OPS335 Firewall Lab

From CDOT Wiki
Revision as of 14:27, 19 December 2012 by Peter.callaghan (talk | contribs) (Clarified ICMP rules)

IPTABLES - The Linux firewall

In this lab you will learn how to use iptables to build and test a simple Linux firewall on your first Virtual Machine.

Instructions

Verifying network connectivity between your Fedora host and your VM

  • Boot up your Fedora Host.
  • Log in to your Fedora host with your LearnID.
  • Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information in your lab log book.
  • Start your 1st VM.

On your VM

  • Log in to your VM with your LearnID and use "su -" to become root.
  • Find out the MAC address of the NIC (eth0) and the IP address assigned to it. Record this information in your lab log book.
  • Disable your current firewall by flushing all rules in all chains of all tables and setting the default policy of the INPUT, FORWARD, and OUTPUT chains to ACCEPT. The VM is completely open until you build the new firewall below.

On your Fedora Host

  • Open a terminal window and perform the following connectivity tests:
    • ping -c 2 [ip-of-vm1]
    • ssh [LearnID]@[ip-of-vm1]

On both systems (Fedora Host and VM1)

  • Run the command "ip neighbour show", extract the relevant information from the output and record it in your lab log book. Indicate clearly the system on which the information was obtained.
  • For a brief summary of the output format, see the online documentation.

Building a Simple Firewall on VM1

On your VM1 build a custom firewall by performing the following steps:

  1. Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
  2. Add a rule to the INPUT chain of the filter table to allow all UDP traffic whose source port is 53 (i.e. DNS replies). Note that the source port is chosen by the sender, so this rule trusts anything that claims to come from port 53; the stateful rule in the next step would admit the replies to your own DNS queries on its own.
  3. Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
  4. Create a new chain named MYSSH in the filter table.
  5. Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
  6. Add rules to your MYSSH chain to deny all traffic from 192.168.X.1 (i.e. your Fedora host) and to log the denied packets with log level 'info' and log prefix "DENIED BY MYSSH". LOG is a non-terminating target, so this takes two rules with the same match: a LOG rule first, then a DROP (or REJECT) rule. A DROP rule alone logs nothing, and a LOG rule alone denies nothing.
  7. Add a rule to the end of the INPUT chain of the filter table that allows all new tcp ssh connections.
  8. Make a new chain named MYICMP in the filter table.
  9. Add a rule to the INPUT chain of the filter table to send ICMP echo-request packets (pings) to your MYICMP chain.
  10. Add a rule to your MYICMP chain that denies ICMP pings from 192.168.X.1 (your Fedora host).
  11. Add a rule to your MYICMP chain that denies ICMP pings whose source MAC address is that of the Fedora host's virbr0 (the mac match module, '-m mac --mac-source').
  12. Add a rule to the end of your INPUT chain that allows ICMP pings from anywhere.
  13. Change the default policy on the INPUT chain in the filter table to DROP.
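The thirteen steps above, worked through as one atomic ruleset. This is an added example and not the course's own solution: it writes the filter table in iptables-restore(8) format, so the DROP policy and the rules are loaded together rather than one iptables command at a time. HOST_IP and HOST_MAC are placeholders for your Fedora host's virbr0 address and MAC, and '-m conntrack --ctstate' is used in place of the older '-m state --state' syntax; both are assumptions, not something the lab prescribes.

```bash
#!/bin/bash
# Added illustration of the OPS335 firewall steps; not the course's solution.
# Arguments: the Fedora host's virbr0 IP address and MAC address (placeholders).
# The rules are emitted in iptables-restore(8) format so the whole table,
# including the INPUT DROP policy, is loaded atomically.
set -eu

valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac()  { printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# build_ruleset HOST_IP HOST_MAC -> prints the filter table to stdout
build_ruleset() {
  local host_ip="$1" host_mac="$2"
  valid_ipv4 "$host_ip"  || { echo "bad IPv4 address: $host_ip" >&2; return 1; }
  valid_mac  "$host_mac" || { echo "bad MAC address: $host_mac" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MYSSH - [0:0]
:MYICMP - [0:0]
# step 1: loopback in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# step 2: UDP with source port 53 (DNS replies); step 3 already admits these
-A INPUT -p udp --sport 53 -j ACCEPT
# step 3: replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# step 5: ssh goes through MYSSH first
-A INPUT -p tcp --dport 22 -j MYSSH
# step 6: LOG does not terminate, so log first, then DROP the same packets
-A MYSSH -s ${host_ip} -j LOG --log-level info --log-prefix "DENIED BY MYSSH "
-A MYSSH -s ${host_ip} -j DROP
# step 7: new ssh from anyone MYSSH did not drop
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# step 9: echo-request goes through MYICMP first
-A INPUT -p icmp --icmp-type echo-request -j MYICMP
# step 10: deny pings by the host's IP address
-A MYICMP -s ${host_ip} -j DROP
# step 11: deny pings by the host's MAC address (the first matching rule fires)
-A MYICMP -m mac --mac-source ${host_mac} -j DROP
# step 12: pings from anyone MYICMP did not drop
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# apply_ruleset HOST_IP HOST_MAC -> loads the table into the kernel (needs root)
apply_ruleset() { build_ruleset "$1" "$2" | iptables-restore; }

# save_ruleset -> persists the running rules where Fedora's iptables service reads them
save_ruleset() { iptables-save > /etc/sysconfig/iptables; }

# usage: ./firewall.sh --apply HOST_IP HOST_MAC
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset "$2" "$3"
  save_ruleset
fi
```

Order matters twice here: the jumps to MYSSH and MYICMP sit before the "allow from anywhere" rules, so a packet from the Fedora host is dropped inside the custom chain and never reaches them, while packets from any other source fall off the end of the custom chain, return to INPUT and are accepted. Lock in the rule order before switching the policy to DROP, or, as here, load policy and rules in one iptables-restore so there is no window in between.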

Testing your custom firewall

  1. On your Fedora host, use nmap to scan your firewall on your VM. If you don't have nmap on your Fedora host then install it. Save the output of the nmap scan to a text file.
  2. Use ping and ssh from your Fedora host (192.168.X.1) to verify that your firewall is working properly. Be sure to check the kernel log for your unsuccessful ssh attempts (/var/log/messages on a Fedora system running rsyslog, or 'journalctl -k') and look for the "DENIED BY MYSSH" prefix.
  3. Save your firewall rules (for example with 'iptables-save > /etc/sysconfig/iptables') so they survive a reboot.
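Pulling the denied-ssh records out of the log, as an added example that is not part of the lab page (it also covers question 3 below, which asks for the log records without unrelated entries). The sample lines are constructed here in the format the kernel LOG target writes; the IP and MAC addresses in them are made up.

```bash
#!/bin/bash
# Added illustration: summarise the packets logged by the MYSSH chain.
# The log excerpt is constructed (three SYNs from the Fedora host dropped by
# MYSSH, one unrelated sshd line, one LOG line with a different prefix).
set -eu

# write_sample_log FILE -> writes the constructed excerpt to FILE
write_sample_log() {
  cat > "$1" <<'EOF'
Dec 19 14:27:01 vm1 kernel: [ 1234.567890] DENIED BY MYSSH IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:fe:54:00:12:34:56:08:00 SRC=192.168.5.1 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40215 DF PROTO=TCP SPT=51422 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 19 14:27:02 vm1 kernel: [ 1235.571202] DENIED BY MYSSH IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:fe:54:00:12:34:56:08:00 SRC=192.168.5.1 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40216 DF PROTO=TCP SPT=51422 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 19 14:27:03 vm1 sshd[1402]: Failed password for invalid user test from 192.168.5.20 port 39122 ssh2
Dec 19 14:27:04 vm1 kernel: [ 1237.591001] DENIED BY MYSSH IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:fe:54:00:12:34:56:08:00 SRC=192.168.5.1 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=TCP SPT=51422 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 19 14:27:05 vm1 kernel: [ 1238.000001] OTHER PREFIX IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:99:88:77:08:00 SRC=192.168.5.20 DST=192.168.5.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1300 SEQ=1
EOF
}

# summarize_denied LOGFILE [PREFIX] -> one line per source: "COUNT SRC PROTO DPT"
# Only lines carrying the LOG prefix are considered, so sshd's own messages and
# packets logged by other rules are left out.
summarize_denied() {
  local logfile="$1" prefix="${2:-DENIED BY MYSSH}"
  grep -F -- "$prefix" "$logfile" | awk '{
    src = ""; dpt = ""; proto = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/)        src   = substr($i, 5)
      else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      else if ($i ~ /^PROTO=/) proto = substr($i, 7)
    }
    if (src != "") count[src " " proto " " dpt]++
  } END { for (k in count) print count[k], k }' | sort -k1,1nr
}

# usage: ./denied.sh /var/log/messages
if [ -n "${1:-}" ]; then
  summarize_denied "$1"
fi
```

A single failed ssh attempt from the host produces several entries, because the client retransmits its SYN while the firewall silently drops it; that is why the sample shows three packets for one connection attempt. Use 'journalctl -k | grep "DENIED BY MYSSH"' on a journald-only system in place of the file argument.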

Building a Simple Firewall on your Other VMs

  1. Repeat the steps from 'Building a Simple Firewall on VM1' and 'Testing your custom firewall' on your other VMs.
  2. Double-check that the VMs can still ping and SSH to each other.

Completing the Lab

Answer the following questions

  1. Show your firewall rules using the output of the 'iptables -L -n -v' command. Also save the output to a text file.
  2. Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
  3. Show the log records generated by your invalid ssh attempts. Do not include unrelated entries.
  4. What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from your Fedora host to your VM?
  5. Which rule in the MYICMP chain is actually responsible for denying icmp packets from your Fedora host?