Difference between revisions of "OPS335 Firewall Lab"

From CDOT Wiki
Jump to: navigation, search
(Created page with 'FOCUS: Configure a Linux Gateway for Linux Hosts inside an Intranet This lab will show you how to set up a simple intranet using one Fedora PC as a gateway. The same Fedora PC w…')
 
Line 1: Line 1:
FOCUS: Configure a Linux Gateway for Linux Hosts inside an Intranet
+
- OPS335 -
This lab will show you how to set up a simple intranet using one Fedora PC as a gateway.  The same Fedora PC will be a host to a Fedora VM (Virtual Machine) which will act as a PC inside an intranet. Here is a diagram of your setup.
 
  
REQUIREMENTS: Lab00 should be completed and you should have a copy of Fedora 13, x86_64 live CD.
+
OPEN SERVER ADMINISTRATION
  
PART A - Setting up the VM Host PC with one guest VM.
+
Lab #02
  
Boot up your Fedora 13 x86_64 system, login as joker and use Firefox to authenticate your web access using your LEARN account and password.
+
FOCUS: Basic IP Tables
Open a terminal window and su to root.
 
Ensure your system date and time are correct.
 
Start your ssh server [ service sshd start ] - you'll need this later in the lab. If you want your ssh server to be started each time you boot up, enter this command [ chkconfig --levels 2345 sshd on ].
 
Ensure your system is up to date [ yum update ].
 
Install the virtualization software [ yum groupinstall virtualization ].
 
Start the libvirt daemon [ service libvirtd start ]. If you want the libvirt daemon to start at every boot up, enter this command [ chkconfig --levels 2345 libvirtd on ].
 
Restart your firewall [ service iptables restart ].
 
You are now ready to build a VM guest. You learned how to do this last semester in OPS235. If you need to be refreshed please refer to OPS235 LAB06.
 
  
Start the virtual machine manager [ virt-manager ].
+
In this lab you will learn how to use iptables to build a simple Linux firewall.
Enter the root password.
 
Click on the icon "Create a new virtual machine".
 
Name your machine "vm01" then click on the "forward" button.
 
Insert your F13 CD and select "Use CDROM".
 
For "OS type" select "Linux" and for Version select "Fedora 13" then click on the "Forward" button.
 
Let the RAM default to 512MB and the CPUs to 1. Then click on the "Forward" button.
 
Leave the disk image size set at 8GB and ensure "Allocate entire disk now" is checked, then click on the "Forward" button.
 
At the "Ready to begin installation" window click on the "Finish" button.
 
Once your Fedora Live CD boots up, login and double click the "Install to Hard Disk" icon.
 
Click the "Next" button to begin your F13 installation.
 
Select "US English" for your keyboard and click on the "Next" button.
 
Ensure "Basic Storage Devices" is selected and click on the "Next" button.
 
Select the "Virtio Block Device" check box and click on the "Next" button.
 
Click on the "Re-initialize All" button".
 
Change your hostname to "vm01.localdomain" and click on the "Next" button.
 
Select "America/Toronto" as your timezone and click on the "Next" button.
 
Enter the password for root and click on the "Next" button.
 
Select "Use All Space" and click on the "Next" button.
 
Click on the "Write Changes to Disk" button.
 
When the "Congratulations" window is displayed click on the "Close" button.
 
Now, from the System men on the host PC, select "Shutdown" and then click on the "Restart" button.
 
At the "Welcome" screen click on the "Froward" button.
 
At the "License" window click on the "Forward" button.
 
Enter a user name of "Joker" and add the password then click the "Forward" button.
 
Enter the correct date and time and click on the "Forward" button.
 
In the "Profile" window, click on the "Finish" button and "Do not send profile".
 
Now login as user "joker" and open a terminal window.
 
Switch to root and update your VM guest machine [ yum update ]. This could take a long time and you should reboot after it's done.
 
Ensure your VM guest has internet access [ host cbc.ca ].
 
  
Proceed to PART B.
+
Part A:  Building a Simple Firewall
PART B - Testing your Gateway.
+
Login as joker to your Fedora 13 PC. NOTE: It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
Try pinging each machine from the other.
+
Open a terminal window and "su -" to root.
Try pinging Matrix from each machine.
+
Disable your current firewall. i.e. flush all rules in all chains in all tables.
Start the ssh server on both machines [ service sshd start ].
+
Now build a custom firewall by performing the following steps:
Enable the ssh server at startup on both machines [ chkconfig --levels 2345 sshd on ].
 
Start Firefox on your host machine and authenticate yourself on Senenet.
 
Try to ssh from the guest to the host machine. This should work.
 
Try to ssh from the host to the guest machine. This should not work.
 
Try to ssh to your Matrix account from both the host and guest machines.
 
Try to ssh from your Matrix account back to your host and guest machines.
 
Add one iptables rule to the guest firewall that will accept new ssh connections to the guest machine.
 
Save your new firewall rules [ iptables-save > /etc/sysconfig/iptables ]
 
Reboot your guest machine.
 
Try to ssh from the host to the guest machine. This should now work.
 
Start Firefox on the guest machine and try surfing the web without authicating yourself on Senenet. i.e. only the host machine is authenticated.
 
PART C - Answer the following questions and and email them to your instructor in ASCII text format.
 
  
 +
Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
 +
Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
 +
Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
 +
Create a new chain named MYSSH in the filter table.
 +
Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
 +
Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
 +
Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
 +
Make a new chain named MYICMP in the filter table.
 +
Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
 +
Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
 +
Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
 +
Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
 +
Change the default policy on the INPUT chain in the filter table to DROP.
 +
Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
 +
Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
 +
Use iptables-save command to save your firewall rules.
 +
 +
Part B: Answer the following questions
 
What is your full name and Seneca student ID?
 
What is your full name and Seneca student ID?
What iptables rule did you add in PART B step 10?
+
Show your firewall rules using the output of the iptables-save command.
Explain how Network Address Translation is accomplished on the host. Refer specifically to the 3 rules in the POSTROUTING chain of the nat table on the host machine.
+
Show the results of your nmap scans from part A. Be sure to also show the exact nmap command you used.
How is ping and ssh affected (on both machines) if you disable ip forwarding on the host machine [ echo 0 > /proc/sys/net/ipv4/ip_forward ]?
+
Show the log records generated by your invalid ssh attempts in part A.
Did you clean up your work area, power off your PC and push your chair under the table when you completed this lab?
+
What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?

Revision as of 21:30, 30 August 2011

- OPS335 -

OPEN SERVER ADMINISTRATION

Lab #02

FOCUS: Basic IP Tables

In this lab you will learn how to use iptables to build a simple Linux firewall.

Part A: Building a Simple Firewall Login as joker to your Fedora 13 PC. NOTE: It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0. Open a terminal window and "su -" to root. Disable your current firewall. i.e. flush all rules in all chains in all tables. Now build a custom firewall by performing the following steps:

Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface. Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53. Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections. Create a new chain named MYSSH in the filter table. Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain. Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'. Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections. Make a new chain named MYICMP in the filter table. Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you). Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command). Add a rule to your MYICMP chain that allows ICMP pings from anywhere. Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain. Change the default policy on the INPUT chain in the filter table to DROP. Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it. Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts. Use iptables-save command to save your firewall rules.

Part B: Answer the following questions What is your full name and Seneca student ID? Show your firewall rules using the output of the iptables-save command. Show the results of your nmap scans from part A. Be sure to also show the exact nmap command you used. Show the log records generated by your invalid ssh attempts in part A. What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?