CDOT Wiki β

Changes

OPS335 Firewall Lab

2,478 bytes removed, 21:30, 30 August 2011
no edit summary
This page is a diff between two revisions of the lab. The extraction interleaved the two texts; they are separated below.

OLD REVISION (removed text)

FOCUS: Configure a Linux Gateway for Linux Hosts inside an Intranet

This lab will show you how to set up a simple intranet using one Fedora PC as a gateway. The same Fedora PC will be a host to a Fedora VM (Virtual Machine) which will act as a PC inside an intranet. Here is a diagram of your setup.

REQUIREMENTS: Lab00 should be completed and you should have a copy of the Fedora 13 x86_64 live CD.

PART A - Setting up the VM Host PC with one guest VM
Boot up your Fedora 13 x86_64 system, login as joker and use Firefox to authenticate your web access using your LEARN account and password.
Open a terminal window and su to root.
Ensure your system date and time are correct.
Start your ssh server [ service sshd start ] - you'll need this later in the lab. If you want your ssh server to be started each time you boot up, enter this command [ chkconfig --levels 2345 sshd on ].
Ensure your system is up to date [ yum update ].
Install the virtualization software [ yum groupinstall virtualization ].
Start the libvirt daemon [ service libvirtd start ]. If you want the libvirt daemon to start at every boot up, enter this command [ chkconfig --levels 2345 libvirtd on ].
Restart your firewall [ service iptables restart ].
You are now ready to build a VM guest. You learned how to do this last semester in OPS235. If you need to be refreshed please refer to OPS235 LAB06.
Start the virtual machine manager [ virt-manager ].
Enter the root password.
Click on the icon "Create a new virtual machine".
Name your machine "vm01" then click on the "Forward" button.
Insert your F13 CD and select "Use CDROM".
For "OS type" select "Linux" and for Version select "Fedora 13" then click on the "Forward" button.
Let the RAM default to 512MB and the CPUs to 1. Then click on the "Forward" button.
Leave the disk image size set at 8GB and ensure "Allocate entire disk now" is checked, then click on the "Forward" button.
At the "Ready to begin installation" window click on the "Finish" button.
Once your Fedora Live CD boots up, login and double click the "Install to Hard Disk" icon.
Click the "Next" button to begin your F13 installation.
Select "US English" for your keyboard and click on the "Next" button.
Ensure "Basic Storage Devices" is selected and click on the "Next" button.
Select the "Virtio Block Device" check box and click on the "Next" button.
Click on the "Re-initialize All" button.
Change your hostname to "vm01.localdomain" and click on the "Next" button.
Select "America/Toronto" as your timezone and click on the "Next" button.
Enter the password for root and click on the "Next" button.
Select "Use All Space" and click on the "Next" button.
Click on the "Write Changes to Disk" button.
When the "Congratulations" window is displayed click on the "Close" button.
Now, from the System menu on the host PC, select "Shutdown" and then click on the "Restart" button.
At the "Welcome" screen click on the "Forward" button.
At the "License" window click on the "Forward" button.
Enter a user name of "Joker" and add the password then click the "Forward" button.
Enter the correct date and time and click on the "Forward" button.
In the "Profile" window, click on the "Finish" button and "Do not send profile".
Now login as user "joker" and open a terminal window.
Switch to root and update your VM guest machine [ yum update ]. This could take a long time and you should reboot after it's done.
Ensure your VM guest has internet access [ host cbc.ca ].
Proceed to PART B.

PART B - Testing your Gateway
Login as joker to the Fedora 13 PC.
Try pinging each machine from the other.
Try pinging Matrix from each machine.
Start the ssh server on both machines [ service sshd start ].
Enable the ssh server at startup on both machines [ chkconfig --levels 2345 sshd on ].
Start Firefox on your host machine and authenticate yourself on Senenet.
Try to ssh from the guest to the host machine. This should work.
Try to ssh from the host to the guest machine. This should not work.
Try to ssh to your Matrix account from both the host and guest machines.
Try to ssh from your Matrix account back to your host and guest machines.
Add one iptables rule to the guest firewall that will accept new ssh connections to the guest machine.
Save your new firewall rules [ iptables-save > /etc/sysconfig/iptables ].
Reboot your guest machine.
Try to ssh from the host to the guest machine. This should now work.
Start Firefox on the guest machine and try surfing the web without authenticating yourself on Senenet, i.e. only the host machine is authenticated.

PART C - Answer the following questions and email them to your instructor in ASCII text format.

NEW REVISION (added text)

- OPS335 -
OPEN SERVER ADMINISTRATION
Lab #02

FOCUS: Basic IP Tables

In this lab you will learn how to use iptables to build a simple Linux firewall.

Part A: Building a Simple Firewall
NOTE: It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
Open a terminal window and "su -" to root.
Disable your current firewall rules, i.e. flush all rules in all chains in all tables.
Now build a custom firewall by performing the following steps:
Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
Create a new chain named MYSSH in the filter table.
Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
Make a new chain named MYICMP in the filter table.
Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
Change the default policy on the INPUT chain in the filter table to DROP.
Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
Use iptables-save command to save your firewall rules.
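The Part A steps above collected into one script, as an added example that is not part of the lab page. The function name build_firewall, its first argument (echo to review the commands, iptables to apply them as root) and the placeholder neighbour address and MAC address are assumptions drawn from the lab text, not real values.

```shell
#!/bin/bash
# Added example, not part of the original lab: emits the Part A rule set as
# iptables commands in the order the steps require. "ipt" is the command run
# for each rule: pass "echo" to review the commands first, "iptables" (as root)
# to apply them. NEIGHBOR and BAD_MAC are the lab's placeholders, not real values.
build_firewall() {
    local ipt="$1" neighbor="$2" bad_mac="$3"
    # Start clean: flush and delete every chain in every table.
    for t in filter nat mangle; do
        $ipt -t "$t" -F
        $ipt -t "$t" -X
    done
    # Loopback traffic in both directions.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    # DNS replies (source port 53) and packets of already known connections.
    $ipt -A INPUT -p udp --sport 53 -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MYSSH chain: every tcp/22 packet is inspected here before the generic accept.
    $ipt -N MYSSH
    $ipt -A INPUT -p tcp --dport 22 -j MYSSH
    # Log (level info) and then drop ssh from the neighbour. LOG does not stop
    # rule traversal, so the DROP must follow it; the prefix makes the records
    # easy to find in the kernel log (/var/log/messages on Fedora).
    $ipt -A MYSSH -s "$neighbor" -j LOG --log-level info --log-prefix "MYSSH DENY: "
    $ipt -A MYSSH -s "$neighbor" -j DROP
    # Anyone else may open a new ssh connection. This must come after the jump
    # to MYSSH; the other way round the neighbour would never be filtered.
    $ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # MYICMP chain: deny pings by source IP, then by source MAC, then allow the rest.
    $ipt -N MYICMP
    $ipt -A MYICMP -p icmp --icmp-type echo-request -s "$neighbor" -j DROP
    $ipt -A MYICMP -p icmp --icmp-type echo-request -m mac --mac-source "$bad_mac" -j DROP
    $ipt -A MYICMP -p icmp --icmp-type echo-request -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -j MYICMP
    # Everything not accepted above is dropped. Set the policy last so a typo in
    # an earlier rule cannot lock you out of the session you are testing from.
    $ipt -P INPUT DROP
    # Once ping/ssh tests pass: iptables-save > /etc/sysconfig/iptables
}

# Dry run with the lab placeholders; apply with: build_firewall iptables <ip> <mac>
build_firewall echo "142.204.141.XXX" "11:22:33:44:55:66"
```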
 
Part B: Answer the following questions
What is your full name and Seneca student ID?
Show your firewall rules using the output of the iptables-save command.
Show the results of your nmap scans from Part A. Be sure to also show the exact nmap command you used.
Show the log records generated by your invalid ssh attempts in Part A.
What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?

OLD REVISION, PART C questions (removed text)
What iptables rule did you add in PART B step 10?
Explain how Network Address Translation is accomplished on the host. Refer specifically to the 3 rules in the POSTROUTING chain of the nat table on the host machine.
How is ping and ssh affected (on both machines) if you disable ip forwarding on the host machine [ echo 0 > /proc/sys/net/ipv4/ip_forward ]?
Did you clean up your work area, power off your PC and push your chair under the table when you completed this lab?