* # As root on the fedora host enter the following commands at the prompt:*#* <code>iptables -F</code> (This flushes out or clears all of your rules from the chains)*#* <code>iptables -L</code>*#You should see something similar to this:
<pre>
Chain INPUT (policy ACCEPT)
See the MAN page for <code>iptables</code> for detailed information on switches and options.}}
* # Set the default policy for the INPUT chain to DROP:*#* <code>iptables -P INPUT DROP</code>
{{Admon/note| |The <code>-P</code> switch stands for POLICY. This tells <code>iptables</code> that we are changing the policy for the INPUT chain. The policy is to be changed to DROP.
Note that <code>iptables</code> commands (as well as all other Linux commands) are case sensitive. Check your syntax carefully.}}
* # Now try on your own to change the default policies for the OUPUT and FORWARD chains to DROP* # Write the commands you executed in your lab book.* # Can we mix these policies? Try to set the FORWARD chain policy to ACCEPT. Did it work?
'''Testing policies'''
* # Execute the command <code>iptables -L</code> and check that the policies on your INPUT and OUTPUT chain are set to DROP* # Open a browser and attempt to access the Internet. Were you successful?* # Using the commands you have learned so far, change the policies on the INPUT and OUTPUT chains to ACCEPT* # Open your browser and attempt to access the Internet again. Were you successful? * # Change the policies on all of the chains to DROP* # In the OUTPUT chain, add the following rule:*#* <code>iptables -A OUTPUT -j LOG</code>* # The above rule tells <code>iptables</code> to log packets and relevant information to <code>/var/log/messages</code>. * # This entry in the OUTPUT policy will therefore log all packets being sent out of the machine.* # Try to access the Internet again. Because the policies have been set to DROP, you should be unsuccessful. However, every packet of data that your PC attempted to send out was logged. Let's have a look at the log file and analyze the data.*#* <code>tail /var/log/messages</code>* # This command shows us the last 10 lines of the file. While there are many things being logged to this file, the last thing we did was try to access the Internet so we should be able to see the data we need. Look for a line that looks similar to the following:
<blockquote><code>Mar 3 09:21:03 koala-laptop kernel: [90775.407304] IN= OUT=wlan0 SRC=192.168.1.107 DST=66.249.90.104 LEN=1470 TOS=0x00 PREC=0x00 TTL=64 ID=19752 DF PROTO=TCP SPT=45431 DPT=80 WINDOW=108 RES=0x00 ACK PSH URGP=0</code></blockquote>
* # Your IP, host names and date will be different, but the one thing that should be the same is the DPT=80 value. * # When your computer tried to send OUT a request to connect to the Internet using the WWW, the computer used a destination port of 80. This is the standard port for the WWW. Because we have set the default policy to DROP it drops these packets. The problem is we are dropping all packets. What if we just want to drop the WWW packets?* # Using the commands we already know, change the default policies on all of your chains to ACCEPT. * # Open a browser and confirm that you can access the world wide web.* # Enter the command:*#* <code>iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP</code>
{{Admon/note| |This command can be read like this, Insert a line into the iptables OUTPUT chain that will look at tcp information and DROP any packet with a source address from anywhere, to a destination address to anywhere if the destination port is 80. Let's break down the command to see how it works.
}}
* # Try to access the Web. If you have done everything right, you should not have been successful.* # After you have completed the test execute the following command:*#* <code>iptables -F</code>
'''Additional Exercises'''
* # Using the information you have learned, try on your own to achieve the same goal as above (block www access to your computer) by using the INPUT chain instead of the OUTPUT chain.* # After you have completed this task, flush the iptables again.* # Make sure that your ssh server is running on the host machine and try to access it from a virtual machine of your choice. * # Once you have confirmed that ssh is running on the host machine, insert an iptables rule on the host machine to prevent access to the ssh server from all VM's on the virtual network.* # Confirm that your rule works by testing from your VM's* # Does iptables close the port? Check using <code>netstat</code>* # Now insert a rule on the fedora host that would ACCEPT connections from the fedora2 VM only.* # Fully test your configuration.
{{Admon/note | |When your iptables service starts or at boot time it has to load the rules from the file <code>/etc/sysconfig/iptables</code>.}}
* # Make a backup of the file <code>/etc/sysconfig/iptables</code>* # Examine the file to see how rules are added.* # Enter in your 2 new rules created above.
{{Admon/important | Carefull! | Remember mistakes in iptables can have a significant impact on your system. Make sure you are '''appending the rules to the INPUT chain'''}}
* # Restart your iptables service and test your configuration. * # Write a short bash script to append a rule allowing the fedora1 and fedora3 VM's to connect to <code>ssh</code> on the fedora host.* # Answer the investigation in your logbook
== New Configuration ==
