OPS335 Lab 2

1,958 bytes added, 22:09, 9 May 2016
Switching the host away from scripted rules to a saved file, so that we can be sure it has basic working security.
You should have learned in OPS235 how to view existing iptables rules with the command: iptables -L -v. Although you may assume that this listing of rules should be empty, it may not be!
In fact, several rules were '''automatically added''' to your chains because you are using a '''virtual network'''. As an exercise, we will determine which of those rules were added when the virtual network was started.
'''Perform the Following Steps:'''
#Are there any differences between those 2 files? What does this mean if your VMs get disconnected in terms of the firewall rules?
{{Admon/tip|Graphically Compare File Differences|You can also install a graphical tool that makes it much easier to see differences: '''kompare before.txt after.txt'''<br><br>NOTE: Make certain to run the command as a regular user (not root!).}}
 
=== Practice Setting Firewall Rules ===
 
We will run some iptables commands on your vm1 to practice and get a basic understanding of how to set rules.
 
# First, issue an ''iptables command'' to set the policy to disable '''all forwarding traffic''', and remove the rule that is rejecting it.
# Next, set the default policy to drop '''all inbound traffic''', and remove the rule that is rejecting traffic.
# Issue an iptables command to list rules for verification.<br />The remaining tasks will relate to that same '''inbound''' traffic chain.
# Issue an ''iptables command'' to delete the default ssh rule.
# Issue an ''iptables command'' to add a rule that allows ssh traffic (i.e. tcp packets with destination port 22) that originates from any machine within your virtual network.
# Issue an ''iptables command'' to delete the default icmp rule.
# Issue an ''iptables command'' to allow icmp traffic from addresses in your virtual network.
# Test that your machines can still use ping and ssh to communicate with each other.
# Store the commands you used to modify the iptables into a shell script called: '''firewall_restore.bash'''
# Set up a cron entry so that your rules are automatically applied every time the host machine boots.
# Now copy the script to your other VMs and make it apply to them when they boot as well.
# Reboot each machine and make sure this works before you move on.
'''Record steps, commands, and your observations in INVESTIGATION 1 in your OPS335 lab log-book'''
# Make a backup of the original default rules: <source lang='bash'>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# Stop libvirtd and restart iptables so that you have only the minimal default rules.
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains that are rejecting all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Create a new chain named '''MYSSH''' in the filter table. Refer to notes or other resources to learn how to name a chain.
# Add a rule to the '''INPUT''' chain of your filter table that sends all '''ssh''' traffic (i.e. tcp packets with destination port 22) to your '''MYSSH''' chain. Make sure this new rule follows (not precedes) the RELATED,ESTABLISHED rule, so it doesn't apply to existing connections.
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Make a new chain named '''MYICMP'''.
# Add a rule to the beginning of the '''INPUT''' chain to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the IP address and MAC address of their external facing interface. If you don't have a partner, use a virtual machine.
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the beginning of your '''MYICMP''' chain that denies '''ICMP pings''' originating with MAC address of your partner's machine.
# Add a rule to the beginning of your '''MYICMP''' chain that denies '''ICMP pings''' originating with IP address of your partner's machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Have your partner attempt to connect to your machine (using your external facing address) to ensure your rules are working.<br />They should not be able to connect, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains. Your system logs should also show their failed attempts to ssh to you.
# When you are confident the rules are working, save them by running <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
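The following '''firewall_restore.bash''' is an added worked example, not the lab's answer key, covering both the scripted steps of the earlier list (DROP policies, ssh and icmp allows from the virtual network, a script run at boot) and the MYSSH/MYICMP chain steps above. It rebuilds the filter table from empty rather than editing the default rules in place, so rule order is explicit: the MYSSH jump is appended after the RELATED,ESTABLISHED rule, the MYICMP jump is inserted at the head of INPUT, and the partner blocks are inserted at the head of MYICMP so they win over the internal-network allow. The subnet 192.168.100.0/24, interface virbr0, partner IP 192.0.2.10 and partner MAC are constructed placeholders; set the environment variables to your own values. With DRY_RUN=1 (or --dry-run) the '''ipt''' wrapper prints the commands instead of running them, so you can review the rule set before applying it as root.

```bash
#!/bin/sh
# firewall_restore.bash (added example; not the lab's official solution).
# Rebuilds the filter table to match the lab's steps: DROP policies on
# INPUT and FORWARD, a MYSSH chain fed from INPUT after the
# RELATED,ESTABLISHED rule, and a MYICMP chain at the head of INPUT with
# the partner blocks placed before the internal-network allow.

# Constructed placeholders; override with your own values:
INTERNAL_NET="${INTERNAL_NET:-192.168.100.0/24}"   # your 192.168.X.0/24
VIRT_IF="${VIRT_IF:-virbr0}"                       # your virtual interface
PARTNER_IP="${PARTNER_IP:-192.0.2.10}"             # partner's external IP
PARTNER_MAC="${PARTNER_MAC:-00:11:22:33:44:55}"    # partner's external MAC

# Wrapper: with DRY_RUN=1 print each command instead of executing it,
# so the rule set can be reviewed without root or a live netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Start from an empty filter table so the script is safe to re-run.
    ipt -F          # flush every chain in the filter table
    ipt -X          # delete user-defined chains (all empty after -F)

    # DROP policies replace the old catch-all REJECT rules.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Baseline INPUT rules: loopback, then replies to our own connections.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # MYSSH chain. The jump is appended, so it follows the
    # RELATED,ESTABLISHED rule and only sees new ssh connections (-j, not -g).
    ipt -N MYSSH
    ipt -A INPUT -p tcp --dport 22 -j MYSSH
    ipt -A MYSSH -i "$VIRT_IF" -s "$INTERNAL_NET" -j ACCEPT

    # MYICMP chain, inserted at the beginning of INPUT.
    ipt -N MYICMP
    ipt -I INPUT 1 -p icmp -j MYICMP
    ipt -A MYICMP -s "$INTERNAL_NET" -p icmp -j ACCEPT
    # Partner blocks go to the beginning of MYICMP so they are checked first.
    ipt -I MYICMP 1 -m mac --mac-source "$PARTNER_MAC" -p icmp --icmp-type echo-request -j DROP
    ipt -I MYICMP 1 -s "$PARTNER_IP" -p icmp --icmp-type echo-request -j DROP
}

# Usage:  ./firewall_restore.bash --apply     (as root, e.g. from an @reboot cron entry)
#         ./firewall_restore.bash --dry-run   (print the rules only)
case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) DRY_RUN=1 apply_rules ;;
esac
```

Because the script flushes the filter table, run it before libvirtd starts (or restart libvirtd afterwards) so the virtual-network rules libvirtd adds are not wiped; after applying, check '''iptables -L -v''' and confirm the packet counters on MYSSH and MYICMP move when the VMs ping and ssh each other.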
Upon completion of this lab, each of your VMs has a firewall protecting it from unexpected traffic. You should now have a basic understanding of the commands necessary to modify firewalls using iptables. You will be building on these rules for the rest of the course. Record the URLs of the websites you've used to figure out how to do the work.