Data Networking/Fall 2014/Olaoluwa Oloniniyi
Group Members
- Devandra Sharma
- Elyes Ighilaza
- Olaoluwa Oloniniyi
- Chris Lazar
Introduction
The aim of this Linux project was to demonstrate the interoperability of certain network components on a small scale by creating a complete network solution for a start-up company. The requirement was a private network with its own DNS and DHCP service. The network was implemented with a switch and three computers running Ubuntu.
The network components being combined are
- DNS : Domain Name Server
- DHCP: Dynamic Host Configuration Protocol
- Web server & firewall
- Client
The general operation of the network is as follows:
- A client that does not yet have an IP address obtains one from the DHCP server. The address must come from the configured pool and respect the lease conditions set on the server.
- The client requests the web page by hostname. The request first goes to the DNS server, which resolves the hostname to the web server's IP address; the client's browser then connects to that address.
- The firewall monitors and filters the incoming and outgoing traffic of the web server.
DNS
Domain Name System (DNS) is a hierarchical, distributed naming system for services and hosts connected to the internet or to a private network. Its best-known service is the resolution of hostnames to IP addresses. Humans would find it very difficult to keep track of the IP addresses of their favourite websites; DNS resolves hostnames such as www.google.com or www.yahoo.com to the appropriate addresses and saves us from memorising strings of numbers. DNS is hierarchical for several reasons, the most important being to avoid a single point of failure in the naming system. The hierarchy has four layers, starting from the top:
- Root servers (13 root server names, each replicated at many sites)
- Top level domain servers (.net, .edu, .com, .org)
- Authoritative DNS servers, providing the authoritative hostname to IP mappings for an organisation's servers (e.g. web, mail)
- Local name servers, which strictly speaking do not belong to the hierarchy. Each ISP has one (in this project the private network runs its own); when a host makes a DNS query, the query is sent to its local DNS server, which walks the hierarchy on the host's behalf.
Configuration steps
1. sudo apt-get install bind9
Installs the BIND 9 package.
2. sudo nano /etc/hosts
Add the server's own name and address (192.168.1.128 devandra.sharma.com devandra) so that the host name resolves even while BIND is not running.
3. sudo nano /etc/bind/named.conf.local
Declare the forward and reverse lookup zones:

    zone "sharma.com" {
        type master;
        file "/etc/bind/zones/sharma.com.db";
    };
    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "/etc/bind/zones/1.168.192.in-addr.arpa.db";
    };

4. sudo mkdir /etc/bind/zones
Make a directory "zones" in the bind directory.
5. sudo cp /etc/bind/db.local /etc/bind/zones/sharma.com.db
Copy the sample zone file into the zones directory as the starting point for the forward lookup zone.
6. sudo cp /etc/bind/db.127 /etc/bind/zones/1.168.192.in-addr.arpa.db
Copy the sample loopback zone file into the zones directory as the starting point for the reverse lookup zone.
7. sudo nano /etc/bind/zones/sharma.com.db
Edit the forward lookup zone file so that it contains the forward records:

    $TTL    604800
    @       IN      SOA     sharma.com. root.sharma.com. (
                            2           ; Serial
                            604800      ; Refresh
                            86400       ; Retry
                            2419200     ; Expire
                            604800 )    ; Negative Cache TTL
    @           IN      NS      devandra.sharma.com.
    sharma.com. IN      A       192.168.1.128
    devandra    IN      A       192.168.1.128
    ; also list the other computers
    ola         IN      A       192.168.1.138
    elyes       IN      A       192.168.1.108
    www         IN      CNAME   elyes.sharma.com.

The trailing dot on names such as elyes.sharma.com. matters: without it BIND appends the zone origin and the CNAME would point at elyes.sharma.com.sharma.com. The serial must be increased every time the file changes, otherwise other servers (and cached copies) never pick up the change.
8. sudo nano /etc/bind/zones/1.168.192.in-addr.arpa.db
Edit the reverse lookup zone file; the owner of each PTR record is the last octet of the address, and the NS record must name the server with its full name:

    $TTL    604800
    @       IN      SOA     sharma.com. root.sharma.com. (
                            3           ; Serial
                            604800      ; Refresh
                            86400       ; Retry
                            2419200     ; Expire
                            604800 )    ; Negative Cache TTL
    @       IN      NS      devandra.sharma.com.
    128     IN      PTR     devandra.sharma.com.
    138     IN      PTR     ola.sharma.com.
    108     IN      PTR     elyes.sharma.com.

9. sudo nano /etc/resolv.conf
Point the resolver at the new server; search sharma.com lets short names such as elyes resolve to elyes.sharma.com:

    nameserver 192.168.1.128
    search sharma.com

On Ubuntu, /etc/resolv.conf is regenerated by resolvconf, so a hand edit is lost at the next network restart; the dns-nameservers 192.168.1.128 and dns-search sharma.com lines in /etc/network/interfaces (as used for the static hosts below) make it permanent. Finally restart BIND with sudo service bind9 restart so that it loads the new zones.
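The reverse zone in step 8 has to mirror the A records of step 7 by hand, and the two drift apart as soon as a host is added to one file and not the other. The script below is an added example (not part of the project's configuration) that derives the 1.168.192.in-addr.arpa zone from the forward zone, one PTR per address, so the two can never disagree. The sample forward zone it writes is a constructed copy of the one above; the origin, NS name and serial are parameters, and it assumes a single /24 reverse zone.

```shell
#!/bin/sh
# Added example: generate the reverse zone for 192.168.1.0/24 from the forward
# zone. Not part of the project's configuration; the sample zone is constructed.

# write_sample_zone FILE: a constructed copy of the forward zone from the text.
write_sample_zone() {
    cat >"$1" <<'EOF'
$TTL    604800
@       IN      SOA     sharma.com. root.sharma.com. (
                        2           ; Serial
                        604800      ; Refresh
                        86400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Negative Cache TTL
@           IN      NS      devandra.sharma.com.
sharma.com. IN      A       192.168.1.128
devandra    IN      A       192.168.1.128
; also list the other computers
ola         IN      A       192.168.1.138
elyes       IN      A       192.168.1.108
www         IN      CNAME   elyes.sharma.com.
EOF
}

# gen_reverse ZONEFILE ORIGIN NSNAME [SERIAL]: print a complete reverse zone.
# Apex records (@ or the zone name itself) carry no host name and are skipped;
# the first A record for an address wins, so each address gets exactly one PTR.
gen_reverse() {
    zone=$1; origin=$2; ns=$3; serial=${4:-$(date +%Y%m%d01)}
    printf '$TTL 604800\n'
    printf '@ IN SOA %s. root.%s. ( %s 604800 86400 2419200 604800 )\n' \
        "$origin" "$origin" "$serial"
    printf '@ IN NS %s.\n' "$ns"
    awk -v origin="$origin" '
        { sub(/;.*/, "") }                        # strip comments
        NF < 3 { next }                           # $TTL and SOA continuation lines
        $1 == "@" || $1 == (origin ".") { next }  # apex records: no host name
        {
            for (i = 2; i < NF; i++) if ($i == "A") {
                ip = $(i + 1)
                if (ip in seen) continue
                seen[ip] = 1
                split(ip, o, ".")
                # relative names get the origin appended; absolute ones end in "."
                name = ($1 ~ /\.$/) ? $1 : $1 "." origin "."
                print o[4] " IN PTR " name
            }
        }' "$zone"
}

# Demonstration on the constructed zone.
main() {
    tmp=$(mktemp)
    write_sample_zone "$tmp"
    gen_reverse "$tmp" sharma.com devandra.sharma.com
    rm -f "$tmp"
}
main
```

Run it against the real file with `gen_reverse /etc/bind/zones/sharma.com.db sharma.com devandra.sharma.com > /etc/bind/zones/1.168.192.in-addr.arpa.db`, then check both files with `named-checkzone sharma.com /etc/bind/zones/sharma.com.db` and `named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/1.168.192.in-addr.arpa.db` before restarting BIND; `dig -x 192.168.1.108 @192.168.1.128` confirms the PTR is served.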
DHCP
Dynamic Host Configuration Protocol is used to assign network configuration parameters such as IP address, gateway and network mask dynamically. It removes the need to assign a static IP address to every host in a network; instead, a host that finds it has no IP address goes through the exchange below.
- The host broadcasts a "DHCP discover" message (skipped when renewing an existing lease)
- A DHCP server responds with a "DHCP offer" message (skipped when renewing)
- The host asks for the offered address with a "DHCP request" message
- The DHCP server confirms the address and its lease time with a "DHCP ACK" message
After initially obtaining an address the host only repeats the last two steps to renew the lease on the address it already has. Nothing in this exchange authenticates the server: whichever machine on the LAN answers first can hand the client an address, a gateway and a DNS server of its choosing, which is why the DHCP service belongs on a network under your control.
Configuration steps
1. Install the DHCP server
    sudo apt-get install isc-dhcp-server
2. Create the IP pool in /etc/dhcp/dhcpd.conf

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.130 192.168.1.254;
        option domain-name-servers 192.168.1.128;
        option domain-name "sharma.com";
        option routers 192.168.1.128;
        option broadcast-address 192.168.1.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

The range starts above the statically addressed machines (the web/DHCP server at .108 and the DNS server at .128), so a lease can never collide with them, and domain-name matches the zone served by BIND so that clients get the right search domain. Set INTERFACES="eth0" in /etc/default/isc-dhcp-server so that the server only answers on the LAN interface.
3. Assign a static IP address to the DHCP server in /etc/network/interfaces (a DHCP server cannot be a DHCP client on the interface it serves):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.1.108
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.128
        dns-nameservers 192.168.1.128

4. Restart the DHCP server
    sudo service isc-dhcp-server restart
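The Testing section below checks by eye that no client got an address outside the pool or on a reserved address. The script below is an added example (not part of the project's configuration) that makes the same check from the server by reading dhcpd's lease file, whose real path on Ubuntu is /var/lib/dhcp/dhcpd.leases. The lease file it writes is constructed: it contains the client ola at .138, a released lease, a lease on the DNS server's address .128, one at .20 below the pool, and one at .200 which the example treats as a reserved address inside the pool (the situation of a printer or similar device given a fixed address that overlaps the range).

```shell
#!/bin/sh
# Added example: audit dhcpd leases against the pool and the reserved addresses.
# Not part of the project's configuration; the lease file below is constructed.

# write_sample_leases FILE: constructed dhcpd.leases content. dhcpd appends a new
# block whenever a lease changes, so the last block for an address is current.
write_sample_leases() {
    cat >"$1" <<'EOF'
lease 192.168.1.138 {
  starts 4 2014/11/20 10:00:00;
  ends 4 2014/11/20 10:10:00;
  binding state active;
  hardware ethernet 08:00:27:11:22:33;
  client-hostname "ola";
}
lease 192.168.1.140 {
  starts 4 2014/11/20 09:00:00;
  ends 4 2014/11/20 09:10:00;
  binding state free;
  hardware ethernet 08:00:27:44:55:66;
}
lease 192.168.1.128 {
  starts 4 2014/11/20 10:05:00;
  ends 4 2014/11/20 10:15:00;
  binding state active;
  hardware ethernet 08:00:27:77:88:99;
}
lease 192.168.1.20 {
  starts 4 2014/11/20 10:06:00;
  ends 4 2014/11/20 10:16:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
}
lease 192.168.1.200 {
  starts 4 2014/11/20 10:07:00;
  ends 4 2014/11/20 10:17:00;
  binding state active;
  hardware ethernet 08:00:27:dd:ee:ff;
}
EOF
}

# audit_leases FILE LOW HIGH [RESERVED...]: one line per active lease that lies
# outside LOW-HIGH or sits on a reserved (statically configured) address.
audit_leases() {
    file=$1; low=$2; high=$3; shift 3
    awk -v low="$low" -v high="$high" -v reserved="$*" '
        function ip2n(ip,  o) {            # dotted quad -> integer, for range tests
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { n = split(reserved, r, " "); for (i = 1; i <= n; i++) res[r[i]] = 1 }
        $1 == "lease"                    { ip = $2; state = "" }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "}" && ip != ""            { last[ip] = state; ip = "" }
        END {
            for (a in last) {
                if (last[a] != "active") continue
                if (ip2n(a) < ip2n(low) || ip2n(a) > ip2n(high))
                    print a ": active lease outside pool " low "-" high
                else if (a in res)
                    print a ": active lease on a reserved static address"
            }
        }' "$file" | sort
}

# Demonstration with the pool from dhcpd.conf and the statically addressed hosts.
main() {
    tmp=$(mktemp)
    write_sample_leases "$tmp"
    audit_leases "$tmp" 192.168.1.130 192.168.1.254 \
        192.168.1.108 192.168.1.128 192.168.1.200
    rm -f "$tmp"
}
main
```

A lease outside the pool or on a server's address cannot come from this dhcpd.conf, so a finding either means a second DHCP server is answering on the switch or the pool was edited after the lease was granted; in both cases `sudo tail -f /var/log/syslog` on the DHCP host shows who is sending DHCPOFFERs.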
Web server
In simple terms a web server is the system that hosts a web page: it serves the page in response to a request from a client. Requests and responses use HTTP, the basic protocol used to distribute information on the World Wide Web. In this project the following steps take place when the client asks for the page:
- The client asks the DNS server to resolve the hostname elyes.sharma.com and receives the IP address 192.168.1.108
- Using HTTP, the browser sends a GET request to the web server at that address, naming elyes.sharma.com in the Host header
- The web server responds with the HTML of the page, which the browser renders
Configuration steps
1. Apache was installed with the command sudo apt-get install apache2
2. We checked that the installation had worked by browsing to http://localhost on the server, which shows the default Apache page
3. The web page was created in the folder /var/www/html, Apache 2.4's default document root on Ubuntu 14.04
4. We created a file index.html in that folder and wrote the HTML of the page into it (the HTML itself is not reproduced on this page)
5. The IP address of the web server is static because the web server and the DHCP server are the same machine; in /etc/network/interfaces:

    auto eth0
    iface eth0 inet static
        address 192.168.1.108
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.128
        dns-nameservers 192.168.1.128

Apache listens on every address of the machine by default, so the firewall described next is what decides who may reach port 80.
Firewall
With the increase in threats to network security there is a need for several lines of defence against unwanted access to network resources. In this project the network resource is the web page and the line of defence implemented is a firewall. The firewall controls incoming and outgoing traffic by checking each packet against a set of parameters (interface, source address, protocol, port, connection state) to decide whether it is allowed or blocked.
The firewall was implemented with iptables, which lets a Linux system distinguish allowed from banned traffic through the chains and rules it stores. The filter table has the chains INPUT, FORWARD and OUTPUT (PREROUTING and POSTROUTING are chains of other tables such as nat and mangle); each chain handles traffic travelling in a different direction through the host: INPUT for packets addressed to the host itself, OUTPUT for packets it sends, FORWARD for packets it routes between interfaces. Rules in a chain are evaluated top to bottom and the first match decides, so the order in which rules are added matters.
Configuration steps
Configuration used
1. View the current rules: iptables -L
2. Flush the existing rules: iptables -F
3. Allow loopback connections: iptables -A INPUT -i lo -j ACCEPT
4. Allow the LAN to reach the web server: iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT (--dport is only valid together with -p tcp or -p udp, and the source range must be the LAN actually in use, 192.168.1.0/24 in this project)
5. Allow replies to connections initiated from within the network: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
6. Prevent spoofing by dropping loopback source addresses that arrive on a real interface: iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
7. Limit ping requests: iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
8. Allow SSH connections: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
9. Allow all outgoing traffic: iptables -P OUTPUT ACCEPT
10. Drop any traffic that matched none of the rules: iptables -P INPUT DROP
Setting the DROP policy last is deliberate: doing it before step 5 over an SSH session would cut off that very session. The rules live only in kernel memory, so save them with iptables-save and restore them at boot (for example with the iptables-persistent package), or the machine comes back unprotected after a reboot.
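The policy of the ten steps above as one script, an added example rather than the project's own rule list. It assumes the LAN is 192.168.1.0/24 and that the script runs on the web server, which in this project also runs dhcpd; the UDP 67 rule at the end exists only for that reason (renewal requests are unicast to the server and would otherwise be dropped once the policy is DROP). The commands are built by one function and executed by another, so the set can be inspected with DRY_RUN=1 before it is applied, and the self-check functions are what the verifier exercises.

```shell
#!/bin/sh
# Added example: the project's firewall policy as a script. Not the project's
# own rule list; LAN range and iptables binary are assumptions (override via env).
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# build_rules: print the commands in the order they must be applied. The INPUT
# policy is opened first so a flush cannot lock us out, and switched to DROP
# last, after the ESTABLISHED rule already protects the SSH session in use.
build_rules() {
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp -s $LAN_NET --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p tcp -s $LAN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p udp -s $LAN_NET --dport 67 -j ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
EOF
}

# rule_count: number of rules appended to INPUT (self-check).
rule_count() { build_rules | grep -c -- '-A INPUT'; }

# last_rule: the final command; it must be the DROP policy, never earlier.
last_rule() { build_rules | tail -n 1; }

# apply_rules: execute the set (needs root) and list the result. With DRY_RUN=1
# only print what would run.
apply_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        build_rules
    else
        build_rules | sh -e && "$IPT" -L INPUT -n -v --line-numbers
    fi
}

# Stand-alone: show the rule set without touching the kernel.
DRY_RUN=1
apply_rules
```

Two differences from the step list are intentional: the page's ping rule accepts one echo request per second but says nothing about the rest, which then fall through to the DROP policy anyway, so the explicit DROP after the limit makes that visible; and `-m conntrack --ctstate` is the current spelling of `-m state --state` (both still work on Ubuntu 14.04). After `sudo sh firewall.sh` with DRY_RUN unset, `sudo iptables-save > /etc/iptables.rules` keeps the set for the next boot.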
Back up
A network always needs a contingency plan, hence the need for a backup. Configuring the backup has two phases: the files are copied with rsync, and that copy is then scheduled to run at regular intervals with a cron job.
Configuration process
- Install rsync if it is not already available: apt-get install rsync
- Create the target directory on the destination machine
- Copy the tree with rsync -av -e ssh /root/(source folder)/ root@(destination host):(destination folder). With -e ssh the copy runs inside an SSH session, so it is authenticated and encrypted; an SSH key for the backup user avoids typing a password, which a cron job cannot do anyway
- Edit the crontab (crontab -e) and create a new cron job for the rsync command
- A crontab line has five time fields followed by the command:

    1 2 3 4 5 /path/to/command arg1 arg2
    (1 = minute, 2 = hour, 3 = day of month, 4 = month, 5 = day of week)

Crontab is a very flexible mechanism which allows commands to run at easily specified times. It also has several shortcuts which can be used in place of the five fields, such as @daily /path/to/command arg1 or @hourly /path/to/command arg1, to run the job daily or hourly respectively.
Additionally, cron can be told where to mail the output of a job with MAILTO="example@example.com". It mails whatever the job prints, on success or on failure, and sends nothing if the job is silent, so a backup script that reports its result on standard output gets that report delivered.
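A plain rsync mirror has one weakness the page does not mention: a file deleted or defaced on the web server is faithfully copied over the only backup at the next run. The script below is an added example (not the project's script) that keeps one directory per day on the backup host, hard-linking unchanged files to the previous day with --link-dest, so any day's copy can be restored. It assumes the web tree /var/www/html on elyes is copied to root@192.168.1.128 under /backup/elyes with a dedicated key /root/.ssh/backup_key; all of these are settable from the environment.

```shell
#!/bin/sh
# Added example: daily rsync-over-SSH snapshots run from cron. Not the project's
# script; hosts, paths and the key file are assumptions.
SRC="${SRC:-/var/www/html/}"                  # trailing slash: copy the contents
DEST="${DEST:-root@192.168.1.128:/backup/elyes}"
KEY="${KEY:-/root/.ssh/backup_key}"
LOCK="${LOCK:-/var/lock/backup.lock}"

# backup_cmd TODAY [PREV]: the rsync command for TODAY's snapshot. Each run gets
# its own snap-DATE directory; with --link-dest pointing at the previous day,
# unchanged files are hard links and only changed files cost space, so a
# deletion on the server does not wipe the older copies.
backup_cmd() {
    opts="-a --delete --itemize-changes"
    [ -n "${2:-}" ] && opts="$opts --link-dest=../snap-$2"
    printf "rsync %s -e 'ssh -i %s -o BatchMode=yes' %s %s/snap-%s/\n" \
        "$opts" "$KEY" "$SRC" "$DEST" "$1"
}

# cron_entry: crontab lines that run this script at 02:30 every night and mail
# its output (cron mails whatever a job prints) to the administrator.
cron_entry() {
    printf 'MAILTO=admin@sharma.com\n30 2 * * * /usr/local/bin/backup.sh\n'
}

# run_backup: take today's snapshot under a lock so an overrunning job is not
# started a second time; the rsync exit status decides what cron mails out.
run_backup() {
    today=$(date +%Y-%m-%d)
    prev=$(date -d yesterday +%Y-%m-%d 2>/dev/null)   # GNU date; empty elsewhere
    cmd=$(backup_cmd "$today" "$prev")
    if flock -n "$LOCK" sh -c "$cmd"; then
        echo "backup $today finished"
    else
        rc=$?
        echo "backup $today FAILED (exit status $rc)" >&2
        return 1
    fi
}

# Stand-alone: show the command that would run tonight and the crontab lines.
backup_cmd "$(date +%Y-%m-%d)" "$(date -d yesterday +%Y-%m-%d 2>/dev/null)"
cron_entry
```

BatchMode=yes makes ssh fail instead of hanging on a password prompt when the key is missing, which is the failure mode you want at 02:30 with nobody at the console; the non-zero status then reaches the MAILTO address. On the backup host, the key in authorized_keys can be restricted to the rsync command alone, so a compromised web server holds a key that can write backups but not log in.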
Add-ons
The following add-ons were carried out to make the project more robust
- NFS
- NIS
- VPN
NFS
Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to access files over a network much as local storage is accessed. The process is as follows:
- The server implements NFS processes, which makes its data available to clients over the LAN.
- The server determines what to make available.
- The server security-administration ensures that it can recognize and approve validated clients.
- The server network configuration ensures that appropriate clients can negotiate with it through any firewall system.
- The client machine requests access to exported data which the server grants to the allowed client.
Configuration steps
1. sudo apt-get install nfs-kernel-server (install the NFS server)
2. sudo mkdir data (create the folder to be shared)
3. sudo nano /etc/exports (declare the exported file system: the shared directory, the clients allowed to mount it and their options)
4. sudo chmod 777 data (give every user read, write and execute permission on the shared folder so that the client can write to it; a world-writable export means any user on any permitted client can alter the files, so the export in /etc/exports should at least be limited to the LAN and keep the default root_squash, which maps a remote root to nobody)
5. sudo /etc/init.d/nfs-kernel-server restart (restart the server)
6. sudo nano devendrafromsaumitra.txt (create a file in the share to test with)
On the client side:

    mount -t nfs <ip address of the server>:/home/server-name/data /home/client-name
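Step 3 above is where the share's exposure is decided, and the exports syntax is unforgiving: a space between the client and its "(options)" silently applies the options to every host. The script below is an added example (not the project's /etc/exports) that reads an exports file and reports the settings that hand the share to the whole network. The sample file it writes is constructed; its first line is the form that matches this project's intent (data shared with the LAN only, root_squash kept), the other two are the mistakes the check is meant to catch.

```shell
#!/bin/sh
# Added example: audit /etc/exports for over-broad sharing. Not the project's own
# exports file; the sample below is constructed.

# write_sample_exports FILE: three constructed export lines.
write_sample_exports() {
    cat >"$1" <<'EOF'
# path          client(options)
/data           192.168.1.0/24(rw,sync,root_squash)
/srv/share      *(rw,no_root_squash)
/home           192.168.1.138(rw) (ro)
EOF
}

# audit_exports FILE: one finding per line. Each field after the path is
# "client(options)"; a field that is just "(options)" has an empty client,
# which exports to everyone, and a client with no "(...)" gets the defaults.
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                n = split($i, p, "[(]")
                host = p[1]; opts = (n > 1) ? p[2] : ""
                sub(/\)$/, "", opts)
                if (host == "" || host == "*")
                    print path ": exported to every host via \"" $i "\""
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path ": no_root_squash for " host " (remote root is root on the share)"
                if (opts ~ /(^|,)insecure(,|$)/)
                    print path ": insecure for " host " (mounts from unprivileged ports accepted)"
                if (opts !~ /(^|,)(ro|rw)(,|$)/)
                    print path ": access mode not stated for " host " (server defaults apply)"
            }
        }' "$1"
}

# Stand-alone: audit the constructed file.
main() {
    tmp=$(mktemp)
    write_sample_exports "$tmp"
    audit_exports "$tmp"
    rm -f "$tmp"
}
main
```

Run `audit_exports /etc/exports` after every edit and before `exportfs -ra`; `showmount -e localhost` then shows what the server actually advertises, which is the view a client on the switch gets.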
NIS
NIS (Network Information Service) is a client-server directory service protocol for distributing system configuration data such as user names, passwords and host names between computers. Its purpose is to provide information that has to be known throughout the network; typical NIS maps hold login names and password hashes, group information and hostnames. NIS has no authentication of its own, and ypcat passwd returns the password hashes to any host that can reach the server, so it is only suitable for a trusted LAN such as the one in this project.
Configuration steps
1. On the server side
- sudo apt-get install portmap
- sudo update-rc.d portmap defaults 10
- sudo apt-get install nis (enter the NIS domain name, sharma.com, when asked)
- sudo nano /var/yp/Makefile
- sudo service portmap restart
- sudo service nis restart
- sudo /usr/lib/yp/ypinit -m (initialise the master server's maps; this is a command to run, not a file to edit)
2. Add the users and set their passwords
- sudo useradd -d /home/username -m username
- sudo passwd username
3. Rebuild the NIS maps so that the new accounts are published, and check them
- cd /var/yp/
- sudo make
- ypcat passwd
4. On the client
- sudo apt-get install portmap
- sudo update-rc.d portmap defaults 10
- sudo apt-get install nis
- sudo nano /etc/yp.conf and set the domain and server: domain sharma.com server devendra.sharma.com
- sudo nano /etc/nsswitch.conf and add nis to the passwd, group and shadow lines
- sudo chmod 777 /home (read, write and execute permission for everyone on /home, so that NIS users can log in on the client without a home directory of their own there; the usual alternative is to share the home directories over NFS with normal ownership)
- sudo reboot
- ypcat passwd
- Log out and log in as user1
VPN
A VPN is used to extend a private network across a public network. It lets the sender benefit from the security of being on a private network while still communicating over a public one.
Configuration steps
- Install OpenVPN: sudo apt-get install openvpn
- Generate a static key on the server: openvpn --genkey --secret static.key
- Copy the key to the client over a secure channel such as scp. Anyone who obtains this file can join the tunnel, and because static-key mode has no per-session key exchange, a captured key also decrypts recorded traffic
- On the server, create a new /etc/openvpn/tun0.conf file containing:

    dev tun0
    ifconfig 192.168.1.108 192.168.1.131
    secret /etc/openvpn/static.key

  The two ifconfig addresses are the local and remote ends of the tunnel: 192.168.1.108 is the server, 192.168.1.131 the client. The tunnel should use a subnet separate from the LAN; with the LAN addresses reused as here, the tun0 and eth0 routes overlap and the server's tunnel address is also its eth0 address.
- On the client, copy /etc/openvpn/static.key from the server and create a new /etc/openvpn/tun0.conf file containing:

    remote your-server.org
    dev tun0
    ifconfig 192.168.1.131 192.168.1.108
    secret /etc/openvpn/static.key

  Note that the ifconfig order is reversed on the client: the first address is always the local end, the second the remote end.
Testing
The network components were all connected via a switch. The following checks were carried out to ensure that the basic configuration of the network was working:
- The client got its IP address from the DHCP server
- The client was able to reach the created web page by its name, elyes.sharma.com
- After some minor adjustments to the firewall the host was denied access to the web server, which showed that the firewall was in effect
- Several clients were connected to the switch to ensure that the DHCP server did not assign addresses outside the pool
- The allocated addresses were checked to ensure that none was among the reserved (statically assigned) addresses