SRT210 Lab 2

5,329 bytes added, 03:50, 2 July 2019
* Set up a nested virtual machine
* Get familiar with basic networking setup and utilities used on Linux
* Understand how the IPtables firewall works and use it to make simple rules
= PART 1: NESTED VIRTUAL MACHINE =
Since we're forced to use a Windows machine as the main VM host, we're going to have to set up nested virtualisation. Luckily that's not too difficult.
* Change the settings for your c7host to have at least 4GB of RAM (8 would be better), and enable "Virtual Intel VT-X/EPT or AMD-V/RVI" under VM/Settings/Processors.
* Install the following packages: qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils
* Make sure (using <code>systemctl enable libvirtd</code>, then <code>systemctl status libvirtd</code> to check) that the libvirtd service starts at boot.
* Those will include both the KVM hypervisor and Virt Manager, which is a graphical tool used to administer it.
* Create a new virtual machine with the following settings:
** Will be installed from the network: https://mirror.senecacollege.ca/centos/7/os/x86_64/ or http://mirror.netflash.net/centos/7/os/x86_64/
** 2GB of RAM (needed for installation, you should change it to 512MB after the install is done)
** 10GB of disk
** NAT for networking
* Now if you try to start lin1 - it will tell you that the network "default" is unavailable. Go into the lin1 VM settings and configure the NIC to use "network1" instead.
* After starting the VM you'll find that your network interface is not configured (try all the commands above again to see their output).
* Configure your wired interface by editing the file as described in the steps below.
* Change to the '''/etc/sysconfig/network-scripts''' directory.
* List the contents of this directory. You should see 2 different types of files, network config scripts and network configuration files.
* Use yum to uninstall firewalld and install iptables-services
* Use systemctl to start the iptables service and configure it to be started on boot.
* Run <code>iptables -L</code>. We will be learning how to read that mess in the next section.
IPtables is a complex system, and there's a lot of material this week to cover it. Keep in mind as you're going through the lab that you're trying to learn three things:
::::<pre>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED</pre>
:* '''Rules are applied to:''' '''chains''' (e.g. ''INPUT/OUTPUT'') and contain information regarding the type of traffic they apply to. For example, '''protocols''' such as ''tcp/udp/icmp'', '''port numbers''' such as ''22 (SSH), 80 (HTTP), 443 (HTTPS)'', '''addresses''', and many other things.
::Let's look at how these rules would apply to a simple web connection (HTTP - port 80):
::# For the ''request'' (originating from the browser on the local machine), the '''source port (sport) for the example in the above diagram is 40112 (browser on local machine)''' and the '''destination port (dport) is 80 (webserver on remote machine)'''
::# For the ''response'' (originating from the server on the remote machine), the '''source port (sport) is 80 (webserver on remote machine)''' and the '''destination port (dport) is 40112 (browser on local machine)'''
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about <u>'''controlling'''</u> the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.
:* Most other services work in a similar way as discussed above.

== Adding a rule ==

<source>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</source>

Can be read like this: ''Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any source address, any destination address, and a destination port of 80. Any packet that matches will be dropped.''

'''Let's break down the <u>command displayed above</u> to see how it works:'''

{|cellpadding="15" width="60%"
|- valign="top"
| | <span style="font-family:courier; font-weight:bold">-I</span>
| | tells iptables to INSERT this line into the OUTPUT chain. This means it will be the first line in the chain. If we used a <span style="font-family:courier; font-weight:bold">-A</span> switch it would have appended the line and it would be the last line of the chain. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order, because the first matching rule with a terminating target decides what happens to the packet. If you follow the chain name with a number, the new rule will be inserted at that position in the chain (for example, <code>-I OUTPUT 3</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary: the old rule #3 becomes the new rule #4, and so on).
|- valign="top"
|width="75" | '''-p tcp'''
| | tells iptables to only match TCP packets. Alternately, the protocol could be set to '''udp''', '''icmp''', or '''all'''.
|- valign="top"
| |'''-s0/0'''
| |specifies the source IP address. 0/0 means a source address of "anywhere". This has been used in the lab because your IP address is dynamically assigned and will change. If you want, you can change this value to the IP address that has been specifically assigned to your PC.
|- valign="top"
| |'''-d0/0'''
| |specifies the destination address. It makes sense that this address is set to "anywhere" because if we want to block all requests to the WWW, we will never know the specific IP address of the web server that is being accessed.
|- valign="top"
| |'''--dport 80'''
| |tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on the source port using the <code>--sport</code> switch.
|- valign="top"
| |'''-j'''
| |means when the condition is met, then jump to a particular target. Basic targets are '''ACCEPT''', '''DROP''', '''REJECT''', and '''LOG'''. The available targets depend on which table contains the chain.
|- valign="top"
| |'''DROP'''
| |means drop the packet (make it disappear) and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was seen. Note that the LOG target is the only one of these that does not stop rule-checking in the chain, so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.
|}

To play with this:
* Install the Apache web server on lin1 (the package is called httpd).
* Enable and start that service.
* Install elinks (a command-line web browser) and see if you can connect to http://localhost (it should work by default).
* Using Firefox on c7host, check whether you can view the same webpage in lin1 (by default you won't).
* Next, check the iptables rules in lin1 and try to figure out why Firefox could not connect from c7host: read the output of <code>iptables -L</code> on lin1 carefully, looking for clues whether lin1 is letting inbound HTTP traffic (TCP port 80) through.
* If the output of <code>iptables -L</code> on lin1 shows that HTTP traffic is not let through (which by default it is not), add a rule to the iptables in lin1 to allow inbound traffic to pass through to Apache (TCP port 80).
* Go back to c7host after verifying that lin1 permits HTTP traffic and once again test whether Firefox on c7host displays the webpage (you may need to give Firefox the IP address of lin1 to view the webpage). Now it should.

If you make such a mess that you don't know what you did any longer, there are a couple of things that can help you get back to normal:
* <code>iptables --flush</code> will erase all the rules
* Restarting the iptables service will revert all the rules to the defaults.

= PART 3: YOUR TASKS =

Use what you learned so far and what you can learn online in order to set up the following:
# lin1 will allow access to Apache from any source.
# c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.

= Lab completion =

* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.
* Have notes in your labbook from this lab.
* Show your work to the professor and have them sign your labbook.
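An added example (not part of the lab page or its course material): a small Python model of how an INPUT chain is evaluated, run over a constructed <code>iptables -L -n</code> listing. It walks the rules top-down the way the "Adding a rule" breakdown describes, treats LOG as non-terminating, honours the RELATED,ESTABLISHED rule, and shows why the Part 3 rules (Apache from anywhere, SSH only from 192.168.210.0/24) must be inserted with <code>-I</code> rather than appended behind the final REJECT. The listing, the two rule lines and every IP address below are constructed, not captured from lin1 or c7host.

```python
import ipaddress
import re

# Constructed `iptables -L -n` listing for an INPUT chain (not captured from lin1 or c7host): the
# RELATED,ESTABLISHED rule, a LOG rule for port 22, and the catch-all REJECT a default CentOS 7 ruleset ends with.
SAMPLE_INPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
# How the two Part 3 rules would appear in the listing once added (constructed lines).
HTTP_ANY_RULE = "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80"
SSH_SUBNET_RULE = "ACCEPT     tcp  --  192.168.210.0/24     0.0.0.0/0            state NEW tcp dpt:22"

def parse_chain(text):
    """Return (chain policy, list of rule dicts) from the listing; skips the two header lines."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:
        target, prot, _opt, src, _dst, *rest = line.split()
        states = re.search(r"state (\S+)", " ".join(rest))
        dpt = re.search(r"dpt:(\d+)", " ".join(rest))
        rules.append({"target": target, "prot": prot, "src": ipaddress.ip_network(src),
                      "states": set(states.group(1).split(",")) if states else None,
                      "dport": int(dpt.group(1)) if dpt else None})
    return policy, rules

def add_rule(text, rule_line, insert=True):
    """Mimic what `-I CHAIN` (insert at position 1) or `-A CHAIN` (append at the end) does to the listing."""
    lines = text.strip().splitlines()
    lines.insert(2 if insert else len(lines), rule_line)
    return "\n".join(lines) + "\n"

def verdict(text, prot, dport, src_ip, state="NEW"):
    """Walk the chain top-down like the kernel: the first matching terminating rule decides, LOG only
    records and keeps going, and the chain policy applies if nothing matched. Returns (target, logged)."""
    policy, rules = parse_chain(text)
    logged = False
    for r in rules:
        if r["prot"] not in ("all", prot) or ipaddress.ip_address(src_ip) not in r["src"]:
            continue
        if (r["dport"] is not None and r["dport"] != dport) or (r["states"] and state not in r["states"]):
            continue
        if r["target"] == "LOG":
            logged = True          # LOG is non-terminating: note it and carry on down the chain
            continue
        return r["target"], logged
    return policy, logged
```

Calling <code>verdict(add_rule(SAMPLE_INPUT, HTTP_ANY_RULE, insert=False), "tcp", 80, "192.168.210.1")</code> returns REJECT even though the ACCEPT rule is present, which is exactly the mistake made when the Part 3 rule is added with <code>-A</code> instead of <code>-I</code>.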
