Changes

Jump to: navigation, search

OPS235 Lab 7

11,863 bytes added, 06:35, 12 October 2016
no edit summary
<li>Inspect the log to see what kind of information is logged.</li>
</ol>
 
 
 
 
{| width="40%" align="right" cellpadding="10"
|- valign="top"
|
[[Image:chains.png|thumb|600px|right|When using iptables packets must pass-through "a chain of policy rules" in order to handle packets. If a packet matches a rule, then an action is taken (some examples include: '''ACCEPT''', '''DROP''', '''REJECT''', or '''LOG'''); otherwise, the packet will be directed to the default policy chain. ]]
|}
==== Using Firewalls in Linux (iptables)====
 
Since Linux servers can be connected to the Internet, it is very important to run a firewall to control what comes into the computer system, what goes out of the computer system, and what may be forwarded to another computer. A utility called '''iptables''' can be used to set the firewall rules on a Linux server.
 
Basically, there is a list ('''chain''') of policy rules that <u>'''packets'''</u> must pass-through in order to handle packets. If a packet matches a rule, then an action is taken (some examples include: '''ACCEPT''', '''DROP''', '''REJECT''', or '''LOG'''). If the packet passes through the chain of rules without a match, then the packet is directed to the default policy chain (for example: ''ACCEPT'', ''REJECT'', or ''DROP'').
 
You can create your own '''customized chains''' (which you will learn in the OPS335 course) but to keep thing simple, we only deal with 3 '''common predefined chains''':
 
:*'''INPUT''': Packets coming into current Linux server
:*'''OUTPUT''': Packets leaving current Linux server
:*'''FORWARD''': Packets being routed between Linux servers
 
 
:'''Perform the following steps:'''
 
# For the remainder of this section, use your '''c7host''' machine.
# Issue the following command to list the existing iptables policy rules: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -L</span></code></b>.
# Were there already iptables policy rules that already existed by default?
# Issue the following command to reset the iptables policy rules: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -F</span></code></b>.
# Issue the '''iptables -L''' command to verify that the iptables rules have been reset.
 
 
==== Setting Default Policy and Policy Exceptions with iptables ====
 
Usually when setting policy rules with iptables, a general "overall" policy is set (default policy chain), and then set policy rules in other chains which act as exceptions to the default policy. A general policy would apply to ALL types of packets (tcp, udp, icmp) and all communication port numbers (80, 22, etc).
 
The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-P</span></code></b> is used with the iptables command to set a default policy chain.
 
'''Examples:'''
 
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="30%">'''iptables -P INPUT DROP'''</td><td>Set default policy to drop all incoming connections for ALL protocols, ALL communication ports, ALL IP addresses</td>
</tr><tr>
<td>'''iptables -P OUTPUT DROP'''</td><td>Set default policy to drop all outgoing connections for ALL protocols, ALL communication ports, ALL IP addresses</td>
</tr>
</table>
 
 
After the overall default policy is set, then you can create policy rules that are "exceptions" to the default policy rules. The <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-j</span></code></b> option is used to redirect (jump) packets to actions (ACCEPT, REJECT, DROP, LOG) if the packet match that policy rule. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-p</span></code></b> will indicate the protocol used (eg. tcp, upd, icmp). The options <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">--dport</span></code></b> or <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">--sport</span></code></b> indicate the "destination communication port" or "source communication port" respectively. You can view the file '''/etc/services''' to determine the communication port number for the appropriate network service. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-A</span></code></b> is used to append the policy rule to the <u>bottom</u> of the chain. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-I</span></code></b> is used to insert a policy rule before an existing policy line number (if used with no number, will insert at the <u>top</u> of the chain)
 
'''Examples:'''
 
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="40%">'''iptables -A INPUT -p tcp --sport 80 -j ACCEPT'''</td><td>Append policy to <u>'''bottom'''</u> of INPUT chain to accept all tcp packets from port 80</td>
</tr><tr>
<td>'''iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT'''</td><td>Append policy to <u>'''bottom'''</u> of OUTPUT chain to accept all tcp packets to port 80</td>
</tr><tr>
<td>'''iptables -I INPUT -p tcp --sport 22 -j LOG'''</td><td>Insert policy at '''<u>top</u>''' of INPUT chain to log all tcp packets from port 22</td>
</tr><tr>
<td>'''iptables -I INPUT 3 -p tcp --dport 22 -j LOG'''</td><td>Insert policy <u>'''before line 3'''</u> of INPUT chain to log all tcp packets from port 22</td>
</tr>
</table>
 
