Tuesday, 3 April 2018

004- Create the first router

I am going to create the first router, which controls the Web Tier:



dmz1-gw.ab.lab:

root@dmz1-gw:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens3
iface ens3 inet static
 address 10.0.0.254/24
 gateway 10.0.0.1
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 10.0.0.1 8.8.8.8
 dns-search ab.lab

allow-hotplug ens4
iface ens4 inet static
 address 172.16.11.254/24
root@dmz1-gw:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens3
172.16.11.0     0.0.0.0         255.255.255.0   U     0      0        0 ens4

Enable kernel IP forwarding:
root@dmz1-gw:~# tail -n2 /etc/sysctl.conf 
# Allow Kernel Routing
net.ipv4.ip_forward = 1
root@dmz1-gw:~# sysctl -p
net.ipv4.ip_forward = 1

root@dmz1-gw:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

root@dmz1-gw:~# cat /proc/sys/net/ipv4/ip_forward
1

By default, the 'filter' table policy is ACCEPT and it has no rules:
root@dmz1-gw:~# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 76 packets, 5040 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 46 packets, 4544 bytes)
num   pkts bytes target     prot opt in     out     source               destination     

Adjust the "INPUT" chain as follows:
# Allow localhost communication (this matches only 127.0.0.1 as both source and destination, not the whole 127.0.0.0/8)
root@dmz1-gw:~# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Allow incoming ESTABLISHED and RELATED connections
root@dmz1-gw:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Temporary: allow SSH to 'dmz1.ab.lab' (10.0.0.254) from any source on ens3 until jumpstart.ab.lab is built, then remove this rule
root@dmz1-gw:~# iptables -A INPUT -i ens3 -p tcp --dport 22 -d 10.0.0.254 -m state --state NEW -j ACCEPT

# Allow SSH connections from 'jumpstart.ab.lab'
root@dmz1-gw:~# iptables -A INPUT -p tcp --dport 22 -s 172.16.11.31 -d 172.16.11.254 -m state --state NEW -j ACCEPT

root@dmz1-gw:~# iptables -P INPUT DROP

Adjust the "FORWARD" chain as follows:
# Allow return traffic (ESTABLISHED,RELATED) from the outside world back to the Web Tier, Middleware Tier and Application Tier
root@dmz1-gw:~# iptables -A FORWARD -i ens3 -o ens4 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow traffic from the Web Tier, Middleware Tier and Application Tier to the outside world (all new outbound connections are permitted)
root@dmz1-gw:~# iptables -A FORWARD -i ens4 -o ens3 -j ACCEPT
root@dmz1-gw:~# iptables -N FORWARD_WEB_TIER

# Send all remaining FORWARD packets to the Web Tier chain
root@dmz1-gw:~# iptables -A FORWARD -j FORWARD_WEB_TIER

# Allow new SSH connections from the outside (ens3) to jumpstart.ab.lab
root@dmz1-gw:~# iptables -A FORWARD_WEB_TIER -i ens3 -o ens4 -p tcp --dport 22 -d 172.16.11.31 -m state --state NEW -j ACCEPT
root@dmz1-gw:~# iptables -P FORWARD DROP

The filter table should now look like this (rules added with iptables are not persistent across a reboot unless saved, e.g. with iptables-save):
root@dmz1-gw:~# iptables -nvL --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       127.0.0.1            127.0.0.1           
2     1129 69144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  ens3   *       0.0.0.0/0            10.0.0.254           tcp dpt:22 state NEW
4        0     0 ACCEPT     tcp  --  *      *       172.16.11.31         172.16.11.254        tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  ens3   ens4    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  ens4   ens3    0.0.0.0/0            0.0.0.0/0           
3        0     0 FORWARD_WEB_TIER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 153 packets, 22536 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_WEB_TIER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  ens3   ens4    0.0.0.0/0            172.16.11.31         tcp dpt:22 state NEW

By default, the nat table is empty:
root@dmz1-gw:~# iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 3 packets, 604 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3 packets, 604 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19 packets, 1369 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 19 packets, 1369 bytes)
num   pkts bytes target     prot opt in     out     source               destination     

Adjust the nat table as follows:
# SNAT communications from the Middleware Tier and Application Tier (matched here by source 172.16.11.100)
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.100 -j SNAT --to-source 10.0.0.254 

# SNAT packets from www1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.11 -j SNAT --to-source 10.0.0.254 

# SNAT packets from ns1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.21 -j SNAT --to-source 10.0.0.254 

# SNAT packets from ns2.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.22 -j SNAT --to-source 10.0.0.254 

# SNAT packets from jumpstart.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.31 -j SNAT --to-source 10.0.0.254 

# SNAT packets from dhcp-relay1.ab.lab
root@dmz1-gw:~# iptables -t nat -A POSTROUTING -o ens3 -s 172.16.11.23 -j SNAT --to-source 10.0.0.254 

The nat table should now look like this:
root@dmz1-gw:~# iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 SNAT       all  --  *      ens3    172.16.11.100        0.0.0.0/0            to:10.0.0.254
2        0     0 SNAT       all  --  *      ens3    172.16.11.11         0.0.0.0/0            to:10.0.0.254
3        0     0 SNAT       all  --  *      ens3    172.16.11.21         0.0.0.0/0            to:10.0.0.254
4        0     0 SNAT       all  --  *      ens3    172.16.11.22         0.0.0.0/0            to:10.0.0.254
5        0     0 SNAT       all  --  *      ens3    172.16.11.31         0.0.0.0/0            to:10.0.0.254
6        0     0 SNAT       all  --  *      ens3    172.16.11.23         0.0.0.0/0            to:10.0.0.254
