OPS345 Lab 2

From CDOT Wiki
Revision as of 03:09, 22 September 2021 by Andrew (talk | contribs) (AWS Networking)

THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE

The current schedule for OPS345 is here: OPS335_Weekly_Schedule

AWS Networking

  • VPCs, subnets
  • Default dynamic public IP
  • Default private network/IP
  • Reserving a static public IP under "Elastic IPs", and the cost of doing that (an Elastic IP that is allocated but not attached to a running instance is charged by the hour, so release the ones you stop using)
  • VPC dashboard:
    • https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
    • New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
    • Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/24 (to fit inside the VPC)
    • Edit subnet, enable auto-assign public IPv4 addresses
    • Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
    • Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
  • Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open (tcp 22 inbound; the lab leaves the source as anywhere, but narrowing it to your own address keeps the rest of the internet away from sshd).
  • Create a new VM named "router", in the new vpc/subnet.
    • Follow the instructions in lab 1, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-allmachines-key
    • Note that "Auto-assign Public IP" is enabled by default, but don't change it.
    • Wait till it starts, then go to "Elastic IPs" and associate elastic IP with router. Call the elastic ip router_public_ip
    • In the AWS console go to the router instance, Networking tab, click the network interface once and name it router-nic. Then click it, Manage IP addresses, and add 10.3.45.10 (the first four addresses and the last address of every AWS subnet are reserved, so 10.3.45.0 to 10.3.45.3 and 10.3.45.255 cannot be assigned). The instance must be rebooted before the operating system picks up the new address.
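The console steps above as an AWS CLI script. This is an added example, not part of the lab page. It assumes the CLI is configured for us-east-1, that the key pair ops345-allmachines-key already exists, and that AMI_ID and INSTANCE_TYPE are set to the image and size used in lab 1 (the placeholders below are assumptions, not values from the lab). It gives both instances a fixed primary private address at launch instead of adding a secondary one afterwards, and it turns the router's source/destination check off at creation, which the lab does later under the "aws" bullet of the port forwarding section. With DRY_RUN=1 it creates nothing and only prints the commands it would run.

```shell
#!/bin/sh
# Added example for OPS345 lab 2 (not from the lab page): the AWS Networking steps with the
# AWS CLI. Assumptions: CLI configured for us-east-1, key pair ops345-allmachines-key exists,
# AMI_ID and INSTANCE_TYPE point at the lab 1 image and size.
# DRY_RUN=1 prints each command instead of running it and returns a placeholder id.

VPC_CIDR=10.3.45.0/24
AZ=us-east-1a
ROUTER_IP=10.3.45.10
WWW_IP=10.3.45.11
KEY_NAME=ops345-allmachines-key
AMI_ID=${AMI_ID:-ami-REPLACE-ME}           # assumption: replace with the lab 1 AMI
INSTANCE_TYPE=${INSTANCE_TYPE:-t2.micro}   # assumption: the lab 1 instance size

# run: execute one aws command, printing what it returns (usually the new resource id).
# In dry-run mode print the command on stderr and return "dryrun-id" so later steps can chain.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "aws $*" >&2
        echo dryrun-id
    else
        aws "$@"
    fi
}

# tag_name ID NAME: set the Name tag the lab asks for on a resource
tag_name() {
    run ec2 create-tags --resources "$1" --tags "Key=Name,Value=$2" >/dev/null
}

# create_network: VPC, public subnet, internet gateway, route table, security group
create_network() {
    VPC_ID=$(run ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
    tag_name "$VPC_ID" vpc-ops345
    # one subnet that uses the whole VPC block, with public IPv4 auto-assign on
    SUBNET_ID=$(run ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "$VPC_CIDR" \
        --availability-zone "$AZ" --query Subnet.SubnetId --output text)
    tag_name "$SUBNET_ID" subnet-ops345
    run ec2 modify-subnet-attribute --subnet-id "$SUBNET_ID" --map-public-ip-on-launch >/dev/null
    # internet gateway attached to the VPC, default route through it, bound to the subnet
    IGW_ID=$(run ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
    tag_name "$IGW_ID" ops345-internet-gateway
    run ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID" >/dev/null
    RT_ID=$(run ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
    tag_name "$RT_ID" ops345-route-table
    run ec2 create-route --route-table-id "$RT_ID" --destination-cidr-block 0.0.0.0/0 \
        --gateway-id "$IGW_ID" >/dev/null
    run ec2 associate-route-table --route-table-id "$RT_ID" --subnet-id "$SUBNET_ID" >/dev/null
    # security group: only tcp/22 inbound (narrow --cidr to your own address if you can)
    SG_ID=$(run ec2 create-security-group --group-name ops345sg --description "OPS345 ssh only" \
        --vpc-id "$VPC_ID" --query GroupId --output text)
    run ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol tcp --port 22 \
        --cidr 0.0.0.0/0 >/dev/null
}

# launch_vm NAME PRIVATE_IP: one instance in subnet-ops345 with a fixed primary private address
launch_vm() {
    _id=$(run ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" \
        --subnet-id "$SUBNET_ID" --security-group-ids "$SG_ID" --key-name "$KEY_NAME" \
        --private-ip-address "$2" --query 'Instances[0].InstanceId' --output text)
    tag_name "$_id" "$1"
    echo "$_id"
}

# create_vms: router (elastic IP, source/dest check off so it may forward for www) and www
create_vms() {
    ROUTER_ID=$(launch_vm router "$ROUTER_IP")
    WWW_ID=$(launch_vm www "$WWW_IP")
    run ec2 wait instance-running --instance-ids "$ROUTER_ID" >/dev/null
    EIP_ALLOC=$(run ec2 allocate-address --domain vpc --query AllocationId --output text)
    tag_name "$EIP_ALLOC" router_public_ip
    run ec2 associate-address --instance-id "$ROUTER_ID" --allocation-id "$EIP_ALLOC" >/dev/null
    run ec2 modify-instance-attribute --instance-id "$ROUTER_ID" --no-source-dest-check >/dev/null
    echo "router=$ROUTER_ID www=$WWW_ID"
}

# usage: DRY_RUN=1 sh aws-ops345.sh create      (print the plan only)
#        AMI_ID=ami-... sh aws-ops345.sh create  (build it)
if [ "${1:-}" = create ]; then
    [ "${DRY_RUN:-0}" = 1 ] || [ "$AMI_ID" != ami-REPLACE-ME ] || { echo "set AMI_ID first" >&2; exit 1; }
    create_network
    create_vms
fi
```

Run it once with DRY_RUN=1 and read the printed commands against the bullet list before running it for real; the ids are placeholders in that mode, so the chaining (subnet into VPC, route into table, instances into subnet and group) is visible without touching the account.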

Firewalls

  • The purpose of a firewall on a server on the internet
  • AWS Security Groups and iptables

iptables setup

  • Install iptables-services, then enable and start the service (same as you did in OPS245).
  • iptables fundamentals
  • Securing services that need to be publicly accessible

Port forwarding SSH

  • Create another VM the same way as "router", but without the elastic IP. Call it www, name the network interface www-nic and set a secondary private IP of 10.3.45.11
    • We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
  • firewall:
    • iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
    • forward incoming tcp port 2211 packets to port 22 on www (the destination is rewritten before the routing decision, so every later chain sees 10.3.45.11:22, not port 2211)
      iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22
    • allow forwarding to www. Add this explicit rule rather than removing the default reject rule: without the reject at the end of FORWARD the router will forward anything to any host it can reach.
      iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT
    • don't recheck packets of connections that were already accepted, including the replies to them
      iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • perform ip masquerading. www has its own default route through the internet gateway, so without this it would answer the client directly, bypassing the router and the connection tracking entry the DNAT created. The price is that sshd on www sees every forwarded connection as coming from the router's address, not the real client.
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    • troubleshooting (this logs every packet that crosses the FORWARD chain to syslog; delete the rule when you are done)
      iptables -I FORWARD -j LOG
      tail -f /var/log/messages
    • rules entered this way live only in the running kernel; save them with the iptables service's save action (it writes /etc/sysconfig/iptables) or they will be gone after the next reboot.
    • resulting firewall looks like this:
      # iptables -L -n
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
      ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
      
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      ACCEPT     tcp  --  0.0.0.0/0            10.3.45.11           tcp dpt:22
      REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
      
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination         
      
      # iptables -t nat -L -n
      Chain PREROUTING (policy ACCEPT)
      target     prot opt source               destination         
      DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22
      
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination         
      
      Chain POSTROUTING (policy ACCEPT)
      target     prot opt source               destination         
      MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
  • kernel: turn on IPv4 forwarding, otherwise the DNATed packets are dropped instead of being passed to the FORWARD chain
    vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
    sysctl -p
    cat /proc/sys/net/ipv4/ip_forward # must print 1
  • test: watch the forwarded port on the router while you connect from your workstation with ssh on port 2211 of router_public_ip
    tcpdump -n -i eth0 port 2211
    If the packets arrive but you get no answer, check ip_forward, the FORWARD chain (the LOG rule above shows what is being rejected) and the source/dest check below.
  • aws:
    • allow access to port 2211 in security group
    • disable source/dest check for router in the AWS console (EC2 silently drops packets whose source or destination is not the instance's own address; everything the router forwards for www is exactly that)
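The whole router firewall from the bullets above in one place, as an added example that is not from the lab page: a script that renders the rules in iptables-restore format (the format iptables-services loads from /etc/sysconfig/iptables at boot), applies them atomically, saves them for the next boot, turns on forwarding, and can check that the forward is in place. It assumes, as the lab does, that the router's only interface is eth0, that www is 10.3.45.11 and that port 2211 is the forwarded port; the rules are the lab's, with the RELATED,ESTABLISHED rule first in FORWARD and the catch-all REJECT last, which is the order the hand-typed -I and -A commands produce when everything goes right.

```shell
#!/bin/sh
# Added example for OPS345 lab 2 (not from the lab page). Renders the router firewall from
# the "Port forwarding SSH" section as an iptables-restore file, the format iptables-services
# reads from /etc/sysconfig/iptables at boot, and can apply, persist and check it.
# Assumptions: the router's only interface is eth0, www is 10.3.45.11, port 2211 is forwarded.

WWW_IP=${WWW_IP:-10.3.45.11}
FWD_PORT=${FWD_PORT:-2211}
WAN_IF=${WAN_IF:-eth0}
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# render_rules: print the complete ruleset (both tables) in the order it must be loaded.
# Writing it as a file fixes the ordering, unlike typing -I and -A rules one at a time.
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# client -> router:$FWD_PORT is rewritten to www:22 before the routing decision
-A PREROUTING -p tcp --dport $FWD_PORT -j DNAT --to-destination $WWW_IP:22
# www must answer via the router, not straight to the client through the internet gateway
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# the router's own services: replies, ping, loopback and ssh; everything else rejected
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# forwarding: only new ssh connections to www (already DNATed) plus their follow-up packets;
# keep the final REJECT, removing it would let the router forward anything to anyone
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -d $WWW_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# apply_rules: load the ruleset atomically, save it for the next boot, enable forwarding.
apply_rules() {
    render_rules | iptables-restore
    render_rules > "$RULES_FILE"
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# check_rules: exit 0 only if the DNAT, the FORWARD accept and ip_forward are all in place.
check_rules() {
    iptables -t nat -C PREROUTING -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$WWW_IP:22" &&
    iptables -C FORWARD -p tcp -d "$WWW_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT &&
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# usage: sh router-fw.sh             (print the ruleset)
#        sudo sh router-fw.sh apply  (load, save, enable forwarding)
#        sudo sh router-fw.sh check  (exit status tells you whether the forward is set up)
case "${1:-}" in
    apply) apply_rules ;;
    check) check_rules ;;
    *) render_rules ;;
esac
```

Because the file replaces the whole ruleset each time it is loaded, a leftover LOG rule or a duplicated ACCEPT from earlier experiments cannot survive an apply, and `iptables -L -n` afterwards should match the listing shown above.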

~. typed at the start of a line will break out of a locked-up ssh session