rafaelsadekov / LinuxNetworkLearn
RafHP: "add my work" (a year ago, commit 67d3f15)
Branch main; 1 branch, 1 commit, 0 tags
Language: Markdown
Files: materials, misc, src, README.md, README_RUS.md (all from the commit "add my work", a year ago)
Contents
Chapter I
Chapter II
TCP/IP protocol stack
Addressing
Routing
Chapter III
Part 1. **ipcalc** tool
Start a virtual machine (hereafter -- ws1)
1.1. Networks and Masks
Define and write in the report:
1) network address of *192.167.38.54/13*
2) conversion of the mask *255.255.255.0* to prefix and binary, */15* to normal and binary, *11111111.11111111.11111111.11110000* to normal and prefix
3) minimum and maximum host in *12.167.38.4* network with masks: */8*, *11111111.11111111.00000000.00000000*, *255.255.254.0* and */4*
1.2. localhost
Define and write in the report whether an application running on localhost can be accessed with the following IPs: *194.34.23.100*, *127.0.0.2*, *127.1.0.1*, *128.0.0.1*
1.3. Network ranges and segments
Define and write in a report:
1) which of the listed IPs can be used as public and which only as private: *10.0.0.45*, *134.43.0.2*, *192.168.4.2*, *172.20.250.4*, *172.0.2.1*, *192.172.0.1*, *172.68.0.2*, *172.16.255.255*, *10.10.10.10*, *192.169.168.1*
2) which of the listed gateway IP addresses are possible for *10.10.0.0/18* network: *10.0.0.1*, *10.10.0.2*, *10.10.10.10*, *10.10.100.1*, *10.10.1.255*
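The arithmetic that **ipcalc** performs for the questions in Part 1, written out in plain POSIX shell. This is an added example, not code from the repository; the function names (`ip2int`, `network`, `classify`, `usable_in` and so on) are this example's own. Every IPv4 address is handled as a 32-bit integer, so network address, broadcast, first and last host, mask conversions and the private-range check all reduce to bit operations:

```shell
#!/bin/sh
# Added example, not code from the repository: the arithmetic ipcalc performs
# for the Part 1 questions, in plain POSIX shell. Every IPv4 address is handled
# as a 32-bit integer so masks, network and broadcast fall out of bit operations.

ip2int() {                       # "a.b.c.d" -> integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # integer -> "a.b.c.d"
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

int2bin() {                      # integer -> "11111111.11111111.00000000.00000000"
  i=31; out=""
  while [ "$i" -ge 0 ]; do
    out="$out$(( ($1 >> i) & 1 ))"
    if [ $(( i % 8 )) -eq 0 ] && [ "$i" -ne 0 ]; then out="$out."; fi
    i=$(( i - 1 ))
  done
  echo "$out"
}

prefix2mask() {                  # 13 -> integer form of 255.248.0.0
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

mask2prefix() {                  # 255.255.255.0 -> 24 (counts the leading one bits)
  m=$(ip2int "$1"); n=0
  while [ $(( m & 0x80000000 )) -ne 0 ]; do
    n=$(( n + 1 )); m=$(( (m << 1) & 0xFFFFFFFF ))
  done
  echo "$n"
}

network()    { int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") )); }
broadcast()  { int2ip $(( $(ip2int "$1") | (~$(prefix2mask "$2") & 0xFFFFFFFF) )); }
first_host() { int2ip $(( $(ip2int "$(network "$1" "$2")") + 1 )); }   # not meaningful for /31 and /32
last_host()  { int2ip $(( $(ip2int "$(broadcast "$1" "$2")") - 1 )); }

classify() {                     # loopback | private (RFC 1918 ranges) | public
  n=$(ip2int "$1")
  if   [ $(( n >> 24 )) -eq 127 ]; then echo loopback
  elif [ $(( n >> 24 )) -eq 10 ] \
    || [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] \
    || [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]; then echo private
  else echo public; fi
}

usable_in() {                    # usable_in 10.10.1.255 10.10.0.0/18 -> yes|no
  net=${2%/*}; pfx=${2#*/}
  if [ "$(network "$1" "$pfx")" = "$(network "$net" "$pfx")" ] \
     && [ "$1" != "$(network "$net" "$pfx")" ] \
     && [ "$1" != "$(broadcast "$net" "$pfx")" ]; then echo yes; else echo no; fi
}

if [ "${1:-}" = "demo" ]; then   # sh ipcalc.sh demo
  for a in 192.167.38.54/13 12.167.38.4/8 12.167.38.4/4; do
    ip=${a%/*}; p=${a#*/}
    echo "$a  net $(network "$ip" "$p")  hosts $(first_host "$ip" "$p") - $(last_host "$ip" "$p")"
  done
  echo "mask /15 = $(int2ip "$(prefix2mask 15)") = $(int2bin "$(prefix2mask 15)")"
fi
```

`usable_in` answers the gateway question of 1.3: a gateway must sit inside the network and must be neither the network address nor the broadcast address. `first_host`/`last_host` assume a prefix of /30 or shorter; /31 and /32 have no host range in this sense.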
Part 2. Static routing between two machines
Start two virtual machines (hereafter -- ws1 and ws2)
View existing network interfaces with the `ip a` command
Describe the network interface corresponding to the internal network on both machines and set the following addresses and masks: ws1 - *192.168.100.10*, mask */16*, ws2 - *172.24.116.8*, mask */12*
Run the `netplan apply` command to restart the network service
2.1. Adding a static route manually
Add a static route from one machine to another and back using a
Ping the connection between the machines
2.2. Adding a static route with saving
Restart the machines
Add a static route from one machine to another using the */etc/netplan/00-installer-config.yaml* file
Ping the connection between the machines
Part 3. **iperf3** utility
3.1. Connection speed
Convert and write results in the report: 8 Mbps to MB/s, 100 MB/s to Kbps, 1 Gbps to Mbps
3.2. **iperf3** utility
Measure connection speed between ws1 and ws2
Part 4. Network firewall
4.1. **iptables** utility
Create a */etc/firewall.sh* file simulating the firewall on ws1 and ws2:
The following rules should be added to the file in this order:
1) on ws1 apply a strategy where a deny rule is written at the beginning and an allow rule is written at the end (this applies to points 4 and 5);
2) on ws2 apply a strategy where an allow rule is written at the beginning and a deny rule is written at the end (this applies to points 4 and 5);
3) open access on machines for port 22 (ssh) and port 80 (http);
4) reject *echo reply* (the machine must not answer ping, i.e. the block is on the OUTPUT chain);
5) allow *echo reply* (machine must be pinged);
Run the files on both machines with `chmod +x /etc/firewall.sh` and `/etc/firewall.sh` commands.
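An added example of what the two orderings from 4.1 look like as a script (this is not the repository's own */etc/firewall.sh*; the function names and the `IPT` dry-run variable are this example's). The point it demonstrates is the first-match rule of **iptables**: a chain is evaluated top-down and the first rule that matches decides, so "deny first" (ws1) and "allow first" (ws2) behave differently although both files contain the same two echo-reply rules:

```shell
#!/bin/sh
# Added example, not the repository's /etc/firewall.sh: the two rule orderings
# from Part 4.1. iptables evaluates a chain top-down and the first matching rule
# decides, which is why "deny first" and "allow first" behave differently even
# though both files contain the same two echo-reply rules.
# Real use (as root on the VM): sh firewall.sh ws1   or   sh firewall.sh ws2
# With IPT=echo the rules are printed instead of applied.
IPT="${IPT:-iptables}"

open_services() {
  $IPT -F                                     # start from an empty filter table
  $IPT -A INPUT -p tcp --dport 22 -j ACCEPT   # 3) ssh
  $IPT -A INPUT -p tcp --dport 80 -j ACCEPT   # 3) http
}

# ws1: 4) deny written first, 5) allow written last -> the DROP matches first,
# ws1 never answers ping.
ws1_rules() {
  open_services
  $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
  $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
}

# ws2: 5) allow written first, 4) deny written last -> the ACCEPT matches first,
# ws2 answers ping.
ws2_rules() {
  open_services
  $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
}

# Replay a rule set in dry-run mode and report the target of the first OUTPUT
# rule an outgoing echo reply would hit; this mirrors the kernel's first-match
# semantics without touching the live ruleset.
echo_reply_verdict() {
  ( IPT=echo; "$1_rules" ) | awk '$1 == "-A" && $2 == "OUTPUT" && /echo-reply/ { print $NF; exit }'
}

case "${1:-}" in
  ws1|ws2) "$1_rules" ;;
  check)   for h in ws1 ws2; do echo "$h: echo reply -> $(echo_reply_verdict "$h")"; done ;;
  *)       echo "usage: $0 ws1|ws2|check" >&2 ;;
esac
```

Two practical notes. The ACCEPT rules for ports 22 and 80 only have an effect once the INPUT chain's default policy is DROP (`iptables -P INPUT DROP`), which the list above does not set; if you add that policy over an ssh session, accept loopback and `ESTABLISHED,RELATED` traffic first, or the session is cut. And this ordering is exactly what 4.2 relies on: ws1 stays silent to `ping`, but **nmap**'s host discovery also probes TCP ports such as 80, so the host is still reported as up.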
4.2. **nmap** utility
Use the **ping** command to find the machine that does not answer ping, then use the **nmap** utility to show that this host is nevertheless up
Save dumps of the virtual machine images
Part 5. Static network routing
Start five virtual machines (3 workstations (ws11, ws21, ws22) and 2 routers (r1, r2))
5.1. Configuration of machine addresses
Set up the machine configurations in */etc/netplan/00-installer-config.yaml* according to the network in the picture.
Restart the network service. If there are no errors, check that the machine address is correct with the `ip -4 a` command. Also ping ws22 from ws21. Similarly, ping r1 from ws11.
5.2. Enabling IP forwarding
To enable IP forwarding, run the following command on the routers:
Open */etc/sysctl.conf* file and add the following line:
5.3. Default route configuration
Configure the default route (gateway) for the workstations. To do this, add `default` before the router's IP in the configuration file
Call `ip r` and show that a route is added to the routing table
Ping the r2 router from ws11 and show on r2 that the ping arrives. To do this, use the `tcpdump -tn -i eth0` command
5.4. Adding static routes
Add static routes to r1 and r2 in configuration file. Here is an example for r1 route to 10.20.0.0/26:
Call `ip r` and show route tables on both routers. Here is an example of the r1 table:
Run `ip r list 10.10.0.0/[netmask]` and `ip r list 0.0.0.0/0` commands on ws11.
5.5. Making a router list
Run the `tcpdump -tnv -i eth0` capture on r1
Use **traceroute** utility to list routers in the path from ws11 to ws21
5.6. Using **ICMP** protocol in routing
Run on r1 network traffic capture going through eth0 with the
Ping a non-existent IP (e.g. *10.30.0.111*) from ws11 with the
Save dumps of the virtual machine images
Part 6. Dynamic IP configuration using **DHCP**
For r2, configure the **DHCP** service in the */etc/dhcp/dhcpd.conf* file:
1) Specify the default router address, DNS-server and internal network address. Here is an example of a file for r2:
2) Write `nameserver 8.8.8.8` in a *resolv.conf* file
Restart the **DHCP** service with `systemctl restart isc-dhcp-server`. Reboot the ws21 machine with `reboot` and show with `ip a` that it has got an address. Also ping ws22 from ws21.
Specify the MAC address on ws11 by adding to */etc/netplan/00-installer-config.yaml*:
Configure r1 the same way as r2, but make the address assignment strictly bound to the MAC address (of ws11). Run the same tests
Request an IP address renewal from ws21
Save dumps of virtual machine images
Part 7. **NAT**
In the */etc/apache2/ports.conf* file change the line `Listen 80` to `Listen 0.0.0.0:80` on ws22 and r1, i.e. make the Apache2 server public
Start the Apache web server with `service apache2 start` command on ws22 and r1
Add the following rules to the firewall, created similarly to the firewall from Part 4, on r2:
1) delete rules in the filter table - `iptables -F`
2) delete rules in the "NAT" table - `iptables -F -t nat`
3) drop all routed packets - `iptables --policy FORWARD DROP`
Run the file as in Part 4
Check the connection between ws22 and r1 with the `ping` command
Add another rule to the file:
4) allow routing of all **ICMP** protocol packets
Run the file as in Part 4
Check connection between ws22 and r1 with the `ping` command
Add two more rules to the file:
5) enable **SNAT**, i.e. masquerade all local IPs of the local network behind r2 (network 10.20.0.0, as defined in Part 5)
6) enable **DNAT** on port 8080 of the r2 machine, giving the external network access to the Apache web server running on ws22
Run the file as in Part 4
Check the TCP connection for **SNAT** by connecting from ws22 to the Apache server on r1 with the `telnet [address] [port]` command
Check the TCP connection for **DNAT** by connecting from r1 to the Apache server on ws22 with the `telnet` command (address r2 and port 8080)
Save dumps of virtual machine images
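An added example of the r2 firewall for Part 7, written in the same style as the Part 4 file. It is not the repository's own file: the interface names, ws22's address and the `IPT` dry-run variable are assumptions of this example and are marked as such in the code. Besides rules 1) to 6) it shows the caveat a practitioner runs into with `--policy FORWARD DROP`: NAT only rewrites addresses, and the translated TCP packets still pass through the FORWARD chain, so the `telnet` checks only succeed once FORWARD also accepts them:

```shell
#!/bin/sh
# Added example, not the repository's file: the r2 firewall for Part 7, built in
# the same style as Part 4. Values marked ASSUMED are not given on the page.
# Real use (as root on r2): sh nat.sh apply      Dry run: sh nat.sh show
IPT="${IPT:-iptables}"
LAN_NET="10.20.0.0/26"    # the network behind r2 (Part 5)
WAN_IF="eth0"             # ASSUMED: r2's interface towards r1
LAN_IF="eth1"             # ASSUMED: r2's interface towards ws21/ws22
WS22_IP="10.20.0.20"      # ASSUMED: ws22's address inside LAN_NET
DNAT_PORT=8080

nat_rules() {
  $IPT -F                                   # 1) flush the filter table
  $IPT -F -t nat                            # 2) flush the nat table
  $IPT --policy FORWARD DROP                # 3) routed packets are dropped unless allowed
  $IPT -A FORWARD -p icmp -j ACCEPT         # 4) ping may cross r2 again
  # 5) SNAT: packets from LAN_NET leaving through WAN_IF get r2's address as source
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  # 6) DNAT: connections to r2:8080 arriving on WAN_IF are rewritten to ws22:80
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DNAT_PORT" \
       -j DNAT --to-destination "$WS22_IP:80"
  # NAT only rewrites addresses; the translated TCP packets still traverse FORWARD,
  # where the DROP policy from 3) would discard them. The page's list stops at 6);
  # these three rules are the minimum needed for the telnet checks to succeed.
  $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -d "$WS22_IP" -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Count the rules a dry run sends to a given table ("filter" rules carry no -t).
rules_in_table() {
  ( IPT=echo; nat_rules ) | awk -v t="$1" '
    $1 == "-A" && t == "filter"            { c++ }
    $1 == "-t" && $2 == t && $3 == "-A"    { c++ }
    END { print c + 0 }'
}

case "${1:-}" in
  apply) nat_rules ;;                       # as root on r2, like /etc/firewall.sh in Part 4
  show)  ( IPT=echo; nat_rules ) ;;
  *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

`sh nat.sh show` prints the rules in the order they would be applied; the `rules_in_table` helper is only there to make that order and the split between the filter and nat tables visible. The script presumes that IP forwarding is already enabled on r2 as in 5.2; with forwarding off, no FORWARD or NAT rule is ever consulted.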
Part 8. Bonus. Introduction to **SSH Tunnels**
Run a firewall on r2 with the rules from Part 7
Start the **Apache** web server on ws22 on localhost only (i.e. in the */etc/apache2/ports.conf* file change the line `Listen 80` to `Listen localhost:80`)
Use *Local TCP forwarding* from ws21 to ws22 to access the web server on ws22 from ws21
Use *Remote TCP forwarding* from ws11 to ws22 to access the web server on ws22 from ws11
To check that the connection worked in both of the previous steps, go to a second terminal (e.g. with Alt + F2) and run the `telnet 127.0.0.1 [local port]` command.
Save dumps of virtual machine images
Chapter IV