A

The document outlines the setup of a network model using VMware, including the creation of virtual machines with specific packages, network configuration, and service setups for DHCP, DNS, FTP, HTTP, SMTP, and more. It details the configuration of routing, NAT, and firewall rules on a router, as well as the establishment of internal and external services. Each section provides step-by-step instructions for installation and configuration, ensuring a comprehensive network environment.

Uploaded by khadijakhalloq2

A.

Part I: Creation of the Model Using VMware

1. Create Virtual Machines (VMs):

• VM1: CentOS 7 minimal with packages:

dhcp, bind, nfs-utils, samba, vsftpd, openssh-server, openldap, openldap-clients, openldap-servers, httpd, mod_ssl, postfix, dovecot

• VM2: CentOS 6 minimal with packages:

dhcp, dhcp-devel, bind, nfs-utils, samba, vsftpd, openssh-server, openldap, openldap-clients, openldap-servers, httpd, mod_ssl, postfix, dovecot

2. Copy VMs for the Model:

• Srv-interne: CentOS 7, 256MB RAM

• Srv-externe: CentOS 6, 128MB RAM

• Routeur: CentOS 6, 128MB RAM

3. Configure Network Interfaces: Connect the virtual network cards according to the
provided network diagram.

4. Disable Firewalls:

• For iptables (CentOS 6):

service iptables stop

chkconfig iptables off

• For firewalld (CentOS 7):

systemctl stop firewalld

systemctl disable firewalld

5. Verify Package Installation: Ensure all specified packages are installed on both machines.

6. Configure Services: Enable the following services to start automatically:

• DHCP

• DHCP Relay

• DNS

• NFS

• Samba

• FTP

• SSH

• HTTP

• SMTP

• POP3

7. Disable SELinux Permanently:

• Edit /etc/selinux/config and set:

SELINUX=disabled

• Reboot the system.
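The following script is an added example, not part of the lab handout: it checks one VM against steps 4 to 7 (firewall off, packages present, services enabled at boot, SELinux disabled in the config file). The pure helpers take their input as arguments, so the checks can be reasoned about without root; the real system checks only run when LAB_CHECK=1 is set. The list of packages and the service names (dhcpd, named, nfs-server, smb, vsftpd, sshd, httpd, postfix, dovecot; on CentOS 6 the NFS service is called nfs) are assumptions taken from the package list above.

```shell
#!/bin/sh
# Added example (not from the lab handout): sanity-check a lab VM after
# Part I steps 4-7. Pure helpers take their input as arguments; the real
# checks at the bottom run only with LAB_CHECK=1 in the environment.

# Packages the lab requires on both server images (assumed complete).
LAB_PKGS="dhcp bind nfs-utils samba vsftpd openssh-server openldap openldap-clients openldap-servers httpd mod_ssl postfix dovecot"

# Print the packages from the argument list that are absent from INSTALLED,
# a newline-separated list of names such as `rpm -qa --qf '%{NAME}\n'` prints.
missing_pkgs() {   # missing_pkgs INSTALLED PKG...
    installed=$1; shift
    for p in "$@"; do
        printf '%s\n' "$installed" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Effective SELINUX= value of a config file, ignoring commented lines
# (the last active assignment wins). Prints "unset" when there is none.
selinux_setting() {   # selinux_setting FILE
    v=$(grep -E '^[[:space:]]*SELINUX=' "$1" | tail -n1 | cut -d= -f2 | tr -d '[:space:]')
    printf '%s\n' "${v:-unset}"
}

# Which init system manages services here: systemd (CentOS 7) or sysv (CentOS 6).
init_system() {
    if [ -d /run/systemd/system ]; then echo systemd; else echo sysv; fi
}

# Return 0 if the service starts at boot under the given init system.
service_enabled() {   # service_enabled NAME INIT
    case "$2" in
        systemd) systemctl is-enabled "$1" >/dev/null 2>&1 ;;
        sysv)    chkconfig --list "$1" 2>/dev/null | grep -q '3:on' ;;
    esac
}

if [ "${LAB_CHECK:-0}" = 1 ]; then
    init=$(init_system)
    echo "init system: $init"
    echo "selinux config: $(selinux_setting /etc/selinux/config), running: $(getenforce 2>/dev/null || echo n/a)"
    missing=$(missing_pkgs "$(rpm -qa --qf '%{NAME}\n')" $LAB_PKGS)
    if [ -z "$missing" ]; then echo "all lab packages installed"; else printf 'missing packages:\n%s\n' "$missing"; fi
    for s in dhcpd named nfs-server smb vsftpd sshd httpd postfix dovecot; do
        if service_enabled "$s" "$init"; then echo "enabled: $s"; else echo "NOT enabled: $s"; fi
    done
    # Firewalls are meant to be off at this stage; they return on Routeur in section D.
    case "$init" in
        systemd) systemctl is-active firewalld >/dev/null 2>&1 && echo "WARNING: firewalld still running" ;;
        sysv)    service iptables status >/dev/null 2>&1 && echo "WARNING: iptables still running" ;;
    esac
fi
```

Run it as root with LAB_CHECK=1 on each VM after the reboot of step 7; the SELinux line shows both the configured and the running mode, which differ until that reboot has happened.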

Part II: Routing on “Routeur” and Default Gateway Configuration

1. Enable Routing on “Routeur”:

• Edit /etc/sysctl.conf and add:

net.ipv4.ip_forward = 1

• Apply the change:

sysctl -p

2. Add a Route to “Srv-externe”:

route add -net <Srv-externe network> netmask <subnet mask> gw <gateway>

3. Add a Default Route to “ISP”:

route add default gw <ISP gateway>

4. Set Default Gateway for All Machines:

Edit /etc/sysconfig/network-scripts/ifcfg-<interface> on all machines to set the default gateway.
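The commands in Part II take effect immediately but `route add` does not survive a reboot; on CentOS 6 and 7 the persistent places are GATEWAY= in ifcfg-<interface> and a route-<interface> file next to it. The script below is an added example, not the handout's own commands: it renders those files and reads back the ip_forward setting the way sysctl resolves it (last uncommented assignment wins). Interface names and addresses (eth0/eth1, 192.168.1.0/24 for the internal network, 20.20.16.0/29 for the Srv-externe side, 192.168.1.254 as Routeur's internal address) are constructed placeholders to adapt to the network diagram.

```shell
#!/bin/sh
# Added example (not from the lab handout): persistent form of the Part II
# routing setup. Interface names and addresses are placeholders.

# Render an ifcfg file for a statically addressed interface.
# Usage: render_ifcfg IFACE IPADDR PREFIX [GATEWAY]
render_ifcfg() {
    printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=%s\nPREFIX=%s\n' "$1" "$2" "$3"
    [ -n "${4:-}" ] && printf 'GATEWAY=%s\n' "$4"
    return 0
}

# Render a route-<iface> file in the "NET/PREFIX via GW" form understood by
# both releases (one route per argument).
render_route_file() {   # render_route_file "NET/PREFIX via GW" ...
    for r in "$@"; do printf '%s\n' "$r"; done
}

# Effective net.ipv4.ip_forward value of a sysctl.conf-style file. Prints 0
# when the file does not set it, which is also the kernel default.
ip_forward_setting() {   # ip_forward_setting FILE
    v=$(grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" | tail -n1 | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]')
    printf '%s\n' "${v:-0}"
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    # On "Routeur": enable forwarding (persistently) and add the route towards
    # Srv-externe; the next-hop 10.0.0.2 is a constructed placeholder.
    grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -p
    echo "ip_forward configured: $(ip_forward_setting /etc/sysctl.conf), live: $(cat /proc/sys/net/ipv4/ip_forward)"
    render_route_file "20.20.16.0/29 via 10.0.0.2" > /etc/sysconfig/network-scripts/route-eth1
    # On every other machine: default gateway on the interface facing Routeur.
    render_ifcfg eth0 192.168.1.10 24 192.168.1.254 > /etc/sysconfig/network-scripts/ifcfg-eth0
    service network restart 2>/dev/null || systemctl restart network
    ip route show    # verify: exactly one default route, plus the Srv-externe route on Routeur
fi
```

Adding ONBOOT=yes matters: a VM cloned from a minimal install often has it set to no, in which case the gateway line is never applied.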

Part III: DHCP on “Srv-interne”

1. Install and Configure DHCP Server:

• Install the package:

yum install dhcp

• Edit /etc/dhcp/dhcpd.conf to create two address pools:


• For Vmnet2

• For Vmnet3 (include a reservation for “Srv-externe”).

Part IV: DHCP Relay on “Routeur”

1. Install and Configure DHCP Relay:

• Install the package:

yum install dhcp-relay

• Configure the relay to forward requests from Vmnet3 to the DHCP server on Srv-interne.
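Parts III and IV together, as an added example that is not the handout's own configuration. The subnets are assumptions: Vmnet2 = 192.168.1.0/24 (internal, Srv-interne at 192.168.1.1), Vmnet3 = 20.20.16.0/29 (the side where Srv-externe lives, Routeur at 20.20.16.1). The MAC address in the reservation is a constructed placeholder; take the real one from `ip link` on Srv-externe. The relay is configured through /etc/sysconfig/dhcrelay, which is how the dhcrelay service of CentOS 6 (the release Routeur runs) reads its settings; on CentOS 6 and 7 the dhcrelay binary ships in the dhcp package.

```shell
#!/bin/sh
# Added example (not the lab's own files): dhcpd.conf for "Srv-interne" with
# one pool per VMware network, a reservation for Srv-externe, and the relay
# settings for "Routeur". Addressing and the MAC address are assumptions.

render_dhcpd_conf() {
    cat <<'EOF'
# dhcpd.conf for the lab model (assumed addressing)
authoritative;
default-lease-time 600;
max-lease-time 7200;

# Vmnet2: internal clients, served directly by Srv-interne.
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.254;
    option domain-name "HOUCHAIMI.isgi";
    option domain-name-servers 192.168.1.1;
}

# Vmnet3: requests arrive through the relay on Routeur. dhcpd picks this
# pool because the relay stamps its own address (giaddr = 20.20.16.1) into
# the request, so a subnet declaration covering that address must exist.
subnet 20.20.16.0 netmask 255.255.255.248 {
    range 20.20.16.5 20.20.16.6;
    option routers 20.20.16.1;
    option domain-name "HOUCHAIMI.ma";
}

# Reservation: Srv-externe always receives 20.20.16.2 (MAC is a placeholder).
host srv-externe {
    hardware ethernet 00:0c:29:00:00:02;
    fixed-address 20.20.16.2;
}
EOF
}

# Settings file read by the CentOS 6 dhcrelay init script: the interfaces
# to listen on and the server to relay to.
render_relay_sysconfig() {   # render_relay_sysconfig "IFACES" DHCP_SERVER
    printf 'INTERFACES="%s"\nDHCPSERVERS="%s"\n' "$1" "$2"
}

# Does a dhcpd.conf (on stdin) contain a fixed-address reservation for HOST?
has_reservation() {   # has_reservation HOSTNAME < dhcpd.conf
    awk -v h="$1" '$1=="host" && $2==h {inhost=1}
                   inhost && /fixed-address/ {found=1}
                   /}/ {inhost=0}
                   END {exit !found}'
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    # Srv-interne (CentOS 7)
    render_dhcpd_conf > /etc/dhcp/dhcpd.conf
    dhcpd -t -cf /etc/dhcp/dhcpd.conf          # syntax check before restarting
    systemctl restart dhcpd && systemctl enable dhcpd
    # Routeur (CentOS 6): relay Vmnet3 requests to Srv-interne. Both interfaces
    # are listed so the reply can travel back out towards the client.
    render_relay_sysconfig "eth1 eth2" 192.168.1.1 > /etc/sysconfig/dhcrelay
    service dhcrelay restart && chkconfig dhcrelay on
    tail -f /var/log/messages   # DHCPDISCOVER/DHCPOFFER lines show the relay working
fi
```

The reservation address and the dynamic range are kept apart on purpose: the external services in section C bind 20.20.16.3 and 20.20.16.4 statically, and a pool that overlapped them would eventually hand those addresses to another client.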

Part V: DNS Configuration

External DNS on “Srv-externe”:

1. Install and configure Bind for the domain HOUCHAIMI.ma:

• Add NS and A records for “Srv-externe”.

2. Register the external domain with a .ma registrar (handled by the instructor).

Internal DNS on “Srv-interne”:

3. Install and configure Bind for the domain HOUCHAIMI.isgi:

• Add NS and A records for “Srv-interne”.

4. Configure “Srv-interne” to use “Srv-externe” as a DNS Forwarder.

B.

Part I: FTP on “Srv-interne”

1. Install FTP Service:

yum install vsftpd

2. Configure FTP for Authenticated Access Only:

• Edit /etc/vsftpd/vsftpd.conf:

anonymous_enable=NO

local_enable=YES

• Restart the service:

systemctl restart vsftpd

systemctl enable vsftpd


Part II: HTTP for Two Websites on “Srv-interne”

1. Install HTTP Service:

yum install httpd

2. Create Two Websites on Different Ports:

• Site 1 (Port 80):

• Create the directory and default page:

mkdir /site1

echo "Welcome to Site 1" > /site1/index.html

• Configure a virtual host:

Edit /etc/httpd/conf.d/site1.conf:

<VirtualHost *:80>

DocumentRoot /site1

</VirtualHost>

• Site 2 (Port 8008):

• Create the directory and default page:

mkdir /site2

echo "Welcome to Site 2" > /site2/index.html

• Configure a virtual host:

Edit /etc/httpd/conf.d/site2.conf:

Listen 8008

<VirtualHost *:8008>

DocumentRoot /site2

</VirtualHost>

(Listen is a server-level directive and is not allowed inside a <VirtualHost> block; httpd refuses to start with a “Listen not allowed here” error if it is placed there.)

• Restart HTTP service:

systemctl restart httpd

systemctl enable httpd

Part III: SMTP on “Srv-interne”


1. Install SMTP Service (Postfix):

yum install postfix

2. Configure SMTP for Internal Domain:

• Edit /etc/postfix/main.cf:

myhostname = mail.HOUCHAIMI.isgi

mydomain = HOUCHAIMI.isgi

relayhost = [20.20.16.2]

• Restart Postfix:

systemctl restart postfix

systemctl enable postfix

Part IV: POP3 on “Srv-interne”

1. Install POP3 Service (Dovecot):

yum install dovecot

2. Configure Dovecot for the Internal Domain:

• Edit /etc/dovecot/dovecot.conf and /etc/dovecot/conf.d/10-mail.conf to enable POP3.

• Restart Dovecot:

systemctl restart dovecot

systemctl enable dovecot
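Parts III and IV of this section, as an added example that is not the handout's own configuration: the Postfix settings are applied with `postconf -e`, Dovecot is switched to POP3 through a single override file, and a helper reads back a main.cf value the way postconf resolves it (last uncommented assignment wins). Everything beyond the three main.cf lines above is an assumption: Maildir storage, Postfix listening on all interfaces, mynetworks covering the internal 192.168.1.0/24, and Dovecot authenticating against the system users (the AYOUB account of Part V). Dovecot's default of refusing plaintext logins without TLS is left in place, so mail clients use POP3S on 995, which is the port Routeur forwards in section D.

```shell
#!/bin/sh
# Added example (not the lab's own files): Postfix + Dovecot on "Srv-interne"
# for the internal domain, with a read-back check. Settings not shown in the
# handout (Maildir, mynetworks, interfaces) are assumptions.

# Value of KEY in a main.cf-style file; expects the usual "key = value"
# spacing. The last uncommented assignment wins; prints nothing if unset.
main_cf_value() {   # main_cf_value FILE KEY
    awk -v k="$2" '/^[[:space:]]*#/ {next}
                   $1==k && $2=="=" {v=$3; for (i=4;i<=NF;i++) v=v" "$i}
                   END {print v}' "$1"
}

# Dovecot override: enables POP3 (and IMAP, also forwarded in section D)
# with mail stored in each user's Maildir.
render_dovecot_local() {
    cat <<'EOF'
# /etc/dovecot/local.conf: read after dovecot.conf and conf.d/* (added example)
protocols = pop3 imap
listen = *
mail_location = maildir:~/Maildir
EOF
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    postconf -e "myhostname = mail.HOUCHAIMI.isgi" \
               "mydomain = HOUCHAIMI.isgi" \
               "myorigin = \$mydomain" \
               "inet_interfaces = all" \
               "mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain" \
               "mynetworks = 127.0.0.0/8, 192.168.1.0/24" \
               "relayhost = [20.20.16.2]" \
               "home_mailbox = Maildir/"
    systemctl restart postfix && systemctl enable postfix
    render_dovecot_local > /etc/dovecot/local.conf
    doveconf -n >/dev/null && systemctl restart dovecot && systemctl enable dovecot
    # Checks: the setting took effect, the daemons listen, and a local message
    # lands in the user's Maildir (needs the mailx package for `mail`).
    echo "relayhost is: $(main_cf_value /etc/postfix/main.cf relayhost)"
    ss -ltn | grep -E ':(25|110|143|995) '
    echo "test body" | mail -s "lab test" AYOUB@HOUCHAIMI.isgi && sleep 2 && ls /home/AYOUB/Maildir/new
fi
```

The relayhost line sends every message for a domain Postfix does not hold itself to 20.20.16.2, so a message addressed outside HOUCHAIMI.isgi only leaves the internal server if that host accepts relaying from 192.168.1.1.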

Part V: NFS and SAMBA on “Srv-interne”

1. Create the User and Group:

useradd AYOUB

passwd AYOUB

groupadd HOUCHAIMI

usermod -aG HOUCHAIMI AYOUB

2. Create Directory Structure and Set Permissions:

mkdir -p /HOUCHAIMI/AYOUB

chmod -R 777 /HOUCHAIMI/AYOUB


NFS Configuration:

3. Share Directory via NFS:

• Edit /etc/exports:

/HOUCHAIMI 192.168.1.0/24(rw,sync) *(ro,sync)

• Restart NFS:

systemctl restart nfs-server

systemctl enable nfs-server

Samba Configuration:

4. Share Directory via SAMBA:

• Add a Samba password for AYOUB:

smbpasswd -a AYOUB

• Edit /etc/samba/smb.conf:

[partage-AYOUB]

path = /HOUCHAIMI/AYOUB

valid users = AYOUB, @root

read only = no

create mask = 0660

directory mask = 0770

• Restart Samba:

systemctl restart smb

systemctl enable smb
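Part V as an added example, not the handout's own commands, with two checks the step list leaves out. First, changes to /etc/exports only become visible after `exportfs -ra` (or a restart of nfs-server), and `exportfs -v` shows what the kernel actually exports. Second, the `*(ro,sync)` entry lets every host that can reach port 2049 read /HOUCHAIMI; the script flags any such world-readable export so that it stays a deliberate choice. Share name, path, user and group are the handout's.

```shell
#!/bin/sh
# Added example (not the lab's own commands): apply and verify the NFS and
# Samba shares of Part V, with an audit of world-readable exports.

# Print the lines of an exports file that grant access to every client: an
# entry whose client is "*", or a path with no client list at all.
# Returns 0 when at least one such line exists.
world_readable_exports() {   # world_readable_exports FILE
    awk '/^[[:space:]]*(#|$)/ {next}
         NF==1 {print; found=1; next}
         {for (i=2;i<=NF;i++) if ($i ~ /^\*/) {print; found=1; break}}
         END {exit !found}' "$1"
}

# Samba share section with the handout's settings.
render_smb_share() {   # render_smb_share NAME PATH USER GROUP
    cat <<EOF
[$1]
    path = $2
    valid users = $3, @$4
    read only = no
    create mask = 0660
    directory mask = 0770
EOF
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    printf '/HOUCHAIMI 192.168.1.0/24(rw,sync) *(ro,sync)\n' > /etc/exports
    world_readable_exports /etc/exports && echo "WARNING: export readable by any host"
    exportfs -ra && exportfs -v              # what the kernel exports right now
    showmount -e localhost                   # what a client would be told
    render_smb_share partage-AYOUB /HOUCHAIMI/AYOUB AYOUB root >> /etc/samba/smb.conf
    testparm -s >/dev/null && systemctl restart smb && systemctl enable smb
    smbclient -L localhost -U AYOUB          # partage-AYOUB must appear after the password prompt
fi
```

`testparm -s` parses smb.conf and exits non-zero on a syntax error, so the restart only happens when the new section is well-formed; a bad section would otherwise take down the whole Samba service, not just the new share.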

Part VI: SSH on “Srv-interne” and Other Servers

1. Generate SSH Key Pair on “Srv-interne”:

ssh-keygen -t dsa -f /home/AYOUB/.ssh/id_dsa

2. Copy the Public Key to Other Machines:

ssh-copy-id AYOUB@<Srv-externe or Routeur IP>
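Part VI as an added example, not the handout's own commands, with the check that makes the difference between a key that works and one that is silently refused: OpenSSH 7.0 and later (CentOS 7 ships 7.4) no longer accept ssh-dss keys by default, so a DSA key copied to a CentOS 7 host is ignored and the login falls back to a password prompt. The script inspects the client's default key-type list (`ssh -G`, available from OpenSSH 6.8; older clients such as the one on CentOS 6 still accept DSA) and generates an RSA key instead when DSA is off. The target addresses are assumptions (20.20.16.2 for Srv-externe, 192.168.1.254 for Routeur).

```shell
#!/bin/sh
# Added example (not the lab's own commands): Part VI with a key-type check.
# Target addresses are placeholders.

# Does the client's default PubkeyAcceptedKeyTypes/Algorithms list include
# ssh-dss? Input: the output of `ssh -G somehost`. Empty input means an
# OpenSSH too old for -G, where DSA is still enabled by default.
dsa_enabled_by_default() {   # dsa_enabled_by_default "<ssh -G output>"
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | awk 'tolower($1) ~ /^pubkeyaccepted/ {
                                 n=split($2,a,","); for (i=1;i<=n;i++) if (a[i]=="ssh-dss") ok=1 }
                              END {exit !ok}'
}

# The handout's dsa when the client still offers it, rsa otherwise.
choose_key_type() {   # choose_key_type "<ssh -G output>"
    if dsa_enabled_by_default "$1"; then echo dsa; else echo rsa; fi
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    t=$(choose_key_type "$(ssh -G localhost 2>/dev/null || true)")
    echo "generating an $t key for AYOUB"
    su - AYOUB -c "mkdir -p -m 700 ~/.ssh && ssh-keygen -t $t -f ~/.ssh/id_$t -N ''"
    for h in 20.20.16.2 192.168.1.254; do    # Srv-externe, Routeur (assumed addresses)
        su - AYOUB -c "ssh-copy-id -i ~/.ssh/id_$t.pub AYOUB@$h"
        # Key-only login must now work: BatchMode fails instead of prompting
        # for a password, which would otherwise hide a rejected key.
        su - AYOUB -c "ssh -o BatchMode=yes AYOUB@$h 'hostname; id'"
    done
fi
```

When the BatchMode login fails on a CentOS 7 target, `ssh -v` shows the key being offered and skipped; widening PubkeyAcceptedKeyTypes on the server is the alternative to switching key types, but it re-enables an algorithm that upstream disabled for a reason.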

Part VII: Add CNAME Records in Internal DNS


1. Edit DNS Zone File for “HOUCHAIMI.isgi” on “Srv-interne”:

• Add the following CNAME records:

ftp IN CNAME srv-interne

www IN CNAME srv-interne

site2 IN CNAME srv-interne

2. Restart the DNS Service:

systemctl restart named
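The internal DNS of section A Part V and the CNAME records of Part VII in one added example (not the handout's own zone files): the zone for HOUCHAIMI.isgi with the NS and A records, the three aliases, a forwarder pointing at Srv-externe, and the syntax checks that catch a mistake before named is restarted. Addresses are assumptions (Srv-interne 192.168.1.1, Srv-externe 20.20.16.2, internal network 192.168.1.0/24). The serial helper covers the most common reason a new record "does not appear": BIND ignores a reload whose SOA serial did not increase. The external zone HOUCHAIMI.ma on Srv-externe is built the same way, with the A and CNAME records of section C pointing at 20.20.16.3 and 20.20.16.4 and no forwarders block.

```shell
#!/bin/sh
# Added example (not the lab's own files): internal zone + forwarder for
# "Srv-interne". Addresses are assumptions.

ZONE=HOUCHAIMI.isgi
SRV_INTERNE_IP=192.168.1.1
SRV_EXTERNE_IP=20.20.16.2

# Next date-based SOA serial (YYYYMMDDnn): same day increments nn, a new
# day restarts at 01. Any non-matching current serial yields today's 01.
next_serial() {   # next_serial CURRENT_SERIAL TODAY(YYYYMMDD)
    cur=$1; today=$2
    if [ "${cur%??}" = "$today" ]; then
        n=${cur#$today}; n=$((${n#0} + 1))
    else
        n=1
    fi
    printf '%s%02d\n' "$today" "$n"
}

render_zone() {   # render_zone SERIAL
    cat <<EOF
\$TTL 86400
@           IN SOA   srv-interne.$ZONE. admin.$ZONE. (
                     $1 ; serial
                     3600 ; refresh
                     900 ; retry
                     604800 ; expire
                     86400 ) ; minimum
@           IN NS    srv-interne.$ZONE.
srv-interne IN A     $SRV_INTERNE_IP
; Part VII aliases: every service name resolves to the same host.
ftp         IN CNAME srv-interne
www         IN CNAME srv-interne
site2       IN CNAME srv-interne
EOF
}

# named.conf: answer the internal network only, forward everything else
# to Srv-externe.
render_named_conf() {
    cat <<EOF
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; $SRV_INTERNE_IP; };
    allow-query { localhost; 192.168.1.0/24; };
    recursion yes;
    forwarders { $SRV_EXTERNE_IP; };
    forward only;
};
zone "$ZONE" IN { type master; file "$ZONE.zone"; };
EOF
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    current=$(awk '/; serial/ {print $1}' "/var/named/$ZONE.zone" 2>/dev/null || echo 0)
    serial=$(next_serial "$current" "$(date +%Y%m%d)")
    render_zone "$serial" > "/var/named/$ZONE.zone"
    render_named_conf > /etc/named.conf
    named-checkconf /etc/named.conf && named-checkzone "$ZONE" "/var/named/$ZONE.zone" \
        && systemctl restart named
    dig +short www.$ZONE @$SRV_INTERNE_IP    # expect the alias target, then 192.168.1.1
    dig +short google.com @$SRV_INTERNE_IP   # answered through the forwarder on Srv-externe
fi
```

`allow-query` is restricted to the internal network because Srv-interne is a recursive resolver; an open recursive resolver answers anyone who can reach it and is a reflection vector.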

C: External Services (FTP, HTTP, and SMTP)

Part I: FTP on “Srv-externe”

1. Assign a Second IP Address:

• Add 20.20.16.3/29 to the network interface:

nmcli connection modify "ensXX" ipv4.addresses "20.20.16.3/29"

nmcli connection up "ensXX"

• Verify with:

ip addr show

2. Install FTP Service:

yum install vsftpd

3. Create Documents and Start the FTP Service:

• Add sample files in the FTP default directory (/var/ftp/pub):

echo "File1 Content" > /var/ftp/pub/file1.txt

echo "File2 Content" > /var/ftp/pub/file2.txt

• Start the service:

systemctl restart vsftpd

systemctl enable vsftpd

Part II: HTTP for Two Sites on Different Addresses

1. Install HTTP Service:

yum install httpd


2. Create Two Websites on Different Addresses:

• Site 1:

• Create the directory and default page:

mkdir /var/www/html/site1

echo "Welcome to Site 1" > /var/www/html/site1/index.html

• Add a virtual host in /etc/httpd/conf.d/site1.conf:

<VirtualHost 20.20.16.3:80>

DocumentRoot /var/www/html/site1

</VirtualHost>

• Site 2:

• Create the directory and default page:

mkdir /var/www/html/site2

echo "Welcome to Site 2" > /var/www/html/site2/index.html

• Add a virtual host in /etc/httpd/conf.d/site2.conf:

<VirtualHost 20.20.16.4:80>

DocumentRoot /var/www/html/site2

</VirtualHost>

• Restart HTTP:

systemctl restart httpd

systemctl enable httpd

3. Add DNS Records:

• Update the DNS server zone file for public DNS:

site1 IN A 20.20.16.3

site2 IN A 20.20.16.4

ftp IN CNAME srv-externe
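One added example, not the lab's own configuration, that serves both HTTP parts: the two port-based sites of section B Part II on Srv-interne and the two address-based sites of this section on Srv-externe come from the same helper. It keeps `Listen` in server context, where httpd requires it (`apachectl configtest` rejects a `Listen` inside <VirtualHost>), only emits a `Listen` for ports the stock httpd.conf does not already declare, and grants directory access for a DocumentRoot outside /var/www, which is what makes the handout's /site1 and /site2 on CentOS 7 answer 200 instead of 403. The ServerName values and the page texts are assumptions; the DNS records of step 3 are expected to exist in the HOUCHAIMI.ma zone.

```shell
#!/bin/sh
# Added example (not the lab's own files): Apache vhosts for both HTTP parts.
# ServerName values are assumptions.

# Emit one <VirtualHost> block. A DocumentRoot outside /var/www gets its own
# access grant (Apache 2.4 syntax, as shipped on CentOS 7 where /site1 and
# /site2 live); paths under /var/www are already granted by httpd.conf.
render_vhost() {   # render_vhost ADDR PORT DOCROOT SERVERNAME   (ADDR may be *)
    printf '<VirtualHost %s:%s>\n    ServerName %s\n    DocumentRoot %s\n' "$1" "$2" "$4" "$3"
    case "$3" in
        /var/www/*) ;;
        *) printf '    <Directory %s>\n        Require all granted\n    </Directory>\n' "$3" ;;
    esac
    printf '</VirtualHost>\n'
}

# Listen lines needed for a set of ADDR:PORT bindings, without duplicates and
# without port 80, which the stock httpd.conf already declares.
listen_lines() {   # listen_lines ADDR:PORT ...
    for b in "$@"; do
        port=${b##*:}
        [ "$port" = 80 ] || printf 'Listen %s\n' "$port"
    done | sort -u
}

make_site() {   # make_site DOCROOT TEXT   (constructed page content)
    mkdir -p "$1" && printf '%s\n' "$2" > "$1/index.html"
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    case "$(hostname -s)" in
    srv-interne)   # B Part II: one address, ports 80 and 8008
        make_site /site1 "Welcome to Site 1"; make_site /site2 "Welcome to Site 2"
        { listen_lines '*:80' '*:8008'
          render_vhost '*' 80   /site1 www.HOUCHAIMI.isgi
          render_vhost '*' 8008 /site2 site2.HOUCHAIMI.isgi; } > /etc/httpd/conf.d/sites.conf ;;
    srv-externe)   # C Part II: two addresses, port 80 on each
        make_site /var/www/html/site1 "Welcome to Site 1"; make_site /var/www/html/site2 "Welcome to Site 2"
        { render_vhost 20.20.16.3 80 /var/www/html/site1 site1.HOUCHAIMI.ma
          render_vhost 20.20.16.4 80 /var/www/html/site2 site2.HOUCHAIMI.ma; } > /etc/httpd/conf.d/sites.conf ;;
    esac
    apachectl configtest && systemctl restart httpd && systemctl enable httpd
    # Verify each site answers its own page; --resolve needs no DNS entry yet.
    curl -s --resolve site2.HOUCHAIMI.isgi:8008:127.0.0.1 http://site2.HOUCHAIMI.isgi:8008/
    curl -s http://20.20.16.4/     # on Srv-externe: "Welcome to Site 2"
fi
```

On Srv-externe the second address must already be configured on the interface (Part I of this section); a <VirtualHost 20.20.16.4:80> whose address is not bound locally is accepted by configtest but never receives a connection.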

Part III: SMTP on “Srv-externe”


1. Install SMTP Service (Postfix):

yum install postfix

2. Configure for External Domain:

• Edit /etc/postfix/main.cf:

myhostname = mail.HOUCHAIMI.ma

mydomain = HOUCHAIMI.ma

• Restart Postfix:

systemctl restart postfix

systemctl enable postfix

D: NAT and Firewall on “Routeur”

Part I: NAT Configuration

1. Enable IP Forwarding:

Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Apply the changes:

sysctl -p

2. Configure NAT for Internal Clients:

• Add NAT rule:

iptables -t nat -A POSTROUTING -o ensXX -j MASQUERADE

• Save the rules:

service iptables save

3. Verify Internet Access:

Test from internal clients using ping to an external IP.

Part II: Enable and Configure Firewall

1. Enable IPTABLES:

“Routeur” runs CentOS 6, so the service is managed with the SysV tools (the same family as the service iptables save command used below):

service iptables start

chkconfig iptables on

(On CentOS 7 the equivalents are systemctl start iptables and systemctl enable iptables; they require the iptables-services package and firewalld to be disabled, as done in Part I.)


2. Delete All Existing Rules:

iptables -F

iptables -t nat -F

iptables -t mangle -F

3. Set Default Policies to Deny All Traffic:

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

4. Add Rules for Loopback Traffic:

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

5. Allow Established Connections:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Part III: Create Firewall Rules

1. Rules for Internal to DMZ Traffic and NAT:

iptables -A FORWARD -i ensXX -o dmzXX -j ACCEPT

iptables -A FORWARD -i dmzXX -o ensXX -j ACCEPT

iptables -t nat -A POSTROUTING -o ensXX -j MASQUERADE

2. Allow Specific Protocols (HTTPS, FTP, DNS, SMTPs, POP3s, PING):

iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

iptables -A FORWARD -p udp --dport 53 -j ACCEPT

iptables -A FORWARD -p tcp --dport 465 -j ACCEPT

iptables -A FORWARD -p tcp --dport 995 -j ACCEPT

iptables -A FORWARD -p icmp -j ACCEPT

3. DNS Access from “Srv-externe” to Internet:

This traffic passes through “Routeur” rather than originating from it, so it is matched in the FORWARD chain (the OUTPUT chain only sees packets the router generates itself):

iptables -A FORWARD -s 20.20.16.3 -p udp --dport 53 -j ACCEPT

4. Port Forwarding for POP3s, IMAP4s, SMTPs:

iptables -t nat -A PREROUTING -p tcp --dport 995 -j DNAT --to-destination 192.168.x.x:995

iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.x.x:993

iptables -t nat -A PREROUTING -p tcp --dport 465 -j DNAT --to-destination 192.168.x.x:465

5. Save the Rules:

service iptables save
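The whole of section D as one ruleset in iptables-restore format, an added example that is not the handout's own rule list. Building it in one function lets the result be reviewed as a whole and loaded atomically, and it differs from the step-by-step commands in four places that a reviewer would raise: the ESTABLISHED,RELATED rules come first and also exist in FORWARD (without that rule, reply packets to the port-scoped FORWARD accepts hit the DROP policy and nothing works); the Srv-externe DNS rule is in FORWARD, since the router forwards that traffic rather than generating it; the DNATs are limited to the WAN interface; and the forwarded 993 traffic gets the FORWARD accept it needs. Interface names and the mail server address are placeholders (eth0 = ISP, eth1 = Vmnet2, eth2 = Vmnet3, 192.168.1.1 = Srv-interne).

```shell
#!/bin/sh
# Added example (not the lab's own rule list): section D as one reviewable
# ruleset. Interfaces and the mail server address are placeholders.

render_rules() {   # render_rules WAN LAN DMZ MAIL_IP
    wan=$1; lan=$2; dmz=$3; mail=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwards from the ISP side to the internal mail server (Part III step 4)
-A PREROUTING -i $wan -p tcp --dport 995 -j DNAT --to-destination $mail:995
-A PREROUTING -i $wan -p tcp --dport 993 -j DNAT --to-destination $mail:993
-A PREROUTING -i $wan -p tcp --dport 465 -j DNAT --to-destination $mail:465
# Hide internal and DMZ addresses behind the WAN address (Part I / Part III step 1)
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal <-> DMZ (Part III step 1)
-A FORWARD -i $lan -o $dmz -j ACCEPT
-A FORWARD -i $dmz -o $lan -j ACCEPT
# Internal clients to the Internet, listed protocols only (step 2). FTP data
# connections count as RELATED only if the nf_conntrack_ftp module is loaded.
-A FORWARD -i $lan -o $wan -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 21 -j ACCEPT
-A FORWARD -i $lan -o $wan -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 465 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 995 -j ACCEPT
-A FORWARD -i $lan -o $wan -p icmp -j ACCEPT
# Srv-externe resolves Internet names (step 3)
-A FORWARD -i $dmz -o $wan -s 20.20.16.3 -p udp --dport 53 -j ACCEPT
# Packets the DNATs above redirect to the mail server (step 4)
-A FORWARD -i $wan -d $mail -p tcp -m multiport --dports 995,993,465 -j ACCEPT
COMMIT
EOF
}

# Classic omission check: every port DNATed in PREROUTING also needs a
# FORWARD accept, or the redirected packets die on the DROP policy. Reads a
# ruleset on stdin and prints DNAT ports with no FORWARD accept (by port
# only, so it is a coarse check).
dnat_ports_without_forward() {
    awk '$1=="-A" && $2=="PREROUTING" && /-j DNAT/ {
             for (i=1;i<=NF;i++) if ($i=="--dport") dnat[$(i+1)]=1 }
         $1=="-A" && $2=="FORWARD" && $NF=="ACCEPT" {
             for (i=1;i<=NF;i++) if ($i=="--dport" || $i=="--dports") {
                 n=split($(i+1),p,","); for (j=1;j<=n;j++) fwd[p[j]]=1 } }
         END { for (d in dnat) if (!(d in fwd)) print d }'
}

if [ "${LAB_APPLY:-0}" = 1 ]; then
    render_rules eth0 eth1 eth2 192.168.1.1 > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables    # replaces all tables in one step
    service iptables save                         # CentOS 6 on Routeur
    iptables -L FORWARD -n -v --line-numbers      # counters show which rule a test hit
fi
```

Loading with iptables-restore instead of a sequence of `iptables -A` commands also avoids the lock-out window of steps 2 to 5 above: with the per-command approach, the DROP policies are in force before the ESTABLISHED rule exists, which terminates an SSH session to the router.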
