OPS335 Lab 2

211 bytes removed, 06:03, 4 June 2021
Creating Customized Chains
In this lab, you will learn how to use '''iptables''' to build a simple '''Linux firewall''' on your servers.
iptables is a <u>very complex</u> topic. Fortunately, you are not required to become an ''"iptables expert"'', but by the end of the course, you should be able to use iptables to properly secure your servers.
You were exposed to iptables in your OPS235 course. You should refer to [http://zenit.senecac.on.ca/wiki/index.php/Lab_6_Warnings_/_Debrief#Investigation_2:_Networking_Tweaks OPS235] or [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ OPS335] notes or find and use documentation to learn how to complete these tasks. You can also ask your professor or lab assistant during the lab for help when using iptables. Some basic iptables commands are provided in this lab for reference, but it is also essential that you know how to obtain help (man pages and online) in order to become self-reliant.
We will run some iptables commands on your '''host machine''' to practice and get a basic understanding of how to set rules. We will NOT be saving the iptables rules in this section, so you don't have to worry about "messing-up" your host machine - you can simply reboot your host machine to load the default iptables rules.
 
Refer to the following [https://prezi.com/akyqt4h40oel/iptables-packet-filtering/ OPS335 NOTES] if you need to review how to use the iptables command. You can also perform a Netsearch for additional examples (such as deleting iptables rules for a chain).
Let's set a '''default policy''' to disable all inbound traffic:
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Make a backup of the original default rules: <source>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# Use the '''ifconfig''' or '''ip address''' command to determine the IP ADDRESS of your external facing address [ens33] (i.e. IP address beginning with '''192.168.40.x''' if you are using an SSD).
# Open a terminal on the Windows machine and '''ping''' the external facing IP address of your Linux host (ens33). Was it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the '''beginning of your MYSSH chain''' that allows traffic from the IP address of your main host (probably Windows or Mac) machine.
# Add a rule to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
# Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic.
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the MAC address of your main host (probably Windows) machine.
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the IP address of your main host (probably Windows) machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />You should not be able to connect from your Windows machine, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as '''/var/log/messages''', or, when using customized chains, the output of '''journalctl --dmesg | grep MYSSH''') should also show your failed attempts to '''ssh''' to your host with your '''customized''' log prefix.
# When you are confident the rules are working, save them by running ('''Note''' ''that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.'') <source>iptables-save > /etc/sysconfig/iptables</source><br />
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
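The finished MYSSH and MYICMP chains, written as a single iptables-restore ruleset so the rule order produced by the "insert at beginning" and "add to end" steps above can be reviewed before it is applied. This is an added example, not part of the lab page; the interface, network, host IP and MAC values are constructed placeholders, and the ssh jump rule, loopback rule and RELATED,ESTABLISHED rule are assumptions about the minimal default rules the lab starts from.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset equivalent to the lab's MYSSH/MYICMP
# steps. All values below are constructed placeholders, not from the lab page.
EXT_IF="ens33"                   # external-facing interface named in the lab
INT_NET="192.168.40.0/24"        # placeholder for the lab's 192.168.X.0/24
HOST_IP="192.168.40.1"           # placeholder: IP of the main (Windows/Mac) host
HOST_MAC="00:11:22:33:44:55"     # placeholder: MAC of the main host

# Emit the ruleset on stdout so it can be reviewed, then applied with
# "iptables-restore < file" (or written to /etc/sysconfig/iptables).
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MYSSH - [0:0]
:MYICMP - [0:0]
# Assumed minimal defaults: loopback and replies to connections we started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Hand ICMP and ssh on the external interface to the custom chains. A jump
# (-j), not a goto, so unmatched packets return to INPUT and hit its DROP policy.
-A INPUT -i ${EXT_IF} -p icmp -j MYICMP
-A INPUT -i ${EXT_IF} -p tcp --dport 22 -j MYSSH
# MYSSH: main host first (inserted at beginning), then the internal network,
# then log with the lab's prefix at level info and drop whatever remains.
-A MYSSH -s ${HOST_IP} -j ACCEPT
-A MYSSH -s ${INT_NET} -j ACCEPT
-A MYSSH -j LOG --log-level info --log-prefix "DENIED BY MYSSH "
-A MYSSH -j DROP
# MYICMP: the two "beginning of chain" inserts end up ahead of the accept.
-A MYICMP -p icmp --icmp-type echo-request -s ${HOST_IP} -j DROP
-A MYICMP -p icmp --icmp-type echo-request -m mac --mac-source ${HOST_MAC} -j DROP
-A MYICMP -s ${INT_NET} -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: every custom chain is declared before
# it is used as a jump target, and the log prefix survived quoting intact.
check_rules() {
  rules=$(build_rules)
  for chain in MYSSH MYICMP; do
    echo "$rules" | grep -q "^:${chain} - " || return 1
    echo "$rules" | grep -q -- "-j ${chain}\$" || return 1
  done
  echo "$rules" | grep -q -- '--log-prefix "DENIED BY MYSSH "' || return 1
  return 0
}
```

Run `sh script.sh` after appending `build_rules > /tmp/rules && check_rules` to inspect the file; the counters shown by `iptables -L -v` after loading it correspond to the per-rule hit counts the lab asks you to verify.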