Category:I802 Firewalls and VPN IPSec (2017): Difference between revisions
(15 intermediate revisions by 3 users not shown) | |||
Line 8: | Line 8: | ||
To register to this course send your SSH public key to Lauri and state which service you want to configure. | To register to this course send your SSH public key to Lauri and state which service you want to configure. | ||
Grading bot is at http://193.40.244.178/static/bot.html | |||
==Scenario== | ==Scenario== | ||
Line 24: | Line 26: | ||
* IPv4 address: 193.40.244.129-188 | * IPv4 address: 193.40.244.129-188 | ||
* Subnet: /26 | * Subnet: /26 | ||
* Gateway: 193.40.244. | * Gateway: 193.40.244.189 | ||
* DNS: 8.8.8.8 | * DNS: 8.8.8.8 | ||
That network is physically routed to 413-6-16 port in room 413. | |||
We have total of about 264GB of RAM and couple of terabytes of SSD storage: | We have total of about 264GB of RAM and couple of terabytes of SSD storage: | ||
Line 35: | Line 39: | ||
* Frank's box DELL 16GB, 2x 256GB SSD, 6 NIC (hosts 180-185) | * Frank's box DELL 16GB, 2x 256GB SSD, 6 NIC (hosts 180-185) | ||
* Another Sun box with 24G of RAM, dying harddisks | * Another Sun box with 24G of RAM, dying harddisks | ||
* Reserved addresses 186-188 | |||
NB! Replace BIOS batteries; replace thermal paste | NB! Replace BIOS batteries; replace thermal paste | ||
Line 72: | Line 77: | ||
* ns1.momcorp.eu - Primary Bind9 installation, later also add DNSSEC. Erik J | * ns1.momcorp.eu - Primary Bind9 installation, later also add DNSSEC. Erik J | ||
* ns2.momcorp.eu - Secondary Bind9 installation in another physical host. ??? | * ns2.momcorp.eu - Secondary Bind9 installation in another physical host. ??? | ||
* git.momcorp.eu - Gogs installation. | * git.momcorp.eu - Gogs installation. Farhan | ||
* mon.momcorp.eu - Nagios monitoring. Nika | * mon.momcorp.eu - Nagios monitoring. Nika | ||
* mail.momcorp.eu - Mailserver with Postfix (postfw, greylisting, dkim, spf, setup secondary mx), later with AD integration if exchange won't be used. Andris | * mail.momcorp.eu - Mailserver with Postfix (postfw, greylisting, dkim, spf, setup secondary mx), later with AD integration if exchange won't be used. Andris | ||
* ca.momcorp.eu - Java servlet container, EJBCA installation for certificate management. | * ca.momcorp.eu - Java servlet container, EJBCA installation for certificate management. Masaki | ||
* nas.momcorp.eu - Samba fileserver. Hindrek | * nas.momcorp.eu - Samba fileserver. Hindrek | ||
* log.momcorp.eu - Graylog or similar for central logging. Kaspar, Sten-Erik | * log.momcorp.eu - Graylog or similar for central logging. Kaspar, Sten-Erik | ||
Line 103: | Line 108: | ||
* 7. sept - Intro, virtualization, containers etc. Relevant story [https://lauri.xn--vsandi-pxa.com/lan/virtualization.html here] | * 7. sept - Intro, virtualization, containers etc. Relevant story [https://lauri.xn--vsandi-pxa.com/lan/virtualization.html here] | ||
* 14. sept - Network topology | * 14. sept - Network topology, bridges, tagging, trunking, subnetting, LAN, WAN | ||
* 21. sept - iptables, ebtables, packet forwarding, DNAT, SNAT, routing tables, empheral ports, listening ports, slides [https://docs.google.com/presentation/d/1XMISOg88BJ0Dy8o3r8ZL9cxFT0oZZKDqPZ2EaWJRqFQ/edit?usp=sharing here] | |||
