Data Networking/Fall 2015/Zopgang
Group Members
1) Mitali Vikas Mathure
2) Priyanka Suresh Pawar
3) Neha Sudhir Mahajan
4) Shivani Santosh Jakhi
Motivation
The main objective of this project is to implement a network in a real scenario using a Linux-based operating system (Ubuntu 14.04) by configuring network elements such as DHCP, DNS, a web server, a firewall and backup. Linux is secure, its processing speed is faster compared to other systems, and it is capable enough to cater to the needs of an organization.
Understanding the Protocols
DHCP
Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed.
With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation.
The network administrator establishes DHCP servers that maintain TCP/IP configuration information and provide address configuration to DHCP-enabled clients in the form of a lease offer. The DHCP server stores the configuration information in a database that includes:
• Valid TCP/IP configuration parameters for all clients on the network.
• Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.
• Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.
• The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.
DNS
Domain Name System (or Service or Server) is an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they are easier to remember; the Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS system is, in fact, its own network: if one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
Firewall
A firewall is a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic based on a set of rules. Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:
• Packet Filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
• Application Gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
• Circuit-level Gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
• Proxy Server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Web Server
Web servers are computers that deliver (serve up) Web pages. Every Web server has an IP address and possibly a domain name. For example, if you enter the URL http://www.webopedia.com/index.html in your browser, this sends a request to the Web server whose domain name is webopedia.com. The server then fetches the page named index.html and sends it to your browser. Any computer can be turned into a Web server by installing server software and connecting the machine to the Internet. There are many Web server software applications, including public domain software and commercial packages.
Virtual Private Network
VPN means Virtual Private Network, a secure tunnel between two devices. A VPN service such as Express VPN creates a secure tunnel between your computer and every website or application you use online, allowing you to appear anonymously to be anywhere you choose.
Network File System
NFS stands for Network File System, a file system developed by Sun Microsystems, Inc. It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
Network Time Protocol
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.
Project Requirements
DHCP server [isc-dhcp-server]
DNS [bind9]
Web server [apache2]
Firewall [iptables]
Backup [ssh server]
Configuration Steps
DHCP
1. Install the DHCP server
sudo apt-get install isc-dhcp-server
2. Install radvd package
sudo apt-get install radvd
3. Set the static IP address of the DHCP server
sudo nano /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.10.4
    netmask 255.255.255.0
    gateway 192.168.10.1
    network 192.168.10.0
    broadcast 192.168.10.255
    dns-nameservers 192.168.10.2
    dns-search zopgang.com

iface eth0 inet6 static
    address 2001:db8:0:1::200
    netmask 64
    gateway 2001:db8:0:f101::130

auto eth1
iface eth1 inet dhcp

auto eth2
iface eth2 inet dhcp
4. Configure the IPv6 and IPv4 forwarding
sudo nano /etc/sysctl.conf

net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
5. Make eth0 the interface the DHCP server listens on
sudo nano /etc/default/isc-dhcp-server
INTERFACES="eth0"
6. Configure the DHCP server for ipv4
sudo nano /etc/dhcp/dhcpd.conf

subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.220 192.168.10.230;
    option domain-name-servers 192.168.10.2;
    option domain-name "zopgang.com";
    option routers 192.168.10.1;
    option broadcast-address 192.168.10.255;
    default-lease-time 600;
    max-lease-time 7200;
}
7. Edit the resolv.conf file
sudo nano /etc/resolv.conf

nameserver 192.168.10.2
8. Configure the DHCP server for ipv6
sudo nano /etc/dhcp/dhcpd6.conf

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet6 2001:db8:0:1::/64 {
    # Range for clients
    range6 2001:db8:0:1::129 2001:db8:0:1::254;

    # Range for clients requesting a temporary address
    range6 2001:db8:0:1::/64 temporary;

    # Additional options
    option dhcp6.name-servers fec0:0:0:1::1;
    option dhcp6.domain-search "domain.example";

    # Prefix range for delegation to sub-routers
    prefix6 2001:db8:0:100:: 2001:db8:0:f00:: /56;

    # Example for a fixed host address
    host specialclient {
        host-identifier option dhcp6.client-id 00:01:00:01:4a:1f:ba:e3:60:b9:1f:01:23:45;
        fixed-address6 2001:db8:0:1::127;
    }
}
9. Configuration of the radvd module
sudo nano /etc/radvd.conf

interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:0db8:0100:f101::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};
10. Reboot the system
sudo init 6
11. Restart the DHCP server
sudo service isc-dhcp-server restart
12. Restart networking
sudo service networking restart
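As an added check that is not part of the project's own steps, the following POSIX shell script verifies that none of the addresses this page assigns by hand (the gateway at 192.168.10.1, DNS at .2 and .3, the DHCP server at .4, the hosts at .110, .120 and .121) fall inside the dhcpd.conf pool 192.168.10.220 to 192.168.10.230, and that the pool lies inside the declared subnet. An overlapping pool hands a client an address that is already in static use, which shows up later as an intermittent duplicate-address problem.

```shell
#!/bin/sh
# Added example, not from the project page: sanity-check a dhcpd.conf pool
# against the addresses that are configured statically elsewhere on this page.

# Convert a dotted-quad IPv4 address to an integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK NETMASK -> 0 if ADDR belongs to NETWORK/NETMASK
in_subnet() {
    [ $(( $(ip4_to_int "$1") & $(ip4_to_int "$3") )) -eq "$(ip4_to_int "$2")" ]
}

# check_pool POOL_START POOL_END STATIC_ADDR... -> prints one line per static
# address that lies inside the lease pool; returns 1 if any conflict was found.
check_pool() {
    pool_start=$1; pool_end=$2; shift 2
    lo=$(ip4_to_int "$pool_start"); hi=$(ip4_to_int "$pool_end")
    rc=0
    for host in "$@"; do
        n=$(ip4_to_int "$host")
        if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
            echo "conflict: $host is inside the DHCP pool $pool_start-$pool_end"
            rc=1
        fi
    done
    return $rc
}

# Values taken from the configuration steps on this page.
POOL_START=192.168.10.220
POOL_END=192.168.10.230
STATIC_HOSTS="192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.110 192.168.10.120 192.168.10.121"

main() {
    in_subnet "$POOL_START" 192.168.10.0 255.255.255.0 || { echo "pool start is outside the subnet"; return 1; }
    in_subnet "$POOL_END" 192.168.10.0 255.255.255.0 || { echo "pool end is outside the subnet"; return 1; }
    check_pool "$POOL_START" "$POOL_END" $STATIC_HOSTS && echo "pool is clear of static addresses"
}

main "$@"
```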
DNS
For DNS configuration the following steps are done.
• For IPv4
1) Initially the network-manager assigns a dynamic IP address to the port, but servers need to have a static IP address. This can be done by changing the configuration in the /etc/network/interfaces file.
sudo nano /etc/network/interfaces
In this file we need to add the address for the required port and save it using Ctrl + X followed by Y.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.10.2
    netmask 255.255.255.0
    network 192.168.10.0
    broadcast 192.168.10.255
    gateway 192.168.10.1
2) After changing the /etc/network/interfaces file, reboot the system with the following command
sudo init 6
3) Restart the network-manager
sudo service network-manager restart
4) Install the bind9 server
sudo apt-get install bind9
5) After installing the bind9 server we need to make changes in the configuration files in the bind directory.
cd /etc/bind
sudo nano named.conf.options
6) In the named.conf.options we need to add the forwarders
forwarders {
    192.168.10.1;
    8.8.8.8;
    8.8.4.4;
};
7) Configure forward and reverse lookup zones in the named.conf.local
sudo nano named.conf.local

// forward lookup zone
zone "zopgang.com" {
    type master;
    allow-transfer { 192.168.10.3; };
    file "/etc/bind/zones/zopgang.com.db";
};

// reverse lookup zone for IPv4
zone "10.168.192.in-addr.arpa" {
    type master;
    allow-transfer { 192.168.10.3; };
    file "/etc/bind/zones/rev.10.168.192.in-addr.arpa";
};
8) Create a subdirectory called 'zones' under /etc/bind and create the forward lookup database file zopgang.com.db in it

$TTL    604800
@       IN      SOA     zopgang.com. root.zopgang.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      neha.zopgang.com.
@       IN      NS      ns2.zopgang.com.
neha    IN      A       192.168.10.120
neha    IN      AAAA    2001:db8:0:1::124
ns2     IN      A       192.168.10.3
pri     IN      A       192.168.10.110
pri     IN      AAAA    2001:db8:0:1::125
www     IN      CNAME   neha
9) Create the reverse lookup database file rev.10.168.192.in-addr.arpa

;
; BIND data file for the reverse zone 10.168.192.in-addr.arpa
;
$TTL    604800
@       IN      SOA     zopgang.com. root.zopgang.com. (
                              4         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      neha.zopgang.com.
@       IN      NS      ns2.zopgang.com.
120     IN      PTR     neha.zopgang.com.
110     IN      PTR     pri.zopgang.com.
10) Set the nameservers in the resolv.conf file
sudo nano /etc/resolv.conf

nameserver 192.168.10.2
nameserver 192.168.10.3
search zopgang.com
11) Restart the bind9 server
sudo service bind9 restart
12) For the slave server, repeat steps 1 to 6 and include the following in the named.conf.local file
sudo nano named.conf.local
zone "zopgang.com" {
    type slave;
    masters { 192.168.10.2; };
    file "/etc/bind/zones/zopgang.com.db";
};

zone "10.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.10.2; };
    file "/etc/bind/zones/rev.10.168.192.in-addr.arpa";
};
13) Configure the resolv.conf file as in step 10 and restart the bind9 server.
• For IPv6
1) Set a static IPv6 address on the master and slave server with the following commands
sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet6 static
    address 2001:1200:aaaa:bbbb::254
    netmask 64
    gateway 2001:1200:aaaa:bbbb::1
2) In the named.conf.local file add the reverse IPv6 zone on both master and slave.
In the master configuration file add
zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    allow-transfer { 192.168.10.3; };
    file "/etc/bind/zones/rev.ip6.arpa";
};
In the slave configuration file add
zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type slave;
    masters { 192.168.10.2; };
    file "/etc/bind/zones/rev.ip6.arpa";
};
3) In the zones directory of the master DNS server add the IPv6 reverse zone database file rev.ip6.arpa

;
; BIND data file for the reverse zone 1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
;
$TTL    604800
@       IN      SOA     zopgang.com. root.zopgang.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      neha.zopgang.com.
@       IN      NS      ns2.zopgang.com.
4.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     neha.zopgang.com.
5.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     pri.zopgang.com.
4) Restart both the master and the slave DNS server.
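The PTR owner names in step 3 were worked out nibble by nibble by hand. As an added example that is not part of the project page, the POSIX shell functions below compute the ip6.arpa zone name and the zone-relative PTR labels from an IPv6 address and the prefix length of the reverse zone, handling "::" compression and upper-case hex in general, and reproduce the page's records for 2001:db8:0:1::124 and ::125 under the /64 zone.

```shell
#!/bin/sh
# Added example, not from the project page: derive ip6.arpa names for a
# reverse zone file instead of reversing the nibbles by hand.

# Expand an IPv6 address into 32 lowercase hex nibbles, handling "::".
ipv6_nibbles() {
    addr=$1
    left=${addr%%::*}
    right=${addr#*::}
    if [ "$left" = "$addr" ]; then right=; fi       # no "::" in the address
    old_ifs=$IFS; IFS=:
    out=; tail=; n=0
    for g in $left; do
        while [ ${#g} -lt 4 ]; do g=0$g; done        # left-pad each group to 4
        out=$out$g; n=$((n + 1))
    done
    for g in $right; do
        while [ ${#g} -lt 4 ]; do g=0$g; done
        tail=$tail$g; n=$((n + 1))
    done
    IFS=$old_ifs
    while [ $n -lt 8 ]; do out=${out}0000; n=$((n + 1)); done   # zeros for "::"
    echo "$out$tail" | tr 'A-F' 'a-f'
}

# Full reverse name: the nibbles reversed, dot separated, under ip6.arpa.
ip6_arpa() {
    nib=$(ipv6_nibbles "$1"); name=
    while [ -n "$nib" ]; do
        c=${nib%"${nib#?}"}                           # first remaining nibble
        name=$c.$name
        nib=${nib#?}
    done
    echo "${name}ip6.arpa"
}

# ip6_arpa_zone ADDR PREFIXLEN -> the reverse zone that contains ADDR
ip6_arpa_zone() {
    z=$(ip6_arpa "$1"); i=$(( (128 - $2) / 4 ))
    while [ $i -gt 0 ]; do z=${z#*.}; i=$((i - 1)); done   # drop the host labels
    echo "$z"
}

# ptr_record ADDR PREFIXLEN FQDN -> the zone-relative PTR line for the zone file
ptr_record() {
    full=$(ip6_arpa "$1"); zone=$(ip6_arpa_zone "$1" "$2")
    echo "${full%.$zone} IN PTR $3"
}

ptr_record 2001:db8:0:1::124 64 neha.zopgang.com.
ptr_record 2001:db8:0:1::125 64 pri.zopgang.com.
```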
Web Server
1. Install apache2
sudo apt-get install apache2
2. Check which port the web server is listening on, then stop it
netstat -an | more
sudo /etc/init.d/apache2 stop
3. Recheck that the same port has disappeared from the list, then start Apache again
sudo /etc/init.d/apache2 restart
4. Go to the html directory and open the index.html file at /var/www/html/index.html to edit the web page
sudo nano /var/www/html/index.html
5. The HTML file can be edited as required.
Firewall
1. From any client or device on the same network, check whether it can ping this device (using cmd). It should be reachable.
2. View the iptables rules
sudo iptables -L
3. Block ICMP requests to check protocol filtering
sudo iptables -A INPUT -p icmp -j REJECT
4. Block all HTTP requests from a particular client or device
sudo iptables -A INPUT -p tcp -s 192.168.10.4 --dport 80 -j REJECT
5. Ping from any device connected to the same network. It will not be able to reach the device because of the firewall rule.
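As an added example that is not part of the project page, the script below reads a constructed "iptables -S" listing equivalent to the two rules above and reports why they make a weak filter: the INPUT and FORWARD policies stay ACCEPT (and this host has IP forwarding enabled in step 4 of the DHCP section), the port-80 block keys on a source address alone, which the firewall section above notes is susceptible to spoofing, and nothing admits replies to the host's own connections. A constructed default-deny ruleset is included for comparison.

```shell
#!/bin/sh
# Added example, not from the project page: audit an "iptables -S" listing for
# the blocklist-style weaknesses of the rules configured above.

# Constructed sample of what "sudo iptables -S" prints after the two rules above.
PAGE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.10.4/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable'

# Constructed default-deny alternative for comparison (allowlist model).
HARDENED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# audit_iptables < LISTING -> prints one finding per line; exit status = number of findings
audit_iptables() {
    findings=0; seen_state=0
    while IFS= read -r line; do
        case $line in
            "-P INPUT ACCEPT")
                echo "policy: INPUT defaults to ACCEPT, so traffic not matched by a REJECT rule is admitted"
                findings=$((findings + 1)) ;;
            "-P FORWARD ACCEPT")
                echo "policy: FORWARD defaults to ACCEPT; with ip_forward=1 (DHCP step 4) this host routes anything"
                findings=$((findings + 1)) ;;
            "-A INPUT -s "*" -j REJECT"*|"-A INPUT -s "*" -j DROP"*)
                src=${line#*-s }; src=${src%% *}
                echo "spoofable: the block of $src relies on the source address alone"
                findings=$((findings + 1)) ;;
            *"--ctstate "*ESTABLISHED*" -j ACCEPT"*)
                seen_state=1 ;;
        esac
    done
    if [ $seen_state -eq 0 ]; then
        echo "missing: no ESTABLISHED,RELATED accept rule; replies to this host's own connections depend on the default policy"
        findings=$((findings + 1))
    fi
    return $findings
}

echo "== rules from this page =="; echo "$PAGE_RULES" | audit_iptables
echo "== default-deny ruleset =="; echo "$HARDENED_RULES" | audit_iptables && echo "no findings"
```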
Backup Server
1. Install the ssh server
sudo apt-get install openssh-server
2. Install ssh client on another VM
sudo apt-get install openssh-client
3. Generate public and private keys in the client
sudo ssh-keygen -t rsa
4. Copy the public key to ssh server
ssh backupserver@192.168.10.121 mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh backupserver@192.168.10.121 'cat >> .ssh/authorized_keys'
5. Executing a backup manually
sudo tar -cvpzf minutebackup.tar.gz /var/www/html/index.html
6. Executing the backup automatically
sudo crontab -e
* * * * * tar -cvpzf minutebackup.tar.gz /var/www/html/index.html
* * * * * scp minutebackup.tar.gz backupserver@192.168.10.121:/home/backupserver/
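The cron job above rewrites one archive every minute and copies it without checking it. As an added example that is not part of the project page, here is a small POSIX shell backup routine that produces timestamped archives with a SHA-256 manifest, verifies an archive (meant to run on the backup server after the scp, before the copy replaces the previous one), and prunes old copies. The paths are assumptions: SRC is the web root to archive and DEST a local staging directory.

```shell
#!/bin/sh
# Added example, not from the project page: timestamped, verifiable backups of
# the web root instead of one overwritten minutebackup.tar.gz.

# backup_make SRC DEST -> creates DEST/<name>-<utc stamp>.tar.gz plus a .sha256
# manifest next to it and prints the archive path.
backup_make() {
    src=$1; dest=$2
    name=$(basename "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive=$dest/$name-$stamp.tar.gz
    mkdir -p "$dest"
    # -C keeps paths relative to the parent of SRC; no -v so cron stays quiet
    tar -czf "$archive" -C "$(dirname "$src")" "$name" || return 1
    ( cd "$dest" && sha256sum "$name-$stamp.tar.gz" > "$name-$stamp.tar.gz.sha256" ) || return 1
    echo "$archive"
}

# backup_verify ARCHIVE -> 0 only if the manifest checksum matches and the
# archive lists cleanly; run this on the backup server after the copy.
backup_verify() {
    archive=$1
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$archive" >/dev/null 2>&1
}

# backup_prune DEST KEEP -> delete all but the KEEP newest archives and manifests
# (the UTC stamp in the file name sorts chronologically).
backup_prune() {
    dest=$1; keep=$2
    total=$(ls -1 "$dest"/*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    drop=$((total - keep))
    [ "$drop" -gt 0 ] || return 0
    ls -1 "$dest"/*.tar.gz | sort | head -n "$drop" | while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}
```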
Add-ons
Virtual Private Network
1. Installing the pptpd server
sudo apt-get install pptpd
2. Configuring the pptpd file
sudo nano /etc/pptpd.conf
In this file we need to update the IP of the server and the IP of the client.
3. Configuring the DNS server
The DNS is configured for the scenario in which the clients try to connect to the pptp server.
sudo nano /etc/ppp/pptpd-options
4. Updating the VPN users in the chap-secrets file
sudo nano /etc/ppp/chap-secrets
5. After configuring the pptp server, it has to be restarted so that all the settings take effect.
sudo /etc/init.d/pptpd restart
Mail Server
1. Update the Ubuntu OS packages
sudo apt-get update
sudo apt-get update --fix-missing
2. Install Postfix & Dovecot
sudo apt-get install bind9 dnsutils apache2 php5 postfix dovecot-common dovecot-imapd dovecot-pop3d squirrelmail
3. Add the mail server to the DNS configuration and restart bind9
sudo nano /etc/bind/named.conf.local
sudo invoke-rc.d bind9 restart
4. Check it using nslookup & dig tool
nslookup mail.zopgang.com
dig mail.zopgang.com
5. Set up the Apache site for the webmail
sudo mv /etc/apache2/sites-available/mail /etc/apache2/sites-available/mail.com
sudo a2ensite mail
6. Restart the Apache server
sudo invoke-rc.d apache2 restart
7. Reconfigure Postfix
sudo dpkg-reconfigure postfix
Set the system mail name to mail.zopgang.com.
8. Editing the configuration files for apache and dovecot
sudo nano /etc/squirrelmail/apache.conf
sudo nano /etc/dovecot/dovecot.conf

protocols = imap pop3
#disable_plaintext_auth = no
#mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_location = maildir:~/Maildir
9. Kill all the processes
sudo killall named
sudo killall apache2
sudo killall dovecot
10. Set the static IP address for the mail server
sudo ifconfig eth0 192.168.0.1 netmask 255.255.255.0
sudo ifconfig eth0 up
11. Restart all the processes
sudo invoke-rc.d bind9 restart
sudo invoke-rc.d postfix restart
sudo invoke-rc.d dovecot restart
12. Add users & assign them passwords
Network file System (NFS)
Steps to configure the NFS server
1. Update repository
sudo apt-get update
2. Install the NFS package
sudo apt-get install nfs-kernel-server
3. Create directory to share
sudo mkdir /home/neha/nfsserver
4. Configuring /etc/exports for NFS
sudo nano /etc/exports

/shome 192.168.1.0/24(rw,sync,no_root_squash)

There must be no space between the client address and the options in parentheses; with a space, the options are read as a separate entry that applies to every host.
5. Start the service
sudo /etc/init.d/nfs-kernel-server start
6. Check the status of the NFS share
sudo exportfs -v
7. Restart the server
sudo service nfs-kernel-server restart
Steps to configure NFS Client
1. Install NFS for client and its dependencies
sudo apt-get update sudo apt-get install nfs-common rpcbind
2. Create a directory
sudo mkdir /home/nfsclient
3. Mount the remote share /shome on the local directory /home/nfsclient
sudo mount 192.168.10.42:/shome /home/nfsclient
Network Time Protocol (NTP)
1. Install the NTP packages
sudo apt-get install ntp ntpdate
2. Edit the ntp configuration file
sudo nano /etc/ntp.conf

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com
3. To start, stop, restart the ntp server
sudo service ntp start
sudo service ntp stop
sudo service ntp restart
Future Scope
1. We could implement a secondary DNS server in the network so that if the first DNS server fails, all queries directed towards it are forwarded to the backup server and are still resolved successfully.
2. We could implement NIS, a central directory of user and group information that acts as a global user list for clients.
3. Routers can be added to the present configuration to observe the communication between two hosts on two different subnets, which is a real-life scenario.