If you can see this check that

next section prev section up prev page next page

Firewall Configuration


Firewalls

User:
Password:

Question 1: Firewall: Empty the Chains

In this tutorial we are going to work on the firewall configuration of your machine. Some care must be taken when doing this, or you will suddenly find you can no longer log in!

In all these cases the easiest way to do the experiment is to CREATE an executable program in /root called "firewall". You should make the contents of this something like:

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# Accept ongoing connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# For your own safety, stop users logging in from other VMs
#
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 23 ! -s 10.0.0.0/16 -j ACCEPT

#
# Your changes go after here.
#

To execute this file, remember "chmod +x ./filewall" and then just "./firewall" or "/root/firewall" to run it. Execute it once and they press the check button to make sure everything is set up ok.

After executing this file you can use "iptables -L" to show you what rules have been stored in the kernel. The provided rule uses a default policy of ACCEPT, just in case you make a typo and lock yourself out. Default ACCEPT is a bad idea here, and this is just to get you going. Later on we look at the default policy of DROP.

NOTE: If at any time you mess up and can no longer connect via telnet or ssh, then you can either reboot or use VNC to fix the problem. The script is not reexecuted automatically when you reboot, and should still be there on the next boot. VNC is much faster. If you use VNC, once logged in, you can restore the default firewall by doing "systemctl restart iptables.service".

Tests - not attempted
iptable empty UNTESTED
firewall file ok UNTESTED

Make the default policy of the INPUT chain DROP. Leave the other chains as they are. Do this by editing the script appropriately, then rerunning the script. Just set the INPUT chain default once in the script.

Tests - not attempted
INPUT drop UNTESTED
firewall file edited UNTESTED

What is the device name for your primary network connection in your virtual machine. Hint: this is the one which is mentioned in your default route.

/dev/

Tests - not attempted
Network device name UNTESTED

Visit the firewall test page, which can be found as a link off the VM Management page, and run a test on 22,23,25, and 80. All will either be "open" (service there and no firewall) or "closed" (no service there and no firewall).

Add to the END of your /root/firewall script a rule which, when an http packet (tcp) comes in from your main interface, jumps to DROP. Execute the script to activate this change. Do not make this new rule stateful (so no conntrack).

Validate this with the firewall test (which should now say "filtered").

Tests - not attempted
Block 80 UNTESTED
80 filtered for 10.200.0.1 UNTESTED

Add another rule to the end of your /root/firewall script This new rule jumps to DROP when a tcp packet which has a source address of 20.0.0.0/24 comes in from your main network device. Execute the script to activate this change. You will be marked wrong if your rule has more conditions than those listed in the question. Do not use connection tracking.

Tests - not attempted
Block ip20 UNTESTED

If any packet is passed through the FORWARD chain, reject the packet with the default settings.

Tests - not attempted
FORWARD REJECT UNTESTED

Accept PING at a limit of 1 per second from any interface in the INPUT chain. Do not use connection tracking in the rule.

Warning. Even without conntrack specifically in the rule, you are still making us of connection tracking rules elsewhere in the file. Only the first ICMP ping is NEW, and the rest are RELATED. Therefore you MUST insert your new rules BEFORE the RELATED,ESTABLISHED test, and make sure that unwanted pings never reach the RELATED test (needs 2 rules).

Double check that this is working using the ping option of the firewall tests (via the "useful" tab in the control panel). You should see "limited,1/second" if you have done this correctly.

Tests - not attempted
PING limit UNTESTED

Continue on from the previous set of rules. Add in one more rule so that if you receive pings faster than 1 per second, those pings will be logged. Note that things getting logged will appear at the end of /var/log/messages. Do not use a new chain to do this, and keep the rule as simple as possible. Do not use connection tracking.

Tests - not attempted
PING limit still ok UNTESTED
ping logging UNTESTED

Using the firewall tests, run a ping test and then look at the log information created in /var/log/messages. With this information, what is the ip of the source of all these ping requests?

Enter the ping ip source:

Tests - not attempted
log check UNTESTED

Question 2: Firewall: Tighter Ruleset

In this tutorial we are going to work on a strict firewall configuration of your machine. Extra-special care must be taken when doing this, or you will suddenly find you can no longer log in!

Create the following as a script called firewall2 in /root.

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
#
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# --- Put a rule here if you want to be inserting at the start of INPUT
#
# --- 
#
# Make sure ssh and telnet stay working, and that users on
# other VMs cannot log in.
#
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport ssh ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport telnet ! -s 10.0.0.0/16 -j ACCEPT
#
Tests - not attempted
iptable empty UNTESTED

Your ssh and telnet connections are proxied from 10.200.0.1. Thus when you telnet or ssh into linuxzoo, a special program catches this traffic and forwards it on your behalf. This makes ssh and telnet traffic appear to arrive at your virtual machine from a single networked address, the proxy address of 10.200.0.1.

Insert a single rule using this script, inserting at the start of the INPUT chain so that telnet is ONLY permitted from 10.200.0.1 arriving on and device. Leave the other rules shown above unchanged. If telnet connections arrive from anywhere else, they should be directed to REJECT. Make this a stateful rule, and check the state before any other test.

Note that if you change one of the other rules, insert more than 1 rule, or do anything other than insert a single rule at the start of the chain, you will always be marked wrong!

Hint: you can put the "!" character in front of a "-s" test and the rule checks that it is NOT that address.

Tests - not attempted
Block not ip 10.200.0.1 UNTESTED
23 open for 10.200.0.1 UNTESTED
23 reject for non-10.200.0.1 UNTESTED

Add a rule to the firewall so that if someone on your virtual machine tries to open an http connection to 10.200.0.1, the packet it ACCEPTED. Add this rule to the END of the appropriate chain. Do not change any of the existing rules. Use a stateful rule, and check for NEW state before any other tests.

Tests - not attempted
Previous rules and newrule count seem ok UNTESTED
Can get http on 10.200.0.1 UNTESTED
New rule looks ok UNTESTED

Add appropriate rules so that, if this machine was a router, it would allow RELATED and ESTABLISHED traffic to flow in both directions, as well as permitting http and ping requests to an intranet machine 192.168.1.5. For your rules you can assume the intranet is on device eth9, and you should make sure that the NEW packets are sent on eth9. Do not change any rules or policy definitions from that of the previous question.

Note that in reality eth9 does not exist. However this should have no effect on the rules. Add only 1 rules for RELATED,ESTABLISHED testing, 1 rule for http, and 1 rule for ping (a total of 3 rules), and create them in that order. Make all rules stateful.

Tests - not attempted
Right number of rules UNTESTED
Right policy UNTESTED
Stateful continuing UNTESTED
Stateful http UNTESTED
Stateful ping UNTESTED


Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 Mail
Caine 6.0: Essentials | Basic | Search | SysIntro | 5a | 5b | 5c | 6 | 7a | 7b | 8a | 8b | WebBrowserA | WebBrowserB | Registry | Browser
Digital Investigation: Editing | Email | Logs | Strength
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions
Site Links:XMLZoo ActiveSQL ProgZoo SQLZoo

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2017 Edinburgh Napier University