Difference between revisions of "OPS335 Firewall Lab"

From CDOT Wiki
Jump to: navigation, search
m (Clarifying VM3 instructions because firewalld doesn't work on MAC addresses.)
(Rewriting for fall 2015. All vms now using firewalld, host now using much more secure iptables.)
Line 1: Line 1:
 
[[Category:OPS335]][[Category:OPS335 Labs]]
 
[[Category:OPS335]][[Category:OPS335 Labs]]
 
==IPTABLES and Firewalld==
 
==IPTABLES and Firewalld==
In this lab you will learn how to use iptables to build and test a simple Linux firewall on your first Virtual Machine.  You will also get an introduction to firewalld, a new service that manages some firewall configuration for you.
+
In this lab you will learn how to use iptables and firewalld to build and test a simple Linux firewall on your servers.
  
 
==Instructions==
 
==Instructions==
Prior to beginning this lab verifying network connectivity between your host and your VM 1.
+
Prior to beginning this lab verify network connectivity between your host and your VMs.
 
* Boot up your host.
 
* Boot up your host.
 
* Login with your LearnID.
 
* Login with your LearnID.
 
* Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
 
* Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
* Start your 1st VM.
+
* Start your VMs.
* On the VM
+
* On the VMs
 
** Login with your LearnID to your VM and use "su -" to become root.
 
** Login with your LearnID to your VM and use "su -" to become root.
** Find out the MAC address of the NIC (eth0) and the IP address assigned to it. Record this information on your lab log book.
+
** Find out the MAC address of the NIC (usually eth0 or ens3) and the IP address assigned to it. Record this information on your lab log book.
** Disable your current firewall (firewalld), and enable the iptables firewall.
 
systemctl disable firewalld
 
systemctl enable iptables
 
**Reboot the VM, and check to make sure that iptables is running and firewalld is not.
 
***If iptables refuses to start, check your system logs for an error message explaining why.  Fix the error and try again.
 
**Flush all rules in all chains in all tables and set the default policy for the INPUT, FORWARD, and OUTPUT chains to ACCEPT.
 
  
 
*On your Host
 
*On your Host
** Open a terminal window and perform the following connectivity tests:
+
** Open a terminal window and perform the following connectivity tests to each vm:
*** ping -c 2 [ip-of-vm1]
+
*** ping -c 2 [ip-of-vm]
*** ssh [LearnID]@[ip-of-vm1]
+
*** ssh [LearnID]@[ip-of-vm]
  
*On both systems (Host and VM1)
+
*On both systems (Host and VMs)
 
** Run the command "ip neighbour show", extract relevant information from the outputs and record them on your lab log book. Indicate clearly the system on which the information was obtained.
 
** Run the command "ip neighbour show", extract relevant information from the outputs and record them on your lab log book. Indicate clearly the system on which the information was obtained.
 
** For a brief summary of the output format view the [http://linux-ip.net/gl/ip-cref/node61.html online documentation]
 
** For a brief summary of the output format view the [http://linux-ip.net/gl/ip-cref/node61.html online documentation]
  
===Building a Simple Firewall on VM1 ===
+
*You will now modify the firewall on your host to be more secure.  As several rules are automatically added for you because of the virtual network, the next portion of the lab is will be done with your virtual network shut off.
'''On your VM1 build a custom firewall by performing the following steps:'''
+
*Shutdown your VMs
#Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
+
*Stop the libvirtd service on the host
 +
*Restart the iptables service on the host
 +
 
 +
==Building a Simple Firewall on the Host ==
 +
'''On your Host build a custom firewall by performing the following steps:'''
 +
#Remove the rules in your input chain that are allowing all icmp and ssh traffic.
 
#Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
 
#Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
#Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED and RELATED incoming connections.
+
#Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
 +
#Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
 
#Create a new chain named MYSSH in the filter table.
 
#Create a new chain named MYSSH in the filter table.
#Add a rule to the beginning of the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
+
#Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
#Add a rule to your MYSSH chain to deny all traffic from 192.168.X.1 (i.e. your host). Also log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH".
+
#Add a rule to your MYSSH chain to accpept all traffic on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
#Add a rule to the end of the INPUT chain of the filter table that allows all ssh connections.
+
#Add rules to the end of the MYSSH chain to drops all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
 
#Make a new chain named MYICMP in the filter table.
 
#Make a new chain named MYICMP in the filter table.
 
