CDOT Wiki β

Changes

OPS335 Lab 2 draft

1,568 bytes removed, 12:10, 21 January 2016
Your tasks
** Go back to writing the rule that didn't work.
Removed: '''On your Host build a custom firewall by performing the following steps:'''
Added: '''Perform the following steps:'''
#Remove the rules in your INPUT chain that are allowing all icmp and ssh traffic.
#Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53, i.e. the source port is 53.
#Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
#Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
#Create a new chain named MYSSH in the filter table.
#Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
#Add a rule to your MYSSH chain to accept all traffic on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
#Add rules to the end of the MYSSH chain to drop all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
#Make a new chain named MYICMP in the filter table.
#Add a rule to the beginning of the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
#Find a partner and get the IP address and MAC address of their external facing interface.
#Add a rule to your MYICMP chain that allows ICMP packets coming in on your virbr0 interface from 192.168.X.0/24 (i.e. your internal network).
#Add a rule to your MYICMP chain that denies ICMP pings originating with the MAC address of your partner's machine.
#Add a rule to your MYICMP chain that denies ICMP pings originating with the IP address of your partner's machine.
Removed:
*Save list them
*start the libvirtd service
**Note how this adds a number of rules to your tables. In the future, if you save your iptables rules with these rules in your tables, you will notice them start to duplicate
Added:
# Remove the rules in your INPUT chain that are allowing all icmp and ssh traffic.
# Change the default policy on the INPUT and FORWARD chains in the filter table to DROP.
# Remove the rules from the INPUT and FORWARD chains that are rejecting all traffic (we are now better protected by the default policy).
# Create a new chain named MYSSH in the filter table.
# Add a rule to the beginning of the INPUT chain of your filter table that sends all ssh traffic (tcp packets with destination port 22) to your MYSSH chain.
#* Use --jump not --goto for that.
# Add a rule to your MYSSH chain to accept all traffic on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
# Add rules to the end of the MYSSH chain to drop all remaining ssh connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
# Make a new chain named MYICMP.
# Add a rule to the beginning of the INPUT chain to send ICMP ping packets to your MYICMP chain.
# Find a partner and get the IP address and MAC address of their external facing interface. If you don't have a partner, use a virtual machine.
# Add a rule to your MYICMP chain that allows ICMP packets coming in on your virtual interface from 192.168.X.0/24 (i.e. your internal network).
# Add a rule to your MYICMP chain that denies ICMP pings originating with the MAC address of your partner's machine.
# Add a rule to your MYICMP chain that denies ICMP pings originating with the IP address of your partner's machine.
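The task list above as one script, added here as an example and not part of the lab page. It prints the iptables commands by default (dry run) and only applies them when run as root with IPT=iptables; the internal network, partner MAC and partner IP are placeholders, and the two -D lines assume the CentOS 7 stock ruleset.

```shell
#!/bin/sh
# Added example (not the lab's own code). Dry-run unless IPT=iptables is set.
IPT="${IPT:-echo iptables}"
INTERNAL_NET="${INTERNAL_NET:-192.168.X.0/24}"  # placeholder: replace X
PARTNER_MAC="${PARTNER_MAC:-00:11:22:33:44:55}" # placeholder: partner's external MAC
PARTNER_IP="${PARTNER_IP:-10.0.0.99}"           # placeholder: partner's external IP

build_firewall() {
    # 1. Drop the stock accept-all icmp/ssh rules. -D must match the rule
    #    exactly; these are the CentOS 7 defaults, check `iptables -S INPUT`.
    $IPT -D INPUT -p icmp -j ACCEPT
    $IPT -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    # 2. DNS replies: UDP whose SOURCE port is 53 (--sport, not --dport).
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT
    # 3. Default-deny; the blanket REJECT rules are then redundant.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -D INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    # 4. MYSSH. -I 1 puts the jump at the top of INPUT; -j (not -g) so a
    #    packet that reaches the end of MYSSH returns to INPUT.
    $IPT -N MYSSH
    $IPT -I INPUT 1 -p tcp --dport 22 -j MYSSH
    $IPT -A MYSSH -i virbr0 -s "$INTERNAL_NET" -j ACCEPT
    # LOG is non-terminating, so it must come BEFORE the DROP to fire.
    $IPT -A MYSSH -j LOG --log-level info --log-prefix "DENIED BY MYSSH"
    $IPT -A MYSSH -j DROP
    # 5. MYICMP: same shape for echo-requests, plus the partner blocks.
    #    A MAC match only works for senders on the same link: routers
    #    rewrite the source MAC at every hop, so the IP rule is the backstop.
    $IPT -N MYICMP
    $IPT -I INPUT 1 -p icmp --icmp-type echo-request -j MYICMP
    $IPT -A MYICMP -i virbr0 -s "$INTERNAL_NET" -j ACCEPT
    $IPT -A MYICMP -m mac --mac-source "$PARTNER_MAC" -j DROP
    $IPT -A MYICMP -s "$PARTNER_IP" -j DROP
}

build_firewall
```

Check the result with `iptables -S INPUT`, `iptables -S MYSSH` and `iptables -S MYICMP`; a denied ssh attempt then shows up in the kernel log with the DENIED BY MYSSH prefix.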
Removed:
==Building a Firewall With Firewalld on VMs==
On your VMs we will build a firewall using the newer standard firewalld.
*Start VM1, become root, and make the following changes:
*Move your active interface into the zone work
*Remove all services except ssh from the work zone (effectively blocking all incoming traffic except ssh).
*Use firewall-cmd rich rules to make the following changes:
**Block all ssh attempts from your host's ip address, adding a log entry with the message 'DENIED BY MYSSH' every time it attempts to connect.
**Block all pings except for those that come from your internal network.
*Make sure your changes are permanent.
*Repeat these changes on your other VMs
Added:
Once you're happy with how your firewall works, make a backup of the original default rules:
<source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
And then overwrite the defaults with the current state of the firewall:
<source lang='bash'>/usr/libexec/iptables/iptables.init save</source>
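The firewalld variant of the VM task list, added here as an example rather than the lab's own code. It is a dry run unless FWC=firewall-cmd is set; the interface name, host IP and internal network are placeholders, and the two services removed are the ones the work zone ships with on CentOS 7 besides ssh.

```shell
#!/bin/sh
# Added example (not the lab's own code). Dry-run unless FWC=firewall-cmd is set.
FWC="${FWC:-echo firewall-cmd}"
IFACE="${IFACE:-eth0}"                          # placeholder: the VM's active interface
HOST_IP="${HOST_IP:-192.168.X.1}"               # placeholder: your host's address
INTERNAL_NET="${INTERNAL_NET:-192.168.X.0/24}"  # placeholder: replace X

configure_work_zone() {
    # Move the interface into the work zone, then strip every service but ssh.
    # Compare with `firewall-cmd --zone=work --list-services` on your VM.
    $FWC --zone=work --change-interface="$IFACE"
    $FWC --zone=work --remove-service=dhcpv6-client
    $FWC --zone=work --remove-service=ipp-client
    # Rich rules carry their own log clause, so one rule logs and drops
    # ssh from the host (equivalent of the MYSSH log-then-drop pair).
    $FWC --zone=work --add-rich-rule="rule family=\"ipv4\" source address=\"$HOST_IP\" service name=\"ssh\" log prefix=\"DENIED BY MYSSH\" level=\"info\" drop"
    # firewalld orders rich rules log, accept, drop: the internal-network
    # accept is evaluated before the blanket echo-request drop.
    $FWC --zone=work --add-rich-rule="rule family=\"ipv4\" source address=\"$INTERNAL_NET\" icmp-type name=\"echo-request\" accept"
    $FWC --zone=work --add-rich-rule="rule family=\"ipv4\" icmp-type name=\"echo-request\" drop"
    # Runtime changes vanish on reload; copy them into the permanent config.
    $FWC --runtime-to-permanent
}

configure_work_zone
```

Verify with `firewall-cmd --zone=work --list-all` on the VM, then `firewall-cmd --reload` and list again to confirm the rules were made permanent.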
Removed: ==Testing your custom firewall==
Added: ==Completing the Lab==
*On your host use nmap to scan the firewall on your VMs and observe the output.
**If you don't have nmap on your host then install it. Install it on your VMs as well.
*Use ping and ssh between your host and VMs to verify your firewall is working properly. Be sure to check the log file on the host for your unsuccessful ssh attempts.
*Save your firewall rules.
*Turn the firewall on your VM off, then try scanning again. Note how the output is different.
**Make sure you turn the firewall back on when you are done.
*Double check that all the VMs can still ping and SSH each other.
== Completing the Lab ==
Removed: Upon completion of this lab each of your machines has a firewall protecting them from unexpected traffic. Reboot your machines and ensure that this protection remains in place after they are shut down. You will be building on these rules for the rest of the course.
Added: You should now have a basic understanding of the commands necessary to modify firewalls using iptables and firewalld. Scan each of your machines with nmap. Observe how the results differ depending on which machine you scanned from. You will be building on these rules for the rest of the course.
Record the URLs of the websites you've used to figure out how to do the work.
#Which optional module could be used to work with packets based on whether they are new connections or not?
{{Admon/importantinfo|Time for a new backup!|Once you have successfully completed this lab, make a new backup of your virtual machines.}}