
Firewall Configuration


Firewalls


Question 1: Firewall: Empty the Chains

In this tutorial we are going to work on the firewall configuration of your machine. Some care must be taken when doing this, or you will suddenly find you can no longer log in!

In all these cases the easiest way to do the experiment is to CREATE an executable program in /root called "firewall". You should make the contents of this something like:

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
#
# For your own safety, stop users logging in from other VMs
#
iptables -A INPUT -i eth0 -p tcp --dport ssh -s 10.0.0.0/16 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport telnet -s 10.0.0.0/16 -j DROP
#
# Your changes go after here.
#

To execute this file, remember "chmod +x ./firewall" and then just "./firewall" or "/root/firewall" to run it. Execute it once and then press the check button to make sure everything is set up ok.

After executing this file you can use "iptables -L" to show you what rules have been stored in the kernel. The provided script sets a default policy of ACCEPT on all three chains. Later on we look at a default policy of DROP.


Question 2: Block port 80

Visit the firewall test page, which can be found as a link off the VM Management page, and run a test on ports 22, 23, 25 and 80. Each will be reported either as "open" (service there and no firewall) or "closed" (no service there and no firewall).

Add to the end of your /root/firewall script a rule which, when an http packet (tcp) comes in from eth0, jumps to DROP. Execute the script to activate this change.

Validate this with the firewall test (which should now say "filtered").


Question 3: Block From 20.0.0.0/24

Add another rule to the end of your /root/firewall script. This new rule jumps to DROP when a tcp packet with a source address in 20.0.0.0/24 comes in from eth0. Execute the script to activate this change. You will be marked wrong if your rule has more conditions than those listed in the question.


Question 4: FORWARD drop

Make the default policy of the FORWARD chain DROP. Leave the other chains as ACCEPT.


Question 5: PING limit

Accept PING at a limit of 1 per second from any interface. This is tricky, as your default for the INPUT chain is ACCEPT. Attempt this question in two stages: first accept the PING if the rate is acceptable, then add a check which jumps to DROP if the packet is a PING. The drop will always be done if that rule is reached and the packet is a PING, but it will not be reached if the first rule accepts it.

Double check that this is working using the ping option of the firewall tests. You should see "limited,1/second" if you have done this correctly.


Question 6: PING logging

Continue on from the previous set of rules. Add in one more rule so that if you receive pings faster than 1 per second, those pings will be logged. Logged packets appear at the end of /var/log/messages. Do not use a new chain to do this, and keep the rule as simple as possible.
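One way to write the tail of /root/firewall for Questions 2 to 6, as an added example rather than LinuxZoo's own script. Rule order matters: the rate-limited ACCEPT must come before the LOG and DROP rules for echo requests. The LOG prefix "PING: " is an assumption (the questions do not name one), and without the argument "apply" the script only prints the commands so the order can be checked before it is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not LinuxZoo's own script: the rules from Questions 2 to 6
# in the order the questions require. The log prefix is an assumption.
# Run as "./firewall apply" to load the rules; any other invocation only
# prints the iptables commands (preview mode).
case "${1:-}" in
    apply) IPT=iptables ;;
    *)     IPT="echo iptables" ;;   # preview mode: print, do not execute
esac

firewall_rules() {
    # Q2: HTTP (tcp/80) arriving on eth0 is dropped
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -j DROP
    # Q3: any tcp packet from 20.0.0.0/24 on eth0 is dropped; no extra conditions
    $IPT -A INPUT -i eth0 -p tcp -s 20.0.0.0/24 -j DROP
    # Q4: nothing is routed through this host; INPUT and OUTPUT stay ACCEPT
    $IPT -P FORWARD DROP
    # Q5, stage 1: echo requests within 1 per second (any interface) are accepted
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    # Q6: echo requests that got past the limit are logged before they are dropped
    $IPT -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "PING: "
    # Q5, stage 2: every echo request that reaches this rule is over the limit
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
}

firewall_rules
```

In preview mode the six printed lines should read back in exactly the order above; "iptables -L INPUT" after "./firewall apply" should list them the same way.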


Question 7: PING log

Using the firewall tests, run a ping test and then look at the log information created in /var/log/messages. From this information, what is the source IP of all these ping requests?
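A small pipeline for reading the answer out of /var/log/messages, added here as an example and not part of the LinuxZoo page. The kernel LOG target writes one line per packet containing SRC=, DST= and PROTO= fields; the log lines below are constructed for the demonstration, and the filter matches on PROTO=ICMP and TYPE=8 (echo request) rather than on any particular --log-prefix.

```shell
#!/bin/sh
# Added example, not part of the LinuxZoo page: answer Question 7 from the
# kernel LOG lines that the Question 6 rule writes to /var/log/messages.
# Real use:  ping_sources < /var/log/messages
# The lines below are constructed for this demonstration.
SAMPLE_LOG='Mar  3 10:14:02 vm kernel: PING: IN=eth0 OUT= SRC=10.200.0.1 DST=10.0.12.34 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=5
Mar  3 10:14:02 vm kernel: PING: IN=eth0 OUT= SRC=10.200.0.1 DST=10.0.12.34 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=6
Mar  3 10:14:02 vm sshd[812]: Accepted password for root from 10.200.0.1 port 40112 ssh2
Mar  3 10:14:03 vm kernel: PING: IN=eth0 OUT= SRC=10.0.7.7 DST=10.0.12.34 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  3 10:14:03 vm kernel: PING: IN=eth0 OUT= SRC=10.200.0.1 DST=10.0.12.34 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=7'

# ping_sources: read log lines on stdin, keep only logged ICMP echo requests
# (TYPE=8), pull out the SRC= address and print "count address", busiest first.
# Filtering on PROTO/TYPE keeps the count clean if other LOG rules are added later.
ping_sources() {
    grep 'PROTO=ICMP' | grep -E 'TYPE=8( |$)' \
        | sed -n 's/.*SRC=\([0-9.][0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# top_ping_source: just the single address that belongs in the answer box
top_ping_source() {
    ping_sources | awk 'NR == 1 { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ping_sources
printf '%s\n' "$SAMPLE_LOG" | top_ping_source
```

On the constructed input the pipeline reports "3 10.200.0.1" and "1 10.0.7.7"; the sshd line is ignored because it carries no PROTO= field.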


Question 8: Firewall: Tighter Ruleset

In this tutorial we are going to work on a strict firewall configuration of your machine. Extra-special care must be taken when doing this, or you will suddenly find you can no longer log in!

Create the following as a script called firewall2 in /root.

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# Make sure ssh and telnet stay working, and that users on
# other VMs cannot log in.
#
# --- Put a rule here if you want to be inserting at the start of INPUT
#
iptables -A INPUT -i eth0 -p tcp --dport ssh ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport telnet ! -s 10.0.0.0/16 -j ACCEPT
#
# Sockets, once connected, continue to work
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#

Question 9: Block From linuxzoo.net

Your ssh and telnet connections are proxied from 10.200.0.1. Thus when you telnet or ssh into linuxzoo, a special program catches this traffic and forwards it on your behalf. This makes ssh and telnet traffic appear to arrive at your virtual machine from a single networked address, the proxy address of 10.200.0.1.

Insert a single rule using this script, placed at the start of the INPUT chain, so that ssh is ONLY accepted from 10.200.0.1 arriving on eth0. Leave the other rules shown above unchanged. If ssh connections arrive from anywhere else, they should be directed to REJECT.

Note that if you change one of the other rules, insert more than 1 rule, or do anything other than insert a single rule at the start of the chain, you will always be marked wrong!

Hint: you can put the "!" character in front of a "-s" test and the rule checks that it is NOT that address.


Copyright @ 2004-2012 Gordon Russell. All rights reserved.