Sometimes when I learn something new in the world of technology, I am amazed that something I assumed was technically advanced is actually quite simple.
Such is the case with configuring DHCP on a Cisco router. I mean, is it just me, or do network guys sometimes act as if everything they do takes elite technical skills and tons of experience? Don't get me wrong, I know that networking is not exactly easy. But can we just agree to admit that once in a while some things are easier done than said? Anyway, for me this was the case with configuring a DHCP pool on a Cisco router.
In this instance I was working on getting a new virtual machine up and running on my ESXi host. This particular appliance needed to boot via DHCP so you could access its web interface. So I jumped on my 2621xm and created the pool.
First we enable the dhcp service
Then we create a pool
r-2621-1(config)#ip dhcp pool LabPool
r-2621-1(dhcp-config)#network 10.2.0.1 255.255.255.0
Next we set a few bits and bobbles so that clients can route.
r-2621-1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
10.2.0.101      0050.569a.7dbe          Oct 16 2013 11:21 PM    Automatic
This handy command shows me information pertaining to my pool:
r-2621-1#show ip dhcp pool
Pool LabPool :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range               Leased addresses
10.2.0.102           10.2.0.1 - 10.2.0.254          1
r-2621-1#show ip dhcp conflict
In the world of Linux there are numerous ways to configure a server to allow or deny access to a service, and while many people like to rely solely on Iptables, I wanted to take the opportunity to get my feet wet with TCP Wrappers. Note that this post is not meant to be the be-all and end-all post on TCP Wrappers. I am not going to review each and every configuration option, and trust me, there are quite a few. Rather, this is going to be a simple post which explains how to use TCP Wrappers.
First off, you need to know that there are two configuration files for TCP Wrappers: /etc/hosts.allow and /etc/hosts.deny.
To determine if a remote host is allowed to access a local service, the hosts.allow file is referenced first, then hosts.deny. Each file is read from the top down, and the search stops at the first matching rule.
Rules in hosts.allow take precedence over rules in hosts.deny. Access will be granted for rules in /etc/hosts.allow and denied for rules in /etc/hosts.deny (note that this is not always the case, however this is how most people use TCP Wrappers).
Below is a very simple and basic rule for sshd. In this example we want to allow all hosts in the domain fatmin.com to have access to sshd, and we want to deny sshd access to everyone else.
So in the /etc/hosts.allow
sshd : *.fatmin.com
and in /etc/hosts.deny
Creating Rule Matching Patterns
OK, so what I have shown you above is a very simple example using a very simple matching rule. However, there are actually quite a few ways to format a rule, so let's review a few of the more common ones that you might see.
Match by hostname – all hosts in the domain fatmin.com are matched; vsftpd is the specified service.
Match by IP address – all hosts in 192.168.x.x are matched; vsftpd is the specified service.
Match by IP/subnet – all hosts in 192.168.0.0/24 are matched; vsftpd is the specified service.
Match all – all services and hosts are matched.
ALL : ALL
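As an added example (not from the original post), here is a small Python model of how tcpd evaluates these two files: hosts.allow first, then hosts.deny, each top-down, first match wins, and no match in either file grants access. The sample hosts.allow and hosts.deny contents are constructed from the sshd and vsftpd patterns above; the function names (parse, client_matches, access) are my own, and only the ALL, domain-suffix, network-prefix, net/mask and CIDR patterns shown on this page are supported.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents built from the sshd and vsftpd
# patterns in the post (not copied from any real system).
HOSTS_ALLOW = """
sshd : *.fatmin.com
vsftpd : 192.168.0.0/24
"""
HOSTS_DENY = """
sshd : ALL
vsftpd : 192.168.
ALL : ALL
"""

def parse(text):
    """Return [(daemon_list, client_list), ...] from 'daemons : clients' lines; '#' starts a comment."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, host, ip):
    """One client pattern against the connecting host's name and address, per hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern.startswith((".", "*.")):       # domain suffix: .fatmin.com or *.fatmin.com
        return host.endswith(pattern.lstrip("*"))
    if pattern.endswith("."):                 # network prefix: 192.168.
        return ip.startswith(pattern)
    if "/" in pattern:                        # net/mask (192.168.0.0/255.255.255.0) or CIDR (/24)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, ip)              # exact hostname or address

def access(daemon, host, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny, each top-down; the first rule whose
    daemon list and client list both match decides. No match in either file grants access."""
    for rules, granted in ((parse(allow), True), (parse(deny), False)):
        for daemons, clients in rules:
            if daemon in daemons or "ALL" in daemons:
                if any(client_matches(p, host, ip) for p in clients):
                    return granted
    return True
```

Note the last line: with an empty hosts.deny, anything not explicitly listed is let through, which is why the catch-all deny matters.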
What Services Use TCP Wrappers
Initially TCP Wrappers only "wrapped" services that were configured as part of inetd or xinetd, but over time more and more daemons have been built to use libwrap.so. The example below shows how to see if a daemon uses libwrap, and can therefore be allowed or blocked via TCP Wrappers.
Below we are locating the sshd binary and checking whether it links against libwrap, which it does.
Your mother and I were talking last night about how important it is to properly configure Iptables, and how despite that fact, many just choose to disable it. So today we are going to discuss iptables.
By far the easiest way to set up a simple firewall using Iptables is to use system-config-firewall or system-config-firewall-tui. I prefer this method as iptables can be a bit confusing on the command line, and its config file (/etc/sysconfig/iptables) is not exactly user friendly. At the very least you can create a basic set of rules and then customize them by hand. Let's take a look at the file in its default form on my RHEL 6 box.
But before we do that, let's review a couple of terms that we need to know.
INPUT – inbound packets
OUTPUT – outbound packets
FORWARD – packets from another machine that the firewall should forward (like to a VM on the host)
ACCEPT – the packet is accepted
DROP – the packet is dropped as if it never existed
REJECT – the packet is rejected and an error message is returned to the sender
RULE – the basic building block; tells the firewall what to do with a packet
CHAIN – a list of rules which will be checked in order from first to last
POLICY – the default action, like accept, drop, reject, forward
Now that you have memorized the list above, here is my /etc/sysconfig/iptables.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Now let's run system-config-firewall-tui and enable Apache and FTP, plus we want to configure our box to respond to ICMP ping requests. This process is pretty self-explanatory once you start.
Once that is done, let's view /etc/sysconfig/iptables again.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The iptables command can be used in several different ways.
List the current rules in use, similar to viewing the /etc/sysconfig/iptables file
To set a default policy use iptables -P; in the example below we are setting the default INPUT policy to DROP.
#iptables -P INPUT DROP
Now let's say we want to delete all our existing rules. Note that I did not say policy.
To add a rule use iptables -A. For example, let's say you have a default policy of INPUT DROP but we want to accept all established and related packets. Note that -m must be used when adding rules to a chain as it forces modprobe to load any necessary modules.
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Now let's say that we want to reject all packets from 192.168.10.10. Note that -j specifies the action the rule is to take (in the case below, REJECT).
#iptables -A INPUT -s 192.168.10.10 -j REJECT
Now let's say we want to ACCEPT all ICMP traffic from our local subnet. The -p option specifies the protocol.
#iptables -A INPUT -p ICMP -s 192.168.1.0/24 -j ACCEPT
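Because a chain is walked from first rule to last, where a rule lands matters as much as what it says. The Python below is an added simulation (not from the post and not part of iptables) that parses a constructed /etc/sysconfig/iptables fragment modelled on the file above, including a source REJECT appended at the end the way iptables -A does, and returns the first matching rule's target or the chain policy. The function names are my own, and only the -p, -s, -i, --dport, --icmp-type and --state options used on this page are understood.

```python
import ipaddress
import shlex

# Constructed sample in /etc/sysconfig/iptables syntax, modelled on the post's files:
# the echo-request REJECT sits above "-p icmp -j ACCEPT", and a source REJECT is appended last.
SAMPLE_RULES = """
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.10.10 -j REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from ':CHAIN POLICY' and '-A CHAIN ...' lines."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A"):
            argv = shlex.split(line)
            # Options used here all come as "-x value" pairs; "-m" only names a match module.
            pairs = zip(argv[2::2], argv[3::2])
            chains[argv[1]].append({opt.lstrip("-"): val for opt, val in pairs if opt != "-m"})
    return policies, chains

def rule_matches(rule, pkt):
    """Every match option present on the rule must hold for the packet; -j and --reject-with are not tests."""
    checks = {
        "p": lambda v: pkt.get("proto") == v,
        "i": lambda v: pkt.get("iface") == v,
        "s": lambda v: ipaddress.ip_address(pkt.get("src", "0.0.0.0")) in ipaddress.ip_network(v, strict=False),
        "dport": lambda v: pkt.get("dport") == int(v),
        "icmp-type": lambda v: pkt.get("icmp_type") == v,
        "state": lambda v: pkt.get("state") in v.split(","),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def verdict(text, chain, pkt):
    """Walk the chain top down: the first matching rule's target wins, else the chain policy applies."""
    policies, chains = parse_rules(text)
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["j"]
    return policies[chain]
```

Run it against a new connection from 192.168.10.10 to port 80 and the verdict is still ACCEPT, because the port 80 rule precedes the appended source REJECT; iptables -I (insert at the top) or a rule order review is what actually blocks that host.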
Please note that under RHEL you can use the following commands to save firewall rules. Make sure that you do this before you restart iptables.