NYCU NA 2022 HW1

計算機網路管理 Computer Network Administration

Spec

VMs on PVE

Check Point

Router

Configs

# Baseline host setup: local timezone, admin/diagnostic tooling, personal dotfiles.
timedatectl set-timezone Asia/Taipei

# Tools used throughout the homework (editor, multiplexer, traffic/bandwidth inspection).
pkgs=(vim tmux htop tcpdump nload net-tools mtr)
apt install -y "${pkgs[@]}"

# Dotfiles pulled straight from the author's repositories (git.io is a redirector);
# the fetched files are shell/vim config, so review them before relying on them.
wget git.io/nella17-tmux-conf -O ~/.tmux.conf
wget https://github.com/nella17/dotfiles/raw/main/.vimrc.simple -O ~/.vimrc

Interface

  • eth0: External

  • eth1: Intranet 172.16.<ID>.254/24

    • Netplan https://ubuntu.com/blog/ubuntu-bionic-netplan

    • /etc/netplan/99-intranet.yaml

      
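      # Netplan config for the intranet-facing NIC.
      # `version` and `ethernets` must be nested under `network`; netplan rejects
      # them as top-level keys.
      network:
        version: 2
        ethernets:
          eth1:
            # Router address on the intranet; <ID> is the per-student subnet id.
            addresses:
              - "172.16.<ID>.254/24"
            # Pin the name to the NIC's hardware address so it stays eth1 across reboots.
            match:
              macaddress: MAC   # placeholder: the NIC's MAC address
            set-name: eth1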
      
    • Run `netplan apply` to apply the config.

  • eth2: VPN

      
      # WireGuard VPN on eth2, managed through the wg-quick systemd unit.
      apt install -y wireguard
      # Write the tunnel config to /etc/wireguard/wg0.conf. It holds the tunnel's
      # private key, so keep the file readable by root only.
      unit=wg-quick@wg0
      # Enable at boot, then bring the tunnel up now (same effect as `wg-quick up wg0`).
      systemctl enable "$unit"
      systemctl start "$unit"
      

DHCP

# DHCP server for the intranet; the scope lives in /etc/dhcp/dhcpd.conf (below).
svc=isc-dhcp-server
apt install -y "$svc"
# Restart so edited config is picked up.
service "$svc" restart
# Inspect the service log (lease activity, config parse errors).
journalctl -u "$svc"

Options

  • Interface: eth1
  • Subnet: 172.16.<ID>.0
  • netmask: 255.255.255.0
  • Pool: 172.16.<ID>.111 ~ 172.16.<ID>.222

/etc/default/isc-dhcp-server

INTERFACESv4="eth1"

/etc/dhcp/dhcpd.conf

# Intranet scope served on eth1; <ID> is the per-student subnet id.
subnet 172.16.<ID>.0 netmask 255.255.255.0 {
    # This server owns the subnet and may NAK clients holding stale leases.
    authoritative;

    # Dynamic pool as required by the spec (.111 - .222).
    # NOTE(review): the agent's fixed-address .123 lies inside this range; dhcpd does
    # not carve fixed addresses out of a dynamic pool, so a conflict is possible -- confirm.
    range 172.16.<ID>.111 172.16.<ID>.222;

    # Lease lifetimes in seconds: one day by default, one week at most.
    default-lease-time 86400;
    max-lease-time 604800;

    # Gateway (the router's eth1 address) and broadcast handed to clients.
    option routers 172.16.<ID>.254;
    option broadcast-address 172.16.<ID>.255;

    # Public resolvers; no local domain name is pushed.
    # option domain-name "";
    option domain-name-servers 1.1.1.1, 8.8.8.8;
}

iptables

NAT

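# Enable routing plus source NAT for the intranet behind eth0.
# Edit /etc/sysctl.conf and set (uncomment) these keys:
#   net.ipv4.conf.default.rp_filter=1   # reverse-path filtering: drop spoofed sources
#   net.ipv4.conf.all.rp_filter=1
#   net.ipv4.ip_forward=1               # let the kernel forward between interfaces
vi /etc/sysctl.conf
# /etc/sysctl.conf is only read at boot; load it now so forwarding works without a reboot.
sysctl -p
# Masquerade intranet traffic leaving through the external interface.
iptables -t nat -A POSTROUTING -s 172.16.<ID>.0/24 -o eth0 -j MASQUERADE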

Firewall

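# Router firewall. The ACCEPT rules are installed BEFORE each chain's policy is flipped
# to DROP: with the policy set first, a session on the router (e.g. SSH via eth0) is
# cut off as soon as the policy applies, before the ESTABLISHED rule can be entered.

# input chain
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT    # intranet hosts may reach the router itself
# Everything else aimed at the router (including new connections on eth0) is dropped.
iptables -P INPUT DROP

# forward chain
# Intranet hosts must not reach private (RFC 1918) ranges via the external link.
iptables -A FORWARD -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -o eth0 -j DROP
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT  # intranet may initiate outbound connections
# Inbound SSH is allowed only towards the agent (presumably paired with a DNAT rule
# that is not shown here).
iptables -A FORWARD -d 172.16.<ID>.123 -p tcp --dport 22  -j ACCEPT
iptables -P FORWARD DROP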

Persistent

# Persist the ruleset across reboots.
apt install -y iptables-persistent
# Alternative: `netfilter-persistent save` writes the same file.
# Helper that clears the packet/byte counters and dumps every table to the file
# iptables-persistent restores at boot (/etc/iptables/rules.v4).
# The delimiter is quoted so nothing in the script body is expanded here.
cat > ./save.sh <<'EOF'
#!/bin/bash
# Zero the counters in each table so the snapshot starts clean.
for table in filter nat mangle; do
  iptables -t "$table" -Z
done
iptables-save > /etc/iptables/rules.v4
EOF
chmod +x save.sh
./save.sh

Record

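#!/bin/bash
# Capture all traffic on every interface into logs/<name>.pcap while printing a
# verbose decode to the terminal. The operator's own SSH session is excluded so the
# terminal output does not feed back into the capture.
#
# Arguments: $1 - base name of the capture file (written as logs/$1.pcap)
set -o pipefail

# Reject a missing or empty name (the original only rejected a missing one).
f=${1:?"need file name"}

# SSH_CLIENT is "<client-ip> <client-port> <server-port>" as set by sshd; keep the
# first field. No subshell/awk needed.
IP=${SSH_CLIENT%% *}

# Build the filter as an array so that, when not running under SSH, no argument at all
# is passed: an empty host in "not (host  and port 22)" is an invalid pcap-filter.
filter=()
if [[ -n "$IP" ]]; then
  filter=("not (host $IP and port 22)")
fi

mkdir -p logs
tcpdump -n -w - -i any "${filter[@]}" | tee -- "logs/$f.pcap" | tcpdump -vv -r -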
  • -w: write raw packets to a file (here `-`, i.e. stdout, so they can be piped into tee)
  • -r: read packets from a file (here `-`, i.e. stdin)
  • expression syntax: pcap-filter(7)

Agent

Install OVA on PVE

# An OVA is a tar archive; unpacking yields the OVF descriptor and the disk image.
$ tar xvf 'NASA - Agent.ova'
NASA - Agent.ovf
NASA - Agent-disk001.vmdk
# Create an empty VM on the chosen bridge (<vmid> and <vmbr> are placeholders).
$ qm create <vmid> --memory 512 --net0 virtio,bridge=<vmbr>
# Import the VMDK into local-lvm; the volume appears as vm-<vmid>-disk-0.
$ qm importdisk <vmid> 'NASA - Agent-disk001.vmdk' local-lvm
# Attach the imported volume as virtio0 and make it the boot disk.
$ qm set <vmid> --virtio0 local-lvm:vm-<vmid>-disk-0
$ qm set <vmid> --boot c --bootdisk virtio0
# NOTE(review): the appliance is an opaque third-party image placed on the intranet;
# the router firewall above exposes only SSH to it, which keeps that exposure bounded.
$ qm start <vmid>

Set static DHCP

/etc/dhcp/dhcpd.conf

# DHCP reservation for the agent VM: always hand .123 to this MAC so the router's
# SSH forward rule (which targets 172.16.<ID>.123) keeps pointing at the agent.
host agent {
    hardware ethernet <MAC>;   # the agent's NIC address (placeholder)
    # A reservation keys on the MAC only; it is not authentication -- any host
    # presenting this MAC receives the address.
    fixed-address 172.16.<ID>.123;
}

Question

1. iptables rules could not be loaded via crontab

cron 執行環境的 PATH 不含 /usr/sbin，需要指定完整路徑 /usr/sbin/iptables-restore。

2. 在沒有 route 時，指定 interface 無法 ping 成功

指定 interface 時，目標似乎被視為 on-link（直接以 ARP 尋找），因此需要先設定相關的 route 才能 ping 成功。
