
1. SSH into the jump server, load balancer, App server 1, App server 2, and App server 3 and switch to root (you cannot switch to root on the LB).

2. On both the load balancer and the jump server, try to curl all the App servers on the specified port.

Both should be able to curl the App servers.

3. On each App server, install iptables-services.

Enable, start, and verify its status afterwards.

4. Put in the rules needed to allow traffic on the specified port only from the LBR host.

Traffic reaching the specified port from any source other than the LBR host should be denied.

5. Verify that the rules are in place by checking the iptables configuration.

This can be done with the three commands below; their outputs are also shown below.

6. As in step 2, curl the App servers again on the specified port from both the LBR and the jump server.

This time, only the LBR host should succeed.


III. STEPS - BREAKDOWN

1. SSH into the jump server, load balancer, App server 1, App server 2, and App server 3 and switch to root (you cannot switch to root on the LB).

On the jump server, become root:

sudo su -

From the jump server, log in to the LB (as a normal user) and to each App server, switching to root there (-t allocates a terminal so sudo can prompt and give an interactive shell):

sshpass -p '******' ssh -o StrictHostKeyChecking=no loki@172.16.238.14

sshpass -p '******' ssh -t -o StrictHostKeyChecking=no tony@172.16.238.10 sudo su -

sshpass -p '******' ssh -t -o StrictHostKeyChecking=no steve@172.16.238.11 sudo su -

sshpass -p '******' ssh -t -o StrictHostKeyChecking=no banner@172.16.238.12 sudo su -


2. On both the load balancer and the jump server, try to curl all the App servers on the specified port.

Both should be able to curl the App servers.

curl stapp01:5004
curl stapp02:5004
curl stapp03:5004

3. On each App server, install iptables-services.

Enable, start, and verify its status afterwards.

sudo yum install -y iptables-services

systemctl enable iptables
systemctl start iptables
systemctl status iptables

4. Put in the rules needed to allow traffic on the specified port only from the LBR host.

Traffic reaching the specified port from any source other than the LBR host should be denied.

Ensure the rules persist across system reboots.

iptables -R INPUT 5 -p tcp --destination-port 5004 -s 172.16.238.14 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 5004 -j DROP

The -R INPUT 5 form replaces the fifth INPUT rule, which on a fresh iptables-services install is the catch-all REJECT, so the chain now ends with the port 5004 DROP and every other port falls through to the default ACCEPT policy. The ACCEPT for the LBR host must sit before the DROP, because iptables stops at the first matching rule.

service iptables save

5. Verify that the rules are in place by checking the iptables configuration.

This can be done with the three commands below; their outputs are also shown below. Note that iptables -L resolves addresses and ports through DNS and /etc/services, so 172.16.238.14 shows up as stlb01 and port 5004 as avt-profile-1; add -n to see the raw numbers.

rpm -qc iptables-services

/etc/sysconfig/ip6tables
/etc/sysconfig/iptables

sudo /sbin/iptables-save

# Generated by iptables-save v1.4.21 on Sun Sep 13 13:15:00 2020
*nat
:PREROUTING ACCEPT [27:2880]
:INPUT ACCEPT [7:356]
:OUTPUT ACCEPT [308:19366]
:POSTROUTING ACCEPT [456:29083]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:34710
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:52247
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 34710 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 52247 -j SNAT --to-source :53
COMMIT
# Completed on Sun Sep 13 13:15:00 2020
# Generated by iptables-save v1.4.21 on Sun Sep 13 13:15:00 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25:3344]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Sep 13 13:15:00 2020

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  stlb01               anywhere             tcp dpt:avt-profile-1
DROP       tcp  --  anywhere             anywhere             tcp dpt:avt-profile-1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
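Reading the saved ruleset by eye is error-prone, so here is an added verification helper (not part of the original write-up) that checks an iptables-save dump for exactly the step-4 policy: the LBR ACCEPT exists, the DROP exists, and the ACCEPT is ordered before the DROP. The function name, the constructed sample ruleset and the WRONG_ORDER variant are assumptions made for this example; on a real App server it would be fed by iptables-save.

```shell
#!/bin/bash
# Added example, not from the original write-up. check_port_rules reads a
# ruleset in iptables-save format on stdin and passes only when the filter
# INPUT chain ACCEPTs tcp/PORT from LB/32, DROPs tcp/PORT for everyone else,
# and lists the ACCEPT before the DROP (iptables stops at the first match).
# It also warns when INPUT has policy ACCEPT and no catch-all REJECT/DROP,
# which is what "iptables -R INPUT 5" leaves after replacing the default reject.
# Hypothetical helper. On a host: iptables-save | check_port_rules 5004 172.16.238.14
check_port_rules() {
    local port="$1" lb="$2"
    awk -v port="$port" -v lb="$lb" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == ":INPUT" { policy = $2 }
        table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
        { n++ }                                   # rule position within INPUT
        index($0, "-p tcp ") && index($0, "--dport " port " ") {
            if (!acc && index($0, "-s " lb "/32 ") && $NF == "ACCEPT") acc = n
            else if (!drop && !index($0, " -s ") && $NF == "DROP") drop = n
        }
        index($0, "-A INPUT -j REJECT") == 1 || index($0, "-A INPUT -j DROP") == 1 { catchall = 1 }
        END {
            if (!acc)       { print "FAIL: no ACCEPT of tcp/" port " from " lb; exit 1 }
            if (!drop)      { print "FAIL: no DROP of tcp/" port " for other sources"; exit 1 }
            if (acc > drop) { print "FAIL: DROP (rule " drop ") precedes ACCEPT (rule " acc ")"; exit 1 }
            if (policy == "ACCEPT" && !catchall)
                print "WARN: INPUT policy ACCEPT with no catch-all rule; other ports stay open"
            print "OK: tcp/" port " reachable only from " lb
        }'
}

# Constructed sample modelled on the saved filter table shown in step 5.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25:3344]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Same ruleset with the ACCEPT appended after the DROP (the mistake of using -A for both).
WRONG_ORDER=$(printf '%s\n' "$SAVED_RULES" | awk '/5004 -j ACCEPT/ { a = $0; next } /5004 -j DROP/ { print; print a; next } { print }')

printf '%s\n' "$SAVED_RULES"  | check_port_rules 5004 172.16.238.14   # prints WARN, then OK
printf '%s\n' "$WRONG_ORDER" | check_port_rules 5004 172.16.238.14 || echo "(rejected, as intended)"
```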

6. As in step 2, curl the App servers again on the specified port from both the LBR and the jump server.

This time, only the LBR host should succeed.

curl stapp01:5004
curl stapp02:5004
curl stapp03:5004

