Changes


OPS335 Lab 2

43 bytes added, 13:23, 12 September 2018
no edit summary
#* Find the MAC address of the '''Network Interface''' and the '''IP address''' assigned to it. Record this information in your lab log book.
# Change to your '''host machine''', open a terminal window, and perform the following connectivity tests for each vm:<br><br>
<source lang="bash">
ping -c 1 [ip-of-vm]
ssh [ip-of-vm]
</source>
'''Perform the following steps for your <u>host</u> machine:'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Use the ifconfig or ip address command to determine the IP ADDRESS of your external facing address (i.e. IP address beginning with '''192.168.40.x''' if you are using an SSD).
# Open a terminal on the Windows machine and '''ping''' your external facing IP address. Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the MAC address of your partner's Windows machine.
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the IP address of your partner's Windows machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />You should not be able to connect from your Windows machine, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as '''/var/log/messages''' or, when using customized chains, the output of the command '''journalctl --dmesg | grep MYSSH''') should also show your failed attempts to '''ssh''' to your machine, with your '''customized''' message.
# When you are confident the rules are working, save them by running <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
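The MYICMP steps above, written out as commands. This is an added example, not part of the lab page; the variable names, the sample addresses and the exact form of the REJECT rules (taken to be the stock CentOS 7 ones) are assumptions. It prints the commands by default and includes a check that no deny rule ends up shadowed by the accept rule.

```shell
#!/bin/sh
# Added example, not part of the lab page. Dry run by default: commands are
# printed, not executed. To apply as root:  IPT=iptables sh myicmp.sh
IPT="${IPT:-echo iptables}"

# Constructed sample values; substitute the ones recorded in your log book.
INTERNAL_NET="${INTERNAL_NET:-192.168.40.0/24}"
WIN_IP="${WIN_IP:-192.168.40.50}"
WIN_MAC="${WIN_MAC:-52:54:00:aa:bb:cc}"

myicmp_rules() {
    # Default-deny on the filter table's INPUT and FORWARD chains.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Assumption: the catch-all REJECT rules are the stock CentOS 7 ones.
    $IPT -D INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    # New chain, and a jump to it at the top of INPUT for all ICMP.
    $IPT -N MYICMP
    $IPT -I INPUT 1 -p icmp -j MYICMP
    # Allow ICMP from the internal network (appended, so it is evaluated last).
    $IPT -A MYICMP -p icmp -s "$INTERNAL_NET" -j ACCEPT
    # Deny pings from the Windows machine by MAC, then by IP. Each -I ... 1
    # lands above the ACCEPT; first match wins, so these take effect.
    $IPT -I MYICMP 1 -p icmp --icmp-type echo-request -m mac --mac-source "$WIN_MAC" -j DROP
    $IPT -I MYICMP 1 -p icmp --icmp-type echo-request -s "$WIN_IP" -j DROP
}

# Reads `iptables -S MYICMP` output on stdin. Succeeds only if no DROP rule
# sits below an ACCEPT rule, where it could be shadowed and never match.
drops_before_accept() {
    awk '/-j ACCEPT/ { seen = 1 } /-j DROP/ && seen { bad = 1 } END { exit bad + 0 }'
}

myicmp_rules
```

After applying the rules, '''iptables -S MYICMP | drops_before_accept''' confirms the ordering before you save with iptables-save.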
 
== COMPLETING THE LAB ==
===Online Submission (Peter Callaghan's Classes only)===
Follow the instructions for lab 2a on blackboard.
===In Class Submission (Murray Saul's Classes only)===
[[Image:lab1_signoff.png|thumb|right|200px|Students should be prepared with '''all required commands (system information) displayed in a terminal (or multiple terminals) prior to calling the instructor for signoff'''.]]
'''Arrange evidence (command output) for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Proof that the iptables rules work for your host.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Issue command: '''journalctl --dmesg | grep -i MYSSH''' to confirm that outside ssh connections were logged.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download the labcheck2a.bash checking bash shell script by issuing the command:<br><br>'''wget http://matrix.senecac.on.ca/~peter.callaghan/files/OPS335/labcheck2a.bash'''<br><br>Set execute permission and run the shell script on your '''host''' machine.
::*For '''Peter's classes''', follow his Online Submission instructions in Moodle.
::*For '''Murray's classes''', run the command (piping to the '''more''' command) and show the output to your instructor.