Difference between revisions of "OPS335 Firewall Lab"

From CDOT Wiki
Jump to: navigation, search
(IPTABLES)
Line 1: Line 1:
 
[[Category:OPS335]][[Category:OPS335 Labs]]
 
[[Category:OPS335]][[Category:OPS335 Labs]]
==IPTABLES and Firewalld==
+
= PACKET FILTERING USING IPTABLES =
In this lab you will learn how to use iptables and firewalld to build and test a simple Linux firewall on your servers.
 
  
You're supposed to find and use documentation to learn how to complete these tasks, and of course you can ask your prof or lab assistant for help. Some introductory commands are provided to help you get started but the important part is that you learn this yourself. Learning how to find relevant documentation and understand it is just as important as the exact commands you'll finally use.
+
==OVERVIEW & PREPARATION==
 +
In this lab, you will learn how to use '''iptables''' to build a simple '''Linux firewall''' on your servers.
  
== Instructions ==
+
iptables is a <u>very complex</u> topic. Fortunately, you are not required to become an "iptables expert", but by the end of the course, you should be able to use iptables to properly secure your servers.
  
Prior to beginning this lab verify network connectivity between your host and your VMs.
+
You were exposed to iptables in your OPS235 course. You should refer to those notes or find and use documentation to learn how to complete these tasks. You can also ask your professor or lab assistant during the lab for help when using iptables. Some basic iptables commands are provided in this lab for reference, but it is also essential that you know how to obtain help (man pages and online) in order to become self-reliant.
* Boot up your host.
 
* Login with your LearnID.
 
* Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
 
* Start your VMs.
 
* On the VMs
 
** Login with your LearnID to your VM and use "su -" to become root.
 
** Find out the MAC address of the NIC (usually eth0 or ens3) and the IP address assigned to it. Record this information on your lab log book.
 
  
*On your Host
 
** Open a terminal window and perform the following connectivity tests to each vm:
 
*** ping -c 2 [ip-of-vm]
 
*** ssh [LearnID]@[ip-of-vm]
 
  
*On both systems (Host and VMs)
+
{{Admon/important |firewalld|In this lab we will be using ''iptables'', '''<u>not</u>''' ''firewalld''. Although both can be used at the same time, that would be too advantaged that this point of learning Linux network administration.<br>In the first labs, '''Prep for labs''', you should have disabled and stopped the firewalld service: [http://zenit.senecac.on.ca/wiki/index.php/OPS335_Installation_Lab#Using_iptables Prep for Labs].<br><br>You can also check the status of the firewalld service by issuing the '''systemctl''' command. You can also check if the firewalld service is running by issuing '''iptables -L''' and noting a high volume of unexpected output (i.e. "a strange result").
** Run the command "ip neighbour show", extract relevant information from the outputs and record them on your lab log book. Indicate clearly the system on which the information was obtained.
+
}}
** For a brief summary of the output format view the [http://linux-ip.net/gl/ip-cref/node61.html online documentation]
 
  
*You will now modify the firewall on your host to be more secure.  As several rules are automatically added for you because of the virtual network, the next portion of the lab is will be done with your virtual network shut off.
 
*Shutdown your VMs
 
*Stop the libvirtd service on the host
 
*Restart the iptables service on the host
 
  
== IPTABLES ==
+
===iptables Resources===
  
Iptables is a relatively simple technology but the syntax is a little verbose and it takes a bit of time to figure out how to create a whole set of rules that works properly. Here's a process you can follow to get this part of the lab done:
 
  
* Start with the default settings. When you install Iptables in CentOS it already has some rules predefined. The instructions below assume you have those default rules.
+
Some documentation to get started with (you'll need to find more):
* Add one rule at a time using the appropriate iptables command (which you'll figure out yourself). Then check to make sure your command worked using:
+
* [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ Week 3 Notes] Recommended to review and understand prior to performing this lab.
** <code>iptables -L</code> or <code>iptables -L -n</code> if you'd like to see numeric port numbers.
+
* [https://en.wikipedia.org/wiki/Iptables#Overview Overview] A excellent concise overview of iptables (ignore diagram).
** If possible - test it with an application (e.g. if SSH access is disabled/enabled - test with ssh).
+
* [https://wiki.centos.org/HowTos/Network/IPTables CentOS Wiki] Listing of basic commands (not all required to know).
* Save your rule in a bash script (.sh file) so you don't lose it and can rerun it easily.
+
 
