Changes


OPS245 Lab 7

370 bytes added, 12:02, 7 August 2022
Part 3: Making iptables Policies Persistent
:'''Perform the following steps:'''
Some tasks in this part of the investigation '''require you to be connected to Seneca's VPN'''.
*If you are running your installation through VMWare, then you can use [https://insidestudents.senecacollege.ca/itsspaces/186/it-services/wiki/view/1025/student-vpn/studentvpn.html the instructions provided by ITS] to connect to it from your Windows machine (your c7host and its nested VMs will use the VPN through the Windows machine without further configuration).
*If you installed your c7host '''directly onto a machine without using VMWare''' as an intermediary (or the steps above do not work for you), use the following instructions:
::*Install the package openconnect
::*Run the following command as root (or with sudo): openconnect --protocol=gp studentvpn.senecacollege.ca -b
<pre style="font-family:monospace;background-color:white;border-style:none;padding-left:50px;">
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ops245yoursenecaid/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter passphrase again:
Your public key has been saved in /home/ops245yoursenecaid/.ssh/id_rsa.pub.
The key fingerprint is:
ef:de:31:67:f7:15:a4:43:39:15:5d:78:1b:e8:97:74 ops245yoursenecaid@centos2
The key's randomart image is:
+--[ RSA 2048]----+
# Delete the rule in the INPUT chain that allows ICMP traffic from <b>anyone</b>, and replace it with one that only allows ssh traffic sent by your other machine.
# Delete the rule in your '''INPUT''' and '''FORWARD''' chains that '''REJECT'''s any traffic you haven't '''ACCEPT'''ed. You are better protected by the default '''DROP''' policy you set.
#To make the iptables rules '''persistent''' (i.e. to keep them when the system restarts), issue the command: <b><code><span style="color:#3366CC;font-size:1.2em;">sudo sh -c 'iptables-save > /etc/sysconfig/iptables'</span></code></b> (NOTE: the redirection is set up by your own unprivileged shell before the command runs, so it does not get sudo's elevated privileges; wrapping the whole command in 'sh -c' makes the redirection happen inside the shell that sudo starts.)<!-- [Ahad Mammadov] Added sh -c to skip the next step, and kept it here in case it's needed to be restored#You will notice that even when running the command with sudo, it isn't letting you write to <b><code><span style="color:#3366CC;font-size:1.2em;">/etc/sysconfig/iptables</span></code></b>. Use <b><code><span style="color:#3366CC;font-size:1.2em;">sudo -i</span></code></b>, then try to save them again.When done, log out of root user (exit sudo).-->
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Restart your iptables service and test your configuration.
# Make certain ALL of your VMs are running.
# Switch to your '''c7host''' VM and change to your user's '''bin''' directory.
# Issue the Linux command: <b><code><span style="color:#3366CC;font-size:1.2em;">wget https://raw.githubusercontent.com/OPS245/labs/main/lab7-check.bash</span></code></b>
# Give the '''lab7-check.bash''' file execute permissions (for the file owner).
# Run the shell script. If there are any warnings, make fixes and re-run the shell script until you receive the "congratulations" message.
#Arrange proof of the following on the screen:<br><blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''centos2''' VM:<blockquote><ul><li>have logged into centos3 VM using '''public key authentication''' (with a pass-phrase)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''c7host''' Machine:<blockquote><ul><li>have tunneled Xwindows application from '''centos1''' via ssh</li><li>Run the '''lab7-check.bash''' script in front of your instructor (must have all <b><code><span style="color:#66cc00;border:thin solid black;font-size:1.2em;">&nbsp;OK&nbsp;</span></code></b> messages)</li></ul></blockquote><span style="color:green;font-size:1.5em;">&#x2713;</span> '''Lab7''' log-book filled out.
#Upload a screenshot of proof from the previous step, along with your logbook, and the file generated by '''lab7-check.bash'''.
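
The end state that Part 3 asks for (default '''DROP''' policies on INPUT and FORWARD, no leftover REJECT rule, ssh accepted only from one source) can be checked directly in the file written by iptables-save. The following is an added example, not part of the lab and not the lab's lab7-check.bash; the function names and the 192.168.245.12 address are placeholders chosen for illustration.

```shell
#!/bin/bash
# audit_rules FILE: check an iptables-save file against this lab's end state.
# Returns 0 when clean, 1 on findings, 2 if the file cannot be read.
audit_rules() {
    local file=${1:-/etc/sysconfig/iptables}
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    awk '
        /^\*/ { table = substr($1, 2) }          # "*filter", "*nat", ...
        table != "filter" { next }               # only the filter table matters here
        /^:(INPUT|FORWARD) / {                   # policy lines, e.g. ":INPUT DROP [0:0]"
            seen[substr($1, 2)] = 1
            if ($2 != "DROP") { print "FAIL: " substr($1, 2) " policy is " $2; bad = 1 }
        }
        /^-A (INPUT|FORWARD) .*-j REJECT/ { print "FAIL: leftover REJECT: " $0; bad = 1 }
        /^-A INPUT .*--dport 22 .*-j ACCEPT/ && !/ -s / {
            print "FAIL: ssh accepted from any source: " $0; bad = 1
        }
        END {
            if (!seen["INPUT"] || !seen["FORWARD"]) { print "FAIL: policy lines missing"; bad = 1 }
            if (!bad) print "OK: " FILENAME
            exit bad + 0
        }' "$file"
}

# Constructed sample: the state this part of the lab asks for.
# 192.168.245.12 is a placeholder for "your other machine".
good_rules() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.245.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: ACCEPT policy, open ssh rule, catch-all REJECT left in.
bad_rules() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

Called with no argument, <code>audit_rules</code> reads /etc/sysconfig/iptables, which normally requires root.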
= Practice For Quizzes, Tests, Midterm & Final Exam =