CDOT Wiki β

OPS235 Lab 7 - CentOS7 - HD2

85 bytes added, 13:02, 25 October 2016
no edit summary
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the iptables command to verify that the INPUT policy has been set (look for the Policy section, NOT the INPUT rules).<br><br>After the overall default policy is set, you can create policy rules that are "exceptions" to the default policy. These iptables commands are more complex since you need to determine: <ul><li>'''Where each rule appears in the chain''' (order can be important)</li><li>'''Which protocol(s)''' are affected (e.g. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected</li><li>'''What port numbers''' are affected</li><li>'''What action to take''' if all of the above conditions are met (e.g. ACCEPT, REJECT, DROP, or LOG)</li></ul><br><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If an element in a column is not specified in the iptables command, then the rule relates to ALL elements of that column)'''<br><table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top"><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before rule 5) </td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br><br>(refer to '''/etc/protocols''' )</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''<span style="font-family:courier">--</span>sport 22''' (originating port 22 - SSH)<br>'''<span style="font-family:courier">--</span>sport 80''' (originating port 80 - http)<br><br>(refer to '''/etc/services''')</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br><br>
# Make certain you are in your '''c7host''' machine.
# Determine the '''external facing address''' of your host c7host machine (the IP address should start with 10. - otherwise, type ip address in a web-browser).
# Have a lab neighbour try to ping that external facing address. Were they successful?
# Issue the following iptables policy to DROP all incoming connections:<br><b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Have your neighbour try to ping your external facing IP Address. What happened? Why?
# Have your neighbour obtain their external facing IP Address.
# Issue an iptables command to ADD a ping exception for your neighbour's IP Address, and have your neighbour test it.
# Have your neighbour test sshing into your c7host. Successful?
# Issue an iptables command to insert an ssh exception before rule #1, and have your neighbour test it.
# List the iptables rules for the INPUT chain.
# Issue an iptables rule at the bottom of the OUTPUT chain to DROP http (port 80) connections.
# Open another web-browser. Can you connect to a webpage?
# Issue an iptables rule to flush the OUTPUT chain. Does your web-browser now work?
# We will keep the rules for the INPUT chain.
# Shut down all VMs and restart your c7host Linux machine.
# List the iptables rules for the INPUT chain. What happened?
# Proceed to the next part to learn how to make your iptables rules persistent.
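A small model of the chain semantics the table above describes (first matching rule wins, an unspecified element matches everything, the default policy is the fallback), applied to the INPUT and OUTPUT rules this exercise builds. This is an added example written in Python for this page, not part of the lab or of iptables itself; the neighbour address, the sample packets and the use of --dport 22 for the inbound ssh exception are assumptions.

```python
# Rule elements the command did not specify are None and match anything,
# which is the table's "relates to ALL elements" note.
def rule(target, proto=None, src=None, dst=None, sport=None, dport=None):
    return {"target": target, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

class Chain:
    """One filter chain: a default policy plus an ordered list of exceptions."""
    def __init__(self, policy):
        self.policy = policy     # iptables -P CHAIN POLICY
        self.rules = []
    def append(self, r):         # iptables -A CHAIN ...   (bottom of chain)
        self.rules.append(r)
    def insert(self, r, num=1):  # iptables -I CHAIN num ... (before rule num)
        self.rules.insert(num - 1, r)
    def flush(self):             # iptables -F CHAIN
        self.rules = []
    def verdict(self, pkt):
        """Return (target, rule number): first match wins, policy if none match."""
        for n, r in enumerate(self.rules, 1):
            if all(v is None or pkt.get(k) == v
                   for k, v in r.items() if k != "target"):
                return r["target"], n
        return self.policy, 0

def lab_input_chain(neighbour_ip):
    """INPUT chain as the steps above build it (neighbour_ip is a constructed value)."""
    c = Chain("DROP")                                         # -P INPUT DROP
    c.append(rule("ACCEPT", proto="icmp", src=neighbour_ip))  # -A INPUT -p icmp -s NEIGHBOUR -j ACCEPT
    # Inbound ssh arrives with destination port 22, so the exception matches --dport 22;
    # inserting at 1 puts it ahead of the icmp rule, which becomes rule 2.
    c.insert(rule("ACCEPT", proto="tcp", dport=22), 1)        # -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    return c

def lab_output_chain():
    """OUTPUT chain after the http block is appended (flush it to undo)."""
    c = Chain("ACCEPT")
    c.append(rule("DROP", proto="tcp", dport=80))             # -A OUTPUT -p tcp --dport 80 -j DROP
    return c

# Constructed sample packets (only the fields the rules inspect).
def ping_from(ip):
    return {"proto": "icmp", "src": ip}
def ssh_from(ip):
    return {"proto": "tcp", "src": ip, "sport": 51515, "dport": 22}
def http_to(ip):
    return {"proto": "tcp", "dst": ip, "sport": 40000, "dport": 80}
```

Calling `lab_input_chain("10.10.10.5").verdict(ping_from("10.10.10.9"))` returns the policy verdict `('DROP', 0)`, while the neighbour's ping and anyone's ssh hit rules 2 and 1 respectively, which is the ordering you should see when you list the INPUT chain.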