OPS335 Firewall Lab
Contents
IPTABLES - The Linux firewall
In this lab you will learn how to use iptables to build and test a simple Linux firewall on your first Virtual Machine.
Instructions
Verifying network connectivity between your Fedora host and your VM
- Boot up your Fedora Host.
- Login in to your Fedora host with your LearnID.
- Find out the MAC address of the virtual network device virbr0 and the IP address assigned to it. Record this information on your lab log book.
- Start your 1st VM.
On your VM
- Login with your LearnID to your VM.
- Open a terminal window and "su -" to root.
- Find out the MAC address of the NIC (eth0) and the IP address assigned to it. Record this information on your lab log book.
- Disable your current firewall by flushing all rules in all chains in all tables and set up default policy for the INPUT, FORWARD, and OUTPUT chains to ACCEPT.
- On the terminal window, run the command "tail -f /var/log/messages" and leave it running until the end of this lab.
On your Fedora Host
- Open a terminal window and perform the following connectivity tests:
- ping -c 2 [ip-of-vm1]
- ssh [LearnID]@[ip-of-vm1]
On both system (Fedora Host and VM1)
- Run the command "arp -a", extract relevant information from the outputs and record them on your lab log book. Indicate clearly the system on which the information was obtained.
Building a Simple Firewall on VM1
On your VM1, open another "root" terminal and build a custom firewall by performing the following steps:
- Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
- Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.
- Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
- Create a new chain named MYSSH in the filter table.
- Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
- Add a rule to your MYSSH chain to deny all traffic from 192.168.122.1 (i.e. your Fedora host). Also log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH".
- Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
- Make a new chain named MYICMP in the filter table.
- Add a rule to your MYICMP chain that denies ICMP pings from 192.168.122.1 (your Fedora host).
- Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of Fedora host's virbr0.
- Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
- Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
- Change the default policy on the INPUT chain in the filter table to DROP.
Testing your custom firewall
- On your Fedora host, use nmap to scan your firewall on your VM. If you don't have nmap on your Fedora host then install it.
- Use ping and ssh from your Fedora host (192.168.122.1) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
- Save your firewall rules.
Completing the Lab
Answer the following questions
- What is your full name and Seneca student ID?
- Show your firewall rules using the output of the 'iptables -L' command.
- Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
- Show the log records generated by your invalid ssh attempts.
- What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 192.168.122.1 to your VM?