Closed nyameko closed 1 week ago
Hi Team @lisabeeaan @thinker-bell @JCheney20 @Ghost-3342
As week 3 is ending, I am just checking in under week 3 tasks, hopefully your exams are still going well. Please don't hesitate to ask any questions should you have any.
Remember to @ me when you need me to attend to something so that I can get a notification and I will do the same.
All the best
Hi @zsanda1. Please see deliverables below for the week 3 tasks.
Nftables ruleset:
table inet firewall {
    set allowed_tcp_dports {
        type inet_service
        elements = { ssh, http, https }
    }
    set allowed_udp_dports {
        type inet_service
        elements = { http, https, 53 }
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state vmap { established: accept, related: accept, invalid: drop }
        iif lo accept
        meta l4proto icmp accept
        ct state new tcp dport @allowed_tcp_dports accept
        ct state new udp dport @allowed_udp_dports accept
        reject with icmpx port-unreachable
    }
}
Dnsmasq configuration:
user=dnsmasq
group=dnsmasq
interface=eth0
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
Compute node /etc/resolv.conf:
nameserver 10.100.50.172
Head node /etc/resolv.conf:
nameserver 8.8.8.8
Head node /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.100.50.224 compute_node
Head node TCP ports listening:
Scanning the head node's TCP ports {80, 111, 22} from the compute node:
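To make the behaviour of the posted `chain input` checkable without a live host, here is a small model of that chain as an added example (not code from the team's deliverable): it walks the rules in the order they appear, so a packet's verdict can be compared with what the port scan from the compute node shows. Helper names are hypothetical; the port numbers behind `ssh`, `http` and `https` are the standard IANA ones, and only the input chain is modelled because the posted ruleset defines no forward or output chain.

```python
# Added example: model of the posted nftables input chain, not the project's code.
from dataclasses import dataclass
from typing import Optional

# Standard service-name to port mapping used by nftables' inet_service type.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}

# Mirrors the two sets in the posted ruleset (element names resolved to ports).
ALLOWED_TCP_DPORTS = {SERVICE_PORTS[s] for s in ("ssh", "http", "https")}
ALLOWED_UDP_DPORTS = {SERVICE_PORTS["http"], SERVICE_PORTS["https"], 53}


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    ct_state: str                # "new", "established", "related" or "invalid"
    iif: str = "eth0"            # input interface (constructed default)
    dport: Optional[int] = None  # destination port for tcp/udp


def input_chain(pkt: Packet) -> str:
    """Return the verdict of the posted `chain input`, evaluated rule by rule.

    The chain policy is drop, but the final `reject with icmpx port-unreachable`
    rule answers every packet that falls through, so `drop` is only reached
    through the ct state vmap (invalid conntrack state).
    """
    # ct state vmap { established: accept, related: accept, invalid: drop }
    if pkt.ct_state in ("established", "related"):
        return "accept"
    if pkt.ct_state == "invalid":
        return "drop"
    # iif lo accept
    if pkt.iif == "lo":
        return "accept"
    # meta l4proto icmp accept
    if pkt.proto == "icmp":
        return "accept"
    # ct state new tcp dport @allowed_tcp_dports accept
    if pkt.ct_state == "new" and pkt.proto == "tcp" and pkt.dport in ALLOWED_TCP_DPORTS:
        return "accept"
    # ct state new udp dport @allowed_udp_dports accept
    if pkt.ct_state == "new" and pkt.proto == "udp" and pkt.dport in ALLOWED_UDP_DPORTS:
        return "accept"
    # reject with icmpx port-unreachable
    return "reject"


if __name__ == "__main__":
    # The three ports scanned from the compute node: 22 and 80 accepted, 111 rejected.
    for port in (80, 111, 22):
        print(f"tcp/{port} new -> {input_chain(Packet('tcp', 'new', dport=port))}")
```

Note that `meta l4proto icmp` matches IPv4 ICMP only; in an `inet` table, ICMPv6 (including neighbour discovery) needs its own `icmpv6` rule if the head node is reachable over IPv6.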
Excellent work Team!
~I need you to also complete these additional tasks:~
~Route all network traffic via the head node.~
Never mind, I see that the above was already done in previous week.
In your documentation and write-up, please ensure that you explain the forward, input and output chains when describing the behavior / implementation of your firewall and nftables rules.
Keep up the good work.
Topics: Secure the cloud infrastructure by configuring firewall rules and setting up DNS on the head node for routing and traffic control.
Tasks:
Configure the head node’s firewall:
Only allow inbound traffic on necessary ports (e.g., SSH, web ports).
Restrict outbound traffic from the compute node to flow only through the head node.
Configure the firewall to drop any other traffic by default (deny-all policy) to ensure maximum security.
Install and configure DNS on the head node:
Ensure that the head node handles name resolution requests from the compute node.
Set up DNS entries for internal communication between the head node and compute node (e.g., map the static IP addresses to meaningful hostnames).
Test name resolution from the compute node to verify that DNS queries are being processed by the head node.
Test firewall configurations to ensure that only the required traffic is permitted:
Try to access blocked services from the compute node to confirm they are denied.
Test the allowed services to ensure they function correctly (e.g., SSH and job scheduling).
Test the DNS configuration to ensure the compute node can resolve the head node’s hostname and any other necessary internal DNS entries.
Implement additional security hardening measures:
SSH key-based authentication only (disable password logins).
Limiting login attempts or enabling fail2ban to prevent brute force attacks.
Disable any unnecessary services on both nodes to reduce attack surfaces.
Deliverable: iptables, nftables rules or cloud security group settings).