* If your command didn't work - the easiest thing to do is:
+
 
** Reload the default rules. You can do that by restarting the iptables service.
+
===How Firewalls (iptables) Relate to the Labs in this Course===
** Then run your script with all the working iptables commands that you already finished.
+
 
** Go back to writing the rule that didn't work.
+
We will use an example of setting up a firewall to secure a web server. You will be installing, configuring, protecting, and maintaining a web-server of one of your VMs in a later lab.
 +
 
 +
 
 +
'''The diagram displayed below shows how iptables can be used with a web-server:'''
 +
 
 +
 
 +
[[Image:iptables.png]]
 +
 
 +
 
 +
'''There are some important things to be aware of in terms of this diagram:'''
 +
 
 +
:*There are '''<u>two sets</u> of IPtables rules (chains) that apply:''' '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about from the perspective from the client as well as the server.
 +
 
 +
:* '''Outbound traffic from a server (in our case the web-server) is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router (this is a topic which will be discussed later in this course).
 +
 
 +
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:
 +
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.
 +
::# '''Incoming <u>data</u> that's a response to a request''': the web page that the server sent back in the diagram above.
 +
 
 +
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished with the following '''INPUT chain rule''' that should be there by default on your machines:<br>
 +
::::<pre>ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED</pre>
 +
 
 +
:* '''Rules are applied to:''' '''chains''' (e.g. ''input/output''), '''protocols''' (e.g. ''tcp/udp/icmp''), and '''ports''' (e.g. ''22, 80, 443'').
 +
::# For the ''request'', the '''source port (sport) is 40112''' and the '''destination port (dport) is 80'''
 +
::# For the ''response'', the '''source port is 80''' and the '''destination port is 40112'''
 +
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned about controlling the '''incoming traffic on the server''', which in our example, the '''chain is: INPUT''', the '''protocol is: tcp''', and the '''destination is: port 80'''.
 +
 
 +
:* Basically all other services that you learn to install, configure, and maintain will required the same knowledge just discussed.
 +
 
 +
 
 +
===Critical iptables Elements===
 +
 
 +
This may seem like another task to perform, but it is an essential task! You need to "become one" with basic iptables and focus on these important elements on this section, since you will be troubleshooting MANY connection issues with MANY VMs for labs and assignments! You need to become comfortable when using iptables to not only set policy, but troubleshoot and fix mistakes when you set your firewall policies!
 +
 
 +
''... the more you practice and get comfortable with iptables, the quicker you will be able to isolate and fix connection issues...''
 +
 
 +
'''We don't expect you to become firewall experts, but there are some basics you need to become familiar for this and future labs:'''
 +
* What is a '''chain'''?
 +
* '''Which chain''' applies to which traffic?
 +
* What's the '''default action''' for a chain and when that applies?
 +
* What '''order the rules are executed in'''?
 +
* '''Reading and/or creating a rule''' for a specific service. That includes a basic understanding of:
 +
** '''Ports'''
 +
** '''Protocols'''
 +
** The best way to learn that is to <u>'''practice'''</u>.
 +
 
 +
 
 +
'''Record steps, commands, and your observations from this section in your OPS335 lab log-book'''
 +
 
 +
 
 +
==INVESTIGATION 1: PREPARATION &amp; GETTING TO KNOW IPTABLES COMMANDS==
 +
 
 +
=== Confirming Existing Network Connections ===
 +
 
 +
Before proceeding with iptables, we should first verify that your host machine and vms can connect with one another. We can also take the opportunity to record some observations which could be used for future labs.<br><br>
 +
'''Perform the Following Steps:'''
 +
 
 +
# Find the ''MAC address'' of the virtual network device on the host and the ''IP address'' assigned to it. Record this information in your lab log book.
 +
# Launch all three of your VMs.
 +
# For each VM:
 +
#* Login as root.
 +
#* Find the MAC address of the virtual NIC and the IP address assigned to it. Record this information on your lab log book.
 +
# Change to your host machine, open a terminal window, and perform the following connectivity tests for each vm:<br><br>
 +
<source lang="bash">
 +
ping -c 1 [ip-of-vm]
 +
ssh [ip-of-vm]
 +
</source>
 +
 
 +
===Default vs Updated Firewall Rules for VMs===
 +
 
 +
You should have learned in OPS235 how to view existing iptables rules with the command: iptables -L.Although you may assume that this listing of rules should be empty, they may not be!<br>There might be default rules that already exist, or that exist when the firewall is reset to default (i.e. iptables -F).
 +
 
