server0

******************************
To Do
  "perfect" FTP firewall
    - NAT the passive mode IP address for the client to connect to
    - right way to preload ip_conntrack_ftp
  boot errors around mounting local file systems and HGFS
******************************

Add a second NIC to the RedHat 9.0 Linux virtual machine.
Configure the server as a router between 172.30.1.0/24 and 192.168.1.0/24.

Exercise:
The goal of this exercise is to configure a NetFilter firewall on your Linux router that will translate inbound and outbound network addresses.

Configure the Filter table as follows:
  INPUT chain: allow all loopback traffic and icmp traffic. From external hosts, allow only ssh traffic; from internal hosts, allow any connections.
  OUTPUT chain: allow all.
  FORWARD chain: allow established and related. Allow new connections only if they represent the HTTP or FTP protocols.

Configure the NAT table as follows:
  POSTROUTING chain: translate all 192.168.1.0/24 addresses to the router's 172.30.1 address.
  PREROUTING chain: translate any packet with a 172.30.1.XX+50 destination address to 192.168.1.2XX, where XX is your station number.

Configure the default gateway and DNS nameserver.
Set the default runlevel to 2 and limit it to the following services: iptables, network, syslog, keytable, random, vmware-tools, sshd, and local.
Configure the Filter and NAT tables according to classroom specifications.
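The filter-table requirements above can be checked mechanically instead of by eye. The script below is an added example and not part of these notes: it reads iptables-save(8) output and tests each requirement (default policies, loopback and icmp on INPUT, ssh as the only thing external hosts may open, unrestricted traffic arriving on the inside interface, and FORWARD limited to ESTABLISHED/RELATED plus NEW tcp to ports 80 and 21). SAMPLE_RULESET and BAD_RULESET are constructed samples in iptables-save format; the inside interface name eth1 and the addresses come from this document's own rules.

```sh
#!/bin/sh
# Added example, not part of the original notes: check a saved ruleset against
# the exercise's filter-table requirements. Input is iptables-save(8) output.
# SAMPLE_RULESET and BAD_RULESET are constructed samples in that format; on the
# router itself you would run:  check_filter_spec "$(iptables-save -t filter)"

# Mirrors the rules used in these notes.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.30.1.101 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.30.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 192.168.1.254 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Two classic mistakes: INPUT left open, and a catch-all FORWARD accept.
BAD_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT'

# policy RULESET CHAIN -> default policy of CHAIN
policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# accepts RULESET CHAIN -> the ACCEPT rules of CHAIN, one per line
accepts() {
    printf '%s\n' "$1" | grep -- "^-A $2 .*-j ACCEPT$" || true
}

# check_filter_spec RULESET -> returns 0 if every requirement holds; otherwise
# prints each violation and returns 1
check_filter_spec() {
    rs=$1; fail=0
    [ "$(policy "$rs" INPUT)" = DROP ]    || { echo "INPUT policy must be DROP";    fail=1; }
    [ "$(policy "$rs" OUTPUT)" = ACCEPT ] || { echo "OUTPUT policy must be ACCEPT"; fail=1; }
    [ "$(policy "$rs" FORWARD)" = DROP ]  || { echo "FORWARD policy must be DROP";  fail=1; }

    inp=$(accepts "$rs" INPUT)
    printf '%s\n' "$inp" | grep -q -e '-i lo '   || { echo "INPUT: loopback not accepted"; fail=1; }
    printf '%s\n' "$inp" | grep -q -e '-p icmp ' || { echo "INPUT: icmp not accepted";     fail=1; }
    # Whatever else INPUT accepts must be ssh (external hosts) or arrive on the
    # inside interface (internal hosts may open anything).
    bad=$(printf '%s\n' "$inp" \
          | grep -v -e '-i lo ' -e '-p icmp ' -e ESTABLISHED -e '-i eth1 ' \
          | grep -v -e '--dport 22 ' || true)
    [ -z "$bad" ] || { echo "INPUT: over-broad accept:"; echo "$bad"; fail=1; }

    fwd=$(accepts "$rs" FORWARD)
    printf '%s\n' "$fwd" | grep -q ESTABLISHED || { echo "FORWARD: no ESTABLISHED,RELATED rule"; fail=1; }
    # Every other FORWARD accept must be a NEW tcp connection to http (80) or ftp (21).
    bad=$(printf '%s\n' "$fwd" | grep -v ESTABLISHED \
          | grep -v -e '-p tcp .*--dport 80 .*--state NEW' \
                    -e '-p tcp .*--dport 21 .*--state NEW' || true)
    [ -z "$bad" ] || { echo "FORWARD: over-broad accept:"; echo "$bad"; fail=1; }
    return $fail
}

echo "== sample ruleset =="; check_filter_spec "$SAMPLE_RULESET" && echo "OK"
echo "== bad ruleset ==";    check_filter_spec "$BAD_RULESET"    || echo "FAILED (as expected)"
```

The checks match on the normalized form iptables-save prints (numeric ports, `-m tcp` inserted), not on the command lines typed by hand, so run it against the saved output rather than a rules script.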
--------------------------------------------
F I R E W A L L  and  N A T

# Filter table. INPUT defaults to DROP; loopback and icmp are open, ssh is
# accepted only from the three listed external hosts, and anything new from
# the inside network to the router's inside address is accepted.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.30.1.101 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.30.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d 192.168.1.254 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT

# FORWARD defaults to DROP. New connections are allowed only to http (80) and
# ftp (21); with no -i/-o these rules apply in both directions, so they also
# admit inbound connections to the DNATed host. The ESTABLISHED,RELATED rule
# is what lets FTP data connections through once ip_conntrack_ftp is loaded.
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport http -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport ftp -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Configure the NAT table as follows:
POSTROUTING chain: translate all 192.168.1.0/24 addresses to the router's 172.30.1 address. (ask Jim, why not 50+XX)
PREROUTING chain: translate any packet with a 172.30.1.XX+50 destination address to 192.168.1.2XX, where XX is your station number.

iptables -t nat -A POSTROUTING -s 192.168.1.101 -j SNAT --to-source 172.30.1.51
iptables -t nat -A PREROUTING -d 172.30.1.51 -j DNAT --to-destination 192.168.1.101

Notes on the NAT rules:
- As written the SNAT rule covers only 192.168.1.101. The spec says the whole inside network; that is -s 192.168.1.0/24, and adding -o eth0 keeps the rule from rewriting anything that leaves on eth1.
- The DNAT rule has no protocol or port match, so every packet addressed to 172.30.1.51 (including ssh to that alias) is handed to 192.168.1.101 and then has to pass the FORWARD chain, where only new http and ftp connections and conntrack RELATED ones get through.
- DNATed traffic still has to be routed out eth1, so net.ipv4.ip_forward must be 1 (see sysctl.conf below).

--------------------------------------------
R C . L O C A L

[root@server0-01 root]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Added by Rich for FTP firewall
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
[root@server0-01 root]#

Notes: ip_conntrack_ftp watches the FTP control channel (port 21 unless the ports= module parameter says otherwise) and marks the data connections RELATED; ip_nat_ftp additionally rewrites the addresses carried in PORT commands and PASV replies so they match the translated addresses. modprobe resolves dependencies, so the last line alone would pull in the other three. rc.local is S99local, which runs after S08iptables has already restored the rules; an FTP control connection that conntrack first sees in that window never gets the helper, which is the "right way to preload ip_conntrack_ftp" item in the To Do list above.

--------------------------------------------
H O S T S

[root@server0-01 root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
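Why the To Do item about passive mode matters, as an added example that is not from these notes: the script below walks through a passive-mode FTP exchange across this router's DNAT/SNAT pair using the addresses from this document (172.30.1.51 outside, 192.168.1.101 inside). It shows the payload rewrite ip_nat_ftp performs on the server's 227 reply, the data port the client derives from that reply, and the FORWARD rule that would be needed for every single transfer if ip_conntrack_ftp were not loaded. The control-channel lines are constructed, not captured.

```sh
#!/bin/sh
# Added example, not part of the original notes: what the ip_nat_ftp helper has
# to do to a passive-mode FTP session that crosses this router's DNAT/SNAT pair.
# Addresses are the ones from the notes; the control-channel lines below are a
# constructed sample, not a capture.

INT_HOST=192.168.1.101   # real FTP server behind the router
EXT_ALIAS=172.30.1.51    # eth0:0 alias that outside clients connect to

# pasv_tuple "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> h1,h2,h3,h4,p1,p2
pasv_tuple() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# pasv_port h1,h2,h3,h4,p1,p2 -> the data port, p1*256+p2
pasv_port() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    echo $(( $5 * 256 + $6 ))
}

# data_target "227 ..." -> host:port the client will open its data connection to
data_target() {
    tuple=$(pasv_tuple "$1")
    set -- $(printf '%s' "$tuple" | tr ',' ' ')
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" "$(pasv_port "$tuple")"
}

# nat_pasv_reply "227 ..." -> the same reply with the server's internal address
# replaced by the public alias. This is the payload rewrite ip_nat_ftp performs
# on the DNATed control connection; without it the client is told to connect to
# 192.168.1.101, which is not routable from the 172.30.1.0/24 side.
nat_pasv_reply() {
    int_c=$(printf '%s' "$INT_HOST" | tr '.' ',')
    ext_c=$(printf '%s' "$EXT_ALIAS" | tr '.' ',')
    printf '%s\n' "$1" | sed "s/($int_c,/($ext_c,/"
}

# without_helper "227 ..." -> the FORWARD rule this one transfer would need if
# ip_conntrack_ftp were not loaded. The data connection is a fresh TCP
# connection to a port chosen per transfer, so FORWARD sees it as NEW to that
# port (after DNAT, addressed to the inside host) and the policy drops it; with
# the helper it is RELATED and the existing ESTABLISHED,RELATED rule admits it.
without_helper() {
    port=$(pasv_port "$(pasv_tuple "$1")")
    echo "iptables -A FORWARD -p tcp -d $INT_HOST --dport $port -m state --state NEW -j ACCEPT"
}

# The exchange, as seen by an outside client talking to 172.30.1.51:21
SERVER_REPLY='227 Entering Passive Mode (192,168,1,101,19,137)'
CLIENT_SEES=$(nat_pasv_reply "$SERVER_REPLY")

echo "client > PASV"
echo "server < $SERVER_REPLY      (as sent by the server)"
echo "client < $CLIENT_SEES        (after ip_nat_ftp)"
echo "client > data connection to $(data_target "$CLIENT_SEES"), DNATed to $(data_target "$SERVER_REPLY")"
echo "rule needed per transfer without the helper:"
without_helper "$CLIENT_SEES"
```

With this router's address-wide DNAT rule the data connection to 172.30.1.51:5001 is already translated to 192.168.1.101:5001 without any help; what the helpers add is the rewritten address in the 227 reply (so the client aims at the alias at all) and the RELATED classification that gets the connection past FORWARD. Active mode is the mirror image: the inside host's PORT command names 192.168.1.101 and ip_nat_ftp rewrites it to the alias.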
127.0.0.1       server0-01 server0-01.whitehats.net localhost
[root@server0-01 root]#

--------------------------------------------
N E T W O R K

[root@server0-01 root]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server0-01.whitehats.net
GATEWAY=172.30.1.1
[root@server0-01 root]#

--------------------------------------------
I F C F G - E T H 0   (outside, 172.30.1.0/24)

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.30.1.201
NETMASK=255.255.255.0
[root@server0-01 root]#

--------------------------------------------
I F C F G - E T H 0 : 0   (alias used as the DNAT/SNAT address)

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.30.1.51
NETMASK=255.255.255.0
[root@server0-01 root]#

The alias is what makes the router answer ARP for 172.30.1.51; without an address the router owns (or proxy ARP for it) packets for the DNAT address never arrive at PREROUTING.

--------------------------------------------
I F C F G - E T H 1   (inside, 192.168.1.0/24)

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.254
NETMASK=255.255.255.0
[root@server0-01 root]#

--------------------------------------------
R E S O L V . C O N F

[root@server0-01 root]# cat /etc/resolv.conf
nameserver 172.30.1.20
[root@server0-01 root]#

--------------------------------------------
M O D U L E S . C O N F

[root@server0-01 root]# cat /etc/modules.conf
alias eth0 pcnet32
alias eth1 pcnet32
alias scsi_hostadapter BusLogic
alias usb-controller usb-uhci
# Added by VMware Tools
alias char-major-14 sb
options sb io=0x220 irq=5 dma=1 dma16=5 mpu_io=0x330
[root@server0-01 root]#

--------------------------------------------
S Y S C T L . C O N F

[root@server0-01 root]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
[root@server0-01 root]#

net.ipv4.ip_forward = 1 is the change that turns the host into a router between eth0 and eth1 (the Red Hat default is 0). The file is applied at boot; to apply it to the running kernel without rebooting, use sysctl -p, or sysctl -w net.ipv4.ip_forward=1 for that one key. rp_filter = 1 drops packets whose source address would not be routed back out the interface they arrived on, which is a cheap anti-spoofing check on a two-interface router.

--------------------------------------------
I N I T T A B (changed for runlevel 2)

The only change from the stock file is id:2:initdefault: (was 3).

[root@server0-01 root]# cat /etc/inittab
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg,
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:2:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
[root@server0-01 root]#

--------------------------------------------
S E R V I C E S (default runlevel 2)

[root@server0-01 root]# ls /etc/rc2.d/
K03rhnsd       K50xinetd   K95firstboot  S17keytable      S80sendmail  S99local
K05atd         K72autofs   K95kudzu      S19vmware-tools  S85gpm
K05saslauthd   K74ntpd     S08iptables   S20random        S90crond
K20nfs         K75netfs    S09isdn       S24pcmcia        S90cups
K24irda        K86nfslock  S10network    S26apmd          S90xfs
K44rawdevices  K87portmap  S12syslog     S55sshd          S95anacron
[root@server0-01 root]#
[root@server0-01 root]# chkconfig --list
vmware-tools    0:off   1:off   2:on    3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-udp:    off
        rsync:          off
        chargen:        off
        daytime-udp:    off
        daytime:        off
        echo-udp:       off
        echo:           off
        services:       off
        servers:        off
        time-udp:       off
        time:           off
        cups-lpd:       off
        sgi_fam:        on
[root@server0-01 root]#

--------------------------------------------
S E R V I C E S (limited runlevel 2)

[root@server0-01 root]# chkconfig --level 2 isdn off
[root@server0-01 root]# chkconfig --level 2 pcmcia off
[root@server0-01 root]# chkconfig --level 2 apmd off
[root@server0-01 root]# chkconfig --level 2 sendmail off
[root@server0-01 root]# chkconfig --level 2 gpm off
[root@server0-01 root]# chkconfig --level 2 crond off
[root@server0-01 root]# chkconfig --level 2 cups off
[root@server0-01 root]# chkconfig --level 2 xfs off
[root@server0-01 root]# chkconfig --level 2 anacron off
[root@server0-01 root]# ls /etc/rc2.d/
K03rhnsd       K20nfs         K74apmd       K95kudzu         S20random
K05anacron     K24irda        K74ntpd       K96pcmcia        S55sshd
K05atd         K30sendmail    K75netfs      S08iptables      S99local
K05saslauthd   K44rawdevices  K86nfslock    S10network
K10cups        K50xinetd      K87portmap    S12syslog
K10xfs         K60crond       K91isdn       S17keytable
K15gpm         K72autofs      K95firstboot  S19vmware-tools
[root@server0-01 root]# chkconfig --list
vmware-tools    0:off   1:off   2:on    3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:off   3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
isdn            0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-udp:    off
        rsync:          off
        chargen:        off
        daytime-udp:    off
        daytime:        off
        echo-udp:       off
        echo:           off
        services:       off
        servers:        off
        time-udp:       off
        time:           off
        cups-lpd:       off
        sgi_fam:        on
[root@server0-01 root]#

After the changes the only start links left in /etc/rc2.d are S08iptables, S10network, S12syslog, S17keytable, S19vmware-tools, S20random, S55sshd and S99local, which is exactly the exercise's list. sgi_fam still shows as on under xinetd, but xinetd itself is K50 at this runlevel, so no xinetd-based service is reachable; the change only affects runlevel 2, and runlevels 3 and 5 still start everything they did before.
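A check for the service list, added here and not part of the original notes: it parses chkconfig --list output and reports anything that is on at the chosen runlevel but not in the exercise's allowed set, then prints the chkconfig commands that would turn those services off (the commands the notes ran by hand). CHKCONFIG_LIST is an excerpt of the default-runlevel listing above, pasted in so the script runs offline; ALLOWED is the exercise's list minus local, which is rc.local rather than a chkconfig-managed service.

```sh
#!/bin/sh
# Added example, not part of the original notes: check which SysV services a
# runlevel starts against the list the exercise allows, from chkconfig --list
# output. CHKCONFIG_LIST is an excerpt of the default-runlevel listing above,
# pasted in so this runs offline; on the router use "$(chkconfig --list)".

# Exercise's allowed set minus "local": rc.local is S99local, not a chkconfig
# service, so chkconfig --list never shows it.
ALLOWED="iptables network syslog keytable random vmware-tools sshd"

CHKCONFIG_LIST='vmware-tools    0:off   1:off   2:on    3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        sgi_fam:        on'

# enabled_at LEVEL LISTING -> names of the SysV services that are on at LEVEL.
# Parsing stops at the "xinetd based services:" header: those entries carry no
# per-level flags, and they only run when xinetd itself is on at that level.
enabled_at() {
    printf '%s\n' "$2" | awk -v lvl="$1" '
        /^xinetd based services:/ { exit }
        $0 ~ (lvl ":on")          { print $1 }'
}

# unexpected_at LEVEL "allowed names" LISTING -> enabled services not in the allowed list
unexpected_at() {
    for svc in $(enabled_at "$1" "$3"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# fix_commands LEVEL "allowed names" LISTING -> the chkconfig commands that turn
# the unexpected services off at LEVEL (what the notes did by hand)
fix_commands() {
    for svc in $(unexpected_at "$1" "$2" "$3"); do
        echo "chkconfig --level $1 $svc off"
    done
}

# apply_fix LEVEL LISTING NAME... -> LISTING with each NAME switched off at LEVEL,
# i.e. the chkconfig --list output you should see after running the fix
apply_fix() {
    lvl=$1; listing=$2; shift 2
    for svc in "$@"; do
        listing=$(printf '%s\n' "$listing" | sed "/^$svc[[:space:]]/s/$lvl:on/$lvl:off/")
    done
    printf '%s\n' "$listing"
}

echo "on at runlevel 2 but not allowed:"
unexpected_at 2 "$ALLOWED" "$CHKCONFIG_LIST"
echo "to fix:"
fix_commands 2 "$ALLOWED" "$CHKCONFIG_LIST"
```

Running it against the default listing names pcmcia, apmd, isdn, sendmail, crond and cups for this excerpt; the full listing above adds gpm, xfs and anacron, matching the nine chkconfig --level 2 ... off commands in the notes. Re-running against the post-fix listing should report nothing, which is the state the second chkconfig --list above shows.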