Lab 1.1 Routing and DMZ
Configuring rw01
rw01Configure Interface
rw01 is a linux system based on Ubuntu that will be used to test firewall defenses.
Set Network Adapter 1 to SEC350-WAN
Find this in
VM hardwareMake sure machine is OFF before you do this
Secure champuser default account by changing the password
Go to terminal
passwd
current password: enter default password
new password: enter new password Add a new sudo user hanne
sudo adduser hanne
# only sudo can add a usersudo usermod -aG sudo hanne
# adds the user to the admin groupSet hostname rw01-hanne
sudo hostnamectl set-hostname rw01-hanneuse
hostnameto check the hostname of the machine
Set your Static IP matches IP assignment (10.0.17.43)
Make sure to check the name of your ethernet so you can change it in your netplan yaml file! The default will be eth0, but I had to change mine to ens160.
You can find this by doing
ip a
Open the terminal and make file
sudo nano /etc/netplan/99_config.yamlInput the code below:
network:
version: 2
renderer: networkd
ethernets:
ens160: (make sure you change this)
addresses:
- 10.0.17.43/24 (this should be your IP address)
routes:
- to: default
via: 10.0.17.2 (this is your default gateway)Type
sudo netplan applyto apply the configurationuse
hostname -ito check the IP address associated with your box
Deliverable 1: Using rw01's web browser, go to champlain.edu. Take a screenshot that shows your vsphere console name and your browser window similar to the following screenshot.
Configuring basic routing on fw01
Go to
fw01Virtual hardware and change the network adapters as seen belowI had to add the third one by going to ADD NEW DEVICE in the top right
Set hostname with Configure, Commit, Save and Exit
Changes are made to the running configuration by entering configure mode. These changes are applied to the running configuration via commit. The changes persist after reload only if you save them. You leave configuration mode via the exit command.
Login
type the following commands in the command prompt
configure
set system host-name fw01-hanne (this should be whatever hostname you choose)
commit
save
exitExit until you get back to the login page, and you should see the machine is now updated to your new hostname!
fw01-hanne Interface Assignment
First, check if any interfaces are configured with a dhcp. If it is, then you will need to run the delete command as seen below to delete the DHCP configuration. If there is no dhcp configuration, then you do not & can skip it.
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp
commit
savetype
show interfaces
Set the interfaces and make sure to give them a description
configure
set interfaces ethernet eth0 description SEC-350-WAN
set interfaces ethernet eth1 description SEC-350-DMZ
set interfaces ethernet eth2 description SEC-350-LAN
commit
save
exitSet the corresponding IP addresses for each interface
Make sure to include CIDR notation
configure
set interfaces ethernet eth0 address 10.0.17.143/24 (this will be unique)
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
exit
Gateway and DNS
The SEC350-WAN interface on fw01 needs to be informed on how to get out to the internet. We will set both the default gateway and DNS server to the SEC350-Gateway Firewall at 10.0.17.2.
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
exitDeliverable 2: Successfully ping google.com and provide a screenshot
Configuring web01
add sudo user hanne
useradd hannesudo usermod -aG wheel hanne
change password default account and new account
passwd hanne
change hostname to
web01-hannenmtui--> set hostname
Set IP/Netmask, Gatewaty, and DNS servers
Reboot the system to apply the settings
Configuring fw01 for NAT and DNS Forwarding on fw01
configure
//adds description to rule with ID of 10, the purpose will be translating traffic from the DMZ netowkr to the WAN interface
set nat source rule 10 description "NAT FROM DMZ TO WAN"
//indicates that traffic leaving through interface eth0 will be affected by the rule
set nat source rule 10 outbound-interface eth0
//matches traffic originating from the 172.15.30.0/29 subnet (DMZ network)
set nat source rule 10 source address 172.16.50.0/29
//Masquerade dynamically translates the source IP address of traffic to the IP address assigned to the eth0 interface
set nat source rule 10 translation address masquerade
commit
save
Deliverable 3/4: Provide a screenshot of a successful ping from web01 to 8.8.8.8 followed by a failed DNS lookup for google.com. (Deliverable 4 is a successful ping).
I could not get it to fail. Even before I did the DNS forwarding commands, I was able to ping both Google.com and 8.8.8.8 successfully.
Use the commands below to configure DNS forwarding on fw01-hanne
configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save
Configuring log01
Configure log01 with an IP address ending in .5 (make sure log01 is on the DMZ network)
Set the hostname on log01
create a sudo user on log01
Configure IP address
I used
nmtuiaddress: 172.16.50.5
gateway: 172.16.50.2 (DMZ)
Deliverable 5: A screenshot of your ifconfig followed by a successful ping to google.com from log01
Configuring httpd on web01
Install, enable and start httpd on web01
sudo yum install httpdsudo systemctl start httpdsudo systemctl status httpd(to check that its running)
Configuring firewall on web01
Add ports 80, 443, TCP or services http, https that are required for your http server
GitHub link used https://github.com/Hsanokklis/2023-2024-Tech-journal/wiki/Apache-Lab
Also do these commands on web01-hanne:
sudo firewall-cmd --add-service=https
sudo firewall-cmd --add-service=http
sudo firewall-cmd --reloadTesting httpd on web01 from rw01
Configure the route through
nmtui
Reboot the machine
browse to http://172.16.50.3 on the web browser
Troubleshooting:
My route when I was using nmtui was not showing up when I typed in ip routewhich is weird because that is suppose to make the route persist in the system.
Steps taken:
I manually added the route with:
sudo ip route add 172.16.50.0/29 via 10.0.17.143
This didn't work, and then I rebooted the system, but the routes are not persistent when adding it via the command above, so it wasn' there anymore.
What was werid is that the in GUI, the route that I had added in NMTUI was there, but still wasn't show
The solution was to type
systemctl restart NetworkManagerto get the route to stay!
do
traceroute 172.16.50.3to check that connection to the IP works!
Deliverable 6: Submit a screenshot showing rw01 successfully browsing the test page on your httpd server.
Configuring rsyslog services on log01
Install rsyslog on log01-hanne
sudo systemctl status rsyslog
//if not installed run -->
sudo yum install rsyslog
sudo systemctl start rsyslog
sudo systemctl status rsyslogAllow UDP and TCP 514 for syslog traffic permanently
On log01, the /etc/rsyslog.conf file needs to be modified to receive syslog messages over ports 514 tcp and udp.
sudo nano /etc/rsyslog.conf
Uncomment the appropriate lines
restart the rsyslog service
sudo systemctl restart rsyslog
check to see if rsyslog is listening appropriately to these ports
netstat -tupan | grep 514
Configuring rsyslog client on web01
Install syslog on web01 if its not there
sudo yum install syslog
Create file /etc/rsyslog.d/sec350.conf
restart syslog
Test rsyslog messaging from web01 to log01
On log01, tail -f the /var/log/messages file
send a message from web01 to log01 using the logger tool
logger -t test TESTFROMWEB01TOLOG01
Deliverable 7: Take a screenshot that shows the test message arriving in log01’s /var/log/messages file from web01.
rw01->SSH->web01->SSH->log01
From rw01, use a SSH session to login to web01, from that SSH session login to log01
Deliverable 8: Provide a screenshot that shows this layered ssh session.
Last updated