CDOT Wiki β

OPS335 Firewall Lab

3,307 bytes removed, 12:13, 23 January 2016
Redirected page to OPS335 Lab 2
#REDIRECT [[OPS335 Lab 2]]

Removed content (the previous revision of the page):

[[Category:OPS335]][[Category:OPS335 Labs]]
{{Admon/caution|Draft: Do not use - Work in Progress|This warning message will be removed when it is ready.}}

==IPTABLES - The Linux firewall==
In this lab you will learn how to use iptables to build a simple Linux firewall on your first Virtual Machine.

==Instructions==
===Verifying network connectivity to your VM===
* Boot up your Fedora Host.
* Log in to your Fedora host with your LearnID.
* Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information in your lab log book.
* Start the 1st VM.

====On your VM====
* Log in to your VM with your LearnID.
* Open a terminal window and "su -" to root.
* Find out the MAC address of the NIC and the IP address assigned to it. Record this information in your lab log book.
* Disable your current firewall by flushing all rules in all chains in all tables and setting the default policy for the INPUT, FORWARD, and OUTPUT chains to ACCEPT.

====On your Fedora Host====
* Open a terminal window and perform the following connectivity tests:
** ping -c 2 [ip-of-vm1]
** ssh [LearnID]@[ip-of-vm1]

===Building a Simple Firewall on VM1===
'''On your VM1, on the "root" terminal, build a custom firewall by performing the following steps:'''
# Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
# Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53, i.e. the source port is 53.
# Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
# Create a new chain named MYSSH in the filter table.
# Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
# Add a rule to your MYSSH chain to deny all traffic from 192.168.122.1 (i.e. your Fedora host). Also log these denied packets with log level 'info'.
# Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
# Make a new chain named MYICMP in the filter table.
# Add a rule to your MYICMP chain that denies ICMP pings from 192.168.122.1 (your Fedora host).
# Add a rule to your MYICMP chain that denies ICMP pings originating from the MAC address of the Fedora host's virbr0.
# Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
# Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
# Change the default policy on the INPUT chain in the filter table to DROP.

===Testing your custom firewall===
# Use nmap to scan your firewall from 192.168.122.1. If you don't have nmap on your system, install it.
# Use ping and ssh from 192.168.122.1 (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
# Save your firewall rules.

==Completing the Lab==
Answer the following questions:
# What is your full name and Seneca student ID?
# Show your firewall rules using the output of the 'iptables -L' command.
# Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
# Show the log records generated by your invalid ssh attempts.
# What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 192.168.122.1 to your VM?
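The script below is an added example and is not part of the OPS335 lab page or its solution. It turns the "disable your current firewall" step and the thirteen rule-building steps into a POSIX shell script that prints the iptables commands for review (or applies them with --apply as root). The host IP 192.168.122.1 comes from the lab; HOST_MAC is a constructed placeholder for the virbr0 MAC address you recorded in your lab log book, "deny" is implemented as DROP, and the --log-prefix string is an assumption added so the log lines are easy to find.

```shell
#!/bin/sh
# Added example (not from the OPS335 lab page): emits the iptables
# commands for the lab's custom firewall so they can be reviewed before
# being applied. HOST_IP is the Fedora host from the lab text; HOST_MAC is
# a constructed placeholder for the host's virbr0 MAC address. "Deny" is
# implemented as DROP (REJECT would also satisfy the lab text).
HOST_IP="${HOST_IP:-192.168.122.1}"
HOST_MAC="${HOST_MAC:-52:54:00:aa:bb:cc}"   # constructed placeholder, replace it

# "Disable your current firewall": flush every chain in every table,
# delete user-defined chains, and set the built-in policies to ACCEPT.
reset_rules() {
    for t in filter nat mangle raw; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done
    for c in INPUT FORWARD OUTPUT; do
        echo "iptables -P $c ACCEPT"
    done
}

# The lab's thirteen steps, in order. Order matters twice: LOG is a
# non-terminating target, so the logging rule must sit before the DROP in
# MYSSH, and the INPUT policy is switched to DROP last so the ssh session
# used to build the firewall is never cut off part-way through.
build_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N MYSSH
iptables -A INPUT -p tcp --dport 22 -j MYSSH
iptables -A MYSSH -s $HOST_IP -j LOG --log-level info --log-prefix "MYSSH denied: "
iptables -A MYSSH -s $HOST_IP -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -N MYICMP
iptables -A MYICMP -p icmp --icmp-type echo-request -s $HOST_IP -j DROP
iptables -A MYICMP -p icmp --icmp-type echo-request -m mac --mac-source $HOST_MAC -j DROP
iptables -A MYICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j MYICMP
iptables -P INPUT DROP
EOF
}

# Number of rule-building commands; a quick sanity check that no step
# was dropped when editing the list above.
rule_count() {
    build_rules | grep -c '^iptables '
}

# Execute the commands only when running as root; otherwise print them.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing the commands instead of applying them" >&2
        reset_rules
        build_rules
        return 1
    fi
    { reset_rules; build_rules; } | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  reset_rules; build_rules ;;
esac
```

Run it with --show first and read the output against the lab steps; only then run it with --apply as root on VM1. After the LOG rule fires, the denied ssh attempts from 192.168.122.1 appear in the kernel log with the "MYSSH denied:" prefix, which is what the testing section asks you to check.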