Changes

Jump to: navigation, search

OPS235 Lab 6 - Fedora17

9,297 bytes added, 11:44, 3 March 2010
no edit summary
'''= Configuring a Network Using Virtual Machines =
[[Category:OPS235]][[Category:OPS235 Labs]]
{{Admon/caution | Caution! | This lab is very much under construction. Please do not start it until this warning is removed.}}
* Configure a virtual network for Virtual Machines
* Use the Fedora GUI program to configure network interfaces with static IP configuration and host name resolution
* Use the <code>find</code> command to locate the configuration files modified by the GUI network configuration program  
* To examine some of the Linux's TCP/IP configuration files in the <code>/etc/</code> directory
* To configure a Fedora host with static network configuration without a GUI tool
* To use and interpret the <code>netstat</code> command to troubleshoot and monitor network services  
* To configure the linux firewall <code>iptables</code> to allow/disallow/forward different types of network traffic using simple rules
#*192.168.235.0/24
# Disable DHCP by deselecting the check box.
# Enable Network Forwarding by Selecting "Forwarding to physical network"  
# The destination should be "Any physical device" and the mode should be "NAT"
# Now we need to add our new virtual network "network1" to the 3 VM's
# On your fedora host run <code>ifconfig</code> and make note of the IP address assigned to the <code>virbr1</code> interface. This will be your default gateway for your Vm's.
# To configure a new interface on fedora2 go to System->Administration->Network and click on the "New" button
# Select Ethernet Device and choose the network card named <code>eth1</code>  
# Statically set the IP configuration:
#* IP Address 192.168.235.12
#* Previously, you created a file called <code>/tmp/timestamp</code>. Any files that were modified by the GUI network configuration program should have a timestamp later (or newer) than the "timestamp" file you created. All the Linux TCP/IP configuration files are stored under the "/etc" directory or its sub-directories. The following command when run as root will give you a list of all the files under the <code>/etc</code> directory with a file modification date newer than the date of the "timestamp" file:
#**<code>find /etc -newer /tmp/timestamp</code>
# Capture the output to a file called <code>netcfg.lst</code> under user root's home directory.  
# Create a new directory called <code>/tmp/lab6</code> and copy all the files from the <code>find</code> command to it.
#* There are a number of ways to accomplish this:
# Login and attempt to <code>ssh</code> to your matrix account to verify the settings.
# Answer the Investigation question in your logbook.
=== Investigation 5: IPTABLES -- Basic Function/Configuration ===
 
'''Iptables''' is the built-in firewall for LINUX. While this program can be controlled by different GUI's, we are going to investigate the powerful command line interface for this program to choose what data is allowed into, out of and through our computer.
 
Essentially, Iptables is a list of rules. Each rule is placed into a particular chain and when data is sent into, out of or through a PC the data is checked against these rules. If the data matches a particular rule, it then must “jump” to a condition. Simple conditions include ACCEPT, DROP and LOG but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
 
Iptables consists of three chains of rules – INPUT, OUTPUT and FORWARD. Here as brief explanation of these chains.
 
'''OUTPUT''' – When you want to do some research on the Web for something, you open a browser on your PC and navigate to http://www.google.ca. When you do you are attempting to establish an HTTP or HTTP session with the web server at http://www.google.ca. A data packet is built with apprpriate IP and TCP information and sent out of your computer but before it goes out to the Internet it will be compared to all of the rules in the OUTPUT chain to see if this data is allowed to go “out” of the PC. If it is not allowed then the packet is dropped.
 
'''INPUT''' – If your data was allowed out and a request was sent to http://www.google.ca, this web server will send data back to your PC with an acknowledgement. Before this data can be processed by your browser, it must first be checked against the INPUT chain to see if it is allowed into the PC. If it is, your browser will process the data and move to it's next task. If it is not, the packet will be dropped.
 
'''FORWARD''' – LINUX PC's are often used as routers or gateways for other PC's. This means that data may have to be passed through this LINUX box, but the data is not intended for the LINUX PC nor is it being sent by the LINUX PC. Even though the data will go into this PC and it will exit this PC, the INPUT and OUTPUT chains do not apply here. Because the PC is acting as a router it does not actually send or receive data, it FORWARDS data from one machine to another. When this process happens, the data is checked against the FORWARD chain to see if it is allowed through. If it is the router will forward the data to it's destination. If not, the packet is dropped.
 
