Data Networking/Fall 2014/Datagirl
Project Team members
Haowen Liu
Daiwei Zhang
Ying Zhang
Ai Jiang
Motivation
The Internet is now ubiquitous. Computer networks, built from interconnected telecommunication links and a stack of protocols, serve a wide range of needs.
In this scenario we build a complete network for a start-up company containing DNS, DHCP, a web server and a firewall. DNS resolves names to IP addresses. DHCP assigns IP addresses to clients so that they can reach the web pages, so we also need a web server to host the website and provide other web services. Finally, a correctly configured firewall is essential to keep the whole network secure.
Given that Linux is portable, open source, hierarchically organised, comparatively secure and easy to develop on, we chose it as the operating system for the network. Through this hands-on project we gain a deeper understanding of, and practical insight into, computer networking.
Introduction
Project Requirement
In general, we need to configure all of the following servers and make them work together on the same network so that a client on that network can retrieve the web page normally. The specific requirements are as follows.
Linux machine: The entire project is based on Linux. By installing Ubuntu 12.04 64-bit in VMware we get a Linux environment easily.
DNS: Using BIND9 as the DNS server, create 5 DNS records mapping hostnames of clients and servers to IPv4 addresses and vice versa (forward and reverse lookups), so that the machines can reach each other by name.
DHCP: Using isc-dhcp-server, assign an IP address to a new client from an address pool, excluding some reserved addresses, with a given lease time. Additionally, implement PXE boot and RARP.
Web server: Combining Apache2, MySQL 5 and PHP 5, set up a simple web server whose pages are reachable from clients on the same network through a web browser.
Firewall: Without funding for dedicated security appliances, we harden the server as far as possible using only the command line and the standard packages. In particular, the server must be able to filter by IP address, protocol and port.
Backup: Using rsync as the backup mechanism, files and configuration are backed up periodically.
Understanding the Protocols
1. Client/server architecture: a computer network in which many clients request and receive service from a centralized server. Client hosts send requests to the server and display the results it returns; servers wait for requests from clients and respond to them. A client provides the user interface and part or all of the application processing, while the server might provide high-volume storage, heavy data processing and/or high-resolution graphics.
2. DNS (Domain Name System): DNS translates hostnames to IP addresses and, through reverse lookups, IP addresses back to hostnames. It is a distributed database implemented in a hierarchy of DNS servers, together with an application-layer protocol that lets hosts query that database. Ordinary queries run over UDP port 53; TCP port 53 is used for zone transfers and for responses too large for a single UDP datagram. Because a query and its reply are single unauthenticated datagrams, a resolver must match the reply's transaction ID and question to the query it sent before trusting it.
3. DHCP (Dynamic Host Configuration Protocol): DHCP automates the network-related aspects of connecting a host to a network, which is why it is often described as a plug-and-play protocol. As hosts join and leave, the DHCP server updates its list of available IP addresses: each time a host joins, the server allocates an address from its current pool of available addresses, and each time a host leaves (or its lease expires) the address is returned to the pool.
4. RARP (Reverse Address Resolution Protocol): RARP is an obsolete networking protocol used by a client to request its IPv4 address from the network when all it has available is its link-layer (hardware) address, such as a MAC address. The client broadcasts the request and needs no prior knowledge of the network topology or of which servers can answer it. BOOTP and then DHCP replaced RARP for this purpose.
5. Web server: a web server delivers web pages to browsers, and other data files to web-based applications, using HTTP. The term covers the hardware, the server software, the operating system, the TCP/IP stack and the site content.
6. Firewall: a firewall is a system that enforces an access control policy between two networks. It has two basic mechanisms, one to block traffic and one to permit it. Firewalls are commonly used to prevent unauthorized access to a private network connected to the Internet or to an intranet: all traffic entering or leaving the protected network passes through the firewall, which examines each packet and blocks those that do not meet the security policy. Because the firewall imposes its policy on everything behind it, its configuration must be understood and reviewed carefully.
Steps to perform the setup / installation
Steps to set up the DHCP server:
• At a terminal prompt, install the isc-dhcp-server package.
• Set "eth0" as the interface the server listens on in /etc/default/isc-dhcp-server.
• Assign a static IP address to the DHCP server: 192.168.2.171/24, with 192.168.2.1 as the gateway.
• Edit the DHCP server configuration file /etc/dhcp/dhcpd.conf.
• In this case the domain name is "datagirl.com" and the DNS server is 192.168.2.172.
• The default lease time is 600 seconds and the maximum lease time is 7200 seconds.
• The network is 192.168.2.0/24 and the address pools are 192.168.2.4 to 192.168.2.169 and 192.168.2.180 to 192.168.2.254; the gap between them holds the servers' addresses, which are excluded from dynamic allocation.
• Give the DNS server and the web server fixed addresses bound to their MAC addresses (host declarations).
• Install the TFTP packages: openbsd-inetd, lftp and tftpd-hpa.
• Add the PXE-specific options, filename and next-server, to dhcpd.conf.
• Configure TFTP by editing inetd.conf and enabling the boot service of inetd.
• Start the openbsd-inetd and tftpd-hpa services.
• Download and install the pxelinux.0 file and lay out the boot files in the proper directory structure.
• Edit /var/lib/tftpboot/pxelinux.cfg/default and set the file permissions.
• After configuration, restart the service (and the virtual machine).
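The complete /etc/dhcp/dhcpd.conf that the steps above describe, written out as an added example (it is not the team's own file). The subnet, pools, lease times, domain name and DNS server are the page's values; the TFTP server is the DHCP host itself (192.168.2.171), the web server's address 192.168.2.173 is taken from the page's reverse-lookup test, and the two MAC addresses are placeholders.

```conf
# /etc/default/isc-dhcp-server must contain:  INTERFACES="eth0"

option domain-name "datagirl.com";
option domain-name-servers 192.168.2.172;
default-lease-time 600;
max-lease-time 7200;
authoritative;          # send DHCPNAK for leases this server did not issue on the segment

subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    option broadcast-address 192.168.2.255;
    # Dynamic pools; 192.168.2.170-179 is left out for the servers declared below
    range 192.168.2.4 192.168.2.169;
    range 192.168.2.180 192.168.2.254;
    # PXE: the TFTP server and the boot loader the client should fetch
    next-server 192.168.2.171;
    filename "pxelinux.0";
}

# Fixed addresses for the servers, bound to their MAC addresses (placeholder MACs)
host dns {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.2.172;
}
host web {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.2.173;
}
```

Check the syntax with `sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf` before `sudo service isc-dhcp-server restart`; leases that were actually handed out are recorded in /var/lib/dhcp/dhcpd.leases, which is the first place to look when a client does not get the address you expect.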
Steps to set up the DNS server:
• Install the BIND9 package. Our domain name is datagirl.com, so we first need BIND9, which provides the configuration directory /etc/bind.
• Check the network information: the server's IP address is 192.168.2.172 with netmask 255.255.255.0.
• Declare the forward zone "datagirl.com" in /etc/bind/named.conf.local (included from /etc/bind/named.conf); the zone statement names the file that holds the records.
• Declare the reverse zone "2.168.192.in-addr.arpa" in the same file.
• Create the forward zone file /etc/bind/db.datagirl.com (and the other files referenced from the configuration): a BIND data file for the development site that sets the time to live (TTL), the IP address and hostname of the server, and the related resource records.
• Create the reverse zone file /etc/bind/db.192.168.2: a BIND reverse data file for the development domain that sets the TTL, the IP address and hostname of the server, and the related (PTR) resource records.
• Point every host that should use this DNS server at it (in /etc/resolv.conf, or through the DHCP domain-name-servers option).
• Set the DNS server's IP address to 192.168.2.172.
• Restart BIND9.
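An added example of the files the DNS steps describe (not the team's own files). The zone names and the address 192.168.2.172 are the page's; the hostnames ns1, dhcp, www and nfs, the admin mailbox, the serial and the TTLs are assumptions. The allow-query, allow-recursion and allow-transfer lines are the hardening a practitioner should add so that the server is neither an open resolver nor a source of zone dumps.

```text
// /etc/bind/named.conf.local
zone "datagirl.com" {
    type master;
    file "/etc/bind/db.datagirl.com";
};
zone "2.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.2";
};

// /etc/bind/named.conf.options, inside the options { } block:
// answer and recurse only for the lab subnet, never hand out zone transfers
allow-query     { 127.0.0.1; 192.168.2.0/24; };
allow-recursion { 127.0.0.1; 192.168.2.0/24; };
allow-transfer  { none; };

; /etc/bind/db.datagirl.com  (forward zone)
$TTL    604800
@       IN      SOA     ns1.datagirl.com. admin.datagirl.com. (
                        2014110101      ; serial, YYYYMMDDnn: increase on every change
                        604800          ; refresh
                        86400           ; retry
                        2419200         ; expire
                        604800 )        ; negative cache TTL
@       IN      NS      ns1.datagirl.com.
@       IN      A       192.168.2.173
ns1     IN      A       192.168.2.172
dhcp    IN      A       192.168.2.171
www     IN      A       192.168.2.173
nfs     IN      A       192.168.2.150

; /etc/bind/db.192.168.2  (reverse zone for 192.168.2.0/24)
$TTL    604800
@       IN      SOA     ns1.datagirl.com. admin.datagirl.com. (
                        2014110101 604800 86400 2419200 604800 )
@       IN      NS      ns1.datagirl.com.
150     IN      PTR     nfs.datagirl.com.
171     IN      PTR     dhcp.datagirl.com.
172     IN      PTR     ns1.datagirl.com.
173     IN      PTR     www.datagirl.com.
```

Validate before restarting: `sudo named-checkconf`, then `sudo named-checkzone datagirl.com /etc/bind/db.datagirl.com` and `sudo named-checkzone 2.168.192.in-addr.arpa /etc/bind/db.192.168.2`, and only then `sudo service bind9 restart`. A forgotten serial bump is the classic reason a changed zone is not picked up by anything that has cached the old one.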
Steps to set up the web server:
• Install Apache.
• Edit the index page in the document root (/var/www on Ubuntu 12.04) to create a new home page.
• Restart Apache and enable the "datagirl" site.
• Install PHP and create a quick test file in the document root that prints basic information about the PHP installation (typically a phpinfo() call). Delete this file once the test is done: it discloses the server's configuration to anyone who can reach it.
• Install MySQL and phpMyAdmin into the Apache web server.
• Add a link to phpMyAdmin, and restrict access to it to the internal network, since it gives full control of the database to anyone who can log in.
Steps to set up the firewall:
• Install or upgrade ufw (Uncomplicated Firewall), the front end to iptables used here.
• Decide, per rule, whether packets are allowed in, rejected (dropped with an error reply to the sender) or denied (dropped silently with no response).
• Allow specific protocols (tcp, udp, icmp) on specific ports only, rather than everything, and restrict by source address or range. For example, accept 192.168.2.0/24 and drop all other source addresses.
• Keep a copy of the working rule set so that it can be restored if a change breaks connectivity.
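The rule set the steps describe, as an added example (these are not the team's commands): default-deny inbound, then allow only what the lab needs from 192.168.2.0/24. The ports for SSH (22), DHCP (67/udp) and TFTP (69/udp) are assumptions about which services run on the firewalled host; drop the lines that do not apply.

```console
$ sudo apt-get install ufw
$ sudo ufw default deny incoming        # anything not listed below is dropped silently
$ sudo ufw default allow outgoing
# Lab subnet only: web, DNS (udp and tcp), SSH (limit = allow plus rate limiting of new connections)
$ sudo ufw allow from 192.168.2.0/24 to any port 80 proto tcp
$ sudo ufw allow from 192.168.2.0/24 to any port 53
$ sudo ufw limit from 192.168.2.0/24 to any port 22 proto tcp
# Only if this host is the DHCP/TFTP server: a DHCP client has no address yet, so a
# "from 192.168.2.0/24" rule would never match its DISCOVER packets
$ sudo ufw allow 67/udp
$ sudo ufw allow from 192.168.2.0/24 to any port 69 proto udp
# reject instead of deny: the sender is told explicitly that the port is closed
$ sudo ufw reject from 10.0.0.0/8 to any port 80 proto tcp
$ sudo ufw enable
$ sudo ufw status numbered
```

ufw evaluates rules in the order shown by `ufw status numbered` and the first match wins, so a deny or reject that must override an earlier, broader allow has to be placed before it with `sudo ufw insert 1 ...`. To test the policy from the other subnet, use the same probe the page uses (a browser request to the web server) and also a port scan from the lab subnet, to confirm that nothing beyond 53, 80 and 22 answers.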
Add-ons
NFS
• Install nfs-kernel-server and give the NFS server a static IP address (192.168.2.150).
• On the server:
sudo mkdir /armnfs
sudo chmod 777 /armnfs
sudo vi /etc/exports   (add the line: /armnfs *(rw))
sudo service rpcbind restart
sudo service nfs-kernel-server restart
sudo showmount -e
• On the client:
sudo apt-get install nfs-common rpcbind
sudo mkdir /var/armnfs
sudo mount 192.168.2.150:/armnfs /var/armnfs
Note that "*(rw)" exports the directory read-write to every host that can reach the server, and chmod 777 makes it world-writable; on anything but an isolated lab network the export should be limited to the lab subnet.
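An added example of /etc/exports with the page's wide-open export beside a restricted one (not the team's file; the subnet is the page's 192.168.2.0/24):

```text
# /etc/exports

# As on the page: any host may mount it read-write
# /armnfs *(rw)

# Restricted: lab subnet only, writes committed before the reply is sent,
# remote root mapped to nobody, no per-file subtree checks on the export
/armnfs 192.168.2.0/24(rw,sync,root_squash,no_subtree_check)
```

After editing, `sudo exportfs -ra` re-reads the file without a service restart, and `showmount -e 192.168.2.150` from a client shows exactly which hosts the export is visible to. Keep in mind that classic NFSv3 trusts the client's claimed UID/GID (AUTH_SYS), so the host restriction is the only access control that is enforced by the server.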
VPN
• Install a VPN server (pptpd) so that a client on the external network can connect to the intranet.
• Configure the server in three files: /etc/pptpd.conf, /etc/ppp/pptpd-options and /etc/ppp/chap-secrets.
• In /etc/pptpd.conf (sudo nano /etc/pptpd.conf), localip is the address of the host and remoteip is the address pool handed to VPN clients.
• Configure the DNS server address handed to VPN clients.
• For user configuration, create three client accounts with their secrets.
• Use iptables to set up NAT so that VPN clients can reach the intranet.
• Restart the service.
Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak; PPTP is acceptable only for a lab and should be replaced by OpenVPN or IPsec for anything that carries real traffic.
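The three files and the NAT rule, as an added example (not the team's configuration). The DNS server is the page's 192.168.2.172; the 10.8.0.0/24 client pool, the user names, the secrets and the interface name eth0 are assumptions.

```text
# /etc/pptpd.conf
option /etc/ppp/pptpd-options
localip 10.8.0.1
remoteip 10.8.0.10-30            # pool for VPN clients, kept out of the LAN's DHCP ranges

# /etc/ppp/pptpd-options
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2                # the strongest PPTP offers, and still crackable offline
require-mppe-128
ms-dns 192.168.2.172             # DNS server handed to VPN clients
nodefaultroute
lock
nobsdcomp

# /etc/ppp/chap-secrets   (must be chmod 600: it holds cleartext secrets)
# client  server  secret            IP addresses
alice     pptpd   "replace-me-1"    *
bob       pptpd   "replace-me-2"    *
carol     pptpd   "replace-me-3"    *

# NAT so that VPN clients (10.8.0.0/24) reach the intranet through the server
sudo sysctl -w net.ipv4.ip_forward=1          # also set it in /etc/sysctl.conf to persist
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo ufw allow 1723/tcp                       # PPTP control channel; GRE (IP protocol 47)
                                              # must also be allowed through the firewall
sudo service pptpd restart
```

If ufw is enabled on the same host, its forward policy (DEFAULT_FORWARD_POLICY in /etc/default/ufw) must also permit forwarding, otherwise the NAT rule never sees the packets.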
NTP
• Install the ntp package:
sudo apt-get install ntp
• Edit the configuration file and add the time sources:
sudo vi /etc/ntp.conf
server ntp.ubuntu.com
server pool.ntp.org
• Restart ntp and check synchronisation with ntpq -p.
eCryptfs
• Install the ecryptfs-utils package.
• Set it up and mount the encrypted filesystem on the directory.
• While the directory is unmounted, its contents appear as encrypted file names and data, which look like garbage.
• After it is mounted again with the correct passphrase, the directory displays normally.
Testing
DHCP
• Connect the servers and a client to a switch, disable the Wi-Fi adapter of the Windows host, and bridge the virtual network adapter to the physical one.
• Start the DHCP service and reboot the other machines.
• The client then receives a dynamic IP address from the pool, while the servers receive their fixed IP addresses.
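An added check for this test (not part of the team's work): parse a DHCPOFFER and verify that it is the lease our server should hand out, which is also how a rogue DHCP server on the same segment shows up. The pool boundaries, lease limit, DNS server, domain and PXE settings are the page's values; the sample OFFER is constructed here rather than captured from the lab, and the client MAC is a placeholder. On a live host the same parser can be fed packets read from a socket bound to UDP port 68.

```python
import ipaddress
import struct

# Values from the page's DHCP configuration
POOLS = [("192.168.2.4", "192.168.2.169"), ("192.168.2.180", "192.168.2.254")]
EXPECTED_DNS = "192.168.2.172"
MAX_LEASE = 7200
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def _ip(packed):
    return str(ipaddress.IPv4Address(packed))


def _packed(dotted):
    return ipaddress.IPv4Address(dotted).packed


def parse_dhcp(packet):
    """Parse the fixed BOOTP header (RFC 2131) and the DHCP option TLVs of one message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    fields = {
        "op": op, "xid": xid,
        "ciaddr": _ip(packet[12:16]), "yiaddr": _ip(packet[16:20]),
        "siaddr": _ip(packet[20:24]), "giaddr": _ip(packet[24:28]),
        "chaddr": packet[28:28 + hlen].hex(":"),
        "file": packet[108:236].split(b"\x00", 1)[0].decode("ascii"),
        "options": {},
    }
    i = 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        fields["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def check_offer(msg, expected_xid):
    """Return the reasons this OFFER should be rejected; an empty list means it is our server's lease.
    Any entry points at a stray reply, a misconfiguration or a rogue DHCP server on the segment."""
    problems = []
    opts = msg["options"]
    if msg["op"] != 2 or msg["xid"] != expected_xid:
        problems.append("not a reply to our DISCOVER (op/xid mismatch)")
    if opts.get(53) != b"\x02":
        problems.append("message type is not DHCPOFFER")
    ip = ipaddress.IPv4Address(msg["yiaddr"])
    if not any(ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi) for lo, hi in POOLS):
        problems.append("offered address %s is outside the configured pools" % ip)
    dns = opts.get(6, b"")
    if len(dns) < 4 or _ip(dns[:4]) != EXPECTED_DNS:
        problems.append("DNS server option is not %s" % EXPECTED_DNS)
    lease = struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else 0
    if not 0 < lease <= MAX_LEASE:
        problems.append("lease time %d is missing or above max-lease-time" % lease)
    return problems


def build_sample_offer(xid, yiaddr="192.168.2.4", dns="192.168.2.172"):
    """Constructed DHCPOFFER: the reply the page's dhcpd would send (placeholder client MAC)."""
    header = (struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
              + b"\x00" * 4                                   # ciaddr: client has none yet
              + _packed(yiaddr)                               # yiaddr: the offered lease
              + _packed("192.168.2.171")                      # siaddr: next-server for PXE
              + b"\x00" * 4                                   # giaddr: no relay agent
              + bytes.fromhex("0a1b2c3d4e5f") + b"\x00" * 10  # chaddr, padded to 16 bytes
              + b"\x00" * 64                                  # sname
              + b"pxelinux.0".ljust(128, b"\x00"))            # file: the PXE boot loader
    options = (b"\x35\x01\x02"                                # 53 message type = OFFER
               + b"\x36\x04" + _packed("192.168.2.171")       # 54 server identifier
               + b"\x33\x04" + struct.pack("!I", 600)         # 51 lease time (default-lease-time)
               + b"\x03\x04" + _packed("192.168.2.1")         # 3 router
               + b"\x06\x04" + _packed(dns)                   # 6 DNS server
               + b"\x0f\x0c" + b"datagirl.com"                # 15 domain name (12 bytes)
               + b"\xff")                                     # end
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    offer = parse_dhcp(build_sample_offer(0x3903F326))
    print(offer["yiaddr"], offer["siaddr"], offer["file"], check_offer(offer, 0x3903F326))
```

An offer from an address outside both pools (for instance inside the reserved 192.168.2.170-179 block) or carrying a different DNS server is exactly what a second, unexpected DHCP server would produce; the server identifier in option 54 then tells you where it came from.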
DNS
• The DHCP server has allocated the DNS server its fixed address, 192.168.2.172.
• Use nslookup to check that the IP address is returned for the domain name:
nslookup datagirl.com
• Use nslookup to check that the domain name is returned for an IP address (reverse lookup):
nslookup 192.168.2.173
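The same two checks done at the wire level, as an added example (not the team's code) that also illustrates the protocol description given earlier: it builds the UDP/53 query, parses the reply, and refuses any reply whose transaction ID or question does not match what was sent, which is the check that keeps a resolver from accepting a spoofed answer. The server address 192.168.2.172 and the domain are the page's; the hostname www.datagirl.com, its address 192.168.2.173 and the two sample replies are constructed for the example.

```python
import os
import socket
import struct

DNS_SERVER = "192.168.2.172"   # the lab's BIND9 server (from the page)
TYPE_A, TYPE_PTR = 1, 12


def encode_name(name):
    """Encode a dotted name as DNS labels: one length byte per label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def reverse_name(ipv4):
    """Name queried for a reverse lookup: 192.168.2.173 -> 173.2.168.192.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_query(name, qtype, txid):
    """Standard query (flags 0x0100 = recursion desired) carrying a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(data):
    """Parse header, question and answer section into a dict."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype = struct.unpack("!HH", data[off:off + 4])[0]
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == TYPE_A:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == TYPE_PTR:                      # rdata is itself a (maybe compressed) name
            rdata = decode_name(data, off)[0]
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "question": (qname, qtype), "answers": answers}


def check_response(query, response):
    """Accept a reply only if it carries our transaction ID and echoes our question.
    Anything else is a stray or forged datagram and must be dropped, not trusted."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, qoff = decode_name(query, 12)
    qtype = struct.unpack("!H", query[qoff:qoff + 2])[0]
    resp = parse_response(response)
    if resp["id"] != qid:
        raise ValueError("transaction ID mismatch")
    if resp["question"] != (qname, qtype):
        raise ValueError("question section does not match the query")
    return resp


def is_valid_response(query, response):
    """Boolean form of check_response for callers that just want to drop bad replies."""
    try:
        check_response(query, response)
        return True
    except ValueError:
        return False


def resolve(name, qtype=TYPE_A, server=DNS_SERVER, timeout=2.0):
    """Send the query to the lab server over UDP/53 and return the verified, parsed reply."""
    query = build_query(name, qtype, int.from_bytes(os.urandom(2), "big"))  # unpredictable ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    return check_response(query, data)


# Constructed replies (not captured from the lab), as BIND would answer the two nslookup tests.
# 0xC00C in the answer is a pointer to offset 12, i.e. the name in the question section.
SAMPLE_A_QUERY = build_query("www.datagirl.com", TYPE_A, 0x1234)
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                     + encode_name("www.datagirl.com") + struct.pack("!HH", TYPE_A, 1)
                     + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 604800, 4)
                     + socket.inet_aton("192.168.2.173"))
SAMPLE_PTR_QUERY = build_query(reverse_name("192.168.2.173"), TYPE_PTR, 0x5678)
SAMPLE_PTR_RESPONSE = (struct.pack("!HHHHHH", 0x5678, 0x8180, 1, 1, 0, 0)
                       + encode_name(reverse_name("192.168.2.173")) + struct.pack("!HH", TYPE_PTR, 1)
                       + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, 1, 604800, 18)
                       + encode_name("www.datagirl.com"))
```

On the lab network, `resolve("www.datagirl.com")` and `resolve(reverse_name("192.168.2.173"), TYPE_PTR)` perform the two nslookup tests against 192.168.2.172; the random transaction ID plus the kernel's random source port are what make blind spoofing of the reply impractical, which is why the ID and question check must never be skipped.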
Web server
• Self-test from the server itself by browsing to the loopback address 127.0.0.1 and checking that the designed pages load.
• Confirm that PHP works together with the Apache web server (the PHP test page renders).
• phpMyAdmin is a tool written in PHP for administering MySQL servers over the web. A client logs in with a MySQL username and password and can then create, edit or delete databases through a friendlier interface than the command line.
Firewall
• Connect a client that has a static IP address in a different subnet.
• When that client tries to reach the web pages, the firewall denies the access, as intended.
Future Improvements
Implement IPv6 on the DHCP and DNS servers for future use.
Implement a backup server in case the main server fails.
Implement NIS and an IDS to improve security.