pyth0n3

[Case Study]Host isolation

We have the following network:

                    +++++++++++
                    + Router  +  192.168.123.111 (blade)
                    +++++++++++
                         |
                         |            ****************
                         |            *    ZONE1     *
                         |            *  Solaris 10  *
     192.168.123.0/24 ---+----------- *   SPARC 64   *  192.168.123.110
     (Subnet1)           |            *    Router    *  (BLADE)
                         |            ****************
                      ---------
                      -  NAT  -
                      ---------
                         |
     Subnet1 Address          | 192.168.123.0
     Netmask Address          | 255.255.255.0
     IP Pool Starting Address | 100
     IP Pool Ending Address   | 200
     _________________________|__________________________________
       |                 |                |                  |
   ------------      ----------     -------------      ------------
   -  Debian  -      - Fedora -     -  FreeBSD  -      -  Centos  -
   ------------      ----------     -------------      ------------
   192.168.123.100     DHCP        192.168.123.107    192.168.123.105

We will isolate the CentOS server 192.168.123.105 in a separate subnet so that it cannot be reached by the other servers in Subnet1. Optionally, we will leave SSH access to it open only from the external network (Internet).

1. We will create a router on the server (Blade 192.168.123.110) with a new subnet, 10.0.0.0

We will create the following class A subnet2:

Network class A

IP Address 10.0.0.1

Subnet Mask 255.255.255.252

Broadcast 10.0.0.3

Host range 10.0.0.1 (Router), 10.0.0.2 Host CentOS (redman)

Blade Solaris 10 settings (Router)

We will allocate a physical interface for subnet2

Show interfaces


[blade]# dladm show-dev | sort -n | awk '{ print $1,$2,$3,$7,$8 }'
bge0 link: up duplex: full
bge1 link: up duplex: full
qfe4 link: down duplex: unknown
qfe5 link: down duplex: unknown
qfe6 link: down duplex: unknown
qfe7 link: up duplex: full

At the moment we have 3 network interfaces that are up:

bge0 link: up duplex: full

bge1 link: up duplex: full

qfe7 link: up duplex: full

We will use the following:

qfe7 -> external interface connected directly to the Internet

bge1 -> internal interface on which we will create the subnet

We will enable IP forwarding and routing on the system


routeadm -u -e ipv4-forwarding
routeadm -u -e ipv4-routing

We will enable ipfilter


svcadm -v enable svc:/network/pfil:default
svcadm -v enable svc:/network/ipfilter:default
svcadm -v enable svc:/system/rmtmpfiles:default

We will add the interfaces to the firewall configuration file


echo "bge -1 0 pfil" >> /etc/ipf/pfil.ap
echo "qfe -1 0 pfil" >> /etc/ipf/pfil.ap

To verify that IP forwarding and routing have been set correctly:

[blade]# routeadm | head
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

[blade]#

Configuring the interface for the subnet

On Solaris the interface has to be plumbed before an address can be assigned to it, so plumb comes first; /etc/hostname.bge1 and /etc/netmasks make the setting persistent across reboots.

ifconfig bge1 plumb && ifconfig bge1 10.0.0.1 netmask 255.255.255.252 broadcast 10.0.0.3 up
echo 10.0.0.1 > /etc/hostname.bge1
echo "10.0.0.0 255.255.255.252" >> /etc/netmasks


[blade]# ifconfig bge1
bge1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 10.0.0.1 netmask fffffffc broadcast 10.0.0.3
        ether x:xx:xx:xx:xx:xx
[blade]#

Restart with init


init 6

Configuring the redman server (CentOS)

We will configure the server's network interface


ifconfig eth2 10.0.0.2 netmask 255.255.255.252 broadcast 10.0.0.3
route add default gw 10.0.0.1 eth2
ifconfig eth2 up


[root@redman ~]# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx
          inet addr:10.0.0.2  Bcast:10.0.0.3  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236 errors:1 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:36660 (35.8 KiB)  TX bytes:22175 (21.6 KiB)

[root@redman ~]#

Note:

The settings on CentOS will not survive a reboot.

To make them persistent, an ifcfg file would have to be created under /etc/sysconfig/network-scripts, which I will not do because I do not need static settings.

We will create a rule on the Router (BLADE Solaris 10) to allow SSH to redman (CentOS).

Here we will do port forwarding:


echo 'rdr qfe7 192.168.123.111 port 4444 -> 10.0.0.2 port 22' >> /etc/ipf/ipnat.conf
ipnat -C -f /etc/ipf/ipnat.conf

To verify the NAT rules:


[blade]# ipnat -l
List of active MAP/Redirect filters:
rdr qfe7 192.168.123.111/32 port 4444 -> 10.0.0.2 port 22 tcp

List of active sessions:
[blade]#
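As an added example (not part of the original post), the following Python script models the two mechanisms this case study relies on: the /30 arithmetic of subnet2 defined earlier, and the ipnat rdr rule just loaded on the blade. It parses rdr lines in the exact form used above (the second rule in the sample file is a constructed extra, not from the post), then applies them to constructed packets to show which traffic is translated to redman's port 22 and which is left untouched. Interface names, addresses and ports are taken from the post; the packet sources are made up.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample ipnat.conf: the first line is the rule from the case study,
# the second is a hypothetical extra entry so the parser sees more than one rule.
IPNAT_CONF = """\
rdr qfe7 192.168.123.111 port 4444 -> 10.0.0.2 port 22
rdr qfe7 192.168.123.111 port 8443 -> 10.0.0.2 port 443 tcp
"""

# Only the "rdr <if> <ext>[/len] port <p> -> <int> port <p> [proto]" form is handled.
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>[\d.]+)(?:/(?P<plen>\d+))?\s+port\s+(?P<eport>\d+)"
    r"\s+->\s+(?P<iip>[\d.]+)\s+port\s+(?P<iport>\d+)(?:\s+(?P<proto>tcp|udp))?\s*$"
)

SUBNET1 = ipaddress.IPv4Network("192.168.123.0/24")
SUBNET2 = ipaddress.IPv4Network("10.0.0.0/30")


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    ext: ipaddress.IPv4Network      # external address the rule matches (/32 by default)
    ext_port: int
    int_ip: ipaddress.IPv4Address   # internal host the packet is redirected to
    int_port: int
    proto: str                      # ipnat defaults rdr rules to tcp, as `ipnat -l` shows


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_ipnat(text):
    """Parse rdr lines from an ipnat.conf-style text into RdrRule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ipnat line: {line!r}")
        plen = m["plen"] or "32"
        rules.append(RdrRule(
            m["ifname"],
            ipaddress.IPv4Network(f"{m['ext']}/{plen}"),
            int(m["eport"]),
            ipaddress.IPv4Address(m["iip"]),
            int(m["iport"]),
            m["proto"] or "tcp",
        ))
    return rules


def apply_rdr(rules, pkt):
    """Return the (dst, dport) a packet carries after rdr processing on the blade.

    A rule only fires for packets arriving on its interface, so the same
    destination seen on bge0 (Subnet1 side) is not redirected.
    """
    for r in rules:
        if (pkt.in_iface == r.ifname and pkt.proto == r.proto
                and ipaddress.IPv4Address(pkt.dst) in r.ext and pkt.dport == r.ext_port):
            return str(r.int_ip), r.int_port
    return pkt.dst, pkt.dport


def subnet_facts(net):
    """Netmask, broadcast and usable host range for a network, as in the subnet2 table."""
    hosts = list(net.hosts())
    return {
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def on_link(ip, net):
    """True when a host address is directly reachable inside the given subnet."""
    return ipaddress.IPv4Address(ip) in net


if __name__ == "__main__":
    rules = parse_ipnat(IPNAT_CONF)
    print("subnet2:", subnet_facts(SUBNET2))
    # Constructed packets: one from the Internet to the forwarded port, one from
    # a Subnet1 host to the same external address, one to the wrong port.
    for pkt in (Packet("qfe7", "203.0.113.5", "192.168.123.111", 4444),
                Packet("bge0", "192.168.123.100", "192.168.123.111", 4444),
                Packet("qfe7", "203.0.113.5", "192.168.123.111", 22)):
        print(pkt.in_iface, pkt.src, "->", apply_rdr(rules, pkt))
    print("redman on Subnet1 link:", on_link("10.0.0.2", SUBNET1))
```

Run it with `python3`. The model reproduces what `ipnat -l` reported: only traffic that enters on qfe7 for 192.168.123.111 port 4444 is rewritten to 10.0.0.2 port 22, and 10.0.0.2 is not on-link for any Subnet1 host. One thing to check in a real deployment: because ipv4-forwarding is enabled on the blade and the post loads no /etc/ipf/ipf.conf rules, the isolation depends on Subnet1 hosts having no route to 10.0.0.0/30; a block rule on bge0 for traffic to 10.0.0.0/30 would enforce it independently of the clients' routing tables.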

In the end we will have the following result:

                             ##########
                             #internet#
                             #####.####
                                  .
                     -------------.----------------
                     - SSH PKI redman port 4444   -
                     -------------.----------------
                                  .
                       +++++++++++.+ (blade)
                       + Router  . + 192.168.123.111
                       +++++++++++.+
                            |     .    ****************
                            |     .    *    ZONE1     *                (redman)
                            |     .....*  Solaris 10  *.............. 10.0.0.2
     192.168.123.0/24 ------+--------- *   SPARC 64   *   NAT     .   255.255.255.252 (Netmask)
     (Subnet1)              |          *  Router/FW   *  10.0.0.1 .   ------------
                            |          ****************  (subnet2).   -  Centos  -
                            |          192.168.123.110            .   ------------
                            |          (BLADE)                    .   - SSH PKI  -
                         ---------                                ....- port 22  -
                         -  NAT  -                                    ------------
                         ---------
                            |
     Subnet1 Address          | 192.168.123.0
     Netmask Address          | 255.255.255.0
     IP Pool Starting Address | 100
     IP Pool Ending Address   | 200
     _________________________|_____________________
       |                 |                |
   ------------      ----------     -------------
   -  Debian  -      - Fedora -     -  FreeBSD  -
   ------------      ----------     -------------
   192.168.123.100     DHCP        192.168.123.107