#Add a rule to the beginning of the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
 
#Add a rule to the beginning of the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
#Add a rule to your MYICMP chain that denies ICMP pings from 192.168.X.1 (your host).
+
#find a partner and get the ipaddress and MAC address of their external facing interface.
#Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of the host's virbr0.
+
#Add a rule to your MYICMP chain that allows ICMP packets coming in on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
#Add a rule to the end of your INPUT chain that allows ICMP pings from anywhere.
+
#Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of your partner's machine.
#Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
+
#Add a rule to your MYICMP chain that denies ICMP pings originating with ip address of your partner's machine.
  
===Testing your custom firewall===
+
*Save your rules and list them.
*On your host use nmap to scan your firewall on your VM and observe the output.
+
*start the libvirtd service.
**If you don't have nmap on your host then install it.
+
**Note how this adds a number of rules to your tables. In the future, if you save your iptables rules with these rules in your tables, you will notice them start to duplicate.
*Use ping and ssh from your host (192.168.x.1) to verify your firewall is working properly. Be sure to check the log file on the VM for your unsuccessful ssh attempts.
 
*Save your firewall rules.
 
*Turn the firewall on your VM off, then try scanning again.  Note how the output is different.
 
**Make sure you turn the firewall back on when you are done.
 
  
==Building a Firewall With Firewalld on VM3==
+
==Building a Firewall With Firewalld on VMs==
On your VM 3 we will build a firewall using the newer standard firewalld.
+
On your VMs we will build a firewall using the newer standard firewalld.
*Move your eth0 interface into the zone 'work'.
+
*Start VM1, become root, and make the following changes:
 +
*Move your active interface into the zone 'work'.
 
*Remove all services except ssh from the work zone (effectively blocking all incoming traffic except ssh).
 
*Remove all services except ssh from the work zone (effectively blocking all incoming traffic except ssh).
*Use the firewallcmd rich rules to make the following changes (very similar to what you did on VM 1):
+
*Use the firewall-cmd rich rules to make the following changes:
**Log and block all ssh attempts from your host's ip address.  Use the same log message as on your other machines.
+
**Block all ssh attempts from your host's ip address, adding a log entry with the message 'DENIED BY MYSSH' every time it attempts to connect.
**Block all pings from the host's ip address.
+
**Block all pings expect for those that come from your internal network.
**Allow pings from your other VMs.
 
*Unlike iptables where you save your current state in bulk, firewalld requires you to save each change independently.
 
 
*Make sure your changes are permanent.
 
*Make sure your changes are permanent.
 +
*Repeat these changes on your other VMs.
  
==Building a Simple Firewall on your VM 2 ==
+
==Testing your custom firewall==
#Repeat the steps from 'Building a Simple Firewall on VM1' and 'Testing your custom firewall' on your VM 2.
+
*On your host use nmap to scan your firewall on your VMs and observe the output.
#Double check that the all VMs can still ping and SSH each other.
+
**If you don't have nmap on your host then install it.  Install it on your VMs as well.
 +
*Use ping and ssh between your host and VMs to verify your firewall is working properly. Be sure to check the log file on the host for your unsuccessful ssh attempts.
 +
*Save your firewall rules.
 +
*Turn the firewall on your VM off, then try scanning again.  Note how the output is different.
 +
**Make sure you turn the firewall back on when you are done.
 +
*Double check that the all VMs can still ping and SSH each other.
  
 
== Completing the Lab ==
 
== Completing the Lab ==
Upon completion of this lab each of your VMs has a firewall protecting them from unexpected traffic.  Reboot your machines and ensure that this protection remains in place after they are shut down.  You will be building on these rules for the rest of the course.  You should now have a basic understanding of the commands necessary to modify firewalls using iptables and firewalld.
+
Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic.  Reboot your machines and ensure that this protection remains in place after they are shut down.  You will be building on these rules for the rest of the course.
  
Scan each of your machines with nmap.  Observe how the results are different depending on which machine you scanned from.
+
You should now have a basic understanding of the commands necessary to modify firewalls using iptables and firewalld.  Scan each of your machines with nmap.  Observe how the results differ depending on which machine you scanned from.
  
 
Exploration questions
 
Exploration questions
Line 76: Line 77:
 
#How could you display the log records generated by your invalid ssh attempts without including any unrelated entries.
 
#How could you display the log records generated by your invalid ssh attempts without including any unrelated entries.
 
#What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from your host to your VM1?
 
#What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from your host to your VM1?
#Which rule in the MYICMP chain is actually responsible for denying icmp packets from your Fedora host? Why?
+
#Which rule in the MYICMP chain is actually responsible for denying icmp packets from your partner? Why?
 +
#Which optional module could be used to work with packets based on whether they are new connections or not?
  
