Thursday, 5 April 2018

00- Create the Slave DNS servers

ns2.ab.lab:

root@ns2:~# cat /etc/os-release | head -n2 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
root@ns2:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@ns2:~# cat /etc/resolv.conf
search ab.lab
nameserver 127.0.0.1
nameserver 10.0.0.22
nameserver 8.8.8.8
root@ns2:~# cat  /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
 address 10.0.0.22/24
 gateway 10.0.0.1
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 127.0.0.1 10.0.0.22 8.8.8.8
 dns-search ab.lab
root@ns2:~# hostname
ns2.ab.lab

root@ns2:~# hostnamectl 
   Static hostname: ns2.ab.lab
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 52c1bcfad0c642b486b7e16fdda1af1a
           Boot ID: 5d68b29036b1483bba7303ea58f5b751
    Virtualization: kvm
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-4-amd64
      Architecture: x86-64


root@ns2:~# cat /etc/hostname 
ns2.ab.lab
root@ns2:~# cat /etc/hosts
127.0.0.1 localhost
10.0.0.22 ns2.ab.lab ns2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Install the BIND server:
root@ns2:~# apt-get install bind9 dnsutils bind9-host bind9utils

Modify the '/etc/bind/named.conf.options' file as follows:
root@ns2:~# cp -av /etc/bind/named.conf.options  /root/orig_files/
'/etc/bind/named.conf.options' -> '/root/orig_files/named.conf.options'

root@ns2:~# cat  /etc/bind/named.conf.options
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };

 # ----------- 
  # Added by Ab
  # -----------

  # Allow queries from 'localhost' and from 'dmz1-gw.ab.lab', the gateway for the Web, Middleware and Application Tiers
  allow-query { localhost; 10.0.0.254; };


 # 'recursion' is set to 'yes' by default
  # 'recursion' Info  - > http://www.zytrax.com/books/dns/ch7/queries.html#recursion
 # 'recursion query' ->  http://www.zytrax.com/books/dns/ch2/index.html#recursive 
 # Disable 'recursion' globally here, then allow it only inside the "internal" view
 recursion no;

 # ---------------
 # End of addition 
 # ---------------

 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys.  See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation auto;

 auth-nxdomain no;    # conform to RFC1035
 
 # --------------
        # Modified by Ab
        # --------------
 
  # We do not use IPv6
  #listen-on-v6 { any; };
  listen-on-v6 { none; };

  # -------------------
        # End of Modification
        # -------------------
};

Modify the '/etc/bind/named.conf' file:
root@ns2:~# cat  /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

# --------------
# Modified by Ab
# --------------

# Comment out the following include, as the default zones are included inside the "internal" and "external" views instead
#include "/etc/bind/named.conf.default-zones";

# -------------------
# End of Modification
# -------------------
##

# ----------- 
# Added by Ab
# -----------

# Add Web, Middleware and Application Tiers Zones configuration file
include "/etc/bind/named.conf.internal-zones";

# Add Public Tier Zones configuration file
include "/etc/bind/named.conf.external-zones";

# ---------------
# End of addition 
# ---------------

Create the '/etc/bind/named.conf.internal-zones' file:
root@ns2:~# cat /etc/bind/named.conf.internal-zones 
# -----------------------------------------------------------------
# Zone configuration file for Web, Middleware and Application Tiers
# -----------------------------------------------------------------
view "internal" {
 # Clients allowed to use the following zones
 match-clients {
  localhost;
  10.0.0.254;
 };
 
 # Allow recursion in this view, as it is disabled in the global options
 recursion yes;

 # Allow recursion from 'localhost' and from 'dmz1-gw.ab.lab', the gateway for the Web, Middleware and Application Tiers
        # 'allow-recursion' -> http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion
 allow-recursion { 127.0.0.1; 10.0.0.254; };

 # 'ab.lab' FORWARD Zone
 zone "ab.lab" {
  type slave;
                # Master DNS server to get Forward Zone records from
  masters { 10.0.0.21; };
  file "/etc/bind/slaves/db.ab.lab-internal";
 };

 # '10.0.0.0/24' (Public Tier) Reverse Zone
        zone "0.0.10.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.10.0.0";
        };

