SRT210 Lab 3
Objectives
- Understand how port forwarding works and how it relates to security.
- Set up port forwarding using iptables.
- Understand fundamental concepts that make up SELinux.
- Troubleshoot problems caused by SELinux.
PART 1: FIX IPTABLES MISTAKES
Most of you will have experimented with iptables last week and have made mistakes, which should be fixed before you start this week's lab. Here are some tips:
- You should start with the default iptables setup which you got when you installed iptables-services. If you've lost that - you can get it back by putting the default values into /etc/sysconfig/iptables:
# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
- Then re-add the rules you created last week, and make them persistent by running
service iptables save
PART 2: NAT
This website has a decent overview of port forwarding.
- We'll set up your lin1 machine to be a web server accessible from the internet (in our case specifically that means accessible from the Seneca network).
- Create a text file on lin1 named index.html in the /var/www/html directory with the following contents (replace Andrew with your name):
Hello, this is Andrew's web server on lin1.
- Feel free to add as much HTML in there as you like.
- Confirm that:
- Apache on lin1 is running, and accessible from lin1.
- It's accessible from c7host
- Notice that if you try to access 192.168.210.11 from outside your VMware environment - there will not be a route to get to it.
- Try to go to the Seneca IP address of your c7host using a web browser on your VMware host (Windows for lab machines). That should also not work but at least you should have a route to it.
- Note that if you're using a laptop on wireless - you probably have your c7host network adapter set to NAT instead of bridged mode. If that's the case - you might need to modify some steps from this lab.
- Now we'll configure port forwarding so that any requests to TCP port 80 arriving at c7host will be forwarded to lin1:
iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 192.168.210.11:80
iptables -I FORWARD -p tcp -d 192.168.210.11 --dport 80 -j ACCEPT
- Don't just run those commands blindly - understand what they do.
- Try accessing your c7host from a web browser again. You should see the web page from your lin1 web server.
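One way to check that you understood the two commands above, added here as an example and not part of the lab: a small Python audit of the ruleset in the format that `service iptables save` writes to /etc/sysconfig/iptables. It confirms that the FORWARD ACCEPT for the DNAT target sits before the default catch-all REJECT (which is why the lab uses -I rather than -A for the FORWARD rule). The two rulesets at the bottom are constructed, and the DNAT target is assumed to carry an explicit ':port' as in the lab.

```python
# Added example, not part of the lab: audit a saved ruleset (the format written by
# 'service iptables save') for the PART 2 pitfall that a DNAT in nat/PREROUTING only
# delivers packets if filter/FORWARD ACCEPTs them before the catch-all REJECT.
import re

def parse_rules(text):
    """Return {table: {chain: [rule lines in order]}} from iptables-save text."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):                 # '*filter' / '*nat' table header
            table = line[1:]
            tables[table] = {}
        elif line.startswith('-A '):             # rule; policy/COMMIT/# lines skipped
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables

def _opt(rule, flag):                            # value after '-j', '-d', '--dport'...
    m = re.search(r'(?:^|\s)' + re.escape(flag) + r'\s+(\S+)', rule)
    return m.group(1) if m else None

def check_forwarding(text):
    """Map each DNAT target 'ip:port' to 'ok', 'shadowed' or 'missing'."""
    tables = parse_rules(text)
    forward = tables.get('filter', {}).get('FORWARD', [])
    results = {}
    for rule in tables.get('nat', {}).get('PREROUTING', []):
        if _opt(rule, '-j') != 'DNAT':
            continue
        ip, _, port = (_opt(rule, '--to-destination') or '').partition(':')  # assumes ':port'
        verdict = 'missing'
        for fwd in forward:                      # walk FORWARD in match order
            target = _opt(fwd, '-j')
            if target in ('REJECT', 'DROP') and not any(_opt(fwd, f) for f in ('-d', '-p', '--dport')):
                verdict = 'shadowed'             # catch-all reached first: never forwarded
                break
            if (target == 'ACCEPT' and _opt(fwd, '-d') in (ip, ip + '/32')
                    and _opt(fwd, '--dport') == port):
                verdict = 'ok'
                break
        results[f'{ip}:{port}'] = verdict
    return results

# Constructed saved rulesets: the lab's DNAT plus the FORWARD ACCEPT inserted with
# -I (before REJECT, GOOD) versus mistakenly appended with -A (after REJECT, BAD).
NAT = "*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.210.11:80\nCOMMIT\n"
ACCEPT = "-A FORWARD -d 192.168.210.11/32 -p tcp -m tcp --dport 80 -j ACCEPT\n"
REJECT = "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n"
GOOD = NAT + "*filter\n:FORWARD ACCEPT [0:0]\n" + ACCEPT + REJECT + "COMMIT\n"
BAD = NAT + "*filter\n:FORWARD ACCEPT [0:0]\n" + REJECT + ACCEPT + "COMMIT\n"
```

Run `check_forwarding(open('/etc/sysconfig/iptables').read())` on c7host after `service iptables save` to audit the live ruleset; a 'shadowed' result means the web request reaches c7host but is rejected before it is forwarded to lin1.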
PART 3: YOUR TASKS
Use what you learned so far and what you can learn online in order to set up the following:
- lin1 will allow access to Apache from any source.
- c7host will allow access to SSH from hosts on the 192.168.210.* subnet and deny it from any other source.
Lab completion
- Make sure you understand what you've done in this lab, so that you're ready to answer questions about it.
- Have notes in your labbook from this lab.
- Show your work to the professor and have them sign your labbook.