Changes

===Purpose=OBJECTIVE & PREPARATION ==In Lab 2a, we set the firewall rules for your '''host''' machine. In this lab, we will '''create firewall rules for our virtual machines''' within our virtual private network. This lab will also apply '''"best practices"''' and '''"troubleshooting techniques"''' using iptables.

This lab will provide more hands-=== Online Resources=== * [http://zenit.senecac.on experience with .ca/wiki/index.php/OPS335_Lab_1#Linux_Network_Connection_Configuration_Troubleshooting Test Network Connectivity] (From Lab1)* [http://www.microhowto.info/troubleshooting /troubleshooting_iptables.html Troubleshooting iptables issues]* [https://community.rackspace.com/products/f/25/t/248 Basic IPTABLES Troubleshooting]

Some articles that you can use as We will now '''set iptables rules for your vm1 machine'''. '''Perform the following Steps:''' # Start your '''host''' machine, and launch your '''vm1''' machine.# Login to your '''root account''' on your '''vm1''' machine.# Issue a reference if command (like you are still experiencing problems with did in lab2a) to copy your default iptablesrules to the file pathname:* [http:<br>'''/etc/www.microhowto.infosysconfig/troubleshooting/troubleshooting_iptablesiptables.html Troubleshooting original'''# Issue an ''iptables]command'' to set the policy to disable '''all forwarding traffic''', and remove the rule that is rejecting it.* [https://community# Next, set the default policy to drop '''all inbound traffic''', and remove the rule that is rejecting traffic.rackspace# Issue an iptables command to list rules for verification.com<br /products><br /f>The remaining tasks will relate to that same '''inbound''' traffic chain:<br /25><br /t/248 Basic IPTABLES Troubleshooting]># Issue an ''iptables command'' to delete the default ssh rule.# Issue an ''iptables command'' to add a rule that allows ssh traffic (i.e. tcp packets with destination port 22) that originates from any machine within your virtual network.# Issue an ''iptables command'' to delete the default icmp rule.# Issue an ''iptables command'' to allow icmp traffic from addresses in your virtual network.# Test that your machines can still use ping and ssh to communicate with each other.* [http://serverfault# Save your rules in the location that iptables will automatically read from when it starts.com/questions/289040/troubleshooting-firewall-# Reboot your machine and-routing-check that the new rules are being applied. If they are not, resolve this issue before moving on-linux Troubleshooting Firewall .# Now copy the file to your other VMs and make it apply to them when they boot as well.# Reboot each machine and Routing make sure this works before you move on. '''Record your observations in this section on Linux]your OPS335 lab log-book'''

By now you've probably figured out that a simple mistake in your iptables rules can have very serious and unexpected consequences for not just your services but any network connectivity. There's a process you can follow 'Refer to figure out whatthe following IPTABLES Troubleshooting Checklist:'''s wrong.

