The Abitti exam network consists of the exam-room servers, the students' machines, switches and possibly WLAN access points. Power supply for the devices is not covered in this article.
This page is aimed primarily at IT support staff, for building the network and for troubleshooting.
Building the network
In the final system there will be two exam-room servers, one of them serving as a backup; the current version of the Digabi exam-room server does not support a backup machine. The exam-room servers connect to the YTL server, for example over the school network or a 3G/4G connection.
The diagram of a wired exam network shows a setup in which all student machines are connected to the exam-room server through switches.
The second diagram shows a wirelessly implemented exam network. Note that YTL sets several requirements for the use of a wireless network in digital matriculation examinations.
Own content servers (web servers)
At least for now, it is fairly easy to attach your own web server to the exam network. The server's IP address must be in the range 10.10.0.10 - 10.10.0.255 and it must listen on port 443. The server's traffic does not have to be encrypted (https). In this way material (videos, audio files, spreadsheets, PDFs, GeoGebra, ...) can be distributed during exams. Because HTML formatting works in exam questions, the material can also be linked directly into the exams.
IP addresses
Subnet mask: 255.255.0.0

System component | IP address
---|---
Exam-room server 1 | 10.10.0.1
Exam-room server 2 | 10.10.0.2
WLAN AP (reserved) | 10.10.0.10
Monitoring consoles (vendor-class-identifier = "supo-abitti") | 10.10.0.100 - 10.10.0.250
Students' machines (vendor-class-identifier = "abitti") | 10.10.1.1 - 10.10.255.250
Digabi.fi | 83.145.200.151
The DHCP service uses the vendor-class-identifier option to tell the students' machines and the teachers' monitoring consoles apart. The same mechanism also withholds DHCP service from third-party devices.
The DHCP address-pool definitions are found on the exam-room server in the file "/lib/live/config/0005-abitti".
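The page does not show the contents of /lib/live/config/0005-abitti or say which DHCP server DigabiOS runs. As an added illustration (not the project's own file), this is how the pools from the table above would be expressed in ISC dhcpd syntax; a client whose vendor-class-identifier matches neither class belongs to no pool and therefore receives no lease:

```text
# Added illustration in ISC dhcpd syntax, not the DigabiOS configuration.
class "supo-abitti" {
  match if option vendor-class-identifier = "supo-abitti";
}
class "abitti" {
  match if option vendor-class-identifier = "abitti";
}

subnet 10.10.0.0 netmask 255.255.0.0 {
  # Teachers' monitoring consoles
  pool {
    allow members of "supo-abitti";
    range 10.10.0.100 10.10.0.250;
  }
  # Students' machines
  pool {
    allow members of "abitti";
    range 10.10.1.1 10.10.255.250;
  }
  # No pool admits any other vendor class, so third-party devices get no lease.
}
```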
Firewall
DigabiOS uses the iptables tool to manage network connections.
Exam-room server
Incoming traffic
Incoming traffic on the exam-room server is restricted according to the following table.

Source address | Protocol | Destination address | Port | Description
---|---|---|---|---
* | udp | * | spt:bootpc[68] dpt:bootps[67] | Allow DHCP (client-to-server)
* | icmp | * | echo-request | Allow ping request (someone pinging us)
* | tcp | * | dpt:http[80] | Allow access to webserver.
* | tcp | * | dpt:https[443] | Allow access to HTTPS webserver.
* | tcp | * | dpt:8020 | Allow access to exam server
lo | all | lo | * | Allow localhost access
* | udp | * | dpt:ntp[123] | Allow NTP (Network Time Protocol)
* | tcp | * | dpt:shell[514] | Allow access to syslog
* | udp | * | dpt:syslog[514] | Allow access to syslog

All other incoming traffic is logged with the rule "LOG all limit: avg 2/min burst 5 LOG level warning" and rejected.
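When troubleshooting, the kernel messages written by that LOG rule are the first place to look for traffic the firewall turned away on either the exam-room server or a student machine. The following Python is an added example (not DigabiOS code) that summarises such lines; it assumes the messages reach a syslog text file in the standard netfilter LOG format, and the sample lines it parses are constructed for the example.

```python
"""Summarise what the firewall's 'iptables reject ' LOG rule is dropping.
Added example for this page, not DigabiOS code. It assumes the kernel
messages land in a syslog text file in the standard netfilter LOG format
(IN= OUT= SRC= DST= PROTO= SPT= DPT= ...), as on the exam-room server."""
import re
from collections import Counter

LOG_PREFIX = "iptables reject "         # --log-prefix from 9000-log-and-reject.conf
_FIELD = re.compile(r"([A-Z]+)=(\S*)")  # netfilter LOG fields are KEY=VALUE tokens

# Constructed sample lines (not real logs): a student machine trying SSH to the
# exam-room server, mDNS noise, and a process on the server trying port 25.
SAMPLE_LOG = """\
Mar 14 09:01:12 ktp kernel: [ 812.001] iptables reject IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.1.23 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 09:01:13 ktp kernel: [ 813.120] iptables reject IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.1.23 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 09:01:15 ktp kernel: [ 815.300] iptables reject IN=eth0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=10.10.2.7 DST=224.0.0.251 LEN=52 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
Mar 14 09:01:20 ktp kernel: [ 820.010] iptables reject IN= OUT=eth0 SRC=10.10.0.1 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 09:01:21 ktp kernel: [ 821.000] e1000e: eth0 NIC Link is Up 1000 Mbps
"""

def parse_reject_line(line):
    """Fields of one packet logged by the reject rule, or None for other lines."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD.findall(line[idx + len(LOG_PREFIX):]))
    # netfilter fills IN= for packets seen on INPUT and OUT= for OUTPUT.
    fields["DIRECTION"] = "in" if fields.get("IN") else "out"
    return fields

def summarize_rejects(log_text):
    """Count rejected packets by (direction, SRC, PROTO, DPT).
    The LOG rule is rate limited (avg 2/min, burst 5), so these counts are a
    lower bound on what was actually rejected."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_reject_line(line)
        if f is not None:
            counts[(f["DIRECTION"], f.get("SRC", "?"), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

def report(log_text, n=5):
    """Top-n rejected flows as 'direction src proto/dport count' lines."""
    return ["%s %s %s/%s %d" % (k + (c,)) for k, c in summarize_rejects(log_text).most_common(n)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```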
Outgoing traffic
Outgoing traffic on the exam-room server is restricted according to the following table.

Source address | Protocol | Destination address | Port | Description
---|---|---|---|---
* | udp | * | spt:bootps[67] dpt:bootpc[68] | Allow DHCP (server-to-client).
* | udp | * | spt:bootpc[68] dpt:bootps[67] | Allow DHCP (client-to-server).
* | icmp | * | echo-reply | Allow ping reply (ie. allow sending pong)
* | udp | * | dpt:domain[53] | Allow DNS out
* | udp | * | dpt:domain[53] | Allow access to DNS.
* | tcp | * | dpt:http[80] | Allow HTTP.
* | tcp | * | dpt:https[443] | Allow HTTPS.
* | tcp | * | dpt:8020 | Allow access from exam server
lo | all | lo | * | Allow localhost access
* | udp | * | dpt:ntp[123] | Allow NTP
* | tcp | 83.145.200.151 | dpt:https[443] | Allow HTTPS access to digabi.fi

All other outgoing traffic is logged with the rule "LOG all limit: avg 2/min burst 5 LOG level warning" and rejected.
Firewall details
Exam-room server firewall configuration:
```
## 0000-initialize-tables.conf
#
# digabi-firewall
#
# This MUST be the first rule
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
## 0001-add-digabi-tables.conf
# Create our custom tables
:digabi-input - [0:0]
:digabi-output - [0:0]
## 0200-allow-existing-connections.conf
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow existing connections." -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow existing connections."
## 0200-dhcp-server.conf
-A OUTPUT -p udp -m udp --sport 67 --dport 68 -m comment --comment "Allow DHCP (server-to-client)." -j ACCEPT
-A INPUT -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP (client-to-server)." -j ACCEPT
## 0210-allow-dhcp.conf
-A OUTPUT -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP (client-to-server)." -j ACCEPT
## 0250-allow-ping.conf
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping request (someone pinging us)."
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT -m comment --comment "Allow ping reply (ie. allow sending pong)."
## 0500-forward-traffic-to-digabi-tables.conf
#
# Forwards traffic to digabi-input and digabi-output tables for custom
# filtering
#
-A OUTPUT -m comment --comment "Custom Digabi rules." -j digabi-output
-A INPUT -m comment --comment "Custom Digabi rules." -j digabi-input
## 5000-digabi-misc.conf
# TODO: Split to separate files
-A digabi-input -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow access to webserver."
-A digabi-input -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow access to HTTPS webserver."
-A digabi-output -p udp -m udp --dport 53 -j ACCEPT -m comment --comment "Allow access to DNS."
-A digabi-output -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP."
-A digabi-output -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS."
## 5500-exam-server.conf
-A digabi-output -p tcp -m tcp --dport 8020 -j ACCEPT -m comment --comment "Allow access from exam server"
-A digabi-input -p tcp -m tcp --dport 8020 -j ACCEPT -m comment --comment "Allow access to exam server"
-A digabi-output -o lo -j ACCEPT -m comment --comment "Allow localhost access"
-A digabi-input -i lo -j ACCEPT -m comment --comment "Allow localhost access"
-A digabi-output -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "Allow NTP"
-A digabi-input -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "Allow NTP"
## 5600-syslog.conf
-A digabi-input -p tcp -m tcp --dport 514 -j ACCEPT -m comment --comment "Allow access to syslog"
-A digabi-input -p udp -m udp --dport 514 -j ACCEPT -m comment --comment "Allow access to syslog"
## 6000-allow-access-to-digabifi.conf
# Allow HTTPS access to digabi.fi server
-A digabi-output -p tcp -m tcp --dport 443 -d 83.145.200.151/32 -j ACCEPT -m comment --comment "Allow HTTPS access to digabi.fi"
## 6000-allow-dns.conf
-A OUTPUT -p udp --dport 53 -j ACCEPT -m comment --comment "Allow DNS out."
#-A OUTPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "Allow DNS out."
## 8999-return-digabi-tables.conf
-A digabi-output -j RETURN
-A digabi-input -j RETURN
## 9000-log-and-reject.conf
#
# Log traffic, and then reject it
#
# Note: currently blocks only TCP, UDP, and relies that default rules
# for these tables = DROP (otherwise other protocols might pass the
# firewall)
#
-A OUTPUT -m comment --comment "Log other traffic, before dropping it." -m limit --limit 2/min -j LOG --log-prefix "iptables reject "
-A OUTPUT -m comment --comment "Reject traffic (tcp)." -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -m comment --comment "Reject traffic (udp)." -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m comment --comment "Log other traffic, before dropping it." -m limit --limit 2/min -j LOG --log-prefix "iptables reject "
-A INPUT -m comment --comment "Reject traffic (tcp)." -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -m comment --comment "Reject traffic (udp)." -p udp -j REJECT --reject-with icmp-port-unreachable
## 9999-commit.conf
#
# digabi-firewall
#
# This MUST be the last rule
#
COMMIT
```
Exam-room server firewall listing (iptables -L):

```
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* Allow existing connections. */
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP (client-to-server). */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow ping request (someone pinging us). */
digabi-input all -- anywhere anywhere /* Custom Digabi rules. */
LOG all -- anywhere anywhere /* Log other traffic, before dropping it. */ limit: avg 2/min burst 5 LOG level warning prefix "iptables reject "
REJECT tcp -- anywhere anywhere /* Reject traffic (tcp). */ reject-with tcp-reset
REJECT udp -- anywhere anywhere /* Reject traffic (udp). */ reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* Allow existing connections. */
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Allow DHCP (server-to-client). */
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP (client-to-server). */
ACCEPT icmp -- anywhere anywhere icmp echo-reply /* Allow ping reply (ie. allow sending pong). */
digabi-output all -- anywhere anywhere /* Custom Digabi rules. */
ACCEPT udp -- anywhere anywhere udp dpt:domain /* Allow DNS out. */
LOG all -- anywhere anywhere /* Log other traffic, before dropping it. */ limit: avg 2/min burst 5 LOG level warning prefix "iptables reject "
REJECT tcp -- anywhere anywhere /* Reject traffic (tcp). */ reject-with tcp-reset
REJECT udp -- anywhere anywhere /* Reject traffic (udp). */ reject-with icmp-port-unreachable

Chain digabi-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* Allow access to webserver. */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* Allow access to HTTPS webserver. */
ACCEPT tcp -- anywhere anywhere tcp dpt:8020 /* Allow access to exam server */
ACCEPT all -- anywhere anywhere /* Allow localhost access */
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* Allow NTP */
ACCEPT tcp -- anywhere anywhere tcp dpt:shell /* Allow access to syslog */
ACCEPT udp -- anywhere anywhere udp dpt:syslog /* Allow access to syslog */
RETURN all -- anywhere anywhere

Chain digabi-output (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain /* Allow access to DNS. */
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* Allow HTTP. */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* Allow HTTPS. */
ACCEPT tcp -- anywhere anywhere tcp dpt:8020 /* Allow access from exam server */
ACCEPT all -- anywhere anywhere /* Allow localhost access */
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* Allow NTP */
ACCEPT tcp -- anywhere 83.145.200.151 tcp dpt:https /* Allow HTTPS access to digabi.fi */
RETURN all -- anywhere anywhere
```
Student machine
Incoming traffic
Incoming traffic on the student machine is restricted according to the following table.

Source address | Protocol | Destination address | Port | Description
---|---|---|---|---
* | icmp | * | echo-request | Allow ping request (someone pinging us)
* | tcp | * | dpt:8010 | Allow access to node server
* | udp | * | dpt:ntp[123] | Allow NTP
* | tcp | 10.10.0.0/24 | dpt:https[443] | Allow exam server

All other incoming traffic is logged with the rule "LOG all limit: avg 2/min burst 5 LOG level warning" and rejected.
Outgoing traffic
Outgoing traffic on the student machine is restricted according to the following table.

Source address | Protocol | Destination address | Port | Description
---|---|---|---|---
* | udp | * | spt:bootpc[68] dpt:bootps[67] | Allow DHCP (client-to-server).
* | icmp | * | echo-reply | Allow ping reply (ie. allow sending pong)
* | udp | * | dpt:domain[53] | Allow DNS out
* | udp | * | dpt:domain[53] | 
* | tcp | * | dpt:8010 | Allow access from node server
* | udp | * | dpt:ntp[123] | Allow NTP
* | tcp | 10.10.0.0/24 | dpt:https[443] | Allow exam server
* | tcp | * | dpt:http[80] | Reject HTTP / reject-with icmp-port-unreachable
* | tcp | * | dpt:https[443] | Reject HTTPS / reject-with icmp-port-unreachable
* | tcp | * | dpt:shell[514] | Allow remote syslog
* | tcp | * | dpt:http[80] | Allow HTTP.
* | tcp | * | dpt:https[443] | Allow HTTPS.
lo/8 | tcp | lo/8 | dpts:4010:4012 | Allow Maxima
* | tcp | 83.145.200.151 | dpt:https[443] | Allow HTTPS access to digabi.fi

All other outgoing traffic is logged with the rule "LOG all limit: avg 2/min burst 5 LOG level warning" and rejected.
Firewall details
Student machine firewall configuration:
```
## 0000-initialize-tables.conf
#
# digabi-firewall
#
# This MUST be the first rule
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
## 0001-add-digabi-tables.conf
# Create our custom tables
:digabi-input - [0:0]
:digabi-output - [0:0]
## 0200-allow-existing-connections.conf
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow existing connections." -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow existing connections."
## 0210-allow-dhcp.conf
-A OUTPUT -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP (client-to-server)." -j ACCEPT
## 0250-allow-ping.conf
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow ping request (someone pinging us)."
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT -m comment --comment "Allow ping reply (ie. allow sending pong)."
## 0500-forward-traffic-to-digabi-tables.conf
#
# Forwards traffic to digabi-input and digabi-output tables for custom
# filtering
#
-A OUTPUT -m comment --comment "Custom Digabi rules." -j digabi-output
-A INPUT -m comment --comment "Custom Digabi rules." -j digabi-input
## 4000-allow-dns-out.conf
-A digabi-output -p udp -m udp --dport 53 -j ACCEPT
## 4500-exam.conf
-A digabi-output -p tcp -m tcp --dport 8010 -j ACCEPT -m comment --comment "Allow access from node server"
-A digabi-input -p tcp -m tcp --dport 8010 -j ACCEPT -m comment --comment "Allow access to node server"
-A digabi-output -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "Allow NTP"
-A digabi-input -p udp -m udp --dport 123 -j ACCEPT -m comment --comment "Allow NTP"
-A digabi-input -d 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow exam server"
-A digabi-output -d 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow exam server"
-A digabi-output -p tcp -m tcp --dport 80 -j REJECT -m comment --comment "Reject HTTP"
-A digabi-output -p tcp -m tcp --dport 443 -j REJECT -m comment --comment "Reject HTTPS"
## 4600-syslog.conf
-A digabi-output -p tcp -m tcp --dport 514 -j ACCEPT -m comment --comment "Allow remote syslog"
## 5100-allow-http_https_out.conf
-A digabi-output -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP."
-A digabi-output -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS."
## 5100-allow-local-maximia.conf
-A digabi-output -o lo -p tcp -m tcp --dport 4010:4012 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -m comment --comment "Allow Maxima."
## 6000-allow-access-to-digabifi.conf
# Allow HTTPS access to digabi.fi server
-A digabi-output -p tcp -m tcp --dport 443 -d 83.145.200.151/32 -j ACCEPT -m comment --comment "Allow HTTPS access to digabi.fi"
## 6000-allow-dns.conf
-A OUTPUT -p udp --dport 53 -j ACCEPT -m comment --comment "Allow DNS out."
#-A OUTPUT -p tcp --dport 53 -j ACCEPT -m comment --comment "Allow DNS out."
## 8999-return-digabi-tables.conf
-A digabi-output -j RETURN
-A digabi-input -j RETURN
## 9000-log-and-reject.conf
#
# Log traffic, and then reject it
#
# Note: currently blocks only TCP, UDP, and relies that default rules
# for these tables = DROP (otherwise other protocols might pass the
# firewall)
#
-A OUTPUT -m comment --comment "Log other traffic, before dropping it." -m limit --limit 2/min -j LOG --log-prefix "iptables reject "
-A OUTPUT -m comment --comment "Reject traffic (tcp)." -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -m comment --comment "Reject traffic (udp)." -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m comment --comment "Log other traffic, before dropping it." -m limit --limit 2/min -j LOG --log-prefix "iptables reject "
-A INPUT -m comment --comment "Reject traffic (tcp)." -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -m comment --comment "Reject traffic (udp)." -p udp -j REJECT --reject-with icmp-port-unreachable
## 9999-commit.conf
#
# digabi-firewall
#
# This MUST be the last rule
#
COMMIT
```
Student machine firewall listing (iptables -L):

```
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* Allow existing connections. */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow ping request (someone pinging us). */
digabi-input all -- anywhere anywhere /* Custom Digabi rules. */
LOG all -- anywhere anywhere /* Log other traffic, before dropping it. */ limit: avg 2/min burst 5 LOG level warning prefix "iptables reject "
REJECT tcp -- anywhere anywhere /* Reject traffic (tcp). */ reject-with tcp-reset
REJECT udp -- anywhere anywhere /* Reject traffic (udp). */ reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED /* Allow existing connections. */
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP (client-to-server). */
ACCEPT icmp -- anywhere anywhere icmp echo-reply /* Allow ping reply (ie. allow sending pong). */
digabi-output all -- anywhere anywhere /* Custom Digabi rules. */
ACCEPT udp -- anywhere anywhere udp dpt:domain /* Allow DNS out. */
LOG all -- anywhere anywhere /* Log other traffic, before dropping it. */ limit: avg 2/min burst 5 LOG level warning prefix "iptables reject "
REJECT tcp -- anywhere anywhere /* Reject traffic (tcp). */ reject-with tcp-reset
REJECT udp -- anywhere anywhere /* Reject traffic (udp). */ reject-with icmp-port-unreachable

Chain digabi-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:8010 /* Allow access to node server */
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* Allow NTP */
ACCEPT tcp -- anywhere 10.10.0.0/24 tcp dpt:https /* Allow exam server */
RETURN all -- anywhere anywhere

Chain digabi-output (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:8010 /* Allow access from node server */
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* Allow NTP */
ACCEPT tcp -- anywhere 10.10.0.0/24 tcp dpt:https /* Allow exam server */
REJECT tcp -- anywhere anywhere tcp dpt:http /* Reject HTTP */ reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:https /* Reject HTTPS */ reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:shell /* Allow remote syslog */
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* Allow HTTP. */
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* Allow HTTPS. */
ACCEPT tcp -- loopback/8 loopback/8 tcp dpts:4010:4012 /* Allow Maxima. */
ACCEPT tcp -- anywhere 83.145.200.151 tcp dpt:https /* Allow HTTPS access to digabi.fi */
RETURN all -- anywhere anywhere
```
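Reading a chain listing by hand is error-prone because iptables stops at the first matching rule. The following Python is an added example (not DigabiOS code) that re-encodes the student machine's OUTPUT and digabi-output chains above as data and walks a packet through them with first-match semantics, so a support person can see which rule decides a given connection attempt; it covers new TCP/UDP connections only (the conntrack and ICMP rules are left out). Among other things it shows that the "Reject HTTPS" rule from 4500-exam.conf is reached before the later "Allow HTTPS." and digabi.fi rules, so those two never match.

```python
"""Walk a new outgoing packet through the student machine's OUTPUT chain.
Added example for this page, not DigabiOS code: the rules above are re-encoded
as data in file order; conntrack and ICMP rules are left out (new TCP/UDP only)."""
from ipaddress import ip_address, ip_network

def rule(target, proto=None, dport=None, dst=None, src=None, out=None, comment=""):
    # dport is an int or an inclusive (low, high) range; None means "any"
    return dict(target=target, proto=proto, dport=dport, out=out, comment=comment,
                dst=ip_network(dst) if dst else None, src=ip_network(src) if src else None)

CHAINS = {
    "OUTPUT": [  # policy DROP
        rule("ACCEPT", "udp", 67, comment="Allow DHCP (client-to-server)."),
        rule("digabi-output", comment="Custom Digabi rules."),
        rule("ACCEPT", "udp", 53, comment="Allow DNS out."),
        rule("LOG", comment="Log other traffic, before dropping it."),
        rule("REJECT", "tcp", comment="Reject traffic (tcp)."),
        rule("REJECT", "udp", comment="Reject traffic (udp)."),
    ],
    "digabi-output": [
        rule("ACCEPT", "udp", 53),
        rule("ACCEPT", "tcp", 8010, comment="Allow access from node server"),
        rule("ACCEPT", "udp", 123, comment="Allow NTP"),
        rule("ACCEPT", "tcp", 443, dst="10.10.0.0/24", comment="Allow exam server"),
        rule("REJECT", "tcp", 80, comment="Reject HTTP"),
        rule("REJECT", "tcp", 443, comment="Reject HTTPS"),
        rule("ACCEPT", "tcp", 514, comment="Allow remote syslog"),
        rule("ACCEPT", "tcp", 80, comment="Allow HTTP."),
        rule("ACCEPT", "tcp", 443, comment="Allow HTTPS."),
        rule("ACCEPT", "tcp", (4010, 4012), out="lo", src="127.0.0.0/8",
             dst="127.0.0.0/8", comment="Allow Maxima."),
        rule("ACCEPT", "tcp", 443, dst="83.145.200.151/32",
             comment="Allow HTTPS access to digabi.fi"),
        rule("RETURN"),
    ],
}

def _matches(r, pkt):
    lo, hi = r["dport"] if isinstance(r["dport"], tuple) else (r["dport"], r["dport"])
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (lo is None or lo <= pkt["dport"] <= hi)
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"])
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["out"] is None or r["out"] == pkt["out"]))

def _walk(pkt, chain):
    # First match wins; LOG is non-terminating; RETURN or the end of a user
    # chain hands the packet back to the caller, which tries its next rule.
    for r in (r for r in CHAINS[chain] if _matches(r, pkt) and r["target"] != "LOG"):
        if r["target"] == "RETURN":
            return None
        if r["target"] not in CHAINS:
            return (r["target"], r["comment"])
        verdict = _walk(pkt, r["target"])  # -j <user chain>
        if verdict is not None:
            return verdict
    return None

def evaluate(proto, dst, dport, src="10.10.1.23", out="eth0"):
    """Verdict for one new outgoing packet: (target, comment of the deciding rule)."""
    pkt = dict(proto=proto, src=src, dst=dst, dport=dport, out=out)
    return _walk(pkt, "OUTPUT") or ("DROP", "OUTPUT chain policy")
```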