Make sure to check the name of your ethernet so you can change it in your netplan yaml file! The default will be eth0, but I had to change mine to ens160.
You can find this by doing ip a
Open the terminal and make file sudo nano /etc/netplan/99_config.yaml
Input the code below:
Type sudo netplan applyto apply the configuration
use hostname -i to check the IP address associated with your box
Deliverable 1: Using rw01's web browser, go to champlain.edu. Take a screenshot that shows your vsphere console name and your browser window similar to the following screenshot.
Success!
Configuring basic routing on fw01
vyOS is a fully functional but console based network appliance and it is a favorite among networking and security professionals. Today we are going to deal with it as a router, saving firewall functionality for another class. Your job will be to join fw01’s three network interfaces to the appropriate networks and provide routing and NAT service to clients residing on those networks.
Go to fw01 Virtual hardware and change the network adapters as seen below
I had to add the third one by going to ADD NEW DEVICE in the top right
Set hostname with Configure, Commit, Save and Exit
Changes are made to the running configuration by entering configure mode. These changes are applied to the running configuration via commit. The changes persist after reload only if you save them. You leave configuration mode via the exit command.
Login
type the following commands in the command prompt
Exit until you get back to the login page, and you should see the machine is now updated to your new hostname!
Successful hostname change
fw01-hanne Interface Assignment
First, check if any interfaces are configured with a dhcp. If it is, then you will need to run the delete command as seen below to delete the DHCP configuration. If there is no dhcp configuration, then you do not & can skip it.
type show interfaces
Ther e are no interfaces configured with DHCP
Set the interfaces and make sure to give them a description
Set the corresponding IP addresses for each interface
Make sure to include CIDR notation
All interfaces configured
Gateway and DNS
The SEC350-WAN interface on fw01 needs to be informed on how to get out to the internet. We will set both the default gateway and DNS server to the SEC350-Gateway Firewall at 10.0.17.2.
Deliverable 2: Successfully ping google.com and provide a screenshot
Successful ping of google.com
Configuring web01
Web01 is a Rocky Web Server that should be placed on the DMZ Network with the IP Address of 172.16.50.3/29. Ensure web01’s network adapter is on the SEC350-DMZ Network
add sudo user hanne
useradd hanne
sudo usermod -aG wheel hanne
change password default account and new account
passwd hanne
change hostname to web01-hanne
nmtui --> set hostname
Set IP/Netmask, Gatewaty, and DNS servers
Reboot the system to apply the settings
Ip addresses configured
Successful ping to fw01-hanne
in order to see your new hostname at the bash prompt, logout (exit) and log back in again.Try to ping google.com or 8.8.8.8 from web01. It will fail because fw01 is not configured to translate IP addresses from the DMZ yet, nor is it configured to forward DNS from the DMZ Subnet.
Configuring fw01 for NAT and DNS Forwarding on fw01
NAT ensures devices in your internal network can access the internet while maintaining network security
DNS Forwarding simplifies DNS management for connected devices by providing a local DNS resolver, reducing the need to configure DNS on each device individually
Show the rules that were set up
Deliverable 3/4: Provide a screenshot of a successful ping from web01 to 8.8.8.8 followed by a failed DNS lookup for google.com. (Deliverable 4 is a successful ping).
I could not get it to fail. Even before I did the DNS forwarding commands, I was able to ping both Google.com and 8.8.8.8 successfully.
Use the commands below to configure DNS forwarding on fw01-hanne
Another Successful Ping of Google
Configuring log01
We are going to put our log server on the DMZ network, and later place this server in a segmented area of our network. (adapter)
Configure log01 with an IP address ending in .5 (make sure log01 is on the DMZ network)
Set the hostname on log01
create a sudo user on log01
Configure IP address
I used nmtui
address: 172.16.50.5
gateway: 172.16.50.2 (DMZ)
NMTUI IP configuration
Deliverable 5: A screenshot of your ifconfig followed by a successful ping to google.com from log01
Successful ping of google.com
Configuring httpd on web01
Install, enable and start httpd on web01
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl status httpd (to check that its running)
Configuring firewall on web01
Add ports 80, 443, TCP or services http, https that are required for your http server
rw01's default gateway is 10.0.17.2, we need to tell it that any address in your DMZ should route via your firewall’s WAN interface. We do this with a static route on rw01. Remember, your IP address will not be the same as the following illustration, so refer to your WAN assignment. In this case, we are saying that anything addressed to the 172.16.50.0/29 network will go through the 10.0.17.1XX router.
