CS183: Lab 10

CS183 Lab 10: Firewall and Advanced ssh usage

Goal:
In this lab, you will learn how to setup a firewall using iptables and a couple of advanced ssh usages.

Details:
CentOS Linux distribution comes with the iptables which is enabled by default. In previous several labs, you have to turn iptables off in order for those labs to work. In this lab, you will leave your iptables on (turn it on if not already), and make sure that your DNS server, web server and mail server are still working by adding extra rules into the iptables.

Every time when ssh'ing to a machine, a password needs to be entered. It could be troublesome sometime. This problem can be mitigated by using ssh-agent and ssh-add. Additionally, when ssh'ing to a machine with X11 Forwarding enabled, one has to use -X command line option. By creating a local ssh configuration file with X11 Forwarding option enabled, -X option is no longer needed.

iptables

Boot up both the Router VM and the Host VM.
Start the iptables on both VMs, if not already.
```
  $ /etc/init.d/iptables start
```
Try "host www 10.0.0.1" on the Host VM, it should NOT work :) Show that in your report.
Now, go to the Router VM and edit /etc/sysconfig/iptables. Add a rule that accepts connections for UDP protocol on port 53.
Restart the iptables by doing:
```
  $ /etc/init.d/iptables restart
```
Now, try "host www 10.0.0.1" again on the Host VM. It should work now. Show that in your report.
Try "host -t axfr linux.is.better" which requests the zone transfer of the entire linux.is.better domain. It should fail because zone transfer uses TCP for performance reason. Show that in your report.
Go back to the Router VM and add another rule that accepts connections for TCP protocol on port 53.
Try to do the zone transfer again on the Host VM, it should work now. Show that in your report.
Now, on the Host VM, try "telnet www 80" which should fail again. Show that in your report. Notice the error message should be "No route to host" which usually means the remote host is being firewalled.
Go to the Router VM and add a new rule that accepts HTTP connections.
Try to access the WWW again from the Host VM, which should work now. Show that in your report.
Try the same for your mail server. Show that in your report.

Extra Credits (10%): Getting NFS and NIS to work with iptables is a bit tricky. Google "NFS iptables" and "NIS iptables", and get NFS and NIS to work with iptables.

Advanced ssh usage

Login any CS machine multiple times by only entering a passphase once.
- From your lab machine, ssh to eon, create a pair of public and private DSA key using "ssh-keygen" program.
```
  $ /usr/bin/ssh-keygen -t dsa -b 2048
```
  When asked about the file in which to save the key, use the default one by hitting the enter key. When prompted for a passphase, enter a good and secure passphase you can remember. Re-enter the same passphase when asked again.
- Copy the contents of ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the machine to which you want to connect. In this case, since you would like ssh to any CS machine without typing any password, you could simply copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys.
- If you are using Gnome window manager, on the panel, select System/Preferences/More Preferences/Sessions, click on the "Startup Programs" tab, click "Add" and enter "/usr/bin/ssh-add" in the "Startup Command".
- Logout from your lab machine.
- From now on, after logging in using your CS password on a lab machine, you will be asked for a passphase. Type in the passphase for the DSA key generated from the step above. Now, try to ssh to any CS machine. You will not be asked for a password ever again. Show that in your report.
X11 Forwarding without -X command line option
- Create and edit ~/.ssh/config
- Add the following lines into ~/.ssh/config
```
  ForwardX11 yes
  ForwardX11Trusted yes
```
- From now on, you can do ssh without -X option. Show that in your report.

Questions

Show the result before and after adding the iptables rule to make DNS server to work.
Show the result before and after adding the iptables rule to make web server to work.
Show the result before and after adding the iptables rule to make mail server to work.
Show that you do not need to type in any password when ssh'ing to a CS machine.
Show that you can do X11 Forwarding without the -X option.

Scoring

Attendance - 10%
Question 1 - 10%
Question 2 - 10%
Question 3 - 10%
Question 4 - 10%
Question 5 - 10%
The rest of the report - 40%

Notes & Tips:

After editing /etc/sysconfig/iptables, you have to do "/etc/init.d/iptables restart"
Check out /etc/services for known protocols and ports.
How to setup ssh-agent with Gnome.
A sample lab report can be downloaded from here.