Setting up a proper set of firewall rules on the host.
'''Perform the following steps for your vm1 host machine:'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains that are rejecting all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Create a new chain named '''MYSSH''' in the filter table. Refer to notes or other resources to learn how to name a chain.
# Add a rule to the '''INPUT''' chain of your filter table that sends all '''ssh''' traffic (i.e. tcp packets with destination port 22) to your '''MYSSH''' chain. Make sure this new rule follows (not precedes) the RELATED,ESTABLISHED rule, so it doesn't apply to existing connections.
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add rules to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
# Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chain.<br><br>Next we'll create a new chain to handle rules relating only to the '''ICMP''' protocol (ping):<br><br>
# Remove the rule in your '''INPUT''' chain that is allowing all '''icmp''' traffic.
# Make a new chain named '''MYICMP'''.
# Add a rule to the beginning of the '''INPUT''' chain to send '''ICMP''' packets to your '''MYICMP''' chain.
# Add a rule to the beginning of your '''MYICMP''' chain that denies '''ICMP pings''' originating from the IP address of your partner's machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Once you are happy with how your firewall works, store the commands you used to modify the default rules.
# Overwrite the defaults with the current state of the firewall:<source lang='bash'>/usr/libexec/iptables/iptables.init save</source>
# Store the above commands into a shell script called: '''firewall_restore.bash'''<br><br>
# Since the same iptables rules (i.e. above steps) for your ''vm1'' also apply for your ''vm2'', ''vm3'', and other vms, it makes sense to use the shell script you created for vm1 to set the iptables rules on these other vms.
# Copy your '''firewall_restore.bash''' script to both of your '''vm2''' and '''vm3''' machines, set execute permissions, and then run the shell script in order to set up the same firewall rules.
# Make certain to save your firewall rules for both '''vm2''' and '''vm3'''.<br><br>'''NOTE:''' We have now demonstrated how a simple shell script can save you time when setting up firewall rules for other vms.
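The steps above, collected into one script as an added example (not the course's own firewall_restore.bash): it assumes the stock CentOS ruleset (ESTABLISHED,RELATED accept as rule 1, then the icmp and ssh accepts, then a final REJECT), is run once on a fresh host, and takes the internal network, the partner's address and the interface as arguments; the values in the usage line are constructed placeholders.

```bash
#!/bin/bash
# firewall_restore.bash: rebuild the MYSSH and MYICMP chains from the lab steps.
# Added example, not the course's script. Assumes the stock CentOS rule set and a
# fresh host: the -D and -N lines fail (and the script stops) if run twice.
set -eu

# fw_rules <internal-net> <partner-ip> <iface>: print the iptables commands in order.
fw_rules() {
    local net="$1" partner="$2" iface="$3"
    cat <<EOF
# Default policies protect us instead of the catch-all REJECT rules, which go away.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
# MYSSH: jump placed at position 2, right after the ESTABLISHED,RELATED rule (rule 1).
iptables -N MYSSH
iptables -I INPUT 2 -p tcp --dport 22 -j MYSSH
iptables -A MYSSH -i $iface -s $net -j ACCEPT
iptables -A MYSSH -j LOG --log-level info --log-prefix "DENIED BY MYSSH "
iptables -A MYSSH -j DROP
# The stock ACCEPT rules for ssh and icmp are now redundant or too permissive.
iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -D INPUT -p icmp -j ACCEPT
# MYICMP: jump at the very top of INPUT; the partner's echo requests are dropped.
iptables -N MYICMP
iptables -I INPUT -p icmp -j MYICMP
iptables -I MYICMP -s $partner -p icmp --icmp-type echo-request -j DROP
# Not in the lab steps: without this, every other ICMP packet falls through to
# the INPUT DROP policy, so nobody could ping the host at all.
iptables -A MYICMP -j ACCEPT
# Persist the result so it survives a reboot / service restart.
/usr/libexec/iptables/iptables.init save
EOF
}

# fw_apply: execute the printed commands one by one, stopping at the first failure.
fw_apply() {
    fw_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Usage (as root): ./firewall_restore.bash --apply 192.168.X.0/24 192.168.X.2 eth0
if [ "${1:-}" = "--apply" ]; then
    fw_apply "$2" "$3" "$4"
fi
```

Run it without `--apply` (or call `fw_rules` directly) to review the exact commands before they touch a live host, and compare the result with `iptables -L -v` afterwards.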