From CDOT Wiki
Jump to: navigation, search

OPS335 Lab 2

4 bytes removed, 22:00, 24 May 2018
Updating instructions to use vmware host machine instead of a partner
# Make a backup of the original default rules: <source>cp /etc/sysconfig/iptables /etc/sysconfig/iptables.original</source>
# '''Stop libvirtd''' and '''restart iptables''' so that you have only the minimal default rules.
# Use the ifconfig or ip address command to determine the IP ADDRESS of your external facing address (i.e. IP address beginning with '''10.x.x.x''' or '''192.168.48.x''' if you are using an SSD).# Find Open a partner to terminal on the Windows machine and '''ping''' your external facing IP address. Was your partner it successful? (it should have worked)
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains (if any) that are '''rejecting''' all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Make a new chain named '''MYICMP'''.
# Insert a rule to the '''beginning of the INPUT chain''' to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's ''their''' '''external internal facing interface''' (should be an internal address beginning with '''10192.x168.x48.x''') .
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with MAC address of your partner's Windows machine.# Insert a rule to the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating with IP address of your partner's Windows machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Have your partner attempt Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />They You should not be able to connectfrom your windows machine, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains.<br><br>'''NOTE:''' Your system logs (such as: '''/var/log/messages''' or in the case (using a customized chains) the command: '''journalctl --dmesg | grep MYSSH''' should also show their your failed attempts to '''ssh''' to you with your '''customized''' message.
# When you are confident the rules are working, save them by running <source>iptables-save > /etc/sysconfig/iptables</source><br />Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.

Navigation menu