ns1.ab.lab:
root@ns1:~# cat /etc/os-release | head -n2
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
root@ns1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
root@ns1:~# cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 10.0.0.21
nameserver 8.8.8.8
search ab.lab
Keep in mind that with 8.8.8.8 as the last entry, any lookup the local named fails to answer (including unqualified names expanded through `search ab.lab`) is retried against a public resolver, which leaks internal host names off the network; drop that entry once the local server is known to be working.
root@ns1:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
    address 10.0.0.21/24
    gateway 10.0.0.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 127.0.0.1 10.0.0.21 8.8.8.8
    dns-search ab.lab
root@ns1:~# hostname
ns1.ab.lab
root@ns1:~# hostnamectl
Static hostname: ns1.ab.lab
Icon name: computer-vm
Chassis: vm
Machine ID: 23347cec76ad435399dee326b64953ab
Boot ID: 668f4d51bbd94dd9bdea5f74b842ebf6
Virtualization: kvm
Operating System: Debian GNU/Linux 9 (stretch)
Kernel: Linux 4.9.0-4-amd64
Architecture: x86-64
root@ns1:~# cat /etc/hostname
ns1.ab.lab
root@ns1:~# cat /etc/hosts
127.0.0.1	localhost
10.0.0.21	ns1.ab.lab	ns1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Install the BIND server:
root@ns1:~# apt-get install bind9 dnsutils bind9-host bind9utils
Modify the '/etc/bind/named.conf.options' file as follows (back up the packaged copy first):
root@ns1:~# cp -av /etc/bind/named.conf.options /root/orig_files/
'/etc/bind/named.conf.options' -> '/root/orig_files/named.conf.options'
root@ns1:~# cat /etc/bind/named.conf.options
options {
	directory "/var/cache/bind";

	// Stock Debian hints, kept for reference: forwarders are only needed if
	// an upstream resolver must be used instead of the root servers, and the
	// CERT note (http://www.kb.cert.org/vuls/id/800113) covers the multi-port
	// firewall requirement for a recursive server.
	// forwarders {
	//	0.0.0.0;
	// };

	// -----------
	// Added by Ab
	// -----------
	// Authoritative-only at the global level. Recursion is switched back on
	// inside the "internal" view only (named.conf.internal-zones), so the
	// public-facing "external" view can never be used as an open resolver.
	// 'recursion' Info  -> http://www.zytrax.com/books/dns/ch7/queries.html#recursion
	// 'recursion query' -> http://www.zytrax.com/books/dns/ch2/index.html#recursive
	recursion no;

	// Global query ACL: this host itself ('localhost' = every address of this
	// machine) plus dmz1-gw.ab.lab (10.0.0.254), the gateway in front of the
	// Web, Middleware and Application tiers. A view may override it; the
	// "external" view opens it to 'any'.
	allow-query { localhost; 10.0.0.254; };

	// Zone transfers (AXFR/IXFR) only to this host and ns2.ab.lab (10.0.0.22),
	// the slave.
	// 'allow-transfer' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer
	// NOTE(review): this is a source-address ACL only. A TSIG key shared with
	// ns2 would authenticate the transfer and also lets the slave be matched
	// into a specific view (match-clients { key ...; }).
	allow-transfer { localhost; 10.0.0.22; };
	// ---------------
	// End of addition
	// ---------------

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    // conform to RFC1035

	// --------------
	// Modified by Ab
	// --------------
	// IPv6 is not used in this lab, so do not listen on it at all.
	// listen-on-v6 { any; };
	listen-on-v6 { none; };
	// -------------------
	// End of Modification
	// -------------------
};
Modify '/etc/bind/named.conf' file:
root@ns1:~# cp -av /etc/bind/named.conf /root/orig_files/
'/etc/bind/named.conf' -> '/root/orig_files/named.conf'
root@ns1:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

# --------------
# Modified by Ab
# --------------
# Once views are used, every zone must live inside a view, so the packaged
# default zones are no longer included here; each view below includes the
# file itself.
#include "/etc/bind/named.conf.default-zones";
# -------------------
# End of Modification
# -------------------

# -----------
# Added by Ab
# -----------
# Order matters: views are matched in the order they are read, so the
# restricted "internal" view must come before the catch-all "external" one.
# Web, Middleware and Application Tiers zones ("internal" view)
include "/etc/bind/named.conf.internal-zones";
# Public Tier zones ("external" view)
include "/etc/bind/named.conf.external-zones";
# ---------------
# End of addition
# ---------------
Create '/etc/bind/named.conf.internal-zones':
root@ns1:~# cat /etc/bind/named.conf.internal-zones
# -----------------------------------------------------------------
# Zone configuration file for Web, Middleware and Application Tiers
# -----------------------------------------------------------------
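view "internal" {
	# Clients served from this view; everything else falls through to the
	# "external" view, which named.conf includes after this one.
	# 'localhost' is the BIND built-in ACL matching every address of this
	# host (127.0.0.1 and 10.0.0.21), not just the loopback address.
	match-clients {
		localhost;
		10.0.0.254;
	};
	# NOTE(review): ns2.ab.lab (10.0.0.22) is not listed here, so its transfer
	# requests match the "external" view and the slave only ever replicates
	# the external copy of ab.lab. To replicate the internal zones, give ns2
	# a TSIG key and match it here with 'key <name>;' (and keep that key out
	# of the external view).

	# Recursion is disabled globally in named.conf.options; re-enable it for
	# internal clients only.
	recursion yes;
	# Same set as match-clients. Listing 127.0.0.1 alone (as originally done)
	# left queries this host sends to its own 10.0.0.21 address - the second
	# nameserver in /etc/resolv.conf - matched into this view via 'localhost'
	# but then refused recursion.
	# 'allow-recursion' -> http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion
	allow-recursion { localhost; 10.0.0.254; };

	# 'ab.lab' Internal FORWARD Zone (Web/Middleware/Application tier hosts)
	zone "ab.lab" {
		type master;
		file "/etc/bind/db.ab.lab-internal";
		# NO hosts are allowed to submit dynamic updates for master zones
		# 'allow-update' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
		allow-update { none; };
	};

	# '10.0.0.0/24' (Public Tier) Reverse Zone - same file as the external view
	zone "0.0.10.in-addr.arpa" {
		type master;
		file "/etc/bind/db.10.0.0";
		allow-update { none; };
	};

	# '172.16.11.0/24' (Web Tier) Reverse Zone
	zone "11.16.172.in-addr.arpa" {
		type master;
		file "/etc/bind/db.172.16.11";
		allow-update { none; };
	};

	# '192.168.20.0/24' (Middleware Tier) Reverse Zone
	zone "20.168.192.in-addr.arpa" {
		type master;
		file "/etc/bind/db.192.168.20";
		allow-update { none; };
	};

	# '192.168.21.0/24' (Application Tier) Reverse Zone
	zone "21.168.192.in-addr.arpa" {
		type master;
		file "/etc/bind/db.192.168.21";
		allow-update { none; };
	};

	# Root hints and localhost zones; every zone must be inside a view once
	# views are used, so the include was moved here from /etc/bind/named.conf.
	include "/etc/bind/named.conf.default-zones";
};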
Create "/etc/bind/named.conf.external-zones":
root@ns1:~# cat /etc/bind/named.conf.external-zones
# ---------------------------------------
# Zone configuration file for Public Tier
# ---------------------------------------
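view "external" {
	# Everyone not caught by the "internal" view above (the Public Tier and
	# anything beyond it).
	match-clients {
		any;
	};
	# Overrides the global allow-query (localhost + 10.0.0.254): the public
	# copy of ab.lab is meant to be answered for any client.
	allow-query {
		any;
	};
	# Pin authoritative-only behaviour in the public view itself instead of
	# relying on the global 'recursion no;' in named.conf.options, so a later
	# global change cannot turn this view into an open resolver.
	recursion no;

	# 'ab.lab' External FORWARD Zone (Public Tier names only)
	zone "ab.lab" {
		type master;
		file "/etc/bind/db.ab.lab-external";
		# NO hosts are allowed to submit dynamic updates for master zones
		# 'allow-update' -> http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
		allow-update { none; };
	};

	# '10.0.0.0/24' (Public Tier) Reverse Zone. Shared with the internal view;
	# db.10.0.0 only holds PTRs for ns1, ns2 and dmz1-gw, so nothing from the
	# inner tiers is exposed here.
	zone "0.0.10.in-addr.arpa" {
		type master;
		file "/etc/bind/db.10.0.0";
		allow-update { none; };
	};

	# Root hints and localhost zones; every zone must be inside a view once
	# views are used, so the include was moved here from /etc/bind/named.conf.
	include "/etc/bind/named.conf.default-zones";
};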
Create "/etc/bind/db.ab.lab-internal" file:
root@ns1:~# cat /etc/bind/db.ab.lab-internal
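;
; "ab.lab" INTERNAL FORWARD ZONE Records
; Served only through the "internal" view (named.conf.internal-zones); it
; carries the Web/Middleware/Application tier addresses that the external
; copy of the zone must not expose.
;
$TTL 60   ; short TTL for a lab; raise it once the records settle
@ IN SOA ns1.ab.lab. root.ab.lab. (
        2018040401 ; Serial - bump on every edit or ns2 will not refresh
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative Cache TTL

; Name Servers records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.

; ping ab.lab resolves 10.0.0.21
@ IN A 10.0.0.21

;
; A RECORDS
;
; Public Tier
ns1         IN A 10.0.0.21
ns2         IN A 10.0.0.22
; Web Tier
dmz1-gw     IN A 172.16.11.254
www1        IN A 172.16.11.11
; was 'dhcp-releay1' (typo); the PTR in db.172.16.11 uses 'dhcp-relay1'
dhcp-relay1 IN A 172.16.11.23
jumpstart   IN A 172.16.11.31
; Middleware Tier
dmz2-gw     IN A 192.168.20.254
app1        IN A 192.168.20.11
dhcp-relay2 IN A 192.168.20.21
; Application Tier
internal-gw IN A 192.168.21.254
db1         IN A 192.168.21.11
dhcp        IN A 192.168.21.21

; CNAME RECORDS
web1        IN CNAME www1.ab.lab.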
Create "/etc/bind/db.10.0.0" file:
root@ns1:~# cat /etc/bind/db.10.0.0
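;
; 10.0.0.0/24 Reverse zone records (Public Tier)
; Loaded by both the "internal" and the "external" view, so keep only
; public-tier hosts in here.
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
        2018040401 ; Serial - bump on every edit or ns2 will not refresh
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative Cache TTL

; Name Servers Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.
; Network name for the /24 itself
@ IN PTR ab.lab.
; The original '@ IN A 255.255.255.0' was dropped: a netmask is not a host
; address, and an apex A record in an in-addr.arpa zone only produces a
; bogus answer for A queries on the zone name.

; PTR RECORDS
254 IN PTR dmz1-gw.ab.lab.
21  IN PTR ns1.ab.lab.
22  IN PTR ns2.ab.lab.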
Create "/etc/bind/db.172.16.11" file:
root@ns1:~# cat /etc/bind/db.172.16.11
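;
; 172.16.11.0/24 Reverse zone records (Web Tier)
; Only loaded by the "internal" view.
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
        2018040401 ; Serial - bump on every edit or ns2 will not refresh
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative Cache TTL

; Name Servers Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.
; Network name for the /24 itself
@ IN PTR ab.lab.
; The original '@ IN A 255.255.255.0' was dropped: a netmask is not a host
; address, and an apex A record in an in-addr.arpa zone only produces a
; bogus answer for A queries on the zone name.

; PTR RECORDS
254 IN PTR dmz1-gw.ab.lab.
11  IN PTR www1.ab.lab.
23  IN PTR dhcp-relay1.ab.lab.
31  IN PTR jumpstart.ab.lab.
; presumably dmz2-gw's interface on this tier; the forward zone only lists
; its 192.168.20.254 address - verify
100 IN PTR dmz2-gw.ab.lab.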
Create "/etc/bind/db.192.168.20" file:
root@ns1:~# cat /etc/bind/db.192.168.20
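;
; 192.168.20.0/24 Reverse zone records (Middleware Tier)
; Only loaded by the "internal" view.
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
        2018040401 ; Serial - bump on every edit or ns2 will not refresh
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative Cache TTL

; Name Server Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.
; Network name for the /24 itself
@ IN PTR ab.lab.
; The original '@ IN A 255.255.255.0' was dropped: a netmask is not a host
; address, and an apex A record in an in-addr.arpa zone only produces a
; bogus answer for A queries on the zone name.

; PTR RECORDS
254 IN PTR dmz2-gw.ab.lab.
11  IN PTR app1.ab.lab.
21  IN PTR dhcp-relay2.ab.lab.
; presumably internal-gw's interface on this tier; the forward zone only
; lists its 192.168.21.254 address - verify
100 IN PTR internal-gw.ab.lab.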
Create "/etc/bind/db.192.168.21" file:
root@ns1:~# cat /etc/bind/db.192.168.21
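;
; 192.168.21.0/24 Reverse zone records (Application Tier)
; Only loaded by the "internal" view.
;
$TTL 60
@ IN SOA ns1.ab.lab. root.ab.lab. (
        2018040401 ; Serial - bump on every edit or ns2 will not refresh
        3600       ; Refresh
        1800       ; Retry
        604800     ; Expire
        86400 )    ; Negative Cache TTL

; Name Server Records
@ IN NS ns1.ab.lab.
@ IN NS ns2.ab.lab.
; Network name for the /24 itself
@ IN PTR ab.lab.
; The original '@ IN A 255.255.255.0' was dropped: a netmask is not a host
; address, and an apex A record in an in-addr.arpa zone only produces a
; bogus answer for A queries on the zone name.

; PTR RECORDS
254 IN PTR internal-gw.ab.lab.
11  IN PTR db1.ab.lab.
21  IN PTR dhcp.ab.lab.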
By default, iptables rules are empty and policies are ACCEPT:
root@ns1:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Adjust the iptables rules as follows (add the ACCEPT rules first, then flip the policies to DROP, so an SSH session used to do this is not cut off):
## Allow all "ESTABLISHED" and "RELATED" incoming packets: replies to flows this
## host started (its own recursive lookups, apt, ...) and related ICMP errors.
## '-m state' still works on Debian 9; '-m conntrack --ctstate' is the current form.
root@ns1:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow all packets for localhost.
## NOTE(review): this matches 127.0.0.1 -> 127.0.0.1 only. Traffic the host sends
## to its own 10.0.0.21 address also arrives on lo and is not covered by this rule
## (DNS to 10.0.0.21 still passes through the port-53 rules below); '-i lo' is the
## usual form if other local services are added later.
root@ns1:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
## Allow incoming DNS over TCP (zone transfers to ns2, truncated/large answers)
root@ns1:~# iptables -A INPUT -p tcp --dport 53 -d 10.0.0.21 -m state --state NEW -j ACCEPT
## Allow incoming DNS over UDP
root@ns1:~# iptables -A INPUT -p udp --dport 53 -d 10.0.0.21 -m state --state NEW -j ACCEPT
## TEMPORARY: allow SSH from any source until the jumpstart server exists.
## While present it shadows the jumpstart-only rule below. Remove it afterwards with
##   iptables -D INPUT -p tcp --dport 22 -d 10.0.0.21 -m state --state NEW -j ACCEPT
## and save the rule set again.
root@ns1:~# iptables -A INPUT -p tcp --dport 22 -d 10.0.0.21 -m state --state NEW -j ACCEPT
## Allow incoming SSH from 'jumpstart.ab.lab' (172.16.11.31) only, which reaches this
## network source-NATed to 10.0.0.31 - presumably by dmz1-gw (10.0.0.254); confirm.
root@ns1:~# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.31 -d 10.0.0.21 -m state --state NEW -j ACCEPT
## Default-deny for everything else. There is no ICMP echo rule, so ping to this host
## is dropped; ICMP errors belonging to existing flows are still accepted via RELATED.
## OUTPUT stays ACCEPT, which named needs for its outbound recursive queries.
root@ns1:~# iptables -P INPUT DROP
root@ns1:~# iptables -P FORWARD DROP
The resulting rule set should look like this:
root@ns1:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      450 28536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.21            tcp dpt:53 state NEW
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.21            udp dpt:53 state NEW
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.21            tcp dpt:22 state NEW
6        0     0 ACCEPT     tcp  --  *      *       10.0.0.31            10.0.0.21            tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 112 packets, 15340 bytes)
num   pkts bytes target     prot opt in     out     source               destination
root@ns1:~# iptables-save > /etc/iptables/rules.v4
This file is only reloaded at boot when the iptables-persistent (netfilter-persistent) package is installed, which is also what creates /etc/iptables; install it before running the command above, otherwise the redirect fails and the rules are gone after the next reboot.