Firewalls

In this tutorial we are going to work on the firewall configuration of your machine. Some care must be taken when doing this, or you will suddenly find you can no longer log in!

In all these cases the easiest way to do the experiment is to CREATE an executable program in /root called "firewall". You should make the contents of this something like:

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#
# Accept ongoing connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
# For your own safety, stop users logging in from other VMs
#
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport 22 ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport 23 ! -s 10.0.0.0/16 -j ACCEPT

#
# Your changes go after here.
#

To execute this file, remember "chmod +x ./filewall" and then just "./firewall" or "/root/firewall" to run it. Execute it once and they press the check button to make sure everything is set up ok.

After executing this file you can use "iptables -L" to show you what rules have been stored in the kernel. The provided rule uses a default policy of ACCEPT, just in case you make a typo and lock yourself out. Default ACCEPT is a bad idea here, and this is just to get you going. Later on we look at the default policy of DROP.

NOTE: If at any time you mess up and can no longer connect via telnet or ssh, then you can either reboot or use VNC to fix the problem. The script is not reexecuted automatically when you reboot, and should still be there on the next boot. VNC is much faster. If you use VNC, once logged in, you can restore the default firewall by doing "systemctl restart iptables.service".

Make the default policy of the FORWARD chain DROP. Leave the other chains as they are. Do this by editing the script appropriately, then rerunning the script. Just set the FORWARD chain default once in the script.

What is the device name for your primary network connection in your virtual machine. Hint: this is the one which is mentioned in your default route.

/dev/

Visit the firewall test page, which can be found as a link off the VM Management page, and run a test on 22,23,25, and 80. All will either be "open" (service there and no firewall) or "closed" (no service there and no firewall).

Add to the END of your /root/firewall script a rule which, when an http packet (tcp) comes in from your main interface, jumps to DROP. Execute the script to activate this change. Do not make this new rule stateful (so no conntrack).

Validate this with the firewall test (which should now say "filtered").

Add another rule to the end of your /root/firewall script This new rule jumps to DROP when a tcp packet which has a source address of 20.0.0.0/24 comes in from your main network device. Execute the script to activate this change. You will be marked wrong if your rule has more conditions than those listed in the question. Do not use connection tracking.

If any packet is passed through the FORWARD chain, reject the packet with the default settings.

Accept PING at a limit of 1 per second from any interface in the INPUT chain. Do not use connection tracking in the rule. DROP pings faster than the limit.

Warning. Even without conntrack specifically in the rule, you are still making us of connection tracking rules elsewhere in the file. Only the first ICMP ping is NEW, and the rest are RELATED. Therefore you MUST insert your new rules BEFORE the RELATED,ESTABLISHED test, and make sure that unwanted pings never reach the RELATED test (needs 2 rules).

Double check that this is working using the ping option of the firewall tests (via the "useful" tab in the control panel). You should see "limited,1/second" if you have done this correctly.

Continue on from the previous set of rules. Add in one more rule so that if you receive pings faster than 1 per second, those pings will be logged. Note that things getting logged will appear at the end of /var/log/messages. Do not use a new chain to do this, and keep the rule as simple as possible. Do not use connection tracking.

Using the firewall tests, run a ping test and then look at the log information created in /var/log/messages. With this information, what is the ip of the source of all these ping requests?

Enter the ping ip source:

In this tutorial we are going to work on a strict firewall configuration of your machine. Extra-special care must be taken when doing this, or you will suddenly find you can no longer log in!

Create the following as a script called firewall2 in /root.

#!/bin/bash
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
#
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#
# --- Put a rule here if you want to be inserting at the start of INPUT
#
# --- 
#
# Make sure ssh and telnet stay working, and that users on
# other VMs cannot log in.
#
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport ssh ! -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --dport telnet ! -s 10.0.0.0/16 -j ACCEPT
#

Your ssh and telnet connections are proxied from 10.200.0.1. Thus when you telnet or ssh into linuxzoo, a special program catches this traffic and forwards it on your behalf. This makes ssh and telnet traffic appear to arrive at your virtual machine from a single networked address, the proxy address of 10.200.0.1.

Insert a single rule using this script, inserting at the start of the INPUT chain so that telnet is ONLY permitted from 10.200.0.1 arriving on and device. Leave the other rules shown above unchanged. If telnet connections arrive from anywhere else, they should be directed to REJECT. Make this a stateful rule, and check the state before any other test.

Note that if you change one of the other rules, insert more than 1 rule, or do anything other than insert a single rule at the start of the chain, you will always be marked wrong!

Hint: you can put the "!" character in front of a "-s" test and the rule checks that it is NOT that address.

Add a rule to the firewall so that if someone on your virtual machine tries to open an http connection to 10.200.0.1, the packet it ACCEPTED. Add this rule to the END of the appropriate chain. Do not change any of the existing rules. Use a stateful rule, and check for NEW state before any other tests.

Add appropriate rules so that, if this machine was a router, it would allow RELATED and ESTABLISHED traffic to flow in both directions, as well as permitting http and ping requests to an intranet machine 192.168.1.5. For your rules you can assume the intranet is on device eth9, and you should make sure that the NEW packets are sent on eth9. Do not change any rules or policy definitions from that of the previous question.

Note that in reality eth9 does not exist. However this should have no effect on the rules. Add only 1 rules for RELATED,ESTABLISHED testing, 1 rule for http, and 1 rule for ping (a total of 3 rules), and create them in that order. Make all rules stateful.