Ziltoid
From CSLabsWiki
| Ziltoid | |
|---|---|
| IP Address(es) | 128.153.145.2 |
| Contact Person | Xperia64 |
| Last Update | October 2016 |
| Services | Various |
| Hostname | ziltoid.cslabs.clarkson.edu |
| Operating system | Debian 8.3 |
| NIC 1 | Clarkson Network, MAC 0c:c4:7a:41:a7:bc, IP 128.153.145.2 |
| NIC 2 | Clarkson Network, MAC 0c:c4:7a:41:a7:bd, IP not applicable |
| CPU | Intel Xeon CPU E3-1220 V2 @ 3.10GHz |
| RAM | 4 GB |
Ziltoid is our latest SSH gateway/firewall box, following in the footsteps of (chronologically) Isengard, Mordor, Zuul and Zuko, though hopefully mostly Isengard.
Ziltoid's address is 128.153.145.2 rather than the usual .1 because OIT's router for our subnets already occupies 128.153.144.1 and 128.153.145.1.
Setup
Start with a base Debian 8.3.0 install, follow the Kerberos setup instructions, and then make the following modifications:
Packages
The following must be uninstalled (rdnssd rewrites /etc/resolv.conf from IPv6 router advertisements and would clobber the static nameserver set in the network config):
rdnssd
The following can be uninstalled:
nfs-client gcc-4.8-base ispell wamerican libthai-data libgtk2.0-0 libthai0 mlocate laptop-detect sgml-base debian-faq reportbug libwww-robotrules-perl aptitude m4 man-db texinfo file mutt os-prober sensible-utils installation-report install-info manpages
The following should be installed:
tcpdump nmap lm-sensors bridge-utils iptables iptables-persistent traceroute memtest86+
Network Config
Ziltoid has no routed interfaces: eth3 (from the input switch) and eth1 (to the output switch) are bridged into br0, so the box sits inline as a transparent Layer 2 bridge and br0 carries its management address. Note the /23 netmask, which spans both the 128.153.144.0/24 and 128.153.145.0/24 halves. This is the current /etc/network/interfaces file:

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# To output switch
iface eth1 inet manual

# From input switch
iface eth3 inet manual

auto br0
iface br0 inet static
    bridge_ports eth3 eth1
    bridge_stp off
    address 128.153.145.2
    netmask 255.255.254.0
    gateway 128.153.145.1
    broadcast 128.153.145.255
    dns-search cslabs.clarkson.edu
    dns-nameservers 128.153.145.3

Two things to check here. The dns-search and dns-nameservers lines are only honoured when the resolvconf package is installed (ifupdown itself ignores them). And because traffic crosses the box as bridged frames rather than routed packets, the iptables FORWARD rules below only see it while net.bridge.bridge-nf-call-iptables is 1, which is the default once the bridge module is loaded on Debian 8's 3.16 kernel; if the firewall ever appears to pass everything, check that sysctl first.
iptables Firewall
# Generated by iptables-save v1.4.21 on Fri Mar 25 19:14:27 2016
*filter
:INPUT ACCEPT [132:9112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:6652]
-A FORWARD -s 128.153.144.0/23 -j ACCEPT
-A FORWARD -d 128.153.145.0/24 -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -j DROP
COMMIT
# Completed on Fri Mar 25 19:14:27 2016

Read top to bottom, the FORWARD chain lets everything originating inside 128.153.144.0/23 out, lets everything destined for the 128.153.145.0/24 half in, lets the return traffic of established TCP connections in, and drops every other TCP packet. The net effect is that hosts on 128.153.144.0/24 cannot be reached from outside on new TCP connections, while 128.153.145.0/24 is wide open. Two caveats: the last two rules match TCP only and the chain policy is ACCEPT, so inbound UDP, ICMP and anything else addressed to 128.153.144.0/24 is forwarded unfiltered; and INPUT is also ACCEPT, so the gateway itself relies on running nothing but sshd (check with ss -ltnp). Save the rules with iptables-save > /etc/iptables/rules.v4 so that iptables-persistent restores them at boot.
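The following Python script is an added worked example, not part of the Ziltoid wiki page or of the box's own configuration. It embeds the ruleset above verbatim, implements only the match options that ruleset uses (-s, -d, -p, conntrack --ctstate, -j and the chain policy) and pushes a handful of constructed packets through the FORWARD chain; 203.0.113.7 is a made-up outside host and the 128.153.144.50/128.153.145.50 addresses are placeholders on the two lab /24s. Running it shows what actually gets through, including the non-TCP traffic the rules never look at.

```python
"""Dry-run Ziltoid's iptables FORWARD chain against sample packets.

Added example for the wiki page, not part of Ziltoid's own config. Only
the rule options the ruleset above actually uses are implemented.
"""
import ipaddress
import shlex
from dataclasses import dataclass

# The filter table from the page's iptables-save output, verbatim.
RULESET = """\
*filter
:INPUT ACCEPT [132:9112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:6652]
-A FORWARD -s 128.153.144.0/23 -j ACCEPT
-A FORWARD -d 128.153.145.0/24 -j ACCEPT
-A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -j DROP
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp", ...
    ctstate: str = "NEW"   # conntrack state as --ctstate would see it


def parse_filter_table(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the *filter table."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule = {"src": None, "dst": None, "proto": None, "ctstates": None, "target": None}
        i = 2
        while i < len(tokens):                   # every option here takes one argument
            opt, arg = tokens[i], tokens[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg)
            elif opt == "-p":
                rule["proto"] = arg.lower()
            elif opt == "-m":
                pass                             # match module name; its options follow
            elif opt == "--ctstate":
                rule["ctstates"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        rules.setdefault(tokens[1], []).append(rule)
    return policies, rules


def rule_matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto.lower():
        return False
    if rule["ctstates"] is not None and pkt.ctstate not in rule["ctstates"]:
        return False
    return True


def chain_verdict(chain, pkt, policies, rules):
    """First matching rule with a terminating target decides; otherwise the policy."""
    for rule in rules.get(chain, []):
        if rule_matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"]
    return policies[chain]


POLICIES, RULES = parse_filter_table(RULESET)


def forward_verdict(pkt):
    """Verdict of Ziltoid's FORWARD chain for one bridged packet."""
    return chain_verdict("FORWARD", pkt, POLICIES, RULES)


# Constructed sample traffic: 203.0.113.7 stands in for an outside host,
# the 128.153.x addresses are placeholders on the two lab /24s.
SAMPLES = [
    ("lab host -> Internet, new TCP",    Packet("128.153.144.10", "203.0.113.7", "tcp")),
    ("Internet -> .145 host, new TCP",   Packet("203.0.113.7", "128.153.145.50", "tcp")),
    ("Internet -> .144 host, new TCP",   Packet("203.0.113.7", "128.153.144.50", "tcp")),
    ("Internet -> .144 host, TCP reply", Packet("203.0.113.7", "128.153.144.50", "tcp", "ESTABLISHED")),
    ("Internet -> .144 host, new UDP",   Packet("203.0.113.7", "128.153.144.50", "udp")),
    ("Internet -> .144 host, ICMP echo", Packet("203.0.113.7", "128.153.144.50", "icmp")),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:34s} {forward_verdict(pkt)}")
```

The output makes the gap visible: a new TCP connection to a .144 host is dropped, but UDP and ICMP to the same host reach it via the ACCEPT policy because no rule mentions them. The parser deliberately refuses options it does not model rather than silently treating them as wildcards, so it cannot be pointed at an arbitrary ruleset and produce a misleadingly permissive answer.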
sshd Config
Disable sftp by pointing the subsystem at /bin/false instead of the Debian default /usr/lib/openssh/sftp-server:

Subsystem sftp /bin/false
#Subsystem sftp /usr/lib/openssh/sftp-server

Keep the old path on its own commented line. sshd_config has no trailing comments, so written as a single line (Subsystem sftp /bin/false #/usr/lib/openssh/sftp-server) everything after /bin/false is handed to /bin/false as arguments; harmless in this case, but it is not a comment.
And keep LDAP users (group users) from running commands while still letting them forward ports through the gateway:

Match Group users
    AllowTcpForwarding yes
    X11Forwarding no
    ForceCommand /bin/false

ForceCommand replaces whatever the client asked for, whether a shell, a command or a subsystem request, so matched users get neither a shell nor sftp and any interactive login exits immediately. They use the box with ssh -N -L localport:internalhost:22 user@ziltoid.cslabs.clarkson.edu, or as a jump host via ProxyCommand ssh -W %h:%p ziltoid.cslabs.clarkson.edu. Two caveats: the Match block only applies to members of group users, so any account outside that group still gets a full shell; and AllowTcpForwarding yes lets them forward to any host and port the gateway can reach, so add a PermitOpen line to the Match block if that should be narrower. Verify what a given user would get with sshd -T -C user=someone,host=client.example,addr=192.0.2.10 (placeholder values), which prints the effective configuration after the Match blocks have been applied.