OPS335 Firewall Lab

10 bytes added, 21:51, 30 August 2011
===Building a Simple Firewall===
#Log in as joker on your Fedora 13 PC. NOTE: It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
#Open a terminal window and "su -" to root.
#Disable your current firewall.
#*i.e. flush all rules in all chains in all tables.
#Now build a custom firewall by performing the following steps:
##Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
##Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53, i.e. the source port is 53.
##Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
##Create a new chain named MYSSH in the filter table.
##Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
##Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
##Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
##Make a new chain named MYICMP in the filter table.
##Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
##Add a rule to your MYICMP chain that denies ICMP pings originating from the MAC address 11:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
##Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
##Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
##Change the default policy on the INPUT chain in the filter table to DROP.
#Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system, install it.
#Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify that your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
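The whole procedure above, written out as one script (this is an added example, not part of the lab page; the neighbour's address 142.204.141.XXX and the MAC 11:22:33:44:55:66 are passed in as arguments, and the function names firewall_rules and apply_firewall are the example's own). The script first prints the iptables commands so they can be reviewed, then applies them only when run as root with --apply. Rule order matters: the loopback, DNS and ESTABLISHED/RELATED accepts go in before anything else so an existing ssh session survives, the jump to MYSSH sits before the generic "new ssh" accept so the neighbour is logged and dropped while everyone else falls out of MYSSH and is accepted, and the INPUT policy is switched to DROP last.

```shell
#!/bin/sh
# Added example: the OPS335 lab firewall as a list of iptables commands.
# Not the wiki page's own code. $1 is the neighbouring PC (142.204.141.XXX),
# $2 is the MAC address to block (11:22:33:44:55:66 in the lab).

# Print the iptables commands, one per line, without running them.
firewall_rules() {
    neighbor=$1
    bad_mac=$2
    # Disable the current firewall: open the filter policies first so flushing
    # cannot lock out the console session, then flush every chain in every
    # table and delete user-defined chains left over from an earlier run.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -t filter -P $chain ACCEPT"
    done
    for table in filter nat mangle raw; do
        echo "iptables -t $table -F"
        echo "iptables -t $table -X"
    done
    # Loopback traffic in both directions.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # DNS answers: UDP with source port 53.
    echo "iptables -A INPUT -p udp --sport 53 -j ACCEPT"
    # Replies to connections this host started (keeps the current ssh session alive).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # MYSSH: all tcp/22 goes through it; the neighbour is logged, then dropped.
    # LOG does not terminate rule processing, so a separate DROP rule is needed.
    echo "iptables -N MYSSH"
    echo "iptables -A INPUT -p tcp --dport 22 -j MYSSH"
    echo "iptables -A MYSSH -s $neighbor -j LOG --log-level info --log-prefix 'MYSSH DENY: '"
    echo "iptables -A MYSSH -s $neighbor -j DROP"
    # Anyone else returns from MYSSH unmatched and is accepted here.
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # MYICMP: drop pings from the neighbour and from the listed MAC, allow the rest.
    echo "iptables -N MYICMP"
    echo "iptables -A MYICMP -p icmp --icmp-type echo-request -s $neighbor -j DROP"
    echo "iptables -A MYICMP -p icmp --icmp-type echo-request -m mac --mac-source $bad_mac -j DROP"
    echo "iptables -A MYICMP -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j MYICMP"
    # Default policy last, once the accept rules are in place.
    echo "iptables -P INPUT DROP"
}

# Feed the generated commands to a shell that stops at the first failure.
apply_firewall() {
    firewall_rules "$1" "$2" | sh -e
}

# Usage: sh firewall.sh --apply 142.204.141.XXX 11:22:33:44:55:66 (as root)
if [ "${1:-}" = "--apply" ]; then
    apply_firewall "${2:?neighbour IP, e.g. 142.204.141.XXX}" "${3:-11:22:33:44:55:66}"
fi
```

Without --apply the script only lists the rules, which is a convenient way to check the order before committing to a DROP policy; afterwards `iptables -L -v -n` shows the counters per rule and the logged MYSSH entries show up in /var/log/messages with the MYSSH DENY prefix.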