* 28. sept - X.509 certificates, certificate authority, TLS, symmetric, asymmetric, keyexchange, Let's Encrypt, relevant slides [https://docs.google.com/presentation/d/1kqTyhhUu5CfwODmOTIC7odhlYfeEeJALTd4RX7XhPLE/edit?usp=sharing here] | |||
* 30. nov - [https://docs.google.com/presentation/d/1aXtreUS2YD9vlsngVUSr_ZaXdrQv37zCRtc51TSGjPI/edit?usp=sharing AD auth] | |||
Order to be determined: | Order to be determined: | ||
* iptables, | * OpenVPN | ||
* | * IPSec | ||
* TBD, there are a lot of topics to discuss | |||
==Firewall rules== | |||
You can load these rules by running iptables-restore command, pasting the rules to the terminal and pressing Ctrl-D. | |||
To make rules persistent on your box install netfilter-persistent package, the rules will be stored at /etc/iptables/rules.v4 | |||
<syntaxhighlight lang="iptables"> | |||
*raw | |||
:PREROUTING ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
COMMIT | |||
*mangle | |||
:PREROUTING ACCEPT [0:0] | |||
:INPUT ACCEPT [0:0] | |||
:FORWARD ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
COMMIT | |||
*nat | |||
:PREROUTING ACCEPT [0:0] | |||
:INPUT ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
:POSTROUTING ACCEPT [0:0] | |||
-A POSTROUTING -o eth1 -m comment --comment "Hide VPN addresses from LAN" -j MASQUERADE | |||
COMMIT | |||
*filter | |||
:INPUT DROP [0:0] | |||
:FORWARD DROP [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT | |||
-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT | |||
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT | |||
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT | |||
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT | |||
-A INPUT -p tcp -m tcp --dport 5666 -m comment --comment "Allow Nika\'s Monitoring" -j ACCEPT | |||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT | |||
-A FORWARD -i tun0 -o eth1 -m comment --comment "Allow from VPN to LAN" -j ACCEPT | |||
COMMIT | |||
</syntaxhighlight> |
Latest revision as of 17:11, 11 December 2017
Firewalls and VPN/IPSec
General information
ECTS: 4
Lecturer: Lauri Võsandi
To register to this course send your SSH public key to Lauri and state which service you want to configure.
Grading bot is at http://193.40.244.178/static/bot.html
Scenario
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png
Our virtual company's story is based on Mom's Friendly Robot Company.
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.
Hardware
School's infra provides with public subnet for 62 hosts:
- IPv4 address: 193.40.244.129-188
- Subnet: /26
- Gateway: 193.40.244.189
- DNS: 8.8.8.8
That network is physically routed to 413-6-16 port in room 413.
We have total of about 264GB of RAM and couple of terabytes of SSD storage:
- Marek's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s (hosts 130-139)
- Madis' box HP Proliant G5, 4x quadcore Opteron, 64GB RAM, 2 NIC-s (hosts 140-149)
- Erik's box Sun 32GB, 2x 256GB SSD (hosts 155-159)
- Lauri's box HP Proliant G5 2x quadcore Xeon, 64G RAM, 2 NIC-s, 4x 250G SSD (hosts 160-179)
- Frank's box DELL 16GB, 2x 256GB SSD, 6 NIC (hosts 180-185)
- Another Sun box with 24G of RAM, dying harddisks
- Reserved addresses 186-188
NB! Replace BIOS batteries; replace thermal paste
Grading
If you don't know what to do pick a topic from the services list below. Send your SSH public key to Lauri and state which service you want to take care of.
