
Data Networking/Fall 2015/DIAO

From Wikiversity

Group Members

  • Yue Ye
  • Han Zhan
  • Yu Du
  • Lyu Min

Motivation


Our team aimed to build a robust, secure, dynamic and sufficiently intelligent network for a startup company. We worked with the limited resources at hand to provide the basic and extended functions of a company network: DHCP, DNS, web server/firewall, backup and VPN, NIS, NFS, NTP and a mail server. The DHCP server should lease IP addresses to clients; a client should be able to reach the web page hosted by the web server after resolving its IP address through DNS, and the firewall should later be able to block that client; the client must also be able to receive backup files from the backup server.

Understanding the protocol


DHCP stands for Dynamic Host Configuration Protocol. We configure a VMware virtual machine as the DHCP server, which is responsible for distributing both IPv4 and IPv6 addresses to the company's other devices. It can be regarded as a plug-and-play protocol: when a client joins or leaves the network, the DHCP server dynamically allocates or withdraws an IP address and updates its pool of available addresses. DHCP has four essential steps:

  1. DHCP server discovery
  2. DHCP server offer
  3. DHCP request
  4. DHCP ACK

Receipt of the DHCP ACK at the client marks the completion of the DHCP exchange. A client can also renew its lease on a specified IP address if it wants to.

DNS is the short form of Domain Name Service. It is like a distributed database of domain names and IP addresses. It makes accessing the Internet more convenient, because users need not remember the IP addresses that machines use. From a host name, a user obtains the corresponding IP address of that host; this process is called domain name resolution.

The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems.[1] HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. HTTP is the protocol to exchange or transfer hypertext.

Rsync

Rsync is an effective tool for backing up files. The rsync algorithm compares the properties of files on two devices and synchronizes only the files that have been modified. During the transfer the data is compressed to reduce the load on the network.

Secure Shell, or SSH, is a cryptographic (encrypted) network protocol that allows remote login and other network services to operate securely over an unsecured network. SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

A VPN establishes a private network on top of the public network and is widely used in enterprise networks. The VPN gateway provides remote access by encrypting data packets and rewriting their destination addresses.

NIS is the abbreviation of "Network Information Service", originally called Yellow Pages or YP. NIS is a client–server directory service protocol that distributes configuration data to the different devices in a network. Sun Microsystems developed and licensed NIS; the technology has been licensed to almost all Unix and Linux systems.

NFS is the abbreviation for Network File System, an RPC service that lets us share files among different systems. A client simply uses the mount command to attach a directory exported by the NFS server to its own file system.

  1. First, configure /etc/exports and add a line at the end of the file:

/home/duyu/bak *(rw,sync)

  2. Second, restart the service:

sudo /etc/init.d/nfs-kernel-server restart

  3. Third, on a device in the same network, mount the directory exported by the NFS server with the command:

mount -t nfs -o nolock 192.168.4.171:/home/duyu/bak /home/server/Documents/test

  4. The directory named "bak" on the NFS server is now mounted at /home/server/Documents/test on the NFS client.

Requirements


Our task is to configure all of the following functions and integrate them so that they work together on the same network.

Build a DNS implementation for a start-up company in the city of Boston: install BIND9 as the DNS server, then create 5 DNS records for clients and servers, resolving both IPv4 and IPv6 addresses. We assign a set of IP addresses that must be used for this project.

  • Create any 5 DNS records
  • Use IPv4 and IPv6 addresses in your implementation of records
  • Create reverse domains in in-addr.arpa and ipv6.arpa for the addresses you have been allocated
  • Configure a Master DNS server as well as a Slave DNS server, the Slave DNS should automatically update with Master DNS server.
  • Test plan and implementation with examples

DHCP:


Using isc-dhcp-server, the server should assign an IP address with a particular expiry time to each new client from the address pool, excluding some reserved addresses. PXE boot and RARP are to be implemented in addition.

Web Server & Firewall:


Practically implement a web server on a Linux machine, and use the simplest means to protect the network from attacks coming from external networks. By combining Apache2, MySQL 5 and PHP 5 we establish a simple web server whose pages are accessible from a web browser to clients on the same network. We aim to keep the server as secure as possible using only the command line and the stock packages. In particular, the server is able to filter by IP address, protocol and so on.
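As an added example (not the project's own configuration), the following shell script expresses the "filter by IP address and protocol" requirement as ufw rules, the front end this page also uses for the VPN's NAT setup: web and SSH access are allowed only from the company subnet and everything else inbound is denied. The SSH rule, the LAN value and the helper names are assumptions; fw_plan prints the rules for review before anything is applied, and expected_access predicts what the firewall test in the Testing section should observe for a given client address.

```bash
#!/bin/sh
# web_firewall.sh: allow the web server's ports only from the company LAN, using ufw (the
# firewall front end the VPN section of this page also uses). Added example, not the
# project's own configuration; the SSH rule and the LAN value are assumptions.
LAN=${LAN:-192.168.4.0/24}

# fw_plan SUBNET : print the ufw commands one per line so they can be reviewed before applying.
# Anything not matched by an allow rule falls through to "default deny incoming".
fw_plan() {
  lan=$1
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan to any port 80 proto tcp
ufw allow from $lan to any port 22 proto tcp
ufw --force enable
EOF
}

# fw_apply SUBNET : run the plan (needs root); each command is echoed before it runs
fw_apply() {
  fw_plan "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd || return 1
  done
}

# in_subnet24 IP SUBNET : true if IP lies inside SUBNET, which must be a /24
# (enough for this network; it mirrors what the allow rules above match on)
in_subnet24() {
  case $2 in */24) ;; *) echo "in_subnet24: only /24 supported" >&2; return 2 ;; esac
  [ "${1%.*}" = "${2%.*}" ]
}

# expected_access IP PORT : what the Testing section should observe for a client at IP
# trying to reach PORT on the web server: prints "allow" or "deny" according to the plan
expected_access() {
  if in_subnet24 "$1" "$LAN" && { [ "$2" = 80 ] || [ "$2" = 22 ]; }; then
    echo allow
  else
    echo deny
  fi
}

if [ "${1:-}" = apply ]; then
  fw_apply "$LAN"
fi
```

Run `sh web_firewall.sh` to see the plan and `sudo sh web_firewall.sh apply` to install it; a client with a static address in another subnet (the firewall test described later) then gets "deny" from expected_access and no connection from the real firewall.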

Backup:


Using rsync as the backup server, files and configuration can be backed up periodically.

Add-ons


Configure VPN, NIS, NFS, NTP and a mail server to enrich the company's function modules.

Steps

DHCP Server

DHCP stands for Dynamic Host Configuration Protocol. We configure a VMware virtual machine as the DHCP server, responsible for distributing both IPv4 and IPv6 addresses to the company's other devices.

  • Part I. IPv4

First, install isc-dhcp-server with the command:

sudo apt-get install isc-dhcp-server

Second, modify the IPv4 address configuration in the dhcpd.conf file:

vi /etc/dhcp/dhcpd.conf

We assume the company's IP subnet is 192.168.4.0/24 and define two address pools for future use: 192.168.4.4 ~ 192.168.4.169 and 192.168.4.180 ~ 192.168.4.254. The DHCP server itself uses the static IP address 192.168.4.1.

We then use the MAC addresses of the other servers to assign fixed IP addresses to them. The master DNS server's fixed IP is 192.168.4.172 and the slave DNS server's fixed IP is 192.168.4.173; because the backup server runs on the same computer as the slave DNS, only one IP address is needed for those two services. The web server's fixed IP is 192.168.4.171.

default-lease-time 600 means the default IP lease time is 600 seconds; max-lease-time 7200 means the maximum lease time is 7200 seconds.

After the configuration, restart isc-dhcp-server to apply the change:

sudo /etc/init.d/isc-dhcp-server restart

Then assign a static IP address to the network card eth0:

ifconfig eth0 192.168.4.171 netmask 255.255.255.0

  • Part II. IPv6

First, install radvd on the Ubuntu system:

sudo apt-get install radvd

Second, configure /etc/radvd.conf:

vi /etc/radvd.conf

This advertises the prefix fec0:1111:2222:3333::/64 so that the other clients obtain IPv6 addresses within it.

Third, enable IPv6 forwarding in /etc/sysctl.conf by removing the # in front of the forwarding line, then apply the change.
  • The problem I met:

The Macbooks we use don’t have the interface for network cable, so we set up wifi to guarantee all the devices are in the same network.
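The dhcpd.conf the text describes is not shown on the page; the following script is an added example (not the project's file) that renders it from the values above (the two pools, the fixed addresses for the master DNS, slave DNS and web server, the 600/7200-second lease times) and hands clients both DNS servers, as the DNS section later requires. The MAC addresses are placeholders, and the helper names are assumptions; the check that no fixed address falls inside a dynamic pool catches the mistake that would let dhcpd lease a server's address to an ordinary client.

```bash
#!/bin/sh
# dhcp_config.sh: render the dhcpd.conf described above (two pools, fixed addresses for the
# servers, 600/7200 s lease times, both DNS servers handed to clients) and sanity-check it.
# Added example, not the project's file; the MAC addresses are placeholders.
write_dhcpd_conf() {
  out=${1:-/etc/dhcp/dhcpd.conf}
  cat > "$out" <<'EOF'
# /etc/dhcp/dhcpd.conf for the 192.168.4.0/24 company network
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.4.0 netmask 255.255.255.0 {
  option routers 192.168.4.1;
  option subnet-mask 255.255.255.0;
  # list both resolvers so clients keep resolving when the master DNS is down
  option domain-name-servers 192.168.4.172, 192.168.4.173;
  # .170 to .179 is left out of the pools for the servers' static assignments
  range 192.168.4.4 192.168.4.169;
  range 192.168.4.180 192.168.4.254;
}

# placeholder MAC addresses: replace with the real interface addresses
host dns-master { hardware ethernet 00:11:22:33:44:01; fixed-address 192.168.4.172; }
host dns-slave  { hardware ethernet 00:11:22:33:44:02; fixed-address 192.168.4.173; }
host web        { hardware ethernet 00:11:22:33:44:03; fixed-address 192.168.4.171; }
EOF
}

# octet IP : last octet (all addresses here are in one /24, so it identifies the host)
octet() { echo "${1##*.}"; }

# in_pool IP LOW HIGH : true if IP lies within the dynamic range LOW..HIGH
in_pool() {
  o=$(octet "$1")
  [ "$o" -ge "$(octet "$2")" ] && [ "$o" -le "$(octet "$3")" ]
}

# fixed_outside_pools FILE : fail if any fixed-address in FILE collides with a range
fixed_outside_pools() {
  conf=$1
  ranges=$(sed -n 's/^[[:space:]]*range \([0-9.]*\) \([0-9.]*\);.*/\1 \2/p' "$conf")
  fixed=$(sed -n 's/.*fixed-address \([0-9.]*\);.*/\1/p' "$conf")
  for ip in $fixed; do
    echo "$ranges" | while read -r lo hi; do
      [ -n "$lo" ] || continue
      if in_pool "$ip" "$lo" "$hi"; then
        echo "fixed address $ip collides with pool $lo-$hi" >&2
        exit 1          # leaves the subshell loop with status 1
      fi
    done || return 1
  done
}

# check_conf FILE : run the collision check, then let dhcpd parse the file when it is
# installed (-t tests the configuration only, -cf names the file)
check_conf() {
  fixed_outside_pools "$1" || return 1
  if command -v dhcpd >/dev/null 2>&1; then dhcpd -t -cf "$1"; fi
}
```

Typical use is `write_dhcpd_conf /tmp/dhcpd.conf && check_conf /tmp/dhcpd.conf` before copying the file into place and restarting isc-dhcp-server, so a pool overlap or syntax error never reaches the running service.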

DNS Server

Installation command:

sudo apt-get install bind9

This installs DNS on the local machine using Ubuntu and the BIND9 package.

Configuration commands:

Master DNS

The DNS configuration files are usually stored in the /etc/bind directory. Use the command vim /etc/bind/named.conf.local to edit named.conf.local, and create the zones with stanzas like the one below:

zone "www.diaobi.com" {
    type master;
    file "/etc/bind/db.www.diaobi.com";
    allow-transfer { 192.168.4.173; };
    also-notify { 192.168.4.173; };
};

www.diaobi.com is the domain name of our website and 192.168.1.173 is the IP address of the slave server. To let the slave DNS server fetch the zone files from the master, we must declare the type as master and give the master server authority to send the files.

To create the IPv4 reverse zone in named.conf.local, we add:

zone "4.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.4.173; };
    also-notify { 192.168.4.173; };
};

Then create 4 more records for the base domain: www.diaobi1.com, www.diaoib2.com, www.diaobi3.com and www.diaobi4.com; the stanzas are the same as the one for www.diaobi.com.

To create the IPv6 reverse zone in named.conf.local, we add:

zone "c.c.c.c.b.b.b.b.a.a.a.a.0.c.e.f.ip6.arpa" {
    type master;
    file "/etc/bind/db.ipv6";
    allow-transfer { 192.168.4.173; };
    also-notify { 192.168.4.173; };
};

Create the new zone file /etc/bind/db.www.diaobi1.com; 192.168.4.174 is the IP address of the web server. Create the new zone file /etc/bind/db.192. The other files, such as /etc/bind/db.www.diaobi2.com and /etc/bind/db.ipv6, are created in the same way.

When editing /etc/bind/db.ipv6 for the IPv6 reverse zone, use the format:

X.X.X.X.Y.Y.Y.Y.Z.Z.Z.Z.M.M.M.M IN PTR www.diaobi.com

Slave DNS

Use the command vim /etc/bind/named.conf.local to edit named.conf.local and create the zones with stanzas like:

zone "www.diaobi.com" {
    type slave;
    file "/etc/bind/db.www.diaobi.com";
    masters { 192.168.4.172; };
};

192.168.1.172 is the IP address of the master server. For the slave DNS server to fetch the files from the master, it must know the address of the master server. The IPv4 reverse zone is declared in the same way:

zone "4.168.192.in-addr.arpa" {
    type slave;
    file "/etc/bind/db.192";
    masters { 192.168.4.172; };
};

The other zones (www.diaobi1.com, www.diaoib2.com, www.diaobi3.com, www.diaobi4.com and db.ipv6) are declared the same way. Since this is the slave server, it does not need the contents of the db.X files: if the connection succeeds, the master server sends these files to the slave. When the master DNS is shut down, the slave DNS server keeps working as usual. Remember that after finishing the configuration of the slave server we must declare both DNS servers in DHCP; otherwise the slave DNS server cannot serve clients when the master DNS server stops working.

WEB Server

We use Ubuntu 12.04 to build our web server. The MySQL + PHP + Apache approach is the most widely used way to set up a web server. The process is as follows:

  1. Switch to root to run the commands:

sudo su

  2. Install MySQL 5:

apt-get install mysql-server mysql-client

You will be asked to enter and repeat a new password for the MySQL root user.

  3. Install Apache2:

apt-get install apache2

Open http://localhost in a browser and you can see the Apache2 test page.

  4. Restart Apache2:

ifconfig
sudo /etc/init.d/apache2 restart

  5. Modify the home page:

cd /var/www
ls
sudo nano /var/www/html/index.html

Backup Server

In Ubuntu, most configuration files are stored in /etc/ and log files in /var/log/. That means we can restore the servers if we keep backups of those two directories; on the web server one more directory, /var/www, is needed. The overall process is to first compress the files in those directories and then send them to the backup server. We use crontab to run the whole process automatically. The process in detail is as follows:

  1. SSH login without a password

Make sure openssh-server is installed on the backup server. If not, execute:

sudo apt-get install openssh-server

a. Log on to the clients as root and generate a pair of authentication keys:

ssh-keygen

Press Enter until the picture of the key is shown.

b. Install the key on the backup server:

ssh-copy-id username@<server IP>

c. Log on to the backup server for the first time. The password is needed only for this first login; afterwards the clients can log in to the server without a password.

  2. Configuration of rsync

a. Install xinetd:

sudo apt-get install xinetd

b. Configure xinetd: create /etc/xinetd.d/rsync so that xinetd starts rsync.

c. Configure the rsync service. The configuration file for rsync is /etc/rsyncd.conf. In that file we set up three modules for the other three virtual PCs used in the project and name them DHCP, DNS and WEB, then state their IP addresses and the directories for backup. The relevant options are:

hosts allow = ...      # the IP addresses allowed to use the module
auth users = ...       # the users allowed to use the module
read only = no         # allow the clients to send files to the server
secrets file = ...     # where the username:password pairs are stored on the server
use chroot = no        # whether rsync chroots into the module directory (needs root)

d. Create the secrets file on the server, in the location given in rsyncd.conf, and write username:password pairs in it.

  3. Script: create a script that compresses the files and uses rsync to send them to the backup server.

  4. Run the script automatically: we use crontab to run the script automatically and save its output in a text file:

0 0 * * * '/home/duyu/bak/DHCP with rsync.sh' > '/home/duyu/bak/record.txt' 2>&1
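Step 3 mentions the script without showing it. The following backup.sh is an added example, not the project's script: it archives /etc and /var/log (and /var/www where present) with tar, verifies the archive before sending it, pushes it to the rsync daemon module with the password read from a file rather than from the command line (where it would be visible in the process list), and prunes old local copies. The module name DHCP, the rsync user, the password-file path and the 14-day retention are assumptions; the local directory /home/duyu/bak is the one used by the crontab entry above.

```bash
#!/bin/sh
# backup.sh: compress /etc and /var/log (plus /var/www on the web server) and push the
# archive to the rsync daemon on the backup server. Added example, not the project's script;
# the module name, the rsync user and the password-file path are assumptions.
set -e

BACKUP_HOST=${BACKUP_HOST:-192.168.4.173}       # the slave-DNS/backup machine described above
MODULE=${MODULE:-DHCP}                          # one of the modules defined in /etc/rsyncd.conf
RSYNC_USER=${RSYNC_USER:-backup}
PASSWORD_FILE=${PASSWORD_FILE:-/etc/rsync.pass} # holds only the password; must be mode 600

# make_archive OUT_DIR ROOT DIR... : tar DIR... (relative to ROOT) into OUT_DIR, print the path
make_archive() {
  out_dir=$1; root=$2; shift 2
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$out_dir/$(uname -n)-$stamp.tar.gz"
  mkdir -p "$out_dir"
  tar -czf "$archive" -C "$root" "$@"   # relative paths, so the archive restores cleanly
  printf '%s\n' "$archive"
}

# archive_is_sound FILE : fail if the archive is truncated or corrupt (checked before sending)
archive_is_sound() { gzip -t "$1" 2>/dev/null && tar -tzf "$1" >/dev/null 2>&1; }

# archive_contains FILE PATH : does the archive hold PATH (as stored, without a leading /)?
archive_contains() { tar -tzf "$1" | grep -qx "$2"; }

# push_archive FILE : send it to the daemon module; the password comes from a file, not argv
push_archive() {
  rsync -az --password-file="$PASSWORD_FILE" "$1" "$RSYNC_USER@$BACKUP_HOST::$MODULE/"
}

# prune_old DIR DAYS : delete local archives older than DAYS so the disk does not fill up
prune_old() { find "$1" -name '*.tar.gz' -type f -mtime "+$2" -delete; }

if [ "${1:-}" = run ]; then
  dirs="etc var/log"
  [ -d /var/www ] && dirs="$dirs var/www"   # only the web server has this directory
  archive=$(make_archive /home/duyu/bak / $dirs)
  archive_is_sound "$archive"
  push_archive "$archive"
  prune_old /home/duyu/bak 14
fi
```

Invoked as `sh backup.sh run` from the crontab entry above, the script stops (and cron records the error in record.txt) if the archive fails verification, so a corrupt backup is never the one copied to the server; the module on the backup server must list this host in hosts allow and the rsync user in auth users.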

Add-ons


1. Install PPTPD and edit its options:

sudo vi /etc/ppp/pptpd-options

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 114.114.114.114
ms-dns 8.8.4.4

2. Configure the IP addresses:

sudo vi /etc/pptpd.conf

bcrelay eth0
# local IP
localip 192.168.4.174
# assigned IP pool
remoteip 192.168.4.174-184

3. Add a VPN account:

sudo vi /etc/ppp/chap-secrets

4. Add the following line:

vpn * 123456 *

5. The account name is vpn and the password is 123456. Restart the PPTPD service:

sudo /etc/init.d/pptpd restart

6. Configure NAT and enable IPv4 forwarding:

vi /etc/sysctl.conf

net.ipv4.ip_forward=1

Save and exit, then apply the change:

sudo sysctl -p

Modify the ufw configuration file:

vi /etc/default/ufw

Change the value of "DEFAULT_FORWARD_POLICY" to "ACCEPT". Then edit:

vi /etc/ufw/before.rules

Add the following content below *filter:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow forward traffic to eth0
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# Process the NAT table rules
COMMIT

NIS is the abbreviation for Network Information Service, which is used to simplify the management of clients.

First, install NIS on the Ubuntu system:

sudo apt-get install nis portmap

Second, configure /etc/default/nis to set NISSERVER=master.

Third, configure /etc/yp.conf to add the domain name and host name of the NIS server.

Fourth, initialize the database; afterwards new files appear in /var/yp:

sudo /usr/lib/yp/ypinit -m

Then the client side needs some simple configuration, similar to the server side.

First, install NIS:

sudo apt-get install nis portmap

Second, configure /etc/yp.conf to add the NIS server's IP address, 192.168.4.171.

Third, configure /etc/passwd, /etc/group and /etc/shadow by adding the following lines.

Then the configuration of the client is finished and we can use NIS combined with NFS.

Install the NTP server:

sudo apt-get install ntp

Edit /etc/ntp.conf to add some server lines, then restart ntp. Use the command sudo ntpq -p to see the result.

Mail Server

Exim4 is a Message Transfer Agent (MTA); Exim can be installed in place of sendmail. Install exim4:

sudo apt-get install exim4

Use the command sudo dpkg-reconfigure exim4-config to edit the parameters. Note that you need not edit the master configuration file; it is updated automatically. exim-gencert and sasl2-bin should also be installed to support the functions of exim4.

Testing


We connected the switch to the other servers and a client, disabled the Wi-Fi networking of the Windows machine, and then bridged the virtual network adapter with the physical one. We started the DHCP service and rebooted the others. We could then see that the client got a dynamic IP address while the servers got their fixed IP addresses.

Master DNS & Slave DNS


The DHCP server has allocated 192.168.4.172 to the master and 192.168.4.173 to the slave. Use nslookup to check that the IP address can be obtained from the domain name:

nslookup www.diaobi.com

Shut down the master DNS; clients can still access the website, which demonstrates the availability of the slave DNS.

Web server


Self-test by using the loopback address 127.0.0.1 to access the designed web pages.

Firewall


Give a client a static IP address in a different subnet. When the client tries to access the web pages, the firewall denies the access from the other subnet.

Backup


Run backup.sh and find the backup file made on one PC on the other PC.

Type /armnfs in the Firefox browser.

Mail Server

Connect to the VPN server to see whether access is granted.

Start the NTP service; the system time will then synchronize with the time on the specified server.