INE 2810 Mission 3
Version 1.3
Mission outlines
- Set up a DNS server for your branch office domain
- Set up a mail server for your branch office domain
- Configure your router access lists to protect your hosts in DMZ
Before you go into this mission, please make sure you have finished mission
2. That is, from your hosts in DMZ, you can ping other hosts outside
your branch office network.
Task 1 : Set up your DNS server
Set up your master DNS server first
- Choose a host in DMZ to set up your master DNS server. Its IP must
be the one specified in your enterprise background information.
- Configure your /etc/named.conf file so as to
- allow your slave DNS server to do DNS zone transfer from this master
DNS server
- set the DNS forwarder to be 192.168.11.1 so that all other DNS queries
will go through this IP
- define the zone filename for your branch office domain
- define the zone filename for your reverse IP mapping (in-addr.arpa)
domain
- Configure your zone files in /var/named
- in your branch office domain zone file define the following:
- the SOA of your domain
- the NS of your domain
- the MX of your domain
- the IP of ns1 (master DNS name server)
- the IP of ns2 (slave DNS name server)
- the IP of fw (firewall interface to DMZ)
- the IP of gateway (router interface to DMZ)
- the IP of router (router interface to upstream ISP)
- the CNAME of mail (point to ns1)
- in your in-addr.arpa domain zone file
- define the reverse IP mapping for the hosts: ns1,ns2,fw and gateway
- Configure your /etc/resolv.conf file to define your domain and your
master DNS server IP
- Start your named by the command "/etc/rc.d/init.d/named start" and
use the host command to verify your setting
- If you find your named does not work, tail /var/log/messages to see
if there are any error messages. If there is any error, fix the error and
restart the named by "/etc/rc.d/init.d/named restart"
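The forward and reverse zone files described above, generated from a single host table so that every PTR record matches an A record. This is an added Python example, not part of the mission text; the domain and addresses are constructed placeholders (TEST-NET ranges) and must be replaced with the values from your enterprise background information.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (TEST-NET ranges): replace them with your own background information.
DOMAIN = "branch.example.hk"
DMZ = ip_network("192.0.2.0/24")
HOSTS = {"ns1": "192.0.2.2", "ns2": "192.0.2.3", "fw": "192.0.2.1", "gateway": "192.0.2.254"}
ROUTER = "203.0.113.9"                           # router interface towards the upstream ISP
REVERSE_HOSTS = ("ns1", "ns2", "fw", "gateway")  # the mission asks for PTRs for these four

def soa(serial):
    # serial refresh retry expire minimum; the slave transfers the zone only when serial grows
    return f"@\tIN\tSOA\tns1.{DOMAIN}. hostmaster.{DOMAIN}. ( {serial} 3600 900 604800 86400 )"

def forward_zone(serial):
    lines = ["$TTL 86400", f"$ORIGIN {DOMAIN}.", soa(serial),
             "@\tIN\tNS\tns1", "@\tIN\tNS\tns2",
             # An MX target must own an A record, not a CNAME (RFC 2181 section 10.3),
             # so the MX names ns1 directly; 'mail' stays a CNAME to ns1 as the mission asks.
             "@\tIN\tMX\t10 ns1"]
    for name, ip in HOSTS.items():
        lines.append(f"{name}\tIN\tA\t{ip}")
    lines.append(f"router\tIN\tA\t{ROUTER}")
    lines.append("mail\tIN\tCNAME\tns1")
    return "\n".join(lines) + "\n"

def reverse_origin(net):
    # 192.0.2.0/24 -> 2.0.192.in-addr.arpa.; only octet-aligned prefixes are handled
    if net.prefixlen % 8:
        raise ValueError("classless in-addr.arpa delegation (RFC 2317) is not handled here")
    octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_label(ip, net):
    # host part of the address with its octets reversed, relative to the reverse origin
    if ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {net}")
    octets = ip_address(ip).exploded.split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(octets))

def reverse_zone(serial):
    lines = ["$TTL 86400", f"$ORIGIN {reverse_origin(DMZ)}", soa(serial),
             f"@\tIN\tNS\tns1.{DOMAIN}.", f"@\tIN\tNS\tns2.{DOMAIN}."]
    for name in REVERSE_HOSTS:
        lines.append(f"{ptr_label(HOSTS[name], DMZ)}\tIN\tPTR\t{name}.{DOMAIN}.")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(forward_zone("2024010101"), reverse_zone("2024010101"), sep="")
```

Write the two outputs to the zone files named in /etc/named.conf under /var/named, and bump the serial every time you edit them or the slave will keep its old copy.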
Then set up your slave DNS server
- Choose another host in DMZ to set up your slave DNS server. Its IP
must be the one specified in your enterprise background information.
- Configure your /etc/named.conf file so as to define the domain zone
file of your domains and their master server IP.
- Configure your /etc/resolv.conf file to define your domain and your
master DNS server IP
- Start your named by the command "/etc/rc.d/init.d/named start" and
see if your slave DNS server can transfer the zone files from your master
server to your slave directory
- If you find your named does not work, tail /var/log/messages to see
if there are any error messages. If there is any error, fix the error and
restart the named by "/etc/rc.d/init.d/named restart"
Task 2 : Set up your mail server
- Choose your master DNS host as your mail server
- Configure your sendmail macro (mc) file.
- copy /etc/mail/sendmail.mc to /usr/share/sendmail-cf/cf directory
- edit the sendmail.mc file to
- add the following entries:
MASQUERADE_AS([your_domain])
FEATURE(masquerade_envelope)
FEATURE(allmasquerade)dnl
- comment out the following entries with the dnl keyword
dnl EXPOSED_USER(`root')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
- cd to the directory of /usr/share/sendmail-cf/cf and type "make sendmail.cf"
to generate the sendmail.cf file
- back up the original sendmail.cf file: cp -p /etc/sendmail.cf
/etc/sendmail.cf.orig
- replace the /etc/sendmail.cf file with yours in /usr/share/sendmail-cf/cf
- Edit the /etc/mail/local-host-names to include your domain
- Restart the sendmail daemon: /etc/rc.d/init.d/sendmail restart
- tail /var/log/messages to see if there are any error messages. If there
is any error, fix the error and restart the sendmail by "/etc/rc.d/init.d/sendmail
restart"
- create user accounts for yourselves at your mail server. If you do
not know how, see man useradd and man passwd.
- Test your mail server by sending mail from your mail server to your
INE account. See if mail sent out from your mail server is masqueraded
as your office domain
- Try to send mail from your INE account to your user account at your
mail server. See if your mail server can receive mail from outside
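The sendmail.mc edits from Task 2 as a script that applies them and then checks the result, so you can see before running make why outside mail would not arrive (the loopback-only DAEMON_OPTIONS line) or why mail would not be masqueraded (a missing FEATURE line). This is an added Python example, not part of the mission; the mc excerpt below is constructed and the domain is a placeholder.

```python
import re

# Constructed sendmail.mc excerpt standing in for /etc/mail/sendmail.mc
SAMPLE_MC = """divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
MAILER(smtp)dnl
"""

def required_lines(domain):
    # The entries the mission adds; the domain goes inside m4 quotes (`...').
    return [f"MASQUERADE_AS(`{domain}')dnl",
            "FEATURE(masquerade_envelope)dnl",
            "FEATURE(allmasquerade)dnl"]

# Entries the mission disables. EXPOSED_USER(`root') exempts root's mail from masquerading;
# the DAEMON_OPTIONS line binds the SMTP listener to 127.0.0.1, and while it is active
# the server cannot receive mail from outside at all (the failure mode of the last test).
TO_DISABLE = (re.compile(r"^EXPOSED_USER\(`root'\)"),
              re.compile(r"^DAEMON_OPTIONS\(`Port=smtp,\s*Addr=127\.0\.0\.1"))

def edit_mc(text, domain):
    """Return the mc text with the mission's edits applied; safe to run twice."""
    out = []
    for line in text.splitlines():
        if any(p.match(line.strip()) for p in TO_DISABLE):
            line = "dnl " + line.strip()        # m4: dnl discards the rest of the line
        out.append(line)
    present = {l.strip() for l in out}
    out.extend(req for req in required_lines(domain) if req not in present)
    return "\n".join(out) + "\n"

def check_mc(text, domain):
    """List what still stands in the way; an empty list means ready for make sendmail.cf."""
    lines = [l.strip() for l in text.splitlines()]
    problems = [f"missing {req}" for req in required_lines(domain) if req not in lines]
    problems += [f"still active: {l}" for l in lines if any(p.match(l) for p in TO_DISABLE)]
    return problems

if __name__ == "__main__":
    print(check_mc(SAMPLE_MC, "branch.example.hk"))
    print(edit_mc(SAMPLE_MC, "branch.example.hk"))
```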
Task 3 : Configure your router access list to protect your DMZ host
Here is the specification of your router access list
- permit any host in your enterprise network to have IP access to your
hosts in DMZ
- permit gateway.ine.cuhk.edu.hk to have ICMP and ssh access to
your hosts in DMZ
- permit network 192.168.8.0/22 to have ICMP and ssh access to your
hosts in DMZ
- permit DNS query (udp port 53) from any host to your ns1 and
ns2 DNS server
- permit DNS query results (udp port above 1023) from the DNS forwarder
(192.168.11.1) to your ns1 (your master DNS server)
- permit SMTP traffic (tcp port 25) from any host to your mail server
- permit ICMP echo-reply from any hosts to any hosts in your branch
office network
- permit any tcp established packets (initiated from your hosts in DMZ)
to your hosts in DMZ
- deny all packets by default and log the denied packets
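The access list specification above as an ordered, first-match rule set that you can run sample packets through before typing it into the router, which makes it easy to see which entry permits a packet and which packets fall to the logged default deny. This is an added Python example, not part of the mission; the enterprise, branch, DMZ, ns1/ns2 and gateway.ine.cuhk.edu.hk addresses are constructed placeholders, while 192.168.11.1 and 192.168.8.0/22 come from the specification.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (TEST-NET / RFC 1918); 192.168.11.1 and
# 192.168.8.0/22 are the values given in the mission.
ENTERPRISE = ip_network("10.1.0.0/16")      # your enterprise network
BRANCH = ip_network("192.0.2.0/24")         # your branch office network
DMZ = ip_network("192.0.2.0/26")            # the DMZ inside it
NS1, NS2 = ip_address("192.0.2.2"), ip_address("192.0.2.3")
MAIL = NS1                                  # Task 2 puts the mail server on the master DNS host
GATEWAY_INE = ip_address("198.51.100.1")    # stands in for gateway.ine.cuhk.edu.hk
PARTNER = ip_network("192.168.8.0/22")
FORWARDER = ip_address("192.168.11.1")

class Packet:
    def __init__(self, proto, src, dst, sport=0, dport=0, icmp_type=None, ack=False):
        self.proto, self.src, self.dst = proto, ip_address(src), ip_address(dst)
        self.sport, self.dport, self.icmp_type, self.ack = sport, dport, icmp_type, ack

def to_dmz(p):
    return p.dst in DMZ

def icmp_or_ssh(p):
    return p.proto == "icmp" or (p.proto == "tcp" and p.dport == 22)

# Entries in the mission's order; as on a Cisco extended ACL, the first match decides.
RULES = [
    ("enterprise ip to dmz",      lambda p: p.src in ENTERPRISE and to_dmz(p)),
    ("gateway icmp/ssh to dmz",   lambda p: p.src == GATEWAY_INE and to_dmz(p) and icmp_or_ssh(p)),
    ("partner icmp/ssh to dmz",   lambda p: p.src in PARTNER and to_dmz(p) and icmp_or_ssh(p)),
    ("dns query to ns1/ns2",      lambda p: p.proto == "udp" and p.dport == 53 and p.dst in (NS1, NS2)),
    ("forwarder reply to ns1",    lambda p: p.proto == "udp" and p.src == FORWARDER
                                            and p.dst == NS1 and p.dport > 1023),
    ("smtp to mail",              lambda p: p.proto == "tcp" and p.dport == 25 and p.dst == MAIL),
    ("icmp echo-reply to branch", lambda p: p.proto == "icmp" and p.icmp_type == "echo-reply"
                                            and p.dst in BRANCH),
    # "established" on the router only tests the ACK (or RST) flag, so it matches return
    # traffic of DMZ-initiated sessions but equally any packet that carries ACK; that is
    # why it sits last, after the specific permits, and why the default deny is logged.
    ("tcp established to dmz",    lambda p: p.proto == "tcp" and p.ack and to_dmz(p)),
]

def evaluate(p):
    """Return (action, entry name); packets matching nothing hit the logged default deny."""
    for name, match in RULES:
        if match(p):
            return ("permit", name)
    return ("deny-log", "default deny")
```

Note that the specification only admits forwarder replies to ns1, so a query that ns2 forwards on its own would have its reply dropped and logged; the rule set shows that directly when you evaluate such a packet.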
Collaborate with other OTs in your enterprise and your partner enterprise
to test your access list. You may open guest accounts for the other OTs to
facilitate the test if needed.
Enable the log buffer on your router with "logging buffer 7".
"show log" on your router then shows the logged denied packets, which
helps you debug your access list.