= Objectives =
* a
= PART 1: PREREQUISITES =
* In order to do this lab and the ones to follow you need to make sure that you've completed assignment 1 successfully, which in turn requires that you've completed labs 1 through 4.
* Your c7host should have at least 8GB of RAM allocated to it. Your four nested VMs should be reconfigured to use no more than 1GB of memory (1024MB). That way when we create more nested VMs we won't run out of memory.
* If you've completed the labs correctly, this is what the iptables configuration should look like on your c7host (except the "35" which will be different for all of you):<source>
[root@c7host ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
50 3260 ACCEPT udp -- virbr1 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr1 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr1 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT tcp -- virbr1 any anywhere anywhere tcp dpt:bootps
0 0 ACCEPT udp -- virbr2 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr2 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr2 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT tcp -- virbr2 any anywhere anywhere tcp dpt:bootps
294 31177 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
7 469 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
576 87997 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
869 71173 ACCEPT all -- any virbr1 anywhere 192.168.210.0/24 ctstate RELATED,ESTABLISHED
885 66577 ACCEPT all -- virbr1 any 192.168.210.0/24 anywhere
0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr2 virbr2 anywhere anywhere
0 0 REJECT all -- any virbr2 anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- virbr2 any anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 418 packets, 34375 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any virbr1 anywhere anywhere udp dpt:bootpc
0 0 ACCEPT udp -- any virbr2 anywhere anywhere udp dpt:bootpc
[root@c7host ~]# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 1448 packets, 149K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 24 packets, 1671 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 265 packets, 19649 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 265 packets, 19649 bytes)
pkts bytes target prot opt in out source destination
3 336 RETURN all -- any any 192.168.210.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.210.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.210.0/24 !192.168.210.0/24 masq ports: 1024-65535
883 66409 MASQUERADE udp -- any any 192.168.210.0/24 !192.168.210.0/24 masq ports: 1024-65535
1 84 MASQUERADE all -- any any 192.168.210.0/24 !192.168.210.0/24
</source>
* The asg1 network must be an isolated network, with access to the network1 network and the internet via lin1a1, which is configured as a router.
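Every chain in the listing above has policy ACCEPT, so INPUT and FORWARD only filter traffic because their last rule is a catch-all REJECT. The script below is an added example, not part of the original lab: it checks a saved listing for that property. The function names <code>audit_chain</code> and <code>sample_listing</code> are hypothetical, and it assumes output in the <code>iptables -L -v</code> form shown above (without <code>-n</code>).

```shell
#!/bin/sh
# Added example: audit `iptables -L -v` text for the fall-through deny rule.

# Constructed sample, trimmed from the listing shown on this page.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  294 31177 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    7   469 ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
  576 87997 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  885 66577 ACCEPT all -- virbr1 any 192.168.210.0/24 anywhere
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
EOF
}

# audit_chain CHAIN: read a listing on stdin and print one verdict:
#   ok       - last rule is a catch-all REJECT/DROP, or the policy is not ACCEPT
#   open     - policy is ACCEPT and the last rule is not a catch-all deny
#   shadowed - an unconditional ACCEPT precedes other rules, so they never match
#   missing  - the chain is not in the listing
audit_chain() {
  awk -v chain="$1" '
    # True when the current rule has target t and matches every packet.
    function catchall(t) {
      return $3 == t && $4 == "all" && $6 == "any" && $7 == "any" &&
             $8 == "anywhere" && $9 == "anywhere"
    }
    $1 == "Chain" {
      cur = $2
      if (cur == chain) { found = 1; policy = $4 }
      next
    }
    cur != chain || $1 == "pkts" || NF < 9 { next }
    {
      if (prev_accept_all) shadowed = 1
      # NF == 9 means no extra match (state, dpt, ...) narrows the ACCEPT.
      prev_accept_all = (catchall("ACCEPT") && NF == 9)
      last_deny = (catchall("REJECT") || catchall("DROP"))
    }
    END {
      if (!found) print "missing"
      else if (shadowed) print "shadowed"
      else if (policy == "ACCEPT" && !last_deny) print "open"
      else print "ok"
    }'
}
```

On c7host, pipe the live ruleset into it, for example <code>iptables -L -v | audit_chain FORWARD</code>; anything other than <code>ok</code> means the chain no longer ends in the catch-all REJECT shown above.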
= PART 2: DHCP =
So far we've used either DHCP provided by the virtualisation systems (VMware/KVM) or static IP addresses. In this lab we'll set up a DHCP server on the asg1 network.
= Lab completion =
* Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.
* Have notes in your labbook from this lab.
* Show your work to the professor and have them sign your labbook.