HW1
Part0 - Env Setting
# Gateway packages: DHCP/DNS (dnsmasq), VPN (wireguard), firewall and
# rule persistence (iptables, iptables-persistent), logging (rsyslog).
sudo apt install dnsmasq wireguard iptables iptables-persistent rsyslog

# Give the two inside-facing NICs static addresses. The file is edited by
# hand; the commented lines below are the stanzas to add.
sudo vim /etc/network/interfaces
# # Private Zone
# auto enp0s8
# iface enp0s8 inet static
# address 172.16.1.254
# netmask 255.255.255.0
# # DMZ Zone
# auto enp0s9
# iface enp0s9 inet static
# address 172.16.0.254
# netmask 255.255.255.0

# Bounce both interfaces so the new addresses take effect. ifdown may fail
# if the NIC was never up, so its errors are deliberately hidden; ifup
# errors stay visible.
for nic in enp0s8 enp0s9; do
  sudo ifdown "$nic" 2>/dev/null
done
for nic in enp0s8 enp0s9; do
  sudo ifup "$nic"
done
- Configure the DHCP server
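# dnsmasq serves DHCP (and, after HW1-1, DNS) for the two inside zones.
# The lines below are the file contents. They are shown with a leading
# "# " so this page can be pasted into a shell without executing them
# (the two listen-address lines were missing that prefix and would have
# run as commands); lines starting with "# #" are comments in the file
# itself. Drop the leading "# " when writing the file.
sudo vim /etc/dnsmasq.conf
# interface=enp0s8
# interface=enp0s9
# # Answer only on the two inside addresses, never on the WAN side.
# listen-address=172.16.0.254
# listen-address=172.16.1.254
# bind-interfaces
# dhcp-range=set:private,172.16.1.100,172.16.1.150,255.255.255.0,12h
# dhcp-range=set:dmzzone,172.16.0.100,172.16.0.150,255.255.255.0,12h
# dhcp-option=tag:private,option:router,172.16.1.254
# dhcp-option=tag:dmzzone,option:router,172.16.0.254
# # Replace by DNS ip at HW1-1
# dhcp-option=tag:private,option:dns-server,172.16.1.254
# dhcp-option=tag:dmzzone,option:dns-server,172.16.0.254
# # Static IP for agent
# dhcp-host=aa:bb:cc:dd:ee:01,set:private,172.16.1.123
# dhcp-host=aa:bb:cc:dd:ee:02,set:dmzzone,172.16.0.123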
- Restart / Verify the service
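# Validate the config first and only restart when the check passes, so a
# typo in dnsmasq.conf does not take the running DHCP service down.
sudo dnsmasq --test && sudo systemctl restart dnsmasq
sudo systemctl status dnsmasq
# Leases handed out so far; confirms clients really received addresses.
cat /var/lib/misc/dnsmasq.leases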
# Enable IPv4 forwarding so the box routes between the zones. The drop-in
# is spelled "ip_forword" on this page; both references use the same
# spelling, so it works as written.
forward_conf=/etc/sysctl.d/ip_forword.conf
sudo vim "$forward_conf"
# net.ipv4.ip_forward=1
# Apply this file now, then reload all sysctl drop-ins.
sudo sysctl -p "$forward_conf"
sudo sysctl --system
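# Firewall / NAT rules. These need root, so they use sudo like the rest of
# this page. NOTE(review): everything is a plain -A append, so re-running
# the block duplicates every rule; flush or check with `iptables -C` first.
# NOTE(review): no -P default policy and no ESTABLISHED,RELATED rule appear
# here. If the chains still have their default ACCEPT policy, the ACCEPT
# lines change nothing and only the REJECT lines restrict traffic — confirm
# that is intended.

# Outbound NAT: both inside zones reach the WAN (enp0s3) via masquerade;
# the private zone is also masqueraded towards the WireGuard tunnel.
sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o enp0s3 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o enp0s3 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o wg0 -j MASQUERADE

# Port forwards to port 2222 on the two agents. There is no -i match, so
# they apply to packets arriving on any interface, not only the WAN; add
# `-i enp0s3` if they are meant to be reachable from the WAN only.
sudo iptables -t nat -A PREROUTING -p tcp --dport 10001 -j DNAT --to-destination 172.16.0.123:2222
sudo iptables -t nat -A PREROUTING -p tcp --dport 10002 -j DNAT --to-destination 172.16.1.123:2222

# Traffic to the gateway itself: ping allowed, ssh over the tunnel rejected.
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -i wg0 -p tcp --dport 22 -j REJECT

# Routed traffic between zones. Order matters: the DMZ -> private-agent
# 2222 REJECT must stay above the general 2222 ACCEPT for that agent.
sudo iptables -A FORWARD -p icmp -j ACCEPT
sudo iptables -A FORWARD -s 172.16.0.0/24 -d 172.16.1.123 -p tcp --dport 2222 -j REJECT
sudo iptables -A FORWARD -d 172.16.0.123 -p tcp --dport 2222 -j ACCEPT
sudo iptables -A FORWARD -s 172.16.1.123 -p tcp --sport 2222 -j ACCEPT
sudo iptables -A FORWARD -d 172.16.1.123 -p tcp --dport 2222 -j ACCEPT
sudo iptables -A FORWARD -s 172.16.1.0/24 -d 172.16.1.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 172.16.0.0/24 -d 172.16.1.0/24 -p tcp --dport 55688 -j ACCEPT
sudo iptables -A FORWARD -s 172.16.0.0/24 -d 172.16.1.0/24 -p udp --dport 55688 -j ACCEPT
# Private zone may not be routed into the tunnel. NOTE(review): this rejects
# the very traffic the wg0 MASQUERADE above would translate, so one of the
# two looks redundant — confirm which behaviour is wanted.
sudo iptables -A FORWARD -s 172.16.1.0/24 -o wg0 -j REJECT
# iptables -A FORWARD -d 172.16.1.0/24 -j REJECT

# Traffic originated by the gateway: ping, and port 22 on the two agents.
sudo iptables -A OUTPUT -p icmp -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 172.16.0.123 --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 172.16.1.123 --dport 22 -j ACCEPT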
- Check & Save the iptables rules
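# Review the rules numerically (-n avoids slow reverse-DNS lookups on every
# address) with packet counters and rule numbers, then persist them so
# they survive a reboot.
sudo iptables -L -n -v --line-numbers
sudo iptables -t nat -L -n -v --line-numbers
sudo netfilter-persistent save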