Open main menu

CDOT Wiki β

Changes

OPS235 Lab 7

No change in size, 14:48, 28 July 2020
Part 2: Setting a Default Policy / Setting Policy Exceptions (iptables)
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the '''iptables -L''' command. Can you see the policy to DROP all incoming connections?
# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and perform a Net-search.<br><br>In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). Those iptables commands to create exceptions are more complex since you need to determine: <ul><li>'''Where each rules appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>sport dport 80''' (originating port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br>
# Issue the following Linux commands to ensure the loopback interface is not affected by these rules. The computer should be able to communicate with itself with any state and protocol:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -i lo -p all -j ACCEPT</span></code><br><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span></code></b>
# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80):<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p tcp --dport 80 -j ACCEPT</span></code></b>
572
edits