Data Networking/Fall 2015/Zopgang

Group Members

1) Mitali Vikas Mathure
2) Priyanka Suresh Pawar
3) Neha Sudhir Mahajan
4) Shivani Santosh Jakhi

Motivation

The main objective of this project is to implement a network in a real-world scenario using a Linux-based operating system (Ubuntu 14.04) by configuring network elements such as DHCP, DNS, a web server, a firewall and a backup server. Linux is secure, faster in processing than comparable systems and flexible enough to meet the needs of an organization.

Understanding the Protocols

DHCP

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed.

With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation.

The network administrator establishes DHCP servers that maintain TCP/IP configuration information and provide address configuration to DHCP-enabled clients in the form of a lease offer. The DHCP server stores the configuration information in a database that includes:

• Valid TCP/IP configuration parameters for all clients on the network.

• Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.

• Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.

• The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.
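The lease lifecycle described above (a pool of addresses, leases that are renewed or expire, reserved addresses tied to one client, and unused addresses returned to the pool) can be seen in a few lines of code. This is an added Python example, not code from the project page or from the ISC DHCP server; the pool bounds, lease time, client identifiers and the reservation are constructed for the example, and the class and method names are its own.

```python
"""Minimal model of a DHCP server's address pool: leasing, renewal,
reservations, expiry and reclaiming of unused addresses.

Added example, not code from the project page. The pool bounds, lease
time, client identifiers and the reservation are constructed here; the
class and method names are this example's own."""
import ipaddress


class LeasePool:
    def __init__(self, first, last, lease_time, reservations=None):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Dynamic pool: every address from first to last inclusive.
        self.free = [lo + i for i in range(int(hi) - int(lo) + 1)]
        self.lease_time = lease_time
        # Reserved addresses are tied to one client id and never given to others.
        self.reservations = {cid: ipaddress.ip_address(a)
                             for cid, a in (reservations or {}).items()}
        self.leases = {}  # client id -> (address, expiry time)

    def request(self, client_id, now):
        """Lease (or renew) an address for client_id; None if the pool is empty."""
        self.expire(now)
        if client_id in self.reservations:
            addr = self.reservations[client_id]
        elif client_id in self.leases:
            addr = self.leases[client_id][0]           # renewal keeps the address
        elif self.free:
            addr = self.free.pop(0)
        else:
            return None                                 # exhausted: no offer is made
        self.leases[client_id] = (addr, now + self.lease_time)
        return addr

    def expire(self, now):
        """Drop leases past their expiry and return pool addresses to the free list."""
        for cid, (addr, exp) in list(self.leases.items()):
            if exp <= now:
                del self.leases[cid]
                if addr not in self.reservations.values():
                    self.free.append(addr)

    def active(self):
        """Map of client id -> address currently leased, for inspection."""
        return {cid: str(addr) for cid, (addr, _) in self.leases.items()}


def demo():
    """Walk four clients through a three-address pool with a 600 s lease."""
    pool = LeasePool("192.168.10.220", "192.168.10.222", 600,
                     reservations={"printer": "192.168.10.100"})
    first = [str(pool.request(c, 0)) for c in ("a", "b", "c")]
    exhausted = pool.request("d", 10)                   # pool is full: no address
    renewed = str(pool.request("a", 300))               # renewal keeps .220 until t=900
    reserved = str(pool.request("printer", 300))        # fixed address, outside the pool
    reclaimed = str(pool.request("d", 1000))            # every lease has expired by now
    return first, exhausted, renewed, reserved, reclaimed


if __name__ == "__main__":
    print(demo())
```

The point to take from the walk-through is that an exhausted pool is a denial-of-service condition for new clients: the server simply makes no offer, which is why the range in dhcpd.conf should be sized for the number of clients expected and why lease times matter.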

DNS

Domain Name System (or Service or Server) is an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they are easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

Firewall

A firewall is a network security system, either hardware- or software-based, that controls incoming and outgoing network traffic based on a set of rules. Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:

• Packet Filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

• Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

• Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

• Proxy Server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Web Server

Web servers are computers that deliver (serve up) Web pages. Every Web server has an IP address and possibly a domain name. For example, if you enter the URL http://www.webopedia.com/index.html in your browser, this sends a request to the Web server whose domain name is webopedia.com. The server then fetches the page named index.html and sends it to your browser. Any computer can be turned into a Web server by installing server software and connecting the machine to the Internet. There are many Web server software applications, including public domain software and commercial packages.

Virtual Private Network

VPN means Virtual Private Network, a secure tunnel between two devices. A VPN client such as Express VPN creates an encrypted tunnel between your computer and a VPN server, so that every website or application you reach sees the server's address rather than your own and you appear to be wherever the server is located.

Network File System

NFS stands for Network File System, a file system developed by Sun Microsystems, Inc. It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.

Network Time Protocol

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.

Project Requirements

DHCP server [isc-dhcp-server]

DNS [bind9]

Web server [apache2]

Firewall [iptables]

Backup [ssh server]

Configuration Steps

DHCP

1. Install DHCP Server

   sudo apt-get install isc-dhcp-server

2. Install radvd package

   apt-get install radvd

3. Set the static IP address of the DHCP server

   sudo nano /etc/network/interfaces
   auto lo
   iface lo inet loopback
   auto eth0
   iface eth0 inet static
   address 192.168.10.4
   netmask 255.255.255.0
   gateway 192.168.10.1
   network 192.168.10.0
   broadcast 192.168.10.255
   dns-nameservers 192.168.10.2
   dns-search zopgang.com
   iface eth0 inet6 static
   address 2001:db8:0:1::200
   netmask 64
   gateway 2001:db8:0:f101::130
   auto eth1
   iface eth1 inet dhcp
   auto eth2
   iface eth2 inet dhcp

4. Configure the IPv6 and IPv4 forwarding

    nano /etc/sysctl.conf
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1

5. Make eth0 as the default interface

   nano /etc/default/isc-dhcp-server
   INTERFACES="eth0"


6. Configure the DHCP server for ipv4

    nano /etc/dhcp/dhcpd.conf
    subnet 192.168.10.0 netmask 255.255.255.0 {
      range 192.168.10.220 192.168.10.230;
      option domain-name-servers 192.168.10.2;
      option domain-name "zopgang.com";
      option routers 192.168.10.1;
      option broadcast-address 192.168.10.255;
      default-lease-time 600;
      max-lease-time 7200;
    }

7. Edit the resolv.conf file

    sudo nano /etc/resolv.conf
    nameserver 192.168.10.2

8. Configure the DHCP server for ipv6

    nano /etc/dhcp/dhcpd6.conf
    default-lease-time 600;
    max-lease-time 7200;
    log-facility local7;
    subnet6 2001:db8:0:1::/64 {
    # Range for clients
    range6 2001:db8:0:1::129 2001:db8:0:1::254;
    # Range for clients requesting a temporary address
    range6 2001:db8:0:1::/64 temporary;
    # Additional options
    option dhcp6.name-servers fec0:0:0:1::1;
    option dhcp6.domain-search "domain.example";
    # Prefix range for delegation to sub-routers
    prefix6 2001:db8:0:100:: 2001:db8:0:f00:: /56;
    # Example for a fixed host address
    host specialclient {
    host-identifier option dhcp6.client-id 00:01:00:01:4a:1f:ba:e3:60:b9:1f:01:23:45;
    fixed-address6 2001:db8:0:1::127;
    }
    }

9. Configuration of the radvd module

   nano /etc/radvd.conf
   interface eth0 {
   AdvSendAdvert on;
   MinRtrAdvInterval 3;
   MaxRtrAdvInterval 10;
   prefix 2001:0db8:0100:f101::/64 {
   AdvOnLink on;
   AdvAutonomous on;
   AdvRouterAddr on;
   };
   };

10. Reboot the System

    sudo init 6

11. Restart the DHCP server

    sudo service isc-dhcp-server restart

12. Restart the networking service

    sudo service networking restart
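A dynamic range that overlaps addresses assigned by hand elsewhere in the network (the gateway, the DNS servers, the DHCP server itself, hosts with fixed addresses) produces intermittent address conflicts that are hard to diagnose. The following added Python example, which is not part of the project page, checks an IPv4 subnet block of dhcpd.conf for that and a few related mistakes. The configuration text is a constructed copy of the values used in this section; STATIC_HOSTS is an assumption listing the static addresses used elsewhere on the page, and the function names are this example's own.

```python
"""Sanity-check the IPv4 subnet block of an ISC dhcpd.conf against the
addresses that are assigned statically elsewhere in the network.

Added example, not code from the project page. DHCPD_CONF is a constructed
copy of the page's values; STATIC_HOSTS is an assumption collected by hand
from the other sections of the page."""
import ipaddress
import re

DHCPD_CONF = """\
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.220 192.168.10.230;
  option domain-name-servers 192.168.10.2;
  option domain-name "zopgang.com";
  option routers 192.168.10.1;
  option broadcast-address 192.168.10.255;
  default-lease-time 600;
  max-lease-time 7200;
}
"""

# Addresses the page configures by hand (assumption: collected from the page).
STATIC_HOSTS = {
    "192.168.10.1": "gateway",
    "192.168.10.2": "dns master",
    "192.168.10.3": "dns slave",
    "192.168.10.4": "dhcp server",
    "192.168.10.120": "neha (web)",
    "192.168.10.121": "backup server",
}


def parse_subnet_block(text):
    """Extract only the fields this check needs from one subnet { ... } block."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet block found")
    body = m.group(3)

    def opt(pattern):
        mm = re.search(pattern, body)
        return mm.group(1) if mm else None

    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    lo, hi = re.search(r"range\s+(\S+)\s+(\S+);", body).groups()
    return {
        "network": net,
        "range": (ipaddress.ip_address(lo), ipaddress.ip_address(hi)),
        "routers": opt(r"option routers\s+([^;]+);"),
        "dns": opt(r"option domain-name-servers\s+([^;]+);"),
        "default_lease": int(opt(r"default-lease-time\s+(\d+);")),
        "max_lease": int(opt(r"max-lease-time\s+(\d+);")),
    }


def check_subnet(conf, static_hosts):
    """Return a list of problems; an empty list means the block passed."""
    cfg = parse_subnet_block(conf)
    net, (lo, hi) = cfg["network"], cfg["range"]
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
    if lo not in net or hi not in net:
        problems.append("range lies outside the declared subnet")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    # Servers named in options must never be handed out dynamically.
    for field in ("routers", "dns"):
        for addr in (cfg[field] or "").replace(",", " ").split():
            if lo <= ipaddress.ip_address(addr) <= hi:
                problems.append(f"{field} {addr} sits inside the dynamic range")
    for addr, who in static_hosts.items():
        if lo <= ipaddress.ip_address(addr) <= hi:
            problems.append(f"static host {who} ({addr}) collides with the pool")
    if cfg["default_lease"] > cfg["max_lease"]:
        problems.append("default-lease-time exceeds max-lease-time")
    return problems


if __name__ == "__main__":
    for line in check_subnet(DHCPD_CONF, STATIC_HOSTS) or ["ok: no problems found"]:
        print(line)
```

Running it against the page's own values reports nothing; widening the range so that it covers 192.168.10.120 or 192.168.10.121 makes the collision with the web and backup hosts visible before the server is restarted.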

DNS

For DNS configuration the following steps are done.

• For IPv4

1) Initially the network-manager assigns a dynamic IP address to the port, but servers need a static IP address. This is done by changing the configuration in the /etc/network/interfaces file.

   sudo nano /etc/network/interfaces

In this file we need to add the address for the required port and save it using Ctrl+X followed by Y.

   auto lo 
   iface lo inet loopback
   auto eth0
   iface eth0 inet static
   address 192.168.10.2
   netmask  255.255.255.0
   network   192.168.10.0
   broadcast  192.168.10.255
   gateway   192.168.10.1

2) After changing the /etc/network/interfaces file, reboot the system with the following command

   sudo init 6

3) Restart the network-manager

   sudo service network-manager restart

4) Install the bind9 server

   sudo apt-get install bind9

5) After installing the bind9 server we need to make changes in the configuration file in the Bind directory.

   cd /etc
   cd bind
   sudo nano named.conf.options

6) In named.conf.options, inside the existing options block, add the forwarders

   forwarders {
     192.168.10.1;
     8.8.8.8;
     8.8.4.4;
   };

7) Configure forward and reverse lookup zones in the named.conf.local

   sudo nano named.conf.local
   // forward lookup zone
   zone "zopgang.com" {
     type master;
     allow-transfer { 192.168.10.3; };
     file "/etc/bind/zones/zopgang.com.db";
   };
   // reverse lookup zone for IPv4
   zone "10.168.192.in-addr.arpa" {
     type master;
     allow-transfer { 192.168.10.3; };
     file "/etc/bind/zones/rev.10.168.192.in-addr.arpa";
   };

8) Create a subdirectory called 'zones' and create the forward and reverse database files. The forward zone file, /etc/bind/zones/zopgang.com.db:

   $TTL    604800
   @       IN      SOA     zopgang.com. root.zopgang.com. (
                             2         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  ;
  @                     IN      NS          neha.zopgang.com.
  @                     IN      NS          ns2.zopgang.com.
  neha                  IN      A           192.168.10.120
  neha                  IN      AAAA        2001:db8:0:1::124
  ns2                   IN      A           192.168.10.3
  pri                   IN      A           192.168.10.110
  pri                   IN      AAAA        2001:db8:0:1::125
  www                   IN      CNAME       neha

9) Create the reverse lookup database file, /etc/bind/zones/rev.10.168.192.in-addr.arpa

  ; BIND data file for local loopback interface
  ;
  $TTL    604800
  @       IN      SOA     zopgang.com. root.zopgang.com. (
                             4         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  ;
  @       IN      NS      neha.zopgang.com.
  @       IN      NS      ns2.zopgang.com.
  120     IN      PTR     neha.zopgang.com.
  110     IN      PTR     pri.zopgang.com.

10) Set the nameservers in the resolv.conf file

   sudo nano /etc/resolv.conf
   nameserver 192.168.10.2 
   nameserver 192.168.10.3 
   search zopgang.com

11) Restart the bind9 server

    sudo service bind9 restart

12) For the slave server, repeat steps 1 to 6 and include the following in the named.conf.local file

    sudo nano named.conf.local 
    zone "zopgang.com"
    {
    type slave;
    masters {192.168.10.2;};
    file "/etc/bind/zones/zopgang.com.db";
    };
    zone "10.168.192.in-addr.arpa"
    {
    type slave;
    masters {192.168.10.2;};
    file "/etc/bind/zones/rev.10.168.192.in-addr.arpa";
    };

13) Configure the resolv.conf file as in step 10 and restart the bind9 server.

• For IPv6

1) Set static IPv6 address to the master and slave server by the following commands

    sudo nano /etc/network/interfaces 
    auto eth0
    iface eth0 inet6 static
    address  2001:1200:aaaa:bbbb::254
    netmask  64
    gateway  2001:1200:aaaa:bbbb::1

2) In the named.conf.local file add the reverse IPv6 domain for master and slave.

In the master configuration file add

  zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
  {
  type master;
  allow-transfer {192.168.10.3;};
  file "/etc/bind/zones/rev.ip6.arpa";
  };

In the slave configuration file add

  zone "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
  {
  type slave;
  masters {192.168.10.2;};
  file "/etc/bind/zones/rev.ip6.arpa";
  };

3) In the zones directory on the master DNS server, add the IPv6 reverse zone database file

   ;
   ; BIND data file for local loopback interface
   ;
   $TTL    604800
   @       IN      SOA     zopgang.com. root.zopgang.com. (
                             3         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  @                                    IN      NS      neha.zopgang.com.
  @                                    IN      NS      ns2.zopgang.com.
  4.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0      IN      PTR     neha.zopgang.com.
  5.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0      IN      PTR     pri.zopgang.com.

4) Restart both the master and the slave DNS server.
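The reverse zone names and PTR owner labels used in steps 7, 9 and in the IPv6 steps above are easy to get wrong by hand, and a wrong nibble silently breaks reverse lookups. The following added Python example, not code from the project page or from BIND, derives them from the address and prefix with the standard ipaddress module and regenerates the PTR records from a host table. HOSTS is a constructed copy of the addresses in the page's forward zone; the function names are this example's own. It also handles the general case of any octet- or nibble-aligned prefix, not only the /24 and /64 used on the page.

```python
"""Derive BIND reverse-zone names and PTR owner labels from addresses.

Added example, not code from the project page or from BIND. HOSTS is a
constructed copy of the page's forward zone; function names are this
example's own."""
import ipaddress

# Constructed from the page's forward zone: name -> (IPv4, IPv6).
HOSTS = {
    "neha": ("192.168.10.120", "2001:db8:0:1::124"),
    "pri":  ("192.168.10.110", "2001:db8:0:1::125"),
}


def _units(net):
    """(bits per reverse label, total labels) for the address family."""
    return (8, 4) if net.version == 4 else (4, 32)


def reverse_zone_name(network):
    """Name of the reverse zone that covers `network`.

    Only prefixes on an octet (IPv4) or nibble (IPv6) boundary map to a
    single zone; anything else needs RFC 2317-style delegation, which this
    example does not attempt."""
    net = ipaddress.ip_network(network, strict=True)
    unit, total = _units(net)
    if net.prefixlen % unit:
        raise ValueError(f"{network}: prefix not on a {unit}-bit boundary")
    # reverse_pointer gives the full host pointer (all labels, least
    # significant first); keep only the labels belonging to the network part.
    labels = net.network_address.reverse_pointer.split(".")
    suffix = labels[-2:]                       # ["in-addr","arpa"] or ["ip6","arpa"]
    keep = net.prefixlen // unit
    return ".".join(labels[total - keep:total] + suffix)


def ptr_label(address, network):
    """Owner name of `address`'s PTR record, relative to the zone for `network`."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network, strict=True)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    unit, total = _units(net)
    host_labels = (total * unit - net.prefixlen) // unit
    return ".".join(addr.reverse_pointer.split(".")[:host_labels])


def reverse_zone_records(hosts, network, domain):
    """Build the PTR lines of one reverse zone from a name -> addresses table."""
    net = ipaddress.ip_network(network, strict=True)
    lines = []
    for name, addrs in hosts.items():
        for a in addrs:
            if ipaddress.ip_address(a) in net:
                lines.append(f"{ptr_label(a, network)} IN PTR {name}.{domain}.")
    return lines


if __name__ == "__main__":
    for zone in ("192.168.10.0/24", "2001:db8:0:1::/64"):
        print(f'zone "{reverse_zone_name(zone)}"')
        for line in reverse_zone_records(HOSTS, zone, "zopgang.com"):
            print("  " + line)
```

Comparing the generated lines with the hand-written zone files is a cheap consistency check to run whenever a host is added or renumbered, and the same table can drive the forward A and AAAA records so that forward and reverse data cannot drift apart.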

Web Server

1. Install apache2

   sudo apt-get install apache2

2. Check which port the web server is listening on, then stop it

   netstat -an | more
   sudo /etc/init.d/apache2 stop

3. Recheck that the port has disappeared from the list, then restart the server

   sudo /etc/init.d/apache2 restart

4. Go to the html directory and open the index.html file at /var/www/html/index.html to edit the web page

   cd /var/www/html
   sudo nano index.html

5. HTML file can be edited as required.

Firewall

1. Check from any client or device on the same network, whether it can ping to this device (using cmd). It should reach.

2. View the iptables rules

   sudo iptables -L

3. Block ICMP requests to check protocol filtering

   sudo iptables -A INPUT -p icmp -j REJECT

4. Block all HTTP requests from a particular client or device

   sudo iptables -A INPUT -p tcp -s 192.168.10.4 --dport 80 -j REJECT

5. Ping from any device connected to the same network. It will not be able to reach the device because of the firewall rule.
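iptables evaluates a chain top to bottom and the first matching rule decides the packet's fate; whatever nothing matches falls through to the chain policy. The following added Python example, not part of the project page, models that for the two INPUT rules used above so the effect of each rule and of rule order can be checked without touching a live host. The packet samples and the function and type names are constructed for the example; only the options that appear in this section (-p, -s, --dport, -j) are parsed.

```python
"""First-match model of a small iptables INPUT chain.

Added example, not code from the project page or from iptables. The two
rules are the ones used on the page; packets and names are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src proto dport")          # dport None for ICMP
Rule = namedtuple("Rule", "proto src dport target")       # None means "any"


def parse_rule(cmd):
    """Turn 'iptables -A INPUT ...' into a Rule (only the page's options)."""
    toks = cmd.replace("sudo ", "").split()
    opts = {"-p": None, "-s": None, "--dport": None, "-j": None}
    for i, tok in enumerate(toks):
        if tok in opts:
            opts[tok] = toks[i + 1]
    return Rule(opts["-p"],
                ipaddress.ip_network(opts["-s"]) if opts["-s"] else None,
                int(opts["--dport"]) if opts["--dport"] else None,
                opts["-j"])


def matches(rule, pkt):
    """Every specified match must hold; unspecified fields match anything."""
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The chain as built by the page's two -A (append) commands, in order.
CHAIN = [
    parse_rule("sudo iptables -A INPUT -p icmp -j REJECT"),
    parse_rule("sudo iptables -A INPUT -p tcp -s 192.168.10.4 --dport 80 -j REJECT"),
]

if __name__ == "__main__":
    samples = [Packet("192.168.10.50", "icmp", None),   # ping from any host
               Packet("192.168.10.4", "tcp", 80),       # HTTP from the blocked client
               Packet("192.168.10.5", "tcp", 80),       # HTTP from another client
               Packet("192.168.10.4", "tcp", 22)]       # SSH from the blocked client
    for p in samples:
        print(p, "->", verdict(CHAIN, p))
```

Because matching stops at the first hit, an exception such as "still allow ping from the DNS server" only works if it is placed before the ICMP reject (iptables -I inserts at the top, -A appends at the bottom); appended after it, the exception is never reached. The test below exercises exactly that.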

Backup Server

1. Install ssh server

   sudo apt-get install openssh-server

2. Install ssh client on another VM

   sudo apt-get install openssh-client

3. Generate public and private keys in the client

   ssh-keygen -t rsa

4. Copy the public key to ssh server

   ssh backupserver@192.168.10.121 mkdir -p .ssh
   cat .ssh/id_rsa.pub | ssh backupserver@192.168.10.121 'cat >> .ssh/authorized_keys'

5. Execute a backup manually

   sudo tar -cvpzf minutebackup.tar.gz /var/www/html/index.html

6. For executing automatic backup

   sudo crontab -e
   * * * * * sudo tar -cvpzf minutebackup.tar.gz /var/www/html/index.html
   * * * * * sudo scp minutebackup.tar.gz backupserver@192.168.10.121:/home/backupserver/

Add-ons

Virtual Private Network

1. Installing the pptpd server

   sudo apt-get install pptpd

2. Configuring the pptpd file

   sudo nano /etc/pptpd.conf

In this file we need to update the IP of the server and the IP of the client

3. Configuring the DNS server

The DNS is configured for the scenario in which clients connect to the pptp server.

   sudo nano /etc/ppp/pptpd-options

4. Updating the VPN users in the chap-secrets file

   sudo nano /etc/ppp/chap-secrets

5. After configuring the pptp server, restart it so that all the settings take effect.

   sudo /etc/init.d/pptpd restart

Mail Server

1. Update the Ubuntu OS with packages

   sudo apt-get update
   sudo apt-get update --fix-missing

2. Install Postfix & Dovecot

   sudo apt-get install bind9 dnsutils apache2 php5 postfix dovecot-common dovecot-imapd dovecot-pop3d squirrelmail

3. Add the mail host to the DNS configuration and restart bind9

   sudo nano /etc/bind/named.conf.local
   invoke-rc.d bind9 restart

4. Check it using nslookup & dig tool

   nslookup mail.zopgang.com
   dig mail.zopgang.com

5. Rename the Apache site configuration file and enable the mail site

   sudo mv /etc/apache2/sites-available/mail /etc/apache2/sites-available/mail.com
   a2ensite mail

6. Restart the Apache server

   invoke-rc.d apache2 restart

7. Reconfigure Postfix

   dpkg-reconfigure postfix
   System mail name: mail.zopgang.com

8. Editing the configuration files for apache & dovecot

   sudo nano /etc/squirrelmail/apache.conf

   sudo nano /etc/dovecot/dovecot.conf
   protocols = imap pop3
   #disable_plaintext_auth = no
   mail_location = mbox:~/mail:INBOX=/var/mail/%u
   # alternatively, for Maildir storage:
   # mail_location = maildir:~/Maildir

9. Kill all the processes

   killall named
   killall apache2
   killall dovecot

10. Set the static IP address for the mail server

   ifconfig eth0 192.168.0.1 netmask 255.255.255.0
   ifconfig eth0 up

11. Restart all the processes

   invoke-rc.d bind9 restart
   invoke-rc.d postfix restart
   invoke-rc.d dovecot restart

12. Add users & assign them passwords

Network file System (NFS)

Steps to configure NFS Server

1. Update repository

   sudo apt-get update

2. Install the NFS package

    sudo apt-get install nfs-kernel-server

3. Create directory to share

    sudo mkdir /home/neha/nfsserver

4. Configuring /etc/exports for NFS

    sudo nano /etc/exports
    /shome 192.168.1.0/24(rw,sync,no_root_squash)

5. Start the service

    sudo /etc/init.d/nfs-kernel-server start

6. Check the status of the NFS shares

    sudo exportfs -v

7. Restart the server

    sudo service nfs-kernel-server restart
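The one line in /etc/exports deserves a closer look, because its syntax is unforgiving: exportfs treats every whitespace-separated token after the path as a separate client entry with an optional option list attached directly to it, so a space between the client and "(rw,sync,no_root_squash)" turns the options into a second entry whose client is "*", i.e. every host, while the named subnet gets only the defaults. The following added Python example, not part of the project page or of nfs-utils, parses lines the way exportfs reads them and lists what a defender would flag; the two lines and the function names are constructed for the example.

```python
"""Parse /etc/exports lines the way exportfs reads them and flag risky
exports, to show how a stray space before the option list changes who
gets the share.

Added example, not code from the project page or from nfs-utils. The two
lines below are constructed; the function names are this example's own."""
import re


def parse_exports_line(line):
    """Return (path, [(client, [options]), ...]) for one export line.

    Each token after the path is a client spec with an optional attached
    (opts) list; a token that is only '(opts)' has the client '*'."""
    line = line.split("#", 1)[0].strip()      # drop comments
    if not line:
        return None, []
    path, *tokens = line.split()
    entries = []
    for tok in tokens:
        m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", tok)
        client, opts = m.group(1) or "*", m.group(2)
        entries.append((client, opts.split(",") if opts else []))
    return path, entries


def audit(line):
    """Defender's checklist for one export line; empty list means nothing flagged."""
    path, entries = parse_exports_line(line)
    findings = []
    for client, opts in entries:
        if client == "*":
            findings.append(f"{path}: exported to every host "
                            f"({', '.join(opts) or 'default opts'})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: {client} gets no_root_squash (remote root = local root)")
        if "rw" in opts and client == "*":
            findings.append(f"{path}: world-writable export")
    return findings


# Constructed lines: the first has the stray space, the second does not.
BROKEN = "/shome 192.168.1.0/24 (rw,sync,no_root_squash)"
FIXED = "/shome 192.168.1.0/24(rw,sync,no_root_squash)"

if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, parse_exports_line(line))
        for f in audit(line):
            print("  !", f)
```

Even with the space removed, no_root_squash means that root on any client in the subnet is root on the exported tree, which is why the check still reports it; on a real server, exportfs -v shows the effective client and option pairs and is the authoritative way to confirm what was actually exported.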

Steps to configure NFS Client

1. Install NFS for client and its dependencies

    sudo apt-get update
    sudo apt-get install nfs-common rpcbind

2. Create a directory

    sudo mkdir /home/nfsclient

3. Mount the remote share /shome on the local directory /home/nfsclient

    sudo mount 192.168.10.42:/shome /home/nfsclient

Network Time Protocol (NTP)

1. Install NTP packages

    sudo apt-get install ntp ntpdate

2. Edit the ntp configuration file

    sudo nano /etc/ntp.conf
    server 0.ubuntu.pool.ntp.org
    server 1.ubuntu.pool.ntp.org
    server 2.ubuntu.pool.ntp.org
    server 3.ubuntu.pool.ntp.org
    # Use Ubuntu's ntp server as a fallback.
    server ntp.ubuntu.com

3. To start, stop, restart the ntp server

   sudo service ntp start
   sudo service ntp stop
   sudo service ntp restart

Future Scope

1. We could implement a secondary DNS server in the network so that if the first DNS server fails, all queries directed to it are forwarded to the backup server and resolved successfully.

2. We would implement NIS, a central directory of user and group information that acts as a global user and client list.

3. Routers can be added to the present configuration to observe the communication between two hosts on two different subnets, which is a real-life scenario.