 # '172.16.11.0/24' (Web Tier) Reverse Zone
 zone "11.16.172.in-addr.arpa" {
                # Master DNS server to get Reverse Zone records from
  type slave;
  masters { 10.0.0.21; }; 
  file "/etc/bind/slaves/db.172.16.11"; 
 };

 # '192.168.20.0/24' (Middleware Tier) Reverse Zone
        zone "20.168.192.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.192.168.20";
        };

 # '192.168.21.0/24' (Application Tier) Reverse Zone
        zone "21.168.192.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.192.168.21";
        };


 # Include the default zones file that was commented out in /etc/bind/named.conf
 include "/etc/bind/named.conf.default-zones";
};   

Create the "/etc/bind/named.conf.external-zones" file:
root@ns2:~# cat /etc/bind/named.conf.external-zones 
# ---------------------------------------
# Zone configuration file for Public Tier
# ---------------------------------------
view "external" {
 # Clients allowed to use the following zones
 match-clients {
  any;
 };

 # Allow query from any hosts
 allow-query {
  any;
 };

 # 'ab.lab' External FORWARD Zone
 zone "ab.lab" {
  type slave;
  # Master DNS server to get FORWARD Zone records from
  masters { 10.0.0.21; };
  file "/etc/bind/slaves/db.ab.lab-external";
 };

 # 'ab.lab' Reverse Zone
 zone "0.0.10.in-addr.arpa" {
  type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
  # "/etc/bind/slaves/db.10.0.0" is already used by this zone in "/etc/bind/named.conf.internal-zones" on this slave server,
  # so "named-checkconf /etc/bind/named.conf" would complain about the same file being used twice if it were repeated here
  #file "/etc/bind/slaves/db.10.0.0";
 };

 # Include the default zones file that was commented out in /etc/bind/named.conf
 include "/etc/bind/named.conf.default-zones";
};   

Check the 'BIND' configuration files:
root@ns2:~# named-checkconf /etc/bind/named.conf
root@ns2:~# echo $?
0
root@ns2:~# named-checkconf /etc/bind/named.conf.options 
root@ns2:~# echo $?
0

Create the "/etc/bind/slaves" directory:
root@ns2:~# mkdir -v /etc/bind/slaves/
mkdir: created directory '/etc/bind/slaves/'

root@ns2:~# chown -v bind.bind /etc/bind/slaves
changed ownership of '/etc/bind/slaves' from root:bind to bind:bind

Enable the 'bind9' service and start it:
root@ns2:~# systemctl enable bind9 --now
Synchronizing state of bind9.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable bind9

Restart the 'bind9' service on 'ns1.ab.lab', then do the same on 'ns2.ab.lab':
root@ns1:~# systemctl restart bind9 

root@ns2:~# systemctl restart bind9

Check the slave zone files now:
root@ns2:~# ls -lh /etc/bind/slaves/
total 24K
-rw-r--r-- 1 bind bind 458 Apr  5 21:27 db.10.0.0
-rw-r--r-- 1 bind bind 621 Apr  5 21:33 db.172.16.11
-rw-r--r-- 1 bind bind 566 Apr  5 21:33 db.192.168.20
-rw-r--r-- 1 bind bind 491 Apr  5 21:33 db.192.168.21
-rw-r--r-- 1 bind bind 408 Apr  5 21:27 db.ab.lab-external
-rw-r--r-- 1 bind bind 408 Apr  5 21:27 db.ab.lab-internal

By default, the iptables rule set is empty and all chain policies are ACCEPT:
root@ns2:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Adjust the iptables rules as follows:
## Allow all "ESTABLISHED" and "RELATED" incoming packets
root@ns2:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow all packets for localhost
root@ns2:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

## Allow incoming DNS packets using the TCP protocol
root@ns2:~# iptables -A INPUT -p tcp --dport 53 -d 10.0.0.22 -m state --state NEW -j ACCEPT
 
## Allow incoming DNS packets using the UDP protocol
root@ns2:~# iptables -A INPUT -p udp --dport 53 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Allow incoming SSH connections from any source (temporary, until the jumpstart server is installed; while this rule is present, the narrower rule below is never reached)
root@ns2:~# iptables -A INPUT -p tcp --dport 22 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Allow incoming SSH packets from 'jumpstart.ab.lab' after SNATing IP from 10.0.0.254 to 10.0.0.31
root@ns2:~# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.31 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Change the "INPUT" and "FORWARD" chain policies to "DROP"
root@ns2:~# iptables -P INPUT DROP
root@ns2:~# iptables -P FORWARD DROP

