---
title: NA HW1
tags: NA2025
---

# NA HW1

:::info
my ID=67
:::

[toc]

## How to add sudo to user

1. `su -` to root
2. `visudo` (run as root, the `sudo` prefix is not needed; `visudo` checks the sudoers syntax before it saves, so a typo cannot lock you out)
3. add `dytsou ALL=(ALL:ALL) ALL` to the file
4. log in as `dytsou` and test that sudo works, e.g. `sudo -v`

## Packages to install in your environment

```bash!
# `&&` so the upgrade only starts after the package index was refreshed (a single `&` would background `apt update`)
sudo apt update && sudo apt upgrade -y
```

```bash!
sudo apt install -y \
  systemd \
  curl wget \
  gcc g++ make \
  vim \
  sudo \
  openssh-server \
  git \
  lsof
```

## How to set up WireGuard

```bash!
sudo cp wg0.conf /etc/wireguard/
# wg0.conf contains the private key: keep it mode 600 (wg-quick warns when the file is world-readable)
# `down` fails when the tunnel is not up yet, so do not chain it to `up` with &&
sudo wg-quick down wg0 2>/dev/null; sudo wg-quick up wg0
ping 10.113.67.254
sudo systemctl enable wg-quick@wg0
sudo systemctl status wg-quick@wg0
sudo wg show wg0        # peer should show a recent handshake
```

## How to test SSH

The Router VM's firewall may be blocking the SSH connection. Check the rules for port 22 (`grep 22` alone also matches packet and byte counters):

```bash!
sudo iptables -L -v -n --line-numbers | grep 'dpt:22'
```

If an `INPUT` rule blocks **port 22**, open it manually:

```bash!
# accept SSH arriving on the external interface
sudo iptables -A INPUT -i enp0s3 -p tcp --dport 22 -j ACCEPT
# NAT for the internal subnet leaving through enp0s3, plus the matching FORWARD rules
sudo iptables -t nat -A POSTROUTING -s 192.168.67.0/24 -o enp0s3 -j MASQUERADE
sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 192.168.67.0/24 -j ACCEPT
sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block by destination: drop SSH addressed to 10.113.67.11; `-I INPUT 1` puts it first so it is evaluated before the ACCEPT above
sudo iptables -I INPUT 1 -d 10.113.67.11 -p tcp --dport 22 -j DROP
# dump the running rules; note that nothing reloads this file on boot by itself
sudo iptables-save | sudo tee /etc/iptables.rules
```

The rules live only in the kernel; after a reboot they are gone. To make them persistent either install `iptables-persistent` (it restores `/etc/iptables/rules.v4` at boot) or run `sudo iptables-restore < /etc/iptables.rules` from a boot-time script.

If you use the `ufw` firewall instead:

```bash!
sudo ufw allow 22
sudo ufw reload
sudo ufw status numbered   # confirm the rule is listed
```

## Change the interface DHCP listens on

```bash!
sudo vim /etc/default/isc-dhcp-server
```

Find `INTERFACESv4=""` and change it to the name of your internal interface:

```ini!
INTERFACESv4="enp0s8"
```

Make sure `dhcpd.conf` is configured correctly:

```bash!
sudo vim /etc/dhcp/dhcpd.conf
```

```
subnet 192.168.{ID}.0 netmask 255.255.255.0 {
  range 192.168.{ID}.111 192.168.{ID}.222;                        # pool of addresses DHCP may hand out
  option routers 192.168.{ID}.254;                                # default gateway (the Router VM)
  option domain-name-servers 8.8.8.8, 140.113.1.1, 140.113.6.2;   # DNS servers (Google DNS plus two campus resolvers)
}

host agent {
  hardware ethernet {Agent MAC Address};   # MAC address of the Agent VM, replace this
  fixed-address 192.168.{ID}.234;          # fixed IP of the Agent VM; deliberately outside the dynamic range above
}
```

Save, check the syntax, then restart DHCP (a broken config makes the restart fail silently from the shell's point of view, so test it first):

```bash!
sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf
sudo systemctl restart isc-dhcp-server
```

## Test Router

Make sure IP forwarding is enabled:

```shell!
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
```

This setting does not survive a reboot. To make it permanent, put `net.ipv4.ip_forward=1` in a file under `/etc/sysctl.d/` (or in `/etc/sysctl.conf`) and run `sudo sysctl --system`.

## Configure NAT and Forwarding

- Check NAT:

```bash!
sudo iptables -t nat -L -v -n
```

- Add NAT rule:

```bash!
sudo iptables -t nat -A POSTROUTING -s 192.168.67.0/24 -o enp0s3 -j MASQUERADE
```

- Check `FORWARD`:

```bash!
sudo iptables -L FORWARD -v -n
```

- Add forwarding rules:

```bash!
sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 192.168.67.0/24 -j ACCEPT
sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

- Verify rules:

```bash!
sudo iptables -L INPUT -v -n
```

Expected result (`-n` prints protocols numerically: 6 = tcp, 1 = icmp, 0 = all):

```
pkts bytes target  prot opt in      out  source     destination
   0     0 DROP    6    --  *       *    0.0.0.0/0  10.113.67.11  tcp dpt:22
   0     0 ACCEPT  0    --  lo      *    0.0.0.0/0  0.0.0.0/0
  21  1384 ACCEPT  6    --  enp0s3  *    0.0.0.0/0  0.0.0.0/0     tcp dpt:22
   0     0 ACCEPT  1    --  wg0     *    0.0.0.0/0  0.0.0.0/0
```

- To remove a rule, first list the rule numbers:

```bash!
sudo iptables -L -v -n --line-numbers
```

Then delete the specific rule (numbers shift after every deletion, so delete from the highest number down or re-list in between):

```bash!
sudo iptables -D INPUT <line_number>
```

## Check ARP

```bash!
ip neigh show
```

- Expect a line like `192.168.67.234 dev enp0s8 lladdr 08:00:27:81:6a:8a REACHABLE` (the same entry printed by `arp -n` reads `192.168.67.234 ether 08:00:27:81:6a:8a C enp0s8`).
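The SSH and NAT sections above append rules one at a time, which duplicates rules whenever the commands are re-run and leaves the "is port 22 really open from this side?" question to a `grep`. The script below is an added example, not part of the original note: it builds the same Router VM ruleset as one `iptables-restore` file (loaded atomically, so re-running it is safe) and adds `ssh_verdict`, which walks `iptables -S INPUT` output and reports which rule a fresh TCP/22 connection to a given address on a given interface would hit. ID 67, `enp0s3`/`enp0s8`, `wg0` and the dropped destination 10.113.67.11 are the values from the note; the chain policies are kept at ACCEPT to match the note, and the `conntrack` rule in INPUT is my addition (harmless with policy ACCEPT, required once the policy is tightened).

```bash
#!/usr/bin/env bash
# Added example for the NA HW1 note (not the note's own commands).
# Assumptions: ID=67, external interface enp0s3, internal interface enp0s8,
# WireGuard interface wg0, SSH to 10.113.67.11 must be dropped.
set -eu

# gen_router_rules ID EXT_IF INT_IF DROP_SSH_DST -> iptables-restore file on stdout
gen_router_rules() {
  id="$1"; ext="$2"; int="$3"; drop_dst="$4"
  lan="192.168.${id}.0/24"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${lan} -o ${ext} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d ${drop_dst} -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${ext} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wg0 -p icmp -j ACCEPT
-A FORWARD -i ${int} -o ${ext} -s ${lan} -j ACCEPT
-A FORWARD -i ${ext} -o ${int} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_router_rules ID EXT_IF INT_IF DROP_SSH_DST: load the whole ruleset in one
# step, then persist it where iptables-persistent reloads it at boot.
apply_router_rules() {
  rules="$(gen_router_rules "$@")"
  printf '%s\n' "$rules" | sudo iptables-restore
  printf '%s\n' "$rules" | sudo tee /etc/iptables.rules >/dev/null
  sudo install -d /etc/iptables
  printf '%s\n' "$rules" | sudo tee /etc/iptables/rules.v4 >/dev/null
}

# ssh_verdict DST IFACE < `iptables -S INPUT` output -> target of the first rule a
# new TCP/22 packet to DST arriving on IFACE matches, or "policy <P>" if none does.
# Understands -p, --dport, -d, -i and --ctstate/--state; other matches are ignored.
ssh_verdict() {
  awk -v dst="$1" -v ifc="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
      m = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p" && $(i+1) != "tcp") m = 0
        if ($i == "--dport" && $(i+1) != "22") m = 0
        if ($i == "-d") { d = $(i+1); sub(/\/32$/, "", d); if (d != dst) m = 0 }
        if ($i == "-i" && $(i+1) != ifc) m = 0
        if (($i == "--ctstate" || $i == "--state") && $(i+1) !~ /NEW/) m = 0
        if ($i == "-j") target = $(i+1)
      }
      if (m && target != "") { print target; found = 1; exit }
    }
    END { if (!found) print "policy " policy }
  '
}

# Apply only when explicitly asked, so the file can also be sourced for the helpers.
if [ "${ROUTER_APPLY:-0}" = 1 ]; then
  apply_router_rules 67 enp0s3 enp0s8 10.113.67.11
  sudo iptables -S INPUT | ssh_verdict 10.113.67.11 wg0     # expected: DROP
  sudo iptables -S INPUT | ssh_verdict 10.113.67.254 enp0s3 # expected: ACCEPT
fi
```

Run `ROUTER_APPLY=1 bash router-rules.sh` on the Router VM, or `bash -c '. ./router-rules.sh; sudo iptables -S INPUT | ssh_verdict 10.113.67.11 wg0'` to only query the running rules. If you later change the INPUT policy to DROP, remember that the Router VM also serves DHCP on the internal interface (UDP port 67) and terminates WireGuard on its external one, and both need explicit ACCEPT rules.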
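The DHCP and ARP sections end with "expect this line", but nothing ties the `host agent` stanza to what the kernel actually learned. The script below is an added example, not part of the original note: it parses the `host` block and the `range` line out of `dhcpd.conf`, checks that the fixed address is not inside the dynamic pool (a lease from the pool could otherwise collide with it), looks the address up in `ip neigh show` output and compares the learned MAC with the configured one case-insensitively. The sample `dhcpd.conf` and neighbour-table lines are constructed for the demonstration using the note's values (ID 67, MAC 08:00:27:81:6a:8a).

```bash
#!/usr/bin/env bash
# Added example for the NA HW1 note (not the note's own commands).
set -eu

# dhcp_fixed_hosts < dhcpd.conf -> one "name mac ip" line per host {} block
dhcp_fixed_hosts() {
  awk '
    /^[ \t]*host[ \t]+/     { name = $2; mac = ""; ip = "" }
    /hardware[ \t]+ethernet/ { mac = tolower($3); sub(/;.*/, "", mac) }
    /fixed-address/          { ip = $2; sub(/;.*/, "", ip) }
    /}/ && name != ""        { if (mac != "" && ip != "") print name, mac, ip; name = "" }
  '
}

# dhcp_pool < dhcpd.conf -> "first last" of the dynamic range
dhcp_pool() {
  awk '/^[ \t]*range[ \t]/ { lo = $2; hi = $3; sub(/;.*/, "", hi); print lo, hi; exit }'
}

last_octet() { printf '%s\n' "$1" | awk -F. '{ print $4 }'; }

# in_pool IP FIRST LAST -> true when IP lies inside the dynamic range (same /24 assumed)
in_pool() {
  n=$(last_octet "$1"); lo=$(last_octet "$2"); hi=$(last_octet "$3")
  [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# neigh_mac IP < `ip neigh show` output -> lladdr learned for IP ("" if unknown/FAILED)
neigh_mac() {
  awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print tolower($(i+1)); exit } }'
}

# check_agent NAME CONF NEIGH_FILE -> OK / NO_HOST / IN_POOL / UNSEEN / MISMATCH; exit 0 only for OK
check_agent() {
  name="$1"; conf="$2"; neigh="$3"
  line=$(dhcp_fixed_hosts < "$conf" | awk -v n="$name" '$1 == n { print $2, $3 }')
  [ -n "$line" ] || { echo "NO_HOST $name"; return 1; }
  mac=${line%% *}; ip=${line##* }
  pool=$(dhcp_pool < "$conf")
  if in_pool "$ip" "${pool%% *}" "${pool##* }"; then echo "IN_POOL $ip"; return 1; fi
  seen=$(neigh_mac "$ip" < "$neigh")
  [ -n "$seen" ] || { echo "UNSEEN $ip"; return 1; }
  [ "$seen" = "$mac" ] || { echo "MISMATCH $ip expected $mac saw $seen"; return 1; }
  echo "OK $ip $mac"
}

# write_samples DIR: constructed inputs (dhcpd.conf, a good and a bad neighbour table)
write_samples() {
  cat > "$1/dhcpd.conf" <<'EOF'
subnet 192.168.67.0 netmask 255.255.255.0 {
  range 192.168.67.111 192.168.67.222;
  option routers 192.168.67.254;
  option domain-name-servers 8.8.8.8, 140.113.1.1, 140.113.6.2;
}

host agent {
  hardware ethernet 08:00:27:81:6A:8A;   # uppercase on purpose: comparison is case-insensitive
  fixed-address 192.168.67.234;
}
EOF
  cat > "$1/neigh.txt" <<'EOF'
192.168.67.234 dev enp0s8 lladdr 08:00:27:81:6a:8a REACHABLE
192.168.67.1 dev enp0s8 FAILED
10.0.2.2 dev enp0s3 lladdr 52:54:00:12:35:02 STALE
EOF
  cat > "$1/neigh_bad.txt" <<'EOF'
192.168.67.234 dev enp0s8 lladdr 08:00:27:aa:bb:cc STALE
EOF
}

# On the real Router VM: ip neigh show > /tmp/neigh.txt; check_agent agent /etc/dhcp/dhcpd.conf /tmp/neigh.txt
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); write_samples "$d"
  check_agent agent "$d/dhcpd.conf" "$d/neigh.txt"        # OK ...
  check_agent agent "$d/dhcpd.conf" "$d/neigh_bad.txt" || true   # MISMATCH ...
fi
```

A `MISMATCH` after the Agent VM was re-created usually means the MAC in `dhcpd.conf` is stale; `UNSEEN` most often means the agent never talked to the router (wrong `INTERFACESv4`, or the DHCP server was not restarted).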