OPS345 Lab 2

2,883 bytes added, 05:27, 20 September 2021
no edit summary
** Note that "Auto-assign Public IP" is enabled by default, but don't change it.
** Wait until it starts, then go to "Elastic IPs" and associate the elastic IP with the router.
** In AWS console go to the router/Networking, click on the network interface once, name it router-nic. Then click it, Manage IP addresses, add 10.3.45.10 (first 4 addresses on AWS subnet are not usable). This change requires a reboot.
= Firewalls =
= Port forwarding SSH =
* Create another VM the same way as "router" but without the elastic IP. Call it www. Name the network interface www-nic and set a secondary private IP of 10.3.45.11.
** We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
* Port forwarding firewall:
** iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
** Forward incoming TCP port 2211 packets to port 22 on www:
<source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
** Allow forwarding SSH to www:
<source>iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT</source>
** Don't recheck existing forwarded connections, including replies to accepted traffic:
<source>iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</source>
** Perform IP masquerading on eth0:
<source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
** Troubleshooting: log every forwarded packet, then watch the log (remove the LOG rule when done):
<source>iptables -I FORWARD -j LOG
tail -f /var/log/messages</source>
** The resulting firewall looks like this:
<source># iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.3.45.11           tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0</source>
* Checks on the router:
* kernel:
<source>vi /etc/sysctl.conf
# add to the end:
net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward</source>
* test:
<source>tcpdump -n -i eth0 port 2211</source>
* aws:
** allow access to port 2211 in the security group
** disable source/dest check for the router in the AWS console
* ~. will break out of a locked-up SSH session.
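As an added check that is not part of the lab, the POSIX shell function below parses the `iptables -L -n` and `iptables -t nat -L -n` output shown above and confirms the router implements exactly that design: a single DNAT from port 2211 to www:22, a FORWARD chain that accepts only established flows and SSH to www and ends in a catch-all REJECT/DROP, and MASQUERADE in POSTROUTING. The two embedded listings are constructed samples of the expected output; `audit_forwarding`, `chain_rules` and the variable names are my own.

```shell
#!/bin/sh
# Added audit helper (not part of the lab). On the router you would run:
#   audit_forwarding "$(iptables -L -n)" "$(iptables -t nat -L -n)"
WWW_IP="10.3.45.11"
EXT_PORT="2211"
# Constructed samples of the two listings (the router's expected state).
FILTER_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.3.45.11           tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'

# Print only the rule lines of one chain: $1 = listing text, $2 = chain name.
chain_rules() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain" { in_chain = ($2 == c); next }
        in_chain && NF > 0 && $1 != "target" { print }'
}

# Return 0 if the listings match the lab design, 1 (with a reason) otherwise.
audit_forwarding() {  # $1 = `iptables -L -n`, $2 = `iptables -t nat -L -n`
    # Exactly one DNAT, and it must map EXT_PORT to www:22.
    [ "$(chain_rules "$2" PREROUTING | grep -c '^DNAT')" -eq 1 ] || { echo "expected one DNAT rule"; return 1; }
    chain_rules "$2" PREROUTING | grep -q "^DNAT .*dpt:$EXT_PORT to:$WWW_IP:22" || { echo "DNAT target wrong"; return 1; }
    # FORWARD may accept only established flows and SSH to www, and must end in a catch-all REJECT/DROP.
    chain_rules "$1" FORWARD | awk -v ip="$WWW_IP" '
        $1 == "ACCEPT" && /RELATED,ESTABLISHED/ { next }
        $1 == "ACCEPT" && $2 == "tcp" && $5 == ip && $NF == "dpt:22" { next }
        ($1 == "REJECT" || $1 == "DROP") && $2 == "all" && $4 == "0.0.0.0/0" { closed = 1; next }
        { print "unexpected FORWARD rule: " $0; bad = 1 }
        END { if (!closed) print "FORWARD has no catch-all REJECT/DROP"; exit (bad || !closed) }' || return 1
    # Traffic from the private subnet leaving eth0 must be source-NATed.
    chain_rules "$2" POSTROUTING | grep -q '^MASQUERADE' || { echo "missing MASQUERADE"; return 1; }
}
```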