OPS335 Lab 2

776 bytes removed, 06:03, 4 June 2021
Creating Customized Chains
In this lab, you will learn how to use '''iptables''' to build a simple '''Linux firewall''' on your servers.
iptables is a <u>very complex</u> topic. Fortunately, you are not required to become an ''"iptables expert"'', but by the end of the course, you should be able to use iptables to properly secure your servers.
You were exposed to iptables in your OPS235 course. You should refer to [http://zenit.senecac.on.ca/wiki/index.php/Lab_6_Warnings_/_Debrief#Investigation_2:_Networking_Tweaks OPS235] or [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ OPS335] notes or find and use documentation to learn how to complete these tasks. You can also ask your professor or lab assistant during the lab for help when using iptables. Some basic iptables commands are provided in this lab for reference, but it is also essential that you know how to obtain help (man pages and online) in order to become self-reliant.
{{Admon/important |firewalld|In this course, we will be using ''iptables'', '''<u>not</u>''' ''firewalld''. Although firewalld can present information in the familiar iptables format, learning both would be too advanced at this point of learning Linux network administration.<br>In the first labs ([https://wiki.cdot.senecacollege.ca/wiki/index.php/OPS335_Weekly_Schedule Prep for Labs]), you should have disabled and stopped the firewalld service.<br><br>You can check the status of the firewalld service by issuing the [http://zenit.senecac.on.ca/wiki/index.php/Init_vs_systemd#systemd_Command_Usage systemctl] command. You can also tell that firewalld is running by issuing '''iptables -L''' and noting a high volume of unexpected output (i.e. "a strange result": firewalld's own zone chains).
}}
=== Online Resources===
* [http://matrix.senecac.on.ca/~murray.saul/ops335/ops335_w3.pdf Week 3 Notes] Recommended to review and understand prior to performing this lab.
* [https://en.wikipedia.org/wiki/Iptables#Overview Overview] An excellent, concise overview of iptables (ignore the diagram).
* [https://wiki.centos.org/HowTos/Network/IPTables CentOS Wiki] Listing of basic commands (not all required to know).
'''There are some important things to be aware of in terms of this diagram:'''
:* There are '''<u>two sets</u>''' of iptables rules (chains) that apply: '''OUTPUT/INPUT on the client''' and '''INPUT/OUTPUT on the server'''.<br>It is important to think about traffic from the perspective of the client as well as the server.
:* '''Outbound traffic is rarely blocked <u>unless</u> there is a security policy to <u>prevent</u> some kind of traffic'''.<br>Even in that case, that security policy is usually performed on a router.
:* '''Inbound traffic is of two distinct types'''. Our diagram shows:
::# '''New incoming <u>connections</u>''' (what you normally think of as '''<u>inbound traffic</u>'''): the web server receives a '''new incoming connection'''.
::# '''Incoming <u>data</u> that the client receives as a response from the server''': the web page that the server sent back in the diagram above.
::::The analogy would be like making a '''telephone call''':<ul><li>A '''NEW''' packet is like the phone ringing.</li><li>An '''ESTABLISHED''' packet is the connection once the call is answered: the packet says "hello", along with any further communication.</li><li>A '''RELATED''' packet would be the same person calling on a second line (e.g. a second connection that is made because of something that happened in the first, like an FTP data transfer).</li></ul>
::::We normally don't want to do anything special for the response. It is safe to assume that '''a connection that was allowed to be established should be allowed to receive a response'''. This is accomplished by the '''RELATED,ESTABLISHED''' accept rule in the '''INPUT chain''', which should be there by default on your machines.
::# For the ''request'', the '''source port (sport) for the example in the above diagram is 40112''' and the '''destination port (dport) is 80'''
::# For the ''response'', the '''source port (sport) is 80''' and the '''destination port (dport) is 40112'''
::# Since the '''RELATED,ESTABLISHED''' rule already exists, we are only concerned with <u>'''controlling'''</u> the '''incoming traffic on the server'''. In our example, the '''chain is INPUT''', the '''protocol is tcp''', and the '''destination is port 80'''.
:* '''Basically, most other services work in a similar way as discussed above'''.
 
:The best way to learn that is to <u>'''practice'''</u>.
'''Record essential concepts from this section into your OPS335 lab log-book'''
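The rules that the web-server example above actually requires, together with a check for the stateful rule this section relies on, as an added shell example (not part of the original lab notes). The two `iptables -S INPUT` listings it inspects are constructed samples; the regular expression accepts both the legacy `state` match that CentOS 7 uses by default and the newer `conntrack` match:

```bash
#!/bin/sh
# Added example: the web-server flow from the diagram expressed as INPUT
# rules, plus a check for the RELATED,ESTABLISHED accept rule. Only
# check_live touches the running firewall; everything else prints or
# inspects text.

# Minimal INPUT chain for a host that only serves HTTP.
# The client's ephemeral source port (40112 in the diagram) never appears:
# the server's rule matches on dport 80 only, and the response back to the
# client is accepted on the CLIENT side by its own RELATED,ESTABLISHED rule.
webserver_input_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# has_stateful_accept LISTING
# Return 0 if an 'iptables -S INPUT' listing contains an ACCEPT rule for
# RELATED,ESTABLISHED traffic, via either the 'state' or the 'conntrack'
# match. Without such a rule and with policy DROP, every reply to a
# connection the host itself opens is dropped (yum, ssh out, DNS...).
has_stateful_accept() {
    printf '%s\n' "$1" | grep -Eq \
        '^-A INPUT .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
}

# Constructed sample: the CentOS 7 default listing (iptables-services).
SAMPLE_DEFAULT_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed sample: someone flushed the chain and set DROP, losing the
# stateful rule. Inbound ssh still works, but nothing the host initiates
# ever gets an answer back in.
SAMPLE_BROKEN_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# check_live: inspect the running firewall (needs root).
# Exit 0 = stateful rule present, 1 = missing, 2 = could not read rules.
check_live() {
    listing=$(iptables -S INPUT 2>/dev/null) || return 2
    has_stateful_accept "$listing"
}
```

Applying the four printed rules by hand is `iptables -P INPUT DROP` followed by one `iptables -A INPUT ...` per line; nothing in the listing mentions the client's port 40112, because the server never needs to know it.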
 
=INVESTIGATION 1: PREPARATION & GETTING TO KNOW IPTABLES=
=== Confirming Existing Network Connections ===
Before proceeding with iptables, we should first verify that your '''host machine''' and '''VMs''' can connect with each other. We can also take the opportunity to record some observations which could be used for future labs.<br><br>
'''Perform the Following Steps:'''
# For each of your VMs, find the '''Network Interface''' name, its '''MAC address''' (HWADDR) and the '''IP address''' assigned to it. Record this information in your lab log-book.
# Change to your '''host machine''', open a terminal window, and perform the following connectivity tests for each VM:<br><br>
<source lang="bash">
ping -c 1 [ip-of-vm]
ssh [ip-of-vm]
</source>
We will run some iptables commands on your '''host machine''' to practice and get a basic understanding of how to set rules. We will NOT be saving the iptables rules in this section, so you don't have to worry about "messing up" your host machine - you can simply reboot your host machine to load the default iptables rules.
Refer to the following [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ OPS335 NOTES] if you need to review how to use the iptables command. You can also perform a web search for additional examples (such as deleting iptables rules for a chain).
Let's set a default '''policy''' to '''disable all inbound traffic''':
# Issue an ''iptables command'' to set the default policy of the '''INPUT''' chain to '''DROP'''.
# Issue an ''iptables command'' to list the rules and verify that you correctly disabled all inbound traffic.
The remaining iptables rules will relate to that same '''inbound''' traffic chain:
'''Perform the following steps for your <u>host </u> machine:'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Use the '''ifconfig''' or '''ip address''' command to determine the IP ADDRESS of your external facing interface (ens33) (i.e. an IP address beginning with '''192.168.40.x''' if you are using an SSD).
# Open a terminal on the Windows machine and '''ping''' the external facing IP address of your Linux host (ens33). Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Make a new chain named '''MYSSH'''.
# Add a rule to the '''INPUT''' chain that sends all incoming '''ssh''' traffic (tcp port 22) to your '''MYSSH''' chain.
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the '''beginning of your MYSSH chain''' that allows traffic from the IP address of your main host (probably Windows or Mac) machine.
# Add a rule to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
#Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic.
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Get the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's internal facing interface (it should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with the MAC address of your partner's main host (probably Windows) machine.
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with the IP address of your partner's main host (probably Windows) machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />The denied connections should fail, and the counters shown by '''iptables -L -v''' should increase on the rules in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as '''/var/log/messages''', or, since the LOG target writes to the kernel log, the command '''journalctl --dmesg | grep MYSSH''') should also show the failed attempts to '''ssh''' to you, tagged with your '''customized''' log prefix.
# When you are confident the rules are working, save them by running: <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />''Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.''
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
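The complete Investigation 2 ruleset, written as an added example rather than as the lab's own solution, in the format that `iptables-save` produces and `iptables-restore` consumes, so the whole policy loads in one atomic step instead of rule by rule. Every address, the MAC and the bridge name are parameters (the values in the comments are placeholders), and the script only touches the live firewall when invoked as root with `apply`:

```bash
#!/bin/sh
# Added example (not part of the lab): the MYSSH and MYICMP chains from
# Investigation 2 as an iptables-restore file. Parameters, not real hosts.

# gen_ruleset MAIN_HOST_IP INTERNAL_NET VIRT_IF BLOCKED_IP BLOCKED_MAC
#   MAIN_HOST_IP  the machine allowed to ssh in (your Windows/Mac host)
#   INTERNAL_NET  your virtual network, e.g. 192.168.X.0/24
#   VIRT_IF       the virtual bridge that network lives on, e.g. virbr0
#   BLOCKED_IP / BLOCKED_MAC  the host whose pings the lab says to deny
# Rule order inside a chain is evaluation order: the denies sit at the top
# of MYICMP and the LOG/DROP pair at the bottom of MYSSH. The MAC deny only
# works for a sender on the same Ethernet segment; a routed packet arrives
# carrying the gateway's MAC, so the IP deny is kept as well.
gen_ruleset() {
    main_host=$1 internal_net=$2 virt_if=$3 blocked_ip=$4 blocked_mac=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MYSSH - [0:0]
:MYICMP - [0:0]
-A INPUT -p icmp -j MYICMP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j MYSSH
-A MYSSH -s ${main_host}/32 -j ACCEPT
-A MYSSH -i ${virt_if} -s ${internal_net} -j ACCEPT
-A MYSSH -j LOG --log-prefix "DENIED BY MYSSH " --log-level info
-A MYSSH -j DROP
-A MYICMP -s ${blocked_ip}/32 -p icmp -m icmp --icmp-type 8 -j DROP
-A MYICMP -m mac --mac-source ${blocked_mac} -p icmp -m icmp --icmp-type 8 -j DROP
-A MYICMP -s ${internal_net} -j ACCEPT
COMMIT
EOF
}
# A packet that matches nothing in MYICMP returns to INPUT and continues
# at the next rule there, so echo replies to pings the host itself sends
# are still accepted by the RELATED,ESTABLISHED rule. MYSSH ends in DROP,
# so nothing returns from it.

# apply_ruleset ARGS...  Load the generated policy atomically (root only).
# Do this with libvirtd stopped, as the lab says, then save the result
# with 'iptables-save > /etc/sysconfig/iptables'.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    gen_ruleset "$@" | iptables-restore && iptables -L -v -n --line-numbers
}

# Usage (placeholder values):
#   sh lab2_rules.sh show  192.168.40.1 192.168.X.0/24 virbr0 192.168.40.1 00:50:56:c0:00:08
#   sh lab2_rules.sh apply ...same arguments...
case "${1:-}" in
    show)  shift; gen_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Review the `show` output before `apply`: with INPUT policy DROP, an error in one rule is not a missing rule but a host you can no longer reach, which is why the lab has you keep a console open and test from another machine before saving.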
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump or rsync command, and you should use the Bash shell script that you were advised to create in order to back up all of your VMs.}}
'''Record steps, commands, and your observations in INVESTIGATION 2 in your OPS335 lab log-book'''
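Reading the denied-ssh entries back out of the kernel log, as an added example (not part of the lab). The four `journalctl --dmesg` lines are constructed to match the fields the LOG target writes (IN=, MAC=, SRC=, DST=, SPT=, DPT=); the 203.0.113.x and 198.51.100.x sources are documentation addresses standing in for whoever was denied:

```bash
#!/bin/sh
# Added example: summarise the "DENIED BY MYSSH" entries produced by the
# LOG rule in the MYSSH chain. Pipe real 'journalctl --dmesg' output in;
# the sample below is constructed.

# denied_ssh_summary < LOGLINES
# Print "count source-ip", most frequent first, for packets carrying the
# MYSSH log prefix. Unrelated kernel messages are ignored.
denied_ssh_summary() {
    grep 'DENIED BY MYSSH' |
        sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# denied_ssh_unexpected_ports < LOGLINES
# Sanity check on the INPUT jump rule: every packet logged by MYSSH should
# have DPT=22. Anything printed here means a wrong or too-broad jump rule.
denied_ssh_unexpected_ports() {
    grep 'DENIED BY MYSSH' |
        sed -n 's/.* DPT=\([0-9]*\) .*/\1/p' |
        grep -vx 22 || true
}

# denied_ssh_source_macs < LOGLINES
# The MAC= field is dst(6) src(6) ethertype(2) as colon-separated bytes;
# bytes 7-12 are the sender's MAC, i.e. what a '-m mac --mac-source' rule
# would need (only meaningful for senders on the same Ethernet segment).
denied_ssh_source_macs() {
    grep 'DENIED BY MYSSH' |
        sed -n 's/.* MAC=\([0-9a-f:]*\) .*/\1/p' |
        awk -F: 'NF >= 14 { print $7":"$8":"$9":"$10":"$11":"$12 }' |
        sort -u
}

# Constructed sample of 'journalctl --dmesg' output (not real traffic).
SAMPLE_JOURNAL='Jun 04 06:03:11 c7host kernel: DENIED BY MYSSH IN=ens33 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.40.128 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 04 06:03:12 c7host kernel: DENIED BY MYSSH IN=ens33 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.40.128 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 04 06:03:15 c7host kernel: DENIED BY MYSSH IN=ens33 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=198.51.100.23 DST=192.168.40.128 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 04 06:03:20 c7host kernel: e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None'

# Usage: journalctl --dmesg | sh denied_ssh.sh summary|ports|macs
case "${1:-}" in
    summary) denied_ssh_summary ;;
    ports)   denied_ssh_unexpected_ports ;;
    macs)    denied_ssh_source_macs ;;
esac
```

`summary` prints one `count source` line per denied peer; `macs` prints the sender MACs, which for a peer behind a router will be the router's MAC rather than the peer's, the same limitation the lab's `--mac-source` rule has.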
 
== COMPLETING THE LAB ==
Upon completion of this lab, your host machine has a firewall protecting it from unexpected traffic. You should now have a basic understanding of the commands necessary to modify firewalls using iptables. You will be building on these rules for the rest of the course.
===Online Submission===
Follow the instructions for lab 2a on blackboard.
<!--
===Andrew's sections===
You may choose to:
* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.
* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
You'll get the same grade regardless of how you choose to submit your work.
'''Expected results of this lab are:'''
::<span style="color:green;font-size:1.5em;">&#x2713;</span>You can explain what the purpose is of the INPUT and OUTPUT iptables chains, and how traffic is evaluated against each rule.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Proof that the iptables rules work for your host.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Download and run https://ict.senecacollege.ca/~andrew.smith/ops335/labcheck2a.bash
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Issue the command '''journalctl --dmesg | grep -i MYSSH''' to confirm that outside ssh connections were logged.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>You know how to read a diff file.
-->
=EXPLORATION QUESTIONS=