Difference between revisions of "OPS335 Firewall Lab"

From CDOT Wiki
Jump to: navigation, search
(Verifying network connectivity to your VM)
(Redirected page to OPS335 Lab 2)
 
(90 intermediate revisions by 6 users not shown)
Line 1: Line 1:
[[Category:OPS335]][[Category:OPS335 Labs]]
+
#REDIRECT [[OPS335_Lab_2]]
{{Admon/caution|Draft:Do not use - Working in Progress|This warning message will be removed when it is ready.}}
 
 
 
 
 
==IPTABLES - The Linux firewall==
 
 
 
In this lab you will learn how to use iptables to build a simple Linux firewall on your first Virtual Machine.
 
 
 
==Instructions==
 
===Verifying network connectivity to your VM===
 
* Boot up your Fedora Host.
 
* Login in to your Fedora host with your LearnID.
 
* Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
 
* Start the 1st VM.
 
====On your VM ====
 
* Login with your LearnID to your VM.
 
* Open a terminal window and "su -" to root.
 
* Find out the MAC address of the NIC and the IP address assigned to it. Record this information on your lab log book.
 
* Disable your current firewall by flushing all rules in all chains in all tables and set up default policy for the INPUT, FORWARD, and OUTPUT chains to ACCEPT.
 
====On your Fedora Host ====
 
* Open a terminal window and perform the following connectivity tests:
 
** ping -c 2 [ip-of-vm1]
 
** ssh [LearnID]@[ip-of-vm1]
 
 
 
===Building a Simple Firewall on VM1 ===
 
'''On your VM1, on the "root" terminal, build a custom firewall by performing the following steps:'''
 
#Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
 
#Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
 
#Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
 
#Create a new chain named MYSSH in the filter table.
 
#Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
 
#Add a rule to your MYSSH chain to deny all traffic from 192.168.122.1 (i.e. your Fedora host). Also log these denied packets with log level 'info'.
 
#Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
 
#Make a new chain named MYICMP in the filter table.
 
#Add a rule to your MYICMP chain that denies ICMP pings from 192.168.122.1 (your Fedora host).
 
#Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of Fedora host's virbr0.
 
#Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
 
#Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
 
#Change the default policy on the INPUT chain in the filter table to DROP.
 
 
 
===Testing your custom firewall===
 
#Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
 
#Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
 
#Save your firewall rules.
 
 
 
== Completing the Lab ==
 
Answer the following questions
 
#What is your full name and Seneca student ID?
 
#Show your firewall rules using the output of the 'iptables -L' command.
 
#Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
 
#Show the log records generated by your invalid ssh attempts.
 
#What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?
 

Latest revision as of 11:13, 23 January 2016

Redirect to: