Thursday, 5 April 2018

00- Create the Slave DNS servers

ns2.ab.lab:

root@ns2:~# cat /etc/os-release | head -n2 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
root@ns2:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@ns2:~# cat /etc/resolv.conf
search ab.lab
nameserver 127.0.0.1
nameserver 10.0.0.22
nameserver 8.8.8.8
root@ns2:~# cat  /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
 address 10.0.0.22/24
 gateway 10.0.0.1
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 127.0.0.1 10.0.0.22 8.8.8.8
 dns-search ab.lab
root@ns2:~# hostname
ns2.ab.lab

root@ns2:~# hostnamectl 
   Static hostname: ns2.ab.lab
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 52c1bcfad0c642b486b7e16fdda1af1a
           Boot ID: 5d68b29036b1483bba7303ea58f5b751
    Virtualization: kvm
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.9.0-4-amd64
      Architecture: x86-64


root@ns2:~# cat /etc/hostname 
ns2.ab.lab
root@ns2:~# cat /etc/hosts
127.0.0.1 localhost
10.0.0.22 ns2.ab.lab ns2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Install the BIND server:
root@ns2:~# apt-get install bind9 dnsutils bind9-host bind9utils

Modify the '/etc/bind/named.conf.options' file as follows:
root@ns2:~# cp -av /etc/bind/named.conf.options  /root/orig_files/
'/etc/bind/named.conf.options' -> '/root/orig_files/named.conf.options'

root@ns2:~# cat  /etc/bind/named.conf.options
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };

 # ----------- 
  # Added by Ab
  # -----------

  # Allow queries only from 'localhost' and from 'dmz1-gw.ab.lab' (10.0.0.254), the gateway
  # for the Web, Middleware and Application Tiers. This is the global default; the "external"
  # view overrides it with 'any', the "internal" view inherits it.
  allow-query { localhost; 10.0.0.254; };

  # NOTE(review): no 'allow-transfer' statement is set here, in either view or in any zone.
  # On the BIND 9 release shipped with stretch the default is to permit zone transfers to
  # any host, and the host firewall accepts TCP/53 from any source, so the complete zone
  # contents can be pulled by any client able to reach this server. A slave with no
  # downstream secondaries can set "allow-transfer { none; };" here (zones and views may
  # still override it) -- confirm no other server transfers from ns2 before enabling.

 # 'recursion' is set to 'yes' by default
  # 'recursion' Info -> http://www.zytrax.com/books/dns/ch7/queries.html#recursion
 # 'recursion query' -> http://www.zytrax.com/books/dns/ch2/index.html#recursive 
 # Disable 'recursion' globally, then re-enable it only inside the "internal" view
 recursion no;

 # ---------------
 # End of addition 
 # ---------------

 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys.  See https://www.isc.org/bind-keys
 //========================================================================
 dnssec-validation auto;

 auth-nxdomain no;    # conform to RFC1035
 
 # --------------
        # Modified by Ab
        # --------------
 
  # We do not use IPv6, so do not listen on it
  #listen-on-v6 { any; };
  listen-on-v6 { none; };

  # -------------------
        # End of Modification
        # -------------------
};

Modify the '/etc/bind/named.conf' file:
root@ns2:~# cat  /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

# --------------
# Modified by Ab
# --------------

# Comment out the following include: once any 'view' statement exists, BIND requires every
# zone to be declared inside a view, so the default zones are included from within the
# "internal" and "external" views instead.
# NOTE(review): named.conf.local is still included above; any zone added there later has to
# be placed inside a view as well, or named will refuse to load the configuration.
#include "/etc/bind/named.conf.default-zones";

# -------------------
# End of Modification
# -------------------

# ----------- 
# Added by Ab
# -----------

# Zone configuration file (the "internal" view) for the Web, Middleware and Application Tiers.
# Views are matched in the order they are read, so this one is consulted first.
include "/etc/bind/named.conf.internal-zones";