 
You can also set exceptions to the default policy for specific IP Addresses by using the options <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-d IPADDR</span></code></b> or <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-s IPADDR</span></code></b>
 
 
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="45%">'''iptables -A INPUT -p tcp -s 192.168.0.0/24 -sport 22 -j ACCEPT'''</td><td>Append policy to bottom of INPUT chain to ACCEPT tcp packets from IP Address 192.168.0.0 from communication port 22</td>
</tr><tr>
<td>'''iptables -A OUTPUT -p tcp -d 192.168.0.138/24 -dport 80 -j REJECT'''</td><td>Append policy to bottom of OUTPUT chain to REJECT tcp packets to IP Address 192.168.0.138 via communication port 80</td>
</tr>
</table>
 
 
:'''Perform the following steps:'''
 
# Remain in your '''c7host''' VM for this section.
# Set the default policy for the INPUT chain to DROP by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Now try on your own to change the default policies for the OUTPUT chain to DROP
# Issue the commmand <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b> to verify that the policies on your INPUT and OUTPUT chain are set to DROP
# Open a browser and attempt to access the Internet. Were you successful?
# Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT
# Open your browser and attempt to access the Internet again. Were you successful?
# Change the policies on all of the chains to DROP
#In the OUTPUT chain, add the following rule:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -A OUTPUT -j LOG</span></code></b>. The above rule tells '''iptables''' to log packets and relevant information to '''/var/log/messages'''.
#Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged.
# Let's have a look at the log file and analyze the data: <b><code><span style="font-family:courier;color:#3366CC;font-size:1.2em;">tail /var/log/messages</span></code></b><br><br>
::This command shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:<br><code style="font-family:courier;font-size:1.2em;">Jun 24 12:41:26 c7host kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16442 DF PROTO=TCP SPT=57151 DPT=5902 WINDOW=1024 RES=0x00 ACK URGP=0</code><br><br>Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value. When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?<br><br>
<ol>
<li value="11">Using the commands we already know, change the default policies on all of your chains to ACCEPT.</li>
<li>Open a browser and confirm that you can access the world wide web.</li>
<li>Enter the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</span></code></b></li>
<li>Try to access the Web. If you have done everything right, you should not have been successful.</li>
<li>After you have completed the test execute the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b><br></li>
<li>Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.</li>
<li>After you have completed this task, flush the iptables again.</li>
<li>Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.</li>
<li>Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.</li>
<li>Confirm that your rule works by testing from your VM's</li>
<li>Does iptables close the port? Check using '''netstat'''</li>
<li>Now insert a rule on the CentOS host that would ACCEPT connections from the centos3 VM only.</li>
<li>Fully test your configuration.</li>
<li>Flush the iptables rules for INPUT, OUTPUT and FORWARD chains.</li></ol>
 
{{Admon/important|Make Certain iptables rules are Flushed Before Saving|In the next section, you will learn to keep your iptables rules persistent, so they remain even if the Linux system is rebooted. If you do NOT flush the iptables rules prior to the next section, your lab6-checking script will not generate all OKs, and you may experience problems in lab7.}}
==== Making iptables Policies Persistent ====
 
Any changes to your iptables policy rules will be lost when you restart your Linux server, unless you make your iptables rules persistent. Failure to perform the following steps after setting up your firewall rules can cause confusion and wasted time.
 
 
:'''Perform the following steps:'''
 
# Flush all of your iptables rules by issuing the following command: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b>
# Verify there are no iptables rules by issuing the command: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b>
# Make a backup of the file '''/etc/sysconfig/iptables''' by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables-save > /etc/sysconfig/iptables.bk</span></code></b>
#To make the iptables rules '''persistent''' (i.e. keeps rules when system restarts), you issue the command: <br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables-save > /etc/sysconfig/iptables</span></code></b>
# Verify that the file '''/etc/sysconfig/iptables''' exists.
# Restart your iptables service and test your configuration.
 
 
'''Answer INVESTIGATION 3 observations / questions in your lab log book.'''
13,420
edits

Navigation menu