Changes

Jump to: navigation, search

OPS235 Lab 6 - CentOS7 - SSD

8,351 bytes removed, 10:39, 15 June 2016
no edit summary
{| width="40%" align="right" cellpadding="10"
|- valign="top"
|{{Admon/note | | '''[http://en.wikipedia.org/wiki/Iptables Iptables] is the built-in firewall for LINUX'''consisting of a '''list of rules''' (or '''"tables of policies"'''). If data matches a specified <u>policy</u>, it must “jump” to an existing '''condition'''. Simple conditions include '''ACCEPT''', '''DROP''' and '''LOG''' but there are also more complex conditions that can be applied and there is even the option to create your own conditions.
When using iptables, the '''Filter''' table is important because it contains the following essential '''chains'''[[Image:<br><br> iptable-image.png|thumb|600px|right|'''INPUT:iptables'''<br>Data is checked against the INPUT chain to see if it is <u>allowed into</u> one of the PCfirewall utilities that can be used with Linux.<br><br>'''OUTPUT:'''<br>Data is checked against One of the OUTPUT chain to see if it main purposes (for this course) is <u>allowed to go outside</u> of the PC.<br><br>use iptables for '''FORWARD:packet filtering'''<br>PC is acting as a router it does not actually send or receive data, it <u>FORWARDS</u> data from one machine to another.}} ]]
|}
==== More about iptables Using Firewalls in Linux ====
Since Linux servers may be connected to the Internet, it is very important to run a firewall to control what comes into the computer system, what goes out of the computer system, and what may be forwarded to another computer. Linux uses the command called '''iptables''' to set the firewall rules. Although graphical programs can be used to configure iptables, it is important for students of Linux Administration to learn how to use the iptables command for more complex and automated configuration via shell scripting.
'''Perform the following steps:'''
# For the remainder of this section, use your '''c7host''' machine.# As root on the CentOS host enter the following commands at the prompt:#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b>#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b># What did those commands issued above do? Refer to the ''manpages'' for ''iptables'' if not certain.# Set the default policy for the INPUT chain to DROP by issuing the command:#: <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b># Now try on your own to change the default policies for the OUTPUT and FORWARD chains to DROP# Write the commands you executed in your lab book.# Can we mix these policies? Try to set the FORWARD chain policy to ACCEPT. Did it work?x
==== Testing iptables Policies ====
# Execute the command <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b> and check that the policies on your INPUT and OUTPUT chain are set to DROP# Open a browser and attempt to access the Internet. Were you successful?# Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT# Open your browser and attempt to access the Internet again. Were you successful?# Change the policies on all of the chains to DROP{| width="40%" align="right"x
|- valign="top" |{{Admon/note| Interpreting iptables commands |Here is the command you issue in step #15:  iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped. '''Let's break down Perform the command to see how it worksfollowing steps:''' The '''-I''' switch tells iptables to INSERT this line into the OUTPUT policy. This means it will be the first line in the policy. If we used a -A switch it would have appended the line and it would be the last line of the policy. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order. If you follow the -I with a number, the new rule will be inserted at that location in the chain (for example, <code>-I 3 OUTPUT</code> will insert the rule into the 3rd position in the OUTPUT chain, moving the existing rules down as necessary (the old rule #3 will become the new rule #4, for example). The '''-p tcp''' switch tells iptables to only match TCP packets. Alternately, the protocol could be set to udp, icmp, or all. The '''-s0/0''' switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC. The '''-d0/0''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed.
The switch '''--dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch.# x
'''-j''' means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.
 
'''DROP''' means drop the packet – make it disappear - and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that the LOG target is the only one that does not stop rule-checking in the chain - so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.
 
}}
 
|}
<ol>
<li value="6"> In the OUTPUT chain, add the following rule:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -A OUTPUT -j LOG</span></code></b></li>
<li>The above rule tells '''iptables''' to log packets and relevant information to '''/var/log/messages'''.</li>
<li>This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.</li>
<li>Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged. Let's have a look at the log file and analyze the data:<br><b><code><span style="color:#3366CC;font-size:1.2em;">tail /var/log/messages</span></code></b></li>
<li>This command shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:<br /><blockquote><code>Jun 24 12:41:26 c7host kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=16442 DF PROTO=TCP SPT=57151 DPT=5902 WINDOW=1024 RES=0x00 ACK URGP=0</code></blockquote></li>
<li>Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value.</li>
<li>When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?</li>
<li>Using the commands we already know, change the default policies on all of your chains to ACCEPT.</li>
<li>Open a browser and confirm that you can access the world wide web.</li>
<li>Enter the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</span></code></b></li>
<li>Try to access the Web. If you have done everything right, you should not have been successful.</li>
<li>After you have completed the test execute the following command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -F</span></code></b><br></li>
<li>Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.</li>
<li>After you have completed this task, flush the iptables again.</li>
<li>Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice.</li>
<li>Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.</li>
<li>Confirm that your rule works by testing from your VM's</li>
<li>Does iptables close the port? Check using '''netstat'''</li>
<li>Now insert a rule on the CentOS host that would ACCEPT connections from the centos2 VM only.</li>
<li>Fully test your configuration.</li>
</ol>
==== Making iptables Policies Persistent ====
It should be noted that all of the commands that we do here with iptables will not be persistent unless you have your configuration. That means if you re-boot, the default iptables configuration will be loaded. When your iptables service starts or at boot time it has to load the rules from the file '''/etc/sysconfig/iptables-config'''.
The final section below teaches you to make your iptables settings permanent.x
'''Perform the following steps:'''
Msaul
Administrators
13,420
edits
Retrieved from "https://wiki.cdot.senecapolytechnic.ca/wiki/Special:MobileDiff/118472"

Navigation menu