The iptables rules should now look like this:
root@ns2:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      172 10860 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.22            tcp dpt:53 state NEW
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.22            udp dpt:53 state NEW
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.22            tcp dpt:22 state NEW
6        0     0 ACCEPT     tcp  --  *      *       10.0.0.31            10.0.0.22            tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 4456 bytes)
num   pkts bytes target     prot opt in     out     source               destination 
root@ns2:~# iptables-save > /etc/iptables/rules.v4

Wednesday, 4 April 2018

003- Create the Master DNS servers

ns1.ab.lab:

root@ns1:~# cat /etc/os-release | head -n2 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
root@ns1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@ns1:~# cat /etc/resolv.conf 
nameserver 127.0.0.1
nameserver 10.0.0.21
nameserver 8.8.8.8
search ab.lab
root@ns1:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
 address 10.0.0.21/24
 gateway 10.0.0.1
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 127.0.0.1 10.0.0.21 8.8.8.8
 dns-search ab.lab
root@ns1:~# hostname
ns1.ab.lab

root@ns1:~# hostnamectl 
   Static hostname: ns1.ab.lab
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 23347cec76ad435399dee326b64953ab
           Boot ID: 668f4d51bbd94dd9bdea5f74b842ebf6
    Virtualization: kvm
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-4-amd64
      Architecture: x86-64

root@ns1:~# cat /etc/hostname 
ns1.ab.lab
root@ns1:~# cat /etc/hosts
127.0.0.1 localhost
10.0.0.21 ns1.ab.lab ns1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Install the BIND server:
root@ns1:~# apt-get install bind9 dnsutils bind9-host bind9utils

Modify the '/etc/bind/named.conf.options' file as follows:
root@ns1:~# cp -av /etc/bind/named.conf.options  /root/orig_files/
'/etc/bind/named.conf.options' -> '/root/orig_files/named.conf.options'

root@ns1:~# cat /etc/bind/named.conf.options 
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };
 
 # ----------- 
 # Added by Ab
 # -----------

 # Allow queries from 'localhost' and from 'dmz1-gw.ab.lab', the gateway for the Web, Middleware and Application Tiers
 allow-query { localhost; 10.0.0.254; };

 # Allow zone transfers only to localhost and to ns2.ab.lab (the slave DNS server)
 # 'allow-transfer' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer
 allow-transfer { localhost; 10.0.0.22; };

 # 'recursion' is set to 'yes' by default
 # 'recursion' Info  - > http://www.zytrax.com/books/dns/ch7/queries.html#recursion
 # 'recursion query' ->  http://www.zytrax.com/books/dns/ch2/index.html#recursive 
 # Disable 'recursion' globally here, then allow it only inside the "internal" view
 recursion no;

 # ---------------
 # End of addition 
 # ---------------


 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys.  See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation auto;

 auth-nxdomain no;    # conform to RFC1035
 
        # --------------
        # Modified by Ab
        # --------------
 
 # We do not use IPv6
 #listen-on-v6 { any; };
 listen-on-v6 { none; };

 # -------------------
        # End of Modification
        # -------------------


};

Modify the '/etc/bind/named.conf' file:
root@ns1:~# cp -av /etc/bind/named.conf /root/orig_files/
'/etc/bind/named.conf' -> '/root/orig_files/named.conf'
root@ns1:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

# --------------
# Modified by Ab
# --------------

# Comment out the following include, as the default zones are included inside the "internal" and "external" views instead
#include "/etc/bind/named.conf.default-zones";

# -------------------
# End of Modification
# -------------------

# ----------- 
# Added by Ab
# -----------

# Add Web, Middleware and Application Tiers Zones configuration file
include "/etc/bind/named.conf.internal-zones";

# Add Public Tier Zones configuration file
include "/etc/bind/named.conf.external-zones";

# ---------------
# End of addition 
# ---------------

Create the '/etc/bind/named.conf.internal-zones' file:
root@ns1:~# cat  /etc/bind/named.conf.internal-zones
# -----------------------------------------------------------------
# Zone configuration file for Web, Middleware and Application Tiers
# -----------------------------------------------------------------
view "internal" {
 # Clients allowed to use the following zones
 match-clients {
  localhost;
  10.0.0.254;
 };
 
