server0

Add a second NIC to the RedHat 9.0 Linux virtual machine
Configure the server as a router between 172.30.1.0/24 and 192.168.1.0/24

Exercise:
The goal of this exercise is to configure a NetFilter firewall on your Linux router that will translate inbound and outbound network addresses.

Configure the Filter table as follows:
  INPUT chain:   allow all loopback traffic and icmp traffic. From external hosts, allow only ssh traffic; from internal hosts allow any connections.
  OUTPUT chain:  allow all.
  FORWARD chain: allow established and related. Allow new connections only if they represent HTTP or FTP protocols.

Configure the NAT table as follows:
  POSTROUTING chain: translate all 192.168.1.0 addresses to the router's 172.30.1 address.
  PREROUTING chain:  translate any packet with a 172.30.1.XX+50 destination address to 192.168.1.2XX where XX is your station number.

Configure the default gateway and DNS nameserver
Set runlevel to 2 and limit to the following services: iptables, network, syslog, keytable, random, vmware-tools, sshd, and local.
Configure the Filter and NAT tables according to classroom specifications.
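The exercise above, worked as one script. This is an added example, not the lab's own script or the class's answer key: it prints an iptables-save style ruleset for a given station number so the file can be inspected (and checked against the intended addresses) before it is loaded with iptables-restore. It assumes eth0 is the external 172.30.1.0/24 side and eth1 the internal 192.168.1.0/24 side, as configured later on this page. The internal target host is taken as an argument rather than derived from XX, because the notes DNAT station 01 to 192.168.1.101 while the exercise text says 192.168.1.2XX. The count_rules_with helper exists because the saved NAT file later on this page contains `-d 172.30.10.51` where the command typed was `172.30.1.51`; a quick count of the expected address catches that kind of slip before the rules go live.

```shell
#!/bin/sh
# Added example (not the lab's own script): emit an iptables-save ruleset for
# one station, following the exercise text.
# Assumptions: eth0 = external 172.30.1.0/24, eth1 = internal 192.168.1.0/24,
# and the station alias 172.30.1.(XX+50) is configured on eth0:0.

# External alias for station XX: 172.30.1.(XX+50).
# expr reads "01".."09" as decimal, which $(( )) in some shells would not.
station_alias() {
    echo "172.30.1.$(expr "$1" + 50)"
}

# Print the complete ruleset (nat + filter tables) on stdout.
#   $1 = station number XX, $2 = internal host that receives DNATed traffic
ruleset() {
    ext=$(station_alias "$1")
    int=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PREROUTING: anything sent to the station alias goes to the internal host
-A PREROUTING -d $ext -j DNAT --to-destination $int
# POSTROUTING: everything leaving eth0 from the internal LAN appears as the alias
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $ext
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: loopback and icmp from anywhere; internal hosts unrestricted;
# external hosts only ssh; replies to the router's own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD: established/related first, then NEW only for http and the ftp
# control port; ftp data connections match RELATED once ip_conntrack_ftp is loaded
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of lines in ruleset text $1 that mention address $2, so the
# generated file can be checked against the intended addresses before loading.
count_rules_with() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# Usage: sh mkrules.sh 01 192.168.1.101 > /etc/sysconfig/iptables
if [ $# -ge 2 ]; then
    ruleset "$1" "$2"
fi
```

The filter part keeps the FORWARD chain stateful (NEW only on 80 and 21), which is why the rc.local at the end of this page loads ip_conntrack_ftp and ip_nat_ftp: without those modules the FTP data connection is never marked RELATED and is dropped by the FORWARD policy.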
----------------------------------------------
F I R E W A L L

# Commands
iptables-save > /etc/sysconfig/iptables
service iptables restart
chkconfig --list iptables

#To flush tables
iptables -P INPUT ACCEPT
iptables -F
iptables -F -t nat

#To show tables
iptables -L
iptables -L -t nat

**** My original version ****
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.30.1.101 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.30.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d 192.168.1.254 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport http -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport ftp -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
*****************************

****** Jim's version ****************************************
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -s 172.30.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
****************************************************************

[root@server0-01 root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  172.30.1.0/24        anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  172.30.1.200         anywhere            tcp dpt:ssh
ACCEPT     all  --  192.168.1.0/24       anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server0-01 root]#

[root@server0-01 root]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.7a on Sun Jun 1 13:30:26 2008
*nat
:PREROUTING ACCEPT [499:112671]
:POSTROUTING ACCEPT [14:975]
:OUTPUT ACCEPT [14:975]
COMMIT
# Completed on Sun Jun 1 13:30:26 2008
# Generated by iptables-save v1.2.7a on Sun Jun 1 13:30:26 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [39:3620]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 172.30.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20:21 -j ACCEPT
-A FORWARD -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Jun 1 13:30:26 2008
[root@server0-01 root]#

--------------------------------------------
H O S T S

[root@server0-01 root]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       server0-01 server0-01.whitehats.net localhost
[root@server0-01 root]#

--------------------------------------------
N E T W O R K

[root@server0-01 root]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server0-01.whitehats.net
GATEWAY=172.30.1.1
[root@server0-01 root]#

--------------------------------------------
I F C F G - E T H 0

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.30.1.201
NETMASK=255.255.255.0
[root@server0-01 root]#

--------------------------------------------
I F C F G - E T H 0 : 0

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=172.30.1.51
NETMASK=255.255.255.0
[root@server0-01 root]#

--------------------------------------------
I F C F G - E T H 1

[root@server0-01 root]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.254
NETMASK=255.255.255.0
[root@server0-01 root]#

--------------------------------------------
R E S O L V . C O N F

[root@server0-01 root]# cat /etc/resolv.conf
nameserver 172.30.1.20
[root@server0-01 root]#

--------------------------------------------
M O D U L E S . C O N F

[root@server0-01 root]# cat /etc/modules.conf
alias eth0 pcnet32
alias eth1 pcnet32
alias scsi_hostadapter BusLogic
alias usb-controller usb-uhci
# Added by VMware Tools
alias char-major-14 sb
options sb io=0x220 irq=5 dma=1 dma16=5 mpu_io=0x330
[root@server0-01 root]#

--------------------------------------------
S Y S C T L . C O N F

echo 1 > /proc/sys/net/ipv4/ip_forward    (to enable ip forwarding)

[root@server0-01 root]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
[root@server0-01 root]#

--------------------------------------------------------------
N A T

iptables -L -t nat
iptables-save > /etc/sysconfig/iptables

Configure the NAT table as follows:
  POSTROUTING chain: translate all 192.168.1.0 addresses to the router's 172.30.1 address. (ask Jim, why not 50+XX)
  PREROUTING chain:  translate any packet with a 172.30.1.XX+50 destination address to 192.168.1.2XX where XX is your station number.

**** My original version ****
iptables -t nat -A POSTROUTING -s 192.168.1.101 -j SNAT --to-source 172.30.1.51
iptables -t nat -A PREROUTING -d 172.30.1.51 -j DNAT --to-destination 192.168.1.101
*****************************

**** Jim's version ****
iptables -t nat -A PREROUTING -d 172.30.1.51 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -d 172.30.1.51 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -s 172.30.1.200 -d 172.30.1.51 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A POSTROUTING -s 192.168.1.101 -o eth0 -j SNAT --to-source 172.30.1.51
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 172.30.1.51
***********************

[root@server0-01 network-scripts]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.7a on Sun Jun 1 14:19:01 2008
*nat
:PREROUTING ACCEPT [511:115454]
:POSTROUTING ACCEPT [16:1116]
:OUTPUT ACCEPT [16:1116]
-A PREROUTING -d 172.30.1.51 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -d 172.30.1.51 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.101
-A PREROUTING -s 172.30.1.200 -d 172.30.10.51 -j DNAT --to-destination 192.168.1.101
-A POSTROUTING -s 192.168.1.101 -o eth0 -j SNAT --to-source 172.30.1.51
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 172.30.1.51
COMMIT
# Completed on Sun Jun 1 14:19:01 2008
# Generated by iptables-save v1.2.7a on Sun Jun 1 14:19:01 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1566:173228]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 172.30.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20:21 -j ACCEPT
-A FORWARD -s 172.30.1.200 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Jun 1 14:19:01 2008
[root@server0-01 network-scripts]#

--------------------------------------------
I N I T T A B   (changed for runlevel 2)

[root@server0-01 root]# cat /etc/inittab
#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg,
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:2:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
[root@server0-01 root]#

--------------------------------------------
S E R V I C E S   (default runlevel 2)

[root@server0-01 root]# ls /etc/rc2.d/
K03rhnsd       K50xinetd     K95firstboot  S17keytable      S80sendmail  S99local
K05atd         K72autofs     K95kudzu      S19vmware-tools  S85gpm
K05saslauthd   K74ntpd       S08iptables   S20random        S90crond
K20nfs         K75netfs      S09isdn       S24pcmcia        S90cups
K24irda        K86nfslock    S10network    S26apmd          S90xfs
K44rawdevices  K87portmap    S12syslog     S55sshd          S95anacron
[root@server0-01 root]#
[root@server0-01 root]# chkconfig --list
vmware-tools    0:off   1:off   2:on    3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-udp:    off
        rsync:          off
        chargen:        off
        daytime-udp:    off
        daytime:        off
        echo-udp:       off
        echo:           off
        services:       off
        servers:        off
        time-udp:       off
        time:           off
        cups-lpd:       off
        sgi_fam:        on
[root@server0-01 root]#

--------------------------------------------
S E R V I C E S   (limited runlevel 2)

chkconfig --level 2 isdn off
chkconfig --level 2 pcmcia off
chkconfig --level 2 apmd off
chkconfig --level 2 sendmail off
chkconfig --level 2 gpm off
chkconfig --level 2 crond off
chkconfig --level 2 cups off
chkconfig --level 2 xfs off
chkconfig --level 2 anacron off

[root@server0-01 root]# ls /etc/rc2.d/
K03rhnsd      K20nfs         K74apmd       K95kudzu         S20random
K05anacron    K24irda        K74ntpd       K96pcmcia        S55sshd
K05atd        K30sendmail    K75netfs      S08iptables      S99local
K05saslauthd  K44rawdevices  K86nfslock    S10network
K10cups       K50xinetd      K87portmap    S12syslog
K10xfs        K60crond       K91isdn       S17keytable
K15gpm        K72autofs      K95firstboot  S19vmware-tools
[root@server0-01 root]# chkconfig --list
vmware-tools    0:off   1:off   2:on    3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:off   3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
isdn            0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-udp:    off
        rsync:          off
        chargen:        off
        daytime-udp:    off
        daytime:        off
        echo-udp:       off
        echo:           off
        services:       off
        servers:        off
        time-udp:       off
        time:           off
        cups-lpd:       off
        sgi_fam:        on
[root@server0-01 root]#

--------------------------------------------
R C . L O C A L

[root@server0-01 root]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Added by Rich for FTP firewall
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
[root@server0-01 root]#