Introduction to Firewalls using IPTables


The goal of this lab is to implement a firewall solution using IPTables and to write and customize new rules to achieve security. You will need to turn in your IPTables rule file for this assignment.

Before You Begin

1. Deactivate Windows Firewall.
2. Revert the applied security template in Windows XP to setup security or compatws.
3. Make sure the following services are running on your Windows XP machine:
   a. File Sharing
   b. FTP via IIS
   c. Telnet via IIS
   d. HTTP via IIS
   e. All of the components under Networking Services
4. Make sure the following services are running on your Linux machine:
   a. SSH
   b. nessusd (listening on port 1241)

Installation of IPTables

Download and install iptables-1.3.3 from http://www.netfilter.org/downloads.html#iptables-1.3.3

Documentation of IPTables: http://www.netfilter.org/documentation/

Configuring the Network Topology

In order for the network to function properly, the Linux box will serve as a router for your Windows XP machine. There are three requirements:

1. The Linux machine requires 2 Ethernet network interfaces (provided by the Systems Group).
2. The Linux machine requires a crossover CAT5 cable (you will make these yourselves).
   a. A crossover cable swaps pins 1 and 2 with pins 3 and 6 (the transmit and receive pairs) and vice versa, so one end is wired T568B and the other T568A. The standard crossover color configuration is as follows:
      i. OS O GS BL BLS G BRS BR -> GS G OS BL BLS O BRS BR (O = orange, G = green, BL = blue, BR = brown, S = striped).
      ii. Notice that the orange and orange-striped pins change places with the green and green-striped pins.
3. You will need to configure NAT so that network traffic to the Windows machine routes properly through the Linux machine (this MUST BE performed after IPTables is installed).
   a. Assign eth0 on the Linux machine the IP address of your Windows machine.
   b. Create a sub-interface on eth0 on the Linux machine and assign it the former IP address of eth0.
   c. Assign your Windows machine an IP address from any of the private address ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
   d. Assign eth1 on your Linux machine a private IP address in the same subnet as the Windows machine's IP address.
   e. Make the IP address of eth1 the default gateway on your Windows machine.
   f. Run the following commands from the command prompt and add them to your S99local file for rc3 and rc5 so that forwarding is re-enabled after a reboot:
      i. touch /var/lock/subsys/local
      ii. echo 1 > /proc/sys/net/ipv4/ip_forward
   g. Activate NAT routing (where x is the fourth octet of the Linux box IP address on eth0; every dash below is significant):
      i. iptables -t nat -A POSTROUTING -o eth0 -s YOUR_WINDOWS_BOX_IP/32 -j SNAT --to-source 192.168.10.x
      ii. iptables -t nat -A PREROUTING -i eth0 -d 192.168.10.x/32 -j DNAT --to-destination YOUR_WINDOWS_BOX_IP
      The DNAT rule rewrites the destination address before the filter table's FORWARD chain sees the packet, so rules protecting the Windows machine must match its private address in FORWARD, not the 192.168.10.x address in INPUT.

Further Reference

http://www.netfilter.org/documentation/index.html#documentation-howto
http://www.faqs.org/docs/iptables/howaruleisbuilt.html
http://www.google.com (google is your friend)

Firewall rules location: /etc/sysconfig/iptables

1. Examine this file and understand its layout (on Red Hat-style systems it is in iptables-save format and is loaded by iptables-restore at boot).
2. Make a copy of the rules file and rename it (in case an insurmountable problem occurs, you can restore your firewall to a usable state).

General Information on IPTables

The rules in IPTables are written to deal with 3 different scenarios, each handled by its own chain of the filter table:
1. Packets entering your machine that are destined for your machine (INPUT).
2. Packets leaving your machine that originated on it (OUTPUT).
3. Packets entering your machine that are destined for another machine and will pass through your machine (FORWARD).

Once the traffic type has been specified, three actions may be taken:
1. ACCEPT lets the packet through the firewall.
2. DROP silently discards the packet and sends no response; the sender sees only a timeout.
3. REJECT discards the packet but tells the sender it was refused, by default with an ICMP port-unreachable message (or a TCP RST when --reject-with tcp-reset is given), so the sender fails immediately instead of waiting.
Common IPTables flags (you may edit the rules file directly or add rules from the command prompt; rules added at the prompt are lost at reboot unless written back to the file):
-s source address
-d destination address
-p protocol (tcp, udp, icmp)
-i input interface
-o output interface
-j jump to a target (what happens to the packet: ACCEPT, DROP or REJECT)
-A append the rule to the end of the chain. A chain is evaluated top to bottom and the first matching rule decides, so a matching rule earlier in the chain fires instead of an appended one.
-I insert the rule at a given position (default 1, the top), so to make a rule fire before another, insert it with a number lower than that rule's position.
-P set the default policy of a chain, applied when no rule matches.

Rule Example 1:
iptables -A INPUT -s 192.168.10.35 -j REJECT
This rule rejects any incoming packet from IP address 192.168.10.35. Because of the REJECT target, the host answers with an error (ICMP port-unreachable by default) telling the sender that its packets are refused. Because -A appends this rule to the end of the chain, any earlier rule matching the same traffic, such as
iptables -A INPUT -s 192.168.10.35 -j DROP
fires first. To force a rule to fire first, insert it at position 1:
iptables -I INPUT 1 -s 192.168.10.35 -j DROP
This places the rule ahead of the previous matching rule; position 1 is evaluated first. Check the resulting order with iptables -L INPUT -n --line-numbers.

Rule Example 2:
iptables -A INPUT -s 192.168.10.35 -p tcp --destination-port telnet -j DROP
This is a more advanced rule, which drops all incoming TCP packets from 192.168.10.35 addressed to destination port 23 (telnet). Port matches such as --destination-port (or --dport) require -p tcp or -p udp; the service name telnet is resolved through /etc/services.

Rule Example 3:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
Here is an example of three simple, yet dangerous, rules. Placed at the top of their chains, they drop all packets, allowing no network traffic whatsoever (including the SSH session you are typing in). Placed at the bottom, they only drop packets that no earlier rule accepted, which is the usual default-deny design; the same effect is obtained with the chain policy, for example iptables -P INPUT DROP.

Rule Example 4:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
These two rules allow ICMP echo traffic (PING) from this host to others: the request leaves through OUTPUT and the reply returns through INPUT. They do not allow other hosts to ping this one; that requires echo-request in INPUT and echo-reply in OUTPUT.

Creating General Rules

Create the following firewall rules:
1. Allow SSH traffic to your Linux machine from 192.168.10.63.
2. Allow remote desktop traffic to your Windows XP machine from 192.168.10.63.
3. Allow ICMP echo traffic to your Linux machine from 192.168.10.63.

4. Drop ICMP echo traffic to your Windows machine from 192.168.10.63.
5. Allow file sharing traffic to your Windows machine from 192.168.10.63.
6. Allow your Windows box to communicate web traffic only to and from 192.168.10.63.
7. Allow both machines to accept DNS packets only from 128.186.120.179.

Creating Team-Specific Rules

Team 1
1. Drop all incoming SSH traffic to your machine from team 4.
2. Allow ICMP echo traffic from team 3.
3. REJECT all incoming Telnet traffic.
4. Allow all outgoing Telnet traffic.

Team 2
1. REJECT all incoming FTP traffic.
2. REJECT ICMP traffic coming from team 2 (yourself).
3. Drop anything coming from port 79 from 192.168.10.63.
4. Allow all incoming traffic from port 5190.

Team 3
1. REJECT incoming ICMP traffic from team 4.
2. Allow incoming traffic to port 3306.
3. Drop outgoing traffic on port 194.
4. Allow incoming traffic on port 79 from 192.168.10.63.

Team 4
1. Allow SSH traffic from team 1.
2. REJECT any and all traffic from team 3.
3. Drop Telnet traffic from team 2.
4. REJECT incoming Telnet from 192.168.10.63.

Team 5
1. Allow all outgoing SSH traffic.
2. REJECT ICMP echo traffic from team 2.
3. Allow incoming Telnet from 192.168.10.63.
4. Drop any incoming and outgoing traffic to port 69.

Team 6
1. Allow incoming port scan traffic on port 1241 from 192.168.10.63.
2. Drop incoming port scan traffic on port 1241 from anywhere else.
3. REJECT incoming SSH traffic from team 2.
4. Allow incoming Telnet from team 1.

Team 7
1. Drop all incoming Telnet traffic originating from team 5.
2. REJECT all incoming Telnet traffic originating from team 6.

3. Allow SSH traffic coming from team 1.
4. Make a policy to allow all forward traffic (hint: -P).

After creating the general rules and your team-specific rules, perform some research and create 3-5 additional rules that might be necessary if you had other services or applications running. For example, your systems might be running applications for online gaming, P2P, streaming Internet video, etc. After adding these rules to your iptables rule file, explain their purpose.

FOR ALL TEAMS

Write the set of firewall rules for each of the routers, in order to implement the specified policies.

Visibility Rules:
- The machine named Net monitor should be visible to no machine, except to a single administrative machine in the general Intranet, on TCP port 8080.
- The machine labeled www server is the server for the outside world. It should be visible to Internet users and to the www proxy server only on TCP ports 80/443, and to the administrative machine on TCP port 8080. No other access is allowed.
- The general servers (www proxy server, mail server, and print server) are visible on their respective TCP ports (80, 25, 8000) to machines in the general Intranet only. All of them are administered via TCP port 8080 from the admin machine.
- The private database servers are accessible on TCP port 8000 to machines in the general Intranet and on TCP port 8080 for administration by the admin machine.
- Internet hosts are visible from the DMZ, but not from the general Intranet or the LANs, except that external web servers (TCP port 80) are visible to the www proxy server and external mail servers (TCP port 25) are visible to the mail server.
- Traffic coming from the Internet to the DMZ is only filtered if it carries source addresses that are valid in the internal networks (anti-spoofing).
- The www server has IP address 123.123.123.1.
- The Net monitor has IP address 123.123.123.2.
- The general Intranet is the private network 192.168.0.0/16.
- The private LAN is the private network 10.1.1.0/24.
- The general servers LAN is the private network 10.10.0.0/16.
- The internal router has IP address 123.123.123.3 in the DMZ, which it uses for address translation, representing both the www proxy server and the mail server when their requests go out to the Internet.
- The internal router has IP address 192.168.0.1 in the internal network for administration by the admin machine (TCP port 8080). It has no addresses in the server LANs.
- The external router should only enforce that source addresses of incoming packets are not valid internally, and that outgoing packets carry only source addresses assigned to our network (ingress and egress anti-spoofing filters).
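As an added worked example for this lab (not part of the handout and not the lab's reference rule file), the Python below models how the filter table evaluates a packet: each chain is an ordered rule list with a default policy, the first matching rule decides, and a packet addressed to the Windows machine reaches FORWARD with its destination already rewritten by the DNAT rule from the topology section. It encodes the seven general rules, renders them as the iptables commands that would go in the rule file, and reproduces the -A versus -I ordering effect from Rule Example 1. The Linux address 192.168.10.100 and the Windows private address 10.0.0.2 are assumptions standing in for your own; 192.168.10.63 and 128.186.120.179 are the lab's. The ESTABLISHED,RELATED rule at the top of every chain is a practitioner addition so that replies to allowed connections get back, and file sharing is taken to mean NetBIOS session (TCP 139) and SMB (TCP 445).

```python
# Added worked example, not from the lab handout: a toy model of filter-table evaluation
# encoding the lab's seven general rules and the -A versus -I effect of Rule Example 1.
from dataclasses import dataclass
from typing import Dict, Optional

ADMIN_IP = "192.168.10.63"      # from the lab handout
DNS_IP = "128.186.120.179"      # from the lab handout
LINUX_IP = "192.168.10.100"     # assumption: Linux eth0 address
WINDOWS_IP = "10.0.0.2"         # assumption: private address of the XP box behind eth1


@dataclass
class Rule:
    chain: str
    target: str                      # -j ACCEPT | DROP | REJECT
    src: Optional[str] = None        # -s
    dst: Optional[str] = None        # -d
    proto: Optional[str] = None      # -p tcp | udp | icmp
    dport: Optional[int] = None      # --dport (needs -p tcp or -p udp)
    icmp_type: Optional[str] = None  # --icmp-type
    state: Optional[str] = None      # -m state --state NEW,ESTABLISHED,...

    def matches(self, pkt: Dict) -> bool:
        """Every match given on the rule must hold; omitted ones match anything."""
        wanted = [(self.src, "src"), (self.dst, "dst"), (self.proto, "proto"),
                  (self.dport, "dport"), (self.icmp_type, "icmp_type")]
        if any(want is not None and want != pkt.get(key) for want, key in wanted):
            return False
        return self.state is None or pkt.get("state") in self.state.split(",")

    def command(self, how: str = "-A", pos: Optional[int] = None) -> str:
        """Render the iptables command that adds this rule (one line of the rule file)."""
        parts = ["iptables", how, self.chain] + ([str(pos)] if pos else [])
        for flag, val in (("-s", self.src), ("-d", self.dst), ("-p", self.proto),
                          ("--dport", self.dport), ("--icmp-type", self.icmp_type)):
            parts += [flag, str(val)] if val is not None else []
        parts += ["-m", "state", "--state", self.state] if self.state else []
        return " ".join(parts + ["-j", self.target])


class Chain:
    def __init__(self, name: str, policy: str = "DROP"):
        self.name, self.policy, self.rules = name, policy, []   # policy: iptables -P CHAIN ...

    def append(self, rule: Rule): self.rules.append(rule)                      # -A CHAIN ...
    def insert(self, rule: Rule, pos: int = 1): self.rules.insert(pos - 1, rule)  # -I CHAIN [pos] ...

    def verdict(self, pkt: Dict) -> str:
        for rule in self.rules:          # first match wins; later rules are shadowed
            if rule.matches(pkt):
                return rule.target
        return self.policy               # nothing matched: the chain policy decides

def chain_for(pkt: Dict) -> str:
    """Traffic for the XP box was DNAT'd in PREROUTING, so the filter table already
    sees dst == WINDOWS_IP and the packet goes through FORWARD, not INPUT."""
    if pkt["dst"] == LINUX_IP:
        return "INPUT"
    return "OUTPUT" if pkt["src"] == LINUX_IP else "FORWARD"

def lab_general_rules() -> Dict[str, Chain]:
    """The lab's seven general rules on top of a default-DROP policy for every chain."""
    fw = {n: Chain(n) for n in ("INPUT", "OUTPUT", "FORWARD")}
    for ch in fw.values():  # let replies to allowed connections back in (added, not one of the seven)
        ch.append(Rule(ch.name, "ACCEPT", state="ESTABLISHED,RELATED"))

    def add(chain, target, **match):
        fw[chain].append(Rule(chain, target, **match))
    add("INPUT", "ACCEPT", src=ADMIN_IP, dst=LINUX_IP, proto="tcp", dport=22)                    # 1 SSH
    add("FORWARD", "ACCEPT", src=ADMIN_IP, dst=WINDOWS_IP, proto="tcp", dport=3389)              # 2 RDP
    add("INPUT", "ACCEPT", src=ADMIN_IP, dst=LINUX_IP, proto="icmp", icmp_type="echo-request")   # 3 ping Linux
    add("FORWARD", "DROP", src=ADMIN_IP, dst=WINDOWS_IP, proto="icmp", icmp_type="echo-request") # 4 no ping to XP
    for port in (139, 445):                                                                       # 5 NetBIOS / SMB
        add("FORWARD", "ACCEPT", src=ADMIN_IP, dst=WINDOWS_IP, proto="tcp", dport=port)
    add("FORWARD", "ACCEPT", src=ADMIN_IP, dst=WINDOWS_IP, proto="tcp", dport=80)                # 6 web, both ways,
    add("FORWARD", "ACCEPT", src=WINDOWS_IP, dst=ADMIN_IP, proto="tcp", dport=80)                #   admin host only
    add("OUTPUT", "ACCEPT", src=LINUX_IP, dst=DNS_IP, proto="udp", dport=53)                     # 7 DNS queries only
    add("FORWARD", "ACCEPT", src=WINDOWS_IP, dst=DNS_IP, proto="udp", dport=53)                  #   to this server
    return fw

def decide(fw: Dict[str, Chain], pkt: Dict) -> str:
    return fw[chain_for(pkt)].verdict(pkt)

def ordering_demo():
    """Rule Example 1: an appended DROP never fires because the REJECT ahead of it
    already matched; -I INPUT 1 puts the DROP in front, so the verdict changes."""
    ch = Chain("INPUT", policy="ACCEPT")
    pkt = {"src": "192.168.10.35", "dst": LINUX_IP, "proto": "tcp", "dport": 23, "state": "NEW"}
    ch.append(Rule("INPUT", "REJECT", src="192.168.10.35"))
    ch.append(Rule("INPUT", "DROP", src="192.168.10.35"))
    appended = ch.verdict(pkt)
    ch.insert(Rule("INPUT", "DROP", src="192.168.10.35"), pos=1)
    return appended, ch.verdict(pkt)   # ("REJECT", "DROP")

if __name__ == "__main__":
    for ch in lab_general_rules().values():   # print the rule set as iptables commands
        print(f"iptables -P {ch.name} {ch.policy}")
        print("\n".join(r.command() for r in ch.rules))
    print(ordering_demo())
```

Running the file prints one iptables command per rule, preceded by the policy for each chain, which is the shape of the deliverable. The model only mirrors iptables for the matches it knows about (exact addresses, no CIDR masks, no port ranges, no interface matches), so after loading the real rules confirm the chain order with iptables -L -n --line-numbers and test each of the seven requirements from 192.168.10.63 and from another host.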