 +
In fact, several rules were '''automatically added''' to your chains because you are using a '''virtual network'''. As an exercise, we will determine which of those rules when running a virtual network were added.
 +
 
 +
'''Perform the Following Steps:'''
 +
# Run '''iptables -L''' but redirect the output to a text file called '''before.txt''' (you will be using this file later).
 +
# Shutdown all of your VMs.
 +
# Stop the '''libvirtd''' service
 +
# Restart the '''iptables''' service
 +
# Re-issue '''iptables -L''' commands making certain to redirect output to a second file ('''after.txt'''). This should provide a listing of the new state of your firewall settings.
 +
# You now should have two text files representing the <u>before</u> and <u>after</u> states of your firewall. Compare differences between these two files using the diff command (You should have used this tool in '''ULI101''').
 +
#Run '''diff -u before.txt after.txt''' and figure out how to read the output.<br><br>'''TIP:''' You can also install a graphical tool that makes it much easier to see differences: '''kompare before.txt after.txt'''<br><br>
 +
# You can use these tools to compare any two text files, they often come in handy. Note in your lab logbook the iptables rules that were added automatically by the '''libvirtd''' service.
 +
 
 +
=== Simple Rule Changes ===
 +
 
 +
We will run some iptables commands to practice and get a basic understanding of how to set rules.
 +
 
 +
# First, issue an iptables command to set the policy to disable all '''inbound''' traffic. Issue the iptables command to list rules for verification. The remaining tasks will relate to that same '''inbound''' traffic chain.
 +
# Issue an iptables command to delete the default ssh rule, and issue another iptables command to verify.
 +
# Issue an iptables command to insert the SSH rule in the beginning instead of appending to the bottom. Issue a command to verify, then delete that rule (by number), and verify that it was deleted.
 +
# Issue an iptables command to append the SSH rule to the end of that chain, verify, delete that same rule, and verify.
 +
# Issue an iptables command to delete the related,established rule. Test your network connectivity between your hosts and vms. What happened?
 +
# Issue an iptables command to restore your firewall to its default settings.
 +
 
 +
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
 +
 
 +
 
 +
==INVESTIGATION 2: CREATING CUSTOMIZED CHAINS &amp; USING SHELL SCRIPTS==
 +
 
 +
In this investigation, we will use shell scripting to help automate our firewalls, and create our own customized chains for packet filtering.
 +
 
 +
===Best Practices===
 +
 
 +
#'''Always start with the default iptables settings''':
 +
:*When you install Iptables in CentOS it already has some rules predefined.
 +
:*You will always get the default rules if you restart the iptables service.
 +
 
 +
 
 +
<ol><li value="2">'''Place your iptables commands (i.e. Rules) within a bash script''' (.bash) so you don't lose it and can rerun it easily.<br><br></li><li>'''If you are disconnected from a VM:''' Some of the traffic between your host and VirtManager goes through IPtables.<br> When you mess with IPtables rules on the host - you may end up losing the console connection to the virtual machines. '''Don't worry, they're still running and you can still use them'''.</li></ol>
 +
 
 +
 
 +
<ol><li value="4">'''If your command didn't work:'''<ul><li>'''Reload the default rules'''. You can do that by restarting the iptables service (you can also do that at the beginning of your shell script).</li><li>Then '''run your script with all the working iptables commands''' that you already finished.</li><li>'''Return to work on creating the rule that didn't work'''.</li></ul></li></ol>
 +
 
 +
 
 +
===Creating Customized Chains===
 +
 
 +
You have the ability to create your own customized chains - you can actually name them!
  
Some documentation to get started with (you'll need to find more):
 
* [https://en.wikipedia.org/wiki/Iptables#Overview Overview] section on Wikipedia is a good (short) overview of the system. You don't need to understand that diagram though.
 
* [https://wiki.centos.org/HowTos/Network/IPTables CentOS Wiki] has some basic commands, you won't need to use all of them for the work below.
 