 # Allow recursion in this view, as it is disabled in the global options
 recursion yes;

 # Allow recursion from 'localhost' and from 'dmz1-gw.ab.lab', the gateway for the Web, Middleware and Application Tiers
        # 'allow-recursion' -> http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion
 allow-recursion { 127.0.0.1; 10.0.0.254; };

 # 'ab.lab' Internal FORWARD Zone
 zone "ab.lab" {
  type master;
  file "/etc/bind/db.ab.lab-internal";
  # No hosts are allowed to submit dynamic updates to master zones
  # 'allow-update' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
  allow-update { none; };
 };

 # '10.0.0.0/24' (Public Tier) Reverse Zone
        zone "0.0.10.in-addr.arpa" {
                type master;
                file "/etc/bind/db.10.0.0";
                allow-update { none; };
        };

 # '172.16.11.0/24' (Web Tier) Reverse Zone
 zone "11.16.172.in-addr.arpa" {
  type master;
  file "/etc/bind/db.172.16.11"; 
  allow-update { none; };
 };

 # '192.168.20.0/24' (Middleware Tier) Reverse Zone
        zone "20.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.20";
                allow-update { none; };
        };

 # '192.168.21.0/24' (Application Tier) Reverse Zone
        zone "21.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.21";
                allow-update { none; };
        };


 # Include the default zones file that was commented out in /etc/bind/named.conf
 include "/etc/bind/named.conf.default-zones";
};   

Create the "/etc/bind/named.conf.external-zones" file:
root@ns1:~# cat /etc/bind/named.conf.external-zones
# ---------------------------------------
# Zone configuration file for Public Tier
# ---------------------------------------
view "external" {
 # Clients allowed to use the following zones
 match-clients {
  any;
 };

 # Allow query from any hosts
 allow-query {
  any;
 };

 # 'ab.lab' External FORWARD Zone
 zone "ab.lab" {
  type master;
  file "/etc/bind/db.ab.lab-external";
  # No hosts are allowed to submit dynamic updates to master zones
  # 'allow-update' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
  allow-update { none; };
 };

 # 'ab.lab' Reverse Zone
 zone "0.0.10.in-addr.arpa" {
  type master;
  file "/etc/bind/db.10.0.0";
  allow-update { none; };
 };

 # Include the default zones file that was commented out in /etc/bind/named.conf
 include "/etc/bind/named.conf.default-zones";
};   

Create the "/etc/bind/db.ab.lab-internal" file:
root@ns1:~# cat /etc/bind/db.ab.lab-internal
;
; "ab.lab" INTERNAL FORWARD ZONE Records
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
       2018040401  ; Serial
      3600  ; Refresh
      1800  ; Retry
    604800  ; Expire
    86400 ) ; Negative Cache TTL

; Name Servers records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.

; 'ping ab.lab' resolves to 10.0.0.21
@ IN A 10.0.0.21

;
; A RECORDS
;

; Public Tier
ns1  IN A 10.0.0.21
ns2  IN A  10.0.0.22

; Web Tier
dmz1-gw  IN A 172.16.11.254
www1   IN A 172.16.11.11
dhcp-relay1 IN A 172.16.11.23
jumpstart IN A 172.16.11.31

; Middleware Tier
dmz2-gw  IN A 192.168.20.254
app1  IN A 192.168.20.11
dhcp-relay2 IN A 192.168.20.21

; Application Tier
internal-gw IN A 192.168.21.254
db1  IN  A 192.168.21.11
dhcp  IN A 192.168.21.21


; CNAME RECORDS
web1  IN CNAME www1.ab.lab.

Create the "/etc/bind/db.10.0.0" file:
root@ns1:~# cat /etc/bind/db.10.0.0
;
; 10.0.0.0/24 Reverse zone records
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
       2018040401  ; Serial
      3600  ; Refresh
      1800  ; Retry
    604800  ; Expire
    86400 ) ; Negative Cache TTL

; Name Servers Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.


@       IN      PTR     ab.lab.
@ IN  A 255.255.255.0

; PTR RECORDS 
254 IN PTR dmz1-gw.ab.lab.
21 IN PTR ns1.ab.lab.
22 IN PTR ns2.ab.lab.