# Zone configuration file (the "external" view) for the Public Tier
include "/etc/bind/named.conf.external-zones";

# ---------------
# End of addition 
# ---------------

Create '/etc/bind/named.conf.internal-zones':
root@ns2:~# cat /etc/bind/named.conf.internal-zones 
# -----------------------------------------------------------------
# Zone configuration file for Web, Middleware and Application Tiers
# -----------------------------------------------------------------
view "internal" {
 # Clients allowed to use the following zones (the "external" view catches everything else)
 match-clients {
  localhost;
  10.0.0.254;
 };
 
 # Allow recursion here: it is disabled globally in named.conf.options ('recursion no')
 # and re-enabled only for this view
 recursion yes;

 # Allow recursion from 'localhost' and 'dmz1-gw.ab.lab' as gateway for Web, Middleware and Application Tiers
        # 'allow-recursion' -> http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion
 allow-recursion { 127.0.0.1; 10.0.0.254; };

 # 'ab.lab' FORWARD Zone
 # NOTE(review): the "external" view also slaves "ab.lab" from 10.0.0.21, and both transfers
 # leave this host from the same source address, so the master cannot tell which view is asking.
 # Unless master and slave share a per-view TSIG key (or each view uses its own
 # 'transfer-source' address) both views receive the same zone data -- confirm that
 # db.ab.lab-external does not end up holding the internal records.
 zone "ab.lab" {
  type slave;
                # Master DNS server to get Forward Zone records from (presumably ns1.ab.lab)
  masters { 10.0.0.21; };
  file "/etc/bind/slaves/db.ab.lab-internal";
 };

 # '10.0.0.0/24' (Public Tier) Reverse Zone
        zone "0.0.10.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.10.0.0";
        };

 # '172.16.11.0/24' (Web Tier) Reverse Zone
 zone "11.16.172.in-addr.arpa" {
                # Master DNS server to get Reverse Zone records from
  type slave;
  masters { 10.0.0.21; }; 
  file "/etc/bind/slaves/db.172.16.11"; 
 };

 # '192.168.20.0/24' (Middleware Tier) Reverse Zone
        zone "20.168.192.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.192.168.20";
        };

 # '192.168.21.0/24' (Application Tier) Reverse Zone
        zone "21.168.192.in-addr.arpa" {
                type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
                file "/etc/bind/slaves/db.192.168.21";
        };


 # Include the default zones file (root hints, localhost, ...) that was commented out in
 # /etc/bind/named.conf; every zone must live inside a view once views are used
 include "/etc/bind/named.conf.default-zones";
};   

Create "/etc/bind/named.conf.external-zones":
root@ns2:~# cat /etc/bind/named.conf.external-zones 
# ---------------------------------------
# Zone configuration file for Public Tier
# ---------------------------------------
view "external" {
 # Clients allowed to use the following zones. Views are matched in order: the "internal"
 # view (included first in named.conf) takes localhost and 10.0.0.254, every other client
 # lands here.
 match-clients {
  any;
 };

 # Allow queries from any host (overrides the global 'allow-query' in named.conf.options).
 # 'recursion' stays 'no' here as inherited from named.conf.options, so this view answers
 # authoritatively only.
 allow-query {
  any;
 };

 # 'ab.lab' External FORWARD Zone
 zone "ab.lab" {
  type slave;
  # Master DNS server to get FORWARD Zone records from
  masters { 10.0.0.21; };
  file "/etc/bind/slaves/db.ab.lab-external";
 };