  
=== Your tasks ===
+
'''Perform the following steps:'''
  
'''On your Host build a custom firewall by performing the following steps:'''
+
# Remove the rules in your INPUT chain that are allowing all icmp and ssh traffic.
#Remove the rules in your input chain that are allowing all icmp and ssh traffic.
+
# Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
#Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
+
# Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
#Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
+
# Create a new chain named MYSSH in the filter table.
#Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
+
# Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
#Create a new chain named MYSSH in the filter table.
+
#* Use --jump not --goto for that.
#Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
+
# Add a rule to your MYSSH chain to accpept all traffic on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
#Add a rule to your MYSSH chain to accpept all traffic on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
+
# Add rules to the end of the MYSSH chain to drop all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
#Add rules to the end of the MYSSH chain to drops all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
+
# Make a new chain named MYICMP.
#Make a new chain named MYICMP in the filter table.
+
# Add a rule to the beginning of the INPUT chain to send ICMP ping packets to your MYICMP chain.
#Add a rule to the beginning of the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
+
# Find a partner and get the ipaddress and MAC address of their external facing interface. If you don't have a partner - use a virtual machine.
#find a partner and get the ipaddress and MAC address of their external facing interface.
+
# Add a rule to your MYICMP chain that allows ICMP packets coming in on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
#Add a rule to your MYICMP chain that allows ICMP packets coming in on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
+
# Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of your partner's machine.
#Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of your partner's machine.
+
# Add a rule to your MYICMP chain that denies ICMP pings originating with IP address of your partner's machine.
#Add a rule to your MYICMP chain that denies ICMP pings originating with ip address of your partner's machine.
 
  
*Save your rules and list them.
+
Once you're happy with how your firewall works - make a backup of the original default rules:
*start the libvirtd service.
+
<source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
**Note how this adds a number of rules to your tables.  In the future, if you save your iptables rules with these rules in your tables, you will notice them start to duplicate.
+
And then overwrite the defaults with the current state of the firewall:
 +
<source lang='bash'>/usr/libexec/iptables/iptables.init save</source>
  
==Building a Firewall With Firewalld on VMs==
+
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
On your VMs we will build a firewall using the newer standard firewalld.
 
*Start VM1, become root, and make the following changes:
 
*Move your active interface into the zone 'work'.
 
*Remove all services except ssh from the work zone (effectively blocking all incoming traffic except ssh).
 
*Use the firewall-cmd rich rules to make the following changes:
 
**Block all ssh attempts from your host's ip address, adding a log entry with the message 'DENIED BY MYSSH' every time it attempts to connect.
 
**Block all pings expect for those that come from your internal network.
 
*Make sure your changes are permanent.
 
*Repeat these changes on your other VMs.
 
  
==Testing your custom firewall==
 
*On your host use nmap to scan your firewall on your VMs and observe the output.
 
**If you don't have nmap on your host then install it.  Install it on your VMs as well.
 
*Use ping and ssh between your host and VMs to verify your firewall is working properly. Be sure to check the log file on the host for your unsuccessful ssh attempts.
 
*Save your firewall rules.
 
*Turn the firewall on your VM off, then try scanning again.  Note how the output is different.
 
**Make sure you turn the firewall back on when you are done.
 
*Double check that the all VMs can still ping and SSH each other.
 
  
== Completing the Lab ==
+
= Completing the Lab =
Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic.  Reboot your machines and ensure that this protection remains in place after they are shut down.  You will be building on these rules for the rest of the course.
 
  
You should now have a basic understanding of the commands necessary to modify firewalls using iptables and firewalld. Scan each of your machines with nmap.  Observe how the results differ depending on which machine you scanned from.
+
Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic. You should now have a basic understanding of the commands necessary to modify firewalls using iptables. You will be building on these rules for the rest of the course.
  
 
Record the URLs of the websites you've used to figure out how to do the work.
 
Record the URLs of the websites you've used to figure out how to do the work.
Line 104: Line 183:
 
#Which optional module could be used to work with packets based on whether they are new connections or not?
 
#Which optional module could be used to work with packets based on whether they are new connections or not?
  
{{Admon/important|Time for a new backup!|Once have successfully completed this lab, make a new backup of your virtual machines.}}
+
{{Admon/tip|Time for a new backup!|Once have successfully completed this lab, make a new backup of your virtual machines.}}

Revision as of 15:51, 22 January 2016

PACKET FILTERING USING IPTABLES

OVERVIEW & PREPARATION

In this lab, you will learn how to use iptables to build a simple Linux firewall on your servers.

iptables is a very complex topic. Fortunately, you are not required to become an "iptables expert", but by the end of the course, you should be able to use iptables to properly secure your servers.

You were exposed to iptables in your OPS235 course. You should refer to those notes or find and use documentation to learn how to complete these tasks. You can also ask your professor or lab assistant during the lab for help when using iptables. Some basic iptables commands are provided in this lab for reference, but it is also essential that you know how to obtain help (man pages and online) in order to become self-reliant.


