Data Networking/Fall 2014/Raghav Surianarayanan

Team

1. Anirudh Mittal
2. Raghav Surianarayanan
3. Shaurya Katiyar
4. Subramaniam Veerabahu

Motivation

The Linux operating system has become a force in almost every networking application, which gives us the motivation to work with it. Linux is a powerful open-source operating system, and proficiency in it is a key skill for a successful career in networking. Hoping to develop good proficiency in Linux, we decided to take up this project.

Behaviour of Protocols

Domain Name System

The central idea of DNS is that it resolves host names into IP addresses. When a website name is typed into the browser's address bar, a DNS server finds the corresponding IP address and returns it to the user. The host first sends a DNS query to the server, and the server replies with a response containing the website's IP address. Once the IP address is known, the host can reach the site and retrieve data from it. To reduce latency, a BIND9 server with caching can be used: whenever a response to a DNS query is received, it is cached on the server, so later lookups for the same name are answered locally and the time taken to load a previously visited page is considerably reduced.

Dynamic Host Configuration Protocol

IP addresses can be assigned to networking components in the following ways.
i) Static allocation: IP addresses of networking components such as computers and routers are assigned manually and remain constant until changed by the network administrator.
ii) Automatic allocation: the same IP address is allocated to a system each time it connects to a particular network.
iii) Dynamic allocation: a DHCP server allocates IP addresses to devices from a pool of addresses configured on the server. Both IPv4 and IPv6 addresses can be provided by DHCP. A suitable subnet mask must be specified so that addresses are allocated correctly and none are wasted.

Webserver & Firewall

In order to host a website, a webserver must run on the Linux OS. Apache2 is the most widely used webserver. In addition, a firewall provides a layer of security by controlling the incoming and outgoing traffic of a network. All traffic other than that permitted by the rules in the IP tables is denied by the firewall at the gateway router (the router between the private network and the public network).

Requirements

The main requirement is a Linux-based OS. This project is implemented on Ubuntu 14.04. In addition, BIND9 (for DNS caching), the DHCP server (for dynamic IP allocation) and Apache2 (for hosting a website) are required.

Installation Steps

Step 1: Edit /etc/network/interfaces
Command:

               sudo nano /etc/network/interfaces

Add

               auto eth0
               iface eth0 inet static
               address 192.168.1.5
               netmask 255.255.255.0
               network 192.168.1.0
               broadcast 192.168.1.255
               gateway 192.168.1.1

Step 2: Restart the networking daemon
Command:

               sudo /etc/init.d/networking restart

Step 3: Create a hostname
Command:

               sudo nano /etc/hostname

Put the host name in the file

               ubuntu

Step 4: Create a domain-name by editing /etc/hosts
Command:

               sudo nano /etc/hosts

Add

               127.0.0.1   localhost
               192.168.1.5 ubuntu.linux.abc ubuntu

Restart the server.
Step 5: Install BIND9
Command:

               sudo apt-get install bind9

Step 6: Configure named.conf.options
Command:

               sudo nano /etc/bind/named.conf.options

Add the upstream resolvers as forwarders inside the options block:

               forwarders {
                   # ISP DNS IPs
                   192.168.1.1;
                   8.8.8.8;
                   8.8.4.4;
               };

Step 7: Configure named.conf.local
Command:

             sudo nano /etc/bind/named.conf.local

Edit

             # Forward zone
             zone "linux.abc" {
                 type master;
                 file "/etc/bind/zones/db.linux.abc";
             };
             # Reverse zone
             zone "1.168.192.in-addr.arpa" {
                 type master;
                 file "/etc/bind/zones/db.192";
             };

Step 8: Create two database files db.linux.abc and db.192 in zones folder
Command:
Make the directory /etc/bind/zones

               sudo mkdir /etc/bind/zones

Copy db.local to db.linux.abc

               sudo cp /etc/bind/db.local  /etc/bind/zones/db.linux.abc

Open db.linux.abc file

               sudo nano /etc/bind/zones/db.linux.abc

Edit the file

               $TTL    604800
               @ IN SOA linux.abc. admin.linux.abc. (
                              1  ; Serial
                         604800  ; Refresh
                          86400  ; Retry
                        2419200  ; Expire
                         604800 )  ; Negative Cache TTL
               ;
               @ IN NS linux.abc.   ; trailing dot makes the name absolute, otherwise the origin is appended

Step 9: Add the host records to db.linux.abc, below the NS record
Command:

               @       IN A     192.168.1.8
               itworks IN A     192.168.1.10
               macbook IN CNAME itworks.linux.abc.
               www     IN A     192.168.1.8

Save and Exit
Copy db.127 to db.192

               sudo cp /etc/bind/db.127 /etc/bind/zones/db.192

Open db.192 file

               sudo nano /etc/bind/zones/db.192

Edit the file

               $TTL    604800
               @ IN SOA linux.abc. admin.linux.abc. (
                              1  ; Serial
                         604800  ; Refresh
                          86400  ; Retry
                        2419200  ; Expire
                         604800 )  ; Negative Cache TTL
               ;
               @  IN NS  linux.abc.
               8  IN PTR linux.abc.          ; 192.168.1.8, names must be absolute (trailing dot)
               10 IN PTR itworks.linux.abc.  ; 192.168.1.10

Save and Exit
Check whether both zones are working properly

               # Forward zone
               named-checkzone linux.abc /etc/bind/zones/db.linux.abc
               zone linux.abc/IN: loaded serial 1
               OK
               # Reverse zone (the zone name is the in-addr.arpa name, not linux.abc)
               named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192
               zone 1.168.192.in-addr.arpa/IN: loaded serial 1
               OK
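named-checkzone only checks that each file parses on its own. A cross-check that the two zone files agree with each other, added here as an example (not from the original page or from BIND): it lists the A records of db.linux.abc and the PTR records of db.192, then reports every address without a PTR and every PTR whose name has no matching A record. The zone contents are embedded as constructed copies of the page's data with one deliberately wrong PTR added; ORIGIN and REV_PREFIX are assumed from the page's 192.168.1.0/24 setup.

```shell
#!/bin/sh
# Cross-check the forward zone (A records) against the reverse zone (PTR records):
# every A address needs a PTR, and every PTR must point at a name with that A record.
ORIGIN="linux.abc"
REV_PREFIX="192.168.1"
# Constructed copies of the page's zone data (sample input, not read from
# /etc/bind); the last PTR is deliberately wrong so that a finding is shown.
FWD_ZONE='$TTL 604800
@ IN SOA linux.abc. admin.linux.abc. ( 1 604800 86400 2419200 604800 )
@ IN NS linux.abc.
@ IN A 192.168.1.8
itworks IN A 192.168.1.10
macbook IN CNAME itworks.linux.abc.
www IN A 192.168.1.8'
REV_ZONE='$TTL 604800
@ IN SOA linux.abc. admin.linux.abc. ( 1 604800 86400 2419200 604800 )
@ IN NS linux.abc.
8 IN PTR linux.abc.
10 IN PTR itworks.linux.abc.
22 IN PTR macbook.linux.abc.'

# Print "fqdn ip" for each A record; "@" stands for the zone origin.
forward_pairs() {
    printf '%s\n' "$FWD_ZONE" | awk -v origin="$ORIGIN" '$2 == "IN" && $3 == "A" {
        name = ($1 == "@") ? origin : ($1 "." origin); print name, $4 }'
}

# Print "fqdn ip" for each PTR record, rebuilding the address from its last octet.
reverse_pairs() {
    printf '%s\n' "$REV_ZONE" | awk -v prefix="$REV_PREFIX" '$2 == "IN" && $3 == "PTR" {
        sub(/\.$/, "", $4); print $4, prefix "." $1 }'
}

# One line per inconsistency; prints nothing when the two zones agree.
check_zone_consistency() {
    fwd=$(forward_pairs | sort -u)
    rev=$(reverse_pairs | sort -u)
    printf '%s\n' "$fwd" | while read -r name ip; do
        printf '%s\n' "$rev" | awk -v ip="$ip" '$2 == ip { ok = 1 } END { exit !ok }' \
            || echo "no PTR for $ip ($name)"
    done
    printf '%s\n' "$rev" | while read -r name ip; do
        printf '%s\n' "$fwd" | awk -v n="$name" -v ip="$ip" \
            '$1 == n && $2 == ip { ok = 1 } END { exit !ok }' \
            || echo "PTR $ip -> $name has no matching A record"
    done
}

check_zone_consistency
```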

Step 10: Configure resolv.conf
Command:

              sudo nano /etc/resolv.conf

Edit

              nameserver      192.168.1.5
              domain linux.abc
              search linux.abc

The keyword must be lowercase "nameserver"; a capitalised line is ignored. On Ubuntu 14.04 this file is regenerated by resolvconf, so a direct edit may not survive a reboot; the same settings can be put in /etc/resolvconf/resolv.conf.d/head or as dns-nameservers and dns-search lines in /etc/network/interfaces.
Restart the BIND server and check the log file for errors

              sudo /etc/init.d/bind9 restart
              tail -f /var/log/syslog

DHCP

Step 1: Install the DHCP server package
Command:

               sudo apt-get install isc-dhcp-server

Step 2: Edit the isc-dhcp-server file
Command:

               sudo nano /etc/default/isc-dhcp-server

On line 11 change:

               INTERFACES="eth0"

Save and Exit

Step 3: Edit the file /etc/dhcp/dhcpd.conf
Create a backup of /etc/dhcp/dhcpd.conf
Command:

               sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original

Login as root

               sudo -i

Create configuration file dhcpd.conf:

                cat > /etc/dhcp/dhcpd.conf <<-EOF
                option domain-name "linux.abc";
                # these names must be resolvable when dhcpd parses the file; the subnet block below overrides them
                option domain-name-servers ns1.linux.abc, ns2.linux.abc;
                default-lease-time 600;
                max-lease-time 7200;
                subnet 192.168.1.0 netmask 255.255.255.0 {
                    # one range statement per block of addresses (dhcpd does not accept a comma-separated list)
                    range 192.168.1.10 192.168.1.30;
                    range 192.168.1.60 192.168.1.80;
                    option domain-name-servers 192.168.1.5, 192.168.1.6;
                    option domain-name "serv.linux.abc";
                    option routers 192.168.1.1;
                    option broadcast-address 192.168.1.255;
                }
                EOF

Step 4: Restart the DHCP server
Command:

                sudo service isc-dhcp-server restart

Webserver

Step 1: Install Apache2 Webserver
Command:

                sudo apt-get install apache2 

Step 2: Check whether the web server is able to listen on port 80
Command:

                netstat -a | more 

Step 3: Restart the web server
Command:

                sudo /etc/init.d/apache2 stop
                sudo /etc/init.d/apache2 start

Step 4: Develop a webpage for the server
Command:

                cd /var/www
                sudo nano index.html

Firewall

The firewall lets the system administrator control traffic through the iptables rules. The rules below are appended (-A) to the INPUT chain; the chain's default policy stays ACCEPT, so only the traffic named in a rule is dropped and everything else is still let through.
1. In order to block ICMP echo requests (ping):

               sudo iptables -A INPUT -d <IP address of the destination> -p icmp --icmp-type echo-request -j DROP

2. In order to prevent SSH login:

               sudo iptables -A INPUT -s <IP address of the source> -d <IP address of the destination> -p tcp --dport ssh -j DROP

3. In order to block FTP ports:

               sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 20 -j DROP
               sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 21 -j DROP

4. In order to block the port used by Telnet:

               sudo iptables -A INPUT -d 192.168.1.8 -p tcp --dport 23 -j DROP

5. To block the webpage (HTTP, port 80) for one client:

               sudo iptables -A INPUT -d 192.168.1.8 -s 192.168.1.22 -p tcp --dport 80 -j DROP
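The rules above drop individual ports while the INPUT chain still accepts everything else. An allow-list version for the same web server, added as an example that is not part of the original page: the chain's default policy becomes DROP and only SSH from the LAN, HTTP, rate-limited ping and already established connections are accepted. ADMIN_NET is an assumption; the rules are printed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Allow-list firewall for the page's web server (192.168.1.8): the INPUT policy
# becomes DROP and only the needed services are opened, so a service that was
# forgotten (telnet, FTP, ...) is closed by default instead of needing its own
# DROP rule. The rules are printed for review; apply with:  firewall_rules | sudo sh
SERVER_IP="192.168.1.8"      # host being protected (from the page)
ADMIN_NET="192.168.1.0/24"   # assumption: only the LAN may open SSH sessions

firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -s $ADMIN_NET -d $SERVER_IP -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -d $SERVER_IP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP: "
# policies are set last, so an SSH session used to apply this is kept by the ESTABLISHED rule
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
EOF
}

# True when the generated rule set opens the given TCP port.
port_is_allowed() {
    firewall_rules | grep -q -- "--dport $1 -j ACCEPT"
}

firewall_rules
```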

Additional Features

Mail Server

Postfix is the default mail transfer agent for Ubuntu.
Step 1: Install postfix
Command:

               sudo apt-get install postfix

Step 2: Configure the following:
Command:

                sudo dpkg-reconfigure postfix

Insert the following details:
1. General type of mail configuration: Internet Site
2. NONE doesn't appear in current config
3. System mail name: linux.abc
4. Root and postmaster mail recipient: <admin_user_name>
5. Other destinations for mail: server1.linux.abc
6. Force synchronous updates on mail queue?: No
7. Local networks: 127.0.0.0/8
8. Yes doesn't appear to be requested in current config
9. Mailbox size limit (bytes): 0
10. Local address extension character: +
11. Internet protocols to use: all
Step 3: Configure the mailbox format for Maildir
Command:

               sudo postconf -e 'home_mailbox = Maildir/'
               sudo postconf -e 'mailbox_command ='

Step 4: Configure Postfix to do SMTP AUTH using SASL
Command:

               sudo postconf -e 'smtpd_sasl_local_domain ='
               sudo postconf -e 'smtpd_sasl_auth_enable = yes'
               sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
               sudo postconf -e 'broken_sasl_auth_clients = yes'
               sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
               sudo postconf -e 'inet_interfaces = all'

Generate the certificates to be used for TLS encryption and/or certificate authentication

               touch smtpd.key
               chmod 600 smtpd.key                    # keep the private key readable by its owner only
               openssl genrsa 1024 > smtpd.key        # 1024-bit RSA is below today's minimum; use 2048 or more on a real server
               openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
               openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts
               sudo mv smtpd.key /etc/ssl/private/
               sudo mv smtpd.crt /etc/ssl/certs/
               sudo mv cakey.pem /etc/ssl/private/
               sudo mv cacert.pem /etc/ssl/certs/

Step 5: Configure Postfix to do TLS encryption for incoming and outgoing mail. The setting below enables opportunistic TLS for outgoing mail; for incoming connections Postfix must also be pointed at the certificate and key generated above (smtpd_tls_cert_file and smtpd_tls_key_file) with smtpd_tls_security_level set, otherwise the generated files are never used.
Command:

               sudo postconf -e 'smtp_tls_security_level = may'

Step 6: Restart the postfix daemon
Command:

               sudo /etc/init.d/postfix restart

VPN

PPTP is the VPN used in this project; its MS-CHAPv2 authentication is known to be weak, so it should not be relied on for confidentiality today.
Step 1: Install the pptpd package used to configure the VPN
Command:

               sudo apt-get install pptpd 

Step 2: Edit /etc/pptpd.conf and change
Command:

               localip <IP of VPN server>
               remoteip 192.168.1.10 192.168.1.30

Step 3: Edit the /etc/ppp/pptpd-options file
Command:

              ms-dns 192.168.1.254 

Step 4: Set the user ID and password
Command:

              sudo nano /etc/ppp/chap-secrets
              user pptpd password *

Each line has the form "client server secret IP-addresses"; the * in the last column allows the user to be given any address from the remoteip range.

NFS

Step 1: Configuring the NFS server
Command:

               sudo apt-get install nfs-kernel-server
               sudo mkdir -p /export/shared
               sudo chmod 777 /export/shared   # world-writable for the demo; tighten the mode once the share works

Edit the file

               sudo nano /etc/exports

On the last line

               /export/shared <ip address of the client>(rw,sync,no_root_squash)

There must be no space between the client address and the options: with a space, the options apply to every host and the client entry becomes a separate, default export. no_root_squash lets the client's root user act as root on the share, so use it only for trusted clients.

Save and Exit
Change the directory

               cd /export/shared
               touch newfile
               sudo nano newfile     # enter the data that is to be seen by the client
               sudo reboot

Restart the server

              sudo service nfs-kernel-server restart

Step 2: Configuring the NFS client
Command:

               sudo apt-get install nfs-common

Create the mount-point directory (under /home) and mount the export from the server

               sudo mkdir /clientpath
               sudo mount serverip:/serverpath /clientpath
               # mount -a mounts everything listed in /etc/fstab, so add the export there if it should come back after the reboot
               sudo reboot
               sudo mount -a

Master & Slave

Step 1: Edit /etc/hosts
Command:

               sudo nano /etc/hosts

Add

               127.0.0.1   localhost
               192.168.1.5 ubuntu.linux.abc ubuntu
               192.168.1.6 <slave hostname>.linux.abc <slave hostname>

The slave needs a host name of its own; two lines carrying the same name would leave the second machine unreachable by name.

Step 2: Edit /etc/bind/named.conf.local on the master virtual machine
Command:

             sudo nano /etc/bind/named.conf.local

Edit

             # Forward zone
             zone "linux.abc" {
                 type master;
                 allow-transfer { <ip address of the slave>; };   # only the slave may pull the zone
                 file "/etc/bind/zones/db.linux.abc";
             };
             # Reverse zone
             zone "1.168.192.in-addr.arpa" {
                 type master;
                 allow-transfer { <ip address of the slave>; };
                 file "/etc/bind/zones/db.192";
             };

Step 3: Edit /etc/bind/named.conf.local on the slave virtual machine
Command:

             sudo nano /etc/bind/named.conf.local

Edit

             # Forward zone
             zone "linux.abc" {
                 type slave;
                 masters { <ip address of the master>; };
                 file "/etc/bind/zones/db.linux.abc";
             };
             # Reverse zone
             zone "1.168.192.in-addr.arpa" {
                 type slave;
                 masters { <ip address of the master>; };
                 file "/etc/bind/zones/db.192";
             };

Backup

The protocols used for backup are rsync and SSH. rsync synchronizes files between machines and transfers only the data that has changed since the last backup. SSH provides a secure, encrypted channel over which the files are sent and received between Unix machines. Crontab is used to schedule the backups.
Step 1: Install rsync

                            sudo apt-get install rsync 

Step 2: Install ssh

                            sudo apt-get install openssh-server 

Step 3: Create a public and a private key for security

                             ssh-keygen -t rsa -b 2048   # OpenSSH rejects RSA keys shorter than 1024 bits; 2048 is the default

Step 4: Copy this into the web server

                            ssh-copy-id -i /root/.ssh/id_rsa.pub webserver@ipaddress

Step 5: Edit crontab

                             crontab -e

Step 6: Add a schedule line that runs rsync over SSH from the crontab to automate the backup of the webserver (the line below runs daily at 02:00; the five fields are minute, hour, day of month, month and day of week)

                             0 2 * * * rsync -avzh -e ssh webserver@ipaddress:/var/www /home/backupserver/DestinationFolder

PXE Boot and RARP

The Bootstrap Protocol (BOOTP) is a network protocol used by a client to obtain an IP address from a server that holds a pool of addresses. PXE boot is an extension of BOOTP and DHCP. Using PXE boot, thousands of Linux terminals can be booted from a remote server.
The configuration for PXE boot has the following four steps:
Step 1: Configure dhcp service
Add these lines:

             allow booting;
             allow bootp;
             filename "/pxelinux.0";

Step 2: Restart the dhcp service
Configure the tftp service

             sudo apt-get install tftp-server
             sudo nano /etc/xinetd.d/tftp
             # change "disable = yes" to "disable = no"
             sudo service xinetd restart

Step 3: Configure the vsftp service

             sudo apt-get install vsftpd
             sudo nano /etc/vsftpd.conf
             # add the following two lines
             anon_root=/mnt
             anon_upload_enable=NO

Step 4: Configure the pxe service

             sudo mkdir /tftpboot
             sudo cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

Copy the file to boot Ubuntu to /tftpboot and boot Ubuntu using PXE boot.

Test Plan

DNS Test

The following commands are used for DNS testing:
1) dig
Domain Information Groper queries DNS name servers: it performs DNS lookups and prints the response returned by the name servers.
2) nslookup
nslookup queries DNS servers. In interactive mode the user can query name servers for information about hosts and domains; in non-interactive mode it prints just the name and the requested information for a particular host or domain.
3) ping
ping checks whether the server is reachable at the network layer.
4) host
host performs DNS lookups, resolving hostnames to IP addresses and vice versa.

DHCP Test

A device entering the network gets an IP address allocated by the DHCP server. The address can be verified with ifconfig (Linux) or ipconfig (Windows).

                sudo dhclient -r                   # on the client: releases the current lease; run dhclient again to request a fresh one
                cat /var/lib/dhcp/dhcpd.leases     # on the server: shows the leases handed out to each device
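A small parser for dhcpd.leases, added as an example and not part of the original page: it keeps only the latest record for each address (dhcpd appends a new record on every renewal or release, so an earlier "active" record may already be stale) and prints the addresses that are currently leased, with MAC and hostname. The lease records are constructed sample input in the page's 192.168.1.0/24 pool.

```shell
#!/bin/sh
# Summarise dhcpd.leases as one "ip mac hostname" line per address that is
# currently leased. Only the last record for an address counts. On the server:
#   active_leases < /var/lib/dhcp/dhcpd.leases
# The sample below is constructed; one address is renewed and one was released.
SAMPLE_LEASES='lease 192.168.1.12 {
  starts 4 2014/11/20 18:02:11;
  ends 4 2014/11/20 18:12:11;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "lab-client1";
}
lease 192.168.1.65 {
  starts 4 2014/11/20 17:40:00;
  ends 4 2014/11/20 17:50:00;
  binding state free;
  hardware ethernet 08:00:27:dd:ee:ff;
}
lease 192.168.1.12 {
  starts 4 2014/11/20 18:12:11;
  ends 4 2014/11/20 18:22:11;
  binding state active;
  next binding state free;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "lab-client1";
}'

active_leases() {
    awk '
        /^lease / { ip = $2; state = ""; mac = "?"; host = "-" }
        # only "binding state"; "next binding state" / "rewind binding state" are skipped
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" { mac = $3; sub(/;$/, "", mac) }
        $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
        /^}/ { if (state == "active") act[ip] = ip " " mac " " host; else delete act[ip] }
        END { for (ip in act) print act[ip] }' | sort
}

# The same summary over the constructed sample.
sample_active() { printf '%s\n' "$SAMPLE_LEASES" | active_leases; }

sample_active
```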

Webserver Test

Open a web browser and enter the host name or the local IP address of the server. If the page loads, the web server is up and running.

Firewall Test

A client can try to ping the servers that are blocked. If the response is "Request timed out", the firewall has blocked the client and is working properly.
Likewise, the client does not gain access to the blocked webpage, because the firewall drops its requests.

References

Websites Referred:

  1. https://help.ubuntu.com/community/BIND9ServerHowto
  2. https://help.ubuntu.com/community/Postfix
  3. https://help.ubuntu.com/community/isc-dhcp-server
  4. http://www.bind9.net
  5. http://net.tutsplus.com/tutorials/other/the-linux-firewall
  6. https://help.ubuntu.com/community/OpenVPN

Books Referred:

  1. Computer Networking: A Top-Down Approach, 6th ed., James F. Kurose and Keith W. Ross