OPS345 Lab 2

From CDOT Wiki
Revision as of 21:12, 24 September 2021 by Andrew (talk | contribs) (Port forwarding SSH)
Jump to: navigation, search

THIS PAGE IS A DRAFT, NOT A REAL COURSE PAGE

The current schedule for OPS345 is here: OPS335_Weekly_Schedule

AWS Networking

  • VPCs, subnets
  • Default dynamic public IP
  • Default private network/IP
  • Reserving a static public IP under "Elastic IPs", cost of doing that
  • VPC dashboard:
    • https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
    • New VPC vpc-ops345 with CIDR block 10.3.45.0/24, no IPv6
    • Subnets: create a new one in vpc-ops345 named subnet-ops345, in us-east-1a, 10.3.45.0/25 (to fit inside the VPC but leave room for other subnets later)
    • Edit subnet, enable auto-assign public IPv4 addresses
    • Internet Gateway: Create ops345-internet-gateway, attach to vpc-ops345
    • Create new Route table ops345-route-table, add route for 0.0.0.0/0 through ops345-internet-gateway. Then add explicit subnet association to subnet-ops345
  • Create a new security group "ops345sg" in vpc-ops345 with only the SSH port open.
  • Create a new VM named "router", in the new vpc/subnet, with primary IP 10.3.45.10 (first 4 addresses on AWS subnet are not usable), default storage, ops345sg.
    • Follow the instructions in lab 1 to set up your user, except use the subnet-ops345 and ops345sg and assign private ip 10.3.45.10. Also create a new key called ops345-all-aws-machines
    • Note that "Auto-assign Public IP" is enabled by default, but don't change it.
    • Wait till it starts, then go to "Elastic IPs" and associate an elastic IP with router. Call the elastic ip router_public_ip
    • Name the network interface router-nic

Firewalls

  • The purpose of a firewall on a server on the internet
  • AWS Security Groups and iptables

iptables setup

  • Install iptables-services, then enable and start the service (same as you did in OPS245).
  • iptables fundamentals
  • Securing services that need to be publicly accessible

Port forwarding SSH

  • Create another VM the same way as "router" but without the elastic IP. Set the private IP to 10.3.45.11 during setup. Call it www. Name the network interface www-nic.
    • We won't set it up as a web server in this lab, we just need something to forward SSH requests to.
  • firewall:
    • iptables diagram source: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-firewall.html
    • forward incoming tcp port 2211 packets to port 22 on www 
      iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22
    • allow forwarding to www (or just remove default reject rule)
      iptables -I FORWARD -p tcp --dport 22 -d 10.3.45.11 -j ACCEPT
    • don't recheck existing forwarded connections, including replies to accepted traffic 
      iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • perform ip masquerading 
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    • trubleshooting 
      iptables -I FORWARD -j LOG
tail -f /var/log/messages
    • resulting firewall looks like this:
      # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            10.3.45.11           tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
  • kernel: 
    vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward
  • test: 
    tcpdump -n -i eth0 port 2211
  • aws:
    • allow access to port 2211 in security group
    • disable source/dest check for router in aws console

~. will break out of locked up ssh session

Retrieved from "https://wiki.cdot.senecapolytechnic.ca/w/index.php?title=OPS345_Lab_2&oldid=156174"