Important.png
firewalld
In this lab we will be using iptables, not firewalld. Although both can be used at the same time, that would be too advantaged that this point of learning Linux network administration.
In the first labs, Prep for labs, you should have disabled and stopped the firewalld service: Prep for Labs.

You can also check the status of the firewalld service by issuing the systemctl command. You can also check if the firewalld service is running by issuing iptables -L and noting a high volume of unexpected output (i.e. "a strange result").


iptables Resources

Some documentation to get started with (you'll need to find more):

  • Week 3 Notes Recommended to review and understand prior to performing this lab.
  • Overview A excellent concise overview of iptables (ignore diagram).
  • CentOS Wiki Listing of basic commands (not all required to know).


How Firewalls (iptables) Relate to the Labs in this Course

We will use an example of setting up a firewall to secure a web server. You will be installing, configuring, protecting, and maintaining a web-server of one of your VMs in a later lab.


The diagram displayed below shows how iptables can be used with a web-server:


Iptables.png


There are some important things to be aware of in terms of this diagram:

  • There are two sets of IPtables rules (chains) that apply: OUTPUT/INPUT on the client and INPUT/OUTPUT on the server.
    It is important to think about from the perspective from the client as well as the server.
  • Outbound traffic from a server (in our case the web-server) is rarely blocked unless there is a security policy to prevent some kind of traffic.
    Even in that case, that security policy is usually performed on a router (this is a topic which will be discussed later in this course).
  • Inbound traffic is of two distinct types. Our diagram shows:
  1. New incoming connections (what you normally think of as inbound traffic): the web server receives a new incoming connection.
  2. Incoming data that's a response to a request: the web page that the server sent back in the diagram above.
We normally don't want to do anything special for the response. It is safe to assume that a connection that was allowed to be established should be allowed to receive a response. This is accomplished with the following INPUT chain rule that should be there by default on your machines:
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
  • Rules are applied to: chains (e.g. input/output), protocols (e.g. tcp/udp/icmp), and ports (e.g. 22, 80, 443).
  1. For the request, the source port (sport) is 40112 and the destination port (dport) is 80
  2. For the response, the source port is 80 and the destination port is 40112
  3. Since the RELATED,ESTABLISHED rule already exists, we are only concerned about controlling the incoming traffic on the server, which in our example, the chain is: INPUT, the protocol is: tcp, and the destination is: port 80.
  • Basically all other services that you learn to install, configure, and maintain will required the same knowledge just discussed.


Critical iptables Elements

This may seem like another task to perform, but it is an essential task! You need to "become one" with basic iptables and focus on these important elements on this section, since you will be troubleshooting MANY connection issues with MANY VMs for labs and assignments! You need to become comfortable when using iptables to not only set policy, but troubleshoot and fix mistakes when you set your firewall policies!

... the more you practice and get comfortable with iptables, the quicker you will be able to isolate and fix connection issues...

We don't expect you to become firewall experts, but there are some basics you need to become familiar for this and future labs:

  • What is a chain?
  • Which chain applies to which traffic?
  • What's the default action for a chain and when that applies?
  • What order the rules are executed in?
  • Reading and/or creating a rule for a specific service. That includes a basic understanding of:
    • Ports
    • Protocols
    • The best way to learn that is to practice.


Record steps, commands, and your observations from this section in your OPS335 lab log-book


INVESTIGATION 1: PREPARATION & GETTING TO KNOW IPTABLES COMMANDS

Confirming Existing Network Connections

Before proceeding with iptables, we should first verify that your host machine and vms can connect with one another. We can also take the opportunity to record some observations which could be used for future labs.

Perform the Following Steps:

  1. Find the MAC address of the virtual network device on the host and the IP address assigned to it. Record this information in your lab log book.
  2. Launch all three of your VMs.
  3. For each VM:
    • Login as root.
    • Find the MAC address of the virtual NIC and the IP address assigned to it. Record this information on your lab log book.
  4. Change to your host machine, open a terminal window, and perform the following connectivity tests for each vm:

ping -c 1 [ip-of-vm]
ssh [ip-of-vm]

Default vs Updated Firewall Rules for VMs

You should have learned in OPS235 how to view existing iptables rules with the command: iptables -L.Although you may assume that this listing of rules should be empty, they may not be!
There might be default rules that already exist, or that exist when the firewall is reset to default (i.e. iptables -F).

In fact, several rules were automatically added to your chains because you are using a virtual network. As an exercise, we will determine which of those rules when running a virtual network were added.

