Data Networking/Fall 2014/Olaoluwa Oloniniyi

Group Members

  • Devandra Sharma
  • Elyes Ighilaza
  • Olaoluwa Oloniniyi
  • Chris Lazar

Introduction

The aim of this Linux project was to demonstrate, on a small scale, the interoperability of several network components by building a complete network for a start-up company. The requirement was a private network with its own DNS and DHCP servers. The network was implemented with one switch and three computers running Ubuntu.

The network components being combined are:

  • DNS: Domain Name System
  • DHCP: Dynamic Host Configuration Protocol
  • Web server and firewall
  • Client

The general operation of the network is as follows:

  • A client that has no IP address obtains one from the DHCP server. The address must lie within a specified range and satisfy the specified conditions (lease times, gateway and DNS server handed out with it).
  • The client requests the web page by hostname. The query goes to the DNS server, which resolves the hostname to the web server's IP address so that the client's browser can connect to it.
  • The firewall monitors and filters incoming and outgoing traffic on the network.

DNS

The Domain Name System (DNS) is a hierarchical, distributed naming system for services and hosts connected to the internet or to a private network. Its best-known service is the resolution of hostnames to IP addresses. Humans would find it very difficult to keep track of the IP addresses of their favourite websites; DNS resolves hostnames such as www.google.com or www.yahoo.com to the appropriate IP addresses, saving us from memorising large numbers of addresses. The hierarchy exists for several reasons, the most important being to avoid a single point of failure in the naming system. DNS follows a hierarchical model with four layers, starting from the top:

  • Global root servers (13 root server identities in total, each served by many machines)
  • Top level domain servers (.net, .edu, .com, .org)
  • Authoritative DNS servers, providing authoritative hostname to IP mappings for an organisation's servers (e.g. web, mail)
  • Local name server, which strictly speaking does not belong to the hierarchy. Each ISP (and, in this project, the private network itself) runs one; when a host makes a DNS query, the query is sent to its local name server first, which walks the hierarchy on the host's behalf

Configuration steps

1. sudo apt-get install bind9

Install the BIND 9 package.

2. sudo nano /etc/hosts

Add the server's own name and address (192.168.1.128 devandra.sharma.com devandra) so the host can resolve itself before BIND is running.

3. sudo nano /etc/bind/named.conf.local

Create the forward and reverse lookup zones. The reverse zone for 192.168.1.0/24 is named with the first three octets reversed under in-addr.arpa:

                  zone "sharma.com" {
                      type master;
                      file "/etc/bind/zones/sharma.com.db";
                  };
                  zone "1.168.192.in-addr.arpa" IN {
                      type master;
                      file "/etc/bind/zones/1.168.192.in-addr.arpa.db";
                  };

4. sudo mkdir /etc/bind/zones

Make a directory "zones" inside the bind directory to hold the zone files referenced above.

5. sudo cp /etc/bind/db.local /etc/bind/zones/sharma.com.db

Copy the template zone file into the zones directory and edit it to contain the forward records. A name ending in a dot is fully qualified; a name without one has the zone name appended automatically, so the NS record and the CNAME target must carry their trailing dots.

       $TTL    604800
       @       IN      SOA     sharma.com.     root.sharma.com. (
                               2               ; Serial
                               604800          ; Refresh
                               86400           ; Retry
                               2419200         ; Expire
                               604800 )        ; Negative Cache TTL

       @               IN      NS      devandra.sharma.com.
       sharma.com.     IN      A       192.168.1.128
       devandra        IN      A       192.168.1.128
       ;also list other computers
       ola             IN      A       192.168.1.138
       elyes           IN      A       192.168.1.108
       www             IN      CNAME   elyes.sharma.com.

6. sudo cp /etc/bind/db.127 /etc/bind/zones/1.168.192.in-addr.arpa.db

Copy the template into the zones directory as the reverse lookup file.

7. sudo nano /etc/bind/zones/sharma.com.db

Edit the forward lookup zone file (contents as in step 5). Increase the serial number every time either zone file is changed, otherwise secondary servers will not transfer the change.

8. sudo nano /etc/bind/zones/1.168.192.in-addr.arpa.db

Edit the reverse lookup zone file. The owner of each PTR record is the last octet of the address, relative to the zone origin 1.168.192.in-addr.arpa; the name server and the PTR targets must be fully qualified (an NS of "devandra." would point at a non-existent top-level domain):

       $TTL    604800
       @       IN      SOA     sharma.com.     root.sharma.com. (
                               3               ; Serial
                               604800          ; Refresh
                               86400           ; Retry
                               2419200         ; Expire
                               604800 )        ; Negative Cache TTL
       ;
       @       IN      NS      devandra.sharma.com.
       128     IN      PTR     devandra.sharma.com.
       138     IN      PTR     ola.sharma.com.
       108     IN      PTR     elyes.sharma.com.

9. sudo nano /etc/resolv.conf

Edit resolv.conf so that the machine queries the new name server and searches the project's zone for unqualified names. With search sharma.com the name ola is looked up as ola.sharma.com; a search domain of elyes.sharma.com would make it look for ola.elyes.sharma.com, which does not exist:

    nameserver	192.168.1.128
    search		sharma.com

On Ubuntu 14.04 this file is regenerated by resolvconf at boot and on DHCP renewals, so to make the settings persist put them in /etc/network/interfaces as dns-nameservers and dns-search on the interface stanza (the DHCP section below does this for the static host), or hand them to clients through the DHCP options.
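The forward and reverse zones above are maintained by hand, and the two easily drift apart: a host added to one file but not the other, a name missing its trailing dot, a serial that was not bumped. The script below is an added example and not part of the original project. It generates both zone files for sharma.com from a single host table, so every A record has a matching PTR and every target is fully qualified, cross-checks the two, and runs named-checkzone on the result when BIND's tools are installed. The host table, zone name, name server and output directory are assumptions taken from the values on this page.

```shell
#!/bin/sh
# Added example: generate matching forward and reverse zone files for a /24
# from one host table. Assumptions (taken from this page): zone sharma.com,
# network 192.168.1.0/24, name server devandra. Files are written under $OUT.
set -eu

ZONE=${ZONE:-sharma.com}
NET=${NET:-192.168.1}          # first three octets of the /24
NS_HOST=${NS_HOST:-devandra}   # host that runs bind9
OUT=${OUT:-./zones}

# Host table, "name ip" per line (constructed from the addresses on this page).
HOSTS='devandra 192.168.1.128
ola 192.168.1.138
elyes 192.168.1.108'

# YYYYMMDDnn serial: a secondary only transfers a zone whose serial grew.
serial() { date +%Y%m%d01; }

# SOA header shared by both zones. Trailing dots mark fully qualified names;
# without one BIND appends the zone name (the "NS devandra." mistake).
soa() {
    printf '$TTL 604800\n'
    printf '@ IN SOA %s.%s. root.%s. (\n' "$NS_HOST" "$ZONE" "$ZONE"
    printf '    %s ; Serial\n' "$(serial)"
    printf '    604800 ; Refresh\n    86400 ; Retry\n'
    printf '    2419200 ; Expire\n    604800 ) ; Negative Cache TTL\n'
    printf '@ IN NS %s.%s.\n' "$NS_HOST" "$ZONE"
}

# Forward zone: one A record per host plus the www alias used by the project.
gen_forward() {
    soa
    printf '%s\n' "$HOSTS" | awk '{ printf "%-10s IN A %s\n", $1, $2 }'
    printf '%-10s IN CNAME elyes.%s.\n' www "$ZONE"
}

# Reverse zone: the owner is the last octet, relative to the zone origin
# 1.168.192.in-addr.arpa, and the PTR target must be fully qualified.
gen_reverse() {
    soa
    printf '%s\n' "$HOSTS" | awk -v z="$ZONE" \
        '{ split($2, o, "."); printf "%-10s IN PTR %s.%s.\n", o[4], $1, z }'
}

# Cross-check: the (last octet, host) pairs must be identical in both zones.
check_consistent() {
    fwd=$(gen_forward | awk '$3 == "A" { split($4, o, "."); print o[4], $1 }' | sort)
    rev=$(gen_reverse | awk -v z="$ZONE" \
        '$3 == "PTR" { sub("\\." z "\\.$", "", $4); print $1, $4 }' | sort)
    [ "$fwd" = "$rev" ]
}

# Write both files under $OUT and syntax-check them if bind9utils is present.
write_zones() {
    rev_zone=$(printf '%s' "$NET" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }')
    mkdir -p "$OUT"
    gen_forward > "$OUT/$ZONE.db"
    gen_reverse > "$OUT/$rev_zone.db"
    check_consistent
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$OUT/$ZONE.db"
        named-checkzone "$rev_zone" "$OUT/$rev_zone.db"
    fi
}

case "${1:-}" in
    write) write_zones ;;
esac
```

Run it as `sh genzones.sh write` with OUT=/etc/bind/zones (as root) and then `sudo service bind9 reload`. Before pointing clients at the server, confirm both directions from another host with `dig @192.168.1.128 www.sharma.com` and `dig @192.168.1.128 -x 192.168.1.138`; an answer whose AUTHORITY section names devandra.sharma.com. shows that the NS record was read as a fully qualified name.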

DHCP

Dynamic Host Configuration Protocol (DHCP) dynamically assigns network configuration parameters such as IP address, gateway, network mask and DNS server. It removes the need to configure every host on the network by hand; instead, a host that discovers it has no IP address goes through the following exchange with the server:

  • The host broadcasts a DHCP DISCOVER message.
  • Each DHCP server that hears it answers with a DHCP OFFER containing a proposed address and lease.
  • The host chooses an offer and broadcasts a DHCP REQUEST for that address, so that all servers learn which offer was taken.
  • The chosen server confirms the lease with a DHCP ACK (or refuses it with a DHCPNAK).

When the lease later comes up for renewal the host already has an address, so only the last two steps (REQUEST and ACK) are repeated.

Configuration steps

1. Install the DHCP server

    sudo apt-get install isc-dhcp-server

2. Create the IP pool in /etc/dhcp/dhcpd.conf

  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.130 192.168.1.254;
    option domain-name-servers 192.168.1.128;
    option domain-name "sharma.com";
    option routers 192.168.1.128;
    option broadcast-address 192.168.1.255;
    default-lease-time 600;
    max-lease-time 7200;
    }

The domain-name option is the search domain handed to clients, so it must be the project's own zone. The range must not contain addresses that are assigned statically elsewhere: as written it includes 192.168.1.138, which the DNS zone gives to ola, so either shrink the range or reserve that address for ola's MAC address with a host declaration. The server must also be told which interface to listen on (INTERFACES="eth0" in /etc/default/isc-dhcp-server), and dhcpd -t reports syntax errors in the configuration before a restart.

3. Assign a static IP address to the DHCP server itself (in /etc/network/interfaces; a DHCP server cannot be a DHCP client of itself)

    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
    address 192.168.1.108
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.128
    dns-nameservers 192.168.1.128

4. Restart the DHCP server

    sudo service isc-dhcp-server restart
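The pool above (192.168.1.130 to 192.168.1.254) contains 192.168.1.138, which the DNS zone assigns statically to ola; a lease handed out for that address would collide with the static host. The check below is an added example and not part of the project: it converts the pool bounds and the static addresses to integers and lists every static address that falls inside a range declared in a dhcpd.conf. The addresses and the sample configuration fragment are constructed from the values on this page.

```shell
#!/bin/sh
# Added example: find static addresses that fall inside a dhcpd range.
# Assumed values are the ones on this page: the pool 192.168.1.130-254 and
# the static hosts devandra (.128), elyes (.108) and ola (.138).
set -eu

# Constructed sample of the relevant part of /etc/dhcp/dhcpd.conf.
SAMPLE_CONF='subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.130 192.168.1.254;
  option routers 192.168.1.128;
}'

# Dotted quad to integer, printed with %.0f so that awk never switches to
# exponent notation for values above 2^31.
ip2int() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# pool_overlaps START END IP... prints every IP inside [START, END] and
# returns 1 if there was at least one, 0 if the pool is clean.
pool_overlaps() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2"); shift 2
    found=0
    for ip in "$@"; do
        n=$(ip2int "$ip")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            printf '%s\n' "$ip"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# check_dhcpd_conf IP... reads a dhcpd.conf on stdin, extracts every
# "range START END;" line and checks each pool against the given static IPs.
check_dhcpd_conf() {
    statics=${*:-}
    ranges=$(awk '$1 == "range" { sub(";", "", $3); print $2, $3 }')
    status=0
    # shellcheck disable=SC2086  # split "START END START END ..." into words
    set -- $ranges
    while [ $# -ge 2 ]; do
        pool_overlaps "$1" "$2" $statics || status=1
        shift 2
    done
    return "$status"
}

case "${1:-}" in
    check) shift; check_dhcpd_conf "$@" < /etc/dhcp/dhcpd.conf ;;
esac
```

Run it on the live configuration as `sh poolcheck.sh check 192.168.1.128 192.168.1.108 192.168.1.138`; it prints each static address that a lease could be issued for and exits non-zero if there are any, which makes it usable as a pre-restart check next to `dhcpd -t`.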

Web server

In simple terms a web server is the system that hosts a web page. It serves the page on request from a client, processing those requests over HTTP, the basic protocol used to distribute information on the World Wide Web. In this project the following steps take place when the client requests the page:

  • The client asks the DNS server to resolve the hostname elyes.sharma.com and receives the IP address 192.168.1.108.
  • Using HTTP, the browser sends a GET request to the web server at that address asking for the page, with the hostname in the Host header.
  • The web server responds with the HTML of the page, which the browser renders.

Configuration steps

1. Install Apache: sudo apt-get install apache2

2. We checked that the installation worked by opening http://localhost in a web browser on the server, which shows Apache's default page.

3. The web page is created in the folder /var/www/html, the default document root of Apache 2.4 on Ubuntu 14.04.

4. We created a file index.html there and wrote the HTML for the page (the markup itself is not reproduced on this page).

5. The IP address of the web server is static, since it is the same machine as the DHCP server; the interface configuration in /etc/network/interfaces is the one from the DHCP section:

    auto eth0
    iface eth0 inet static
    address 192.168.1.108
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.128
    dns-nameservers 192.168.1.128

Firewall

With the increase in threats to network security there is a need for several lines of defence against unwanted access to network resources. In this project the network resource is the web page and the line of defence implemented is a firewall. The firewall controls incoming and outgoing traffic by checking each packet against a set of rules that decide whether it is allowed through or blocked.

The firewall was implemented with iptables, the Linux user-space tool for configuring the kernel's netfilter packet filter. It lets a system distinguish permitted from forbidden traffic using the chains and rules it stores. Packets traverse chains such as PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING, each of which governs traffic at a different point on its path through the host: INPUT for packets addressed to the host itself, OUTPUT for packets it generates, FORWARD for packets routed through it. Rules within a chain are evaluated in order and the first match decides, so the order in which rules are added matters; if no rule matches, the chain's default policy applies.

Configuration steps

Configuration used

1. View the current rules: iptables -L -n -v
2. Flush the existing rules: iptables -F
3. Allow loopback connections: iptables -A INPUT -i lo -j ACCEPT
4. Allow the LAN to reach the web server: iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT (--dport is only valid together with -p tcp or -p udp, and the source network must be the project's own LAN, 192.168.1.0/24, or no client can reach the page)
5. Allow replies to connections initiated from the host: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
6. Prevent spoofing: iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP (a packet claiming a loopback source address but arriving on a real interface is forged; dropping 127.0.0.0/8 on lo itself would instead break local services, and would never be reached anyway after rule 3)
7. Limit ping requests: iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
8. Allow SSH connections: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
9. Allow all outgoing traffic from the host: iptables -P OUTPUT ACCEPT
10. Drop traffic that matches none of the rules: iptables -P INPUT DROP

Rules entered this way live only in the running kernel and are gone after a reboot; save them with iptables-save (the iptables-persistent package on Ubuntu restores /etc/iptables/rules.v4 at boot). Set the DROP policy last, as above, after the rules that accept the traffic of your own session, so that a remote SSH session used to configure the firewall is not interrupted.
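The ten commands above have to be typed in the right order every time the host boots, and a mistake part-way through leaves the host half-protected. The script below is an added example and not the project's own code: it expresses the same policy as one ordered list of iptables arguments and applies each line in turn, so setting IPT=echo gives a dry run that can be reviewed before touching a live host. It assumes the LAN 192.168.1.0/24 of this page, a web server on tcp/80 and SSH on tcp/22, and adds one rule the page does not have, dropping packets in the INVALID connection-tracking state.

```shell
#!/bin/sh
# Added example: the ruleset from this section as a repeatable script.
# Assumptions: LAN 192.168.1.0/24 (this page's network), web server on
# tcp/80, SSH on tcp/22. Run as root; set IPT=echo to print the rules
# instead of applying them.
set -eu

LAN=${LAN:-192.168.1.0/24}
IPT=${IPT:-iptables}

# Rules in evaluation order; each line is the argument list of one iptables
# call. The anti-spoofing DROP sits before any ACCEPT that could match a
# forged packet, the ESTABLISHED rule precedes the DROP policy so an existing
# SSH session survives, and INVALID is dropped early (not on the page's list).
firewall_rules() {
    cat <<EOF
-F INPUT
-P OUTPUT ACCEPT
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
-A INPUT -p tcp -s $LAN --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s $LAN --dport 22 -m state --state NEW -j ACCEPT
-P INPUT DROP
EOF
}

# Apply (or, with IPT=echo, print) each rule in order.
apply_rules() {
    firewall_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule must be word-split into arguments
        $IPT $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; apply_rules ;;
esac
```

`sh firewall.sh show` prints the exact commands that `sudo sh firewall.sh apply` would run; after applying, confirm with `iptables -L -n -v` that the packet counters on the port-80 rule increase when a client loads the page, then `iptables-save > /etc/iptables/rules.v4` so the policy survives a reboot.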

Backup

There is always a need for a contingency plan where networks are concerned, hence the backup. Configuring a backup involves two phases: the actual file transfer, carried out with rsync, and scheduling that transfer to run periodically as a cron job.

Configuration process

  • Install rsync if it is not already available: apt-get install rsync
  • Create the target directory on the backup host
  • Transfer the files over SSH: rsync -av -e ssh /root/(source folder)/ root@(backup host):/(destination folder)/ (the trailing slash on the source copies the directory's contents; -a preserves permissions, ownership and timestamps). For the job to run unattended from cron, the backup host must accept key-based SSH authentication, since cron cannot type a password.
  • Edit the crontab (crontab -e) and add a new cron job for the rsync command
  • 1 2 3 4 5 /path/to/command arg1 arg2 (1 = minute, 2 = hour, 3 = day of month, 4 = month, 5 = day of week)

The crontab is very flexible and allows commands to be run at any combination of times, which is easily specified. It also has several shortcuts that can be used in place of the five time fields, such as @daily /path/to/command arg1 or @hourly /path/to/command arg1, to run the job daily or hourly respectively.

Additionally, cron mails any output a job produces, on success or failure, to the address given by MAILTO="example@example.com" at the top of the crontab; a job that is silent on success and prints an error on failure therefore gives a useful notification.

Add-ons

The following add-ons were carried out to make the project more robust

  • NFS
  • NIS
  • VPN

NFS

Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to access files over a network much as local storage is accessed. The process is as follows:

  • The server implements NFS processes, which makes its data available to clients over the LAN.
  • The server determines what to make available.
  • The server security-administration ensures that it can recognize and approve validated clients.
  • The server network configuration ensures that appropriate clients can negotiate with it through any firewall system.
  • The client machine requests access to exported data which the server grants to the allowed client.

Configuration steps

 sudo apt-get install nfs-kernel-server (install the NFS server)
 sudo mkdir data (create the folder to be exported)
 sudo nano /etc/exports (declare the exported directory and which clients may mount it; restrict the export to the LAN rather than to every address)
 sudo chmod 777 data (give the client write access; this makes the directory world-writable, so beyond a lab network give ownership to the intended user instead)
 sudo service nfs-kernel-server restart (restart the server)
 sudo nano data/devendrafromsaumitra.txt (create a test file inside the exported folder for the client to read)
 On the client side:
 sudo mount -t nfs <ip address of the server>:/home/server-name/data /home/client-name
 The mount point should be an empty directory: mounting over /home/client-name hides whatever that directory already contains until the share is unmounted.

NIS

NIS (Network Information Service) is a client–server directory service protocol for distributing system configuration data such as user and host names between computers. Its purpose is to provide information that has to be known throughout the network: login names and passwords, group information, hostnames and so on. The password map is served to any host that knows the NIS domain name, and the protocol carries it without encryption, so NIS is acceptable only on a trusted LAN such as this project's.

Configuration steps

1. On the server

   •	sudo apt-get install portmap
   •	sudo update-rc.d portmap defaults 10
   •	sudo apt-get install nis (enter the NIS domain name, sharma.com, when prompted)
   •	sudo nano /var/yp/Makefile
   •	sudo service portmap restart
   •	sudo service nis restart
   •	sudo /usr/lib/yp/ypinit -m (build the initial maps, with this host as the master)

2. Add the users

   •	sudo useradd -d /home/username -m username

3. Assign passwords to the users

   •	sudo passwd username

4. Rebuild the maps and check that the new users appear in them

   •	cd /var/yp/
   •	sudo make
   •	ypcat passwd

5. On the client

   •	sudo apt-get install portmap
   •	sudo update-rc.d portmap defaults 10
   •	sudo apt-get install nis (enter the same domain name, sharma.com)
   •	sudo nano /etc/yp.conf
       Add the line: domain sharma.com server devandra.sharma.com (the server name must resolve, so it has to match the A record in the DNS zone above)
   •	sudo nano /etc/nsswitch.conf
       Append nis to the passwd, group and shadow lines so that lookups fall back to NIS after the local files
   •	sudo chmod 777 /home

Permission to read, write and execute files. This makes every home directory world-writable; it is not needed if the NIS users' home directories are served from the NFS export above with the correct ownership.

   •	sudo reboot
   •	ypcat passwd
   •	Log out and log in as user1

VPN

A VPN extends a private network across a public network. It lets the sender enjoy the security of being on the private network while communicating over the public one, because the traffic between the two tunnel endpoints is encrypted and authenticated.

Configuration steps

  •	Install OpenVPN: sudo apt-get install openvpn
  •	Generate a static key on the server: openvpn --genkey --secret static.key
  •	Copy the key to the client over a secure channel such as scp and keep it readable only by root (chmod 600) on both machines. Anyone who obtains this key can join the tunnel, and static-key mode has no forward secrecy, so the key must be regenerated if it is ever exposed.
  •	On the server, create a new /etc/openvpn/tun0.conf file containing:

        dev tun0
        ifconfig 192.168.1.108 192.168.1.131
        secret /etc/openvpn/static.key

  •	The first ifconfig address is the server's end of the tunnel and the second is the client's end. These are addresses of the tunnel interface tun0, so they must come from a subnet that is not already in use on either host; on this project's 192.168.1.0/24 LAN the two shown collide with the hosts' own interface addresses, and a separate private range (for example 10.9.8.1 for the server and 10.9.8.2 for the client) should be used instead.
  •	On the client, copy /etc/openvpn/static.key from the server and create a new /etc/openvpn/tun0.conf file containing the following. The client lists its own tunnel address first and the server's second, the reverse of the server's line:

        remote your-server.org
        dev tun0
        ifconfig 192.168.1.131 192.168.1.108
        secret /etc/openvpn/static.key

Testing

The network components were all connected via a switch. The following checks were carried out to ensure that the basic configuration of the network was working properly:

  •	The client obtained its IP address from the DHCP server.
  •	The client was able to reach the web page by name, elyes.sharma.com, which exercises DNS, the web server and the firewall together.
  •	With a minor change to the firewall rules the host was denied access to the web server, which showed that the firewall was in effect.
  •	Several clients were connected to the switch to confirm that the DHCP server never assigned an address outside the configured range.
  •	The allocated addresses were checked to ensure that none of them was among the reserved (statically assigned) addresses.
