OPS335 Firewall Lab

From CDOT Wiki
Revision as of 10:34, 21 January 2012 by Rchan (talk | contribs)
Draft: Do not use - Work in Progress
This warning message will be removed when the lab is ready.


IPTABLES - The Linux firewall

In this lab you will learn how to use iptables to build a simple Linux firewall.

Instructions

Building a Simple Firewall

  • Login as joker to your Fedora 13 PC.
    • It's not necessary to use a VM for this lab. Just use your original Fedora system created in lab #0.
  • Open a terminal window and "su -" to root.
  • Disable your current firewall, i.e. flush all rules in all chains in all tables.

Build a custom firewall by performing the following steps:

  1. Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.
  2. Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53, i.e. packets whose source port is 53.
  3. Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.
  4. Create a new chain named MYSSH in the filter table.
  5. Add a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.
  6. Add a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.
  7. Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.
  8. Make a new chain named MYICMP in the filter table.
  9. Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).
  10. Add a rule to your MYICMP chain that denies ICMP pings originating from the MAC address 00:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).
  11. Add a rule to your MYICMP chain that allows ICMP pings from anywhere.
  12. Add a rule to the INPUT chain of the filter table to send ICMP ping packets to your MYICMP chain.
  13. Change the default policy on the INPUT chain in the filter table to DROP.
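The thirteen steps above collected into one script, added here as an example and not part of the original lab page. It assumes the iptables command-line syntax available on Fedora 13, keeps the lab's `142.204.141.XXX` and `00:22:33:44:55:66` as placeholders to be replaced with the real neighbour values, and the `ipt` wrapper, `DRY_RUN` switch and `apply` argument are this script's own conventions: without `apply` (or when `DRY_RUN=1`) it prints the rules instead of applying them, so the rule set can be reviewed before it is loaded as root.

```shell
#!/bin/bash
# Example firewall build script for the OPS335 lab steps 1-13 (added example,
# not the lab's own code). Run as root with the argument "apply" to load the
# rules; any other invocation only prints the iptables commands.

NEIGHBOUR="${NEIGHBOUR:-142.204.141.XXX}"   # placeholder: the PC beside you
BAD_MAC="${BAD_MAC:-00:22:33:44:55:66}"     # MAC address from step 10
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute

# Wrapper so the same rule list can be previewed or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Disable the current firewall: flush every chain and delete user-defined
# chains in all tables, and reset the built-in policies to ACCEPT.
flush_all() {
    for t in filter nat mangle raw; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

# Steps 1-13. Rule order matters: INPUT is evaluated top to bottom, and the
# default policy (step 13) only applies to packets no rule accepted.
build_firewall() {
    # 1. Allow everything on the loopback interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # 2. Allow UDP with source port 53 (DNS replies).
    ipt -A INPUT -p udp --sport 53 -j ACCEPT
    # 3. Allow packets belonging to established or related connections.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4-5. New chain MYSSH; send every tcp/22 packet there.
    ipt -N MYSSH
    ipt -A INPUT -p tcp --dport 22 -j MYSSH
    # 6. Deny the neighbour and log the denied packets at level info.
    #    LOG is non-terminating, so it must come before the DROP rule.
    ipt -A MYSSH -s "$NEIGHBOUR" -j LOG --log-level info --log-prefix "MYSSH-DENY:"
    ipt -A MYSSH -s "$NEIGHBOUR" -j DROP
    # 7. Allow new ssh connections from anyone else. Packets that did not
    #    match in MYSSH return to INPUT and reach this rule.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 8. New chain MYICMP.
    ipt -N MYICMP
    # 9. Deny pings from the neighbour.
    ipt -A MYICMP -p icmp --icmp-type echo-request -s "$NEIGHBOUR" -j DROP
    # 10. Deny pings from the given source MAC (mac match works on INPUT only
    #     for frames received directly on a local interface).
    ipt -A MYICMP -p icmp --icmp-type echo-request -m mac --mac-source "$BAD_MAC" -j DROP
    # 11. Allow pings from anywhere else.
    ipt -A MYICMP -p icmp --icmp-type echo-request -j ACCEPT
    # 12. Send ping packets arriving on INPUT to MYICMP.
    ipt -A INPUT -p icmp --icmp-type echo-request -j MYICMP
    # 13. Default policy DROP for INPUT; everything not accepted above is dropped.
    ipt -P INPUT DROP
}

# Only apply for real when explicitly asked to and running as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    DRY_RUN=0
fi
flush_all
build_firewall
```

Because `LOG` never ends rule traversal, step 6 needs two rules in MYSSH (log, then drop); a single `-j DROP` would satisfy the deny but produce no log records for question 4. With the rules loaded, `iptables -L -v -n` shows per-rule packet counters, which is the quickest way to confirm that a test ping or ssh attempt hit the chain you expected. For step 3 of the testing section, the SysV init script on Fedora 13 saves the running rules with `service iptables save` (written to /etc/sysconfig/iptables), so they survive a reboot.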

Testing your custom firewall

  1. Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.
  2. Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.
  3. Save your firewall rules.

Completing the Lab

Answer the following questions

  1. What is your full name and Seneca student ID?
  2. Show your firewall rules using the output of the 'iptables -L' command.
  3. Show the results of your nmap scans. Be sure to also show the exact nmap command you used.
  4. Show the log records generated by your invalid ssh attempts.
  5. What iptables rule would you need to add to your firewall to allow a maximum of 3 concurrent ssh connections from 142.204.141.XXX to your host?