The document outlines the setup of basic network services using VMware, including the creation of virtual machines with CentOS, installation of necessary packages, and configuration of routing, DHCP, DNS, and various internal services like FTP, HTTP, SMTP, and SSH. It details the steps for enabling services, configuring network interfaces, and setting up NAT and firewall rules on a router. Additionally, it includes commands for managing services and configuring DNS records for both internal and external domains.

Uploaded by khadijakhalloq2

A: Basic Network Services (Routing, DHCP, Relaying, and DNS)

Part I: Creating the VMware Setup

1. Create a Virtual Machine (VM) under CentOS 7 Minimal:

• Install the following packages:

dhcp, bind, nfs-utils, samba, vsftpd, openssh-server, openldap, openldap-clients, openldap-servers, httpd, mod_ssl, postfix, dovecot

• These packages provide the services configured later: dhcp (dhcpd and the dhcrelay agent), bind (named), vsftpd (FTP), httpd and mod_ssl (web), postfix (SMTP), dovecot (POP3/IMAP), nfs-utils and samba (file sharing) and openssh-server (SSH). The openldap packages are installed but not used anywhere in this document.

2. Create a Virtual Machine under CentOS 6 Minimal:

• Install the same package list as for CentOS 7. (The original text says to take dhcp-devel instead of dhcp, but dhcp-devel only ships the C headers of the dhcpctl library; on CentOS 6 the DHCP server and relay binaries are also in the dhcp package.)

• CentOS 6 is used for “Srv-externe” and “Routeur”. Unlike CentOS 7 it has no systemd, so on those two machines the systemctl commands shown later in this document must be replaced by their SysV equivalents (the service command to start or restart a daemon, chkconfig to enable it at boot).

3. Create the VM Network Setup:

• VM 1: “Srv-interne” with CentOS 7 and 256MB RAM.

• VM 2: “Srv-externe” with CentOS 6 and 128MB RAM.

• VM 3: “Routeur” with CentOS 6 and 128MB RAM.

• Note: After copying VMs, modify the MAC addresses to avoid network conflicts.

4. Connect Network Interfaces to Virtual Networks:

• Use the virtual machine network interface to connect each VM to the corresponding
virtual network as per your network design.

5. Configure Network Interfaces:

• Set up IP addresses and networking details on all VMs persistently, in /etc/sysconfig/network-scripts/ifcfg-<interface>, so that they survive a reboot.

• Stop and disable the host firewalls (firewalld on CentOS 7, the iptables service on CentOS 6) only for the initial setup and troubleshooting, while the VMs sit on isolated VMware virtual networks. The router's firewall is rebuilt in section D; the two servers should get their own rules back once the services work.

6. Verify Package Installation:

• After installation, check that all required packages are installed on each VM using
commands like:

rpm -qa | grep <package-name>

7. Configure Services to Start at Boot:

• On CentOS 7 (“Srv-interne”), use systemctl to enable the required services (dhcpd, named, vsftpd, httpd, postfix, dovecot, nfs-server, smb, sshd) so that they start automatically at boot:
systemctl enable <service-name>

• On the CentOS 6 machines systemctl does not exist; the equivalent there is chkconfig <service-name> on.

8. Disable SELinux Permanently:

• To disable SELinux permanently, edit the /etc/selinux/config file and set:

SELINUX=disabled

• Reboot the machine for the setting to take effect; setenforce only switches the running system between enforcing and permissive and cannot disable the policy.

• Caveat: SELinux is the mandatory access control layer that confines every daemon configured below, and disabling it is the lab shortcut, not a recommendation. What would otherwise need attention is the non-default paths used later (the /BAIDRIS tree shared over NFS and Samba, vsftpd chrooting users into their home directories), which require the matching file contexts and booleans to be set with semanage, restorecon and setsebool. SELINUX=permissive keeps the policy loaded and logs every would-be denial to /var/log/audit/audit.log, which is the better setting while troubleshooting.

Part II: Routing on “Routeur” and Default Gateway on Other Machines

1. Enable Routing on “Routeur”:

• Enable IP forwarding (routing) on “Routeur” for the running kernel:

sysctl -w net.ipv4.ip_forward=1

• Make the change permanent by adding the following line to /etc/sysctl.conf (sysctl -p reloads the file without a reboot):

net.ipv4.ip_forward = 1

2. Add Route to “Srv-externe” Network on “Routeur”:

• Add a route on “Routeur” to reach the network of “Srv-externe”. This is only needed if that network is not directly attached to one of the router's interfaces; for a directly attached network the kernel installs the connected route itself:

ip route add <network> via <next-hop-ip>

3. Add Default Route on “Routeur” to “ISP”:

• Set the default route on “Routeur” towards the ISP machine (the next-hop gateway):

ip route add default via <ISP-IP>

4. Configure Default Gateway on Other Machines:

• On Srv-interne and Srv-externe, set the default gateway to the IP address that “Routeur” has on the network it shares with them:

ip route add default via <Routeur-IP>

• Routes added with ip route are lost at reboot. To make them persistent on CentOS 6 and 7, put the default gateway in GATEWAY= of the interface's ifcfg file (or in /etc/sysconfig/network) and static routes in /etc/sysconfig/network-scripts/route-<interface>.

Part III: DHCP on “Srv-interne”

1. Install DHCP Server on “Srv-interne”:

• Configure dhcpd (/etc/dhcp/dhcpd.conf) to hand out addresses on two networks, Vmnet2 and Vmnet3. A subnet declaration is needed for both, including Vmnet3, which Srv-interne reaches only through the relay of Part IV: dhcpd chooses the subnet for a relayed request from the relay's giaddr and ignores requests for networks it has no declaration for. Each subnet should also carry option routers (Routeur's address in that network) and option domain-name-servers, otherwise clients get an address but no gateway or resolver.

• Example for configuring DHCP ranges:

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;
}

• Add a reservation for “Srv-externe” using its MAC address: a host block with hardware ethernet <MAC> and fixed-address <IP>, the fixed address lying outside the dynamic ranges. Check the file with dhcpd -t before restarting the service.

Part IV: DHCP Relay Agent on “Routeur”

1. Configure DHCP Relay on “Routeur”:

• The relay is the dhcrelay daemon from the dhcp package installed in Part I; there is nothing else to install. On CentOS 6 it is configured in /etc/sysconfig/dhcrelay: INTERFACES names the interface facing Vmnet3, where the clients' broadcasts arrive, and DHCPSERVERS gives the address of Srv-interne. Start it with the service command and enable it with chkconfig. dhcrelay turns the client's broadcast into a unicast to the server with giaddr set to its own Vmnet3 address, which is how Srv-interne knows which subnet to allocate from. Once the firewall of section D is in place, UDP ports 67 and 68 must be allowed on the router itself for the relay to keep working.

Part V: DNS Configuration

1. External DNS Service on “Srv-externe”:

• Install DNS (BIND) on “Srv-externe” and configure it as the authoritative server for the external domain BAIDRIS.ma: a zone statement in /etc/named.conf that points at a zone file under /var/named/.

• The zone file needs an SOA record, the NS record naming Srv-externe and the A record giving its address; because the NS record points to a name inside the zone itself, that A record (the glue) is mandatory.

2. Register the Domain:

• Register your domain BAIDRIS.ma with a registrar for .ma.

3. Internal DNS Service on “Srv-interne”:

• Install DNS (BIND) on “Srv-interne” and configure it the same way for the internal domain BAIDRIS.isgi.

• Add the SOA, NS and A records for Srv-interne. Internal hosts (through the domain-name-servers option handed out in Part III) use this server for all of their name resolution.

4. Configure DNS Forwarding:

• Set “Srv-interne” to send every query it is not authoritative for to “Srv-externe”. In the options block of /etc/named.conf:

forwarders {

<Srv-externe-IP>;

};

• Add forward only; next to it if Srv-interne must never contact the root servers itself (without it BIND falls back to full recursion when the forwarder does not answer).

• Two defaults of the CentOS named.conf get in the way on both servers: listen-on is 127.0.0.1 and allow-query is localhost, so no other host can query at all until both are widened to the server's interface and the client networks. On Srv-externe, which is authoritative for BAIDRIS.ma and reachable from the Internet, restrict allow-recursion to Srv-interne's address: an authoritative server that also recurses for anyone is an open resolver and a ready source for DNS amplification.

Summary of Required Commands and Configuration Files:

• Install packages: yum install <package-name>

• Enable services: systemctl enable <service-name>


• Configure routes: ip route add <network> via <gateway>

• DHCP configuration: Modify /etc/dhcp/dhcpd.conf

• DNS configuration: Modify /etc/named.conf and the zone files under /var/named/

Part B: Internal Services (FTP, HTTP, SMTP, POP3, NFS, SAMBA, and SSH)

Part I: FTP on “Srv-interne”

1. Install FTP Service:

• Install the FTP service (vsftpd) on “Srv-interne”:

yum install vsftpd

2. Configure FTP for Authenticated Access:

• Edit the /etc/vsftpd/vsftpd.conf file to allow only authenticated local users, each confined to its home directory:

anonymous_enable=NO

local_enable=YES

write_enable=YES

chroot_local_user=YES

• With chroot_local_user=YES, vsftpd refuses to log in a user whose home directory is itself writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either remove write permission from the home directory and give the user a writable subdirectory, or add allow_writeable_chroot=YES (supported by the vsftpd 3.x that CentOS 7 ships). Plain FTP also sends the password and all data in clear text; vsftpd can wrap the session in TLS with ssl_enable=YES and a certificate in rsa_cert_file/rsa_private_key_file, which is the only sane option once the service is reachable from outside the lab.

• Restart the FTP service:

systemctl restart vsftpd

systemctl enable vsftpd

Part II: HTTP for Two Sites on Two Different Ports on “Srv-interne”

1. Install Web Service (Apache):

• Install Apache HTTP Server:

yum install httpd

2. Create and Declare Two Websites on Different Ports:

• Add the configuration for two sites on ports 80 and 8008. The default httpd.conf already contains Listen 80; adding it a second time makes httpd fail to start with "Address already in use", so only Listen 8008 is new. Virtual host definitions belong in a file under /etc/httpd/conf.d/ (included by httpd.conf) rather than in httpd.conf itself, and site1.local and site2.local must resolve to the server (the CNAME records of Part VII) for the ServerName values to be reachable by name.

• For Port 80 (Listen 80 is already present, do not repeat it):

<VirtualHost *:80>

DocumentRoot /var/www/html/site1
ServerName site1.local

</VirtualHost>

• For Port 8008:

Listen 8008

<VirtualHost *:8008>

DocumentRoot /var/www/html/site2

ServerName site2.local

</VirtualHost>

• Create directories and default pages:

mkdir /var/www/html/site1 /var/www/html/site2

echo "Welcome to Site 1" > /var/www/html/site1/index.html

echo "Welcome to Site 2" > /var/www/html/site2/index.html

• Restart the Apache service:

systemctl restart httpd

systemctl enable httpd

Part III: SMTP on “Srv-interne”

1. Install and Configure SMTP for Internal Domain:

• Install the Postfix service:

yum install postfix

• Edit /etc/postfix/main.cf to set the domain and the relay host:

myhostname = srv-interne.local

mydomain = baidris.local

mydestination = $myhostname, localhost.$mydomain, localhost

relayhost = [20.20.4.2]

• The brackets around the relayhost make Postfix connect to that address directly instead of looking up MX records for it.

2. Enable Routing for SMTP:

• With relayhost set, every message not addressed to a domain listed in mydestination is handed to [20.20.4.2]. Restart Postfix and enable it at boot:

systemctl restart postfix

systemctl enable postfix

• Why you can’t receive emails with this configuration: two things are missing on the SMTP side, independently of Dovecot (Dovecot only lets clients read mail that is already in a mailbox; it does not accept mail from other servers). First, the CentOS default main.cf has inet_interfaces = localhost, so Postfix listens on 127.0.0.1 only and no other host can deliver to it; it must be set to all, and port 25 must be allowed on the firewall. Second, mydestination does not contain $mydomain, so mail for user@baidris.local is not considered local and is sent on to the relay host instead of being delivered; add $mydomain to the list. Other servers also need an MX record for the domain pointing at this host.

Part IV: POP3 on “Srv-interne”

1. Install and Configure POP3 for Internal Domain:

• Install Dovecot for POP3 functionality:

yum install dovecot

• Configure Dovecot to handle POP3:

• Edit /etc/dovecot/dovecot.conf to enable the POP3 (and IMAP) listeners:

protocols = imap pop3

• Dovecot reads the mailboxes Postfix delivers to, so mail_location in /etc/dovecot/conf.d/10-mail.conf must match where Postfix writes (mbox in /var/spool/mail/<user> by default on CentOS). Dovecot refuses clear-text logins over non-TLS connections by default (disable_plaintext_auth = yes), so clients on other hosts have to use POP3S/IMAPS on ports 995/993, which needs ssl = required and the certificate paths in /etc/dovecot/conf.d/10-ssl.conf; these are also the ports that section D publishes.

• Restart Dovecot service:

systemctl restart dovecot

systemctl enable dovecot

Part V: NFS and Samba on “Srv-interne”

1. Create User and Assign Samba Password:

• Create the user HAMZA, assign a system password and then a Samba password. Samba keeps its own password database (an NT hash in its passdb), separate from /etc/shadow, so the smbpasswd step is required even though the account already has a Unix password:

useradd HAMZA

passwd HAMZA

smbpasswd -a HAMZA

2. Create Group and Add User:

• Create group BAIDRIS and add HAMZA to it:

groupadd BAIDRIS

usermod -aG BAIDRIS HAMZA

3. Create Directory for User HAMZA:

• Create the directory /BAIDRIS/HAMZA and set permissions:

mkdir -p /BAIDRIS/HAMZA

chmod 777 /BAIDRIS/HAMZA

• Mode 777 makes the directory writable by every local account and by every user on every NFS client. A setting that still works for the shares below is to give the directory to HAMZA and the group BAIDRIS with mode 2770, so that only the owner and group members write there and new files inherit the group.


NFS Setup:

4. Share Directory via NFS:

• Edit /etc/exports to share /BAIDRIS read-write with the internal network and read-only with every other host:

/BAIDRIS 192.168.1.0/24(rw) *(ro)

• NFS authorises by client IP address only, so rw for 192.168.1.0/24 trusts every machine on Vmnet2, and *(ro) exposes the tree to any address that can reach port 2049, including the DMZ; drop the * entry unless it is really wanted. root_squash is on by default and should stay (never add no_root_squash here). Options must follow the host with no space: "host (rw)" would export to host with the defaults and to the whole world read-write.

• Apply the NFS export:

exportfs -a

systemctl restart nfs-server

systemctl enable nfs-server

Samba Setup:

5. Share Directory via Samba:

• Edit /etc/samba/smb.conf to add the share (the default security = user in the [global] section is what makes the smbpasswd accounts apply):

[partage-HAMZA]

path = /BAIDRIS/HAMZA

valid users = HAMZA, root

read only = no

create mask = 0775

directory mask = 0775

• Leave root out of valid users in practice: it would also need its own smbpasswd entry, and an SMB login as root hands an attacker who guesses or captures that password the whole server; a file share never needs it.

• Restart Samba (smb serves the files; nmb is only needed for NetBIOS name browsing):

systemctl restart smb

systemctl enable smb

Part VI: SSH on “Srv-interne”, “Srv-externe”, and “Routeur”

1. Generate SSH Key Pair on “Srv-interne” for User HAMZA:

• The original text generates a DSA key pair:

ssh-keygen -t dsa -f /home/HAMZA/.ssh/id_dsa

• Do not use DSA on current systems. OpenSSH 7.0 and later (CentOS 7 ships 7.4) disables the ssh-dss key type on client and server by default, so the key is refused when logging in to a CentOS 7 host, and DSA keys are limited to 1024 bits. Use -t ed25519 (or -t rsa -b 4096) instead, run ssh-keygen as HAMZA rather than as root so that the files are owned by HAMZA with mode 600, and give the key a passphrase; adjust the file names in the commands below to the key actually generated.

2. Configure “Srv-externe” and “Routeur” to Accept SSH Keys:

• ssh-copy-id appends the public key to /home/HAMZA/.ssh/authorized_keys on the target and creates the directory with the right permissions; it needs the HAMZA account to exist there and password authentication to still be enabled for this first step:

ssh-copy-id -i /home/HAMZA/.ssh/id_dsa.pub HAMZA@<Srv-externe-IP>

ssh-copy-id -i /home/HAMZA/.ssh/id_dsa.pub HAMZA@<Routeur-IP>

• Once key-based login works on both machines, set PasswordAuthentication no and PermitRootLogin no in /etc/ssh/sshd_config there and restart sshd, so that the keys become the only way in.

Part VII: Adding CNAME Records on “Srv-interne” DNS Server

1. Add CNAME Records for FTP and Web Sites:

• Edit the zone file of the internal domain on “Srv-interne” (under /var/named/, the file named by the zone statement in /etc/named.conf) to add CNAME records that point the service names at the server's A record. The target must be the name that actually carries the A record in this zone (Part A.V calls the internal zone BAIDRIS.isgi; use one domain consistently), written with a trailing dot so that it is absolute; without the dot BIND appends the zone origin to it:

ftp IN CNAME srv-interne.local.

site1 IN CNAME srv-interne.local.

site2 IN CNAME srv-interne.local.

• Increase the SOA serial, then reload the zone (rndc reload) or restart the DNS service:

systemctl restart named

systemctl enable named

Summary of Commands:

• Install services: yum install <service-name>

• Start and enable services: systemctl start <service-name>, systemctl enable <service-name>

• Configure services: Edit configuration files like /etc/vsftpd/vsftpd.conf, /etc/httpd/conf/httpd.conf, /etc/postfix/main.cf, etc.

• Create users: useradd <username>, passwd <username>, smbpasswd -a <username>

• Manage NFS/Samba: Edit /etc/exports, /etc/samba/smb.conf, restart the respective services.

C. External Services: FTP, HTTP, and SMTP

Part I: FTP on “Srv-externe”

1. Assign a second IP address to the network interface (20.20.4.3/29):

• Assign a second address to the interface of “Srv-externe” persistently, in /etc/sysconfig/network-scripts/ifcfg-eth0 (or your interface name). CentOS 6 initscripts accept numbered address variables; the netmask variable must carry the same index as its address, and /29 is 255.255.255.248:

IPADDR1=20.20.4.3

NETMASK1=255.255.255.248

GATEWAY=20.20.4.1

• GATEWAY is the interface's single default gateway (Routeur's address in this network) and is not indexed. The older alternative on CentOS 6 is an alias file ifcfg-eth0:1 with plain IPADDR and NETMASK lines. Site 2 in Part II below uses a further address, 20.20.4.4, which is added the same way (IPADDR2/NETMASK2).

• Restart the network service (CentOS 6 has no systemctl):

service network restart

2. Install FTP Service on “Srv-externe”:

• Install vsftpd (FTP server):

yum install vsftpd

• Configure FTP (for example, to allow only authenticated access):

Edit the /etc/vsftpd/vsftpd.conf:

anonymous_enable=NO

local_enable=YES

write_enable=YES

chroot_local_user=YES

• Start and enable the FTP service (CentOS 6 uses SysV init; systemctl is not available there):

service vsftpd start

chkconfig vsftpd on

3. Create Documents in the Default FTP Site Directory:

• /var/ftp is the root of the anonymous FTP area. With anonymous_enable=NO as set above nobody lands there, since authenticated users are chrooted into their own home directories; either put the files into the test user's home or turn on read-only anonymous access (anonymous_enable=YES; uploads stay off unless anon_upload_enable is set) if that is what the external site is meant to offer. Sample files:

echo "FTP Home Page" > /var/ftp/index.html

echo "Welcome to FTP on Srv-externe" > /var/ftp/welcome.txt

• Keep the tree readable but not writable by the ftp user (vsftpd insists that the anonymous root is not writable):

chmod -R 755 /var/ftp

Part II: HTTP for Two Sites with Different Addresses on “Srv-externe”

1. Install Web Service (Apache HTTP Server):

• Install Apache HTTP Server:

yum install httpd

• Start and enable Apache (CentOS 6 commands):

service httpd start

chkconfig httpd on

2. Create Two Websites on Different IP Addresses:

• Configure two IP-based virtual hosts, one per address (20.20.4.3 and 20.20.4.4). Both addresses must be configured on the interface (Part I above); requests to an address the server does not own never reach it.

• Edit /etc/httpd/conf.d/vhost.conf to define the two sites.

• For Site 1 (using IP 20.20.4.3):

<VirtualHost 20.20.4.3:80>

DocumentRoot /var/www/html/site1

ServerName site1.srv-externe.local

</VirtualHost>

• For Site 2 (using IP 20.20.4.4):

<VirtualHost 20.20.4.4:80>

DocumentRoot /var/www/html/site2

ServerName site2.srv-externe.local

</VirtualHost>

• Create the directories and HTML files:

mkdir /var/www/html/site1 /var/www/html/site2

echo "Welcome to Site 1" > /var/www/html/site1/index.html

echo "Welcome to Site 2" > /var/www/html/site2/index.html

3. Add A and CNAME Records to the Public DNS:

• Add A records for the two sites and a CNAME for FTP in the zone served by Srv-externe (Part A.V names that zone BAIDRIS.ma; the .local names below are the ones this section uses, so keep whichever domain the zone file actually has). Every name written fully qualified must end with a dot, otherwise BIND appends the zone origin and "ftp.srv-externe.local" silently becomes "ftp.srv-externe.local.<origin>":

• A records:

site1.srv-externe.local. IN A 20.20.4.3

site2.srv-externe.local. IN A 20.20.4.4

• CNAME for FTP:

ftp.srv-externe.local. IN CNAME srv-externe.local.

• Increase the SOA serial and reload the zone. Resolvers keep the previous answer for up to the record's TTL, so "propagation" means waiting that TTL out.
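The script below is an added example, not part of the original document, and serves this section as well as Parts A.V and B.VII: it generates a zone file with absolute names for the internal zone on Srv-interne and for the external zone on Srv-externe, and lints any zone file for the trailing-dot mistake. It uses the zone names of Part A (baidris.isgi and baidris.ma) and assumes Srv-interne is 192.168.1.10 and Srv-externe 20.20.4.3; the site addresses are the ones of Part II. named-checkzone is run only where BIND is installed.

```shell
#!/bin/sh
# Added example, not the document's own files: generates the zone files for
# the internal zone (Srv-interne, parts A.V / B.VII) and the external zone
# (Srv-externe, part C.II.3) with correct absolute names, and lints a zone
# file for relative names that would get the origin appended. Zone names
# are the document's; host addresses are lab assumptions.
set -u

# gen_zone ORIGIN HOST IP [RR...]  -> zone file text on stdout
#   ORIGIN  zone name without trailing dot, e.g. baidris.isgi
#   HOST/IP short name and address of the name server (its A record)
#   RR      "name" adds "name IN CNAME HOST.ORIGIN."; "name=addr" adds an A record
gen_zone() {
  origin=$1; host=$2; ip=$3; shift 3
  serial=$(date +%Y%m%d01)   # YYYYMMDDnn; raise nn for a second edit on the same day
  cat <<EOF
\$TTL 3600
\$ORIGIN $origin.
@       IN SOA   $host.$origin. hostmaster.$origin. (
                 $serial   ; serial, must increase on every change
                 3600         ; refresh
                 900          ; retry
                 1209600      ; expire
                 300 )        ; negative-answer TTL
@       IN NS    $host.$origin.
$host   IN A     $ip
EOF
  for rr in "$@"; do
    case $rr in
      *=*) printf '%-7s IN A     %s\n' "${rr%%=*}" "${rr#*=}" ;;
      *)   printf '%-7s IN CNAME %s.%s.\n' "$rr" "$host" "$origin" ;;
    esac
  done
}

# zone_lint FILE -> exit 1 if a dotted owner or CNAME/NS/MX target lacks its
# trailing dot (BIND would silently append the origin to it)
zone_lint() {
  awk '
    /^\$/ { next }                      # directives (TTL, ORIGIN, INCLUDE)
    { sub(/[ \t]*;.*$/, "") }           # strip comments, re-split fields
    NF == 0 { next }
    # owner name: first field of a line that does not start with whitespace
    $0 !~ /^[ \t]/ && $1 != "@" && $1 ~ /\./ && $1 !~ /\.$/ {
      printf "%s:%d: owner %s is relative, the origin will be appended\n", FILENAME, NR, $1
      bad = 1
    }
    # target of CNAME, NS or MX: the last field
    {
      for (i = 1; i <= NF; i++)
        if ($i == "CNAME" || $i == "NS" || $i == "MX")
          if ($NF ~ /\./ && $NF !~ /\.$/) {
            printf "%s:%d: target %s is relative, the origin will be appended\n", FILENAME, NR, $NF
            bad = 1
          }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# check_zone ORIGIN FILE -> lint, then let BIND parse the file if installed
check_zone() {
  zone_lint "$2" || return 1
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2"
  fi
}

case "${1:-}" in
  internal)   # run on Srv-interne
    gen_zone baidris.isgi srv-interne 192.168.1.10 ftp site1 site2 > /var/named/baidris.isgi.zone
    check_zone baidris.isgi /var/named/baidris.isgi.zone && rndc reload baidris.isgi ;;
  external)   # run on Srv-externe
    gen_zone baidris.ma srv-externe 20.20.4.3 site1=20.20.4.3 site2=20.20.4.4 ftp > /var/named/baidris.ma.zone
    check_zone baidris.ma /var/named/baidris.ma.zone && rndc reload baidris.ma ;;
esac
```

Each generated file still needs a zone statement in /etc/named.conf (type master, file pointing at the generated name) before rndc reload finds it. zone_lint flags exactly the records as they were written in this section without trailing dots, where a CNAME target such as srv-externe.local would expand to srv-externe.local.baidris.ma under that origin.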

Part III: SMTP on “Srv-externe”

1. Install SMTP Services for the External Domain:

• Install Postfix to handle SMTP:

yum install postfix

• Configure Postfix for the external domain. Edit /etc/postfix/main.cf:

myhostname = srv-externe.local

mydomain = baidris.ma

mydestination = $myhostname, localhost.$mydomain, localhost

relayhost = [smtp.internet-provider.com]

• relayhost stands for the ISP's outbound relay (many ISPs block direct port 25 delivery from customer addresses); mail for the domains in mydestination is delivered locally, everything else goes to the relay. As in section B, $mydomain is missing from mydestination, so mail for baidris.ma is not yet accepted as local, and the default inet_interfaces = localhost must become all before other hosts can deliver here. For Internet mail to arrive, an MX record for baidris.ma must point at this host and port 25 must be opened on Routeur; section D forwards port 25 to Srv-interne instead, so decide which of the two machines is the domain's MX.

• Start and enable Postfix (CentOS 6 commands):

service postfix start

chkconfig postfix on

D. NAT and Firewall Services on “Routeur”

1. Configure NAT for Internal Clients and Verify Internet Access:

• Configure source NAT so that internal clients, whose private addresses are not routable, leave the router with its own address. IP forwarding from section A, Part II must already be on.

• Use iptables to set up NAT (Source NAT) on the ISP-facing interface, eth0 here:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

• Do not restart the iptables service at this point: on CentOS 6, service iptables restart reloads /etc/sysconfig/iptables and discards the rule just added. The set is saved in step 6f once it is complete.

• Verify that internal clients can reach the Internet: ping an external address first, then a name, so that routing and DNS are tested separately.

2. Enable IPTables and Remove All Existing Rules:

• To make the firewall block everything, first delete the existing rules and then set the default policies to DROP. Do this from the VM console: as soon as the policies are DROP, an SSH session to the router stops working until the rules of steps 4 to 6 are in place.

iptables -F

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

• iptables -F empties only the filter table; the MASQUERADE rule from step 1 lives in the nat table and survives, so step 6a would add a duplicate. Flush the nat table as well (iptables -t nat -F) and add MASQUERADE once, in step 6a.

3. Modify Default Policy to Block All Traffic (Incoming, Outgoing, and Transit):

• Ensure the default policies are set to DROP as mentioned above. With OUTPUT at DROP, the router's own traffic (its DNS lookups, the DHCP relay of Part A.IV, yum) needs explicit OUTPUT rules alongside those of step 6.

4. Allow Communications to and from the Loopback Address:

• Local services talk to each other over the loopback interface; allow it in both directions:
iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

5. Allow Established Communications:

• Accept the packets that belong to connections already allowed, and RELATED ones such as ICMP errors or FTP data connections tracked by the nf_conntrack_ftp helper:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

• The FORWARD line is missing from the original text. Without it every reply packet of a routed connection meets the FORWARD DROP policy, and none of the rules in step 6 yield a working connection.

6. Rules Between Zones:

a. Create Specific Rules for Communication Between Zones (Internal → DMZ, NAT, etc.):

• Allow traffic from the internal network to the DMZ, and masquerade what leaves towards the ISP. The MASQUERADE rule is the same as in step 1 and must exist only once; restrict it to internal sources with -s <internal network> so that the DMZ's public addresses are never rewritten:

iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT # Internal → DMZ

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # NAT

b. Allow Specific Traffic (HTTPS, FTP, DNS, SMTP, etc.) from Internal to External (Internet):

• Create rules for the traffic allowed to the Internet. The output interface is part of the match: without -o eth0 these rules would also apply to packets heading for the DMZ or back into the internal network. Plain HTTP (port 80) is not in the list, so web browsing from the LAN is limited to HTTPS unless it is added.

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT # HTTPS

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT # FTP (data connections via nf_conntrack_ftp)

iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT # DNS

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j ACCEPT # SMTP

c. Allow Traffic from External to DMZ (Internet → DMZ):

• Create rules for traffic from the Internet to the DMZ, limited to the published services. Passive FTP data connections are accepted through the RELATED state once the nf_conntrack_ftp module is loaded on the router (modprobe nf_conntrack_ftp):

iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 443 -j ACCEPT # HTTPS

iptables -A FORWARD -i eth0 -o eth2 -p tcp --dport 21 -j ACCEPT # FTP

d. Allow DNS Traffic from Srv-externe to Internet (DMZ → Internet):

• Allow DNS requests from Srv-externe to external DNS servers. Answers larger than 512 bytes fall back to TCP 53, so allow that too with the same pattern:

iptables -A FORWARD -i eth2 -o eth0 -p udp --dport 53 -j ACCEPT

• Nothing so far lets Internet hosts query Srv-externe's own DNS (UDP/TCP 53 inbound to the DMZ), which is needed for BAIDRIS.ma to be resolvable from outside, nor reach whichever host is meant to be the domain's MX on port 25; add those rules following the pattern of 6c.


e. Enable POP3s, IMAP4s on “Srv-interne” and Publish These Services (Port Forwarding):

• On Srv-interne, POP3S and IMAPS are the TLS listeners of Dovecot (ports 995 and 993, ssl = required and a certificate in /etc/dovecot/conf.d/10-ssl.conf). On the router, publish them with destination NAT. Match on the ISP-facing interface only, otherwise the rewrite also applies to packets arriving from the LAN and the DMZ. --to-destination must be the address Srv-interne actually has on the internal network; the original text gives 20.20.4.5, which lies in the DMZ's public range, and is kept here as written:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 995 -j DNAT --to-destination 20.20.4.5:995 # POP3s

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination 20.20.4.5:993 # IMAP4s

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 20.20.4.5:25 # SMTP

• DNAT only rewrites the destination; the rewritten packets are still subject to the FORWARD DROP policy and need a matching accept rule:

iptables -A FORWARD -i eth0 -d 20.20.4.5 -p tcp -m multiport --dports 25,993,995 -j ACCEPT

f. Save the Firewall Rules:

• Save the current ruleset to /etc/sysconfig/iptables so that the iptables service loads it at boot (CentOS 6; make sure the service itself is enabled with chkconfig):

service iptables save
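The script below is an added example, not the document's own: it assembles steps 1 to 6 of this section into one ordered ruleset that works under the DROP policies. It adds a state rule on FORWARD (without it replies to routed connections are dropped), scopes the internal-to-Internet rules with -o eth0, pairs each DNAT with the FORWARD rule it needs, applies NAT once and only to internal sources, and opens what the router itself needs for its DNS lookups and the DHCP relay. Interface names are the document's eth0/eth1/eth2; 192.168.0.0/16 for the internal networks, 20.20.4.0/29 for the DMZ and 203.0.113.1 for the router's public address are assumptions made here, and 20.20.4.5 is kept as the document's DNAT target (replace it with Srv-interne's real internal address). Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the document's own script: the complete ruleset that
# section D builds in steps 1-6, in an order that works under DROP policies.
# Interface names follow the document; addresses are lab assumptions.
set -u

IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead
WAN="${WAN:-eth0}"                     # towards the ISP
LAN="${LAN:-eth1}"                     # internal (Vmnet2/Vmnet3)
DMZ="${DMZ:-eth2}"                     # DMZ with Srv-externe
LAN_NET="${LAN_NET:-192.168.0.0/16}"   # assumption: covers both DHCP subnets
DMZ_NET="${DMZ_NET:-20.20.4.0/29}"     # assumption: the /29 of section C
MAIL_PUB="${MAIL_PUB:-203.0.113.1}"    # assumption: Routeur's public address
MAIL_INT="${MAIL_INT:-20.20.4.5}"      # the document's DNAT target (Srv-interne)

fw_reset() {
  # flush filter AND nat (plain -F touches only filter), drop user chains,
  # then deny everything; run from the console, not over SSH
  $IPT -F; $IPT -t nat -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
}

fw_base() {
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # replies on all three chains: with the rule on INPUT/OUTPUT only, replies
  # to forwarded connections hit the FORWARD DROP policy
  for chain in INPUT OUTPUT FORWARD; do
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  $IPT -A FORWARD -m state --state INVALID -j DROP
  # the router itself: SSH from the LAN, its own DNS lookups, and the DHCP
  # relay of part A.IV (client broadcasts in, relayed unicast/offers out)
  $IPT -A INPUT  -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT  -i "$LAN" -p udp --dport 67 -j ACCEPT
  $IPT -A OUTPUT -o "$LAN" -p udp --sport 67 --dport 67:68 -j ACCEPT
}

fw_forward() {
  # 6a: internal -> DMZ, any service
  $IPT -A FORWARD -i "$LAN" -o "$DMZ" -m state --state NEW -j ACCEPT
  # 6b: internal -> Internet, listed services only; "-o $WAN" keeps these
  # rules from also matching (and widening) traffic to the DMZ
  for port in 443 21 25; do
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 53 -j ACCEPT
  # 6c: Internet -> DMZ, published services only
  for port in 443 21; do
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # 6d: DMZ -> Internet, DNS from Srv-externe (UDP plus the TCP fallback)
  $IPT -A FORWARD -i "$DMZ" -o "$WAN" -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -i "$DMZ" -o "$WAN" -p tcp --dport 53 -j ACCEPT
  # NAT once, for internal sources only; the DMZ keeps its public addresses
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

fw_publish() {
  # 6e: POP3S, IMAPS and SMTP arriving on the public address go to the mail
  # host. DNAT only rewrites the destination; the FORWARD rule is what lets
  # the rewritten packet through the DROP policy.
  for port in 995 993 25; do
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$MAIL_PUB" -p tcp --dport "$port" \
      -j DNAT --to-destination "$MAIL_INT:$port"
    $IPT -A FORWARD -i "$WAN" -d "$MAIL_INT" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
}

fw_main() {
  # FTP data connections are only RELATED once the helper is loaded
  modprobe nf_conntrack_ftp 2>/dev/null || echo "warning: nf_conntrack_ftp not loaded" >&2
  fw_reset; fw_base; fw_forward; fw_publish
}

fw_save() {
  # 6f on CentOS 6: persist to /etc/sysconfig/iptables and load it at boot
  service iptables save && chkconfig iptables on
}

if [ "${1:-}" = "apply" ]; then
  fw_main && fw_save
fi
```

Review the output of `IPT=echo sh firewall.sh apply`-style dry runs before applying: `sh firewall.sh apply` on the router console installs the rules and saves them, and since the policies are DROP before any accept rule exists, an SSH session would be cut off during the reset.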

Summary of Key Commands:

• Install Services: yum install <service-name>

• Configure IPTables: `iptables -A FORWARD -
