Configur

NETWORK ADMINISTRATION

Firewall (Iptables on SuSE11)

2013-2015

PASSERELLES NUMERIQUES CAMBODIA

Street 371 Phum Tropeang Chhuk (Borey Sorla), Sangkat Tek Thia Khan Sek Sok P.O. Box 511 Phnom Penh, Cambodia

PASSERELLES NUMERIQUES CAMBODIA NETWORK ADMINISTRATION

TOLA.LENG-PC

CONTENTS

Lab Instruction
  Windows Server
I. Configure iptables file
  a. Set the variables or declarations for every interface and policy
  • Ping allow
  1. Allow only SRV1 to remote SSH into Firewall Server
  2. Allow LAN-Client to request an IP address
  3. Allow DNS
     A. Firewall requests DNS from ISP
     B. Firewall requests DNS in local
     C. SRV1 requests DNS from ISP
     D. LAN-Client requests DNS in local
  4. Allow LAN-Client to join domain and access file share
     • Let us join and access file share
     • User access file share from server
  5. Allow only PC2 to Remote Desktop into SRV1 Server
  6. Allow LAN-Client to access webserver in SRV1 (local)
  7. Enable POSTROUTING by using Masquerading type
  8. Allow access to Internet
     A. Firewall Server
     B. LAN-Server
     C. LAN-Client


LAB INSTRUCTION

WINDOWS SERVER

• LAN Server
  • Network Address: 192.168.25.0/24
  • 192.168.25.1 Router/Default Gateway
  • 192.168.25.2 DNS Server
  • 192.168.25.3 – 192.168.25.150 Address pool/scope
  • 192.168.25.3 – 192.168.25.20 Address Exclusive (excluded from the scope)

• LAN Client
  • Network address: 172.16.25.0/24
  • 172.16.25.1 Router/Default Gateway
  • 192.168.25.2 DNS Server
  • 172.16.120.3 – 172.16.120.254 Address pool/scope
  • 172.16.120.10 – 172.16.120.20 Address Exclusive (excluded from the scope)

• Internet
  • 172.16.1.135/23 IP bypass for access to the Internet


• Relay/Router (use SUSE 11 to run iptables)
  • 192.168.25.1/24 for LAN Server on interface eth1
  • 172.16.25.1/24 for LAN Client on interface eth2
  • 172.16.1.135/23 for the channel to the Internet on interface eth0

* Note 1: Make sure all the primary roles that should be used on the Server are there: AD+DNS, DHCP, Webserver, FTP and File Server.

* Note 2: Make sure the configuration on the relay (SUSE) or router is reliable, so that the LAN Server and the LAN Client are accessible.

I. Configure iptables file

Use touch and vim to create the file and set the rules for iptables.

a. Set the variables or declarations for every interface and policy.


• Ping allow


1. Allow only SRV1 to remote SSH into Firewall Server

• Run the SH file
• Let the Server remote to the Firewall.


2. ALLOW LAN-CLIENT TO REQUEST AN IP ADDRESS


3. ALLOW DNS

A. FIREWALL REQUEST DNS FROM ISP


B. FIREWALL REQUEST DNS IN LOCAL


C. SRV1 REQUEST DNS FROM ISP

D. LAN-CLIENT REQUEST DNS IN LOCAL


4. ALLOW LAN-CLIENT TO JOIN DOMAIN AND ACCESS FILE SHARE

• Let us join and access the file share


• User access file share from server


5. ALLOW ONLY PC2 TO REMOTE DESKTOP INTO SRV1 SERVER

=> Let the client remote in


6. ALLOW LAN-CLIENT TO ACCESS WEBSERVER IN SRV1 (LOCAL)


Test Client

* I have two different templates for pointing to the domain name and to the IP address. => Access by domain name of server


• Access by IP address

7. ENABLE POSTROUTING BY USING MASQUERADING TYPE

8. ALLOW ACCESS TO INTERNET

A. FIREWALL SERVER


B. LAN-SERVER

C. LAN-CLIENT


9. Enable PREROUTING by using Destination NAT. (optional)

A. Make sure PC3 (your real machine) can access Webserver in SRV1.
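The lab shows its rule file only as screenshots, so the following is an added example, not the lab's own script: one complete iptables script for the topology in the lab instruction (eth0 to the Internet, eth1 to the LAN Server, eth2 to the LAN Client), walking through steps a, 1 to 9 in order. It assumes SRV1 is 192.168.25.2 (the DNS server listed above), uses clearly labelled placeholder addresses for PC2, PC3 and the ISP resolver, assumes the firewall runs a DHCP relay for the client LAN, uses the standard Active Directory/SMB port set for the domain join, and limits Internet access to HTTP/HTTPS. By default it only prints the rules it would install; set IPT=iptables to apply them as root.

```shell
#!/bin/sh
# Added example for the lab above (not the lab's own script). Default is a dry run:
# the rules are printed. Run with IPT=iptables as root to actually install them.
IPT="${IPT:-echo iptables}"

# a. Variables / declarations for every interface and network (from the lab instruction)
WAN_IF=eth0;  WAN_IP=172.16.1.135
SRV_IF=eth1;  SRV_NET=192.168.25.0/24; SRV1=192.168.25.2
CLI_IF=eth2;  CLI_NET=172.16.25.0/24
PC2="${PC2:-172.16.25.10}"      # placeholder: PC2's real address is not given in the lab
PC3="${PC3:-172.16.1.50}"       # placeholder: the "real machine" of step 9
ISP_DNS="${ISP_DNS:-192.0.2.53}"  # placeholder: the ISP resolver (documentation address)

build_rules() {
    # Start clean and deny everything that is not explicitly allowed below
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to allowed connections are accepted everywhere, so the rules below
    # only have to describe who may open a NEW connection to whom
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Ping allow: echo requests to, from and through the firewall (replies are ESTABLISHED)
    $IPT -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT  -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

    # 1. Only SRV1 may open SSH to the firewall; every other source hits the DROP policy
    $IPT -A INPUT -i $SRV_IF -s $SRV1 -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 2. LAN-Client requests an IP address. Assumption: the firewall relays DHCP to SRV1,
    #    so the broadcast discover hits INPUT on eth2 and the relay talks to SRV1 on eth1.
    $IPT -A INPUT  -i $CLI_IF -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A OUTPUT -o $CLI_IF -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A OUTPUT -o $SRV_IF -d $SRV1 -p udp --sport 67 --dport 67 -j ACCEPT

    # 3. DNS
    $IPT -A OUTPUT  -o $WAN_IF -d $ISP_DNS -p udp --dport 53 -j ACCEPT               # A. firewall -> ISP
    $IPT -A OUTPUT  -o $SRV_IF -d $SRV1    -p udp --dport 53 -j ACCEPT               # B. firewall -> local
    $IPT -A FORWARD -i $SRV_IF -o $WAN_IF -s $SRV1 -d $ISP_DNS -p udp --dport 53 -j ACCEPT  # C. SRV1 -> ISP
    $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $CLI_NET -d $SRV1 -p udp --dport 53 -j ACCEPT  # D. client -> local

    # 4. LAN-Client joins the domain and reaches the file share on SRV1.
    #    Assumption: standard AD/SMB ports (the lab does not list them).
    for p in 88 135 139 389 445 464 636 3268 3269; do
        $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $CLI_NET -d $SRV1 -p tcp --dport $p -j ACCEPT
    done
    for p in 88 123 137 138 389 464; do
        $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $CLI_NET -d $SRV1 -p udp --dport $p -j ACCEPT
    done
    # Dynamic RPC range used by the join (Windows Server 2008 and later)
    $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $CLI_NET -d $SRV1 -p tcp --dport 49152:65535 -j ACCEPT

    # 5. Only PC2 may Remote Desktop into SRV1
    $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $PC2 -d $SRV1 -p tcp --dport 3389 -j ACCEPT

    # 6. LAN-Client may reach the web server on SRV1
    $IPT -A FORWARD -i $CLI_IF -o $SRV_IF -s $CLI_NET -d $SRV1 -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 7. POSTROUTING masquerade: both LANs leave through the firewall's Internet address
    $IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE

    # 8. Internet access (HTTP/HTTPS only, an assumption) for A. firewall, B. LAN-Server, C. LAN-Client
    $IPT -A OUTPUT  -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i $SRV_IF -o $WAN_IF -s $SRV_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i $CLI_IF -o $WAN_IF -s $CLI_NET -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 9. (optional) Destination NAT so PC3 on the outside reaches SRV1's web server;
    #    the DNAT alone is not enough, the translated packet still needs a FORWARD rule
    $IPT -t nat -A PREROUTING -i $WAN_IF -s $PC3 -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $SRV1:80
    $IPT -A FORWARD -i $WAN_IF -o $SRV_IF -s $PC3 -d $SRV1 -p tcp --dport 80 -j ACCEPT
}

build_rules
```

Because the default policies are DROP and only return traffic is accepted generically, each lab step corresponds to exactly one or two NEW-connection rules, which makes it easy to check with `iptables -L -v -n` which rule a test packet actually matched.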

The End!