#LinuxServer
Easy install with sbeteta42's command lines: https://github.com/sbeteta42/ez-debian-server
System Schema
- WAN (NAT) -- (ens33) ==Router== (ens35) -- LAN; routing = IP forwarding + NAT rule
- SRVLX01: 3 disks in RAID 1 (one of them is the spare disk), 2 Ethernet interfaces (IP address bonding), fixed IP address
- ==SERVICES (DAEMONS)==: DHCP, DNS, HTTP, FTP, SAMBA
- IP_STATE (client): IP address 192.168.3.10 / 255.255.255.0, gateway 192.168.3.254, DNS 1.1.1.1
We're configuring this Debian OS to be the router for this server.
Installing Debian Server on VM and configuring the IP address of the second network card
- Add 2 network cards
- Edit > Virtual Network Settings
- Add new VMNet2 and make it host-only, disable the DHCP
- ![[Pasted image 20240326093838.png]]
- For the second network card, we select the custom network VMNet2
- ![[Pasted image 20240326094130.png]]
To log in: `root` or `user` / `operations`
When we run `ifconfig` we see only one network card. The second one shown has [[127.0.0.1]] (the loopback address: it pings back to the host, it's an impossible address, doesn't exist on Windows, it's just there to test the interface connection)
![[Pasted image 20240326095248.png]]
- We run `ifconfig -a` to see the other network card even though it doesn't have an IP address yet (we'll configure it later); this way we have seen its name: ==ens35==
- WAN network name: ==ens33==
- We log in as the user, which doesn't have root rights.
- To get root rights we type `su -`, enter the root password and switch to the root account; then we install sudo with `apt install sudo`.
- We install `openssh-server`, `open-vm-tools` and `tree`, but we cannot install them if the system is not up to date: `apt update && apt full-upgrade -y` updates everything.
- sudo is installed but cannot be used from the user account yet; we configure it with `nano /etc/sudoers` and give the user ALL rights.
- From the user account, `sudo su` makes us root.
- ![[Pasted image 20240326101710.png]]
- Changing the hostname to router:
- We edit /etc/hostname and replace its content with `router`
- We edit `/etc/hosts` and change the 127.0.1.1 line to `127.0.1.1 router.formation.lan router`
- ![[Pasted image 20240326102706.png]]
- We restart the machine and see the `router` login prompt
- We connect to the `user@router` account
- `ifconfig -a` to see the network card settings
- We open `nano /etc/network/interfaces` and note the card names: ens33 and ens35
- `systemctl restart networking.service`
- `systemctl status networking.service` to verify the status
- If the second network card still doesn't appear, go back to `nano /etc/network/interfaces` and put `auto` instead of `allow-hotplug`
- Now when we run `ifconfig` we don't see the first card (ens33); we restart the machine and try again.
- We run `sudo ifconfig` and verify all the cards as in the following image:
- ![[Pasted image 20240326103921.png]]
- `sudo nano /etc/sysctl.conf` to activate IP routing
- Go down the page and remove the `#` before the `net.ipv4.ip_forward=1` line to make IP forwarding active
- ![[Pasted image 20240326141211.png]]
- `sudo sysctl -p` to make it active
Then we make a firewall rule:
- ens33 is the network card that connects to the outside network
- Switch to the root account
- Install iptables with `apt install iptables` if the command is not found
- `iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE`
- `-t` selects the table (nat), `-A` appends the rule to the chain, `-j` jumps to the target (here MASQUERADE)
- `iptables-save > /etc/iptables_rules.save` to save the rules to a file
- ![[Pasted image 20240326113242.png]]
- We go back to `nano /etc/network/interfaces` and edit it
- We add `post-up iptables-restore < /etc/iptables_rules.save` as the last line of the primary network interface stanza, so the saved rules are reloaded when the interface comes up
- Save and exit
- `systemctl restart networking.service`
- `systemctl status networking.service`
Now we go to the client machine and set the IP address, whether it's Linux or Windows.
- We put the settings as follows
- The gateway is the router!! ![[Pasted image 20240326134703.png]]
- We ping the router, 192.168.3.254
- We ping the DNS (1.1.1.1)
- We ping a hostname like www.google.fr to check name resolution
Troubleshooting
- We might have made a mistake: disconnect the network card and reconnect it, do the same for the LAN connection inside the VM, and check the VM network settings.
- `systemctl restart networking.service`
Connecting via SSH
- For port forwarding (rerouting):
- `iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 22 -j DNAT --to-destination 192.168.3.101:22`
- This way SSH arriving on the router's WAN interface is forwarded to the server.
- And we can connect to the user of the server (user@srvlx01) with an FTP client
![[Pasted image 20240326165147.png]]
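An added example (not from these notes or from sbeteta42's scripts): a shell script that renders the router's nat table, the MASQUERADE rule from the firewall section plus the SSH DNAT above, in iptables-save format and checks a dump offline, so a misspelled option such as `--to-destionation` is caught before `iptables-restore` runs from the post-up line at boot. Interface names and addresses are the ones used in the notes.

```shell
#!/bin/sh
# Added example (not from the notes): render the router's nat table in
# iptables-save format and check a dump offline. Interface names and
# addresses are the ones used in the notes.
WAN_IF=ens33
SRV_IP=192.168.3.101   # srvlx01, the only host reachable through the DNAT

# MASQUERADE on the WAN side for the LAN, and a DNAT forwarding inbound
# TCP/22 on ens33 to the server: what the two iptables lines in the
# notes produce.
render_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $SRV_IP:22
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Reads a rules dump on stdin. Exit 0 only if there is exactly one
# MASQUERADE rule and it is bound to the WAN interface, and every DNAT
# rule carries a correctly spelled --to-destination pointing at the
# server. A misspelled option is rejected by iptables-restore only when
# the post-up line runs at boot, so we catch it here first.
check_nat_rules() {
  awk -v wan="$WAN_IF" -v srv="$SRV_IP" '
    /-j MASQUERADE/ { if ($0 ~ "-o " wan " ") masq++; else bad++ }
    /-j DNAT/ { if ($0 ~ "--to-destination " srv ":") dnat++; else bad++ }
    END { exit !(masq == 1 && dnat >= 1 && bad == 0) }'
}

# Reads sysctl.conf on stdin; exit 0 only if ip_forward=1 is uncommented.
check_ip_forward() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}
```

Run `render_nat_rules | check_nat_rules` (or pipe in the real `/etc/iptables_rules.save`) and check the exit status before rebooting the router.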
Firewall Settings with [[pfSense]]
- Setting up pfSense replaces the router VM
- Now it's the router and we do the firewall settings on it
- We disabled the DHCP settings when installing because we have already put a static IP to our client.
- From the client we ping the gateway first !! always
- We open a web browser on the client and go to the gateway address (the gateway is always the router address)
- admin and pfsense for the login credentials in the web browser.
- ![[Pasted image 20240327103425.png]]
- We enter formation.lan as the domain; no DNS server is needed because it is provided automatically by the upstream router we are connected to
- We choose our timezone
- ![[Pasted image 20240327103752.png]]
- In the next step we untick the last two options
- ![[Pasted image 20240327111858.png]]
- we're in
- ![[Pasted image 20240327104159.png]]
- we can add widgets
To activate DHCP server : Services > DHCP Server > LAN
![[Pasted image 20240327110857.png]]
Difference between NAT and firewall rules: NAT is only for one machine; rules are for all the network (WAN)
ICMP: Internet Control Message Protocol ?? ==developer==
Authorizing SSH to Srvlx01 through NAT
We add a rule to NAT ![[Pasted image 20240327112458.png]]
Installing DHCP on the server through SSH
- `sudo apt install isc-dhcp-server`
- If the user doesn't have the right, we add it in `nano /etc/sudoers` with the `user ALL` line, etc.
- `sudo nano /etc/dhcp/dhcpd.conf` to see the DHCP settings and edit them
Configuring [[DHCP]] Settings
We will send this file to the server over SSH (don't put comments like this in the image) ![[Pasted image 20240327114743.png]]![[Pasted image 20240327122612.png]] no space before the parentheses!
- We connect to the WAN address of the firewall/pfSense through the FTP client
- and copy the dhcpd.conf file to the router
- ![[Pasted image 20240327115407.png]]
- The WAN address is found on the Dashboard (172.16.254.129 in my case)
- ![[Pasted image 20240327115435.png]]
- We launch the DHCP service/daemon to activate it
- To launch the service we enter `sudo systemctl start isc-dhcp-server.service`
- To verify it's active: `sudo systemctl status isc-dhcp-server.service`
- ![[Pasted image 20240327123442.png]]
Now we see that it works on the client machine:
- ![[Pasted image 20240327123524.png]]
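An added example (not the dhcpd.conf from the notes' screenshots): a shell script that renders an isc-dhcp-server config for the 192.168.3.0/24 LAN and sanity-checks the address plan offline, in particular that the dynamic pool does not overlap the addresses given statically to the gateway, srvlx01 and the client. Gateway, netmask and those static hosts come from the notes; the pool range, lease times and the use of 1.1.1.1 as second resolver are assumptions.

```shell
#!/bin/sh
# Added example (not the notes' own dhcpd.conf): render the DHCP config
# and check the address plan. Pool range, lease times and the second
# resolver are assumptions; everything else comes from the notes.
SUBNET=192.168.3.0; NETMASK=255.255.255.0
GATEWAY=192.168.3.254                        # the router is the gateway
STATIC_HOSTS="192.168.3.101 192.168.3.10"    # srvlx01 and the client
DNS_SERVERS="192.168.3.101, 1.1.1.1"         # bind9 on srvlx01 first
POOL_START=192.168.3.20; POOL_END=192.168.3.100   # assumed pool

render_dhcpd_conf() {
  cat <<EOF
option domain-name "formation.lan";
option domain-name-servers $DNS_SERVERS;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet $SUBNET netmask $NETMASK {
    range $POOL_START $POOL_END;
    option routers $GATEWAY;
}
EOF
}

# Dotted quad to a 32-bit integer, using only shell arithmetic.
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Exit 0 only if the pool is ordered and inside the subnet (excluding the
# network and broadcast addresses), and neither the gateway nor any
# statically addressed host falls inside the pool: a static address
# inside the pool is the classic duplicate-IP mistake.
check_dhcpd_plan() {
  net=$(ip2int "$SUBNET"); size=$(( 4294967296 - $(ip2int "$NETMASK") ))
  lo=$(ip2int "$POOL_START"); hi=$(ip2int "$POOL_END")
  [ "$lo" -le "$hi" ] && [ "$lo" -gt "$net" ] && [ "$hi" -lt $(( net + size - 1 )) ] || return 1
  for host in $GATEWAY $STATIC_HOSTS; do
    h=$(ip2int "$host")
    [ "$h" -gt "$net" ] && [ "$h" -lt $(( net + size - 1 )) ] || return 1   # not on the LAN
    [ "$h" -lt "$lo" ] || [ "$h" -gt "$hi" ] || return 1                     # inside the pool
  done
  return 0
}
```

Run `check_dhcpd_plan && render_dhcpd_conf > dhcpd.conf` so the file is only produced when the plan is consistent.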
DNS Settings on the Server
What not to forget:
- bind9 is the DNS server program on Linux; install it with `apt install bind9`. `named` is the service name used to check its details.
- Don't forget the "." after the domain, like "srvlx01.formation.lan."
- `systemctl restart named` to start the DNS service, `systemctl status named` to see whether it's active, `named-checkconf -z` to check the DNS configuration and load the zones
![[Pasted image 20240327144448.png]]
![[Pasted image 20240327144514.png]]
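An added example (not the zone file from the notes' screenshots): a bind9 forward zone for formation.lan built from the hosts that appear in these notes (srvlx01 at 192.168.3.101, router at 192.168.3.254, www as an alias of srvlx01), plus a small lint for the trailing-dot mistake the notes warn about: a fully qualified name in a NS, CNAME, PTR or SOA record without its final "." is silently expanded to name.formation.lan.formation.lan. The SOA serial and admin mailbox are placeholders.

```shell
#!/bin/sh
# Added example (not from the notes): a formation.lan zone built from the
# hosts in the notes, and a lint for missing trailing dots in RDATA names.
render_zone() {
  cat <<'EOF'
$TTL 86400
$ORIGIN formation.lan.
@        IN SOA   srvlx01.formation.lan. admin.formation.lan. (
                  2024032701 ; serial (placeholder)
                  3600 1800 604800 86400 )
@        IN NS    srvlx01.formation.lan.
srvlx01  IN A     192.168.3.101
router   IN A     192.168.3.254
www      IN CNAME srvlx01.formation.lan.
EOF
}

# Reads a zone file on stdin and prints every NS/CNAME/PTR/SOA name that
# contains a dot but does not end with one (a relative label such as
# "srvlx01" is fine; "srvlx01.formation.lan" is almost always a mistake).
# A records are left alone: their RDATA is an IP address. Exit 1 if any
# suspicious name was found.
lint_trailing_dots() {
  awk '
    /^[[:space:]]*;/ || /^\$/ { next }        # skip comments and directives
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "NS" || $i == "CNAME" || $i == "PTR" || $i == "SOA") {
          for (j = i + 1; j <= NF && $j !~ /^[;(]/; j++)
            if ($j ~ /\./ && $j !~ /\.$/) { print $j; bad++ }
          break
        }
      }
    }
    END { exit bad > 0 }'
}
```

Pipe the real zone file through `lint_trailing_dots` before running `named-checkconf -z`; the checker accepts a name with a missing dot, it just resolves to the wrong thing.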
Troubleshooting:
- Sometimes we will not be able to ping www.formation.lan. In this case we need to add the nameserver to the /etc/resolv.conf file, but we cannot edit it.
- To make it editable once: `sudo chattr -i /etc/resolv.conf`
- We open `nano /etc/resolv.conf` and add `nameserver 192.168.3.101` (the IP address of the server) on the second line
- Save and exit
- Then we lock resolv.conf against editing again with `sudo chattr +i /etc/resolv.conf`
We add the DNS address to pfSense in System > General Setup as well, because pfSense doesn't see the domain (formation.lan) by default ![[Pasted image 20240327154542.png]] and disable the settings as follows: ![[Pasted image 20240327155156.png]]