Create the "/etc/bind/db.172.16.11" file:
root@ns1:~# cat /etc/bind/db.172.16.11
;
; 172.16.11.0/24 Reverse zone records
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
       2018040401  ; Serial
      3600  ; Refresh
      1800  ; Retry
    604800  ; Expire
    86400 ) ; Negative Cache TTL

; Name Servers Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.

@       IN      PTR     ab.lab.
@ IN  A 255.255.255.0

; PTR RECORDS 
254 IN PTR dmz1-gw.ab.lab.
11 IN PTR www1.ab.lab.
23 IN PTR dhcp-relay1.ab.lab.
31 IN PTR jumpstart.ab.lab.
100 IN PTR dmz2-gw.ab.lab.

Create the "/etc/bind/db.192.168.20" file:
root@ns1:~# cat /etc/bind/db.192.168.20
;
; 192.168.20.0/24 Reverse zone records
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
       2018040401  ; Serial
      3600  ; Refresh
      1800  ; Retry
    604800  ; Expire
    86400 ) ; Negative Cache TTL

; Name Server Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.

@       IN      PTR     ab.lab.
@ IN  A 255.255.255.0

; PTR RECORDS 
254 IN PTR dmz2-gw.ab.lab.
11 IN PTR app1.ab.lab.
21 IN PTR dhcp-relay2.ab.lab.
100 IN PTR internal-gw.ab.lab.

Create the "/etc/bind/db.192.168.21" file:
root@ns1:~# cat /etc/bind/db.192.168.21
;
; 192.168.21.0/24 Reverse zone records
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
       2018040401  ; Serial
      3600  ; Refresh
      1800  ; Retry
    604800  ; Expire
    86400 ) ; Negative Cache TTL

; Name Server Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.

@       IN      PTR     ab.lab.
@ IN  A 255.255.255.0

; PTR RECORDS 
254 IN PTR internal-gw.ab.lab.
11 IN PTR db1.ab.lab.
21 IN PTR dhcp.ab.lab.

By default, the iptables rule set is empty and all chain policies are ACCEPT:
root@ns1:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Adjust the iptables rules as follows:
## Allow all "ESTABLISHED" and "RELATED" incoming packets
root@ns1:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow all packets for localhost
root@ns1:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

## Allow incoming DNS packets using the TCP protocol
root@ns1:~# iptables -A INPUT -p tcp --dport 53 -d 10.0.0.21 -m state --state NEW -j ACCEPT
 
## Allow incoming DNS packets using the UDP protocol
root@ns1:~# iptables -A INPUT -p udp --dport 53 -d 10.0.0.21 -m state --state NEW -j ACCEPT

## Allow incoming SSH connections from any source (temporary, until the jumpstart server is installed; while this rule is present, the narrower rule below is never reached)
root@ns1:~# iptables -A INPUT -p tcp --dport 22 -d 10.0.0.21 -m state --state NEW -j ACCEPT

## Allow incoming SSH packets from 'jumpstart.ab.lab' after SNATing IP from 10.0.0.254 to 10.0.0.31
root@ns1:~# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.31 -d 10.0.0.21 -m state --state NEW -j ACCEPT

## Change the "INPUT" and "FORWARD" chain policies to "DROP"
root@ns1:~# iptables -P INPUT DROP
root@ns1:~# iptables -P FORWARD DROP

The iptables rules should now look like this:
root@ns1:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      450 28536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.21            tcp dpt:53 state NEW
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.21            udp dpt:53 state NEW
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.21            tcp dpt:22 state NEW
6        0     0 ACCEPT     tcp  --  *      *       10.0.0.31            10.0.0.21            tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 112 packets, 15340 bytes)
num   pkts bytes target     prot opt in     out     source               destination  
root@ns1:~# iptables-save > /etc/iptables/rules.v4 

Tuesday, 3 April 2018

004- Create the first router

I am going to create the first router, which controls the Web Tier:



dmz1-gw.ab.lab:

root@dmz1-gw:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
 address 10.0.0.254/24
 gateway 10.0.0.1
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 10.0.0.1 8.8.8.8
 dns-search ab.lab

allow-hotplug ens4
iface ens4 inet static
 address 172.16.11.254/24
root@dmz1-gw:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
172.16.11.0     0.0.0.0         255.255.255.0   U     0      0        0 ens4

