TRANSCRIPT
NETWORK ADMINISTRATION
Firewall (Iptables on SuSE11)
2013-2015
PASSERELLES NUMERIQUES CAMBODIA
Street 371 Phum Tropeang Chhuk (Borey Sorla), Sangkat Tek Thia Khan Sek Sok P.O. Box 511 Phnom Penh,
Cambodia
PASSERELLESNUMERIQUES CAMBODIA NETWORK ADMINISTRATION
TOLA.LENG-PC 1
CONTENTS
Lab Instruction (p. 2)
Windows Server (p. 2)
I. Configure iptables file (p. 3)
   a. Set the variables or Declarations for every interface and policy (p. 3)
   • Ping allow (p. 4)
   1. Allow only SRV1 can remote SSH into Firewall Server (p. 5)
   2. Allow LAN-Client request IP address (p. 6)
   3. Allow DNS (p. 7)
      A. Firewall request DNS from ISP (p. 7)
      B. Firewall request DNS in local (p. 8)
      C. SRV1 request DNS from ISP (p. 9)
      D. LAN-Client request DNS in local (p. 9)
   4. Allow LAN-Client join domain and access file share (p. 10)
      • Let us join and access file share (p. 10)
      • User access file share from server (p. 12)
   5. Allow only PC2 can Remote Desktop into SRV1 Server (p. 14)
   6. Allow LAN-Client access webserver in SRV1 (local) (p. 15)
   7. Enable POSTROUTING by using Masquerading type (p. 17)
   8. Allow access Internet (p. 17)
      A. Firewall Server (p. 17)
      B. LAN-Server (p. 19)
      C. LAN-Client (p. 19)
LAB INSTRUCTION
WINDOWS SERVER
• LAN Server
  • Network Address: 192.168.25.0/24
  • 192.168.25.1 Router/Default Gateway
  • 192.168.25.2 DNS Server
  • 192.168.25.3 - 192.168.25.150 Address pool/scope
  • 192.168.25.3 - 192.168.25.20 Address exclusion
• LAN Client
  • Network address: 172.16.25.0/24
  • 172.16.25.1 Router/Default Gateway
  • 192.168.25.2 DNS Server
  • 172.16.120.3 - 172.16.120.254 Address pool/scope
  • 172.16.120.10 - 172.16.120.20 Address exclusion
• Internet
  • 172.16.1.135/23 IP Bypass for access to the Internet
• Relay/Router (use SUSE 11 to run iptables)
  • 192.168.25.1/24 for LAN Server on interface eth1
  • 172.16.25.1/24 for LAN Client on interface eth2
  • 172.16.1.135/23 for the channel to the Internet on interface eth0
* Note 1: Make sure all the primary roles that will be used are present on the Server: AD+DNS, DHCP, Webserver, FTP and File Server.
* Note 2: Make sure the configuration on the relay (SUSE) or router is reliable so that the LAN Server and the LAN Client are reachable.
I. Configure iptables file
Use touch and vim to create the file and set the rules for iptables.
a. Set the variables or Declarations for every interface and policy.
• Ping allow
1. Allow Only SRV1 can remote SSH into Firewall Server
• Run the SH file
• Let the Server remote into the Firewall.
2. ALLOW LAN-CLIENT REQUEST IP ADDRESS
3. ALLOW DNS
A. FIREWALL REQUEST DNS FROM ISP
B. FIREWALL REQUEST DNS IN LOCAL
C. SRV1 REQUEST DNS FROM ISP
D. LAN-CLIENT REQUEST DNS IN LOCAL
4. ALLOW LAN-CLIENT JOIN DOMAIN AND ACCESS FILE SHARE
• Let us join and access file share
• User access file share from server
5. ALLOW ONLY PC2 CAN REMOTE DESKTOP INTO SRV1 SERVER
=> Let client remote
6. ALLOW LAN-CLIENT ACCESS WEBSERVER IN SRV1 (LOCAL)
Test Client
* I have two different templates, one pointing to the domain name and one to the IP address. => Access by domain name of server
• Access by IP address
7. ENABLE POSTROUTING BY USING MASQUERADING TYPE
8. ALLOW ACCESS INTERNET
A. FIREWALL SERVER
B. LAN-SERVER
C. LAN-CLIENT
9. Enable PREROUTING by using Destination NAT. (optional)
A. Make sure PC3 (your real machine) can access Webserver in SRV1.
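The numbered steps of this lab (declarations and policies, ping, SSH from SRV1 only, DHCP for LAN clients, the four DNS cases, domain join and file share, Remote Desktop from PC2 only, the local web server, masquerading, Internet access and the optional destination NAT) written out as one iptables script. This is an added example, not the lab's own script (the original was only shown as screenshots): the interface names and addresses are taken from the Lab Instruction above, while the PC2 and PC3 addresses, the port list used for domain join, and the DRY_RUN/IPT variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the lab's own script. Addresses and interfaces follow the
# Lab Instruction; PC2 and PC3 addresses are ASSUMED (the sheet does not give them).
WAN=eth0              # 172.16.1.135/23, channel to the Internet
LANSRV=eth1           # 192.168.25.1/24, LAN Server segment
LANCLI=eth2           # 172.16.25.1/24, LAN Client segment
SRV_NET=192.168.25.0/24
CLI_NET=172.16.25.0/24
SRV1=192.168.25.2     # AD+DNS, DHCP, web, FTP and file server
PC2=172.16.25.10      # ASSUMED: the only client allowed to use Remote Desktop
PC3=172.16.1.50       # ASSUMED: the "real machine" on the outside network

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands so they can be reviewed first

# run: print or execute a command depending on DRY_RUN
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }

apply_rules() {
    # a. Declarations: routing on, tables flushed, deny-all default policies
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Ping allow: echo requests to and through the firewall (replies match ESTABLISHED)
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 1. Only SRV1 may open an SSH session to the firewall
    ipt -A INPUT -i "$LANSRV" -s "$SRV1" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 2. LAN clients may request an address; the firewall relays DHCP to SRV1
    ipt -A INPUT -i "$LANCLI" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A OUTPUT -o "$LANCLI" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -A OUTPUT -o "$LANSRV" -d "$SRV1" -p udp --dport 67 -j ACCEPT
    # 3A/3B. The firewall resolves names via the ISP and via SRV1
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$LANSRV" -d "$SRV1" -p udp --dport 53 -j ACCEPT
    # 3C. SRV1 forwards queries to the ISP
    ipt -A FORWARD -i "$LANSRV" -o "$WAN" -s "$SRV1" -p udp --dport 53 -j ACCEPT
    # 3D. LAN clients query the local DNS on SRV1
    ipt -A FORWARD -i "$LANCLI" -o "$LANSRV" -s "$CLI_NET" -d "$SRV1" -p udp --dport 53 -j ACCEPT
    # 4. Domain join and file share: Kerberos, RPC, LDAP, SMB from clients to SRV1 only
    ipt -A FORWARD -i "$LANCLI" -o "$LANSRV" -s "$CLI_NET" -d "$SRV1" -p tcp \
        -m multiport --dports 88,135,139,389,445,464,636,3268 -j ACCEPT
    ipt -A FORWARD -i "$LANCLI" -o "$LANSRV" -s "$CLI_NET" -d "$SRV1" -p udp \
        -m multiport --dports 88,123,137,138,389,464 -j ACCEPT
    # 5. Only PC2 may reach Remote Desktop on SRV1
    ipt -A FORWARD -i "$LANCLI" -o "$LANSRV" -s "$PC2" -d "$SRV1" -p tcp --dport 3389 -j ACCEPT
    # 6. LAN clients may browse the web server on SRV1
    ipt -A FORWARD -i "$LANCLI" -o "$LANSRV" -s "$CLI_NET" -d "$SRV1" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT
    # 7. Masquerade everything leaving through the Internet interface
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # 8A/8B/8C. Web access to the Internet for the firewall, LAN Server and LAN Client
    ipt -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LANSRV" -o "$WAN" -s "$SRV_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LANCLI" -o "$WAN" -s "$CLI_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 9. Optional: publish SRV1's web server to PC3 with destination NAT
    ipt -t nat -A PREROUTING -i "$WAN" -s "$PC3" -p tcp --dport 80 -j DNAT --to-destination "$SRV1"
    ipt -A FORWARD -i "$WAN" -o "$LANSRV" -s "$PC3" -d "$SRV1" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

apply_rules
```

Run it as is to print the rule set for review, then as root with DRY_RUN=0 to apply it; iptables -L -v -n and iptables -t nat -L -v -n show the packet counters, which is the quickest way to see which rule a test from SRV1, PC2 or a LAN client actually matched. Two caveats: the DHCP rules only cover the firewall acting as relay, so the relay service itself still has to be running, and a domain join against Windows Server 2008 or later also needs the RPC dynamic port range (TCP 49152 to 65535) towards SRV1, which this script deliberately leaves closed so that it shows up in the counters as a dropped connection rather than being opened silently.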
The End!