Data Networking/Fall 2014/Raghav Surianarayanan
Team
1. Anirudh Mittal
2. Raghav Surianarayanan
3. Shaurya Katiyar
4. Subramaniam Veerabahu
Motivation
Linux has become a force in almost every networking application, which gives us the motivation to explore the OS. Linux is one of the most powerful open-source operating systems, and proficiency in it is a key skill for a successful career in networking. Hoping to develop that proficiency, we decided to take up this project.
Behaviour of Protocols
Domain Name System
The central idea of DNS is that it resolves host names into IP addresses. When a website name is typed into the address bar of the browser, a DNS server looks up the corresponding IP address of the website and returns it to the user. The client first sends a DNS query to the server, and the server replies with a response carrying the IP address of the website; once the address is known, the host can be reached and data retrieved from it. To reduce latency, a BIND9 server with caching can be used: whenever a response is received for a DNS query, it is cached on the server, so later lookups of the same name are answered from the cache and the time the user waits to obtain data from the webpage is considerably reduced.
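The query/response exchange described above, as an added example that is not part of the original project: it builds an A query for www.linux.abc, parses a constructed response carrying the zone's A record with its 604800-second TTL (the value a caching BIND9 uses to decide how long to keep the answer), and rejects a response whose transaction ID does not match the query, the basic check a caching resolver makes before trusting an answer. The response bytes and the transaction ID 0x1234 are constructed for this example.

```python
import struct

def build_query(name, qid, qtype=1):
    """Build a recursive DNS query (QTYPE 1 = A, QCLASS 1 = IN) with transaction ID qid."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)          # flags: RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Read a domain name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer into the message
            if end is None:
                end = off + 2                         # the field ends after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg, expected_id):
    """Return rcode and the A records (name, ttl, ip) of the response to the query with expected_id."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_id:          # a resolver drops replies it did not ask for instead of caching them
        raise ValueError("transaction ID %#x does not match query %#x" % (qid, expected_id))
    off = 12
    for _ in range(qd):                               # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record; ttl is how long a cache may keep it
            answers.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": answers}

def constructed_response(query):
    """Constructed reply (not a capture) to query: www.linux.abc A 192.168.1.8, TTL 604800 as in the zone file."""
    qid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)          # flags: QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 604800, 4) + bytes([192, 168, 1, 8])
    return header + query[12:] + answer
```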
Dynamic Host Configuration Protocol
Assigning IP addresses to networking components can be done in the following ways.
i) Static Allocation: In this method, IP addresses to networking components like computers, routers etc. are assigned statically and remain constant until changed by the network administrator.
ii) Automatic Allocation: In this method, the same IP address is allocated to a system whenever it connects to a particular network.
iii) Dynamic Allocation: In this method, a DHCP server allocates IP addresses to devices from a pool of addresses specified in the DHCP server configuration. Both IPv4 and IPv6 addresses can be provided using a DHCP server. A suitable subnet mask needs to be configured for correct allocation of IP addresses and to prevent wasting addresses.
Webserver & Firewall
In order to host a website, we need a web server running on the Linux OS; Apache2 is the most popular one. In addition, a firewall provides a layer of security by controlling the incoming and outgoing traffic of the network. All traffic not permitted by the set of rules in the iptables configuration is denied by the firewall at the gateway router (the router between the private network and the public network).
Requirements
The main requirement is a Linux-based OS. This project is implemented using Ubuntu 14.04. In addition, BIND9 for implementing DNS caching, the ISC DHCP server for dynamic IP allocation and the Apache2 server for hosting a website are required.
Installation Steps
DNS
Step 1: Edit /etc/network/interfaces
Command:
sudo nano /etc/network/interfaces
Add
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
Step 2: Restart the networking daemon
Command:
sudo /etc/init.d/networking restart
Step 3: Create a hostname
Command:
sudo nano /etc/hostname
ubuntu
Step 4: Create a domain-name by editing /etc/hosts
Command:
sudo nano /etc/hosts
Add
127.0.0.1 localhost
192.168.1.5 ubuntu.linux.abc ubuntu
Restart the server
Step 5: Install BIND9
Command:
sudo apt-get install bind9
Step 6: Configure named.conf.options
Command:
sudo nano /etc/bind/named.conf.options
Add (inside the options { } block)
forwarders {
# ISP DNS IPs
192.168.1.1;
8.8.8.8;
8.8.4.4;
};
Step 7: Configure named.conf.local
Command:
sudo nano /etc/bind/named.conf.local
Edit
# Forward zone
zone "linux.abc" {
type master;
file "/etc/bind/zones/db.linux.abc";
};
# Reverse Zone
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.192";
};
Step 8: Create the zones folder and the forward zone file db.linux.abc
Command:
Make the directory /etc/bind/zones
sudo mkdir /etc/bind/zones
Copy db.local to db.linux.abc
sudo cp /etc/bind/db.local /etc/bind/zones/db.linux.abc
Open db.linux.abc file
sudo nano /etc/bind/zones/db.linux.abc
Edit the file
$TTL 604800
@ IN SOA linux.abc. admin.linux.abc. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS linux.abc.
@ IN A 192.168.1.8
itworks IN A 192.168.1.10
macbook IN CNAME itworks.linux.abc.
www IN A 192.168.1.8
Save and Exit
Step 9: Create the reverse zone file db.192
Command:
Copy db.127 to db.192
sudo cp /etc/bind/db.127 /etc/bind/zones/db.192
Open db.192 file
sudo nano /etc/bind/zones/db.192
Edit the file
$TTL 604800
@ IN SOA linux.abc. admin.linux.abc. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS linux.abc.
8 IN PTR linux.abc.
10 IN PTR itworks.linux.abc.
Save and Exit
Check whether both zones load correctly
# Forward Zone
named-checkzone linux.abc /etc/bind/zones/db.linux.abc
zone linux.abc/IN: loaded serial 1
OK
# Reverse Zone
named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192
zone 1.168.192.in-addr.arpa/IN: loaded serial 1
OK
Step 10: Configure resolv.conf
Command:
sudo nano /etc/resolv.conf
Edit
nameserver 192.168.1.5
domain linux.abc
search linux.abc
Restart the bind server and check the log file for no errors
sudo /etc/init.d/bind9 restart
tail -f /var/log/syslog
DHCP
Step 1: Install the DHCP server package
Command:
sudo apt-get install isc-dhcp-server
Step 2: Edit the isc-dhcp-server file
Command:
sudo nano /etc/default/isc-dhcp-server
On line 11 change:
INTERFACES="eth0"
Save and Exit
Step 3: Edit the file /etc/dhcp/dhcpd.conf
Create a backup of /etc/dhcp/dhcpd.conf
Command:
sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original
Login as root
sudo -i
Create configuration file dhcpd.conf:
cat > /etc/dhcp/dhcpd.conf <<-EOF
option domain-name "linux.abc";
option domain-name-servers ns1.linux.abc, ns2.linux.abc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.30;
range 192.168.1.60 192.168.1.80;
option domain-name-servers 192.168.1.5, 192.168.1.6;
option domain-name "serv.linux.abc";
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
}
EOF
Step 4: Restart the DHCP server
Command:
sudo service isc-dhcp-server restart
Webserver
Step 1: Install the Apache2 web server
Command:
sudo apt-get install apache2
Step 2: Check whether the web server is listening on port 80
Command:
netstat -a | more
Step 3: Restart the web server
Command:
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
Step 4: Develop a webpage for the server
Command:
cd /var/www
sudo nano index.html
Firewall
The firewall is configured by the system administrator through iptables rules; the rules below are appended to the INPUT chain.
1. In order to block ICMP echo requests (ping):
sudo iptables -A INPUT -d <IP address of the destination> -p icmp --icmp-type echo-request -j DROP
2. In order to prevent SSH login:
sudo iptables -A INPUT -s <IP address of the source> -d <IP address of the destination> -p tcp --dport ssh -j DROP
3. In order to block FTP ports:
sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 20 -j DROP
sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 21 -j DROP
4. In order to block the port used by Telnet:
sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 23 -j DROP
5. To block the webpage (HTTP, port 80) for a particular client:
sudo iptables -A INPUT -d 192.168.1.8 -s 192.168.1.22 -p tcp --dport 80 -j DROP
Additional Features
Mail Server
Postfix is the default mail transfer agent for Ubuntu.
Step 1: Install postfix
Command:
sudo apt-get install postfix
Step 2: Configure the following:
Command:
sudo dpkg-reconfigure postfix
Insert the following details:
1. General type of mail configuration: Internet Site
2. NONE does not appear in current config
3. System mail name: linux.abc
4. Root and postmaster mail recipient: <admin_user_name>
5. Other destinations for mail: server1.linux.abc
6. Force synchronous updates on mail queue?: No
7. Local networks: 127.0.0.0/8
8. Yes does not appear to be requested in current config
9. Mailbox size limit (bytes): 0
10. Local address extension character: +
11. Internet protocols to use: all
Step 3: Configure the mailbox format for Maildir
Command:
sudo postconf -e 'home_mailbox = Maildir/'
sudo postconf -e 'mailbox_command ='
Step 4: Configure Postfix to do SMTP AUTH using SASL
Command:
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
Generate certificates to be used for TLS encryption and/or certificate Authentication
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
sudo mv smtpd.key /etc/ssl/private/
sudo mv smtpd.crt /etc/ssl/certs/
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Step 5: Configure Postfix to do TLS encryption for incoming and outgoing mail:
Command:
sudo postconf -e 'smtp_tls_security_level = may'
Step 6: Restart the postfix daemon
Command:
sudo /etc/init.d/postfix restart
VPN
Step 1: Install the pptpd package used to configure the VPN
Command:
sudo apt-get install pptpd
Step 2: Edit /etc/pptpd.conf and set
Command:
localip <IP of VPN server>
remoteip 192.168.1.10-30
Step 3: Edit the /etc/ppp/pptpd-options file
Command:
ms-dns 192.168.1.254
Step 4: Set the user ID and password
Command:
sudo nano /etc/ppp/chap-secrets
user pptpd password *
The dash (-) in the remoteip line denotes a range of IP addresses.
NFS
Step 1: Configure the NFS server
Command:
sudo apt-get install nfs-kernel-server
sudo mkdir /export/shared
sudo chmod 777 /export/shared
Edit the file
sudo nano /etc/exports
On the last line
append ==> /export/shared <ip address of the client>(rw,sync,no_root_squash)
Note: there must be no space between the client address and the options; with a space, the options would apply to every host.
Save and Exit
Change the directory and create the file whose data is to be seen by the client
cd /export/shared
touch newfile
sudo nano newfile
sudo reboot
Restart the server
sudo service nfs-kernel-server restart
Step 2: Configure the NFS client
Command:
sudo apt-get install nfs-common
Make a mount point in /home and mount the exported directory
sudo mkdir /home/<clientpath>
sudo mount <serverip>:/export/shared /home/<clientpath>
sudo reboot
sudo mount -a
Master & Slave
Step 1: Edit /etc/hosts
Command:
sudo nano /etc/hosts
Add
127.0.0.1 localhost
192.168.1.5 ubuntu.linux.abc ubuntu
192.168.1.6 <slave-hostname>.linux.abc <slave-hostname>
Step 2: Edit /etc/bind/named.conf.local on the master virtual machine
Command:
sudo nano /etc/bind/named.conf.local
Edit
# Forward zone
zone "linux.abc" {
type master;
allow-transfer { <ip address of the slave>; };
file "/etc/bind/zones/db.linux.abc";
};
# Reverse Zone
zone "1.168.192.in-addr.arpa" {
type master;
allow-transfer { <ip address of the slave>; };
file "/etc/bind/zones/db.192";
};
Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine
Command:
sudo nano /etc/bind/named.conf.local
Edit
# Forward zone
zone "linux.abc" {
type slave;
masters { <ip address of the master>; };
file "/var/cache/bind/db.linux.abc"; // slave zone files must live in a directory writable by named
};
# Reverse Zone
zone "1.168.192.in-addr.arpa" {
type slave;
masters { <ip address of the master>; };
file "/var/cache/bind/db.192"; // slave zone files must live in a directory writable by named
};
Backup
The tools used for backup are rsync and ssh.
rsync synchronizes files between hosts; it transfers only the data that has not yet been synchronized with the backup copy.
The SSH protocol provides a secure channel for sending and receiving files between Unix machines; the traffic is encrypted and decrypted at the two ends.
Crontab is used for scheduling the backups.
Step 1: Install rsync
sudo apt-get install rsync
Step 2: Install ssh
sudo apt-get install openssh-server
Step 3: Create a public and a private key for security
ssh-keygen -t rsa -b 2048
Step 4: Copy this into the web server
ssh-copy-id -i /root/.ssh/id_rsa.pub webserver@ipaddress
Step 5: Edit crontab
crontab -e
Step 6: Add a schedule entry that runs the rsync command from the crontab, automating the backup of the webserver
rsync -avzh -e ssh webserver@ipaddress:/var/www /home/backupserver/DestinationFolder
PXE Boot and RARP
The Bootstrap Protocol (BOOTP) is a network protocol used by a client to obtain an IP address from a server that holds a pool of addresses. PXE boot is an extension of BOOTP and DHCP. Using PXE boot, thousands of Linux terminals can be booted from a remote server.
The configuration for PXE boot has the following four steps:
Step 1: Configure dhcp service
Add these lines:
allow booting;
allow bootp;
filename "/pxelinux.0";
Step 2: Restart the dhcp service
Configure the tftp service
sudo apt-get install tftp-server
sudo nano /etc/xinetd.d/tftp
Change "disable=yes" to "disable=no"
sudo service xinetd restart
Step 3: Configure the vsftpd service
sudo apt-get install vsftpd
sudo nano /etc/vsftpd.conf
Add
anon_root=/mnt
anon_upload_enable=NO
Step 4: Configure the pxe service
sudo mkdir /tftpboot
sudo cp /usr/lib/syslinux/pxelinux.0 /tftpboot/
Copy the file to boot Ubuntu to /tftpboot and boot Ubuntu using PXE boot.
Test Plan
DNS Test
The following commands are used for DNS testing:
1) Dig
Domain Information Groper (dig) is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers.
2) Nslookup
nslookup is a command used to query DNS servers. Interactive mode lets the user query name servers for information about hosts and domains; non-interactive mode prints only the name and the requested information for a single host or domain.
3) Ping
Ping is used to check the network-layer reachability of the server.
4) Host
Host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.
DHCP Test
A device entering the network receives an IP address allocated by the DHCP server. The address can be verified using ifconfig (ipconfig on Windows).
sudo dhclient -r - This command releases the current lease so that a fresh one can be requested
cat /var/lib/dhcp/dhcpd.leases - This command is used to view the leases provided by the DHCP server to each device
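As an added example that is not part of the original project, the following parser reads the dhcpd.leases format shown by the cat command above and checks each active lease against the two range statements and the max-lease-time from the dhcpd.conf in the installation steps, flagging leases the current configuration would not hand out. The lease records are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Pools and limit configured in the dhcpd.conf above (two range statements, max-lease-time 7200).
POOLS = [("192.168.1.10", "192.168.1.30"), ("192.168.1.60", "192.168.1.80")]
MAX_LEASE_TIME = 7200
# Constructed sample in dhcpd.leases syntax (not a real capture); dhcpd writes timestamps in UTC.
SAMPLE_LEASES = """lease 192.168.1.12 {
  starts 3 2014/11/19 15:02:11;
  ends 3 2014/11/19 15:12:11;
  binding state active;
}
lease 192.168.1.45 {
  starts 3 2014/11/19 15:05:40;
  ends 3 2014/11/19 18:05:40;
  binding state active;
}
lease 192.168.1.61 {
  starts 3 2014/11/19 14:00:00;
  ends 3 2014/11/19 14:10:00;
  binding state free;
}
"""
LEASE_RE = re.compile(r"^lease (\S+) \{(.*?)^\}", re.S | re.M)

def parse_leases(text):
    """Return one dict per lease block with its ip, binding state, starts and ends."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        lease = {"ip": ip, "state": None, "starts": None, "ends": None}
        for line in body.strip().splitlines():
            words = line.strip().rstrip(";").split()
            if words[:2] == ["binding", "state"]:
                lease["state"] = words[2]
            elif words[0] in ("starts", "ends"):          # "<weekday> YYYY/MM/DD HH:MM:SS"
                lease[words[0]] = datetime.strptime(" ".join(words[2:]), "%Y/%m/%d %H:%M:%S")
        leases.append(lease)
    return leases

def audit(leases, pools=POOLS, max_lease=MAX_LEASE_TIME):
    """Flag active leases outside the configured pools or longer than max-lease-time."""
    findings = []
    for lease in (l for l in leases if l["state"] == "active"):
        ip = ipaddress.ip_address(lease["ip"])
        if not any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi) for lo, hi in pools):
            findings.append((lease["ip"], "outside configured pool"))
        if (lease["ends"] - lease["starts"]).total_seconds() > max_lease:
            findings.append((lease["ip"], "exceeds max-lease-time"))
    return findings
```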
Webserver Test
Open the web browser and enter the host name or the local IP address. If the page loads, the web server is up and running.
Firewall Test
A client can try to ping the servers that are blocked. If the response is a request timeout, the firewall has blocked the client and is working properly.
The client will not gain access to the webpage because it is forbidden.