Enable kernel IP forwarding. At this point the filter table still has an ACCEPT policy on FORWARD (see below), so the VM forwards everything between ens3 and ens4 until the DROP policy is set further down; on a real router set the FORWARD policy (or load the full rule set) before turning forwarding on:
root@dmz1-gw:~# tail -n2 /etc/sysctl.conf 
# Allow Kernel Routing
net.ipv4.ip_forward = 1
root@dmz1-gw:~# sysctl -p
net.ipv4.ip_forward = 1

root@dmz1-gw:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@dmz1-gw:~# cat /proc/sys/net/ipv4/ip_forward
1

By default, every chain of the 'filter' table has an ACCEPT policy and no rules. Note that everything on this page is IPv4 only; if IPv6 is enabled on these VMs, ip6tables needs an equivalent rule set (or at least a DROP policy), otherwise the filtering below can be bypassed over IPv6:
root@dmz1-gw:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 76 packets, 5040 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 46 packets, 4544 bytes)
num   pkts bytes target     prot opt in     out     source               destination     

Adjust "INPUT" chain as the following:
# Allow loopback traffic (`-i lo -j ACCEPT` is the more usual form: it matches the interface rather than the 127.0.0.1 addresses)
root@dmz1-gw:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Allow incoming ESTABLISHED and RELATED connections
root@dmz1-gw:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH to 'dmz1-gw.ab.lab' from any source on ens3 until jumpstart.ab.lab is built; delete this rule afterwards, otherwise the jumpstart-only rule below is redundant
root@dmz1-gw:~# iptables -A INPUT -i ens3 -p tcp --dport 22 -d 10.0.0.254 -m state --state NEW -j ACCEPT

# Allow SSH Connection from 'jumpstart.ab.lab'
root@dmz1-gw:~# iptables -A INPUT -p tcp --dport 22 -s 172.16.11.31 -d 172.16.11.254 -m state --state NEW -j ACCEPT

root@dmz1-gw:~# iptables -P INPUT DROP

Adjust the "FORWARD" chain as the following:
# Allow return traffic (ESTABLISHED,RELATED) from the outside world back to the Web Tier, Middleware Tier and Application Tier
root@dmz1-gw:~# iptables -A FORWARD -i ens3 -o ens4 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all traffic from the Web Tier, Middleware Tier and Application Tier to the outside world. This is unrestricted egress (no source, protocol or port match), so a compromised tier host can reach anything beyond ens3; tighten it to the subnets that legitimately sit behind ens4 and the ports they actually need
root@dmz1-gw:~# iptables -A FORWARD -i ens4 -o ens3 -j ACCEPT
root@dmz1-gw:~# iptables -N FORWARD_WEB_TIER

# Deal with all FORWARD packets in the Web Tier
root@dmz1-gw:~# iptables -A FORWARD -j FORWARD_WEB_TIER

# Allow SSH connection to jumpstart.ab.lab
root@dmz1-gw:~# iptables -A FORWARD_WEB_TIER -i ens3 -o ens4 -p tcp --dport 22 -d 172.16.11.31 -m state --state NEW -j ACCEPT
root@dmz1-gw:~# iptables -P FORWARD DROP

The filter table should now look like this. INPUT rule 3 (SSH from any source on ens3) is the temporary bootstrap rule and makes rule 4 redundant until it is deleted; FORWARD rule 2 passes everything from ens4 to ens3 unfiltered, so FORWARD_WEB_TIER only ever sees inbound (ens3 to ens4) traffic:
root@dmz1-gw:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1           
2     1129 69144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  ens3   *       0.0.0.0/0            10.0.0.254           tcp dpt:22 state NEW
4        0     0 ACCEPT     tcp  --  *      *       172.16.11.31         172.16.11.254        tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  ens3   ens4    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  ens4   ens3    0.0.0.0/0            0.0.0.0/0           
3        0     0 FORWARD_WEB_TIER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 153 packets, 22536 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_WEB_TIER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  ens3   ens4    0.0.0.0/0            172.16.11.31         tcp dpt:22 state NEW