Configure the route through nmtui
Anything that is addressed to 172.15.50.0/29 will go through the WAN at 10.0.17.143
Reboot the machine
browse to http://172.16.50.3 on the web browser
Troubleshooting:
My route when I was using nmtui was not showing up when I typed in ip routewhich is weird because that is suppose to make the route persist in the system.
Steps taken:
I manually added the route with:
sudo ip route add 172.16.50.0/29 via 10.0.17.143
This didn't work, and then I rebooted the system, but the routes are not persistent when adding it via the command above, so it wasn' there anymore.
What was werid is that the in GUI, the route that I had added in NMTUI was there, but still wasn't show
The solution was to type systemctl restart NetworkManagerto get the route to stay!
do traceroute 172.16.50.3 to check that connection to the IP works!
Deliverable 6: Submit a screenshot showing rw01 successfully browsing the test page on your httpd server.
Configuring rsyslog services on log01
log01 will be receiving syslog traffic from fw01 and web01.
Install rsyslog on log01-hanne
Allow UDP and TCP 514 for syslog traffic permanently
adding the ports for syslog
Checking that the ports were applied (sudo firewall-cmd --list-all)
On log01, the /etc/rsyslog.conf file needs to be modified to receive syslog messages over ports 514 tcp and udp.
sudo nano /etc/rsyslog.conf
Uncomment the appropriate lines
restart the rsyslog service
sudo systemctl restart rsyslog
check to see if rsyslog is listening appropriately to these ports
netstat -tupan | grep 514
Configuring rsyslog client on web01
Install syslog on web01 if its not there
sudo yum install syslog
Create file /etc/rsyslog.d/sec350.conf
the line in sec350.conf means:
user=syslog facility
notice=syslog priority
@=UDP, @@ means TCP, so we are only going to send UDP
172.16.50.5=Remote Syslog Server
file input
restart syslog
Test rsyslog messaging from web01 to log01
On log01, tail -f the /var/log/messages file
The tail command in Unix/Linux operating systems displays the last part of one or more files or piped data. By default, it shows the last 10 lines of each specified file. It's often used to check the end of log files, monitor file changes in real-time with the -f option, or to view the end of large files without loading the entire contents into memory.
send a message from web01 to log01 using the logger tool
logger -t test TESTFROMWEB01TOLOG01
using the logger command
Deliverable 7: Take a screenshot that shows the test message arriving in log01’s /var/log/messages file from web01.
The bottom lines show the test from Web01 to Log01 working!
rw01->SSH->web01->SSH->log01
From rw01, use a SSH session to login to web01, from that SSH session login to log01
Deliverable 8: Provide a screenshot that shows this layered ssh session.
sudo usermod -aG sudo hanne
# adds the user to the admin group
sudo hostnamectl set-hostname rw01-hanne
network:
version: 2
renderer: networkd
ethernets:
ens160: (make sure you change this)
addresses:
- 10.0.17.43/24 (this should be your IP address)
routes:
- to: default
via: 10.0.17.2 (this is your default gateway)
configure
set system host-name fw01-hanne (this should be whatever hostname you choose)
commit
save
exit
configure
set interfaces ethernet eth0 description SEC-350-WAN
set interfaces ethernet eth1 description SEC-350-DMZ
set interfaces ethernet eth2 description SEC-350-LAN
commit
save
exit
configure
set interfaces ethernet eth0 address 10.0.17.143/24 (this will be unique)
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
exit
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
exit
configure
//adds description to rule with ID of 10, the purpose will be translating traffic from the DMZ netowkr to the WAN interface
set nat source rule 10 description "NAT FROM DMZ TO WAN"
//indicates that traffic leaving through interface eth0 will be affected by the rule
set nat source rule 10 outbound-interface eth0
//matches traffic originating from the 172.15.30.0/29 subnet (DMZ network)
set nat source rule 10 source address 172.16.50.0/29
//Masquerade dynamically translates the source IP address of traffic to the IP address assigned to the eth0 interface
set nat source rule 10 translation address masquerade
commit
save
configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save
