Lab 1.1 Routing and DMZ - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki
Pre-Lab Architecture
Configuring rw01 (XUbuntu)
rw01 is a “road warrior” Linux laptop that sits outside of the organization's network. It will be used to test firewall defenses.
- Ensure Network Adapter is on the SEC-350 WAN
- Change Default password
- Add a new sudo user savannah
- Set your hostname
- Set the static IP (assigned to students by the WAN supervisor)

```
passwd
sudo adduser savannah
sudo usermod -aG sudo savannah
sudo hostnamectl set-hostname rw01-savannah
```
Configure the IP addresses with the nmtui interface or with commands:
- Edit a Connection > Wired Connection > Manual IPv4 Configuration
- Default Gateway and DNS: 10.0.17.2
- Address 10.0.17.13/24
The service name is NetworkManager (one word); `systemctl` will not find a unit called `Network Manager`:

```
sudo systemctl enable NetworkManager
sudo systemctl restart NetworkManager
```

> [!WARNING]
> Screenshot out of date, had to go back and fix the IP address to be 10.0.17.13/24, NOT 10.0.17.113/24 (that's the firewall).
Deliverable 1
Configuring fw01 (vyOS)
VyOS is a fully functional but console-based network appliance. In this enterprise, it will be used as a router and firewall. This lab sets up the router functionality.
VyOS is similar to Cisco in configuration style: configure, commit, save, and exit. You must save changes before rebooting or they will be lost.
Add and set adapters in vSphere
- Network Adapter 1: SEC-350-01-WAN
- Network Adapter 2: SEC-350-01-DMZ-savannah.ciak
- New Network: SEC0350-01-LAN-savannah.ciak
Setting the host name:

```
configure
set system host-name fw01-savannah
commit
save
exit
```

Setting a login password (replace `username` and `password` with your own; `commit` stores the password hashed, not in plaintext):

```
configure
set system login user username authentication plaintext-password password
commit
save
exit
```
Interface Assignment
If a DHCP configuration is present when `show interfaces` is run, enter configuration mode and delete it with the commands below:

```
configure
delete interfaces ethernet eth0 address dhcp
commit
save
exit
```
Set a Description and IP Address on Each Interface
```
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description SAVANNAH-DMZ
set interfaces ethernet eth2 description SAVANNAH-LAN
set interfaces ethernet eth0 address 10.0.17.113/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
```
Gateway and DNS
The SEC350-WAN interface on fw01 needs to be told how to get out to the internet. Set both the default gateway and the DNS server to the SEC350-Gateway firewall at 10.0.17.2 (these are `set` commands, so run them inside `configure`):

```
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
```
Deliverable 2
Reboot the system and test connectivity by pinging a website:
Configure web01 (Rocky Web Server)
web01-savannah is a Rocky Web Server that will be placed on the DMZ Network with the IP Address of 172.16.50.3/29.
- Change Network Adapter 1 to the DMZ Lan
web01-savannah Setup:
- Normal steps (network adapter, IP address, hostname, local admin (wheel) user savannah)
- Hostname web01-savannah
- Change default password(s)
- DNS/Gateway 172.16.50.2 (DMZ Interface)
- IPv4 172.16.50.3/29
Utilize nmtui to do the networking setup
- Previous Documentation
- Make sure to change the IPv4 configuration from automatic to manual
- The DMZ zone is a /29

```
passwd root # change root password
useradd savannah
passwd savannah
usermod -aG wheel savannah
```

Restart the network with `systemctl restart network`. After this command, when `ifconfig` is run, the new information will be available. (On Rocky 8 and later the legacy `network` service is not present and the equivalent is `systemctl restart NetworkManager`; if `ifconfig` is missing because net-tools is not installed, `ip a` shows the same information.)
- At this point the machine should be able to ping the DMZ Interface 172.16.50.2
- However, pinging outside of the DMZ zone will not work because fw01-savannah is not set up to translate IP addresses from the DMZ zone
Configuring NAT forwarding on fw01

```
configure
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit
save
```
Deliverable #3
web01-savannah should now be able to ping by IP address, but not by hostname yet:
Configuring fw01 for DNS forwarding
These are `set` commands, so run them inside `configure`. `allow-from` restricts the forwarder to the DMZ /29, so it is not an open resolver on the WAN side:

```
configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save
```
Deliverable #4
web01-savannah should now be able to ping by IP address and by hostname:
Configuring log01 (CentOS Log Server)
For now, the log01-savannah log server will be in the DMZ zone with an IP of 172.16.50.5/29
- Change Network Adapter 1 to the DMZ Lan
- Normal steps (network adapter, IP address, hostname, local admin (wheel) user savannah)
- Hostname log01-savannah
- Change default password(s)
- DNS/Gateway 172.16.50.2 (DMZ Interface)
- IPv4 172.16.50.5/29
Utilize nmtui to do the networking setup
- Previous Documentation
- Make sure to change the IPv4 configuration from automatic to manual
- The DMZ zone is a /29

```
passwd root # change root password
useradd savannah
passwd savannah
usermod -aG wheel savannah
```

Restart the network with `systemctl restart network` (or `systemctl restart NetworkManager` on releases without the legacy `network` service). After this command, when `ifconfig` is run, the new information will be available.
Deliverable #5
- A screenshot of the ifconfig followed by a successful ping to google.com from log01
Configuring httpd on web01
Make sure httpd is active and installed on web01-savannah.
- httpd is the same as Apache HTTP Server, an open-source web server developed by the Apache Software Foundation.
- Previous Lab: Simple Web Server and Page CentOS
Steps to install httpd and open 80/443 in the host firewall:

```
yum install -y httpd
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
firewall-cmd --query-port=80/tcp
firewall-cmd --query-port=443/tcp
systemctl start httpd
systemctl enable httpd
systemctl status httpd
```
Further Resource: https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-centos-7
Testing httpd on web01 from rw01
rw01's default gateway is 10.0.17.2, so we need to tell it that any address in your DMZ should route via your firewall's WAN interface.
We do this with a static route on rw01.
In this case, we are saying that anything addressed to the 172.16.50.0/29 network will go through the 10.0.17.113 router.
- On rw01-savannah, go to edit connections
- Edit connections > Wired connection 1 > IPv4 Settings > Routes > Add
- Add in the above information
- OK > Save
- Run `systemctl restart NetworkManager.service` to apply the configuration

rw01-savannah will not be able to reach web01-savannah's httpd web server at http://172.16.50.3 until this is done, because it is set to use 10.0.17.2 as the default gateway and needs the static route for the DMZ network (172.16.50.0/29) to go through fw01's WAN interface (10.0.17.113).

```
sudo netplan apply
```

Also on rw01, change the gateway to 10.0.17.140
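The static-route reasoning above, as an added example (not part of the original lab page): a longest-prefix-match lookup over rw01's and fw01's route tables built from the addresses on this page, showing why DMZ traffic leaves rw01 via 10.0.17.113 while everything else uses 10.0.17.2, and that the /29 only holds six usable hosts. The route tables are reconstructed from the page; "connected:ethN" entries are an assumed notation for directly attached networks.

```python
import ipaddress

# Routing tables as configured in this lab, as (destination network, next hop).
# A next hop of "connected:ethN" means the destination is directly attached.
RW01_ROUTES = [
    ("0.0.0.0/0", "10.0.17.2"),          # rw01 default gateway
    ("172.16.50.0/29", "10.0.17.113"),   # static route: DMZ via fw01's WAN address
]
FW01_ROUTES = [
    ("0.0.0.0/0", "10.0.17.2"),           # set protocols static route 0.0.0.0/0
    ("10.0.17.0/24", "connected:eth0"),   # SEC350-WAN
    ("172.16.50.0/29", "connected:eth1"), # DMZ
    ("172.16.150.0/24", "connected:eth2"),# LAN
]


def next_hop(routes, dst):
    """Longest-prefix match over a route list, the way the kernel picks a route."""
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_hop = network, hop
    return best_hop


def dmz_hosts():
    """Usable addresses in the /29 DMZ: six of them, .1 through .6."""
    return [str(h) for h in ipaddress.ip_network("172.16.50.0/29").hosts()]


if __name__ == "__main__":
    for dst in ("172.16.50.3", "8.8.8.8", "172.16.50.9"):
        print(f"rw01 -> {dst}: via {next_hop(RW01_ROUTES, dst)}")
    print("fw01 reaches rw01 at 10.0.17.13 via", next_hop(FW01_ROUTES, "10.0.17.13"))
    print("DMZ usable hosts:", dmz_hosts())
```

Note that 172.16.50.9 falls outside the /29 and is sent to the default gateway, which is why a typo in the route prefix silently breaks reachability instead of erroring.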
Deliverable 6
rw01-savannah successfully browsing the test page on my httpd web01 server.
Configuring rsyslog services on log01
log01 will be receiving syslog traffic from fw01 and web01. I need to allow UDP and TCP 514 for syslog traffic permanently.
> [!WARNING]
> rsyslog should be installed and running on log01 (`systemctl status rsyslog`). If rsyslog is not present, install it.

```
rpm -q rsyslog
sudo yum install -y rsyslog
sudo systemctl status rsyslog
sudo systemctl enable --now rsyslog
sudo firewall-cmd --list-all
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
```
> [!NOTE]
> Run the same firewall commands on web01-savannah

On log01, the /etc/rsyslog.conf file needs to be modified to receive syslog messages over ports 514 TCP and UDP. Uncomment the appropriate lines (the commented-out imudp and imtcp module-load and input lines, see below) and restart the rsyslog service.

```
sudo nano /etc/rsyslog.conf
sudo systemctl restart rsyslog
```

- Check that rsyslog is listening on the ports (`ss -tulpn | grep 514` works the same if netstat is not installed):

```
sudo netstat -tupan | grep 514
```
Configuring rsyslog client on web01
> [!WARNING]
> rsyslog may not be installed and running on web01. Use `systemctl status` to test. If it is not, it is easy to install with `yum install rsyslog`.

- Create the above file, `/etc/rsyslog.d/sec350.conf`, and restart rsyslog on web01

> [!IMPORTANT]
> The line in sec350.conf means: `user` = syslog facility, `notice` = syslog priority (this severity and anything more severe), `@` = UDP, `@@` would mean TCP, so we are only going to send over UDP, `172.16.50.5` = remote syslog server
Test rsyslog messaging from web01 to log01
On log01, `tail -f` the /var/log/messages file:

```
sudo tail -f /var/log/messages
```

On web01, use the local logger utility to send a syslog message:

```
sudo systemctl restart rsyslog
logger -t test TESTFROMWEB01TOLOG01
```
Deliverable 7
- Shows the test message arriving in log01’s /var/log/messages file from web01.
SSH Layered Session rw01->SSH->web01->SSH->log01
From rw01, use an SSH session to log in to web01; from that SSH session, log in to log01.