CDOT Wiki β

OPS235 Lab 7

263 bytes added, 07:53, 4 November 2016
:'''Perform the following steps:'''
# Make certain you are in your '''c7host''' machine.
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the '''iptables -L''' command. Can you see that the INPUT policy has been set to DROP all incoming connections?
# Although you have set a default policy to DROP all incoming connections, there is a problem: now, you cannot browse the Internet. You can confirm that by opening a SEPARATE web-browser and performing a Net-search.<br><br>In order to fix that problem, you can make an exception to allow incoming web-based traffic (via port 80). Those iptables commands to create exceptions are more complex since you need to determine: <ul><li>'''Where each rule appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<br><table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top"><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before line 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>sport 80''' (originating port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br><br>
# Make certain you are in your '''c7host''' machine.
# Issue the following Linux command to ADD an exception to the INPUT chain to allow web-based incoming traffic (ie. port 80):<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p tcp --dport 80 -j ACCEPT</span></code></b>
# Issue an iptables command to confirm that there is an exception rule to handle incoming tcp packets over port 80.
# Use your other web-browser to confirm that you can now browse the Internet. If you cannot, contact your lab assistant or professor for help.
# Determine the '''external facing address''' of your c7host machine.<br>('''Tip:''' in a web-browser, enter the term: '''"ip address"'''. The external facing IP Address should start with '''"10."''').
# Provide your external facing address to another lab-mate, and have that lab-mate ping that external facing address. Were they successful?
# Have the lab-mate determine THEIR external facing address and obtain that IP Address on THEIR c7host machine.
# Issue the following iptables command to allow an exception for pings from your lab-mate:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -A INPUT -p icmp -s {neighbour's external facing address} -j ACCEPT</span></code></b>
# Have your neighbour repeat pinging your external facing IP Address. What happened? Why?
# Have your neighbour try to SSH into YOUR c7host. Were they Successful?
# Issue an iptables rule (in a similar way as with the previous iptables command) to allow an exception for incoming ssh traffic (eg. port 22) from your neighbour's external facing IP address.
# Have your neighbour try to SSH into YOUR c7host (at least to get a password prompt). Were they Successful? If so, why?
# Issue an iptables command to add a rule at the bottom of the OUTPUT chain to DROP http (port 80 connections). Try to think of the command yourself.
# Open another web-browser. Can you connect to a webpage?
# Issue an iptables rule to '''flush''' the OUTPUT chain. Does your web-browser now work?
# Shutdown all VMs and restart your c7host Linux machine.
# List the iptables rules for the INPUT chain. What happened to your iptables rules for the INPUT chain?
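
The command-structure table above says that an unspecified element matches everything and that rule order can be important. The following is an added example, not part of the original lab: a small Python model of how a chain reaches a verdict (first matching rule wins, otherwise the default policy applies). The addresses and port 51000 are constructed, and the model covers only protocol, source address, ports and the ACCEPT/REJECT/DROP targets (no LOG, interfaces or connection state).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

NEIGHBOUR = "10.0.0.42"       # constructed lab-mate address
WEB_SERVER = "203.0.113.10"   # constructed remote web server (documentation range)

@dataclass
class Rule:
    target: str                  # -j ACCEPT / REJECT / DROP (LOG is not modelled)
    proto: Optional[str] = None  # -p; None means all protocols
    src: Optional[str] = None    # -s; None means any source address
    sport: Optional[int] = None  # --sport; None means any source port
    dport: Optional[int] = None  # --dport; None means any destination port

    def matches(self, pkt: dict) -> bool:
        # A field left unspecified in the rule matches every packet.
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

class Chain:
    def __init__(self, policy: str):
        self.policy, self.rules = policy, []      # iptables -P CHAIN policy

    def append(self, rule: Rule) -> None:         # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> str:
        # The first matching rule decides; the policy applies only if none match.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

def lab_input_chain() -> Chain:
    chain = Chain("DROP")                                      # -P INPUT DROP
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))        # -p tcp --dport 80 -j ACCEPT
    chain.append(Rule("ACCEPT", proto="icmp", src=NEIGHBOUR))  # -p icmp -s ... -j ACCEPT
    return chain

PING = {"proto": "icmp", "src": NEIGHBOUR}
REQUEST_TO_LOCAL_WEB = {"proto": "tcp", "src": NEIGHBOUR, "sport": 51000, "dport": 80}
REPLY_FROM_REMOTE_WEB = {"proto": "tcp", "src": WEB_SERVER, "sport": 80, "dport": 51000}
```

Calling <code>lab_input_chain().verdict(...)</code> on the three sample packets shows which traffic each rule covers: in this model a <code>--dport 80</code> rule matches packets addressed to port 80 on the host, while a packet whose originating port is 80 is matched by <code>--sport 80</code>.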