CPSC 441, Fall 2018
Lab 6: NFS / iptables

The lab has two unrelated sections. In the first part of the lab, you will work with NFS (Network File System). In the second part, you will use iptables, the Linux firewall configuration tool. Both parts will be done on your virtual machine.

This lab is due next Monday, October 29.

About NFS

NFS (Network File System) is used to share directories among computers. It is used for the home directories for your netXX account. Those directories are actually stored in a directory on a server in a closet down the hall from my office. That computer is an NFS server. It "exports" the directory that contains your home directory. The computers running Linux in the Lansing and Rosenberg labs are NFS clients. They "mount" the shared directory in their own filesystem. The shared directory from the NFS server is seen on the clients as the directory /nfshome, but the contents of /nfshome are actually on the NFS server.

NFS is not very secure, so we don't use it for the home directory for your regular Linux account. For that, we use AFS, a much more secure networked file system.

Using NFS

For this part of the lab, you will work in a group of three people. You will each work on your own virtual machine, but you will need to do some coordination. One virtual machine will be the NFS server for the group; that VM will also be a client of itself. The other two virtual machines will only be NFS clients. For the groups, we will just break up the class alphabetically into groups of three. Find your group in this list:

Hamdan Ahmed        IP:  172.21.6.26
Emily Bak           IP:  172.21.6.4
Alex Beal           IP:  172.21.6.5

Read Bohanan        IP:  172.21.6.13
Max Brodheim        IP:  172.21.6.6
Chase Brown         IP:  172.21.6.18

Erika Cardenas      IP:  172.21.6.23
Andrew Chait        IP:  172.21.6.7
Allie Doherty       IP:  172.21.6.17

Will Elliman        IP:  172.21.6.27
Camera Finn         IP:  172.21.6.2
Parker Guo          IP:  172.21.6.14

Ross Higgins        IP:  172.21.6.20
Jack Koch           IP:  172.21.6.8
Dean Levey          IP:  172.21.6.1

AJ McFarlane        IP:  172.21.6.21
Brett Milligan      IP:  172.21.6.16
Aleem Mohammad      IP:  172.21.6.22

William Ortlieb     IP:  172.21.6.25
Thomas Perry        IP:  172.21.6.10
Samantha Petruzzo   IP:  172.21.6.11

Matthew Straughn    IP:  172.21.6.19
CJ Tattan           IP:  172.21.6.12
Kemal Turksonmez    IP:  172.21.6.15

Collin Urie         IP:  172.21.6.28
Josh Walker         IP:  172.21.6.24
Max Zibitsker       IP:  172.21.6.29

Each group should choose one person from the group to run the NFS server. Only that person needs to install the server software. All three people need to install the client software. (However, everyone in the group should understand how to set up both the server side and the client side.) You will use the apt command to install the software. For the server:

apt install nfs-kernel-server

and for the client:

apt install nfs-client

Note that my instructions assume that you are working as root. If not, you can use sudo to run the commands.

NFS Server Configuration: The server needs a directory to share. This is typically a directory inside /srv, so create a directory such as /srv/nfs. Also, for testing purposes, make a file in this directory. (The command for making a directory is mkdir.)

Next, you need to tell NFS that that directory is shared, and you need to control who can access it. The configuration for the NFS server is in the file /etc/exports, so you need to edit that file. The file already has some commented-out examples of directory shares. There are two kinds of shares, one for NFS version 3 and one for version 4. We will use version 3. (Version 4 uses "kerberos," a secure authentication server, to authenticate the client machines. Since we are not running kerberos, we will stick to version 3.) The example defines a share to a computer named hostname1 as

/srv/homes       hostname1(rw,sync,no_subtree_check)

You should imitate this example. Note that the "hostname1" can be replaced by an IP address. (It could also be a network address if you want to share to an entire subnet of addresses.) The only other thing that you need to know is that "rw" means "read/write", and it allows the client to write to the shared directory as well as read its content.

You should share your directory to the IP addresses for the virtual machines of the other two members of your group. You should also set up a share to hostname localhost, so that the server machine can also be a client of itself.

NFS Client configuration: All three members of the group will do this. You want to mount the shared directory from the server into the file system on your virtual machine. The way that mounting works in Linux is this: You need an existing directory, which is usually empty. You can then mount an NFS share, a disk partition, and other kinds of file containers on that directory. The files from the thing that you mount appear as if they are contained in the actual directory where you mount it. (If that directory already contained some files, those files will be hidden and inaccessible.)

So, you need to create a directory. Everyone in your group should use the same name for the directory, such as /nfshome. To test whether access to the NFS server is working, you can mount the NFS share by hand, using a command similar to this:

      mount -t nfs 172.21.6.30:/srv/nfs /nfshome
or
      mount -t nfs localhost:/srv/nfs /nfshome

where the IP address would be the IP address of the NFS server. The file that was created in /srv/nfs on the server will then be visible in the directory /nfshome.

You want the NFS mount to survive a reboot of the virtual machine. To make that happen, you need to add a line to /etc/fstab. This file lists things that are always to be mounted at boot time. You need to add a line to this file to mount the NFS share. You can add a line at the end similar to

      172.21.6.30:/srv/nfs /nfshome nfs defaults 0 0
or
      localhost:/srv/nfs /nfshome nfs defaults 0 0

When something is entered in fstab, it can be mounted and unmounted simply by giving the name of the directory. Try commands like the following to check whether your fstab entry is correct:

      umount /nfshome
      mount /nfshome

User accounts: As the last step, I would like you to create user accounts with home directories in the shared NFS directory. The idea is that a user can log in to any of the three virtual machines and will see the same home directory. You should create four user accounts: one for me and one for each person in your group. Each person in the group should make the same four accounts, with the same passwords, on their virtual machine. Furthermore, the UID numbers for the accounts should be the same on each machine. (Each user is identified by a UID number, which is listed in the file /etc/passwd. This number is associated with the user name, and it is used by the system to record file ownership.) You can use the adduser command to create the users. However, since you will not be using the default home directory or UID for the users, you have to specify them as options to the adduser command. And to make things more complicated, adduser usually creates the home directory, but since the new users will have the same home directory on each machine, only one of you should create the home directories for the users. In fact, the home directories have to be created in the original directory on the server. So, on the NFS server VM, create the users with commands such as

adduser --uid=2000 --home=/srv/nfs/jane jane

and on the client VM with commands such as

adduser --uid=2000 --home=/nfshome/jane --no-create-home jane

The user name for my account should be david and the password should be fred123. I will try to log into your VM using this user name and password.
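To check that the UID numbers really do match across the group's machines, here is an added example (not part of this handout) that compares two files in /etc/passwd format and reports every shared user whose UID differs; the sample passwd contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the lab handout): compare the user accounts on the
# NFS server with those on a client and report any user whose UID differs.
# NFS v3 records ownership by UID only, so a user with a mismatched number
# writes files that show up on the server as owned by whichever server account
# happens to hold that UID.
# Usage: uid_mismatches SERVER_PASSWD CLIENT_PASSWD   (both in /etc/passwd format)
uid_mismatches() {
    awk -F: '
        # first file: remember each server user UID and which name owns each UID
        NR == FNR { suid[$1] = $3; sname[$3] = $1; next }
        # second file: report users present on both machines with different UIDs
        ($1 in suid) && suid[$1] != $3 {
            owner = ($3 in sname) ? sname[$3] : "(no user)"
            printf "%s: server uid %s, client uid %s, client files appear on server as %s\n", $1, suid[$1], $3, owner
        }' "$1" "$2"
}

# Constructed sample data standing in for /etc/passwd on the server and on one
# client. "jane" was created with the wrong --uid on the client; "alice" is an
# unrelated local account on the server that happens to hold UID 1001.
TMPDIR_DEMO=$(mktemp -d)
SERVER_PASSWD="$TMPDIR_DEMO/passwd.server"
CLIENT_PASSWD="$TMPDIR_DEMO/passwd.client"
cat > "$SERVER_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
david:x:2000:2000:David:/srv/nfs/david:/bin/bash
jane:x:2001:2001:Jane:/srv/nfs/jane:/bin/bash
bob:x:2002:2002:Bob:/srv/nfs/bob:/bin/bash
EOF
cat > "$CLIENT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
david:x:2000:2000:David:/nfshome/david:/bin/bash
jane:x:1001:1001:Jane:/nfshome/jane:/bin/bash
bob:x:2002:2002:Bob:/nfshome/bob:/bin/bash
EOF

# Prints one line for jane; nothing is printed when every shared UID agrees.
uid_mismatches "$SERVER_PASSWD" "$CLIENT_PASSWD"
```

On a client VM, copy the server's /etc/passwd over and run uid_mismatches against it and the local /etc/passwd; an empty result means the accounts line up.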

Note: For more information on the commands and configuration files used in this section, you can try the man command: man exports, man fstab, man mount, man adduser.

Note: If it seems silly to you to have to create the users on every machine individually, you are right. We should be using another kind of network server, such as an "nis" or "ldap" server, to distribute user account information to the machines. That's what's done for our Linux network and for the campus Windows network. The computers then just have to be configured to get the user account information from the right server.

Note: By default, the root user is not allowed to modify directories that have been mounted using NFS. (This is a "root_squash" option that you can read about in man exports.) This explains why the root user can't use adduser to create home directories in a directory mounted using NFS. However, the root user can take on the identity of any user, with the su command, and can then proceed to modify that user's files in the NFS mount.

Using iptables

Linux can be configured to do IP packet filtering and mangling using a tool called iptables. The iptables command is used to configure firewalls and packet forwarding. It is an important tool on computers that are acting as routers, but it can be used on any Linux computer to increase network security. For example, it can be used to accept ssh connections only from certain IP addresses. It can also be used to control outgoing connections.

The iptables command is used to install "rules" that will be applied to packets that arrive at the computer or that are about to leave the computer. A rule specifies some action to be taken on any packet that matches the rule. For example, the rule might say that the packet should simply be discarded. Or the rule might mangle (that is, modify) the packet in some way. If the Linux computer is being used as a router, iptables can specify rules to be applied to packets passing through the router. For example, NAT (Network Address Translation) can be implemented by mangling packets with iptables. (In fact, iptables actually includes simple, direct support for NAT.)

Unfortunately, we are not configuring a router. However, you can use iptables to protect your VM from undesirable connections. In fact, I would like you to stop me from doing two things from my office computer, which has IP address 172.21.7.12. First, if I try to ssh from that computer to your VM, the connection request should simply be ignored. Second, if I try to access the web server running on port 80, that connection request should be actively rejected.

Furthermore, I would like you to discover how to do this by doing some research on iptables. You can try the man command. If you google iptables, you will probably find some tutorials, including this Ubuntu Linux site:

https://help.ubuntu.com/community/IptablesHowTo

To make your iptables rules survive a reboot, you can simply add the iptables commands to the script /etc/rc.local. You might read about fancier ways to do it, but rc.local is good enough for this exercise.
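As an added example (not from the handout, and not the only way to write the rules), here are the two behaviours described above as a script that /etc/rc.local can run; the office address 172.21.7.12 is the one given in the text, and IPT is an assumed variable so the rules can be dry-run without root.

```shell
#!/bin/sh
# Added example (not part of the lab handout): the two rules the text asks for,
# written as a script that /etc/rc.local can run at boot. Assumed: the office
# host 172.21.7.12 from the text; IPT names the iptables binary and can be
# pointed at a stand-in command for a dry run.
BLOCKED_HOST=172.21.7.12
IPT="${IPT:-iptables}"

# One rule specification per line (chain, match, target).
# DROP silently ignores the ssh connection request; REJECT with a TCP reset
# actively refuses the connection to the web server on port 80.
fw_rules() {
    printf '%s\n' \
        "INPUT -s $BLOCKED_HOST -p tcp --dport 22 -j DROP" \
        "INPUT -s $BLOCKED_HOST -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
}

# Insert each rule at the head of INPUT (-I) so it is consulted before any
# ACCEPT rule that may already be there. The -C lookup first makes the script
# idempotent: running it again by hand while testing does not pile up
# duplicate copies of the same rule.
apply_rules() {
    fw_rules | while IFS= read -r rule; do
        # splitting $rule into separate arguments is intended
        if ! "$IPT" -C $rule 2>/dev/null; then
            "$IPT" -I $rule
        fi
    done
}

# Only touch the live firewall when run as root with iptables available.
if [ "$(id -u)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    apply_rules
fi
```

Setting IPT to a stand-in command (or just reading the output of fw_rules) shows the rules without changing anything; afterwards, iptables -L INPUT -n -v lists what is actually loaded.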

If you need help on this, please ask. If you think of something extra to do with iptables, let me know.

Things to Look At

Here are a few places to look for network configuration on your virtual machine, or on the Linux computers in the labs.