My-Tiny.Net :: Breaking Bad



Migrating to Net-R



Having everything on a single subnet can be convenient for pentesting. Once you have your regular TinyNet fully configured, you can clone your WebServer, MailHost, and LDAPhost and add them to Net-R.

Net-R is a single subnet, so the DomServ replaces the TinyNet Gateway.
Do not clone the Gateway VM; instead, clone your ToClone server and use SetRole.sh to configure it as the Net-R DomServ.

When the DomServ VM is ready, clone the MailServer VM. After you start it up:
  1. edit /etc/HOSTNAME and change the second part of the cname from net-c to net-r

  2. edit /etc/postfix/main.cf to serve the subnet (add net-r.$mydomain, change the IP address ranges, change relayhost)
          mydestination = localhost, $mydomain, localhost.$mydomain, 
                $myhostname, webmail.$mydomain,
                net-a.$mydomain, net-b.$mydomain, net-c.$mydomain
                net-r.$mydomain 
                
          mynetworks = 127.0.0.0/8 
                # 192.168.56.0/24  192.168.66.0/24  192.168.76.0/24
                192.168.234.0/24
    
          relay_domains = 
    
          # next-hop destination for non-local mail 
          # relayhost = [gateway.tinynet.edu]
          # relayhost = [gateway.tinynet.edu]:submission 
          relayhost = [mailhost.net-r.tinynet.edu]:ccmail
    

  3. edit /etc/stunnel/mh.server.conf and add a section to allow the server to take in mail
          ; Net-R addition 
          [smtps]
          accept  = 465
          connect = 587
    

Then clone the WebServer, and:
  1. edit /etc/HOSTNAME and change the second part of the cname from net-a to net-r

  2. adjust the server for sending mail in /var/www/squirrelmail/config/svr_adrs.php
        $smtpServerAddress = 'mailhost.tinynet.edu';
    

  3. change /etc/stunnel/www.server.conf to use the MailServer
          [smtps]
          accept  = 587
          ; connect = gw.tinynet.edu:465
          connect = mailhost.tinynet.edu:465
    

Then clone the LDAPserver and change the second part of the name from net-b to net-r in /etc/HOSTNAME.

On the DomServ VM, edit /etc/dnsmasq.conf (remember: only one file here, there is no dnsmasq.d directory) and add these cnames:
    cname = mailhost.net-r.tinynet.edu, the.net-r.mailserver.hostname
    cname = mailhost.tinynet.edu, the.net-r.mailserver.hostname
    cname = mail.tinynet.edu, the.net-r.mailserver.hostname

    cname = www.tinynet.edu, the.net-r.webserver.hostname
    cname = webmail.tinynet.edu, the.net-r.webserver.hostname

    cname = ldap.tinynet.edu, the.net-r.ldapserver.hostname

Finally, power off all of the new VMs and start them up again. Remember to let the DomServ VM reach the login screen before starting the others, so the DHCP service is ready to give them IP addresses.



Notes:
  • the relayhost [name] (before the port) in /etc/postfix/main.cf must match the mx-target name in the DNS Resource Records section of /etc/dnsmasq.conf, and must match a real hostname or a cname: Postfix ALWAYS does DNS lookups when the port is specified, even if we use an IP address.

  • mail going outside the subnet will fail because of the designated relayhost, but that's OK because we want this network isolated. If you don't like seeing all those [BOUNCED] messages in the logs, it is easy to set up the Mail send/sink scripts from the menu.

  • You will be able to use your Host system browser because of the virtual ethernet interface (see Linux Notes::Virtual ethif on the TinyNet menu, and /etc/rc.d/rc.local on the WebServer), so the last step is to add iptables rules that accept only incoming and outgoing http, https, and ssh on the 192.168.56.252 interface (see Packet Filters::Firewalls on the TinyNet menu).
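The first note above requires that the bracketed relayhost name in /etc/postfix/main.cf be defined as a cname in /etc/dnsmasq.conf. The following check script is an added example, not one of the TinyNet scripts: it parses both files and reports a mismatch before you reboot the VMs. The sample files it writes under mktemp are constructed for the demonstration, and the paths passed to check_relayhost are whatever you copy the two configs to.

```shell
#!/bin/sh
# Added example: verify that the Postfix relayhost name has a dnsmasq cname.

# Print the host name between [ ] on the last active (uncommented) relayhost line.
relayhost_name() {
    sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*\[\([^]]*\)].*/\1/p' "$1" | tail -n 1
}

# Print the target of every "cname = name[,name...], target" line that defines $2.
# Handles the one-cname-per-line form used on this page and the multi-alias form too.
cname_target() {
    awk -F'[=,]' -v name="$2" '
        /^[ \t]*cname[ \t]*=/ {
            for (i = 2; i < NF; i++) {
                gsub(/[ \t]/, "", $i)
                if ($i == name) { gsub(/[ \t]/, "", $NF); print $NF }
            }
        }' "$1"
}

# $1 = main.cf, $2 = dnsmasq.conf. Returns 0 when the relayhost name is a cname.
check_relayhost() {
    name=$(relayhost_name "$1")
    [ -n "$name" ] || { echo "no bracketed relayhost in $1" >&2; return 1; }
    target=$(cname_target "$2" "$name")
    if [ -n "$target" ]; then
        echo "relayhost $name -> cname target $target"
        return 0
    fi
    echo "relayhost $name has no cname in $2 (mail to it will not resolve)" >&2
    return 1
}

# Constructed sample configs (not real TinyNet files) so the check runs offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/main.cf" <<'EOF'
# relayhost = [gateway.tinynet.edu]:submission
relayhost = [mailhost.net-r.tinynet.edu]:ccmail
EOF
    cat > "$dir/dnsmasq.conf" <<'EOF'
cname = mailhost.net-r.tinynet.edu, the.net-r.mailserver.hostname
cname = www.tinynet.edu, the.net-r.webserver.hostname
EOF
    echo "$dir"
}

# Stand-alone run against the constructed samples.
SAMPLES=$(make_samples)
check_relayhost "$SAMPLES/main.cf" "$SAMPLES/dnsmasq.conf"
```

Run it on the real files with `check_relayhost /etc/postfix/main.cf /etc/dnsmasq.conf` once both are copied to the DomServ, or point it at copies pulled from the two VMs.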