 # 'ab.lab' Reverse Zone
 zone "0.0.10.in-addr.arpa" {
  type slave;
                # Master DNS server to get Reverse Zone records from
  masters { 10.0.0.21; };
  # As "/etc/bind/slaves/db.10.0.0" is already used in "/etc/bind/named.conf.internal-zones" on
  # this slave server, "named-checkconf /etc/bind/named.conf" complains about the same file
  # being used twice, so the 'file' statement is left out here.
  # NOTE(review): without a 'file' statement the transferred zone is kept in memory only and
  # is fetched again from the master after every restart. named-checkconf objects to a path
  # shared by two zones, not to a second file, so a distinct path such as
  # "/etc/bind/slaves/db.10.0.0-external" (name constructed) would pass the check and persist
  # the zone -- the later listing of /etc/bind/slaves/ on this page shows no external copy.
  #file "/etc/bind/slaves/db.10.0.0";
 };

 # Include the default zones file (root hints, localhost, ...) that was commented out in
 # /etc/bind/named.conf
 include "/etc/bind/named.conf.default-zones";
};   

Check the BIND configuration files:
root@ns2:~# named-checkconf /etc/bind/named.conf
root@ns2:~# echo $?
0
root@ns2:~# named-checkconf /etc/bind/named.conf.options 
root@ns2:~# echo $?
0

Create the "/etc/bind/slaves" directory:
root@ns2:~# mkdir -v /etc/bind/slaves/
mkdir: created directory '/etc/bind/slaves/'

root@ns2:~# chown -v bind.bind /etc/bind/slaves
changed ownership of '/etc/bind/slaves' from root:bind to bind:bind

Enable the 'bind9' service and start it:
root@ns2:~# systemctl enable bind9 --now
Synchronizing state of bind9.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable bind9

Restart the 'bind9' service on 'ns1.ab.lab', then do the same on 'ns2.ab.lab':
root@ns1:~# systemctl restart bind9 

root@ns2:~# systemctl restart bind9

Check the transferred slave zone files now:
root@ns2:~# ls -lh /etc/bind/slaves/
total 24K
-rw-r--r-- 1 bind bind 458 Apr  5 21:27 db.10.0.0
-rw-r--r-- 1 bind bind 621 Apr  5 21:33 db.172.16.11
-rw-r--r-- 1 bind bind 566 Apr  5 21:33 db.192.168.20
-rw-r--r-- 1 bind bind 491 Apr  5 21:33 db.192.168.21
-rw-r--r-- 1 bind bind 408 Apr  5 21:27 db.ab.lab-external
-rw-r--r-- 1 bind bind 408 Apr  5 21:27 db.ab.lab-internal

By default, iptables rules are empty and policies are ACCEPT:
root@ns2:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Adjust the iptables rules as follows:
## Allow all "ESTABLISHED" and "RELATED" incoming packets
root@ns2:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow all packets for localhost
root@ns2:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

## Allow incoming DNS packets using the TCP protocol
root@ns2:~# iptables -A INPUT -p tcp --dport 53 -d 10.0.0.22 -m state --state NEW -j ACCEPT
 
## Allow incoming DNS packets using the UDP protocol
root@ns2:~# iptables -A INPUT -p udp --dport 53 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Allow incoming SSH connections from any host (temporary, until the jumpstart server is installed)
root@ns2:~# iptables -A INPUT -p tcp --dport 22 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Allow incoming SSH packets from 'jumpstart.ab.lab' after its source IP is SNATed from 10.0.0.254 to 10.0.0.31
root@ns2:~# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.31 -d 10.0.0.22 -m state --state NEW -j ACCEPT

## Change "INPUT" and "FORWARD" Chains policy to "DROP"
root@ns2:~# iptables -P INPUT DROP
root@ns2:~# iptables -P FORWARD DROP

The iptables rules should now look like this:
root@ns2:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      172 10860 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1           
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.22            tcp dpt:53 state NEW
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.22            udp dpt:53 state NEW
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.22            tcp dpt:22 state NEW
6        0     0 ACCEPT     tcp  --  *      *       10.0.0.31            10.0.0.22            tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 4456 bytes)
num   pkts bytes target     prot opt in     out     source               destination 
root@ns2:~# iptables-save > /etc/iptables/rules.v4
