CIS 192 – Lesson 9

Date posted: 16-Jan-2016
Uploaded by: oscar-hopkins
Page 1: Lesson Module Status

• Slides –
• Properties – done
• Flashcards –
• 1st minute quiz –
• Web Calendar summary –
• Web book pages –
• Commands –
• Howtos –
• Skills pacing –
• Lab – done
• Depot (VMs) – na

Page 2: Quiz

No quiz today since we are having a test.

Page 3: Objectives and Agenda

Objectives
• Review lessons 5-8
• Implement a serial connection using PPP

Agenda
• Quiz
• Questions on previous material
• Housekeeping
• Review for next test on Lessons 5-8
• PPP
• Wrap

PPP and WAN protocols

Page 4: Questions on previous material

Page 5: Questions?

• Previous lesson material
• Lab assignment

Page 6: Housekeeping

Page 7: Housekeeping

• No labs due today!
• Spring break next week!

Page 8: DNS

Page 9: DNS reference

http://www.tldp.org/HOWTO/DNS-HOWTO.html

Very good DNS reference by Nicolai Langfeldt

Page 10: The dig command

dig +norec +noques +nostats +nocmd simms-teach.com @ns1.dreamhost.com

(Callouts on the slide: "+norec +noques +nostats +nocmd" are the query options, "simms-teach.com" is the name to look up, "@ns1.dreamhost.com" is the name server to query.)

dig (domain information groper) command
• Tool to interrogate DNS servers
• Performs DNS lookups and displays the answers from the DNS server queried.
• Will use the name server specified in /etc/resolv.conf unless another is specified

Some query options:
+[no]recurse - [do not] use recursive queries
+[no]question - [do not] print the question section when an answer is returned
+[no]stats - [do not] print query statistics
+[no]cmd - [do not] print dig version information
… for more, use man dig

Page 11: dig simms-teach.com (com. servers)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16548
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; AUTHORITY SECTION:
com. 172798 IN NS G.GTLD-SERVERS.NET.
com. 172798 IN NS M.GTLD-SERVERS.NET.
com. 172798 IN NS K.GTLD-SERVERS.NET.
com. 172798 IN NS A.GTLD-SERVERS.NET.
com. 172798 IN NS C.GTLD-SERVERS.NET.
com. 172798 IN NS L.GTLD-SERVERS.NET.
com. 172798 IN NS J.GTLD-SERVERS.NET.
com. 172798 IN NS H.GTLD-SERVERS.NET.
com. 172798 IN NS B.GTLD-SERVERS.NET.
com. 172798 IN NS I.GTLD-SERVERS.NET.
com. 172798 IN NS E.GTLD-SERVERS.NET.
com. 172798 IN NS F.GTLD-SERVERS.NET.
com. 172798 IN NS D.GTLD-SERVERS.NET.

NS = Authoritative Name Server record
IN = Internet Domain Names

Page 12: dig simms-teach.com (simms-teach.com. servers)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com @A.GTLD-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40276
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
simms-teach.com. 172800 IN NS ns1.dreamhost.com.
simms-teach.com. 172800 IN NS ns2.dreamhost.com.
simms-teach.com. 172800 IN NS ns3.dreamhost.com.

;; ADDITIONAL SECTION:
ns1.dreamhost.com. 172800 IN A 66.33.206.206
ns2.dreamhost.com. 172800 IN A 208.96.10.221
ns3.dreamhost.com. 172800 IN A 66.33.216.216

[root@elrond ~]#

Page 13: dig simms-teach.com (ANSWER section received)

[root@elrond ~]# dig +norec +noques +nostats +nocmd simms-teach.com @ns1.dreamhost.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60986
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
simms-teach.com. 14400 IN A 208.113.161.13

[root@elrond ~]#

[root@elrond ~]# ping -c2 simms-teach.com
PING simms-teach.com (208.113.161.13) 56(84) bytes of data.
64 bytes from apache2-zoo.nehi.dreamhost.com (208.113.161.13): icmp_seq=1 ttl=56 time=26.1 ms
64 bytes from apache2-zoo.nehi.dreamhost.com (208.113.161.13): icmp_seq=2 ttl=56 time=25.9 ms

--- simms-teach.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 25.973/26.078/26.184/0.192 ms
[root@elrond ~]#

Page 14: dig opus.cabrillo.edu (root "." servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19571
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13

;; AUTHORITY SECTION:
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
B.ROOT-SERVERS.NET. 604794 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 604761 IN A 192.33.4.12
E.ROOT-SERVERS.NET. 604794 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 604791 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 604794 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 604794 IN A 192.112.36.4
I.ROOT-SERVERS.NET. 604794 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 604794 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 604794 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 604791 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 604794 IN AAAA 2001:500:3::42
M.ROOT-SERVERS.NET. 604794 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 604791 IN AAAA 2001:dc3::35

[root@elrond ~]#

Page 15: dig opus.cabrillo.edu (edu. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @J.ROOT-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53616
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 8

;; AUTHORITY SECTION:
edu. 172800 IN NS E.GTLD-SERVERS.NET.
edu. 172800 IN NS F.GTLD-SERVERS.NET.
edu. 172800 IN NS G.GTLD-SERVERS.NET.
edu. 172800 IN NS L.GTLD-SERVERS.NET.
edu. 172800 IN NS A.GTLD-SERVERS.NET.
edu. 172800 IN NS C.GTLD-SERVERS.NET.
edu. 172800 IN NS D.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30

[root@elrond ~]#

Page 16: dig opus.cabrillo.edu (cabrillo.edu. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @F.GTLD-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17333
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
cabrillo.edu. 172800 IN NS buttercup.cabrillo.edu.
cabrillo.edu. 172800 IN NS ns1.csu.net.
cabrillo.edu. 172800 IN NS ns2.csu.net.

;; ADDITIONAL SECTION:
buttercup.cabrillo.edu. 172800 IN A 207.62.187.54
ns1.csu.net. 172800 IN A 130.150.102.100
ns2.csu.net. 172800 IN A 130.150.102.20

[root@elrond ~]#

Page 17: dig opus.cabrillo.edu (resolved)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd opus.cabrillo.edu @ns1.csu.net.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6591
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; ANSWER SECTION:
opus.cabrillo.edu. 300 IN A 207.62.186.9

;; AUTHORITY SECTION:
cabrillo.edu. 300 IN NS ns1.csu.net.
cabrillo.edu. 300 IN NS ns2.csu.net.
cabrillo.edu. 300 IN NS buttercup.cabrillo.edu.

;; ADDITIONAL SECTION:
ns1.csu.net. 15219 IN A 130.150.102.100
ns2.csu.net. 15324 IN A 130.150.102.20
buttercup.cabrillo.edu. 300 IN A 207.62.187.54

[root@elrond ~]#

Page 18: dig 9.186.62.207.in-addr.arpa (root "." servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26350
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 5

;; AUTHORITY SECTION:
. 518387 IN NS I.ROOT-SERVERS.NET.
. 518387 IN NS C.ROOT-SERVERS.NET.
. 518387 IN NS E.ROOT-SERVERS.NET.
. 518387 IN NS F.ROOT-SERVERS.NET.
. 518387 IN NS K.ROOT-SERVERS.NET.
. 518387 IN NS A.ROOT-SERVERS.NET.
. 518387 IN NS L.ROOT-SERVERS.NET.
. 518387 IN NS H.ROOT-SERVERS.NET.
. 518387 IN NS M.ROOT-SERVERS.NET.
. 518387 IN NS B.ROOT-SERVERS.NET.
. 518387 IN NS G.ROOT-SERVERS.NET.
. 518387 IN NS D.ROOT-SERVERS.NET.
. 518387 IN NS J.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 604782 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 604787 IN AAAA 2001:503:ba3e::2:30
E.ROOT-SERVERS.NET. 604787 IN A 192.203.230.10
M.ROOT-SERVERS.NET. 604787 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 604782 IN AAAA 2001:dc3::35

[root@elrond ~]#

Page 19: dig 9.186.62.207.in-addr.arpa (in-addr.arpa. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @A.ROOT-SERVERS.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12044
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0

;; AUTHORITY SECTION:
207.in-addr.arpa. 86400 IN NS X.ARIN.NET.
207.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET.
207.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET.
207.in-addr.arpa. 86400 IN NS Y.ARIN.NET.
207.in-addr.arpa. 86400 IN NS CHIA.ARIN.NET.
207.in-addr.arpa. 86400 IN NS DILL.ARIN.NET.
207.in-addr.arpa. 86400 IN NS Z.ARIN.NET.
207.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET.

[root@elrond ~]#

Page 20: dig 9.186.62.207.in-addr.arpa (207.in-addr.arpa. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @BASIL.ARIN.NET.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56550
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; AUTHORITY SECTION:
62.207.in-addr.arpa. 86400 IN NS ns2.csu.net.
62.207.in-addr.arpa. 86400 IN NS ns1.csu.net.

[root@elrond ~]#


Page 22: dig 9.186.62.207.in-addr.arpa (62.207.in-addr.arpa. servers)

[root@elrond ~]# dig +norecurse +noques +nostats +nocmd 9.186.62.207.in-addr.arpa @ns1.csu.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58855
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
186.62.207.in-addr.arpa. 28800 IN SOA buttercup.cabrillo.edu. hostmaster.cabrillo.edu. 2004062137 3600 1800 604800 28800

[root@elrond ~]#
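Pages 11-17 (the forward walk) and 18-22 (the reverse lookup) read each dig response by hand: NS records in the AUTHORITY section with no ANSWER is a referral to the next level down, the aa flag with an ANSWER section is the authoritative answer, and an AUTHORITY section holding only an SOA (page 22) means the zone exists but has no record of the requested type. The following Python program is an added example, not part of the original slides: it parses dig's text output into records, classifies each response the same way, pairs the NS names of a referral with the glue addresses from the ADDITIONAL section so the next server can be picked, and builds the in-addr.arpa name from an IPv4 address. The three responses embedded in it are constructed copies of the output on pages 12, 13 and 22, trimmed to the sections shown.

```python
import re
from dataclasses import dataclass

# Constructed copies of three responses from the slides, trimmed to the
# header and the record sections (dig prints them in exactly this layout).
REFERRAL = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40276
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; AUTHORITY SECTION:
simms-teach.com.    172800  IN  NS  ns1.dreamhost.com.
simms-teach.com.    172800  IN  NS  ns2.dreamhost.com.
simms-teach.com.    172800  IN  NS  ns3.dreamhost.com.

;; ADDITIONAL SECTION:
ns1.dreamhost.com.  172800  IN  A   66.33.206.206
ns2.dreamhost.com.  172800  IN  A   208.96.10.221
ns3.dreamhost.com.  172800  IN  A   66.33.216.216
"""

ANSWER = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60986
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
simms-teach.com.    14400   IN  A   208.113.161.13
"""

NODATA = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58855
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
186.62.207.in-addr.arpa. 28800 IN SOA buttercup.cabrillo.edu. hostmaster.cabrillo.edu. 2004062137 3600 1800 604800 28800
"""


@dataclass
class Record:
    name: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SECTION_RE = re.compile(r";; (\w+) SECTION:")


def parse_dig(text):
    """Turn dig's text output into (status, flags, {section: [Record, ...]})."""
    status, flags, sections, current = "", set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            status = STATUS_RE.search(line).group(1)
        elif m := FLAGS_RE.match(line):
            flags = set(m.group(1).split())
        elif m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif not line.startswith(";") and current is not None:
            # name  ttl  class  type  rdata...  (rdata may contain spaces, e.g. SOA)
            parts = line.split(None, 4)
            if len(parts) == 5:
                name, ttl, rclass, rtype, rdata = parts
                sections[current].append(Record(name, int(ttl), rclass, rtype, rdata))
    return status, flags, sections


def classify(response):
    """Read a response the way the slides do at each step of the walk."""
    status, flags, sections = response
    answer = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])
    if answer:
        return "answer (authoritative)" if "aa" in flags else "answer (non-authoritative)"
    if authority and all(r.rtype == "NS" for r in authority):
        return "referral"            # ask one of these servers next
    if any(r.rtype == "SOA" for r in authority):
        return "nodata" if status == "NOERROR" else status.lower()
    return "empty"


def next_servers(response):
    """For a referral, pair each NS name with the glue A record dig showed in ADDITIONAL."""
    _, _, sections = response
    glue = {r.name: r.rdata for r in sections.get("ADDITIONAL", []) if r.rtype == "A"}
    return [(r.rdata, glue.get(r.rdata)) for r in sections.get("AUTHORITY", []) if r.rtype == "NS"]


def reverse_name(ipv4):
    """Build the in-addr.arpa owner name that pages 18-22 hand to dig."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"
```

Feeding dig's output through parse_dig and classify reproduces the reading on each slide: the page 12 reply is a referral whose next_servers list starts with ns1.dreamhost.com. at 66.33.206.206, the page 13 reply is an authoritative answer, and the page 22 reply is "nodata" because the only AUTHORITY record is the SOA of 186.62.207.in-addr.arpa. The status string is checked separately from the sections because dig prints NXDOMAIN replies with the same SOA-only shape.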

Page 23: An Overview of the Domain Name System

• Created in 1984 from the work led by Paul Mockapetris
• Improves on the deficiencies of the /etc/hosts file
• DNS manages two databases (zones):
  Forward lookup zones: for mapping domain names to IP addresses
  Reverse lookup zones: for mapping IP addresses to domain names
• Three components to DNS:
  Resolver
  The Server (Primary, Secondary, Caching)
  Database files (db.domain-name)
• Supports two types of queries: Recursive, Iterative
• The most popular implementation of DNS is the Berkeley Internet Name Daemon (BIND), maintained by the Internet Software Consortium: www.isc.org

Page 24: The DNS Namespace

• The topmost domain in the namespace hierarchy is "."
• Top-level domains: .com, .net, .gov, .edu, .org, .us, ...
• Special domain for reverse lookups: in-addr.arpa
• Fully Qualified Domain Names are read from right to left
• Name registration was handled by InterNIC; it now belongs to for-profit companies.

Page 25: DNS Configuration Files

Package name: bind-9.1.0
Daemon name: /usr/sbin/named
Startup script: /etc/rc.d/init.d/named
Database file location: /var/named
  /var/named/named.ca
  /var/named/db.in-addr.arpa
  /var/named/db.domain-name

Record types:
  SOA - Start of Authority
  NS - Nameserver
  A - Address
  PTR - Pointer
  CNAME - Aliases

/etc/named.conf
/etc/resolv.conf
/etc/nsswitch.conf


Page 28: Zone file

[root@elrond ~]# cat /var/named/db.rivendell
$TTL 604800
; Rivendell Zone Definition
;
;
Rivendell. IN SOA elrond.rivendell. root.rivendell. (
    2009040304 ; serial number
    60         ; refresh rate in seconds
    15         ; retry in seconds
    1209600    ; expire in seconds
    300)       ; minimum in seconds
;
;
;
;Name Server Records
Rivendell. IN NS elrond.rivendell.
;
;Address Records
localhost IN A 127.0.0.1
legolas   IN A 192.168.2.105
elrond    IN A 192.168.2.107
galadriel IN A 192.168.2.108
william   IN A 192.168.2.114
;
;CNAME records
[root@elrond ~]#

TTL = Time to live: how long a DNS record from this zone should be cached. The longer the TTL value, the faster repeated lookups resolve, because cached answers are reused for longer.

Examples:

$TTL 86400
$TTL 1440m
$TTL 24h
$TTL 1d
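To make the $TTL forms and the SOA fields above concrete, here is a small zone-file parser added as an example; it is not part of the original slides and not BIND's own code. It reads the db.rivendell file (embedded as a constructed copy), strips ";" comments, folds the parenthesised SOA onto one logical line, converts $TTL values with the s/m/h/d/w suffixes BIND accepts, completes relative names with an origin, and checks that the SOA timers are in a sensible order (retry below refresh, expire above refresh). The origin passed to parse_zone is an assumption standing in for what named.conf would supply.

```python
import re

# Constructed copy of the db.rivendell zone file shown on this page.
DB_RIVENDELL = """\
$TTL 604800
; Rivendell Zone Definition
;
;
Rivendell. IN SOA elrond.rivendell. root.rivendell. (
    2009040304 ; serial number
    60         ; refresh rate in seconds
    15         ; retry in seconds
    1209600    ; expire in seconds
    300)       ; minimum in seconds
;
;Name Server Records
Rivendell. IN NS elrond.rivendell.
;
;Address Records
localhost IN A 127.0.0.1
legolas   IN A 192.168.2.105
elrond    IN A 192.168.2.107
galadriel IN A 192.168.2.108
william   IN A 192.168.2.114
;
;CNAME records
"""

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(value):
    """Accept 86400, 1440m, 24h, 1d (the forms on the slide), plus s/w and combinations like 1d12h."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhdw])", value):
        if m.start() != pos:
            raise ValueError(f"bad TTL: {value!r}")
        total += int(m.group(1)) * TTL_UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"bad TTL: {value!r}")
    return total


def logical_lines(text):
    """Yield token lists, with ';' comments removed and '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf).split()
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses in zone file")


def parse_zone(text, origin):
    """Return (default_ttl, records); relative names are completed with `origin` (assumed)."""
    default_ttl, records = None, []
    for tokens in logical_lines(text):
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):
            continue  # $ORIGIN / $INCLUDE are not modelled in this example
        name, rest = tokens[0], tokens[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():      # per-record TTL (numeric form only here)
            ttl = int(rest.pop(0))
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        rtype, rdata = rest[0].upper(), rest[1:]
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        records.append({"name": fqdn.lower(), "ttl": ttl, "type": rtype, "rdata": rdata})
    return default_ttl, records


def check_soa(records):
    """Pull the SOA timers out and flag orderings that make a slave misbehave."""
    soa = next(r for r in records if r["type"] == "SOA")
    serial, refresh, retry, expire, minimum = (int(v) for v in soa["rdata"][2:7])
    problems = []
    if retry >= refresh:
        problems.append("retry should be shorter than refresh")
    if expire <= refresh:
        problems.append("expire should be much longer than refresh")
    return {"serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum, "problems": problems}
```

Calling parse_zone(DB_RIVENDELL, "rivendell.") yields a default TTL of 604800 and seven records (the SOA, one NS and five A records), and check_soa reports serial 2009040304 with refresh 60, retry 15, expire 1209600 and minimum 300 and no ordering problems. The four $TTL examples on the slide all convert to 86400 seconds.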

Page 29: A successful zone transfer

/var/log/messages:
Apr 6 07:30:59 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#46736
Apr 6 07:30:59 legolas named[16429]: zone rivendell/IN: transferred serial 2009040309
Apr 6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

(Figure: packet capture of the transfer, with callouts for the request from the Slave, the response from the Master, and the zone records.)

Page 30: DNS Troubleshooting

Page 31: Lab 7 Troubleshooting

Problem: Master to Slave transfer failing

From /var/log/messages:
Apr 6 06:39:33 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#54165
Apr 6 06:39:33 legolas named[16429]: dumping master file: tmp-UjD7J9kLlr: open: permission denied
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed while receiving responses: permission denied
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

Solution: enable named to create new files on the Slave:
1. Run lokkit on the Slave and change the SELinux setting from Enforcing to Permissive
2. Use chmod 770 /var/named on the Slave

Page 32: Lab 7 Troubleshooting

Problem: Master to Slave transfer failing

From /var/log/messages:
Apr 6 07:01:15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for master 192.168.2.107#53 exceeded (source 0.0.0.0#0)
Apr 6 07:01:15 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed to connect: host unreachable
Apr 6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer

Solution: the firewall on the Master is blocking the Slave's connection for the transfer:
1. Run lokkit on the Master and disable the firewall, or
2. Open UDP port 53 on the Master
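The two failures above and the successful transfer on page 29 are easy to tell apart by eye in a handful of lines, but a slave that serves many zones logs thousands of them. The following Python script is an added example, not something from the slides or from BIND: it groups named's transfer messages into attempts, records the master each attempt came from, the outcome and the serial transferred, maps the two failure texts the slides diagnose to their causes, and flags a completed transfer from a master that is not in an expected list (the expected_masters argument is an assumption, a check a practitioner would add on top of the slides). The log embedded in it is a constructed copy of the lines on pages 29, 31 and 32.

```python
import re

# Constructed copy of the named log lines on pages 31, 32 and 29 (two failed
# attempts followed by the successful one).
SAMPLE_LOG = """\
Apr 6 06:39:33 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#54165
Apr 6 06:39:33 legolas named[16429]: dumping master file: tmp-UjD7J9kLlr: open: permission denied
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed while receiving responses: permission denied
Apr 6 06:39:33 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer
Apr 6 07:01:15 legolas named[16429]: zone rivendell/IN: refresh: retry limit for master 192.168.2.107#53 exceeded (source 0.0.0.0#0)
Apr 6 07:01:15 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: failed to connect: host unreachable
Apr 6 07:01:15 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer
Apr 6 07:30:59 legolas named[16429]: zone rivendell/IN: Transfer started.
Apr 6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: connected using 192.168.2.105#46736
Apr 6 07:30:59 legolas named[16429]: zone rivendell/IN: transferred serial 2009040309
Apr 6 07:30:59 legolas named[16429]: transfer of 'rivendell/IN' from 192.168.2.107#53: end of transfer
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
STARTED_RE = re.compile(r"zone (?P<zone>\S+): Transfer started\.")
SERIAL_RE = re.compile(r"zone \S+: transferred serial (?P<serial>\d+)")
TRANSFER_RE = re.compile(r"transfer of '[^']+' from (?P<master>[\d.]+)#\d+: (?P<detail>.*)")

# Failure text -> (what it means, where to look), following the two cases the slides diagnose.
CAUSES = [
    ("permission denied", ("slave cannot write its copy of the zone",
                           "SELinux mode and permissions on /var/named on the slave")),
    ("host unreachable", ("slave cannot reach the master",
                         "firewall on the master")),
]


def diagnose(detail):
    for needle, verdict in CAUSES:
        if needle in detail:
            return verdict
    return ("transfer failed", "read the surrounding named messages")


def analyse_transfers(log_text, expected_masters=frozenset()):
    """Group named's messages into transfer attempts and return one dict per attempt.

    expected_masters is an assumption for this example: the set of master
    addresses this slave is supposed to pull from; anything else is flagged.
    """
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if s := STARTED_RE.match(msg):
            current = {"zone": s.group("zone"), "started": ts, "status": "pending",
                       "master": None, "serial": None, "warnings": []}
            attempts.append(current)
        elif current is None:
            continue                                  # message outside an attempt
        elif s := SERIAL_RE.match(msg):
            current["serial"] = int(s.group("serial"))
            current["status"] = "ok"
        elif t := TRANSFER_RE.search(msg):
            current["master"] = t.group("master")
            detail = t.group("detail")
            if detail.startswith("failed"):
                current["status"] = "failed"
                current["diagnosis"], current["check"] = diagnose(detail)
            elif detail == "end of transfer":
                if expected_masters and current["master"] not in expected_masters:
                    current["warnings"].append(f"transfer from unexpected master {current['master']}")
                current = None                        # attempt closed
    return attempts
```

Run over the sample log with expected_masters={"192.168.2.107"}, the script returns three attempts: the first failed with the SELinux/permissions check, the second failed with the firewall check, and the third completed with serial 2009040309 and no warnings. The "end of transfer" line closes an attempt whether it succeeded or not, which is what makes the grouping reliable across interleaved zones.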

Page 33: Zone transfer failing when blocked by the firewall on the Master (figure)

Page 34: Firewall and DNS port

Page 35: Default firewall on CentOS (Red Hat) does not allow DNS requests

[root@elrond ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@elrond ~]#

UDP port 53 is not open

Page 36: Default firewall on CentOS (Red Hat) does not allow DNS requests

[root@elrond ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@elrond ~]#

UDP port 53 is not open

Page 37: Opening UDP port 53 on the Master

[root@elrond ~]# iptables -I RH-Firewall-1-INPUT 9 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

This command inserts a new rule into the custom firewall chain on the Master to allow new UDP port 53 requests.

(Callouts on the slide: RH-Firewall-1-INPUT is the name of the chain; 9 is the line number to insert before.)

-I inserts a new rule
-m specifies the match modules to use
-p specifies the protocol to match
--state NEW matches new (not yet established) connections
--dport is the destination port

Page 38: Modified firewall on CentOS (Red Hat) now allows DNS requests

[root@elrond ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@elrond ~]#

UDP port 53 is open
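To see why the rule has to go in at position 9, it helps to walk a packet through the chain. The following Python model is an added example, not from the slides and not iptables' own code: it parses the RH-Firewall-1-INPUT rules from a constructed copy of the /etc/sysconfig/iptables listing on page 36 (only -i, -p, -d, --dport and --state are modelled, and the connection state is simply a field of the packet dictionary), applies first-match semantics, and inserts the new rule the way `iptables -I RH-Firewall-1-INPUT 9 ...` does, so the verdict can be compared before and after.

```python
# Constructed copy of the /etc/sysconfig/iptables listing on page 36 (rule lines only).
SAVED_RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The rule the slide inserts with `iptables -I RH-Firewall-1-INPUT 9 ...`.
NEW_RULE = "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


def parse_rule(line):
    """Extract the matches this model understands (-i, -p, -d, --dport, --state) and the target."""
    rule = {"chain": None, "iface": None, "proto": None, "dst": None,
            "dport": None, "states": None, "target": None}
    keys = {"-A": "chain", "-i": "iface", "-p": "proto", "-d": "dst",
            "--dport": "dport", "--state": "states", "-j": "target"}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        key = keys.get(tokens[i])
        if key is None:          # -m, --icmp-type any, --reject-with ...: no match modelled
            i += 1
            continue
        value = tokens[i + 1]
        if key == "dport":
            value = int(value)
        elif key == "states":
            value = set(value.split(","))
        rule[key] = value
        i += 2
    return rule


def matches(rule, pkt):
    """Does a packet {proto, dport, dst, iface, state} satisfy every match on the rule?"""
    if rule["iface"] is not None and pkt.get("iface") != rule["iface"]:
        return False
    if rule["proto"] is not None and pkt.get("proto") != rule["proto"]:
        return False
    if rule["dst"] is not None and pkt.get("dst") != rule["dst"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["states"] is not None and pkt.get("state") not in rule["states"]:
        return False
    return True


def verdict(rules, pkt):
    """First matching terminating rule wins, as in iptables; return (target, rule number)."""
    for number, rule in enumerate(rules, start=1):
        if rule["target"] in TERMINATING and matches(rule, pkt):
            return rule["target"], number
    return "policy", None


def insert_rule(rules, position, line):
    """Mirror `iptables -I CHAIN N rule`: the new rule becomes number N, later rules shift down."""
    if not 1 <= position <= len(rules) + 1:
        raise ValueError(f"position {position} out of range for {len(rules)} rules")
    return rules[:position - 1] + [parse_rule(line)] + rules[position - 1:]


def chain_rules(saved, chain="RH-Firewall-1-INPUT"):
    return [r for r in map(parse_rule, saved.splitlines()) if r["chain"] == chain]


BEFORE = chain_rules(SAVED_RULES)
AFTER = insert_rule(BEFORE, 9, NEW_RULE)

# Constructed packets: a new DNS query arriving on eth0 over UDP and over TCP.
DNS_UDP = {"proto": "udp", "dport": 53, "iface": "eth0", "state": "NEW"}
DNS_TCP = {"proto": "tcp", "dport": 53, "iface": "eth0", "state": "NEW"}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "udp/53:", verdict(rules, DNS_UDP), "tcp/53:", verdict(rules, DNS_TCP))
```

Before the insert a new UDP/53 packet falls through to the REJECT at rule 10; after it, rule 9 accepts it and the old ssh rule moves to 10, which is exactly the ordering the iptables -L listing above shows. The model also evaluates a new TCP/53 packet, which the chain still rejects: the slave's SOA refresh query travels over UDP, but the zone transfer itself (AXFR) runs over TCP port 53, so a master that is meant to serve transfers needs an equivalent rule for tcp as well.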

Page 39: Modified firewall on CentOS (Red Hat) Master now allows DNS requests (figure)

UDP port 53 is open


Page 44: Wrap

Page 45: New commands and configuration files

New commands, daemons:
named - DNS daemon
host - For testing DNS
dig - DNS information
nslookup - Being phased out

Configuration files:
/etc/named.conf
/var/named/*
/etc/resolv.conf
/etc/nsswitch.conf
/etc/hosts

Page 46: Next Class

Assignment: Check the Calendar Page http://simms-teach.com/cis192calendar.php

• Test next week on lessons 5-8 and related labs
• Example questions:
  • How do you recognize a 3-way handshake in Wireshark?
  • What command on Red Hat family systems would configure the vsftpd service to start up automatically when powering up?
  • For firewall purposes, when is a TCP stream considered to be "established" on the server side?
  • What are two different commands on Red Hat family systems that would cause the xinetd daemon to reread its configuration files?
• Extra credit Lab X2 on PPP available now

Page 47: Backup

Page 48: Classroom Static IP addresses for VMs

Note the static IP address for your station to use in the next class exercise.

Station      IP             Static 1
Instructor   172.30.1.100   172.30.1.125
Station-01   172.30.1.101   172.30.1.126
Station-02   172.30.1.102   172.30.1.127
Station-03   172.30.1.103   172.30.1.128
Station-04   172.30.1.104   172.30.1.129
Station-05   172.30.1.105   172.30.1.130
Station-06   172.30.1.106   172.30.1.131
Station-07   172.30.1.107   172.30.1.132
Station-08   172.30.1.108   172.30.1.133
Station-09   172.30.1.109   172.30.1.134
Station-10   172.30.1.110   172.30.1.135
Station-11   172.30.1.111   172.30.1.136
Station-12   172.30.1.112   172.30.1.137
Station-13   172.30.1.113   172.30.1.138
Station-14   172.30.1.114   172.30.1.139
Station-15   172.30.1.115   172.30.1.140
Station-16   172.30.1.116   172.30.1.141
Station-17   172.30.1.117   172.30.1.142
Station-18   172.30.1.118   172.30.1.143
Station-19   172.30.1.119   172.30.1.144
Station-20   172.30.1.120   172.30.1.145
Station-21   172.30.1.121   172.30.1.146
Station-22   172.30.1.122   172.30.1.147
Station-23   172.30.1.123   172.30.1.148
Station-24   172.30.1.124   172.30.1.149

Page 49: Classroom DHCP IP allocation pools table by station number

Use these pools of addresses, based on your station number, to avoid conflicts on the classroom network.

Station    IP             Start          End
01         172.30.1.101   172.30.1.50    172.30.1.54
02         172.30.1.102   172.30.1.55    172.30.1.59
03         172.30.1.103   172.30.1.60    172.30.1.64
04         172.30.1.104   172.30.1.65    172.30.1.69
05         172.30.1.105   172.30.1.70    172.30.1.74
06         172.30.1.106   172.30.1.75    172.30.1.79
07         172.30.1.107   172.30.1.80    172.30.1.84
08         172.30.1.108   172.30.1.85    172.30.1.89
09         172.30.1.109   172.30.1.90    172.30.1.94
10         172.30.1.110   172.30.1.95    172.30.1.99
11         172.30.1.111   172.30.1.200   172.30.1.204
12         172.30.1.112   172.30.1.205   172.30.1.209
13         172.30.1.101   172.30.1.210   172.30.1.214
14         172.30.1.102   172.30.1.215   172.30.1.219
15         172.30.1.103   172.30.1.220   172.30.1.224
16         172.30.1.104   172.30.1.225   172.30.1.229
17         172.30.1.105   172.30.1.230   172.30.1.234
18         172.30.1.106   172.30.1.235   172.30.1.239
19         172.30.1.107   172.30.1.240   172.30.1.244
20         172.30.1.108   172.30.1.245   172.30.1.249
21         172.30.1.109   172.30.1.250   172.30.1.254
22         172.30.1.110   172.30.1.30    172.30.1.34
23         172.30.1.111   172.30.1.35    172.30.1.39
24         172.30.1.112   172.30.1.20    172.30.1.44
Instruct   172.30.1.100   172.30.1.45    172.30.1.49

Page 50

Using PPP over a direct null modem connection

Test for connectivity

Start pppd on either side:

pppd -detach crtscts lock <local IP>:<remote IP> /dev/ttyS0 38400 &

Page 51

Diagram (figure not reproduced): the lab network. Internet access is via nosmo (207.62.187.54), with DNS and DHCP provided by snickers and buttercup (interface labels .1 and .10). The three lab subnets are Shire 172.30.N.0/24, Rivendell 192.168.2.0/24 and Mordor 192.168.3.0/24. Hosts shown: elrond, frodo, legolas, sauron and william, with eth0/eth1 interfaces labelled .1XX, .150 or "eth0 dhcp". Roles marked on the diagram: DHCP Server, DHCP Relay Agent, DHCP Reservation, and DHCP clients.

Page 52

Exercise - Debian/Ubuntu NIC Config (permanent)

[root@arwen ~]# ipcalc -npmb 10.10.10.141/22
NETMASK=255.255.252.0
PREFIX=22
BROADCAST=10.10.11.255
NETWORK=10.10.8.0

cis192@sawyer:~$ cat /etc/hostname
sawyer

cis192@sawyer:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.10.10.141
broadcast 10.10.11.255
netmask 255.255.252.0
network 10.10.8.0
gateway 10.10.8.1
up route add -net 192.168.3.0/24 gw 10.10.8.10
cis192@sawyer:~$

Page 53

Exercise - Debian/Ubuntu NIC Config (permanent)

[root@arwen ~]# ipcalc -npmb 10.10.10.141/22
NETMASK=255.255.252.0
PREFIX=22
BROADCAST=10.10.11.255
NETWORK=10.10.8.0

root@sawyer:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 sawyer

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
root@sawyer:~#

Page 54

Exercise - Debian/Ubuntu NIC Config (permanent)

cis192@sawyer:~$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0c:29:6f:53:d9
          inet addr:10.10.10.141  Bcast:10.10.11.255  Mask:255.255.252.0
          inet6 addr: fe80::20c:29ff:fe6f:53d9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:35602 (35.6 KB)  TX bytes:4755 (4.7 KB)
          Interrupt:18 Base address:0x1400

cis192@sawyer:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     10.10.8.10      255.255.255.0   UG    0      0        0 eth0
10.10.8.0       0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         10.10.8.1       0.0.0.0         UG    100    0        0 eth0
cis192@sawyer:~$ ping -c2 sawyer
PING sawyer (127.0.1.1) 56(84) bytes of data.
64 bytes from sawyer (127.0.1.1): icmp_seq=1 ttl=64 time=1.26 ms
64 bytes from sawyer (127.0.1.1): icmp_seq=2 ttl=64 time=0.152 ms

--- sawyer ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.152/0.710/1.269/0.559 ms
cis192@sawyer:~$ ping -c2 10.10.10.141
PING 10.10.10.141 (10.10.10.141) 56(84) bytes of data.
64 bytes from 10.10.10.141: icmp_seq=1 ttl=64 time=0.295 ms
64 bytes from 10.10.10.141: icmp_seq=2 ttl=64 time=0.071 ms

--- 10.10.10.141 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.071/0.183/0.295/0.112 ms
cis192@sawyer:~$

Page 55

Exercise - CentOS NIC Config (permanent)

[root@arwen ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
ONBOOT=yes
HWADDR=00:0c:29:70:d5:71
BOOTPROTO=static
IPADDR=10.10.8.100
NETMASK=255.255.252.0
BROADCAST=10.10.11.255
[root@arwen ~]#

[root@arwen ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:70:D5:71
          inet addr:10.10.8.100  Bcast:10.10.11.255  Mask:255.255.252.0
          inet6 addr: fe80::20c:29ff:fe70:d571/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:761805 (743.9 KiB)  TX bytes:107613 (105.0 KiB)
          Interrupt:177 Base address:0x1400

[root@arwen ~]#

Page 56

TCP connection exercise

Packet capture (figure not reproduced): packet numbers 1 to 16 of an FTP session.

              Client         Server
IP address    172.30.4.83    192.168.2.150
Port          41025          51283          (socket for data transfer)

What is the socket being used for the FTP data transfer?
(slide answer: the client/server pair above, 172.30.4.83 port 41025 and 192.168.2.150 port 51283)

After which packet number does the FTP server regard the data transfer connection as being in the Established state?
(slide answer: 6)

What service makes use of the state of a connection?
(slide answer: firewall (iptables))

Page 57

TCP Tunable Parameters exercise

Arwen

• Revert Arwen to snapshot

For Arwen:

How many retries will Arwen do on a tcp connection before killing it?
  cat /proc/sys/net/ipv4/tcp_retries2  (output: 15)

Is TCP Selective acknowledgment enabled or disabled?
  cat /proc/sys/net/ipv4/tcp_sack  (output: 1)

How would you enable IP packet forwarding?
  echo 1 > /proc/sys/net/ipv4/ip_forward

How would you enable IP packet forwarding permanently?
  Put the line net.ipv4.ip_forward=1 in /etc/sysctl.conf, then do sysctl -p

Page 58

Selected Review

Page 59

Test 2 Review Topics
• Debian/Ubuntu NIC Config
• TCP - open and close connections
• TCP - tunable kernel parameters
• TCP - security issues
• Security Issues
• Application Layer
• telnet
• vsftpd
• sshd
• Super daemons
• TCP Wrappers
• SSH Port Forwarding
• Netfilter (firewalls and NAT)
• Firewalls and FTP
• DHCP
• PPP

Page 60

Debian/Ubuntu NIC Config (permanent)

static:

root@sun:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 172.30.4.222
netmask 255.255.255.0
broadcast 172.30.4.255
network 172.30.4.0
gateway 172.30.4.1
up route add -net 192.168.2.0/24 gw 172.30.4.107
up route add -net 192.168.30.0/24 gw 172.30.4.107
root@sun:~#

dhcp:

root@sun:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
root@sun:~#

hostname:

root@jin:~# vi /etc/hostname
root@jin:~# cat /etc/hostname
sun

Be sure to update /etc/hosts after changing the hostname.

Apply changes made in the configuration file:

/etc/init.d/networking restart

Note: /etc/resolv.conf is the same as in the Red Hat family

Page 61

Exercise - Debian/Ubuntu NIC Config (permanent)

Sauron

1. Revert Sauron to snapshot

2. Configure Sauron permanently:
   • Hostname = Sawyer
   • Static IP = 10.10.10.141/22
   • Default gateway = 10.10.8.1
   • Static route to 192.168.3.0/24 via 10.10.8.10

3. Test:
   • ping sawyer
   • ping 10.10.10.141

Hint: Use ipcalc on one of the CentOS systems

Page 62

The Transmission Control Protocol (Transport Layer)

TCP Header (figure not reproduced)

Sequence and acknowledgement numbers are used for flow control.

ACK, SYN and FIN flags are used for initiating connections, acknowledging data received and terminating connections.

Window size is used to communicate the buffer size of the recipient.

Options like SACK permit selective acknowledgement.

Page 63

The Transmission Control Protocol (Transport Layer)

Initial Connection: Three-Way Handshake
1. SYN
2. SYN-ACK
3. ACK

Diagram (not reproduced), client on the left, server on the right:

client (open state)        -->  SYN, SN=A, AN=0            -->  server (listen state)
client (established state) <--  SYN, ACK, SN=B, AN=A+1     <--  server
client                     -->  ACK, AN=B+1                -->  server (established state)

AN=Acknowledgment Number   SN=Sequence Number   ACK=ACK flag set

Page 64

The Transmission Control Protocol (Transport Layer)

Closing a Connection: Four-Way Handshake
1. FIN, ACK
2. ACK
3. FIN, ACK
4. ACK

Diagram (not reproduced), both sides starting in the established state:

client (initiate close)  -->  FIN, ACK, SN=A, AN=B       -->  server
client                   <--  ACK, SN=B, AN=A+1          <--  server (end application)
client                   <--  FIN, ACK, SN=B, AN=A+1     <--  server
client (closed)          -->  ACK, SN=A+1, AN=B+1        -->  server (closed)

AN=Acknowledgment Number   SN=Sequence Number   ACK=ACK flag set   FIN=FIN flag set
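The SN/AN arithmetic on the two handshake diagrams can be checked numerically with a small model. This is an added example, not code from the lesson; it sends nothing on the network, and the Endpoint/Segment classes, the state names and the initial sequence numbers (A=1000, B=5000) are all constructed here.

```python
"""Sequence/acknowledgement bookkeeping for the TCP open and close handshakes.

Added example, not part of the lesson slides.  Nothing touches the network:
Endpoint only reproduces the SN/AN arithmetic and the state names drawn on
the two handshake diagrams, so the A/B expressions there can be checked.
"""


class Segment:
    """One TCP segment as drawn on the slides: sender, flags, SN, AN."""

    def __init__(self, src, flags, sn, an):
        self.src, self.flags, self.sn, self.an = src, frozenset(flags), sn, an

    def __str__(self):
        order = {"SYN": 0, "FIN": 1, "ACK": 2}
        flags = ", ".join(sorted(self.flags, key=order.get))
        return f"{self.src:6} {flags}, SN={self.sn}, AN={self.an}"


class Endpoint:
    """One side of the connection: next SN to send, next SN expected, state."""

    def __init__(self, name, isn, state):
        self.name, self.sn, self.an, self.state = name, isn, 0, state

    def send(self, *flags):
        # AN is only meaningful with the ACK flag set (the first SYN carries AN=0).
        seg = Segment(self.name, flags, self.sn, self.an if "ACK" in flags else 0)
        # SYN and FIN each occupy one sequence number; a bare ACK occupies none.
        if "SYN" in flags or "FIN" in flags:
            self.sn += 1
        return seg

    def receive(self, seg):
        # A received SYN or FIN is acknowledged by expecting the next number.
        if "SYN" in seg.flags or "FIN" in seg.flags:
            self.an = seg.sn + 1


def _deliver(seg, receiver, trace):
    receiver.receive(seg)
    trace.append(seg)


def three_way_handshake(a, b):
    """Open: SYN, SYN-ACK, ACK.  Returns (client, server, [segments])."""
    client = Endpoint("client", isn=a, state="open")
    server = Endpoint("server", isn=b, state="listen")
    trace = []
    _deliver(client.send("SYN"), server, trace)          # SYN, SN=A, AN=0
    _deliver(server.send("SYN", "ACK"), client, trace)   # SYN, ACK, SN=B, AN=A+1
    client.state = "established"                         # client is up on SYN-ACK
    _deliver(client.send("ACK"), server, trace)          # ACK, AN=B+1
    server.state = "established"                         # server is up on the ACK
    return client, server, trace


def four_way_close(client, server):
    """Close initiated by the client: FIN-ACK, ACK, FIN-ACK, ACK."""
    trace = []
    _deliver(client.send("FIN", "ACK"), server, trace)   # FIN, ACK, SN=A, AN=B
    client.state, server.state = "fin-wait-1", "close-wait"
    _deliver(server.send("ACK"), client, trace)          # ACK, SN=B, AN=A+1
    client.state = "fin-wait-2"                          # tcp_fin_timeout bounds this wait
    _deliver(server.send("FIN", "ACK"), client, trace)   # FIN, ACK, SN=B, AN=A+1
    server.state = "last-ack"
    _deliver(client.send("ACK"), server, trace)          # ACK, SN=A+1, AN=B+1
    client.state, server.state = "time-wait", "closed"   # client closes after 2*MSL
    return trace


if __name__ == "__main__":
    c, s, opened = three_way_handshake(a=1000, b=5000)   # constructed ISNs
    for segment in opened + four_way_close(c, s):
        print(segment)
```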

Page 65

TCP connection exercise

Packet capture (figure not reproduced): packet numbers 1 to 16 of an FTP session.

What is the socket being used for the FTP data transfer?

After which packet number does the FTP server regard the data transfer connection as being in the Established state?

What service makes use of the state of a connection?

Page 66

TCP Tunable Kernel Parameters (Transport Layer)

Found in the /proc/sys/net/ipv4 directory:

tcp_fin_timeout       how long to keep in FIN-WAIT-2 state
tcp_keepalive_time    how long to keep an unused connection alive
tcp_sack              enable/disable selective acknowledgments
tcp_timestamps        enable RFC 1323 definition for round-trip measurement
tcp_window_scaling    enable RFC 1323 window scaling
tcp_retries1          how many times to retry before reporting an error
tcp_retries2          how many times to retry before killing connection
tcp_syn_retries       how many times to retransmit the SYN, ACK reply

In the same directory:

ip_forward            enable/disable IP packet forwarding

Page 67

TCP Tunable Kernel Parameters

[cis192@arwen ~]$ cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

< snipped >

[cis192@arwen ~]$

[cis192@arwen ~]$ cat /proc/sys/net/ipv4/conf/default/accept_source_route
0
[cis192@arwen ~]$ cat /proc/sys/net/ipv4/conf/default/rp_filter
1
[cis192@arwen ~]$ cat /proc/sys/net/ipv4/ip_forward
0

Note: Use sysctl -p to put in effect any changes made to /etc/sysctl.conf

Page 68

TCP Tunable Parameters Exercise

Arwen

• Revert Arwen to snapshot

For Arwen:

How many retries will Arwen do on a TCP connection before killing it?

Is TCP Selective acknowledgment enabled or disabled?

How would you enable IP packet forwarding temporarily?

How would you enable IP packet forwarding permanently?

Page 69

Telnet Service and the xinetd super daemon

• Install: yum install telnet-server
• Configure: /etc/xinetd.d/telnet
• Start: service xinetd (re)start or killall -1 xinetd
• Automate: chkconfig xinetd on
• Check:
  • ps -ef | grep telnetd
  • service xinetd status
• Test: telnet localhost
• Troubleshoot:
  • cabling, interfaces
  • routing and forwarding
  • config file syntax and content
  • /var/log/messages
  • wireshark
  • firewall and selinux
  • universal fix (reboot)

Page 70

Telnet and xinetd super daemon exercise

Arwen

1. Revert Arwen to snapshot

2. Temporarily connect to the Internet and use dhcp to get an IP address

3. Install the telnet-server package

4. Configure and start the service

5. Automate the service to start at boot

6. Test the server locally (telnet localhost)

Page 71

Access controls

• Configuration files
• TCP Wrappers
• Firewalls

Page 72

Access controls using xinetd configuration file

Diagram (not reproduced): Arwen (eth0 10.10.8.100) and Sawyer (eth0 10.10.10.141) on VMnet3, network 10.10.8.0/22.

• Join Sawyer and Arwen to the 10.10.8.0/22 network
• Test using pings from both ends
• Disable the firewall on Arwen
  • lokkit
  • or iptables -F and iptables -X
• Telnet from Sawyer to Arwen

Page 73: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

[root@arwen ~]# cat /etc/xinetd.d/telnet# default: on# description: The telnet server serves telnet sessions; it uses \# unencrypted username/password pairs for authentication.service telnet{ flags = REUSE socket_type = stream wait = no user = root only_from = 192.168.0.23 server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no}[root@arwen ~]#

73

CIS 192 - Lesson 9

Installing and Configuring Telnet

Edit the configuration file

Use only_from to restrict clients that can access the Telnet service

Page 74

Installing and Configuring Telnet

only_from examples:

only_from = arwen                                   hostname
only_from = arwen legolas                           multiple hostnames
only_from = 192.168.3.12 192.168.3.14               or IP addresses
only_from = 192.168.3.{12, 14}                      same as above
only_from = 192.168.0.0                             0's are wildcards
only_from = sauron 172.30.4.0 10.10.10.{1, 200}     mixes
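The address forms listed above can be exercised offline with a small matcher. This is an added example, not xinetd's own code; the function names are mine, and the client's resolved hostname is supplied by the caller rather than looked up in DNS.

```python
"""Matcher for the only_from address forms shown on the slide.

Added example, not xinetd's own code.  Handles exactly the forms listed:
plain hostname, dotted IP address, factorized address such as
192.168.3.{12, 14}, trailing-zero wildcard such as 192.168.0.0, and mixes.
"""
import re


def parse_only_from(value):
    """Split an only_from value into single patterns, expanding {a, b} lists."""
    # Remove spaces inside braces so '{12, 14}' survives the whitespace split.
    value = re.sub(r"\{[^}]*\}", lambda m: m.group(0).replace(" ", ""), value)
    patterns = []
    for token in value.split():
        m = re.fullmatch(r"(.*)\{([^}]*)\}(.*)", token)
        if m:
            head, body, tail = m.groups()
            patterns.extend(f"{head}{part}{tail}" for part in body.split(",") if part)
        else:
            patterns.append(token)
    return patterns


def _ip_matches(pattern, client_ip):
    """Dotted pattern; trailing 0 octets are wildcards (192.168.0.0 = 192.168.x.x)."""
    want = [int(o) for o in pattern.split(".")]
    have = [int(o) for o in client_ip.split(".")]
    while want and want[-1] == 0:
        want.pop()
    return have[: len(want)] == want


def only_from_allows(only_from, client_ip, client_host=None):
    """True if this only_from line admits the connecting client."""
    for pattern in parse_only_from(only_from):
        if re.fullmatch(r"\d+(\.\d+)*", pattern):
            if _ip_matches(pattern, client_ip):
                return True
        elif client_host and pattern.lower() == client_host.lower():
            return True
    return False


def xinetd_outcome(only_from, client_ip, client_host=None):
    """What the telnet client observes: a login prompt or an immediate close."""
    if only_from_allows(only_from, client_ip, client_host):
        return "login prompt"
    return "Connection closed by foreign host."
```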

Page 75

Access controls using xinetd configuration file

Diagram (not reproduced): Arwen (eth0 10.10.8.100) and Sawyer (eth0 10.10.10.141) on VMnet3, network 10.10.8.0/22.

• Configure the telnet service configuration file on Arwen to not allow Sawyer.
• Verify Sawyer is blocked and gets the "Connection closed by foreign host" error message.
• Now configure the telnet service configuration file on Arwen to only allow Sawyer.
• Login using telnet from Sawyer to Arwen to verify.

Page 76

Access controls: TCP Wrappers

• Implemented by the tcpd daemon
• /etc/hosts.allow – to specify hosts that may access services
• /etc/hosts.deny – to specify hosts that may not access services

Use the ldd command on a daemon to see if it supports TCP Wrappers (i.e. libwrap has been compiled in).

Page 77

TCP Wrappers: /etc/hosts.allow and /etc/hosts.deny syntax

daemon : hosts : options

daemon    ALL or name of daemon

hosts     ALL
          or hostname(s)
          or net., e.g. 192.168. matches all 192.168.x.x addresses
          or net/netmask, e.g. 172.0.0.0/255.0.0.0 matches all 172.x.x.x addresses
          more …

options   allow
          deny
          spawn shell command
          many more …

Page 78

TCP Wrapper Examples

Each line is  daemons : hosts

[root@arwen ~]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: frodo
vsftpd: 172.30.
in.telnetd: 192.168.2.10 127.0.0.1

[root@arwen ~]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

#deny everything
ALL: ALL

ALL: ALL means all daemons and all hosts
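The two files above can be evaluated offline to predict what tcpd will do for a given daemon and client, which is a handy check before running the exercise. This is an added example, not tcpd's own code: it reproduces the slide's two files as constructed sample input, follows the hosts.allow-then-hosts.deny order, and supports only the client patterns listed on the syntax slide plus the allow/deny option keywords; the function names are mine.

```python
"""hosts.allow / hosts.deny decision for the files shown on the slide.

Added example, not tcpd's own code.  Order of evaluation: a match in
hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise
access is granted.  Client patterns handled: ALL, hostname, full address,
'net.' prefix and net/netmask; options handled: allow, deny.
"""
import ipaddress

# The two files from the slide, reproduced here as constructed sample input.
HOSTS_ALLOW = """\
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: frodo
vsftpd: 172.30.
in.telnetd: 192.168.2.10 127.0.0.1
"""

HOSTS_DENY = """\
#deny everything
ALL: ALL
"""


def parse_access_file(text):
    """Return [(daemons, clients, options)] for each 'daemon : hosts : options' line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        options = [o for o in fields[2:] if o]
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, ip, hostname=None):
    """Match one client pattern against the connecting host."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                               # net/netmask, e.g. 172.0.0.0/255.0.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                        # net., e.g. 192.168. matches 192.168.x.x
        return ip.startswith(pattern)
    if pattern.replace(".", "").isdigit():           # complete address
        return ip == pattern
    return hostname is not None and pattern.lower() == hostname.lower()


def _first_match(rules, daemon, ip, hostname):
    for daemons, clients, options in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(c, ip, hostname) for c in clients
        ):
            return True, options
    return False, []


def tcpd_allows(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if tcpd would hand the connection to the daemon."""
    hit, options = _first_match(parse_access_file(allow), daemon, ip, hostname)
    if hit:
        return "deny" not in options                 # a 'deny' option still refuses
    hit, options = _first_match(parse_access_file(deny), daemon, ip, hostname)
    if hit:
        return "allow" in options                    # an 'allow' option still grants
    return True                                      # no rule matched: access granted
```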

Page 79

Access controls using TCP Wrappers

Diagram (not reproduced): Arwen (eth0 10.10.8.100) and Sawyer (eth0 10.10.10.141) on VMnet3, network 10.10.8.0/22.

• Configure TCP wrappers /etc/hosts.deny on Arwen to not allow any access to any services.
• Verify Sawyer is blocked and gets the "Connection closed by foreign host" error message.
• Now configure TCP wrappers on Arwen to only allow Sawyer to use the telnet service.
• Login using telnet from Sawyer to Arwen to verify.

Page 80: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

CentOS[root@arwen ~]# iptables -L RH-Firewall-1-INPUT --line-numbersChain RH-Firewall-1-INPUT (2 references)num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT icmp -- anywhere anywhere icmp any 3 ACCEPT esp -- anywhere anywhere 4 ACCEPT ah -- anywhere anywhere 5 ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns 6 ACCEPT udp -- anywhere anywhere udp dpt:ipp 7 ACCEPT tcp -- anywhere anywhere tcp dpt:ipp 8 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 9 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh 10 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited [root@arwen ~]#

80

CIS 192 - Lesson 9

Firewall for Telnet

Telnet port is not open

Page 81

Firewall for Telnet

Open the telnet port by replacing rule 9 (ssh=22 and telnet=23):

[root@arwen ~]# iptables -R RH-Firewall-1-INPUT 9 -m state --state NEW -m tcp -p tcp --dport 22:23 -j ACCEPT
[root@arwen ~]#

Page 82: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

[root@arwen ~]# iptables -LChain INPUT (policy ACCEPT)target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT esp -- anywhere anywhere ACCEPT ah -- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ACCEPT udp -- anywhere anywhere udp dpt:ipp ACCEPT tcp -- anywhere anywhere tcp dpt:ipp ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere state NEW tcp dpts:ssh:telnet REJECT all -- anywhere anywhere reject-with icmp-host-prohibited [root@arwen ~]#

82

CIS 192 - Lesson 9

Firewall for TelnetTelnet port is open

Page 83

Access controls using Firewall

Diagram (not reproduced): Arwen (eth0 10.10.8.100) and Sawyer (eth0 10.10.10.141) on VMnet3, network 10.10.8.0/22.

• Enable the firewall with lokkit or service iptables restart.
• Verify Sawyer is blocked and gets the "Unable to connect to remote host: No route to host" error message.
• Modify Arwen's firewall to allow incoming telnet connections.
• Login using telnet from Sawyer to Arwen to verify.

Page 84

Netfilter – all tables and chains

Diagram (not reproduced): packet flow through Netfilter. An inbound packet passes the routing algorithm and is either delivered to local processes or forwarded out as an outbound packet; outbound packets come either from an inbound (forwarded) packet or from a local process.

Page 85

Netfilter – examples

Diagram (not reproduced): Frodo (client, eth0 .199 on 172.30.4.0/24), Elrond (router, eth2 .1xx on 172.30.4.0/24 and eth1 .10 on 192.168.2.8/30) and Arwen (server, eth0 .9 on 192.168.2.8/30).

Table: filter
Chain: INPUT
Chain Policy: DROP

Chain Rules:
-s 172.30.4.199/32 -j REJECT     Reject anything from Frodo
-s 192.168.0.0/16 -j ACCEPT      Accept all packets from 192.168.x.x
DROP everything else

Page 86

SSH Port Forwarding

Diagram (not reproduced): Frodo (client, eth0 .199 on 172.30.4.0/24), Elrond (router, eth2 .1xx on 172.30.4.0/24 and eth1 .10 on 192.168.2.8/30) and Arwen (server, eth0 .9 on 192.168.2.8/30).

cis192@frodo:~$ ssh -L 8000:arwen:23 elrond

Any connection made to port 8000 on Frodo will get forwarded to port 23 on Arwen via Elrond.

The portion of the connection between Frodo and Elrond will be encrypted.

Page 87

SSH Port Forwarding

Frodo: enable port forwarding in the first terminal, then use the port forwarding in a second terminal.

Page 88

DHCP Architecture

DHCP Servers
• Scopes and exclusions
• Reservations
• Leases
• Options
  ‒ IP Address and Netmask
  ‒ Gateway
  ‒ DNS Server
  ‒ Domain name
  ‒ others

DHCP Relay Agents

DHCP Clients

DHCP Clients lease IP addresses from DHCP Servers.

DHCP Relay Agents let one DHCP server service subnets it is not directly connected to.

Page 89

DHCP

Diagram (not reproduced): one DHCP Server, a DHCP Relay Agent (Linux Router), and DHCP Clients on two subnets.

Page 90

DHCP

DHCPDISCOVER
DHCPOFFER
DHCPREQUEST
DHCPACK
DHCPRELEASE

DORA (Discover, Offer, Request, Acknowledge)

Page 91

DHCPDISCOVER (broadcast)

frodo: "Help, I need an IP address!"

The UDP datagram is broadcast with SIP = 0.0.0.0

Page 92: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

[root@elrond ~]# cat /etc/dhcpd.conf ddns-update-style interim;ignore client-updates;option time-offset -25200; # Pacific Daylight Time (-7 HR)

## R I V E N D E L L#subnet 192.168.2.0 netmask 255.255.255.0 { option routers 192.168.2.1XX; # Default GW option subnet-mask 255.255.255.0; option domain-name "rivendell"; option domain-name-servers 207.62.187.54;

range dynamic-bootp 192.168.2.50 192.168.2.99; default-lease-time 21600; # 6 hours max-lease-time 43200; # 12 hours

# reservations host legolas { hardware ethernet 00:0C:29:7C:18:F5; fixed-address 192.168.2.150; }}

CIS 192 – Lesson 9

92

Global and specific settings for DHCP Lab Rivendell subnet

Will be the eth1 interface on your station's Elrond

DHCPelrond

DHCP

Page 93: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

## M O R D O R#subnet 192.168.3.0 netmask 255.255.255.0 { option routers 192.168.3.150; # Default GW option subnet-mask 255.255.255.0; option domain-name "mordor"; option domain-name-servers 207.62.187.54;

range dynamic-bootp 192.168.3.50 192.168.3.99; default-lease-time 21600; # 6 hours max-lease-time 43200; # 12 hours}

CIS 192 – Lesson 9

93

Settings for DHCP Lab Mordor subnet in /etc/dhcpd.conf

DHCPelrond

DHCP

Page 94: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

## S H I R E #subnet 172.30.4.0 netmask 255.255.255.0 { option routers 172.30.N.1; option subnet-mask 255.255.255.0; option domain-name "shire"; option domain-name-servers 207.62.187.54;

range dynamic-bootp 172.30.4.80 172.30.4.84; default-lease-time 21600; max-lease-time 43200;}[root@elrond ~]#

CIS 192 – Lesson 9

94

Settings for DHCP Lab Shire subnet in /etc/dhcpd.conf

Use the pool of addresses based on your station number to avoid conflicts!

N=1 for the classroom and N=4 for the lab

DHCPelrond

DHCP
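The three subnet declarations above are the kind of file where a wrong router, a range spilling outside its subnet, or a reservation landing inside the dynamic range causes the address conflicts the slide warns about. The checker below is an added example, not part of the lesson or of ISC dhcpd; it parses only the subset of dhcpd.conf used here. Its sample input is constructed from the slides, with the 1XX placeholder written as .101 and the Shire router as 172.30.4.1 (N=4) so the text parses; the function names are mine.

```python
"""Consistency checks on the dhcpd.conf subnet declarations from the slides.

Added example, not part of the lesson or of ISC dhcpd.  Parses the subset
used here (subnet blocks with option routers, a dynamic-bootp range and host
reservations) and reports: a router outside its subnet, a range reversed or
outside its subnet, and a reservation inside the dynamic range.
"""
import ipaddress
import re

# Constructed from the three subnet slides.  192.168.2.1XX is written as .101
# and the Shire router as 172.30.4.1 (N=4, the lab value) so the text parses.
SAMPLE_DHCPD_CONF = """\
ddns-update-style interim;
ignore client-updates;
option time-offset -25200;   # Pacific Daylight Time (-7 HR)

subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.101;   # Default GW
    option subnet-mask 255.255.255.0;
    range dynamic-bootp 192.168.2.50 192.168.2.99;
    host legolas {
        hardware ethernet 00:0C:29:7C:18:F5;
        fixed-address 192.168.2.150;
    }
}
subnet 192.168.3.0 netmask 255.255.255.0 {
    option routers 192.168.3.150;
    range dynamic-bootp 192.168.3.50 192.168.3.99;
}
subnet 172.30.4.0 netmask 255.255.255.0 {
    option routers 172.30.4.1;
    range dynamic-bootp 172.30.4.80 172.30.4.84;
}
"""


def blocks(text):
    """Yield (header, body) for each brace-delimited block at this nesting level."""
    depth, body_start, header_start = 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                # The header is whatever follows the last ';' before this brace.
                header = text[header_start:i].split(";")[-1].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[body_start:i]
                header_start = i + 1


def lint_dhcpd(text):
    """Return a list of problem descriptions (empty when the file is consistent)."""
    text = re.sub(r"#[^\n]*", "", text)                    # strip comments first
    problems = []
    for header, body in blocks(text):
        m = re.fullmatch(r"subnet\s+(\S+)\s+netmask\s+(\S+)", header)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        gw = re.search(r"option\s+routers\s+([\d.]+)\s*;", body)
        if gw and ipaddress.ip_address(gw.group(1)) not in net:
            problems.append(f"{net}: router {gw.group(1)} is outside the subnet")
        rng = re.search(r"range(?:\s+dynamic-bootp)?\s+([\d.]+)\s+([\d.]+)\s*;", body)
        lo = hi = None
        if rng:
            lo, hi = map(ipaddress.ip_address, rng.groups())
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"{net}: range {lo}-{hi} is reversed or outside the subnet")
        for host_hdr, host_body in blocks(body):           # host reservations
            fa = re.search(r"fixed-address\s+([\d.]+)\s*;", host_body)
            if not fa:
                continue
            addr = ipaddress.ip_address(fa.group(1))
            if addr not in net:
                problems.append(f"{host_hdr}: {addr} is outside {net}")
            elif lo is not None and lo <= addr <= hi:
                problems.append(f"{host_hdr}: {addr} lies inside the dynamic range")
    return problems


if __name__ == "__main__":
    print(lint_dhcpd(SAMPLE_DHCPD_CONF) or "no problems found")
```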

Page 95: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

PPP

95

Page 96

Layer 2 Technologies

• X.25
• HIPPI
• Ethernet/IEEE 802.3
• Token Ring
• FDDI/CDDI
• Fibre Channel
• ATM
• PPP

Up to now we have been just using Ethernet for Layer 2. In LabX2 we will implement PPP over a serial connection.

Page 97

PPP

http://tldp.org/HOWTO/PPP-HOWTO/index.html

Lots of good information on PPP here!

Page 98

PPP

• PPP = Point to Point protocol
• PPP allows running IP and other network protocols over a serial link
• Serial links can be:
  • Direct connections using a null-modem cable
  • Using modems and telephone lines
• PPP can be used as a WAN technology to connect LANs together

Page 99

Features of PPP and SLIP

Both protocols offer the ability to send datagrams over a serial-line connection.

SLIP
• Works only with TCP/IP
• No error detection unless SLIP headers become corrupted
• Supports header compression only
• Supports only clear-text authentication

PPP
• Supports TCP/IP as well as UDP/IP, IPX/SPX, and Appletalk
• Built-in error detection
• Supports built-in data compression using the Van Jacobson compression algorithm
• Supports various authentication mechanisms, e.g. PAP and CHAP

PAP = Password Authentication Protocol
CHAP = Challenge Handshake Authentication Protocol

Page 100

PPP Architecture

• PPP is also called a Peer-to-Peer protocol because there is fundamentally no difference between the server and the client.
• The ppp daemons must be running on both sides of the connection.
• The computer that initiates the call is called the client; the one that answers the call is the server.

Page 101

PPP Architecture (continued)

• Network Control Protocol (NCP) provides PPP with a means of differentiating between the different stacks it can transport, such as using IPCP for delivering TCP/IP packets.
• Authorization Protocol provides a built-in authentication mechanism for PPP connections using either:
  • Password Authentication Protocol (PAP) or
  • Challenge Handshake Authentication Protocol (CHAP)

Page 102

PPP Architecture (continued)

• Link Control Protocol (LCP) negotiates important link establishment options such as the maximum datagram size. Also helps to facilitate automated link establishment setup.
• High-level Data Link Control Protocol (HDLC) provides frame boundary information and an added checksum for built-in error detection.

Page 103: CIS 192 – Lesson 9 Lesson Module Status Slides – Properties - done Flashcards - 1 st minute quiz – Web Calendar summary – Web book pages – Commands – Howtos.

CIS 192 - Lesson 9

PPP Architecture

PPP runs as two major components: 1.Kernel portion - consists of and manages low-level protocols 2.User portion - consists of and manages the authentication protocols

• pppd - runs the various protocols • chat - provides automated dialing management for

modem connections Both of these programs rely on command line options and/or shell scripts to configure how they operate.


Setting Up PPP

•Install the software
You may have to compile PPP support into the kernel or load it as a module. Look for something similar to the following in /var/log/dmesg (or the output of dmesg) to see if you have kernel support for PPP:

PPP Dynamic channel allocation code copyright 1995 Caldera, Inc.
PPP line discipline registered.

•Configure your serial port
• setserial - look for a modern 16550A UART (it has a 16-byte FIFO, which matters at higher baud rates)
• stty - look for baud rate, parity and stop bits

•Configure your modem


Linking two LANs using PPP

•Setting up the IP numbers

•Setting up the routing

•Network security


Setting up a PPP Server

•Getting the software together

•Setting up standard (shell access) dialup.

•Setting up the PPP options files

•Setting pppd up to allow users to (successfully) run it

•Setting up the global alias for pppd


PPP Configuration Utilities

•WvDial - A command-line pppd driver

•rp3 - RedHat PPP dialer (Graphical)

•Linuxconf - Universal (almost) Linux PPP dialer


ISP Information

•The phone number to call (don't forget the outside-line prefix, e.g. 9, if behind a PABX)

•Dynamic or static IP numbers

•DNS server IP addresses. Traditionally these had to be configured by hand; pppd can also accept them from the peer during IPCP negotiation with the usepeerdns option, which writes them to /etc/ppp/resolv.conf.

•If PAP or CHAP is used, you need an id and "secret". On the Linux side these live in /etc/ppp/pap-secrets or /etc/ppp/chap-secrets, which should be readable by root only.

•What starting command to invoke.


Lab X2


Using a named pipe for the virtual null modem cable between the two serial COM ports

Using PPP as the WAN layer 2 protocol over the serial connection

Using Ethernet as the LAN layer 2 protocol over the hub and LAN cables

Lab X2


Arwen (the server end)

Sauron (the client end)

Use the Hardware Wizard to add serial ports

Lab X2


Lab X2

[root@arwen ~]# ls -l /dev/ttyS?
crw--w---- 1 ppp  tty  4, 64 Mar 25 06:56 /dev/ttyS0
crw-rw---- 1 root uucp 4, 65 Mar 24 16:39 /dev/ttyS1
crw-rw---- 1 root uucp 4, 66 Mar 24 16:39 /dev/ttyS2
crw-rw---- 1 root uucp 4, 67 Mar 24 16:39 /dev/ttyS3
[root@arwen ~]#

Each serial port is considered by UNIX to be a device file: the leading c marks a character device, and 4,64 through 4,67 are its major and minor numbers. In the past these serial ports were used to connect terminals. Teletypes (hence tty) were terminals without a screen; they had a keyboard and a printer.

In the DOS/Windows world serial ports are called COM1, COM2, etc.

Note: DOS COM1 = Linux /dev/ttyS0

Note also the ownership: /dev/ttyS0 currently belongs to user ppp with mode crw--w----, because /bin/login hands the tty over to whoever logged in on it; this shows that the ppp account has a session on the serial line. The unused ports keep their default root:uucp ownership, so only root and members of the uucp group can open them.


Lab X2

[root@arwen ~]# setserial /dev/ttyS0
/dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
[root@arwen ~]#

The setserial command sets or reports on serial port configuration.

Use with just the device name to report the configuration.


Lab X2

[root@arwen ~]# tail -1 /etc/inittab
s1:35:respawn:/sbin/agetty 38400 ttyS0

The fields of an /etc/inittab entry are id:runlevels:action:process:

s1 - unique identifier for this entry

35 - run in run levels 3 and 5

respawn - start the process if it does not exist and restart it when it dies (so a fresh login prompt appears after every logout or hangup)

/sbin/agetty 38400 ttyS0 - the process: agetty at 38400 baud on the terminal serial device ttyS0

agetty is an alternative getty used for virtual consoles and serial terminals. It opens the TTY port, prompts for a login name and invokes /bin/login, which asks for the password. It is used here to handle the login process over the serial link.

Caveat: once this entry is active, anyone who can reach the other end of the serial cable (here, the sauron VM through the named pipe) gets a login prompt on arwen. The password check in /bin/login is the only control, so every account permitted to log in on ttyS0 needs a strong password, and root can log in there only if ttyS0 is listed in /etc/securetty.


Lab X2

[root@arwen ~]# telinit q

Tells init to reread the /etc/inittab file after making changes


Lab X2

[root@arwen ~]# chmod u+s /usr/sbin/pppd
[root@arwen ~]# ls -l /usr/sbin/pppd
-r-sr-xr-x 1 root root 312236 Mar 14  2007 /usr/sbin/pppd
[root@arwen ~]#

This sets a special permission called the setuid bit (the s in the owner's execute position). Anyone who can execute the file runs it with the privileges of the file's owner, here root, which pppd needs in order to configure the network interface and the routing table.

pppd is written to be run setuid root: options that permit potentially insecure configurations are "privileged" and are only accepted from root or from the root-owned files /etc/ppp/options and /etc/ppp/peers/*, and an unprivileged user cannot override anything set in /etc/ppp/options. Even so, every setuid-root binary is a privilege-escalation target. Keep pppd patched and, on a real server, make it executable only by the group of users who need it (mode 4750) rather than by everyone, as the r-x for "other" above allows.
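The lab's chmod u+s leaves pppd executable by every local user. The following shell fragment is an added example, not part of the CIS 192 lab, showing how to keep the setuid bit but limit who may start the program, how to read back the result, and how to list the other setuid-root binaries on the host. It assumes GNU coreutils (stat -c) and an existing group to hand the binary to; the group name "dialout" used in the usage comment is an assumption, not something the lab specifies.

```shell
#!/bin/sh
# Added example (not from the CIS 192 lab): tighten a setuid-root binary
# such as /usr/sbin/pppd so that only one group can execute it.
# Assumptions: GNU coreutils (stat -c), POSIX sh, and that GROUP exists.

# restrict_setuid FILE GROUP
# chgrp first: an unprivileged chgrp clears the setuid bit on Linux, so the
# mode is set afterwards. 4750 = setuid, owner rwx, group r-x, other ---.
restrict_setuid() {
    file="$1"; group="$2"
    chgrp "$group" "$file" || return 1
    chmod 4750 "$file" || return 1
}

# describe_setuid FILE
# Prints "setuid:<yes|no> other-exec:<yes|no> mode:<octal>" so a reviewer
# can see at a glance whether "other" may still run the program.
describe_setuid() {
    file="$1"
    mode=$(stat -c '%a' "$file")        # e.g. 4750 or 755
    if [ -u "$file" ]; then s=yes; else s=no; fi
    last=${mode#${mode%?}}              # last octal digit = "other" bits
    other=$((last & 1))                 # execute is bit value 1
    if [ "$other" -eq 1 ]; then o=yes; else o=no; fi
    echo "setuid:$s other-exec:$o mode:$mode"
}

# list_setuid_root DIR
# Every setuid file owned by root below DIR (one filesystem); the list of
# binaries that should be reviewed after adding a new one like pppd.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Usage (as root, group "dialout" assumed to exist):
#   restrict_setuid /usr/sbin/pppd dialout
#   describe_setuid /usr/sbin/pppd      # setuid:yes other-exec:no mode:4750
#   list_setuid_root /usr
```

Run describe_setuid before and after restrict_setuid to confirm the "other" execute bit is gone while the setuid bit remains; the users who still need pppd are added to the group instead.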


Lab X2

[root@arwen ~]# minicom

minicom is a small terminal emulator with a dialing capability

-s option is used to set up the defaults, which are saved in /etc/minicom/minirc.dfl

-o option skips the modem initialization. Useful for restarting a session, and all that is needed on a null-modem cable where there is no modem to initialize.


Lab X2

root@sauron:~# minicom -s

+-----[configuration]------+
| Filenames and paths      |
| File transfer protocols  |
| Serial port setup        |
| Modem and dialing        |
| Screen and keyboard      |
| Save setup as dfl        |
| Save setup as..          |
| Exit                     |
| Exit from Minicom        |
+--------------------------+

Select choice (here Serial port setup) and hit Enter:

+------------------------------------------+
| A -    Serial Device      : /dev/tty8    |
| B - Lockfile Location     : /var/lock    |
| C -   Callin Program      :              |
| D -  Callout Program      :              |
| E -    Bps/Par/Bits       : 115200 8N1   |
| F - Hardware Flow Control : Yes          |
| G - Software Flow Control : No           |
|                                          |
|    Change which setting?                 |
+------------------------------------------+

Select option (A for the serial device) and type the new configuration value.


Lab X2

+------------------------------------------+
| A -    Serial Device      : /dev/ttyS0   |
| B - Lockfile Location     : /var/lock    |
| C -   Callin Program      :              |
| D -  Callout Program      :              |
| E -    Bps/Par/Bits       : 115200 8N1   |
| F - Hardware Flow Control : Yes          |
| G - Software Flow Control : No           |
|                                          |
|    Change which setting?                 |
+------------------------------------------+

The serial device is now /dev/ttyS0 (the port wired to the virtual null-modem cable). When finished use Esc to exit this menu and return to the configuration menu:

+-----[configuration]------+
| Filenames and paths      |
| File transfer protocols  |
| Serial port setup        |
| Modem and dialing        |
| Screen and keyboard      |
| Save setup as dfl        |
| Save setup as..          |
| Exit                     |
| Exit from Minicom        |
+--------------------------+

Use Save setup as dfl to save

Use Exit from Minicom to exit


Lab X2

root@sauron:~# minicom -o

Welcome to minicom 2.3

OPTIONS: I18n
Compiled on Oct 24 2008, 06:37:44.
Port /dev/ttyS0

Press CTRL-A Z for help on special keys

CentOS release 5.2 (Final)
Kernel 2.6.18-92.1.22.el5 on an i686

arwen.localdomain login: cis192
Password:
Last login: Tue Mar 24 17:27:32 on ttyS0
[cis192@arwen ~]$ hostname
arwen.localdomain
[cis192@arwen ~]$

The login prompt is arwen's agetty answering on the other end of the null-modem cable; the hostname output confirms the session is running on arwen, not on sauron.

After logging out, the respawn action in /etc/inittab starts a new agetty and another login prompt appears. To leave minicom, press Ctrl-A Z (help), then Q (quit without reset):

CentOS release 5.2 (Final)
Kernel 2.6.18-92.1.22.el5 on an i686

arwen.localdomain login:
+----------------------+
| Leave without reset? |
|     Yes       No     |
+----------------------+
CTRL-A Z for help |115200 8N1 | NOR | Minicom 2.3 | VT102 | Online 00:01
root@sauron:~#

Ctrl-A z q (press the Ctrl and A keys together, then z, then q)


Lab X2

Adding a new user account

[root@arwen ~]# useradd -c "Guest account for serial access" guest
[root@arwen ~]# cat /etc/passwd | grep guest
guest:x:501:501:Guest account for serial access:/home/guest:/bin/bash

The /etc/passwd fields, separated by colons:

guest - user account name

x - the password is not stored here but in /etc/shadow (use the passwd command to set it)

501 - user ID (uid)

501 - group ID (gid)

Guest account for serial access - comment

/home/guest - home directory

/bin/bash - login shell

Note: on CentOS, useradd leaves the new account locked (its /etc/shadow password field is "!!") until passwd is run, so nobody can log in as guest on ttyS0 until a password is set. Set a strong one, since this account will be offered to whoever connects to the serial port.


Lab X2

Command line (server side):

/usr/sbin/pppd -detach crtscts proxyarp 10.0.0.1:10.0.0.2 /dev/ttyS0 38400

or the equivalent configuration file (one option per line):

[root@arwen ~]# cat /etc/ppp/options
-detach
crtscts
lock
proxyarp
10.0.0.1:10.0.0.2
/dev/ttyS0
38400

Refer to: http://tldp.org/HOWTO/PPP-HOWTO/options.html#AEN964

-detach - Don't fork to become a background process (otherwise pppd will do so if a serial device is specified).

crtscts - Use hardware flow control (i.e. RTS/CTS) to control the flow of data on the serial port.

lock - Use a UUCP-style lock file on the serial device to ensure exclusive access to the device. (Present in the options file but not on the command line above; include it so that agetty or minicom and pppd cannot fight over ttyS0.)

proxyarp - Add an entry to this system's ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this system, so hosts on arwen's LAN reach the PPP client as if it were on the Ethernet.

10.0.0.1:10.0.0.2 - IP address for server-end:client-end. Because the server fixes both addresses, the client cannot pick its own.

/dev/ttyS0 - Serial device

38400 - Baud rate

Note that /etc/ppp/options is read by every pppd started on this host, and these options assume a single fixed link. No PPP-level authentication (auth, PAP, CHAP) is configured here: in this lab the peer has already authenticated with a Unix login on the serial line before pppd is started, so the login password is what controls access to the link.


Lab X2

Command line (client side) to make a connection:

pppd updetach crtscts defaultroute /dev/ttyS0 38400 connect "exec chat -v TIMEOUT 3 ogin:--ogin: ppp assword: secret"

pppd options:

updetach - pppd will detach from its controlling terminal once it has successfully established the PPP connection (to the point where the first network control protocol, usually the IP control protocol, has come up).

crtscts - Use hardware flow control (RTS/CTS), matching the server end.

defaultroute - Add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is successfully completed. This entry is removed when the PPP connection is broken. pppd will not replace a default route that already exists, so on a host that is already on a network with a default gateway this option has no effect.

/dev/ttyS0 38400 - Serial device and baud rate.

connect "..." - Run this command to bring up the line before PPP negotiation starts.

The chat program:

The chat program defines a conversational exchange between the computer and the modem (here, with arwen's login prompt over the null-modem cable). Its primary purpose is to establish the connection between the Point-to-Point Protocol Daemon (pppd) and the remote pppd process.

-v - Request that the chat script be executed in verbose mode. The chat program will then log the execution state of the chat script as well as all text received from the modem and the output strings sent to the modem. The default is to log through syslog; the logging method may be altered with the -S and -s flags. Caveat: the logged output strings include the password ("secret"), so drop -v once the script works. Independently of -v, everything on this command line, password included, is visible to every local user in ps output; a chat script file (chat -f FILE) readable only by root avoids that.

TIMEOUT 3 - Wait at most 3 seconds for each expected string. The initial timeout value is 45 seconds; it may also be changed with the -t parameter.

ogin:--ogin: ppp assword: secret - One or more expect:send pairs, i.e. expect ...ogin then send ppp, expect ...assword then send secret. chat appends a carriage return to each string it sends.

Note, because the beginning of the expected word may be garbled due to a flaky modem connection, just look for the end of the word (e.g. login becomes ogin, password becomes assword).

Note: ogin:--ogin: is a sub-expect:sub-send pair. If the first login prompt is not received within the timeout, send a single return (the empty string between the two dashes) and look again for the login prompt.
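Putting the login secret on the pppd command line exposes it to ps on the client and, with chat -v, to syslog. The following shell fragment is an added example, not part of the CIS 192 lab, that writes the same chat script to a root-only file and builds a client command that references it with chat -f instead. It assumes POSIX sh, GNU stat for the permission check, and that the login name and secret contain no whitespace (chat splits script tokens on whitespace). The path /etc/ppp/chat-arwen in the usage comment is an assumption, not a file the lab uses.

```shell
#!/bin/sh
# Added example (not from the CIS 192 lab): keep the dial-in secret out of
# the pppd/chat command line.  Assumptions: POSIX sh, and that LOGIN and
# SECRET contain no whitespace, since chat separates script tokens on it.

# write_chat_script FILE LOGIN SECRET
# Writes the equivalent of the lab's in-line script
#   TIMEOUT 3 ogin:--ogin: LOGIN assword: SECRET
# into FILE with mode 0600, so other local users cannot read the secret.
write_chat_script() {
    file="$1"; login="$2"; secret="$3"
    if [ -z "$login" ] || [ -z "$secret" ]; then
        echo "login and secret are required" >&2; return 1
    fi
    case "$login$secret" in
        *[[:space:]]*) echo "login/secret must not contain whitespace" >&2; return 1 ;;
    esac
    old_umask=$(umask)
    umask 077                       # the file is never world-readable, not even briefly
    printf 'TIMEOUT 3\nogin:--ogin: %s\nassword: %s\n' "$login" "$secret" > "$file" || return 1
    umask "$old_umask"
    chmod 600 "$file"
}

# build_client_cmd FILE
# Prints the client-side pppd command.  The secret is not in it (so it is
# not visible in ps), and chat runs without -v (so it is not syslogged).
build_client_cmd() {
    echo "pppd updetach crtscts defaultroute /dev/ttyS0 38400 connect \"exec chat -f $1\""
}

# Usage (as root; the path is an assumption):
#   write_chat_script /etc/ppp/chat-arwen ppp secret
#   build_client_cmd /etc/ppp/chat-arwen     # then run the printed command
```

When debugging is needed, add -v to the chat invocation temporarily and remove it again; the secret still only lives in the 0600 file.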
