Difference between revisions of "OPS335 Firewall Lab"

Revision as of 19:27, 6 September 2011

In this lab you will learn how to use iptables to build a simple Linux firewall.

Login as joker to your Fedora 13 PC.
- It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
Open a terminal window and "su -" to root.
Disable your current firewall. i.e. flush all rules in all chains in all tables.

Build a custom firewall by performing the following steps:

Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
Create a new chain named MYSSH in the filter table.
Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
Make a new chain named MYICMP in the filter table.
Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
Change the default policy on the INPUT chain in the filter table to DROP.

Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
Save your firewall rules.

Answer the following questions

What is your full name and Seneca student ID?
Show your firewall rules using the output of the iptables-save command.
Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
Show the log records generated by your invalid ssh attempts.
What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?

@@ Line 7: / Line 7: @@
 ==Instructions==
 ===Building a Simple Firewall===
-#Login as joker to your Fedora 13 PC.
+*Login as joker to your Fedora 13 PC.
-#*It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
+**It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
-#Open a terminal window and "su -" to root.
+*Open a terminal window and "su -" to root.
-#Disable your current firewall. i.e. flush all rules in all chains in all tables.
+*Disable your current firewall. i.e. flush all rules in all chains in all tables.
 Build a custom firewall by performing the following steps:
 #Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
@@ Line 25: / Line 25: @@
 #Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
 #Change the default policy on the INPUT chain in the filter table to DROP.
 ===Testing your custom firewall===
 #Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.