 
{{Admon/important|Time for a new backup!|Once have successfully completed this lab, make a new backup of your virtual machines.}}
 
{{Admon/important|Time for a new backup!|Once have successfully completed this lab, make a new backup of your virtual machines.}}

Revision as of 10:39, 3 September 2015

IPTABLES and Firewalld

In this lab you will learn how to use iptables and firewalld to build and test a simple Linux firewall on your servers.

Instructions

Prior to beginning this lab verify network connectivity between your host and your VMs.

  • Boot up your host.
  • Login with your LearnID.
  • Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
  • Start your VMs.
  • On the VMs
    • Login with your LearnID to your VM and use "su -" to become root.
    • Find out the MAC address of the NIC (usually eth0 or ens3) and the IP address assigned to it. Record this information on your lab log book.
  • On your Host
    • Open a terminal window and perform the following connectivity tests to each vm:
      • ping -c 2 [ip-of-vm]
      • ssh [LearnID]@[ip-of-vm]
  • On both systems (Host and VMs)
    • Run the command "ip neighbour show", extract relevant information from the outputs and record them on your lab log book. Indicate clearly the system on which the information was obtained.
    • For a brief summary of the output format view the online documentation
  • You will now modify the firewall on your host to be more secure. As several rules are automatically added for you because of the virtual network, the next portion of the lab is will be done with your virtual network shut off.
  • Shutdown your VMs
  • Stop the libvirtd service on the host
  • Restart the iptables service on the host

Building a Simple Firewall on the Host

On your Host build a custom firewall by performing the following steps:

  1. Remove the rules in your input chain that are allowing all icmp and ssh traffic.
  2. Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
  3. Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
  4. Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
  5. Create a new chain named MYSSH in the filter table.
  6. Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
  7. Add a rule to your MYSSH chain to accpept all traffic on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
  8. Add rules to the end of the MYSSH chain to drops all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
  9. Make a new chain named MYICMP in the filter table.
  10. Add a rule to the beginning of the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
  11. find a partner and get the ipaddress and MAC address of their external facing interface.
  12. Add a rule to your MYICMP chain that allows ICMP packets coming in on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
  13. Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of your partner's machine.
  14. Add a rule to your MYICMP chain that denies ICMP pings originating with ip address of your partner's machine.
  • Save your rules and list them.
  • start the libvirtd service.
    • Note how this adds a number of rules to your tables. In the future, if you save your iptables rules with these rules in your tables, you will notice them start to duplicate.

Building a Firewall With Firewalld on VMs

On your VMs we will build a firewall using the newer standard firewalld.

  • Start VM1, become root, and make the following changes:
  • Move your active interface into the zone 'work'.
  • Remove all services except ssh from the work zone (effectively blocking all incoming traffic except ssh).
  • Use the firewall-cmd rich rules to make the following changes:
    • Block all ssh attempts from your host's ip address, adding a log entry with the message 'DENIED BY MYSSH' every time it attempts to connect.
    • Block all pings expect for those that come from your internal network.
  • Make sure your changes are permanent.
  • Repeat these changes on your other VMs.

Testing your custom firewall

  • On your host use nmap to scan your firewall on your VMs and observe the output.
    • If you don't have nmap on your host then install it. Install it on your VMs as well.
  • Use ping and ssh between your host and VMs to verify your firewall is working properly. Be sure to check the log file on the host for your unsuccessful ssh attempts.
  • Save your firewall rules.
  • Turn the firewall on your VM off, then try scanning again. Note how the output is different.
    • Make sure you turn the firewall back on when you are done.
  • Double check that the all VMs can still ping and SSH each other.

Completing the Lab

Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic. Reboot your machines and ensure that this protection remains in place after they are shut down. You will be building on these rules for the rest of the course.

You should now have a basic understanding of the commands necessary to modify firewalls using iptables and firewalld. Scan each of your machines with nmap. Observe how the results differ depending on which machine you scanned from.

Exploration questions

  1. View your firewall rules using the output of the 'iptables -L -n -v' command. Also save the output to a text file.
  2. How could you display the log records generated by your invalid ssh attempts without including any unrelated entries.
  3. What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from your host to your VM1?
  4. Which rule in the MYICMP chain is actually responsible for denying icmp packets from your partner? Why?
  5. Which optional module could be used to work with packets based on whether they are new connections or not?
Important.png
Time for a new backup!
Once have successfully completed this lab, make a new backup of your virtual machines.