# First figure out if you network is set up correctly. <table border="1" cellspacing="0" cellpadding="5" ><tr><th>Step</th><td>'''Procedure'''</td><td>'''Explanation'''</td></tr><tr> <th>1</th><td>'''Test Network Connectivity'''</td><td>You can use the [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_1#Linux_Network_Connection_Configuration_Troubleshooting steps in lab 1] as a guide, but keep in mind the firewall may be blocking pings and DNS requests.</td></tr># See if <tr> <th>2</th><td>'''Verify Service is Running &amp; listening on the service youcorrect interfaces'''re trying to connect to is actually running. </td><td>You should learn to read the output of '''netstat ss -atnp''' and '''netstat ss -aunp''' to complement the '''systemctl status''' command.</td></tr># If you have no idea what<tr> <th>3</th><td>''s going on and need to confirm that you're still sane - clear all the iptables rules and check List your configuration then. Keep in mind that the '''iptables Rules &amp; Perform a "Walk-FThru"'''</td><td>For many decades, when troubleshooting programs that don' command will delete all your rules but t run properly, programmers will not set the deafult policies resort to ACCEPT. This will tell you for sure whether your problem was (or was not) caused reading their "source-code" line-by iptables.#* If you do this - have a ready way line and pretend they are the computer to restore perform the rules you just deletedoperation. Restarting The programmer "walks-through" the iptables service is usually code to force them to think like a good start computer in order to spot and a script to add your custom rules is a reasonable next stepfix subtle problems.# Follow <br><br>Therefore, you can follow a packet's path as you understand it should follow. Keep in mind [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Lab_2#How_Firewalls_.28iptables.29_Relate_to_the_Labs_in_this_Course the diagram from the lecture last week]. What chain applies first on which machine? What's the first rule that matches the packet? What happens if no rules match the packet?#* <br><br>Don't forget that even if you're tracing the path of outgoing traffic - the INPUT chain on your mahchine machine still applies (for the response that comes back to your request).</td></tr># At <tr> <th>4</th><td>'''Use the log target to list unexpected traffic'''</td><td>Add a final rule to your input chain to log all traffic. Any traffic you are allowing will have already been accepted and will not reach this point rule, so you should be able will start a log of all the packets you are not allowing. Observing the logs while you attempt to use the service that is not being allowed will show you the type of traffic you need to understand any allow.</td></tr><tr> <th>5</th><td>'''Verify Network Connectivity by Deleting iptables rules Rules'''</td><td>As a last resort, if you have no idea what's going on and need to confirm that you'll see re still sane - clear all the iptables rules and check your configuration then. Keep in this course, including mind that the '''iptables -F''' command will delete all your rules but will not set the default ones in CentOSpolicies to ACCEPT. If This will tell you see a rule you donfor sure whether your problem was (or was not) caused by iptables.<br><br>Stopping the iptable service with '''systemctl stop iptables'''t understand - you can delete will also clear all iptables rules. Additionally, it and see what happenswill reset all policy to ACCEPT. But if <br><br>If you do that this - spend some time figuring out what that rule did and why have a ready way to restore the rules you needed to delete itjust deleted. It was likely there for Restarting the iptables service is usually a good reasonstart and a '''shell script''' to add your custom rules is a reasonable next step.Don't forget to restart libvirtd service as well if this is being done on a kvm host</td></tr></table>

At this point, you should be able to understand any iptables rules you experience in this course, including the <u>default</u> ones in CentOS. If you see a iptables rule that you don'''Record stepst understand, commandsyou can <u>delete</u> it and see what happens. But if you simply delete this rule, take the time to figure out what that rule did and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''why you needed to delete it. It was likely there for a purpose (other than to drive you crazy).

==INVESTIGATION 23: HANDS-ON IPTABLES TROUBLESHOOTING==

Download and run '''Perform the following scriptsteps on your HOST: http://scs.senecacollege.ca/~andrew.smith/ops335/labcheck_network_backup.sh'''

It #Download and run the following script: http://scs.senecacollege.ca/~andrew.smith/ops335/lab_practice_iptables.sh<br><br>This will print out display a menu of exercises. You can pick choose any of them the items in any order, but you should attempt all of them. The script will first reset the firewall settings to CentOS defaults and then make some modifications from those defaults.<br><br>#Troubleshoot and fix the problem as you would on a real server. The point of the exercises is for you to find the problem using regular troubleshooting tools, not to reverse-engineer the shell script.<br><br>#Finish the exercises, and record any information you feel you'll need to remember to solve problems like this in the future (e.g. in an assignment and/or in a practical test).

Finish {{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the exercisesdump command, and record any information you feel should use the Bash shell script that you'll need were adviced to remember create in order to solve problems like this in the future (e.g. in a practical test)backup all of your VMs.}}

'''Record steps, commands, and your observations in INVESTIGATION 2 in this section on your OPS335 lab log-book'''

[[Image:lab1_signoffIn completing this lab you have gained further practice using iptables.png|thumb|right|300px|Students Each of your machines should now be prepared with '''all required commands (system information) displayed in protected by a terminal custom firewall that we will continue to build on throughout the course. You have also gained experience troubleshooting iptables and determining what rules might need to be changed to allow desired traffic (or multiple terminalsblock undesired traffic) prior to calling the instructor for signoff. '''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below.]]'''Arrange evidence  ===Online Submission (command outputAhad Mammadov's Classes only) ===Follow the instructions for each lab 2b on blackboard. ===Andrew's sections=== You may choose to:* Submit screenshots of these items your work on your screenBlackboard, then ask your instructor in which case you don't need to come to the lab.* Or come to review them and sign off on the lab, show me your work, and talk to me about it. I want to hear what you's completion:''ve learned and answer any questions you have. You'll get the same grade regardless of how you choose to submit your work.

Expected results of this lab are::<span style="color:green;font-size:1.5em;">&#x2713;</span>x.

#xList 3 separate techniques that you used to help troubleshoot to detect and fix iptables from running the shell script in the previous section.#Without looking at the table above, list tips for troubleshooting iptables.#After completing this lab, how does the above-mentioned shell script work to cause problems with iptables?