Data Networking/Fall 2014/SRKT
Group Candidates
1. Rohit Gomashe
2. Pratyusha Keerthi K R
3. Sahil Jain
4. Tushar Shinde
Purpose of Project
Today Linux runs on switches, routers and workstations in most industries, because it is an open-source operating system and can be customised. That is why we chose this project: the experience will be useful to us in industry.
Protocols
DNS:
DNS stands for Domain Name System; it resolves the domain name in a URL into an IP address. On an intranet such as our network, DNS can resolve only the hostnames and IP addresses listed in its zone files, whereas on the Internet DNS maps domain names to IP addresses by delegating each domain to authoritative servers.
DNS uses UDP to fetch the IP address of a hostname; a query is resolved by one of two processes:
- Recursive process
- Iterative process
Mapping a hostname to an IP address is called a forward DNS query, and mapping an IP address to a hostname is called a reverse DNS query. We configured BIND9 according to our project requirements. BIND stands for Berkeley Internet Name Domain and contains both a name server and a resolver library.
DHCP:
DHCP (Dynamic Host Configuration Protocol) runs over the layer-three protocol (Internet Protocol) to assign IP addresses to the devices connected to the same network. There are three methods by which a DHCP server allocates IP addresses:
Dynamic Allocation: devices connected to the network are dynamically allocated IP addresses when the network is initialised.
Static Allocation: every device requesting an IP address is permanently assigned an IP address.
Automatic Allocation: DHCP allocates IP addresses based on a predefined mapping from MAC address to IP address.
IP allocation is done in four phases: discover, offer, request, acknowledge.
DHCP Server Discovery: the client broadcasts a DHCP Discover message with source address 0.0.0.0.
DHCP Server Offer: the DHCP server responds with an Offer message, which includes the transaction ID, process ID, subnet mask and IP address lease time.
DHCP Request: the client sends a DHCP Request message in response to the Offer, indicating that it is ready to accept the configuration information carried in the Offer. Unlike the Discover message, the Request message includes the client's MAC address.
DHCP ACK: the DHCP server sends an ACK message in response to the DHCP Request, carrying the information the client asked for.
The Requirements
LINUX OS
BIND9
UBUNTU 14.04
APACHE 2 to implement the web server
ISC-DHCP-SERVER for the DHCP implementation
Steps to perform the setup / installation
Installation of Domain Name System (DNS):
For static interfaces (the eth0 stanza in /etc/network/interfaces on the DNS server):
auto eth0
iface eth0 inet static
    address 192.168.3.254
    netmask 255.255.255.0
    network 192.168.3.0
    broadcast 192.168.3.255
    gateway 192.168.3.1
    dns-nameservers 192.168.3.254
    dns-search dnlab.net
For named.conf.local:
# Forward
zone "dnlab.net" {
    type master;
    file "/etc/bind/db.dnlab.net";
};
# Reverse
zone "3.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
};
For the forward lookup table (/etc/bind/db.dnlab.net):
$TTL 86400
@       IN  SOA     dnlab.net. root.dnlab.net. (
                        1        ; Serial
                        604800   ; Refresh
                        86400    ; Retry
                        2419200  ; Expire
                        86400 )  ; Negative Cache TTL
;
@       IN  NS      dnlab.net.
@       IN  A       192.168.3.254
a1      IN  A       192.168.3.201
a2      IN  A       192.168.3.202
a3      IN  A       192.168.3.203
c1      IN  A       192.168.3.204
mail    IN  A       192.168.3.210
@       IN  MX  10  mail.dnlab.net.
www     IN  CNAME   c1.dnlab.net.
For the reverse lookup table (/etc/bind/db.192):
$TTL 86400
@       IN  SOA     dnlab.net. root.dnlab.net. (
                        1        ; Serial
                        604800   ; Refresh
                        86400    ; Retry
                        2419200  ; Expire
                        86400 )  ; Negative Cache TTL
;
@       IN  NS      dnlab.net.
201     IN  PTR     a1.dnlab.net.
202     IN  PTR     a2.dnlab.net.
203     IN  PTR     a3.dnlab.net.
204     IN  PTR     c1.dnlab.net.
210     IN  PTR     mail.dnlab.net.
For the master zone files (named.conf.local on the master, allowing zone transfers only to 192.168.3.253):
# Forward
zone "dnlab.net" {
    type master;
    file "/etc/bind/db.dnlab.net";
    allow-transfer { 192.168.3.253; };
};
# Reverse
zone "3.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.3.253; };
};
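An added example, not part of the project's own files: a Python cross-check of a forward and a reverse zone in the format above. The embedded zones are constructed to resemble the dnlab.net files, with deliberate slips, and the checker reports A records without a PTR, PTR records without a matching A, and CNAME/NS/MX targets that have no record in the zone, which are the forward-zone, reverse-zone, CNAME and A checks the test plan lists. A PTR owner such as 201.3.168.192.in-addr.arpa. is turned back into 192.168.3.201 by reversing its labels.

```python
import re

# Constructed zones modelled on the page's dnlab.net files, with deliberate slips to detect:
# the apex A has no PTR, .202 reverses to a3 instead of a2, and www points at a host with no A.
FORWARD = """$TTL 86400
@   IN SOA dnlab.net. root.dnlab.net. ( 2 ; Serial
        604800 86400 2419200 86400 )
@   IN NS    dnlab.net.
    IN A     192.168.3.254
a1  IN A     192.168.3.201
a2  IN A     192.168.3.202
www IN CNAME c1.dnlab.net.
"""
REVERSE = """$TTL 86400
@   IN SOA dnlab.net. root.dnlab.net. ( 2 604800 86400 2419200 86400 )
@   IN NS  dnlab.net.
201 IN PTR a1.dnlab.net.
202 IN PTR a3.dnlab.net.
"""

def fqdn(name, origin):
    return origin if name == '@' else name if name.endswith('.') else name + '.' + origin

def parse_zone(text, origin):
    # (owner, type, rdata) triples; handles ';' comments, '( ... )' continuations, '@', blank owners.
    text = re.sub(r';[^\n]*', '', text)
    text = re.sub(r'\([^)]*\)', lambda m: m.group(0).replace('\n', ' '), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith('$'):
            continue
        if line[0] not in ' \t':               # an owner in column one; otherwise inherit the last
            first, line = line.split(None, 1)
            owner = fqdn(first, origin)
        toks = line.split()
        while toks[0].isdigit() or toks[0] == 'IN':   # optional TTL and class
            toks.pop(0)
        records.append((owner, toks[0], toks[1:]))
    return records

def check(forward, reverse, origin='dnlab.net.', rev_origin='3.168.192.in-addr.arpa.'):
    fw, rv = parse_zone(forward, origin), parse_zone(reverse, rev_origin)
    a = {(o, r[0]) for o, t, r in fw if t == 'A'}
    ptr = {('.'.join(reversed(o.rstrip('.').split('.')[:-2])), r[0]) for o, t, r in rv if t == 'PTR'}
    names = {o for o, _, _ in fw}
    out = ['A %s -> %s has no matching PTR' % (n, ip) for n, ip in sorted(a) if (ip, n) not in ptr]
    out += ['PTR %s -> %s has no matching A' % (ip, n) for ip, n in sorted(ptr) if (n, ip) not in a]
    out += ['%s %s points at unknown name %s' % (t, o, r[-1]) for o, t, r in fw
            if t in ('CNAME', 'NS', 'MX') and fqdn(r[-1], origin) not in names]
    return out
```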
Commands used in installing DHCP on Linux:
DHCP (IPV4) Steps
1) To install DHCP server:
sudo apt-get install isc-dhcp-server
2) DHCP file configuration:
sudo gedit /etc/default/isc-dhcp-server
Set INTERFACES="eth0" in this file.
sudo gedit /etc/dhcp/dhcpd.conf
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.100 192.168.3.150;
    option domain-name-servers 192.168.3.254;
    option domain-name "dnlab.net";
    option broadcast-address 192.168.3.255;
    default-lease-time 600;
    max-lease-time 7200;
}
3) Command to edit the network interfaces file:
sudo gedit /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 192.168.3.2
    netmask 255.255.255.0
    broadcast 192.168.3.255
    gateway 192.168.3.1
    dns-nameservers 192.168.3.254
    dns-search tsm
4) DHCP Server restart:
sudo /etc/init.d/isc-dhcp-server restart
DHCP log:
sudo tail -f /var/log/syslog
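The four-phase exchange described under Protocols, and the pool from the dhcpd.conf in step 2 above, modelled in Python as an added example (not the project's code, which relies on isc-dhcp-server): the DISCOVER, OFFER, REQUEST and ACK messages are encoded with their BOOTP header and options, and a server allocates from 192.168.3.100-150 with a 600-second lease. The transaction id, client MACs and the rival server identifier in the test are constructed values; a REQUEST that names another server's identifier, or an address this server never offered to that MAC, is left unanswered.

```python
import struct
import ipaddress
# Message types and option codes from RFC 2131 / RFC 2132.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_MASK, OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 50, 51, 53, 54, 255
HDR = '!BBBBIHH4s4s4s4s16s64s128s'   # the 236-byte BOOTP fixed header
MAGIC = b'\x63\x82\x53\x63'           # DHCP magic cookie that precedes the options

def build(op, xid, mac, opts, yiaddr='0.0.0.0'):
    # Fixed header (ciaddr stays 0.0.0.0, as in DISCOVER), cookie, TLV options, END marker.
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, b'\0' * 4, ipaddress.ip_address(yiaddr).packed,
                      b'\0' * 4, b'\0' * 4, mac + b'\0' * 10, b'\0' * 64, b'\0' * 128)
    return hdr + MAGIC + b''.join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def parse(pkt):
    # Decode transaction id, offered address (yiaddr), client MAC (chaddr) and the options.
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError('not a DHCP message')
    opts, i = {}, 240
    while pkt[i] != OPT_END:
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {'xid': f[4], 'yiaddr': str(ipaddress.ip_address(f[8])), 'mac': f[11][:6],
            'type': opts[OPT_MSG_TYPE][0], 'opts': opts}

class Server:
    # Allocator for the page's dhcpd.conf pool 192.168.3.100-150 with a 600 s lease (constructed).
    def __init__(self, server_ip='192.168.3.254', first=100, last=150, lease=600):
        self.id, self.leases = ipaddress.ip_address(server_ip).packed, {}
        self.free = ['192.168.3.%d' % n for n in range(first, last + 1)]
        self.common = [(OPT_MASK, b'\xff\xff\xff\x00'), (OPT_LEASE, struct.pack('!I', lease)),
                       (OPT_SERVER_ID, self.id)]
    def handle(self, pkt):
        m = parse(pkt)
        if m['type'] == DISCOVER:        # phase 2: OFFER a free address, remembered per client MAC
            ip = self.leases.get(m['mac']) or self.leases.setdefault(m['mac'], self.free.pop(0))
            return build(2, m['xid'], m['mac'], [(OPT_MSG_TYPE, bytes([OFFER]))] + self.common, ip)
        if m['type'] == REQUEST:         # phase 4: ACK only an address this server offered to this MAC
            want = str(ipaddress.ip_address(m['opts'][OPT_REQ_IP]))
            if m['opts'].get(OPT_SERVER_ID) != self.id or self.leases.get(m['mac']) != want:
                return None              # meant for another server, or never offered: stay silent
            return build(2, m['xid'], m['mac'], [(OPT_MSG_TYPE, bytes([ACK]))] + self.common, want)

def run_exchange(server, mac, xid=0x3903F326):
    # Phases 1-4 for one client (DISCOVER, OFFER, REQUEST, ACK); returns the parsed ACK.
    offer = parse(server.handle(build(1, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))])))
    request = build(1, xid, mac, [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_SERVER_ID, offer['opts'][OPT_SERVER_ID]),
                                  (OPT_REQ_IP, ipaddress.ip_address(offer['yiaddr']).packed)])
    return parse(server.handle(request))
```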
DHCP (IPV6) Steps:
1) Command to install the IPv6 router advertisement daemon:
sudo apt-get install radvd
2) Command to edit the configuration file of radvd:
sudo gedit /etc/radvd.conf
interface eth0 {
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1280;
    AdvSendAdvert on;
    prefix A1B8:1111:1234:F110::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvValidLifetime 86400;
        AdvPreferredLifetime 86400;
        AdvRouterAddr on;
    };
};
3) Command to edit the DHCPv6 configuration:
sudo gedit /etc/dhcp/dhcpd6.conf
default-lease-time 6800;
max-lease-time 72000;
log-facility local7;
subnet6 A1B8:1111:1234:F110::/64 {
    range6 A1B8:1111:1234:F110::100 A1B8:1111:1234:F110::150;
}
4) Command to restart the radvd:
sudo service radvd restart
5) Command to restart dhcp6 :
sudo service isc-dhcp-server restart
Web Server:
A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests).
Every computer on the Internet that hosts a Web site must run a Web server program. Two leading Web servers are Apache, the most widely installed Web server, and Microsoft's Internet Information Server (IIS).
Web servers often come as part of a larger package of Internet- and intranet-related programs for serving e-mail, downloading requests for File Transfer Protocol (FTP) files, and building and publishing Web pages.
Apache is generally recognized as the world's most popular Web server (HTTP server). Originally designed for Unix environments, the Apache Web server has been ported to Windows and other network operating systems. The Apache Web server provides a full range of Web server features, including CGI, SSL, and virtual domains.
Installation Steps:
Apache:
sudo apt-get install apache2
echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
sudo a2enconf fqdn
sudo /etc/init.d/apache2 restart
PHP modules (server-side scripting):
sudo apt-get install php5 libapache2-mod-php5
sudo touch /var/www/html/test.php
sudo nano /var/www/html/test.php
<?php phpinfo(); ?>
phpMyAdmin and MySQL installation:
sudo apt-get install mysql-server
sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin
Firewall:
A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
The name firewall comes from a common architectural practice of placing a brick wall between two structures, to prevent a fire in one from spreading to the other.
The National Institute of Standards and Technology (NIST) 800-10 divides firewalls into three basic types:
- Packet filters
- Stateful inspection
- Proxies
Firewalls act as a platform for network security policy enforcement and network traffic inspection. They are defined by the following attributes:
Standard capabilities: Packet filtering, Stateful protocol inspection, network address translation(NAT), VPN connectivity.
Truly integrated intrusion connection: Support for vulnerability-facing and threat-facing signatures and suggesting rules based on IPS activity.
Full stack visibility and application identification: Ability to enforce policy at the application layer.
Extra firewall intelligence: ability to take information from external sources and make improved decisions.
Adaptability to modern threat landscapes: Supports upgrade paths for integration of new information feeds and new techniques to address future threats.
In-line support: with minimum performance degradation or disruption to network service.
The following are the configuration commands and relevant functionalities:
iptables -L
iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-m conntrack: allow filter rules to match on connection-tracking state; this enables the --ctstate option.
--ctstate: the list of states the rule matches. Valid states are:
- NEW: the connection has not yet been seen.
- RELATED: the connection is new, but is related to another connection already permitted.
- ESTABLISHED: the connection is already established.
- INVALID: the traffic could not be identified for some reason.
sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 22
sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 80
sudo iptables -A INPUT -j DROP -p tcp --destination-port 20
sudo iptables -A INPUT -j DROP -p tcp --destination-port 21
sudo iptables -A INPUT -j DROP -p tcp --destination-port 23
Commands to allow and deny access to ssh, http, ftp-data, ftp-control and telnet by port number.
sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allows ICMP ping (echo-reply) on the INPUT chain
sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
Allows ICMP ping (echo-request) on the OUTPUT chain
sudo sh -c "iptables-save > /etc/iptables.test.rules"
sudo gedit /etc/iptables.test.rules
Save the running rules to a file and review them.
sudo sh -c "iptables-save > /etc/iptables.up.rules"
pre-up iptables-restore < /etc/iptables.up.rules
Restore the saved rules at boot: the pre-up line is added to the eth0 stanza of /etc/network/interfaces, so the rules are loaded before the interface comes up.
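An added example, not from the page: a small first-match simulator in Python that parses the iptables commands above (with the option dashes corrected) and evaluates constructed packets against them. It shows that the ESTABLISHED,RELATED rule in front makes rule order matter, that a port no rule names falls through to the chain's default policy (ACCEPT unless it was changed with iptables -P INPUT DROP), and that the INPUT echo-reply rule admits replies to the host's own pings rather than inbound pings, which are decided by the policy.

```python
import shlex

def parse_rule(cmd):
    # Parse one 'iptables -A CHAIN ... -j TARGET' command into (chain, match, target).
    toks = shlex.split(cmd)
    toks = toks[2:] if toks[0] == 'sudo' else toks[1:]      # drop 'sudo' and 'iptables'
    opts = dict(zip(toks[::2], toks[1::2]))                 # every option used here takes one argument
    match = {'proto': opts.get('-p'), 'icmp_type': opts.get('--icmp-type')}
    port = opts.get('--dport', opts.get('--destination-port'))
    if port:
        match['dport'] = int(port)
    if '--ctstate' in opts:
        match['ctstate'] = set(opts['--ctstate'].split(','))
    match = {k: v for k, v in match.items() if v is not None}
    return opts['-A'], match, opts['-j']

# The page's ruleset, in the order the commands append the rules (option dashes corrected).
PAGE_RULES = [parse_rule(c) for c in [
    'sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
    'sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 22',
    'sudo iptables -A INPUT -j ACCEPT -p tcp --destination-port 80',
    'sudo iptables -A INPUT -j DROP -p tcp --destination-port 20',
    'sudo iptables -A INPUT -j DROP -p tcp --destination-port 21',
    'sudo iptables -A INPUT -j DROP -p tcp --destination-port 23',
    'sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT',
    'sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT',
]]

def matches(match, pkt):
    # A packet is a dict such as {'proto': 'tcp', 'dport': 22, 'ctstate': 'NEW'}.
    for key, want in match.items():
        if key == 'ctstate':
            if pkt.get('ctstate') not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt, rules=PAGE_RULES, policy='ACCEPT'):
    # First matching rule in the chain wins; anything unmatched gets the chain's default policy,
    # which stays ACCEPT unless it was changed with 'iptables -P INPUT DROP'.
    for ch, match, target in rules:
        if ch == chain and matches(match, pkt):
            return target
    return policy
```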
NFS
NFS allows a system (the NFS server) to share files with the other systems on the same network. This reduces the storage needed on each system in the network, since every system can instead access the files stored on the server through NFS.
The configuration of the NFS server and client involves the following commands:
NFS at Server:
1) Command to install the NFS server: sudo apt-get install nfs-kernel-server
2) Command to create the shared directory on the server: sudo mkdir /file
3) Command to edit the exports file (add a line exporting /file to the lab subnet, for example /file 192.168.3.0/24(rw,sync,no_subtree_check)): sudo gedit /etc/exports
4) Restart the NFS server: sudo service nfs-kernel-server restart
NFS at Client:
1) Command to install NFS on the client: sudo apt-get install nfs-common
2) Command to create the mount point on the client: sudo mkdir -p /mnt/nfs/file
3) Command to mount the shared directory: sudo mount 192.168.3.2:/file /mnt/nfs/file
Backup Server:
1) Command to install rsync:
sudo apt-get install rsync
2) Commands to set up key-based SSH between the rsync client and server:
i. To generate a key: ssh-keygen -t rsa
ii. To send the public key: scp ~/.ssh/id_rsa.pub root@192.168.3.20:/root/.ssh/authorized_keys
iii. To generate a key for the client: ssh-keygen -t rsa
iv. Send the public key to the server: scp ~/.ssh/id_rsa.pub root@192.168.3.3:/root/.ssh/authorized_keys
3) Command to create the shell script that performs the backup:
touch autobackup.sh
4) Command to edit the shell script:
vim autobackup.sh
#!/bin/sh
# Rebuild the archive of the web root and copy it to the backup host under a timestamped name.
rm -f /var/www.zip
zip -r /var/www.zip /var/www
rsync -zvr /var/www.zip root@192.168.3.20:/home/www_$(date +%Y%m%d-%H%M).zip
5) Command to make the shell script executable:
chmod +x autobackup.sh
6) Command to open the task table (crontab) and add the shell script:
crontab -e
7) Line added to the crontab to run the shell script (this schedule fires every minute):
* * */1 * * /home/autobackup.sh
VPN
VPN stands for Virtual Private Network; it enables two devices on private networks to connect over a public network. With a VPN the device on the private network communicates as though it were connected to a public network, and the VPN ensures security. A VPN is a point-to-point connection between two private networks through a dedicated connection, with the data encrypted so that it can be sent over the public network.
The VPN in our project is enabled by creating a VPN connection with an SSID and password.
For server:
1) Command to install pptpd:
sudo apt-get install pptpd
2) Command to edit the pptpd configuration:
sudo gedit /etc/pptpd.conf
localip 192.168.3.2
remoteip 192.168.3.100-150
The DNS server handed to VPN clients is set in /etc/ppp/pptpd-options:
ms-dns 192.168.3.254
Note that this remoteip range overlaps the DHCP pool 192.168.3.100-150 in dhcpd.conf; the two pools should not share addresses.
3) Change the configuration file for the VPN's username and password:
sudo gedit /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret      IP addresses
dnlab       pptpd     dnlab.net   *
4) Restart the server:
sudo service pptpd restart
NIS:
NIS stands for Network Information System, a directory protocol for distributing data to the systems on the same network. The data distributed by the NIS database includes login names, passwords, group names, hostnames and IP addresses. For example, if a password is recorded in the NIS database, the systems on the same network that have an NIS client configured can be accessed with the same login credentials. The NIS implemented in our project holds a record of the username-to-password mapping, and clients can only read the records.
NIS Server configuration:
1) Command to install NIS (enter the NIS domain name, nis.dnlab.net, when prompted):
sudo apt-get install nis portmap
2) Command to edit the configuration:
sudo gedit /etc/yp.conf
3) Command to initialise the database on the master:
sudo /usr/lib/yp/ypinit -m
NIS Client configuration:
1) Command to install on the NIS client:
sudo apt-get install nis portmap
2) Command to edit the configuration:
sudo gedit /etc/yp.conf
3) Commands to add the NIS entries to /etc/passwd, /etc/group and /etc/shadow respectively:
sudo gedit /etc/passwd
sudo gedit /etc/group
sudo gedit /etc/shadow
PXE Boot and RARP:
Testing
Test Plan
DNS server
Testing of following entries
1. Forward zone
2. Reverse zone
3. CNAME
4. A Name
5. Ping
Testing DNS:
dig
nslookup (Name Server Lookup)
ping
Testing DHCP:
ifconfig
cat /var/lib/dhcp/dhcpd.leases
sudo dhclient
Testing Web Server:
By entering the webpage name www.dnlab.net in the client we were able to fetch a web page from the web server.
Testing Firewall:
When a client whose IP address is blocked tries to ping the server, the result is “request time out” and “server not reachable”.
Testing Backup:
Backup testing was performed by synchronising the files to a fixed directory; the presence of the file is confirmed with the ls command.
Future Prospects
Future Scope:
1. We could have implemented the Lightweight Directory Access Protocol for maintaining a directory.
2. We could have implemented a cloud server and a BitTorrent server.
3. We could have implemented modularity in the network.
4. We could have implemented VLANs.
Citations
Websites referred:
https://help.ubuntu.com/community/
https://wiki.debian.org/WiFi/AdHoc
https://help.ubuntu.com/community/SettingUpNFSHowTo
http://www.garron.me/en/go2linux/how-setup-dns-server-master-slave-bind.html
https://help.ubuntu.com/lts/serverguide/dhcp.html
http://www.syslinux.org/wiki/index.php/PXELINUX#DHCP_Config_-_PXE-1
Books referred:
Computer Networking: A Top-Down Approach, 6/e James F. Kurose, Keith W. Ross