Perform the Following Steps:

  1. Run iptables -L but redirect the output to a text file called before.txt (you will be using this file later).
  2. Shutdown all of your VMs.
  3. Stop the libvirtd service
  4. Restart the iptables service
  5. Re-issue iptables -L commands making certain to redirect output to a second file (after.txt). This should provide a listing of the new state of your firewall settings.
  6. You now should have two text files representing the before and after states of your firewall. Compare differences between these two files using the diff command (You should have used this tool in ULI101).
  7. Run diff -u before.txt after.txt and figure out how to read the output.

    TIP: You can also install a graphical tool that makes it much easier to see differences: kompare before.txt after.txt

  8. You can use these tools to compare any two text files, they often come in handy. Note in your lab logbook the iptables rules that were added automatically by the libvirtd service.

Simple Rule Changes

We will run some iptables commands to practice and get a basic understanding of how to set rules.

  1. First, issue an iptables command to set the policy to disable all inbound traffic. Issue the iptables command to list rules for verification. The remaining tasks will relate to that same inbound traffic chain.
  2. Issue an iptables command to delete the default ssh rule, and issue another iptables command to verify.
  3. Issue an iptables command to insert the SSH rule in the beginning instead of appending to the bottom. Issue a command to verify, then delete that rule (by number), and verify that it was deleted.
  4. Issue an iptables command to append the SSH rule to the end of that chain, verify, delete that same rule, and verify.
  5. Issue an iptables command to delete the related,established rule. Test your network connectivity between your hosts and vms. What happened?
  6. Issue an iptables command to restore your firewall to its default settings.

Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book


INVESTIGATION 2: CREATING CUSTOMIZED CHAINS & USING SHELL SCRIPTS

In this investigation, we will use shell scripting to help automate our firewalls, and create our own customized chains for packet filtering.

Best Practices

  1. Always start with the default iptables settings:
  • When you install Iptables in CentOS it already has some rules predefined.
  • You will always get the default rules if you restart the iptables service.


  1. Place your iptables commands (i.e. Rules) within a bash script (.bash) so you don't lose it and can rerun it easily.

  2. If you are disconnected from a VM: Some of the traffic between your host and VirtManager goes through IPtables.
    When you mess with IPtables rules on the host - you may end up losing the console connection to the virtual machines. Don't worry, they're still running and you can still use them.


  1. If your command didn't work:
    • Reload the default rules. You can do that by restarting the iptables service (you can also do that at the beginning of your shell script).
    • Then run your script with all the working iptables commands that you already finished.
    • Return to work on creating the rule that didn't work.


Creating Customized Chains

You have the ability to create your own customized chains - you can actually name them!


Perform the following steps:

  1. Remove the rules in your INPUT chain that are allowing all icmp and ssh traffic.
  2. Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
  3. Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
  4. Create a new chain named MYSSH in the filter table.
  5. Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
    • Use --jump not --goto for that.
  6. Add a rule to your MYSSH chain to accpept all traffic on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
  7. Add rules to the end of the MYSSH chain to drop all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
  8. Make a new chain named MYICMP.
  9. Add a rule to the beginning of the INPUT chain to send ICMP ping packets to your MYICMP chain.
  10. Find a partner and get the ipaddress and MAC address of their external facing interface. If you don't have a partner - use a virtual machine.
  11. Add a rule to your MYICMP chain that allows ICMP packets coming in on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
  12. Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of your partner's machine.
  13. Add a rule to your MYICMP chain that denies ICMP pings originating with IP address of your partner's machine.

Once you're happy with how your firewall works - make a backup of the original default rules: 

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original

And then overwrite the defaults with the current state of the firewall: 

/usr/libexec/iptables/iptables.init save

Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book


Completing the Lab

Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic. You should now have a basic understanding of the commands necessary to modify firewalls using iptables. You will be building on these rules for the rest of the course.

Record the URLs of the websites you've used to figure out how to do the work.

Exploration questions

  1. View your firewall rules using the output of the 'iptables -L -n -v' command. Also save the output to a text file.
  2. How could you display the log records generated by your invalid ssh attempts without including any unrelated entries.
  3. What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from your host to your VM1?
  4. Which rule in the MYICMP chain is actually responsible for denying icmp packets from your partner? Why?
  5. Which optional module could be used to work with packets based on whether they are new connections or not?
Idea.png
Time for a new backup!
Once have successfully completed this lab, make a new backup of your virtual machines.
Retrieved from "https://wiki.cdot.senecapolytechnic.ca/w/index.php?title=OPS335_Firewall_Lab&oldid=114728"