chpc-tech-eval / scc

Competition instructions for the Center for High Performance Computing (CHPC) 2024 Student Cluster Competition (SCC), which is hosted by the National Integrated Cyber Infrastructure Systems (NICIS), a division of the South African Council for Scientific and Industrial Research (CSIR).
https://scc.chpc.ac.za/
Apache License 2.0

Week 3: Network Configuration (Re) Routing #199

Closed nyameko closed 1 week ago

nyameko commented 1 month ago
zsanda1 commented 1 week ago

Hi Team @lisabeeaan @thinker-bell @JCheney20 @Ghost-3342

As week 3 is ending, I am just checking in under week 3 tasks. Hopefully your exams are still going well. Please don't hesitate to ask any questions should you have any.

Remember to @ me when you need me to attend to something so that I can get a notification and I will do the same.

All the best

mukize commented 1 week ago

Hi @zsanda1. Please see deliverables below for the week 3 tasks.

Deliverables

1. Firewall Configuration

Nftables ruleset:

table inet firewall {
    set allowed_tcp_dports {
        type inet_service
        elements = { ssh, http, https }
    }

    set allowed_udp_dports {
        type inet_service
        elements = { http, https, 53 }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state vmap {established: accept, related: accept, invalid: drop }
        iif lo accept
        meta l4proto icmp accept
        ct state new tcp dport @allowed_tcp_dports accept
        ct state new udp dport @allowed_udp_dports accept

        reject with icmpx port-unreachable
    }
}

2. DNS Configuration

Dnsmasq configuration:

user=dnsmasq
group=dnsmasq
interface=eth0
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

Compute node /etc/resolv.conf:

nameserver 10.100.50.172

Head node /etc/resolv.conf:

nameserver 8.8.8.8

Head node /etc/hosts:

127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
10.100.50.224   compute_node

3. Evidence

1. DNS resolution via head node

Pasted image 20241118175635

2. Allowed port access

  1. Head node TCP ports listening: Pasted image 20241118183222

  2. Scanning the head node's TCP ports {80, 111, 22} from the compute node: Pasted image 20241118183407


nyameko commented 1 week ago

Excellent work Team!

~I need you to also complete these additional tasks:~

  1. ~Configure NAT and Masquerading on your head node's firewall.~
  2. ~Configure your compute node's default route to route all network traffic via the head node.~
    • ~Remove unnecessary routes on your compute node.~

Never mind, I see that the above was already done in the previous week.

In your documentation and write-up, please ensure that you explain the forward, input and output chains when describing the behavior / implementation of your firewall and nftables rules.

Keep up the good work.
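
An added example, not part of the team's deliverables or the repository: a simplified Python model of the `input` chain from the nftables ruleset posted above, showing which rule decides each inbound packet. The function name `input_verdict` and the sample packets are constructed for illustration.

```python
# Added example: simplified first-match model of the posted `input` chain.
# It mirrors rule order only; verify real behaviour with nft on the head node.
ALLOWED_TCP = {22, 80, 443}   # allowed_tcp_dports: ssh, http, https
ALLOWED_UDP = {80, 443, 53}   # allowed_udp_dports: http, https, 53


def input_verdict(pkt):
    """Return (verdict, matching rule) for one inbound packet (a dict)."""
    state = pkt.get("ct_state", "new")
    # ct state vmap { established: accept, related: accept, invalid: drop }
    if state in ("established", "related"):
        return "accept", "ct state vmap"
    if state == "invalid":
        return "drop", "ct state vmap"
    if pkt.get("iif") == "lo":                      # iif lo accept
        return "accept", "iif lo"
    proto, dport = pkt["l4proto"], pkt.get("dport")
    if proto == "icmp":                             # IPv4 ICMP only
        return "accept", "meta l4proto icmp"
    if state == "new" and proto == "tcp" and dport in ALLOWED_TCP:
        return "accept", "@allowed_tcp_dports"
    if state == "new" and proto == "udp" and dport in ALLOWED_UDP:
        return "accept", "@allowed_udp_dports"
    # Terminal rule: unmatched traffic is rejected here, so the chain's
    # `policy drop` is only a fallback and is never reached.
    return "reject", "reject with icmpx port-unreachable"


# Constructed sample packets (not captured traffic); eth0 is the interface
# named in the dnsmasq configuration.
SAMPLES = [
    {"iif": "eth0", "l4proto": "tcp", "dport": 22},
    {"iif": "eth0", "l4proto": "tcp", "dport": 80},
    {"iif": "eth0", "l4proto": "tcp", "dport": 111},
    {"iif": "eth0", "l4proto": "udp", "dport": 53},
    {"iif": "eth0", "l4proto": "tcp", "dport": 53},
    {"iif": "eth0", "l4proto": "ipv6-icmp"},
    {"iif": "eth0", "l4proto": "tcp", "dport": 111, "ct_state": "established"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", input_verdict(pkt))
```

The model makes two properties of the ruleset visible: DNS over TCP (port 53) and ICMPv6 both fall through to the final reject rule, because only UDP 53 and IPv4 ICMP are matched.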