OPS245 Lab 7

238 bytes added, 12:02, 7 August 2022
Part 3: Making iptables Policies Persistent
:'''Perform the following steps:'''
Some tasks in this part of the investigation '''require you to be connected to Seneca's VPN'''.
*If you are running your installation through VMWare, then you can use [https://insidestudents.senecacollege.ca/itsspaces/186/it-services/wiki/view/1025/student-vpn/studentvpn.html the instructions provided by ITS] to connect to it from your Windows machine (your c7host and its nested VMs will use the VPN through the Windows machine without further configuration).
*If you installed your c7host '''directly onto a machine without using VMWare''' as an intermediary (or the steps above do not work for you), use the following instructions:
::*Install the package openconnect
::*Run the following command as root (or with sudo): openconnect --protocol=gp studentvpn.senecacollege.ca -b
# Switch to your '''c7host''' VM.
# In the current directory on your c7host machine, create a file called '''myfile.txt''' containing some text.
# Ensure you've successfully connected to the VPN required for Matrix (https://inside.senecacollege.ca/its/services/vpn/studentvpn.html). Then issue the following command (using your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">scp &nbsp; myfile.txt &nbsp; yourmatrixid@matrix.senecacollege.ca:/home/yourmatrixid</span></code></b><br>(followed by your Matrix password)<br>What did this command do?
# Issue the following single command (arguments are separated by a space - use your Matrix login id):<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; yourmatrixid@matrix.senecacollege.ca &nbsp; ls /home/yourmatrixid/myfile.txt</span></code></b><br>(followed by your Matrix password)<br>What did this command do?<br>Issue the following Linux command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">ssh &nbsp; yourmatrixid@matrix.senecacollege.ca &nbsp; cat /home/yourmatrixid/myfile.txt</span></code></b><br>How do these commands differ from issuing the ssh command without the ls or cat command? How is this useful?<br><br>The client ssh application contains the utilities: '''ssh''', '''scp''' and '''sftp''' (learned in ULI101) to connect to remote Linux servers in order to issue commands or transfer files between Linux servers. You can install the SSH service on your Linux server, although this has already been performed upon installation. We will now confirm that the ssh service is running on all of your VMs.<br><br>
# OpenSSH should have been installed by default. Let's confirm this by issuing the command:<br /> <b><code><span style="color:#3366CC;font-size:1.2em;">rpm -qa | grep ssh</span></code></b>
# You should see a number of packages installed including <b>openssh-clients</b> and <b>openssh-server</b>
<pre style="font-family:monospace;background-color:white;border-style:none;padding-left:50px;">
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yoursenecaid/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter passphrase again:
Your public key has been saved in /home/yoursenecaid/.ssh/id_rsa.pub.
The key fingerprint is:
ef:de:31:67:f7:15:a4:43:39:15:5d:78:1b:e8:97:74 yoursenecaid@centos2
The key's randomart image is:
+--[ RSA 2048]----+
</pre>
# Delete the rule in the INPUT chain that allows ICMP traffic from <b>anyone</b>, and replace it with one that only allows ssh traffic sent by your other machine.
# Delete the rule in your '''INPUT''' and '''FORWARD''' chains that '''REJECT'''s any traffic you haven't '''ACCEPT'''ed. You are better protected by the default '''DROP''' policy you set.
#To make the iptables rules '''persistent''' (i.e. the rules are kept when the system restarts), issue the command: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo sh -c 'iptables-save > /etc/sysconfig/iptables'</span></code></b> (NOTE: the redirection is set up by your own shell before sudo runs the command, so it does not get the elevated sudo privileges; wrapping the whole command in 'sh -c' makes the redirection happen inside the root shell.)<!-- [Ahad Mammadov] Added sh -c to skip the next step, and kept it here in case it's needed to be restored#You will notice that even when running the command with sudo, it isn't letting you write to <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/sysconfig/iptables</span></code></b>. Use <b><code><span style="color:#3366CC;font-size:1.2em;">sudo -i</span></code></b>, then try to save them again.When done, log out of root user (exit sudo).-->
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Restart your iptables service and test your configuration.
# Make certain ALL of your VMs are running.
# Switch to your '''c7host''' VM and change to your user's '''bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget https://raw.githubusercontent.com/OPS245/labs/main/lab7-check.bash</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script. If there are any warnings, make fixes and re-run the shell script until you receive the "congratulations" message.
#Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
#Upload a screenshot of proof from the previous step, along with your logbook, and the file generated by '''lab7-check.bash'''.
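
The following is an added example, not part of the original lab or of lab7-check.bash: a self-check for the Part 3 iptables steps that reads an <code>iptables-save</code> dump (such as <code>/etc/sysconfig/iptables</code>) and reports anything that contradicts those steps. The function name <code>audit_rules</code>, the sample rulesets and the address 192.168.245.12 are constructed for illustration, and a DROP policy on both INPUT and FORWARD is assumed.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the Part 3 goals.
# audit_rules [FILE] reads FILE (or stdin), prints one finding per line,
# and returns 0 only when there are no findings.
audit_rules() {
    findings=$(awk '
        /^:(INPUT|FORWARD) / {          # policy line, e.g. ":INPUT DROP [0:0]"
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") print chain " policy is " $2 ", expected DROP"
        }
        /^-A (INPUT|FORWARD) / && / -j REJECT/ { print $2 " still has a REJECT rule: " $0 }
        /^-A INPUT / && / -p icmp/ && / -j ACCEPT/ && !/ -s / { print "INPUT accepts ICMP from anyone: " $0 }
        /^-A INPUT / && / --dport 22( |$)/ && / -j ACCEPT/ {
            if ($0 ~ / -s /) ssh_ok = 1    # ssh limited to a source address
            else print "INPUT accepts ssh from anyone: " $0
        }
        END {
            if (!seen["INPUT"])   print "no INPUT policy line found"
            if (!seen["FORWARD"]) print "no FORWARD policy line found"
            if (!ssh_ok) print "no source-restricted ssh ACCEPT rule in INPUT"
        }' "${1:--}")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}
# Constructed sample: a ruleset before the Part 3 clean-up.
sample_before() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# Constructed sample: the ruleset after the steps (192.168.245.12 = other VM).
sample_after() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.245.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
for s in sample_before sample_after; do echo "== $s"; $s | audit_rules || true; done
```

To check the file saved in Part 3, run <code>sudo cat /etc/sysconfig/iptables | audit_rules</code> from a shell where the function is defined.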
= Practice For Quizzes, Tests, Midterm &amp; Final Exam =