7COM1029 NSA Semester B 2015-16, Week 6 Practicals (Feb/March 2016)

Instructions for 6th week practicals: More iptables & DNS

Objectives

This week will involve completing work from last week: the masquerading network, logging events in the firewall, and providing another local network service, a domain name server (DNS). In addition there are some references for you to read.

Things to note:

• everything from the previous practicals,
• do logging in iptables,
• understand a little about the architecture and operation of DNS name resolution,
• configure a DNS server for a small private address domain.

First task: Continue with masquerading network, firewall and Apache2

Complete the masquerading firewall tasks and the installation and configuration of Apache. This is VERY IMPORTANT, you can do nothing else until this is working. If you have not finished yet you should stay in the lab until it is finished, because the next practical assessment will involve iptables and Apache.

Second task: logging

Here you are going to modify the file /etc/network/ipt-masq1.sh, the firewall script, and use event logging.

ifdown: go to your firewall gateway system and shut down the "outside" connection.

log pings: edit the firewall script (probably /etc/network/ipt-masq1.sh). Add a line immediately before the line

    iptables -A INPUT -p ICMP -s 0/0 -j ACCEPT

that does logging:

    iptables -A INPUT -p ICMP -j LOG --log-level 7 --log-prefix "PING: "
    iptables -A INPUT -p ICMP -s 0/0 -j ACCEPT

(On the printed sheet the new line was broken over two lines so that it would fit on the page; in the script it must be on one line.)

bring up outside interface: use ifup to restart your external interface. Now your firewall should be logging any ping packets arriving as INPUT for the top system.

test it: do a remote login, using ssh, to the nsa account (password ...) on 172.16.0.10 and ping your own gateway.

examine the log: by default iptables logs its messages to the file /var/log/syslog. Lots of system events are logged in /var/log/syslog, so it can be hard to find what you want and it is not useful to print it all out. Instead use

    tail -50 /var/log/syslog

which will show you the last 50 lines of the file. You should now see a line starting with the time and then "PING: ".

ifdown again: shut down the external interface.

comment out the log line: this was an experiment; if you leave the log line in iptables you will keep adding lines to syslog. So comment out the line with "-j LOG" in it.

After that example now carry out an exercise. You are going to try to log all INPUT packets that are "dropped" by your firewall.

where to log: the first problem is where to put the log line. The way iptables works is that the rules for a given chain (INPUT, FORWARD or OUTPUT) are tested in order; if a rule matches then it is applied. If no rules match then iptables will get to the end of the chain and use the "chain policy". The chain policy is set by a command like

    iptables -P INPUT DROP

which says that if no rules in INPUT match (it gets to the end of the rules) then drop the packet. So to log dropped packets, append the logging rule at the end of the INPUT chain. LOG does not stop the walk through the chain, so a packet that reaches the LOG rule is written to the log and then carries on to be dropped by the policy.

the rule: the log rule should be similar to the ping log line except that (i) the protocol changes from ICMP to ALL (or just leave out -p), and (ii) the "--log-prefix" message changes.

bring interface up: use ifup to bring up the external interface.

test it: now log in to the nsa account on 172.16.0.10 and use the command

    telnet 172.16.n.1

replacing "n" with your network (disc) unique number. This attempt to use telnet should fail: you haven't installed it and your rules don't allow it, so the packet should be "dropped" and logged.

look at syslog: to see if the dropped packet was logged use tail -50 /var/log/syslog to examine the messages.
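To make the rule-order point concrete, here is a small model of how iptables walks the INPUT chain. It is an added example written for this page, not part of the practical sheet, and it does not run iptables; the rules are the two from the exercise (accept ICMP, then LOG), while the packets, the disc number 21, the interface name eth0 and the "DROPPED: " prefix are assumptions made here.

```python
"""Model of how iptables walks the INPUT chain, to show where the LOG rule must go.

Constructed example for the Week 6 logging exercise: this is not part of the
practical sheet and does not touch a real firewall.  The rules mirror the ones
in the sheet's script (/etc/network/ipt-masq1.sh); the packets, the disc number
(21), the interface eth0 and the "DROPPED: " prefix are assumptions made here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "ICMP", "TCP" or "UDP"
    dport: int = 0        # destination port; 0 for ICMP


@dataclass
class Rule:
    target: str                   # "ACCEPT", "DROP" or "LOG"
    proto: str = "ALL"            # -p; "ALL" matches every protocol
    dport: Optional[int] = None   # --dport; None matches any port
    prefix: str = ""              # --log-prefix, only meaningful for LOG

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ALL" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def log_line(rule: Rule, pkt: Packet) -> str:
    """One record in the shape the kernel writes to /var/log/syslog (trimmed)."""
    line = f"{rule.prefix}IN=eth0 OUT= SRC={pkt.src} DST={pkt.dst} PROTO={pkt.proto}"
    if pkt.proto in ("TCP", "UDP"):
        line += f" DPT={pkt.dport}"
    return line


def walk_chain(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Test the rules in order and return (verdict, log records).

    ACCEPT and DROP are terminating targets: the first match decides.  LOG is
    not: it writes a record and the walk carries on, so a LOG rule appended at
    the end of the chain sees exactly the packets that fall through to the
    chain policy (iptables -P INPUT DROP), which is why it logs the drops.
    """
    logged = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(log_line(rule, pkt))
            continue
        return rule.target, logged
    return policy, logged


def input_chain(log_first: bool = False) -> List[Rule]:
    """The sheet's INPUT rules: accept ICMP, then log whatever is left."""
    accept_icmp = Rule("ACCEPT", proto="ICMP")    # iptables -A INPUT -p ICMP -s 0/0 -j ACCEPT
    log_rest = Rule("LOG", prefix="DROPPED: ")     # iptables -A INPUT -j LOG --log-level 7 --log-prefix "DROPPED: "
    return [log_rest, accept_icmp] if log_first else [accept_icmp, log_rest]


# Constructed traffic from the lab server: the ping, the telnet attempt from the
# exercise (telnet 172.16.n.1 with n = 21 assumed) and an ssh attempt.
PACKETS = [
    Packet("172.16.0.10", "172.16.21.1", "ICMP"),
    Packet("172.16.0.10", "172.16.21.1", "TCP", 23),
    Packet("172.16.0.10", "172.16.21.1", "TCP", 22),
]


def run(log_first: bool = False) -> Tuple[List[str], List[str]]:
    """Push every packet through the chain with policy DROP."""
    verdicts, syslog = [], []
    for pkt in PACKETS:
        verdict, records = walk_chain(input_chain(log_first), "DROP", pkt)
        verdicts.append(verdict)
        syslog.extend(records)
    return verdicts, syslog


DROPPED = re.compile(r"DROPPED: .*SRC=(\S+) .*PROTO=(\S+)(?: DPT=(\d+))?")


def dropped_summary(syslog: List[str]) -> List[Tuple[str, str, int]]:
    """Pull (source, protocol, port) out of the DROPPED lines, as you would
    when reading tail -50 /var/log/syslog after the telnet test."""
    out = []
    for line in syslog:
        m = DROPPED.search(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return out


if __name__ == "__main__":
    verdicts, syslog = run()
    print(verdicts)                 # ['ACCEPT', 'DROP', 'DROP']
    print(dropped_summary(syslog))  # only the two TCP attempts are logged
    print(len(run(log_first=True)[1]), "records when the LOG rule is first (every packet, pings included)")
```

With the LOG rule last, the ping is accepted silently and only the telnet and ssh attempts produce records; put the same rule first and every packet is logged, which is the syslog flooding the sheet warns about. Real kernel log lines carry more fields (MAC=, LEN=, TTL=, SPT= and so on) than the trimmed format used here. If you keep a drop-logging rule permanently, rate-limit it with the limit match (for example -m limit --limit 5/min) so that a port scan cannot fill /var/log/syslog.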

Some references about configuring DNS

This is a very good description of DNS; it is not about configuring, it is about what it is and how it all works:

    http://en.wikipedia.org/wiki/DNS

Look in the book (in PDF form) by Peter Harrison, Linux Quick Fix Notebook, Prentice Hall. Go to the Prentice Hall site

    http://phptr.com/perens

and look for the link to Harrison's PDF book. If you find it look at chapter 18.

Alternatively, if you cannot find it, there is one in

    http://172.16.0.10/pub

This is a longer section about DNS from the Debian reference manual. But beware, this is about a real DNS domain, not a private one:

    http://www.debian.org/doc/manuals/network-administrator/ch-bind.html
The following note about setting up a Linux home network has a small section on DNS:

    http://www.neilgunton.com/doc/linux-network-howto/

And anything else you can find by following links or searching in Google.

Notes about domains and private networks

If it is not already installed, install bind9-host:

    apt-get update
    apt-get install bind9-host

The program you need is host; it will allow you to look up IP addresses from DNS names using different servers. So to see that there is a server for the module's network try:

    host gate21.netlab. 172.16.0.10

which means: look up gate21.netlab. using the DNS server running on 172.16.0.10. Or try using another server:

    host tink.cs.herts.ac.uk 147.197.200.2

• A DNS server is usually responsible for a "domain". In the real internet, using proper, not private, addresses, domains must have a DNS server. On private networks it is useful but not essential.

• DNS servers do not just deal with their own domains, they pass on queries to other domains, so if you ask the local server for a name from another domain:

    host tink.cs.herts.ac.uk 172.16.0.10

  you will see (in its long response) that it must have asked another domain server on your behalf.

• BUT BEWARE: you will be creating a private range of addresses and you must NOT respond to requests from outside the private network, and you must not try to pass your names to DNS servers in the real internet. Don't panic, it's not too difficult.

• Also remember that you are responsible for a private network, so you deal with the addresses inside it, for example 192.168.0.0/24, NOT the outside address or name 172.16.21.1; that belongs to a different network.

• You can call your domain anything you like, no other system should ever know about it. But to avoid confusion do not use standard top-level suffixes like .com, .uk, .org or .edu. These ones are silly but would be safer: names like small.pond., lost.world., all.my.own., middle.earth. or atlantis.

• Later in the course you will change your network from masquerading to routing, thereby making your hosts "visible" from the laboratory network. When you do this it will be possible to make your names a sub-zone of netlab. But that is later.

Third task: Configuring DNS

Install DNS on your gateway system (the one on the hard disc). This is not important, you could use the other Linux system, but it might be simpler this way. First install the DNS server, it is called bind9; if you then go to the directory /etc/bind you should see the following files:

    # cd /etc/bind
    # ls
    db.0    db.255    db.local  named.conf        named.conf.options  zones.rfc1918
    db.127  db.empty  db.root   named.conf.local  rndc.key
    #

Each "db." file is a "database" of names served (they don't have to be called db.something, but since the localhost domain is in one, why not keep the name), and named.conf is the main configuration file. In the Debian distribution the main configuration file has been split into three; there is no reason for this except that it is easier to manage for larger domains. named.conf contains stuff that doesn't need changing, named.conf.local is where you add the names of the "databases" (db files) that you serve, and named.conf.options is (as it says) other options you might need to change. The domains for localhost etc. are already there; just keep them and don't change them, but you will need to:

• create a "db" file of names for your domain,
• create a "db" file mapping numbers to names,
• edit named.conf.local to cause the DNS server to load your files,
• make minor changes to named.conf.options.

You can get example files from http://172.16.0.10/pub/DNS/. However note that these are sample files for the netlab domain and the 172.16.0.0/16 network; you must edit them for your new domain as described below.

Things you will need to do, not really steps because I might have forgotten some:

• You will need two db. files for every domain you manage (you are managing one). The first file is "keyed" by name and maps names to the numbers. So for the domain netlab. there is a file db.netlab. Here is a fraction of it:

    @     IN SOA  server.netlab. root.netlab. (
                  ... )
    @     IN NS   server.netlab.
    gate  IN A    172.16.[illegible]

  The file starts with an SOA: put in the name server's name and the administrator's email (make it up). Then, after the expiry settings (don't change them), it has an NS line naming its name server. Then there will be one line for every host in the domain; notice that because they are all in the domain they just have hostnames without the domain name. Rename and edit the zone file you got from 172.16.0.10/pub/, that way you will have the details of the SOA correct.

• The second db. file for the domain is for reverse lookups; it maps numbers to names. For the network 172.16.0.0/16 it is called db.16.172; if your network is 192.168.0.0/24 it will be db.0.168.192. The lines map the numbers in the network to names. So, for example, if you have a machine called bigfish and its number is 192.168.0.3 and your domain is small.pond, there will be a line:

    3  IN PTR  bigfish.small.pond.
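The two db files described above can be produced from one list of hosts, which also keeps the forward and reverse files consistent. The script below is an added example written for this page; it is not one of the sample files from 172.16.0.10/pub/DNS/ and not part of BIND. It assumes the sheet's example values (domain small.pond, network 192.168.0.0/24, a name server called gate at 192.168.0.1, the host bigfish at 192.168.0.3) and made-up SOA timers, and it goes slightly beyond the sheet by also emitting the matching zone stanzas with notify no and an options block whose allow-query line, an addition of this example, refuses queries from outside your private network.

```python
"""Build the two BIND "db" files and the matching config stanzas for a private domain.

Constructed example for the third task: this is not part of the practical sheet,
of the sample files on 172.16.0.10/pub/DNS/, or of BIND itself.  The domain
small.pond, the network 192.168.0.0/24, the name server "gate" at 192.168.0.1,
the host bigfish at 192.168.0.3 and the SOA timers are assumed here.
"""
import ipaddress
from typing import Dict, List

SOA_TIMERS = (28800, 7200, 604800, 86400)   # refresh, retry, expire, negative TTL (assumed values)


def reverse_zone(network: str) -> str:
    """Reverse zone name: 192.168.0.0/24 -> 0.168.192.in-addr.arpa, 172.16.0.0/16 -> 16.172.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("an in-addr.arpa zone on an octet boundary needs a /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def db_filename(network: str) -> str:
    """Debian naming: db.0.168.192 for 192.168.0.0/24, db.16.172 for 172.16.0.0/16."""
    return "db." + reverse_zone(network)[: -len(".in-addr.arpa")]


def soa_header(domain: str, ns: str, serial: int) -> List[str]:
    """SOA then NS.  "@" is the zone itself; root.<domain>. is the (made up) admin
    mailbox with the @ written as a dot; the trailing dots make names absolute."""
    refresh, retry, expire, neg_ttl = SOA_TIMERS
    return [
        "$TTL 86400",
        f"@\tIN\tSOA\t{ns}.{domain}. root.{domain}. (",
        f"\t\t{serial}\t; serial, raise it on every edit",
        f"\t\t{refresh}\t; refresh",
        f"\t\t{retry}\t; retry",
        f"\t\t{expire}\t; expire",
        f"\t\t{neg_ttl} )\t; negative cache TTL",
        f"@\tIN\tNS\t{ns}.{domain}.",
    ]


def forward_zone(domain: str, ns: str, hosts: Dict[str, str], serial: int) -> str:
    """db.<domain>: names to numbers.  Hosts are bare names, they are all inside the domain."""
    lines = soa_header(domain, ns, serial)
    lines += [f"{name}\tIN\tA\t{addr}" for name, addr in hosts.items()]
    return "\n".join(lines) + "\n"


def reverse_zone_file(domain: str, ns: str, network: str, hosts: Dict[str, str], serial: int) -> str:
    """db.<reversed network>: numbers to names.  PTR targets must be fully qualified."""
    net = ipaddress.ip_network(network)
    keep = 4 - net.prefixlen // 8           # host octets left: 1 for a /24, 2 for a /16
    lines = soa_header(domain, ns, serial)
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            # Only your own private addresses belong here (see the BEWARE note).
            raise ValueError(f"{name} ({addr}) is outside {network}")
        host_part = ".".join(reversed(str(ip).split(".")[-keep:]))
        lines.append(f"{host_part}\tIN\tPTR\t{name}.{domain}.")
    return "\n".join(lines) + "\n"


def named_conf_local(domain: str, network: str) -> str:
    """The two zone stanzas; notify no stops the server announcing the zones to others."""
    stanza = 'zone "{zone}" {{\n\ttype master;\n\tfile "/etc/bind/{file}";\n\tnotify no;\n}};\n'
    return (stanza.format(zone=domain, file=f"db.{domain}")
            + stanza.format(zone=reverse_zone(network), file=db_filename(network)))


def named_conf_options(forwarders: List[str], network: str) -> str:
    """options block: forwarders for outside domains, plus allow-query limited to your
    own network so the private names are never answered to outside machines
    (the allow-query line is this example's addition, not something the sheet gives)."""
    fwd = "".join(f"\t\t{f};\n" for f in forwarders)
    return ("options {\n\tforwarders {\n" + fwd + "\t};\n"
            f"\tallow-query {{ 127.0.0.1; {network}; }};\n}};\n")


if __name__ == "__main__":
    hosts = {"gate": "192.168.0.1", "bigfish": "192.168.0.3"}
    print(forward_zone("small.pond", "gate", hosts, 2016030601))
    print(reverse_zone_file("small.pond", "gate", "192.168.0.0/24", hosts, 2016030601))
    print(named_conf_local("small.pond", "192.168.0.0/24"))
    print(named_conf_options(["172.16.0.10"], "192.168.0.0/24"))
```

Write the two zone outputs to /etc/bind/db.small.pond and /etc/bind/db.0.168.192 (the names the script derives), append the stanzas to named.conf.local, and check each file with named-checkzone (for example named-checkzone small.pond /etc/bind/db.small.pond) before restarting bind9; a syntax error in a zone file is the usual reason the restart reports a failure.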
• You must edit the named.conf.local file to tell it about your db. files:

    zone "netlab" {
        type master;
        file "/etc/bind/db.netlab";
        notify no;
    };

  You must alter the zone for your domain, e.g. small.pond, and the file name in which it is stored. Note that the notify no; is important; it will help to prevent DNS telling other servers about your names (it only suppresses the NOTIFY messages sent to other servers; restricting who may query your server is a separate option).

• You must include an entry for the reverse domain file as well.

• Lastly you will probably need to alter some options in named.conf.options. I have added "forwarders", which are systems your server will contact to ask about domains outside:

    forwarders {
        147.197.200.2;
    };

  You should probably contact my server instead:

    forwarders {
        172.16.0.10;
    };

• Now start (or restart) the bind9 server program:

    /etc/init.d/bind9 restart

  If it says it failed you can look at the end of /var/log/syslog:

    tail -100 /var/log/syslog | more

  and try to find the error messages.

• If, and when, it appears to start without errors, you can test it. First test it using host, telling it where the bind program is running:

    host nnnn.dddd. 192.168.0.1

  where "nnnn.dddd" is one of the full domain names you have given to DNS, and 192.168.0.1 is the machine on which the DNS program, bind, is running. When you have edited the file /etc/resolv.conf as described in the next section you will be able to use host with just the name you are enquiring about, e.g.:

    host nnnn.dddd.

Fourth task: Configuring your systems to use DNS

Both systems on your network (that includes the one running the server) should have the IP address of your DNS server's machine. On Linux systems every name "lookup" by programs uses the file /etc/resolv.conf to find the address of a name server to contact. You must get the address of the computer running your name server into that file. There are different ways that the address can get into /etc/resolv.conf:

• by hand editing, though be careful that it is not overwritten by something else;

• if a machine is configured by DHCP this might provide the address and overwrite /etc/resolv.conf;

• OR, if you have the Debian package resolvconf installed, then lines like

    dns-nameservers 172.16.0.10 147.197.200.2
    dns-search netlab cs.herts.ac.uk herts.ac.uk

  in /etc/network/interfaces will cause /etc/resolv.conf to be altered every time the network interface is "brought up".

The recommendation is to hand-edit the resolv.conf file. If your domain is small.pond. and the server is on 192.168.0.1, and you want to use alternative servers if yours is unavailable, and if you want to use some hostnames without suffixes (that's what search achieves), then your /etc/resolv.conf could be:

    search small.pond netlab feis.herts.ac.uk
    nameserver 192.168.0.1
    nameserver 172.16.0.10
    nameserver 147.197.200.2