Ops535-online-lab-routing

From CDOT Wiki
Revision as of 21:40, 16 March 2021 by Rchan (talk | contribs) (OS Configuration)

Objectives:

  • Learn and respect the DOs and DON'Ts in the OPS535 Virtual Lab
  • Learn how to use the VMware ESXi web console to access your VMs
  • Configure VMs and routing in your Virtual LAN segment for building and testing web services (e.g. DNS, and SMTP)

Background and Overview

OPS535 Virtual-lab

This is a learning environment created for students taking OPS535 to learn how to configure and secure Internet services. Although the virtual-lab is secured and protected by the perimeter layer of the college network with user authentication and firewalls, the VMs in the virtual-lab are deliberately not hardened at the beginning, to facilitate learning. Therefore, please follow the DOs and DON'Ts listed below to maintain a healthy and enjoyable learning environment for everyone here.

DOs

  • Try your best to secure the VMs assigned to you by hardening the OS, Internet services, application programs as much as possible.
  • Regular users should be given access permissions on an as-needed basis.
  • Report any irregularities as soon as possible to your professor and shut down your affected VM(s) if it is appropriate and necessary to do so.
  • Only use and test accounts and servers you have been assigned. Testing should never affect other users.

DON'Ts

  • Don't perform any actions/activities that could harm the reliability or integrity of any services and data on the machines in the virtual-lab. Examples of harmful activities that are not permitted include, but are not limited to: brute forcing, denial of service (DoS), flooding, etc.
  • Don't use scanners or automated tools on any network devices in the virtual-lab without written permission from the owner AND your professor.
  • If you are not sure whether you should perform a certain action, then the answer is DON'T do it.

Virtual Hardware of, and Software installed on each VM

  • Please refer to the output from your baseline information collection script given to you on Blackboard.

Configuration

OS Configuration

  • OS Configuration:
    • Do not install any software packages that are not needed.
    • Do not run any unnecessary server service.
  • Security Configuration:
    • iptables/firewalld services:
      • VM1: iptables (do not perform any NAT at this stage)
      • VM2-VM4: firewalld enabled
    • SELinux: in enforcing mode
  • Identification and authorization: verify and confirm that you have the "student" and your "Seneca user name" accounts. Make sure that both accounts allow you to ssh from matrix without being prompted for a login password.
Later labs and assignments will specify what additional software packages and services should be installed, activated, and enabled.

Network Configuration

Network Diagram

Please use this SPR500 Virtual-lab Network Diagram to work out the necessary network configuration so that all your VMs are reachable from all other VMs (i.e. all the VMs in our SPR500 Virtual-lab using the 192.168.x.y address space). Click here for a more detailed network diagram for the routing configuration.
Sample routing scripts (for reference only, do not use them as is) can be found here.
IMPORTANT: All the IP addresses 172.16.x.y (where 172.16.x is your network number, and y is the host part of the IP address) are assigned to your VMs by the DHCP server in the SPR500 Virtual-lab. This range of IP addresses is normally assigned to the virtual network adaptor named ens192 (may be changed in future) on each VM. Please do not change these IP addresses; otherwise, you will cut the VM off from the network and you won't be able to ssh back into it again.

Gateway VM Configuration

The VM1 on each student's LAN segment has three virtual network adaptors: ens192, ens224, and ens256, and will be used as the gateway. All incoming network traffic to the 192.168.x.0/24 network (i.e. to VM2, VM3 and VM4) must go through your gateway. The three virtual network adaptors on VM1 are 'wired' for the following purposes:
  • ens192 for connecting to the Internet and also for gateway to gateway connection within the SPR500 Virtual Lab
  • ens224 for connecting to the other three VMs to form a local area private network
  • ens256 for connecting your gateway to an administrative network which includes other gateways and the course lab server.
    • leave the 172.16.x.y IP address that is assigned to your gateway's (VM1) ens192 intact. Do not change it.
    • assign 192.168.x.1/24 to its ens224 virtual network adapter.
    • We will configure the ens256 interface in a later lab.

VMs Configuration

Other than VM1, the other three VMs on each student's LAN segment have two virtual network adaptors: ens192 and ens224. They are 'wired' for the following purposes:
  • ens192 for initial ssh login and as an emergency backdoor.
  • ens224 for normal local area private network connection.
    • Leave the 172.16.x.y IP address that is assigned to your VMs (VM2, VM3, and VM4) on ens192 intact. Do not change it.
    • assign 192.168.x.y (y = 2, 3, 4 correspondingly for VM2, VM3, VM4) to each VM's ens224 virtual network adaptor.

Routing configuration

On your gateway VM (VM1)

There are thirty network segments in the SPR500 Virtual Lab; each LAN segment should use the private network address space 192.168.x.0/24 for local traffic. VMs in each local LAN segment should be reachable from the other LAN segments in the lab via the gateway, using the IP address 172.16.x.1. The value of x ranges from 1 to 30.
  • On each VM in your LAN segment, add a route for each LAN segment in the lab. You may need to add a maximum of 29 routes in order to reach the other 29 LAN segments managed by your classmates. You DO NOT need a route to your own LAN segment.
  • Use the command "route add -net 192.168.x.0 netmask 255.255.255.0 gw 172.16.x.1" for each network x that you want to reach. Replace x with the actual value when running the route command.
  • Use the "route -n" command or "netstat -rn" command to check your current kernel routing table.

On each VM

  • Use the command "route -n" or "netstat -rn" to verify the default route in all your VMs' kernel routing table. It should point to 172.16.255.1. Report to your professor if it is not.
  • Add route(s) to each virtual LAN segment y managed by your classmates (talk to your classmates to find out their assigned network numbers) using 192.168.x.1 as the gateway (different from the default gateway) in each of your VMs.
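The two routing rules above (gateway VM1 routes via each classmate's 172.16.y.1; VM2-VM4 route via your own 192.168.x.1) can be generated mechanically. This is an added example, not the course's sample routing script: it only prints the route commands for review, and assumes the role name and network number are passed as arguments.

```shell
#!/bin/sh
# Print (do not apply) the route commands one VM needs to reach the other
# 29 LAN segments. ROLE is "gateway" (VM1) or "vm" (VM2-VM4); X is your own
# network number (1-30). Review the output, then run it as root.
#   gateway: 192.168.y.0/24 via that segment's gateway external address 172.16.y.1
#   vm:      192.168.y.0/24 via your own gateway's internal address 192.168.x.1
#            (not via the default gateway 172.16.255.1)
gen_routes() {
    role=$1
    x=$2
    case "$x" in
        ''|*[!0-9]*) echo "network number must be 1-30" >&2; return 1 ;;
    esac
    if [ "$x" -lt 1 ] || [ "$x" -gt 30 ]; then
        echo "network number must be 1-30" >&2
        return 1
    fi
    case "$role" in
        gateway|vm) ;;
        *) echo "role must be gateway or vm" >&2; return 1 ;;
    esac
    y=1
    while [ "$y" -le 30 ]; do
        # no route is needed for your own segment: it is directly connected
        if [ "$y" -ne "$x" ]; then
            if [ "$role" = gateway ]; then
                gw="172.16.$y.1"
            else
                gw="192.168.$x.1"
            fi
            echo "route add -net 192.168.$y.0 netmask 255.255.255.0 gw $gw"
        fi
        y=$((y + 1))
    done
}

# usage: sh routes.sh gateway 5      (or: sh routes.sh vm 5)
if [ $# -ge 2 ]; then
    gen_routes "$@"
fi
```

Compare the printed list against "route -n" afterwards; the number of 192.168.y.0 entries on each VM should be 29.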

Network Connectivity Testing

Pair up with one of the members in your group who has completed the routing configuration. The following steps assume that your network number is "x" and his/her network number is "y". Perform the following tests with him/her:

  1. Ping from your gateway to his/her gateway's external IP address: 172.16.y.1. Move on to the next step if the result is positive.
  2. Ping from your gateway to his/her gateway's internal IP address: 192.168.y.1. Move on to the next step if the result is positive.
  3. Ping from your VM to your gateway's internal IP address: 192.168.x.1. Move on to the next step if the result is positive. (from VM2, VM3, VM4, one at a time, same below)
  4. Ping from your VM to your gateway's external IP address: 172.16.x.1. Move on to the next step if the result is positive.
  5. Ping from your VM to his/her gateway's external IP address: 172.16.y.1. Move on to the next step if the result is positive.
  6. Ping from your VM to his/her gateway's internal IP address: 192.168.y.1. Move on to the next step if the result is positive.
  7. Ping from your VM to his/her VM's IP address: 192.168.y.z. (z: 2,3,4)
  8. Ask your partner to repeat the same steps above.

If any of the tests mentioned above failed, you need to check the IP address assignment and/or the routing configuration on all VMs (yours and your partner's) and fix any mistakes until all the tests mentioned above are successful. Make sure that netfilter is not blocking the traffic.
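The eight steps above can be run in order, stopping at the first failure so you know which address or route to check. This is an added helper, not part of the lab page: it assumes the Linux ping(8) options -c and -W, and takes the role ("gateway" for VM1, "vm" for VM2-VM4 one at a time), your network number x and your partner's y as arguments.

```shell
#!/bin/sh
# Ordered ping targets for one side of the test. Address first, then a label,
# so "read -r addr label" keeps the whole label.
targets() {
    role=$1; x=$2; y=$3
    case "$role" in
        gateway)
            echo "172.16.$y.1 partner gateway external"     # step 1
            echo "192.168.$y.1 partner gateway internal" ;; # step 2
        vm)
            echo "192.168.$x.1 own gateway internal"        # step 3
            echo "172.16.$x.1 own gateway external"         # step 4
            echo "172.16.$y.1 partner gateway external"     # step 5
            echo "192.168.$y.1 partner gateway internal"    # step 6
            for z in 2 3 4; do                              # step 7
                echo "192.168.$y.$z partner VM$z"
            done ;;
        *) echo "role must be gateway or vm" >&2; return 1 ;;
    esac
}

# Ping each target once; stop at the first failure and say what to check.
run_tests() {
    step=0
    targets "$@" | while read -r addr label; do
        step=$((step + 1))
        if ping -c 1 -W 2 "$addr" >/dev/null 2>&1; then
            echo "OK      $label ($addr)"
        else
            echo "FAILED  $label ($addr)" >&2
            echo "check IP assignment and routes on both sides (route -n)," \
                 "and that netfilter is not blocking ICMP" >&2
            return 1
        fi
    done
}

# usage: sh conntest.sh vm 5 7   (x=5 is yours, y=7 is your partner's)
if [ $# -ge 3 ]; then
    run_tests "$@"
fi
```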

Completing the Lab

  • On your gateway (the one with 3 network adaptors), generate a public/private RSA key pair for SSH under your regular user account. Copy the public key to each of your VMs to enable passwordless SSH sessions. Copy your public key to a file named [student_id].pub and upload it to Blackboard. Make sure to secure your private key.
  • Provide evidence to show that you have the following, in a PDF file named "student_id-lab2-ss.pdf":
    • your VMs have connectivity to your partner's VMs.
    • a screen shot of the generation of your public/private key pair.
  • Capture the output of the commands "sestatus", "ip addr", "ip route", and "iptables -L -v -n" on your gateway to a text file named "student_id-lab2.txt". Please add an appropriate heading to each section in the text file.
  • Note: replace "student_id" with your actual Seneca user name.
  • Upload the pdf, pub, and txt file to blackboard by the due date.