## Important!

:::danger
Need to modify the `.yml` settings before setting up docker, as the nginx config file would otherwise be mounted read-only and could not be modified.
:::

```
# Go to lab_net and open the compose file:
cd lab_net
vim docker-compose.yml
# Navigate to "services:" -> "web:" -> "volumes:" and find the line
#   ./conf/nginx.conf:/etc/nginx/nginx.conf
# Remove the ":ro" (read-only) suffix after it.
```

## Part 1: Basic Networking & Routing Setup

1. Run `ping 10.140.113.254 -c 4` from the `user1` node.
   ![Screenshot 2024-10-13 at 21.40.10](https://hackmd.io/_uploads/Hyra6BK11l.png)
2. Run `ping 10.140.112.254 -c 4` from the `user1` node.
   ![Screenshot 2024-10-13 at 21.40.44](https://hackmd.io/_uploads/S1DyRrK1Jx.png)
3. Run `ping 10.140.113.100 -c 4` from the `user1` node.
   ![Screenshot 2024-10-13 at 21.41.23](https://hackmd.io/_uploads/r1AWASt1kl.png)
4. Run `ping 10.140.112.2 -c 4` from the `user1` node.
   ![Screenshot 2024-10-13 at 21.42.10](https://hackmd.io/_uploads/BkaNCBKJJg.png)

## Part 2: NAT Setup

1. The commands you used to configure the `gw` node.

### Basic Networking & Routing Setup

```
# gw config
docker exec -ti labnet-gw bash /scripts/net-gw.sh
# user1 config
docker exec -ti labnet-user1 bash /scripts/net-user.sh 10.140.112.1
# user2 config
docker exec -ti labnet-user2 bash /scripts/net-user.sh 10.140.112.2
# web config
docker exec -ti labnet-web bash /scripts/net-web.sh
# SSH into the lab, forwarding local ports 20080/20443 to the gateway's 80/443
ssh -p 30022 -i ./conf/ssh/id_ed25519 root@localhost -L 20080:gw:80 -L 20443:gw:443
```

### NAT Setup

```
# From zsh:
docker exec -ti labnet-gw bash
vim /etc/sysctl.conf
```

![Screenshot 2024-10-13 at 21.50.50](https://hackmd.io/_uploads/rJLSgLFy1g.png)

> Modification: Uncommented `net.ipv4.ip_forward=1`

```
# configure NAT (specifically, masquerading) to allow
# user1 and user2 to share the gateway's public IP address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

2. * Run `ping 8.8.8.8 -c 4` from the `user1` node.
   ![Screenshot 2024-10-13 at 21.54.44](https://hackmd.io/_uploads/SJyEWIFkJx.png)
   * Run `ping 8.8.8.8 -c 4` from the `user2` node.
   ![Screenshot 2024-10-13 at 21.56.00](https://hackmd.io/_uploads/Skj_ZIt1Jl.png)

## Part 3: Port Forwarding Setup

1. The commands you used to configure the `gw` node.

```
# DNAT incoming traffic on port 80 to the web server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.19.0.2:80
# Forward traffic from eth0 to eth20
iptables -A FORWARD -i eth0 -o eth20 -p tcp --dport 80 -d 172.19.0.2 -j ACCEPT
# Allow established connections back
iptables -A FORWARD -i eth20 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SNAT packets going to the web server
iptables -t nat -A POSTROUTING -o eth20 -s 172.18.0.0/16 -d 172.19.0.2 -j SNAT --to-source 172.19.0.3
# MASQUERADE outgoing traffic from the web server to the external network (if needed)
iptables -t nat -A POSTROUTING -o eth0 -s 172.19.0.0/16 -j MASQUERADE
# DNAT incoming traffic on port 443 to the web server
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.19.0.2:443
# Forward traffic from eth0 to eth20
iptables -A FORWARD -i eth0 -o eth20 -p tcp --dport 443 -d 172.19.0.2 -j ACCEPT
# Allow established connections back (same rule as above; one copy is enough, the second is redundant)
iptables -A FORWARD -i eth20 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Result:
![Screenshot 2024-10-18 at 21.07.48](https://hackmd.io/_uploads/SJWhT01ekx.png)

2. Run `curl gw` from the `outr` node.
   ![Screenshot 2024-10-13 at 23.12.26](https://hackmd.io/_uploads/rJLPXvY1ke.png)

## Part 4: Firewall Setup

1. The commands you used to configure the `gw` node.
```
# Flush all rules and user-defined chains in the filter and nat tables
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# If /proc/sys/net/ipv4/ip_forward already reads 1, do nothing; otherwise enable forwarding
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# DNAT incoming HTTP to the web server and masquerade traffic leaving on eth0
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.21.0.2:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Let HTTP requests reach the web server and let its replies (established connections) back out
iptables -A FORWARD -i eth0 -o eth20 -p tcp --dport 80 -d 172.21.0.2 -j ACCEPT
iptables -A FORWARD -i eth20 -o eth0 -p tcp --sport 80 -s 172.21.0.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block the web server from reaching the user network
iptables -A FORWARD -s 172.21.0.2 -d 172.19.0.0/16 -j DROP
```

2. * Run `ping 10.140.112.1 -c 4` from the `web` node.
   ![Screenshot 2024-10-13 at 23.21.09](https://hackmd.io/_uploads/BkGuHPY1ke.png)
   * Run `ping 10.140.112.2 -c 4` from the `web` node.
   ![Screenshot 2024-10-13 at 23.21.46](https://hackmd.io/_uploads/SJI9SPFk1x.png)

## Part 5: HTTPS Setup

```
mkdir $HOME/ca
cd $HOME/ca
# Directory layout expected by the default openssl.cnf "openssl ca" configuration
mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo 00 > ./demoCA/serial
# CA creation
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 -keyout zooCA_key.pem -out zooCA_cert.pem -subj "/C=TW/ST=Hsinchu/L=Hsinchu/O=zoo.ORG/OU=CA/CN=localhost Root CA"
# Create server key
openssl genrsa -out server_key.pem 2048
# Generate signing request
openssl req -new -key server_key.pem -out server_key.csr -sha256 -subj "/C=TW/ST=Hsinchu/L=Hsinchu/O=zoo.ORG/OU=WebServer/CN=localhost" -addext "subjectAltName=DNS:localhost"
# Sign the request with the CA; the SAN is supplied through an inline [SAN] section (bash process substitution)
openssl ca -in server_key.csr -out server_cert.pem -md sha256 -cert zooCA_cert.pem -keyfile zooCA_key.pem -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -extensions SAN
# Combine server key & cert
cat server_key.pem server_cert.pem > server.pem
```

1. Take a screenshot of the command `ls -al <path-to-your-ca-dir>`.
   ![Screenshot 2024-10-13 at 23.28.21](https://hackmd.io/_uploads/SJxXDvFJkl.png)
2. Explain how you configure nginx in the web node to serve HTTPS requests on port 443.
```
root@web:~/ca# cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /dev/stderr;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /dev/stderr;

    gzip on;

    include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name localhost;

        ssl_certificate /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/server_key.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

a. Navigate to the config file:

```
cd ~
cd /etc/nginx
vim nginx.conf
```

b. Added lines (inside the `server` block):

```
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name localhost;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/server_key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
```

c. Creating the `ssl` directory and copying the certificates and key; the full chain is the server certificate followed by the CA certificate, and the private key is readable by root only:

```
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
cp $HOME/ca/server_cert.pem $HOME/ca/server_key.pem $HOME/ca/zooCA_cert.pem /etc/nginx/ssl/
cat /etc/nginx/ssl/server_cert.pem /etc/nginx/ssl/zooCA_cert.pem > /etc/nginx/ssl/fullchain.pem
chmod 600 /etc/nginx/ssl/server_key.pem
chmod 644 /etc/nginx/ssl/server_cert.pem
```

d. Test the configuration and reload nginx:

```
nginx -t
nginx -s reload
```

3. Explain how you install the CA certificate in your browser or OS to ensure that your browser can automatically validate the web server's certificate.
### Keychain Access

Open Keychain Access via Spotlight search and import the server certificate and the CA certificate. Right-click the imported certificate and choose `Get Info`. Under `Trust`, change the setting to `Always Trust`. Exit Keychain Access.

![Screenshot 2024-10-13 at 12.03.43](https://hackmd.io/_uploads/SyzkD6O1yl.png)

> Already set Trust to "Always Trust"

### Connecting to Server

```
# On terminal 1:
openssl s_server -cert server.pem -accept 8443 -www
# On terminal 2:
openssl s_client -connect localhost:8443
```

Result from terminal #1
![Screenshot 2024-10-14 at 11.13.16](https://hackmd.io/_uploads/SkiLnWckJg.png)

Result from terminal #2

```
root@web:~/ca# openssl s_client -connect localhost:8443 -CAfile /etc/nginx/ssl/zooCA_cert.pem
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = TW, ST = Hsinchu, L = Hsinchu, O = zoo.ORG, OU = CA, CN = localhost Root CA
verify return:1
depth=0 C = TW, ST = Hsinchu, O = zoo.ORG, OU = WebServer, CN = localhost
verify return:1
---
Certificate chain
 0 s:C = TW, ST = Hsinchu, O = zoo.ORG, OU = WebServer, CN = localhost
   i:C = TW, ST = Hsinchu, L = Hsinchu, O = zoo.ORG, OU = CA, CN = localhost Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 17 12:19:27 2024 GMT; NotAfter: Oct 17 12:19:27 2025 GMT
 1 s:C = TW, ST = Hsinchu, L = Hsinchu, O = zoo.ORG, OU = CA, CN = localhost Root CA
   i:C = TW, ST = Hsinchu, L = Hsinchu, O = zoo.ORG, OU = CA, CN = localhost Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 17 12:19:16 2024 GMT; NotAfter: Oct 15 12:19:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEmDCCAoCgAwIBAgIBADANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJUVzEQ
MA4GA1UECAwHSHNpbmNodTEQMA4GA1UEBwwHSHNpbmNodTEQMA4GA1UECgwHem9v
Lk9SRzELMAkGA1UECwwCQ0ExGjAYBgNVBAMMEWxvY2FsaG9zdCBSb290IENBMB4X
DTI0MTAxNzEyMTkyN1oXDTI1MTAxNzEyMTkyN1owWTELMAkGA1UEBhMCVFcxEDAO
BgNVBAgMB0hzaW5jaHUxEDAOBgNVBAoMB3pvby5PUkcxEjAQBgNVBAsMCVdlYlNl
cnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAtd/23bTjTbzD52bWl4wwyr/M+UFHFrDnBYdJMqJqjKwbe1YD1bTi
HdcXIv++6+JlgcGoFJD7jgjxcgokFv7qwDVxMMzb3ZvX/T+29qT0p1T5MTvqc9TH
Jk+Lw9y5+S0t6+TOabxXIICHV5ggTpEkNZU4EoJCsW1EO19BjaZM+thcNJ7NY8V0
c8D1+i7GNJBWdi4yOeptApJtGHOvXQNHTkiZvv/fFA5/BnRCpxVEy6fAOq86+wQy
U7tu4wdP67wn718nBJ6LVxUobzlea18LPcIWc+Ub4KDbcB8Mn/IU2yodNomSpQ2k
HATVe7Jhyed4wcvVVg63lGuAtbctD3vtywIDAQABo1gwVjAUBgNVHREEDTALggls
b2NhbGhvc3QwHQYDVR0OBBYEFEmZU4P1juhIA0pSiGmLKIavvYvhMB8GA1UdIwQY
MBaAFPoG4bhhZkNwjjleYr91H1hSevibMA0GCSqGSIb3DQEBCwUAA4ICAQB2UQFz
UJtoFPxS3d3JsBzmvo2rnpJgk5Mvr83/2SPWWCLh+lsHHwgkaS2rCmUHdd7TANB8
65vGHCKj09Oyg58yEnCpoV7sTNX0efbcRlOiBKbKvE8B9EHAqWI2nnwUE7Vbyf03
O0Cci++TFZo1Bd4+bBfuVJTOe4x558x+k3TkmlEEDc/bETe0F1SoctNPgVn4r6Gd
AfbRS2d1NBYQupCUDp26HIPo2cG91kxiFBQbEruD6x9VoSOfg/nGSSlnRSe7OCbp
cO29LmZ/f6a2k4EfSxHOdd606TZn3xx4LD//Uk+NtFiyNLtc3VGa+jGmotqUEmWd
rBqpD/h2IuHTmWYIvh8dcqvg1p9PPHxgY1p22KrFJoLSqueNiWKTzcwWhrM2xJ/0
DPzJHmdCet/GQ0ILTpjtcro+kzesT57VU7yn3ra0nZFJcu8fL9Bw99fl76kQnSiu
oTJCiiT+ytJ+eneVBT5aa3iiDZCBCWV19wuk+g/dQawu9ghUCIvm8Qisi0DCbFrM
OW9LT24oUflT87wOue9Bjj/fcY9MmGZGKBjZ2hz7WZKc6Q4KSMpeiMUG1tn7YU6G
hib6R7tD+OEq4FKzXy30tp9mLYCZXYRr2mUJFqDvLtFMuzrXU+u8atgs/hnxKj40
xhGiC5kY2WPkBBEG/JgeCzUaZ9ryPpEwYHZuPw==
-----END CERTIFICATE-----
subject=C = TW, ST = Hsinchu, O = zoo.ORG, OU = WebServer, CN = localhost
issuer=C = TW, ST = Hsinchu, L = Hsinchu, O = zoo.ORG, OU = CA, CN = localhost Root CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3210 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7F36303C2959457A9DAA7C2A59944CCF4EB6DE7FC68A70A3F523793DD5ABE4B9
    Session-ID-ctx:
    Resumption PSK: 4C7CB5C07CD849BABBF9B0F1B8DC069C6D4B091CADB5E63480E400B2383B24C9124B0E80CCA9EBB95BF998091BF81A9B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 81 72 cf 45 04 c8 d6 da-72 35 62 2e 51 55 56 71   .r.E....r5b.QUVq
    0010 - 0b 1e ae 0e 45 79 e8 70-86 fc 05 2b 28 62 bb 85   ....Ey.p...+(b..
    0020 - 63 8a ee a9 71 24 9e 30-8a 16 f0 d3 25 e8 8a 72   c...q$.0....%..r
    0030 - 8f d6 9f 04 2e 4c 60 dc-64 72 0d 94 cd a3 41 e1   .....L`.dr....A.
    0040 - e1 d1 1f f2 b2 a0 5f 42-62 e3 64 e4 44 24 eb 75   ......_Bb.d.D$.u
    0050 - 2a 28 0a b1 16 79 06 f6-23 6a 8a 6e 74 ea 9a 27   *(...y..#j.nt..'
    0060 - f4 ad 4a fb 4c 1b e3 74-90 84 24 02 6d e4 cf 3f   ..J.L..t..$.m..?
    0070 - cc 1e 58 a7 a6 9a 84 f9-7f cc 4c f7 54 82 28 2a   ..X.......L.T.(*
    0080 - 65 19 33 6b a0 b3 f9 95-da aa 55 2e 50 3a 01 ac   e.3k......U.P:..
    0090 - 10 ad dc ea 98 a5 57 52-d0 65 bd f0 f7 9f cc d9   ......WR.e......
    00a0 - f6 e3 4d 0e c3 99 63 87-35 1d fa 5f e2 cb 5f 4f   ..M...c.5.._.._O
    00b0 - c9 04 d8 32 f2 67 08 d6-fa 1d ea c6 78 b7 80 7c   ...2.g......x..|
    00c0 - e2 11 e9 d6 d0 55 11 98-ef 32 5b 45 68 ab 2a ab   .....U...2[Eh.*.
    00d0 - fa d8 5f 0d 22 d8 86 fc-47 f8 f0 55 b6 cc a1 5a   .._."...G..U...Z

    Start Time: 1729260036
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E0485B26F8205ED9FD109EB2A00EA0310B7CF7B0ED640C538F1D61696082BFD
    Session-ID-ctx:
    Resumption PSK: 0AEACC6FAD374E55F00D735772F5A9D655A1D90DAB555C2F1B92F6F7622510B24C93AF140748C3ACC1B8E5087C3BB96F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 81 72 cf 45 04 c8 d6 da-72 35 62 2e 51 55 56 71   .r.E....r5b.QUVq
    0010 - 99 44 1b 26 d9 13 9a 6f-c5 1d 45 1f a7 9c 34 2f   .D.&...o..E...4/
    0020 - f9 8f bc a2 93 08 f4 22-9b ed 00 fb 89 1c b9 25   .......".......%
    0030 - ce d3 37 e7 a7 b9 87 c6-1b 42 59 c1 fe f8 2d 86   ..7......BY...-.
    0040 - 1c 4f bf 8e 42 d0 73 73-58 4f 04 04 b6 07 00 d7   .O..B.ssXO......
    0050 - 55 3f 58 2c 89 5d e5 33-65 10 dc 47 99 91 8a 03   U?X,.].3e..G....
    0060 - e4 c5 29 83 08 f8 68 51-93 2f a0 1a 15 9a 4f 96   ..)...hQ./....O.
    0070 - da f3 96 b4 ac cd a8 48-e9 f7 91 c1 61 9e cb 97   .......H....a...
    0080 - 9b b2 1c cc 35 f1 09 e6-a1 eb c8 58 30 0d 8b e6   ....5......X0...
    0090 - c2 3f d2 a5 30 93 4d b5-47 e8 19 9c 89 d5 33 40   .?..0.M.G.....3@
    00a0 - bc 11 f2 6d 0d e2 97 6c-82 dd ea 1d f9 ec 16 87   ...m...l........
    00b0 - 25 28 5d d0 3f 56 12 ab-38 99 a8 bf e7 f7 1e cc   %(].?V..8.......
    00c0 - e0 2c 77 97 01 0f fa 81-ca 7a 64 52 80 83 49 dc   .,w......zdR..I.
    00d0 - 77 a8 0b 13 18 ef 43 39-e1 1d 86 61 48 fb e1 b6   w.....C9...aH...

    Start Time: 1729260036
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```

Take a screenshot of the full screen while browsing the HTTPS website after installing the CA certificate. The connection should show as secure when you're browsing the HTTPS website.
![Screenshot 2024-10-18 at 22.00.05](https://hackmd.io/_uploads/rJscqJll1x.png)

:::warning
**IMPORTANT!** I somehow cannot export this HackMD file into PDF without losing the images; therefore, to see the rest of the code, please refer to my original note.
URL: https://hackmd.io/iEAbIAFVSui0qx3pC7kX9Q?view
:::
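The gateway rules in Parts 2, 3 and 4 above are typed in one at a time, and each part flushes and re-adds them with plain `-A`, which duplicates rules on every re-run and leaves the `FORWARD` chain with its default `ACCEPT` policy. The script below is an added example written for this note (it is not the lab's `net-gw.sh` or any course-provided script) that collects the same masquerading, port-forwarding and web-to-user blocking steps into one idempotent script with a default-deny `FORWARD` policy. The interface names `eth0`/`eth20`, the user network `172.18.0.0/16` and the web server address `172.19.0.2` are assumptions taken from the Part 3 rules and can be overridden through environment variables; `DRY_RUN=1` (or the `show` argument) prints the rules instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: idempotent gateway NAT + firewall script (not the lab's own scripts).
# The defaults below are assumptions taken from the Part 3 rules; override via the environment.
WAN_IF="${WAN_IF:-eth0}"            # interface towards the outside (outr)
LAN_IF="${LAN_IF:-eth20}"           # interface towards the user/web side
LAN_NET="${LAN_NET:-172.18.0.0/16}" # user1/user2 network
WEB_IP="${WEB_IP:-172.19.0.2}"      # web server behind the gateway
DRY_RUN="${DRY_RUN:-0}"             # 1 = print commands instead of running them

# run_ipt TABLE CHAIN RULE...: append RULE to CHAIN only if it is not already there.
# "-C" exits 0 when an identical rule exists, so re-running the script never
# duplicates rules (unlike the plain "-A" used in the Parts above).
run_ipt() {
  table="$1"; chain="$2"; shift 2
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables -t $table -A $chain $*"
  else
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
  fi
}

# set_policy CHAIN TARGET: default policy for a filter-table chain.
set_policy() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables -P $1 $2"; else iptables -P "$1" "$2"; fi
}

apply_gw_rules() {
  # 1. Routing must be on, or DNAT/MASQUERADE never see forwarded packets (Part 2's sysctl edit).
  if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"
  else sysctl -w net.ipv4.ip_forward=1 >/dev/null; fi

  # 2. Default-deny for transit traffic: everything forwarded must match a rule below.
  set_policy FORWARD DROP

  # 3. Replies for connections the gateway already tracks, in both directions; drop junk.
  run_ipt filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run_ipt filter FORWARD -m conntrack --ctstate INVALID -j DROP

  # 4. Part 2: users reach the outside through the gateway's address (masquerading).
  run_ipt filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run_ipt nat POSTROUTING -o "$WAN_IF" -j MASQUERADE

  # 5. Part 3: publish the web server on 80/443 only (DNAT plus a matching FORWARD accept
  #    restricted to NEW connections; replies are covered by rule 3).
  for port in 80 443; do
    run_ipt nat PREROUTING -i "$WAN_IF" -p tcp --dport "$port" -j DNAT --to-destination "$WEB_IP:$port"
    run_ipt filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport "$port" \
      -m conntrack --ctstate NEW -j ACCEPT
  done

  # 6. Part 4: the web server may answer requests but must not open connections to the users.
  #    Redundant with the DROP policy, but explicit so the intent survives a later policy change.
  run_ipt filter FORWARD -s "$WEB_IP" -d "$LAN_NET" -j DROP
}

case "${1:-}" in
  apply) apply_gw_rules ;;
  show)  DRY_RUN=1 apply_gw_rules ;;
  *)     echo "usage: $0 show|apply   (show = dry run; apply needs root on the gw node)" >&2 ;;
esac
```

Run `sh gw-fw.sh show` first and compare the printed rules with `iptables -t nat -S` / `iptables -S` on the gateway; the order matters, because the `ESTABLISHED,RELATED` accept has to precede the web-to-user `DROP` or the web server's own HTTP replies would be discarded.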
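Before the PEM files from Part 5 are copied into `/etc/nginx/ssl` (step c) it is worth checking that they belong together: nginx only reports a key/certificate mismatch at `nginx -t` time, and a missing `subjectAltName` only shows up as a browser warning after the CA has already been trusted in Keychain Access. The function below is an added example written for this note, not part of the lab or of OpenSSL's own tooling; it assumes the `openssl` CLI is on the PATH, takes the CA certificate, the server certificate, the server key and the hostname the certificate must cover, and returns a distinct exit code for each kind of failure (chain, key/cert mismatch, SAN, expiry).

```shell
#!/bin/sh
# Added example (not the lab's own code): sanity-check CA cert, server cert and key
# before they are handed to nginx. Requires the openssl CLI (assumption).
#
# check_tls_material CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
#   returns 0  all checks passed
#           1  server cert does not chain to the CA
#           2  server key does not match the certificate's public key
#           3  HOSTNAME is not listed in subjectAltName (browsers ignore the CN)
#           4  certificate has expired
check_tls_material() {
  ca="$1"; cert="$2"; key="$3"; host="$4"

  # 1. The leaf must verify against the CA that will be installed in the keychain.
  #    The exit status is checked via the "OK" line so old openssl builds behave the same.
  if ! openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'; then
    echo "FAIL: $cert does not chain to $ca" >&2; return 1
  fi

  # 2. Compare the SubjectPublicKeyInfo inside the certificate with the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2; return 2
  fi

  # 3. Modern clients match the host against subjectAltName only, never against the CN.
  if ! openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
       | grep -Eq "DNS:$host(,|[[:space:]]|$)"; then
    echo "FAIL: subjectAltName of $cert does not contain DNS:$host" >&2; return 3
  fi

  # 4. -checkend 0 exits 0 only if the certificate has not expired yet.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: $cert has expired" >&2; return 4
  fi

  echo "OK: $cert chains to $ca, matches $key and covers $host"
  return 0
}

# build_fullchain SERVER_CERT CA_CERT OUT: nginx wants the leaf first, then its issuer(s),
# which is the order step c of Part 5 uses.
build_fullchain() {
  cat "$1" "$2" > "$3"
}

# Usage when run directly, e.g. from the lab's $HOME/ca directory:
#   sh check_tls.sh zooCA_cert.pem server_cert.pem server_key.pem localhost
if [ "$#" -eq 4 ]; then
  check_tls_material "$1" "$2" "$3" "$4"
fi
```

Run it against the files produced in Part 5 before `nginx -s reload`; a non-zero exit code tells you which of the four properties to fix, and the `build_fullchain` helper reproduces the `fullchain.pem` concatenation from step c in the right order.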