By default, nat table is empty:
root@dmz1-gw:~# iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 3 packets, 604 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3 packets, 604 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1369 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 19 packets, 1369 bytes)
num   pkts bytes target     prot opt in     out     source               destination     

Adjust the nat table as the following:
# SNAT all communications from the Middleware Tier and Application Tier (they are expected to arrive here with source 172.16.11.100, the Web Tier address of dmz2-gw)
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.100 -j SNAT --to-source 10.0.0.254 

# SNAT packets from www1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.11 -j SNAT --to-source 10.0.0.254 

# SNAT packets from ns1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.21 -j SNAT --to-source 10.0.0.254 

# SNAT packets from ns2.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.22 -j SNAT --to-source 10.0.0.254 

# SNAT packets from jumpstart.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.31 -j SNAT --to-source 10.0.0.254 

# SNAT packets from dhcp-relay1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.23 -j SNAT --to-source 10.0.0.254 

The nat table should now look like this. As on ns1, persist the rule set with `iptables-save > /etc/iptables/rules.v4` (iptables-persistent) once it is verified: net.ipv4.ip_forward=1 survives a reboot via /etc/sysctl.conf, but unsaved filter and nat rules do not, and the router would come back forwarding everything with the default ACCEPT policy:
root@dmz1-gw:~# iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 SNAT       all  --  *      ens3    172.16.11.100        0.0.0.0/0            to:10.0.0.254
2        0     0 SNAT       all  --  *      ens3    172.16.11.11         0.0.0.0/0            to:10.0.0.254
3        0     0 SNAT       all  --  *      ens3    172.16.11.21         0.0.0.0/0            to:10.0.0.254
4        0     0 SNAT       all  --  *      ens3    172.16.11.22         0.0.0.0/0            to:10.0.0.254
5        0     0 SNAT       all  --  *      ens3    172.16.11.31         0.0.0.0/0            to:10.0.0.254
6        0     0 SNAT       all  --  *      ens3    172.16.11.23         0.0.0.0/0            to:10.0.0.254

002- KVM Networks

According to the Network Info, create the following KVM networks. Only iptables-public has a &lt;forward mode='nat'&gt; element; the dmz1, dmz2 and interna networks have none, so libvirt keeps them isolated and inter-tier traffic has to pass through the router VMs. The host still owns the .1 address on every tier bridge, though, so the hypervisor itself can reach each tier directly, bypassing dmz1-gw; the host routes added below redirect host-originated traffic but leave the directly-connected bridge routes in place:

virsh # net-dumpxml iptables-public
<network>
  <name>iptables-public</name>
  <uuid>3637b3c4-29fa-49dd-8f0e-f8c9b2d8f8a8</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr6' stp='on' delay='0'/>
  <mac address='52:54:00:b3:79:f2'/>
  <domain name='ab.lab'/>
  <ip address='10.0.0.1' netmask='255.255.255.0'>
  </ip>
</network>
virsh # net-dumpxml iptables-dmz1
<network>
  <name>iptables-dmz1</name>
  <uuid>2a777b89-a347-48ab-bff6-5d010eca04a0</uuid>
  <bridge name='virbr7' stp='on' delay='0'/>
  <mac address='52:54:00:42:76:64'/>
  <domain name='ab.lab'/>
  <ip address='172.16.11.1' netmask='255.255.255.0'>
  </ip>
</network>
virsh # net-dumpxml iptables-dmz2
<network>
  <name>iptables-dmz2</name>
  <uuid>df1d7b5d-e8c2-4b2c-9177-c572508f5cdb</uuid>
  <bridge name='virbr8' stp='on' delay='0'/>
  <mac address='52:54:00:c1:2c:2f'/>
  <domain name='ab.lab'/>
  <ip address='192.168.20.1' netmask='255.255.255.0'>
  </ip>
</network>
virsh # net-dumpxml iptables-interna
<network>
  <name>iptables-interna</name>
  <uuid>729552eb-a768-48b6-88b0-119f6a5f86e5</uuid>
  <bridge name='virbr10' stp='on' delay='0'/>
  <mac address='52:54:00:fb:a7:7d'/>
  <domain name='ab.lab'/>
  <ip address='192.168.21.1' netmask='255.255.255.0'>
  </ip>
</network>

