Port Forwarding & Jump Box (SEC 350) - Chromosom3/TechNotes GitHub Wiki
Introduction
For this lab we will be removing the static routes on our road warrior machine. From there we will configure a jump box on our network that we can reach via port forwarding from outside the network.
VyOS Port Forwarding
We will be adding some NAT destination rules to allow access to the jump box. While we are setting these up we will also set up port forwarding for the web server, since the road warrior machine will no longer know how to reach the web01 host once its static routes are gone. Section 1 shows the port forwarding rule for the web server. We also want to update our previous rule that allowed SSH to the web server from the management box: we want the management box to be able to SSH to all DMZ servers, so section 2 drops the destination address from that rule. Section 3 shows the NAT port forwarding rule that sends SSH connections to the jump box. Finally, a NAT rule on its own is not enough; we need a firewall rule that accepts the SSH connection arriving on the WAN interface, and section 4 shows this.
# Section 1
configure
set nat destination rule 10 description "WAN HTTP to WEB01"
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 172.16.50.3
set nat destination rule 10 translation port 80
commit
save
# Section 2
configure
delete firewall name LAN-to-DMZ rule 20 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 20 description "Allow SSH access from MGMT01-dylan"
commit
save
# Section 3
configure
set nat destination rule 20 description "WAN to SSH on jump01"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 22
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 172.16.50.4
set nat destination rule 20 translation port 22
commit
save
# Section 4
configure
set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 20 destination port 22
set firewall name WAN-to-DMZ rule 20 protocol tcp
set firewall name WAN-to-DMZ rule 20 description "Allow WAN access to JUMP01 SSH"
commit
save
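The point of section 4 is easy to forget: a destination NAT rule only rewrites the packet, and the WAN-to-DMZ ruleset still has to accept it. The script below is an added example (not part of the wiki or of VyOS) that parses the "set" lines from sections 1, 3 and 4 and reports every DNAT rule that has no matching accept rule. Run against just the lines shown on this page it flags rule 10, because the WAN-to-DMZ accept rule for HTTP to web01 is not shown here; ASSUMED_HTTP_RULE is a constructed stand-in for that earlier rule.

```python
"""Cross-check VyOS 'set' commands: every 'nat destination' rule that forwards
WAN traffic into the DMZ needs a matching accept rule in the WAN-to-DMZ
ruleset, otherwise the forwarded packets are dropped (section 3 without
section 4). Added example; the sample input is the page's own commands."""
import shlex
from collections import defaultdict

# Sections 1, 3 and 4 from the page (constructed sample input).
PAGE_CONFIG = """
set nat destination rule 10 description "WAN HTTP to WEB01"
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 172.16.50.3
set nat destination rule 10 translation port 80
set nat destination rule 20 description "WAN to SSH on jump01"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 22
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 172.16.50.4
set nat destination rule 20 translation port 22
set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 20 destination port 22
set firewall name WAN-to-DMZ rule 20 protocol tcp
set firewall name WAN-to-DMZ rule 20 description "Allow WAN access to JUMP01 SSH"
"""

# Assumed earlier-lab rule allowing HTTP to web01 (not shown on the page).
ASSUMED_HTTP_RULE = """
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
"""


def parse_set_lines(text):
    """Return (nat_rules, firewall_rulesets) as nested dicts keyed by rule id."""
    nat = defaultdict(dict)
    fw = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok or tok[0] != "set":
            continue  # configure/commit/save/comment/delete lines
        if tok[1:4] == ["nat", "destination", "rule"] and len(tok) > 6:
            nat[tok[4]][" ".join(tok[5:-1])] = tok[-1]
        elif tok[1:3] == ["firewall", "name"] and len(tok) > 7 and tok[4] == "rule":
            fw[tok[3]][tok[5]][" ".join(tok[6:-1])] = tok[-1]
    return nat, fw


def uncovered_forwards(text, ruleset="WAN-to-DMZ"):
    """List (nat_rule_id, proto, 'addr:port') for DNAT rules with no accept rule."""
    nat, fw = parse_set_lines(text)
    missing = []
    for rid, rule in sorted(nat.items(), key=lambda kv: int(kv[0])):
        addr = rule.get("translation address")
        # VyOS keeps the original port when no translation port is given.
        port = rule.get("translation port", rule.get("destination port"))
        proto = rule.get("protocol", "all")
        covered = any(
            f.get("action") == "accept"
            and f.get("destination address") == addr
            and f.get("destination port") == port
            # a firewall rule with no protocol matches every protocol
            and f.get("protocol", proto) == proto
            for f in fw.get(ruleset, {}).values()
        )
        if not covered:
            missing.append((rid, proto, f"{addr}:{port}"))
    return missing


if __name__ == "__main__":
    for rid, proto, target in uncovered_forwards(PAGE_CONFIG):
        print(f"DNAT rule {rid} forwards {proto} to {target} "
              f"but WAN-to-DMZ has no matching accept rule")
```

The match is exact on address and port; a firewall rule written against a subnet or a port range would need a range-aware comparison, which this example leaves out.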
Updated Management SSH Rule:
Ubuntu Jump Box Configuration
In this lab the jump box is running Ubuntu Server, which uses netplan for networking. We need to set a static IP on the server, so the netplan configuration has to be adjusted. Steps to do this have already been provided in this wiki entry. That being said, I have included the configuration running on this specific server below. Note that this box is on the DMZ (172.16.50.0/29) network.
hostnamectl set-hostname jump01-dylan
cd /etc/netplan/
sudo vi 00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens160:
      dhcp4: false
      addresses: [172.16.50.4/29]
      gateway4: 172.16.50.2
      nameservers:
        search: [dylan.local]
        addresses: [172.16.200.11,1.1.1.1]
  version: 2
sudo netplan apply
ip a
Found a fun thing: :w !sudo tee % in vim writes the current buffer through sudo, so the file is saved as root even if you opened it without sudo.
Now that the system is networked we should secure our accounts. First I changed the champuser account's password. Default credentials are bad! After that I created a new user with the command shown below.
sudo useradd -m -d /home/dylan -k /etc/skel/ -s /bin/bash dylan
After creating the user account for remote access we need to add SSH keys, because we will be using key-based authentication for remote access. The following commands show how to set up the keys. Note that my public key for this class is hosted publicly on GitHub; in other situations the key will need to be imported differently.
sudo su - dylan
mkdir -m 700 .ssh/
# -f makes curl fail instead of writing an error page into authorized_keys
curl -f https://raw.githubusercontent.com/Chromosom3/TechNotes/main/sec350/rw01-dylan.pub > .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
# Back to the sudo-capable account; dylan has no sudo rights
exit
# Make sure that PubkeyAuthentication is uncommented and set to yes
sudo vi /etc/ssh/sshd_config
# Restart the service to apply changes
sudo systemctl restart sshd
Now that our remote access user account is created, let's make an admin user for managing this jump box. Note that the remote access user account does not have sudo privileges on this system. The commands below show how to add a sudo user to the system.
sudo useradd -m -s /bin/bash dylan-adm
sudo usermod -aG sudo dylan-adm
sudo passwd dylan-adm
# If you accidentally set a password on the key-auth account, remove it with: sudo passwd -d dylan
The last thing we will want to do on the jump box is configure logging. Execute the following commands to achieve this.
# Create file
sudo vi /etc/rsyslog.d/sec350.conf
# File Content
auth,authpriv.* @172.16.200.10:1514;RSYSLOG_SyslogProtocol23Format
# Restart service to apply changes
sudo systemctl restart rsyslog
Road Warrior
On the rw01-dylan system we will need to edit the known_hosts file. This is because the IP we use to SSH to the jump box is actually the firewall's IP (due to port forwarding). The system already has the firewall's host key stored for that IP and will think something is wrong, since the identity no longer matches. Run the following command to remove the old entry from the known_hosts file:
ssh-keygen -f "/home/dylan/.ssh/known_hosts" -R "10.0.17.137"
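That warning is the host-key check doing its job: the same address now answers with a different key. Before accepting the new key on rw01, compare it with the fingerprint read on the jump box itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on jump01). The script below is an added example (not from the wiki or from OpenSSH) of the matching that ssh-keygen -R performs: known_hosts entries can be plain or hashed (|1|salt|hmac, an HMAC-SHA1 of the hostname keyed with the salt), so a host must be checked against both forms. The key material and the salt are constructed.

```python
"""Match and remove known_hosts entries for one host, the operation the page's
'ssh-keygen -R' command performs, handling both plain and hashed entries.
Added example; key material and salt are constructed."""
import base64
import hashlib
import hmac

FW_WAN_IP = "10.0.17.137"  # address rw01 connects to (from the page)
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialNotARealKey="  # constructed
SALT = b"\x01" * 20  # constructed; real salts are 20 random bytes


def hash_host(host, salt):
    """Base64 HMAC-SHA1 of the hostname, as stored in a hashed known_hosts entry."""
    return base64.b64encode(hmac.new(salt, host.encode(), hashlib.sha1).digest()).decode()


def hashed_pattern(host, salt):
    """Build the |1|salt|hmac host field that 'HashKnownHosts yes' would write."""
    return f"|1|{base64.b64encode(salt).decode()}|{hash_host(host, salt)}"


def host_matches(pattern, host):
    """True if one known_hosts host pattern refers to host (plain or hashed).
    Wildcard and '!' negation patterns are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest = pattern.split("|")
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), digest)
    return pattern == host


def remove_host(known_hosts, host):
    """Drop every entry naming host, like 'ssh-keygen -R'; returns (kept, removed)."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        # the host field is a comma-separated list of patterns
        if any(host_matches(p, host) for p in fields[0].split(",")):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


# Constructed known_hosts: the firewall's key stored plain and hashed, plus web01.
KNOWN_HOSTS = "\n".join([
    f"{FW_WAN_IP} ssh-ed25519 {FAKE_KEY}",
    f"{hashed_pattern(FW_WAN_IP, SALT)} ssh-ed25519 {FAKE_KEY}",
    f"172.16.50.3 ssh-ed25519 {FAKE_KEY}",
])

if __name__ == "__main__":
    kept, removed = remove_host(KNOWN_HOSTS, FW_WAN_IP)
    print(f"removed {len(removed)} entries for {FW_WAN_IP}, {len(kept)} kept")
```

Entries for a non-standard port are stored as [host]:port and are matched as a whole, so had the forward used a port other than 22 the jump box would have landed in a separate entry instead of colliding with the firewall's.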