Note: We will complete this lab on the host machine. It should be noted that all of the commands that we do here with iptables will not be persistent. That means if you re-boot, the default iptables configuration will be loaded.
 
1. Enter super-user mode on the HOST MACHINE and enter the following commands at the prompt:
 
'''iptables -F (This flushes out or clears all of your rules from the chains)
iptables -L'''
 
You should see something similar to this:
 
'''Chain INPUT (policy ACCEPT)'''
 
'''target prot opt source destination'''
 
'''Chain FORWARD (policy ACCEPT)'''
 
'''target prot opt source destination'''
 
'''Chain OUTPUT (policy ACCEPT)'''
 
'''target prot opt source destination'''
 
 
Each chain has a default policy. In my example here the default policy is ACCEPT. This means that if data packets are checked and there is no rule that matches that packet in the chain the data will be allowed to pass to it's destination. Conversely, if the policy is set to DROP then the packet will be dropped if there is no match.
 
See the MAN page for iptables for detailed information on switches and options.
 
2. Set the default policy for the INPUT chain to DROP:
 
'''iptables -P INPUT DROP'''
 
The -P switch stands for POLICY. This tells ip tables that we are changing the policy for the INPUT chain. The policy is to be changed to DROP. Note that iptables commands (as well as all other Linux commands) are case sensitive. Check your syntax carefully.
 
3. Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP
 
Write the commands you executed in your lab book.
 
4. Can we mix these policies? Try to set the FORWARD chain policy to ACCEPT. Did it work?
 
Testing policies
 
5. Execute the command iptables -L and check that the policies on your INPUT and OUTPUT chain are set to DROP
 
Open a browser and attempt to access the Internet. Were you successful?
 
6. Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
 
Open your browser and attempt to access the Internet again. Were you successful?
 
7. Change the policies on all of the chains to DROP
 
8. In the OUTPUT chain, add the following rule
 
'''iptables -A OUTPUT -j LOG'''
 
The above rule tells iptables to log packets and relevant information to /var/messages. This entry in the OUPTPUT policiy will therefore log all packets being sent out of the machine.
 
Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged. Let's have a look at the log file and analyze the data.
 
9. Execute the following command:
 
'''tail /var/log/messages'''
 
This command by default shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:
 
'''Mar 3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0
'''
 
Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value. When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?
 
10. Using the commands we already know, change the default policies on all of your chains to ACCEPT. Open a browser and confirm that you can access the world wide web.
 
11. Enter the following from the command prompt:
 
'''iptables -I OUTPUT -p tcp -s0/0 -d 0/0 –dport 80 -j DROP'''
 
This command can be read like this: Insert a line into the iptables OUTPUT chain that will look at tcp information and DROP any packet with a source address from anywhere, to a destination address to anywhere if the destination port = 80 (WWW.) Let's break down the command to see how it works.
 
The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a -A switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables where multiple matches can occur, it is important that the lines go in the right order. Most people simply write scripts to ensure this.
 
The '''-p''' tcp switch tells iptables to filter data by looking at TCP information in the packets. For now, we simply want to filter data by source and destination TCP ports so we need this switch.
 
The '''-s0/0''' switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC.
 
The '''-d0/0''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.
 
The switch '''–dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80
 
'''-j''' means jump to a particular condition – Basic conditions are ACCEPT, DROP and LOG. There are others and you also have the ability to create your own.
 
'''DROP''' means drop the packet – do not let it leave the computer.
 
Try to access the Web. If you have done everything right, you should not have been successful.
 
12. After you have completed the test execute the following command:
 
'''iptables -F'''
 
Additional Exercises
 
This will flush out all of the rules for iptables. Using the information you have, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.
 
After you have completed this task, flush the iptables again.
 
Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice. Once you have confirmed that ssh is running on the host machine, modify the iptables setup on the host machine to prevent access to the ssh server from the virtual machine.
 
Open a text editor and write a script that will accomplish the above task for you when you run it. Show the script to your professor and execute it.

Navigation menu