Difference between revisions of "OPS335 Firewall Lab"
(→Building a Simple Firewall) |
(→Building a Simple Firewall) |
||
Line 26: | Line 26: | ||
#Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain. | #Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain. | ||
#Change the default policy on the INPUT chain in the filter table to DROP. | #Change the default policy on the INPUT chain in the filter table to DROP. | ||
+ | ===Testing your custom firewall=== | ||
#Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it. | #Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it. | ||
#Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts. | #Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts. | ||
− | # | + | #Save your firewall rules. |
== Completing the Lab == | == Completing the Lab == |
Revision as of 18:58, 6 September 2011
Contents
Basic IP Tables
In this lab you will learn how to use iptables to build a simple Linux firewall.
Instructions
Building a Simple Firewall
- Login as joker to your Fedora 13 PC.
- It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
- Open a terminal window and "su -" to root.
- Disable your current firewall. i.e. flush all rules in all chains in all tables.
Build a custom firewall by performing the following steps:
- Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
- Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
- Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
- Create a new chain named MYSSH in the filter table.
- Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
- Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
- Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
- Make a new chain named MYICMP in the filter table.
- Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
- Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
- Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
- Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
- Change the default policy on the INPUT chain in the filter table to DROP.
Testing your custom firewall
- Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
- Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
- Save your firewall rules.
Completing the Lab
Answer the following questions
- What is your full name and Seneca student ID?
- Show your firewall rules using the output of the iptables-save command.
- Show the results of your nmap scans from part A. Be sure to also show the exact nmap command you used.
- Show the log records generated by your invalid ssh attempts in part A.
- What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?