting <source>iptables -I FORWARD -j LOG | ** trubleshooting <source>iptables -I FORWARD -j LOG | ||
tail -f /var/log/messages </source> | tail -f /var/log/messages </source> | ||
− | ** resulting firewall looks like this:<source># iptables -L -n | + | ** resulting firewall looks like this:<source>[root@router ~]# iptables -L -n |
Chain INPUT (policy ACCEPT) | Chain INPUT (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
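Review bot: the new `iptables -D FORWARD 1` line deletes whichever rule happens to be first in FORWARD by position; on the fresh CentOS router that is the distro's default `REJECT all ... reject-with icmp-host-prohibited`, so after this step FORWARD has no rules and policy ACCEPT and the router forwards any traffic, not only port 2211 to www. Prefer an explicit accept inserted ahead of the reject (e.g. `iptables -I FORWARD -p tcp -d 10.3.45.11 --dport 22 -j ACCEPT` plus a RELATED,ESTABLISHED accept) and keep the REJECT. Also "trubleshooting" is misspelled, and the `-I FORWARD -j LOG` rule logs every forwarded packet, so say that it should be deleted once the problem is found.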
Line 57: | Line 56: | ||
Chain FORWARD (policy ACCEPT) | Chain FORWARD (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
− | |||
− | |||
− | |||
Chain OUTPUT (policy ACCEPT) | Chain OUTPUT (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
− | + | [root@router ~]# | |
− | # iptables | + | [root@router ~]# iptables -L -n -t nat |
Chain PREROUTING (policy ACCEPT) | Chain PREROUTING (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
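Review bot: the updated listing shows "Chain FORWARD (policy ACCEPT)" with no rules at all, which is the visible consequence of the `-D FORWARD 1` step; the text next to the listing should say plainly that the router now forwards everything, so students recognise this as a temporary state rather than the goal. The prompt change to `[root@router ~]#` is good because it makes clear which host the listing comes from; it would also help to note that port 2211 never reaches INPUT because the DNAT in PREROUTING happens before the routing decision, which is why only FORWARD matters for the forwarded flow.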
Line 77: | Line 73: | ||
Chain POSTROUTING (policy ACCEPT) | Chain POSTROUTING (policy ACCEPT) | ||
target prot opt source destination | target prot opt source destination | ||
− | MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 | + | MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 |
</source> | </source> | ||
* kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1 | * kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1 | ||
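Review bot: the POSTROUTING `MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0` rule source-NATs everything leaving eth0, not just the forwarded SSH flow; that is what makes www send its replies back through router (www sees 10.3.45.10 as the client), but it also means www's sshd logs will show the router's address instead of the real client. Restrict the rule to the forwarded flow (`-p tcp -d 10.3.45.11 --dport 22`) so unrelated forwarded traffic is not rewritten, and mention the logging trade-off next to the rule. The `vi /etc/sysctl.conf` line should also say that `sysctl -p` is what applies the change without a reboot.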
Line 85: | Line 81: | ||
* aws: | * aws: | ||
** allow access to port 2211 in security group | ** allow access to port 2211 in security group | ||
− | ** disable source/dest check for router in aws console | + | ** disable source/dest check for router in aws console (might not be necessary) |
+ | * Save the iptables rules when it looks like they're working. | ||
~. will break out of locked up ssh session | ~. will break out of locked up ssh session |
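Review bot: "(might not be necessary)" on the source/dest check line leaves the reader to experiment; with MASQUERADE in place every packet router emits carries 10.3.45.10 as its source, and the DNAT'd packets are addressed to www's own interface, so the check should pass in this setup. State what was actually observed. The new "Save the iptables rules" line should name the command that the iptables-services package provides (`service iptables save`, which writes /etc/sysconfig/iptables); without it the rules are gone after a reboot.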
Revision as of 21:37, 24 September 2021
THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE
The current schedule for OPS345 is here: OPS335_Weekly_Schedule
AWS Networking
- VPCs, subnets
- Default dynamic public IP
- Default private network/IP
- Reserving a static public IP under "Elastic IPs", cost of doing that
- VPC dashboard:
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
- New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
- Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/25 (to fit inside the VPC but leave room for other subnets later)
- Edit subnet, enable auto-assign public IPv4 addresses
- Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
- Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
- Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
- Create a new VM named "router", in the new vpc/subnet, with primary IP 10.3.45.10 (first 4 addresses on AWS subnet are not usable), default storage, ops345sg.
- Follow the instructions in lab 1 to set up your user, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-all-aws-machines
- Note that "Auto-assign Public IP" is enabled by default, but don't change it.
- Wait till it starts, then go to "Elastic IPs" and associate an elastic IP with router. Call the elastic ip router_public_ip
- Name the network interface router-nic
Firewalls
- The purpose of a firewall on a server on the internet
- AWS Security Groups and iptables
iptables setup
- Install iptables-services, then enable and start the service (same as you did in OPS245).
- iptables fundamentals
- Securing services that need to be publicly accessible
Port forwarding SSH
- Create another VM the same way as "router" but without the elastic IP. Call it www. Name the network interface www-nic and set a secondary private IP to 10.3.45.11
- We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
- firewall:
- iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
- forward incoming tcp port 2211 packets to port 22 on www
iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22
- allow forwarding to www (or just remove default reject rule)
iptables -D FORWARD 1
- perform ip masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- troubleshooting (log every forwarded packet, then watch the log)
iptables -I FORWARD -j LOG
tail -f /var/log/messages
- resulting firewall looks like this:
[root@router ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@router ~]#
[root@router ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
- kernel:
vi /etc/sysctl.conf   # add to the end: net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward
- test:
tcpdump -n -i eth0 port 2211
- aws:
- allow access to port 2211 in security group
- disable source/dest check for router in aws console (might not be necessary)
- Save the iptables rules when it looks like they're working.
~. (tilde then period, typed at the start of a line) will break out of a locked-up ssh session
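The same port forward as the steps above, written as an added example (not the lab page's own commands) so that the FORWARD chain keeps its default REJECT and accepts only the SSH flow to www, with a check that flags the wide-open FORWARD chain the lab's `-D FORWARD 1` step produces. It assumes eth0 is the public interface and that the distro's REJECT is still the last FORWARD rule; the listings inside it are constructed from the lab's output.

```shell
#!/bin/sh
# Added example for the OPS345 lab (not the course page's own code): same port
# forward, but FORWARD accepts only the SSH flow to www instead of `iptables -D
# FORWARD 1`, which deletes the default REJECT and leaves FORWARD open. Assumed:
# WAN_IF is eth0 and the distro's REJECT is still the last FORWARD rule.
WAN_IF="${WAN_IF:-eth0}"; WWW_IP="${WWW_IP:-10.3.45.11}"; FWD_PORT="${FWD_PORT:-2211}"

# Dry run: print the commands so they can be reviewed before they touch the router.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $WWW_IP:22
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -p tcp -d $WWW_IP --dport 22 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Apply as root and persist with iptables-services (keep net.ipv4.ip_forward = 1
# in /etc/sysctl.conf as the lab does, so forwarding also survives a reboot).
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    forward_rules | while IFS= read -r cmd; do eval "$cmd" || exit 1; done && service iptables save
}

# Audit an `iptables -L -n` listing read on stdin. Returns 1 when FORWARD is empty
# with policy ACCEPT, has no ACCEPT for the SSH flow, or lacks a final REJECT/DROP.
audit_forward_chain() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | awk '/^Chain FORWARD/ {gsub(/[()]/, ""); print $4}')
    rules=$(printf '%s\n' "$listing" |
        awk '/^Chain FORWARD/ {f=1; next} /^Chain / {f=0} f && NF && $1 != "target"')
    if [ -z "$rules" ] && [ "$policy" = "ACCEPT" ]; then
        echo "FORWARD is empty with policy ACCEPT: the router forwards anything"; return 1
    elif ! printf '%s\n' "$rules" | grep -q 'dpt:22'; then
        echo "no FORWARD rule accepts the SSH flow to www"; return 1
    elif [ "$policy" = "ACCEPT" ] && ! printf '%s\n' "$rules" | tail -n 1 | grep -Eq '^(REJECT|DROP)'; then
        echo "FORWARD neither drops by policy nor ends in REJECT/DROP"; return 1
    fi
    echo "FORWARD only forwards the SSH flow to www"
}

# Constructed listings: the FORWARD chain the lab ends up with, and the hardened one.
lab_listing() { printf 'Chain FORWARD (policy ACCEPT)\ntarget prot opt source destination\n\nChain OUTPUT (policy ACCEPT)\n'; }
hardened_listing() {
    printf 'Chain FORWARD (policy ACCEPT)\ntarget prot opt source destination\n'
    printf 'ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED\n'
    printf 'ACCEPT tcp -- 0.0.0.0/0 10.3.45.11 tcp dpt:22 state NEW\n'
    printf 'REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited\n\nChain OUTPUT (policy ACCEPT)\n'
}
```

Run `forward_rules` first to review the commands, `apply_rules` as root to install and save them, and `iptables -L -n | audit_forward_chain` afterwards to confirm FORWARD is not left wide open.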