SE5 IoT, security of connected objects, 2025/2026, b5

Virtual server:
To create the VM: xen-create-image --hostname=SE5-crhanim --dhcp --dir=/usr/local/xen --size=20Gb --memory=2048mb --dist=daedalus --bridge=bridgeStudents

VM network configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 172.26.145.108
netmask 255.255.255.0
gateway 172.26.145.251
dns-nameservers 172.26.145.251
# post-up ethtool -K eth0 tx off
#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users. It is disabled by default
Verification:
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=5.72 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=5.72 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=6.27 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 5.717/5.901/6.267/0.258 ms

Adding an interface in VLAN 408:
#VLAN 408
auto eth1
iface eth1 inet static
address 172.16.8.1
netmask 255.255.255.0
#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users. It is disabled by default
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:d7:30:83 brd ff:ff:ff:ff:ff:ff
inet 172.26.145.108/24 brd 172.26.145.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:660:4401:6050:216:3eff:fed7:3083/64 scope global dynamic mngtmpaddr
valid_lft 989sec preferred_lft 889sec
inet6 2a01:c916:2047:c850:216:3eff:fed7:3083/64 scope global dynamic mngtmpaddr
valid_lft 2591989sec preferred_lft 604789sec
inet6 fe80::216:3eff:fed7:3083/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:d7:30:84 brd ff:ff:ff:ff:ff:ff
inet 172.16.8.0/24 brd 172.16.8.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fed7:3084/64 scope link
valid_lft forever preferred_lft forever

On Capbreton: /etc/xen/SE5-crhanim.cfg
#
# Networking
#
dhcp = 'dhcp'
vif = [ 'mac=00:16:3E:D7:30:83,bridge=bridgeStudents',
'mac=00:16:3E:D7:30:84,bridge=g5_crhanim' ]

In /etc/network/interfaces.d/g5_crhanim, configuration of the VLAN 408 interface and of the g5_crhanim bridge:
auto Trunk.408
iface Trunk.408 inet manual
vlan-raw-device Trunk
up ip link set $IFACE up
down ip link set $IFACE down
auto g5_crhanim
iface g5_crhanim inet manual
bridge_ports Trunk.408
up ip link set $IFACE up
down ip link set $IFACE down

WiFi security with WPA2-PSK
dot11 ssid SE5-crhanim
vlan 408
authentication open
authentication key-management wpa
wpa-psk ascii 0 " "
mbssid guest-mode
exit
interface Dot11Radio1
encryption vlan 408 mode ciphers aes-ccm
ssid SE5-crhanim
mbssid
no shutdown
exit
interface Dot11Radio1.408
encapsulation dot1Q 408
bridge-group 8
exit
interface GigabitEthernet0.408
encapsulation dot1Q 408
bridge-group 8
exit

To verify: ap#sh dot11 bssid
Interface     BSSID           Guest  SSID
Dot11Radio1   04da.d2d1.4bf0  Yes    SE5-azongo
Dot11Radio1   04da.d2d1.4bf1  Yes    SE5-crhanim
Dot11Radio1   04da.d2d1.4bf2  Yes    SE5-handrian

In the VM: /etc/dhcp/dhcpd.conf
subnet 172.16.8.0 netmask 255.255.255.0 {
range 172.16.8.100 172.16.8.200;
option routers 172.16.8.1;
#option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
option domain-name-servers 172.16.8.1;
}

In /etc/sysctl.conf: I uncommented the line net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf : to reload the sysctl configuration.
sysctl net.ipv4.ip_forward : to check the value.

To set up a DNS server, in the file /etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
recursion yes;
allow-query {172.16.8.0/24; 127.0.0.1;};
forwarders {
8.8.8.8;
1.1.1.1;
};
dnssec-validation auto;
listen-on { 127.0.0.1; 172.16.8.1; };
listen-on-v6 { none; };
};

To set up masquerading on the virtual server:
iptables -t nat -A POSTROUTING -j MASQUERADE -s 172.16.8.0/24

Resulting NAT table:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 51438 MASQUERADE  0    --  *      *       172.16.8.0/24        0.0.0.0/0
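The forwarding and masquerading settings above can be verified from the command output rather than by eye. The following Python script is an added example and is not part of this write-up: it parses the text printed by `sysctl net.ipv4.ip_forward` and `iptables -t nat -L -v -n` (the samples embedded in it are constructed from the output shown above) and lists what is missing. The name of the uplink interface (`eth0`) and the check that the MASQUERADE rule is bound to it with `-o` are assumptions of this example, not something the page's rule does.

```python
"""Check that the VM actually forwards and masquerades the VLAN 408 subnet.

Added example (not part of the original write-up). SYSCTL_OUTPUT and
NAT_OUTPUT are constructed from the output shown above, as printed by
`sysctl net.ipv4.ip_forward` and `iptables -t nat -L -v -n`.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("172.16.8.0/24")   # the VLAN 408 subnet from the page
UPLINK = "eth0"                                # assumed: the interface toward the Internet

SYSCTL_OUTPUT = "net.ipv4.ip_forward = 1\n"

NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  122 51438 MASQUERADE  0    --  *      *       172.16.8.0/24        0.0.0.0/0
"""


def ip_forward_enabled(sysctl_text):
    """True when `sysctl net.ipv4.ip_forward` reports 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return m is not None and m.group(1) == "1"


def parse_nat_rules(listing):
    """Parse `iptables -t nat -L -v -n` output into a list of rule dicts."""
    rules, chain = [], None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 9 or fields[0] == "pkts":
            continue                      # blank line or column header
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = fields[:9]
        rules.append({"chain": chain, "target": target, "in": in_if, "out": out_if,
                      "src": src, "dst": dst, "pkts": int(pkts), "bytes": int(nbytes)})
    return rules


def masquerade_rules_for(rules, lan=LAN):
    """POSTROUTING MASQUERADE rules whose source match is exactly the LAN subnet."""
    hits = []
    for r in rules:
        if r["chain"] != "POSTROUTING" or r["target"] != "MASQUERADE":
            continue
        if r["src"] == "0.0.0.0/0":
            continue                      # unrestricted source, handled in check_gateway
        if ipaddress.ip_network(r["src"], strict=False) == lan:
            hits.append(r)
    return hits


def check_gateway(sysctl_text, nat_listing, lan=LAN, uplink=UPLINK):
    """Return a list of findings; an empty list means the gateway is set up as expected."""
    findings = []
    if not ip_forward_enabled(sysctl_text):
        findings.append("net.ipv4.ip_forward is not 1: the VM will not route VLAN traffic")
    rules = parse_nat_rules(nat_listing)
    if not masquerade_rules_for(rules, lan):
        findings.append(f"no POSTROUTING MASQUERADE rule restricted to {lan}")
    for r in rules:
        if r["target"] != "MASQUERADE":
            continue
        if r["src"] == "0.0.0.0/0":
            findings.append("MASQUERADE rule matches any source; restrict it with -s")
        if r["out"] == "*":
            findings.append(f"MASQUERADE rule is not bound to the uplink; add -o {uplink}")
    return findings


if __name__ == "__main__":
    for finding in check_gateway(SYSCTL_OUTPUT, NAT_OUTPUT) or ["gateway OK"]:
        print(finding)
```

Run against the output shown on the page, the script reports a single finding: the rule is not bound to an outgoing interface. Adding `-o eth0` to the iptables command keeps the VM from masquerading packets that happen to leave through eth1 back toward the VLAN.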
DNS redirection
Modification of /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "github.com" {
type master;
file "/etc/bind/db.github.com";
};

Creating the zone file db.github.com
$TTL 604800
@       IN SOA  ns.github.com. admin.github.com. (
                      1         ; Serial
                 604800         ; Refresh
                  86400         ; Retry
                2419200         ; Expire
                 604800 )       ; Negative Cache TTL
;
@       IN NS   ns.github.com.
ns      IN A    172.16.8.1
@       IN A    172.16.8.1
www     IN A    172.16.8.1
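The zone above answers every query for github.com with the VM's own address, so any client that takes this resolver from DHCP is silently redirected. From the client side, one cheap detection is to check whether names of public services resolve to private (RFC 1918) addresses. The following Python script is an added example, not code from this write-up: it parses the zone file text (embedded as a constructed copy of the one above), qualifies the `@` and relative owner names against the `github.com` origin declared in named.conf.local, and flags A records that point the public zone at a private address.

```python
"""Parse a BIND zone file and flag public names pointed at private addresses.

Added example (not part of the original write-up). ZONE_TEXT is a constructed
copy of the db.github.com zone shown above; ORIGIN comes from the
zone "github.com" statement in named.conf.local.
"""
import ipaddress

ORIGIN = "github.com."

ZONE_TEXT = """\
$TTL 604800
@ IN SOA ns.github.com. admin.github.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.github.com.
ns IN A 172.16.8.1
@ IN A 172.16.8.1
www IN A 172.16.8.1
"""


def qualify(owner, origin):
    """Turn '@' and relative owner names into fully qualified names."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def _logical_lines(text):
    """Strip ';' comments and join parenthesised records (the SOA) into one line."""
    joined, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined.append(" ".join(buf))
            buf = []
    return joined


def parse_zone(text, origin):
    """Return (default_ttl, records); records are (owner, rtype, rdata) tuples."""
    ttl, records, last_owner = None, [], "@"
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():
            owner = last_owner          # leading blank: same owner as the previous record
        else:
            owner = fields.pop(0)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)               # the class is optional in the file
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields)
        records.append((qualify(owner, origin), rtype, rdata))
        last_owner = owner
    return ttl, records


def redirected_names(records, public_zones=("github.com.",)):
    """A records inside a public zone whose target is a private (RFC 1918) address."""
    hits = []
    for owner, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        in_public = any(owner == z or owner.endswith("." + z) for z in public_zones)
        if in_public and addr.is_private:
            hits.append((owner, str(addr)))
    return hits


if __name__ == "__main__":
    default_ttl, recs = parse_zone(ZONE_TEXT, ORIGIN)
    for owner, addr in redirected_names(recs):
        print(f"{owner} -> {addr} (private address for a public name)")
```

The same `redirected_names()` check can be fed with answers gathered from a live resolver instead of a zone file; on a client of this VLAN it would flag the redirection as soon as github.com resolved to 172.16.8.1 rather than to a public address.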