Change the routes on the KVM host so that the Web Tier (Tier1), Middleware Tier (Tier2) and Application Tier (Tier3) subnets are reached through dmz1-gw (10.0.0.254) in the Public Tier rather than directly over the bridge interfaces. Note that `route add` is not persistent across reboots, and the directly-connected routes via virbr7/virbr8/virbr10 remain in the table after the new gateway routes:

[root@base iptables-lab]# hostname
base.lab

[root@base iptables-lab]# route -n | grep -e Gateway -e  10.0.0.0 -e 172.16.11.0 -e 192.168.20.0 -e 192.168.21.0
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr6
172.16.11.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr7
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr8
192.168.21.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr10
[root@base iptables-lab]# route add -net 172.16.11.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route add -net 192.168.21.0 netmask 255.255.255.0 gw 10.0.0.254
[root@base iptables-lab]# route -n | grep -e Gateway -e  10.0.0.0 -e 172.16.11.0 -e 192.168.20.0 -e 192.168.21.0
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr6
172.16.11.0     10.0.0.254      255.255.255.0   UG    0      0        0 virbr6
172.16.11.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr7
192.168.20.0    10.0.0.254      255.255.255.0   UG    0      0        0 virbr6
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr8
192.168.21.0    10.0.0.254      255.255.255.0   UG    0      0        0 virbr6
192.168.21.0    0.0.0.0         255.255.255.0   U     0      0        0 virbr10

001- Introduction

This blog aims to build an internal lab network using KVM as the hypervisor and iptables as the firewall/router.


Computing and disks Info:

Network Topology:


Network Info:


KVM VM Name
Hostname
Usage
Network
Tier
NIC | IP Address | Subnet Mask | Subnet | KVM Virtual Bridge | Gateway | DNS | KVM Virtual Network
iptables-dmz1-gw
dmz1-gw.ab.lab
DMZ1 Router
ens3 | 10.0.0.254 | 255.255.255.0 | 10.0.0.0/24 | virbr6 | 10.0.0.1 | 10.0.0.1 8.8.8.8 | iptables-public | Public Tier
ens4 | 172.16.11.254
255.255.255.0
172.16.11.0/24
virbr7
N/A | N/A | N/A
iptables-dmz1
Web Tier (Tier1)
ns1.ab.lab | Master DNS Server | ens3 | 172.16.11.21 | 172.16.11.254 | 127.0.0.1 172.16.11.21
ns2.ab.lab | Slave DNS Server | ens3 | 172.16.11.22 | 172.16.11.254 | 127.0.0.1 172.16.11.22
dhcp-relay1.ab.lab | DHCP Relay Server 1 | ens3 | 172.16.11.23 | 172.16.11.254 | 172.16.11.21 172.16.11.22
www1.ab.lab | Web Server 1 | ens3 | 172.16.11.11 | 172.16.11.254 | 172.16.11.21 172.16.11.22
jumpstart.ab.lab | SSH Jumpstart Server | ens3 | 172.16.11.31 | 172.16.11.254 | 172.16.11.21 172.16.11.22
iptables-dmz2-gw
dmz2-gw.ab.lab
DMZ2 Router
ens3 | 172.16.11.100 | 172.16.11.254 | 172.16.11.21 172.16.11.22
ens4192.168.20.254
255.255.255.0
192.168.20.0/24
virbr8
N/A | N/A | N/A
iptables-dmz2
Middleware Tier (Tier2)
app1.ab.lab | Application Server | ens3 | 192.168.20.11
192.168.20.254
172.16.11.21
172.16.11.22
dhcp-relay2.ab.lab | DHCP Relay Server 2 | ens3 | 192.168.20.21
iptables-internal-gw
internal-gw.ab.lab
Internal Router
ens3 | 192.168.20.100
ens4 | 192.168.21.254
255.255.255.0
192.168.21.0/24
virbr10
N/A | N/A | N/A
iptables-interna
Application Tier (Tier3)
db1.ab.lab | Database Server 1 | ens3 | 192.168.21.254 (as listed, this is the same address as internal-gw's ens4, which is also given as the tier's gateway on the next line; one of the two must be wrong, so verify before building db1)
192.168.21.254
172.16.11.21
172.16.11.22
dhcp.ab.lab | DHCP Server | ens3 | 192.168.21.21

00- Create the Slave DNS servers
