This exercise works through an example virtual-network topology with three nodes. It describes how to clone the base VM, configure the nodes, and set up a firewall with the ufw firewall-configuration tool.
Define a virtual network with three nodes (node1, node2 and node3). The network interface eth1 of node1 has the IP address 192.168.1.11. The network interface eth1 of node2 has the IP address 192.168.1.1. The network between node1 and node2 is called neta. The network interface eth2 of node2 has the IP address 192.168.2.1. The network interface eth1 of node3 has the IP address 192.168.2.21. The network between node2 and node3 is called netb.
Traffic from node1 destined for addresses in the range 192.168.0.0/16 goes through node2, and traffic from node3 destined for addresses in 192.168.0.0/16 also goes through node2. Node2 acts as a router.
On node1, configure the firewall so that it accepts incoming UDP packets only from the subnet 192.168.2.0/24. On node3, configure the firewall so that it accepts incoming packets only from the address 192.168.1.11.
Our virtual network consists of a set of virtual machines, or nodes. Each node is created by cloning the base VM. The cloning procedure must be repeated once for every node the virtual network needs; in our case the base VM is cloned three times. After cloning, each node must also be configured individually.
The cloning procedure is as follows:
For the target virtual-network topology, three nodes must be created.
For the network topology to match the required virtual network, the network adapter configuration (Settings/Network) of node1 needs no change; on node2 the Cable Connected option of Adapter 3 must be checked, and on node3 the network name of Adapter 2 must be changed to netb.
After creating and configuring the nodes, start each node and log in. A few more steps are needed to complete the node configuration.
Change the host name in the files /etc/hostname and /etc/hosts. They can be edited by hand with the nano editor (sudo nano /etc/…) or changed directly with the following commands (replace node1 with the name of the corresponding node; note the closing slash of the sed expression, without it sed reports an unterminated s command and changes nothing):

    student@osnovna:~$ sudo sed -i 's/osnovna/node1/' /etc/hostname
    student@osnovna:~$ sudo sed -i 's/osnovna/node1/' /etc/hosts
For the network topology to match the required one, the /etc/network/interfaces files (note the plural in the file name) must be defined as follows.

File /etc/network/interfaces on node1:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    # VBoxNetwork: neta
    auto eth1
    iface eth1 inet static
        address 192.168.1.11
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    #auto eth2
    #iface eth2 inet static
    #    address 192.168.2.2
    #    netmask 255.255.255.0
    #    network 192.168.2.0
    #    broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3

File /etc/network/interfaces on node2 (the router: both inside networks are directly connected, so no route via a gateway is added):

    # The loopback network interface
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    # VBoxNetwork: neta
    auto eth1
    iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    # VBoxNetwork: netb
    auto eth2
    iface eth2 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3

File /etc/network/interfaces on node3:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    # VBoxNetwork: netb
    auto eth1
    iface eth1 inet static
        address 192.168.2.21
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth1

    #auto eth2
    #iface eth2 inet static
    #    address 192.168.2.2
    #    netmask 255.255.255.0
    #    network 192.168.2.0
    #    broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
For a node to act as a router in the virtual network, IP forwarding must be enabled in the kernel (this is packet forwarding between interfaces, not port forwarding). Set ip_forward to 1 with the command:

    student@node2:~$ sudo sysctl net.ipv4.ip_forward=1

This setting is temporary; to make it permanent, change it in the file /etc/sysctl.conf with the nano editor or with:

    student@node2:~$ sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

Enable forwarding only on the router; the end hosts node1 and node3 keep the default value 0, so that they cannot relay traffic between their own adapters.
In our topology the node acting as the router is node2.
Restart all nodes so that the changes take effect. After restarting all nodes and logging in, we can check whether the settings are correct.
With the system tool ifconfig we can check the settings of the network interfaces we configured earlier.
On node1 we check the interface eth1. The command

    student@node1:~$ ifconfig eth1

prints the following lines on standard output:

    eth1      Link encap:Ethernet  HWaddr 08:00:27:09:6f:f6
              inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe09:6ff6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

If the configuration is correct, the second line (inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0) must be identical. Also pay attention to the HWaddr parameter (HWaddr 08:00:27:09:6f:f6): it must differ from node to node and need not match this example. (When cloning in VirtualBox, choose the option to reinitialize the MAC addresses of all network cards; clones that keep the base VM's MAC addresses will not communicate reliably on a shared network.)
On node2 we check the interfaces eth1 and eth2. The command

    student@node2:~$ ifconfig eth1

prints the following lines on standard output:

    eth1      Link encap:Ethernet  HWaddr 08:00:27:62:07:cd
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe62:7cd/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

Check that the second line matches and that the HWaddr differs from the HWaddr on node1.
The command

    student@node2:~$ ifconfig eth2

prints

    eth2      Link encap:Ethernet  HWaddr 08:00:27:40:b6:ea
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe40:b6ea/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

On node3 the command

    student@node3:~$ ifconfig eth1

prints

    eth1      Link encap:Ethernet  HWaddr 08:00:27:5d:67:6b
              inet addr:192.168.2.21  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe5d:676b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)
With the hostname command we check that the host name was configured correctly: on node1 the host name is node1, on node2 it is node2 and on node3 it is node3.
The system tool netstat, among other things, prints the routes from the IP routing table. The output of the command

    student@node1:~$ netstat -rn

on the respective nodes is as follows.

node1:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.1.1     255.255.0.0     UG        0 0          0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

node2:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2

node3:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.2.1     255.255.0.0     UG        0 0          0 eth1
    192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
We can also check that routing is correct with the traceroute command. From node3 we run

    student@node3:~$ traceroute 192.168.1.11

If routing is correct, the output should show the two IP addresses the packets pass through:

    traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 60 byte packets
     1  192.168.2.1 (192.168.2.1)  0.784 ms  0.807 ms  0.813 ms
     2  192.168.1.11 (192.168.1.11)  1.606 ms  1.606 ms  1.606 ms

Explanation: all packets sent from node3 to addresses in 192.168.0.0/16 are forwarded through the machine with address 192.168.2.1 (in our case the eth2 interface of the node2 VM). Since node2 has been set up to act as a router, it forwards all packets destined for 192.168.1.0/24 out of eth1, and so they reach the node1 VM at 192.168.1.11.
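Checking the ifconfig, hostname and netstat output by eye on every clone is error-prone, so the checks above can be scripted. The following script is an added example and not part of the original lab: it encodes the addresses, gateways and router role from the task statement, compares them with the text of ifconfig and netstat -rn, and checks that ip_forward is 1 only on the router. The function names, the report format and the --live switch are the example's own; the expected-value tables can be extended for a larger topology.

```sh
#!/bin/sh
# node-check.sh: verify that a freshly rebooted node matches the three-node
# topology. Added example for this lab, not part of it: the expected
# addresses, gateways and the router role come from the task text, while
# the function names and the pass/fail layout are this example's own.

# expected_addr NODE IFACE -> address the topology assigns to that interface
expected_addr() {
    case "$1:$2" in
        node1:eth1) echo 192.168.1.11 ;;
        node2:eth1) echo 192.168.1.1  ;;
        node2:eth2) echo 192.168.2.1  ;;
        node3:eth1) echo 192.168.2.21 ;;
        *) return 1 ;;
    esac
}

# expected_gw NODE -> next hop for 192.168.0.0/16 on an end host;
# fails for node2, which is the router and must not have such a route
expected_gw() {
    case "$1" in
        node1) echo 192.168.1.1 ;;
        node3) echo 192.168.2.1 ;;
        *) return 1 ;;
    esac
}

# iface_addr IFCONFIG_TEXT IFACE -> IPv4 address ifconfig shows for IFACE
# (empty if the interface is absent or has no address)
iface_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z]/ { cur = $1 }                      # "eth1      Link encap:..."
        cur == want && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# has_route NETSTAT_TEXT DEST GATEWAY GENMASK IFACE -> 0 if netstat -rn lists it
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" -v m="$4" -v i="$5" '
        $1 == d && $2 == g && $3 == m && $NF == i { found = 1 }
        END { exit !found }'
}

# check_node NODE IFCONFIG_TEXT NETSTAT_TEXT IP_FORWARD
# Prints one line per check; returns 0 only if every check passed.
check_node() {
    node=$1; ifc=$2; rt=$3; fwd=$4; fail=0
    for iface in eth1 eth2; do
        want=$(expected_addr "$node" "$iface") || continue
        got=$(iface_addr "$ifc" "$iface")
        if [ "$got" = "$want" ]; then
            echo "ok   $node $iface is $got"
        else
            echo "FAIL $node $iface is '$got', expected $want"; fail=$((fail + 1))
        fi
    done
    if gw=$(expected_gw "$node"); then
        # end host: everything in 192.168.0.0/16 goes via the router
        if has_route "$rt" 192.168.0.0 "$gw" 255.255.0.0 eth1; then
            echo "ok   $node routes 192.168.0.0/16 via $gw"
        else
            echo "FAIL $node has no 192.168.0.0/16 route via $gw"; fail=$((fail + 1))
        fi
        want_fwd=0
    else
        # router: directly connected to both neta and netb
        if has_route "$rt" 192.168.1.0 0.0.0.0 255.255.255.0 eth1 &&
           has_route "$rt" 192.168.2.0 0.0.0.0 255.255.255.0 eth2; then
            echo "ok   $node is connected to neta (eth1) and netb (eth2)"
        else
            echo "FAIL $node lacks a connected route on eth1 or eth2"; fail=$((fail + 1))
        fi
        want_fwd=1
    fi
    # a host that forwards could relay traffic between its adapters
    # (including the NAT one on eth0), so only the router may have 1
    if [ "$fwd" = "$want_fwd" ]; then
        echo "ok   $node ip_forward=$fwd"
    else
        echo "FAIL $node ip_forward=$fwd, expected $want_fwd"; fail=$((fail + 1))
    fi
    [ "$fail" -eq 0 ]
}

# Live run on a node after the reboot:  sh node-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_node "$(hostname)" "$(ifconfig)" "$(netstat -rn)" \
               "$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Run it with --live on each node after the reboot; the exit status is 0 only when the addresses, the routes and the forwarding flag all match the role the node has in the topology.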
The packet filter on Linux systems is iptables (the netfilter framework). The basic tool for configuring the firewall on Ubuntu is ufw, developed to make the firewall-related part of iptables easier to configure; every ufw rule is translated into iptables rules. Before configuring the firewall it is necessary to enable ufw on the corresponding node:

    student@osnovna:~$ sudo ufw enable

When first enabled, ufw is automatically set to allow outgoing and deny incoming traffic. The command

    student@osnovna:~$ sudo ufw status verbose

shows the rules in force. On each node where it has been enabled the output of this command is

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip

Note that ufw also sets the iptables FORWARD chain policy to DROP (DEFAULT_FORWARD_POLICY in /etc/default/ufw). If ufw is enabled on the router node2, traffic between neta and netb is blocked until it is explicitly permitted there (newer ufw versions accept forward rules of the form ufw route allow …), and the traceroute tests below would stop at node2. In this exercise the filtering rules are needed only on the end hosts node1 and node3.
To configure the firewall on node1 so that it accepts incoming UDP packets only from the subnet 192.168.2.0/24, add the following rule (with the default deny policy in place this single allow rule is the whole policy; no port is given, so every UDP port is open to that subnet):

    student@node1:~$ sudo ufw allow from 192.168.2.0/24 to any proto udp

If we now run

    student@node1:~$ sudo ufw status numbered

the output is

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] Anywhere                   ALLOW IN    192.168.2.0/24/udp

We can test the rule by trying, from node3, to trace the route to node1: first unsuccessfully with TCP probes, then successfully with UDP probes. We use the traceroute tool (TCP probes need raw sockets, hence sudo):

    student@node3:~$ sudo traceroute 192.168.1.11 -T -m 3

The argument -T selects TCP SYN probes (to port 80 by default), and -m 3 limits the trace to three hops. The output shows that the host 192.168.1.11 is not reached: node1's default policy silently drops the SYN, so the probes time out and are shown as asterisks.

    traceroute to 192.168.1.11 (192.168.1.11), 3 hops max, 60 byte packets
     1  192.168.2.1 (192.168.2.1)  1.263 ms  1.124 ms  1.039 ms
     2  * * *
     3  * * *

With the command

    student@node3:~$ sudo traceroute 192.168.1.11 -U -m 3

UDP probes are used instead; they match the allow rule, node1 answers each probe with an ICMP port-unreachable message, and the output shows that the host was found:

    traceroute to 192.168.1.11 (192.168.1.11), 3 hops max, 60 byte packets
     1  192.168.2.1 (192.168.2.1)  0.441 ms  0.871 ms  0.898 ms
     2  192.168.1.11 (192.168.1.11)  1.643 ms  1.660 ms  1.673 ms

To configure the firewall on node3 so that it accepts incoming packets only from the address 192.168.1.11, add the ufw rule

    student@node3:~$ sudo ufw allow from 192.168.1.11 to any

The ufw status

    student@node3:~$ sudo ufw status numbered

prints

    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] Anywhere                   ALLOW IN    192.168.1.11

We can verify this by tracing the route to node3 (address 192.168.2.21) from node1 and from node2. Running

    student@node1:~$ traceroute 192.168.2.21 -m 3

on node1 gives the correct path

    traceroute to 192.168.2.21 (192.168.2.21), 3 hops max, 60 byte packets
     1  192.168.1.1 (192.168.1.1)  0.287 ms  0.383 ms  0.390 ms
     2  192.168.2.21 (192.168.2.21)  1.099 ms  1.106 ms  1.110 ms

while from node2 we get no path, because node2's probes leave from its own address 192.168.2.1, which the rule does not permit:

    traceroute to 192.168.2.21 (192.168.2.21), 3 hops max, 60 byte packets
     1  * * *
     2  * * *
     3  * * *

A rule of this kind filters on the source address only: any host that can put packets on netb with a forged source address of 192.168.1.11 is accepted as well, so the rule limits where traffic is expected from rather than authenticating the sender.
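After adding rules it is worth comparing what ufw actually reports with the rule set the task calls for, especially once several rules accumulate (for example in the last exercise on this page). The following script is an added example, not part of the lab: it parses the output of sudo ufw status numbered into TO|ACTION|FROM lines and reports rules that are missing, rules that are not in the intended set, and ALLOW IN rules without a source restriction, which defeat an "only from" requirement. The function names, the rule notation and the --live switch are the example's own.

```sh
#!/bin/sh
# ufw-audit.sh: compare the rules `ufw status numbered` reports with the rules
# a node is supposed to carry. Added example for this lab, not part of it; the
# function names and the "TO|ACTION|FROM" notation are this example's own.

# ufw_rules STATUS_TEXT -> one "TO|ACTION|FROM" line per numbered rule.
# ufw prints the To and From columns as free text ("Anywhere on eth1",
# "192.168.2.0/24/udp", "Anywhere (v6)"), so each line is split around the
# action keyword instead of on fixed column positions.
ufw_rules() {
    printf '%s\n' "$1" | sed -n 's/^\[ *[0-9][0-9]*\] *//p' | awk '{
        a = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { a = i; break }
        if (a == 0) next
        to = $1; for (j = 2; j < a; j++) to = to " " $j
        from = $(a + 2); for (j = a + 3; j <= NF; j++) from = from " " $j
        print to "|" $a " " $(a + 1) "|" from
    }'
}

# audit_rules STATUS_TEXT EXPECTED_RULE... -> prints MISSING, UNEXPECTED and
# BROAD findings; returns 0 only when the live rule set equals the expected one.
audit_rules() {
    status=$1; shift
    actual=$(ufw_rules "$status")
    expected=$(printf '%s\n' "$@")
    fail=0
    for want in "$@"; do
        printf '%s\n' "$actual" | grep -Fxq -- "$want" ||
            { echo "MISSING    $want"; fail=1; }
    done
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$expected" | grep -Fxq -- "$rule" ||
            { echo "UNEXPECTED $rule"; fail=1; }
        # an ALLOW IN rule with no source restriction defeats a
        # "only from X" requirement even when it was added on purpose
        case "$rule" in
            *"|ALLOW IN|Anywhere"*) echo "BROAD      $rule" ;;
        esac
    done <<EOF
$actual
EOF
    [ "$fail" -eq 0 ]
}

# Live use on a node (ufw needs root), e.g. for node1 in this exercise:
#   sh ufw-audit.sh --live 'Anywhere|ALLOW IN|192.168.2.0/24/udp'
if [ "${1:-}" = "--live" ]; then
    shift
    audit_rules "$(sudo ufw status numbered)" "$@"
fi
```

For node3 the expected set is the single rule Anywhere|ALLOW IN|192.168.1.11; any extra ALLOW IN line, in particular one whose From column is Anywhere, is reported as a deviation from the task.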
Define a virtual network with six nodes.
Set the corresponding parameters as shown in the figure.
Routing:
In this exercise the base VM must be cloned six times. After cloning, each node must also be configured individually.
The cloning procedure is as follows:
For the target virtual-network topology, six nodes must be created.
For the network topology to look like figure 10, the network adapter configuration (Settings/Network) must be changed as follows:
After creating and configuring the nodes, start each node and log in. A few more steps are needed to complete the node configuration.
Change the host name in the files /etc/hostname and /etc/hosts. They can be edited by hand with the nano editor (sudo nano /etc/…) or changed directly with the following commands (replace node1 with the name of the corresponding node; the closing slash of the sed expression is required):

    student@osnovna:~$ sudo sed -i 's/osnovna/node1/' /etc/hostname
    student@osnovna:~$ sudo sed -i 's/osnovna/node1/' /etc/hosts
Change the file /etc/network/interfaces so that it matches the required network topology.
For the topology in the figure, the /etc/network/interfaces files must be defined as follows.

node1:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.1.11
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    #auto eth2
    #iface eth2 inet static
    #    address 192.168.2.2
    #    netmask 255.255.255.0
    #    network 192.168.2.0
    #    broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3

node2:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.2.21
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.1 dev eth1

    #auto eth2
    #iface eth2 inet static
    #    address 192.168.2.2
    #    netmask 255.255.255.0
    #    network 192.168.2.0
    #    broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3

node3:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.3.31
        netmask 255.255.255.0
        network 192.168.3.0
        broadcast 192.168.3.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.1 dev eth1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.1 dev eth1

    #auto eth2
    #iface eth2 inet static
    #    address 192.168.2.2
    #    netmask 255.255.255.0
    #    network 192.168.2.0
    #    broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.2.2 dev eth2

    #auto eth3
    #iface eth3 inet static
    #    address 192.168.3.3
    #    netmask 255.255.255.0
    #    network 192.168.3.0
    #    broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.3.3 dev eth3

node4 (router):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    auto eth2
    iface eth2 inet static
        address 192.168.4.1
        netmask 255.255.255.0
        network 192.168.4.0
        broadcast 192.168.4.255
        post-up route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.4.2 dev eth2
        pre-down route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.4.2 dev eth2

    auto eth3
    iface eth3 inet static
        address 192.168.5.1
        netmask 255.255.255.0
        network 192.168.5.0
        broadcast 192.168.5.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.5.2 dev eth3
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.5.2 dev eth3

node5 (router):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    auto eth2
    iface eth2 inet static
        address 192.168.4.2
        netmask 255.255.255.0
        network 192.168.4.0
        broadcast 192.168.4.255
        post-up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.4.1 dev eth2
        pre-down route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.4.1 dev eth2

    auto eth3
    iface eth3 inet static
        address 192.168.6.2
        netmask 255.255.255.0
        network 192.168.6.0
        broadcast 192.168.6.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.6.1 dev eth3
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.6.1 dev eth3

node6 (router):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    auto eth1
    iface eth1 inet static
        address 192.168.3.1
        netmask 255.255.255.0
        network 192.168.3.0
        broadcast 192.168.3.255
    #    post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1
    #    pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth1

    auto eth2
    iface eth2 inet static
        address 192.168.5.2
        netmask 255.255.255.0
        network 192.168.5.0
        broadcast 192.168.5.255
        post-up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.5.1 dev eth2
        pre-down route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.5.1 dev eth2

    auto eth3
    iface eth3 inet static
        address 192.168.6.1
        netmask 255.255.255.0
        network 192.168.6.0
        broadcast 192.168.6.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.6.2 dev eth3
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.6.2 dev eth3
For a node to act as a router in the virtual network, IP forwarding (packet forwarding between interfaces, not port forwarding) must be enabled. In the kernel, set ip_forward to 1 with the command:

    student@osnovna:~$ sudo sysctl net.ipv4.ip_forward=1

This setting is temporary; to make it permanent, change it in the file /etc/sysctl.conf with the nano editor or with:

    student@osnovna:~$ sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

In our topology the nodes acting as routers are node4, node5 and node6; the end hosts node1, node2 and node3 keep forwarding disabled.
Restart all nodes so that the changes take effect.
After restarting all nodes and logging in, we can check whether the settings are correct.
With the system tool ifconfig we can check the settings of the network interfaces we configured earlier.

    student@node1:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:6a:3b:c8
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe6a:3bc8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:92 errors:0 dropped:0 overruns:0 frame:0
              TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:19388 (19.3 KB)  TX bytes:12026 (12.0 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:b4:38:f5
              inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:feb4:38f5/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:888 (888.0 B)  TX bytes:888 (888.0 B)

    student@node2:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:cf:28:7f
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fecf:287f/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:100 errors:0 dropped:0 overruns:0 frame:0
              TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20167 (20.1 KB)  TX bytes:12746 (12.7 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:c0:c7:15
              inet addr:192.168.2.21  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fec0:c715/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    student@node3:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:e7:ed:c0
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fee7:edc0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:100 errors:0 dropped:0 overruns:0 frame:0
              TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20257 (20.2 KB)  TX bytes:12746 (12.7 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:13:53:23
              inet addr:192.168.3.31  Bcast:192.168.3.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe13:5323/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    student@node4:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:a4:b6:64
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fea4:b664/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:100 errors:0 dropped:0 overruns:0 frame:0
              TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20257 (20.2 KB)  TX bytes:12746 (12.7 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:9d:1f:61
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe9d:1f61/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth2      Link encap:Ethernet  HWaddr 08:00:27:fa:50:5c
              inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fefa:505c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth3      Link encap:Ethernet  HWaddr 08:00:27:92:d5:be
              inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe92:d5be/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    student@node5:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:da:74:5c
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:feda:745c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:100 errors:0 dropped:0 overruns:0 frame:0
              TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20257 (20.2 KB)  TX bytes:12692 (12.6 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:b0:a2:5c
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:feb0:a25c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth2      Link encap:Ethernet  HWaddr 08:00:27:50:0f:b8
              inet addr:192.168.4.2  Bcast:192.168.4.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe50:fb8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth3      Link encap:Ethernet  HWaddr 08:00:27:a2:29:7d
              inet addr:192.168.6.2  Bcast:192.168.6.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fea2:297d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    student@node6:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:7f:b5:d3
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe7f:b5d3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:92 errors:0 dropped:0 overruns:0 frame:0
              TX packets:74 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:19388 (19.3 KB)  TX bytes:11972 (11.9 KB)

    eth1      Link encap:Ethernet  HWaddr 08:00:27:71:57:9a
              inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe71:579a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth2      Link encap:Ethernet  HWaddr 08:00:27:8b:62:27
              inet addr:192.168.5.2  Bcast:192.168.5.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe8b:6227/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    eth3      Link encap:Ethernet  HWaddr 08:00:27:c3:14:b1
              inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fec3:14b1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:888 (888.0 B)  TX bytes:888 (888.0 B)
With the hostname command we check that the host name was configured correctly.
The system tool netstat, among other things, prints the routes from the IP routing table. For the respective nodes the netstat output is as follows:

    student@node1:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.1.1     255.255.0.0     UG        0 0          0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

    student@node2:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.2.1     255.255.0.0     UG        0 0          0 eth1
    192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

    student@node3:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.3.1     255.255.0.0     UG        0 0          0 eth1
    192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1

    student@node4:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.5.2     255.255.0.0     UG        0 0          0 eth3
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    192.168.2.0     192.168.4.2     255.255.255.0   UG        0 0          0 eth2
    192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
    192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3

    student@node5:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.6.1     255.255.0.0     UG        0 0          0 eth3
    192.168.1.0     192.168.4.1     255.255.255.0   UG        0 0          0 eth2
    192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
    192.168.6.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3

    student@node6:~$ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    192.168.0.0     192.168.6.2     255.255.0.0     UG        0 0          0 eth3
    192.168.1.0     192.168.5.1     255.255.255.0   UG        0 0          0 eth2
    192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
    192.168.6.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3

On the routers the more specific /24 routes take precedence over the /16 route (longest prefix match), so, for example, node4 sends traffic for netb to node5 over eth2 and everything else in 192.168.0.0/16 to node6 over eth3.
We can also check that routing is correct with the traceroute command. Check whether the output of traceroute matches the required network configuration.
Reconfigure the virtual network so that no traffic passes over the network nete (redirect the packets going from node4 to node6, and the other way round, through node5).
Add a new node node7 to the network neta.
In our scenario node1 is a MySQL server holding sensitive data. Only machines on the network netc should be able to reach it (MySQL uses the default port 3306). The network netb is a public network that must not be able to reach our SSH server (port 22) on node7. The machine node3 should accept only UDP from the network netb and TCP on port 80 from node1. Configure the corresponding firewalls. Keep in mind that the paths between these networks cross the routers node4, node5 and node6; if ufw is enabled on a router, forwarded traffic has to be allowed there as well, otherwise the host rules are never reached.