Collect 100p in total to pass the course, note that there are opportunities to collect much more points in total:
- Get the service up and running (15p)
- Configure Let's Encrypt certificates for your service if applicable (15p)
- Add your service to monitoring at mon.momcorp.eu (15p)
- Enable log forwarding to log.momcorp.eu, if applicable configure auditing for your service (15p)
- Configure your service to send e-mails (mail.momcorp.eu) if applicable (15p)
- Keep the service up and running through the semester (up to -20p)
- Keep the bad guys out from your servers (up to -30p)
- Have a disaster recovery plan (up to -20p)
- Configure layer3 firewall (15p)
- Configure application firewall(s) if applicable
- Configure your laptop to connect to intranet using OpenVPN and IPSec (15p)
- Configure your mobile device to connect to intranet using OpenVPN or IPSec (15p)
- Configure your service to use authentication from AD (20p)
We will start with services facing the public internet, see what's the worst that can happen in that case and later migrate some services to intranet only. Some services will retain connectivity to public internet due to their nature (eg OwnCloud, mailserver) and some services will be available only in the intranet (eg fileserver)
Services
To support our virtual company in everyday business we need to provide them with a variety of services:
- www.momcorp.eu - Install webserver/load balancer and create a homepage for the company and link to remaining sites. Olusiji
- shop.momcorp.eu - Install Magento and add some fictive products like dark matter and neutron star. Sander
- wiki.momcorp.eu - Install MediaWiki, later integrate with AD. Peep
- blog.momcorp.eu - Install WordPress, later integrate with AD. Steven
- chat.momcorp.eu - Install IRC server, provide multiple channels for developers. Install some web based software for customer helldesk. Ardi
- ns1.momcorp.eu - Primary Bind9 installation, later also add DNSSEC. Erik J
- ns2.momcorp.eu - Secondary Bind9 installation in another physical host. ???
- git.momcorp.eu - Gogs installation. Farhan
- mon.momcorp.eu - Nagios monitoring. Nika
- mail.momcorp.eu - Mailserver with Postfix (postfw, greylisting, dkim, spf, setup secondary mx), later with AD integration if exchange won't be used. Andris
- ca.momcorp.eu - Java servlet container, EJBCA installation for certificate management. Masaki
- nas.momcorp.eu - Samba fileserver. Hindrek
- log.momcorp.eu - Graylog or similar for central logging. Kaspar, Sten-Erik
- vpn.momcorp.eu - OpenVPN gateway. Moira
- cs.momcorp.eu - Teamspeak and/or gaming server for entertainment. Christopher
Additionally for each physical box listed under Hardware we could set up:
- Person responsible for the hypervisor on that box
- Virtual machine with router OS - Mikrotik RouterOS, Vyatta, pfsense or just vanilla Debian with shell scripts
Other topics:
- Mikus - Remote management: Puppet master, DSC, postfix with kerberos (and AD?)
- Strongswan gateway
- OpenVPN gateway, later AD integration
- Exchange
- failover/high availability (heartbeat)
- db clusters/shards/replication (mysql/mariadb)
- clustered filesystems/servers (clvm, corosync, fenced, gfs)
- web caches (varnish, squid, nginx)
- load balancing (haproxy, nginx, simple roundrobin)
Lectures
Following lectures are planned:
- 7. sept - Intro, virtualization, containers etc. Relevant story here
- 14. sept - Network topology, bridges, tagging, trunking, subnetting, LAN, WAN
- 21. sept - iptables, ebtables, packet forwarding, DNAT, SNAT, routing tables, empheral ports, listening ports, slides here
- 28. sept - X.509 certificates, certificate authority, TLS, symmetric, asymmetric, keyexchange, Let's Encrypt, relevant slides here
- 30. nov - AD auth
Order to be determined:
- OpenVPN
- IPSec
- TBD, there are a lot of topics to discuss
Firewall rules
You can load these rules by running iptables-restore command, pasting the rules to the terminal and pressing Ctrl-D.
To make rules persistent on your box install netfilter-persistent package, the rules will be stored at /etc/iptables/rules.v4
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -m comment --comment "Hide VPN addresses from LAN" -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A INPUT -i eth1 -m comment --comment "Allow traffic from LAN" -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m comment --comment "Allow loopback" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow ping" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -m comment --comment "Allow Nika\'s Monitoring" -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow returning packets" -j ACCEPT
-A FORWARD -i tun0 -o eth1 -m comment --comment "Allow from VPN to LAN" -j ACCEPT
COMMIT
This category currently contains no pages or media.