Introduction to Firewalls using IPTables

The goal of this lab is to implement a firewall solution using IPTables, and to write and customize new rules to achieve security. You will need to turn in your IPTables rule file for this assignment.

Before You Begin

1. Deactivate Windows Firewall.
2. Revert the applied security template in Windows XP to "setup security" or "compatws".
3. Make sure the following services are running on your Windows XP machine:
   a. File Sharing
   b. FTP via IIS
   c. Telnet via IIS
   d. HTTP via IIS
   e. All of the components under Networking Services
4. Make sure the following services are running on your Linux machine:
   a. SSH
   b. nessusd (running on port 1241)

Installation of IPTables

Download and install iptables-1.3.3 from http://www.netfilter.org/downloads.html#iptables-1.3.3

Documentation of IPTables: http://www.netfilter.org/documentation/

Configuring the Network Topology

In order for the network to function properly, the Linux box will serve as a router for your Windows XP machine. There are three requirements:

1. The Linux machine will require 2 ethernet network interfaces (provided by the Systems Group).
2. The Linux machine will require a crossover CAT5 cable (you will make these yourselves).
   a. A crossover cable crosses over pins 1 and 2 to 3 and 6 and vice versa. The standard crossover color configuration is as follows:
      i. OS O GS BL BLS G BRS BR -> GS G OS BL BLS O BRS BR
      ii. Notice that the orange and orange-striped pins change to the green and green-striped pins.
3. You will need to configure NAT so that network traffic to the Windows machine routes properly through the Linux machine (this MUST BE performed after IPTables is installed).
   a. Assign eth0 on the Linux machine the IP address of your Windows machine.
   b. Create a sub-interface on eth0 on the Linux machine and assign it the former IP address of eth0.
   c. Assign your Windows machine an IP address from any of the private address ranges.
   d. Assign eth1 on your Linux machine a private IP address that resides in the same subnet as the Windows machine's IP address.
   e. Make the IP address of eth1 the default gateway on your Windows machine.
   f. Run the following commands from the command prompt and add the following lines to your S99local file for rc3 and rc5:
      i.  touch /var/lock/subsys/local
      ii. echo 1 > /proc/sys/net/ipv4/ip_forward
   g. Activate NAT routing (where x is the fourth octet of the Linux box's IP address on eth0):
      i.  iptables -t nat -A POSTROUTING -o eth0 -s <YOUR WINDOWS BOX IP>/32 -j SNAT --to-source 192.168.10.x
      ii. iptables -t nat -A PREROUTING -i eth0 -d 192.168.10.x/32 -j DNAT --to-destination <YOUR WINDOWS BOX IP>

Further Reference

http://www.netfilter.org/documentation/index.html#documentation-howto
http://www.faqs.org/docs/iptables/howaruleisbuilt.html
http://www.google.com (google is your friend)

Firewall rules location: /etc/sysconfig/iptables
1. Examine this file and understand its layout.
2. Make a copy of the rules file and rename it (in case an insurmountable problem occurs, you can restore your firewall to a usable state).

General Information on IPTables

The rules in IPTables are written to deal with 3 different scenarios:
1. Packets entering your machine that are destined for your machine (INPUT).
2. Packets leaving your machine (OUTPUT).
3. Packets entering your machine that are destined for another machine and will pass through your machine (FORWARD).
In IPTables, these scenarios are referred to as the INPUT, OUTPUT, and FORWARD chains, respectively. Once the traffic type has been specified, three actions may be taken:
1. ACCEPT allows packets to pass through the firewall.
2. DROP ignores the packet and sends no response to the request.
3. REJECT ignores the packet, but responds to the request with a packet-denied message.
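The following script is an added example and not part of the handout. It prints the NAT rules from step 3g, plus a filter section, in the iptables-save layout that /etc/sysconfig/iptables uses (the layout step 1 under "Firewall rules location" asks you to study), so the file can be reviewed before it is loaded with iptables-restore. It assumes, as the handout does not say explicitly, that eth0 faces the 192.168.10.0/24 lab network and eth1 faces the Windows box; the two rules for 192.168.10.63 anticipate general rules 1 and 2 later on this page and show that traffic DNAT'd to the Windows box is seen by the FORWARD chain, not INPUT. The address check and the rules file generator are both mine.

```shell
#!/bin/sh
# Added example, not part of the handout: print the lab's NAT and filter rules
# in the iptables-save layout used by /etc/sysconfig/iptables.
# Assumptions not stated on the page: eth0 faces the lab network, eth1 faces
# the Windows box, and 192.168.10.63 is the host named in general rules 1 and 2.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lab_rules_file <windows private ip> <lab ip on eth0>
# Print the rules file to stdout; fail if either address is malformed.
lab_rules_file() {
    win_ip=$1
    lab_ip=$2
    is_ipv4 "$win_ip" && is_ipv4 "$lab_ip" || return 1
    cat <<EOF
# Generated lab rules; load with: iptables-restore < /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Step 3g ii: traffic arriving on eth0 for the lab address goes to the Windows box.
-A PREROUTING -i eth0 -d ${lab_ip}/32 -j DNAT --to-destination ${win_ip}
# Step 3g i: traffic leaving eth0 from the Windows box is rewritten to the lab address.
-A POSTROUTING -o eth0 -s ${win_ip}/32 -j SNAT --to-source ${lab_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# General rule 1: SSH to the Linux box itself is local delivery, so INPUT.
-A INPUT -s 192.168.10.63 -p tcp --dport 22 -j ACCEPT
# General rule 2: remote desktop to the Windows box is DNAT'd traffic, so it
# traverses FORWARD (not INPUT); match on the post-DNAT destination.
-A FORWARD -i eth0 -o eth1 -s 192.168.10.63 -d ${win_ip} -p tcp --dport 3389 -j ACCEPT
COMMIT
EOF
}

# Usage: sh lab_rules.sh <windows private ip> <lab ip on eth0> > /etc/sysconfig/iptables
#        echo 1 > /proc/sys/net/ipv4/ip_forward && iptables-restore < /etc/sysconfig/iptables
if [ $# -eq 2 ]; then
    lab_rules_file "$1" "$2" || { echo "usage: $0 <windows ip> <lab ip>" >&2; exit 2; }
fi
```

Review the generated file before loading it: iptables-restore replaces the whole rule set atomically, so a typo in the file takes effect all at once, which is why the handout tells you to keep a renamed copy of the working file.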
Common IPTables flags

REALIZE THAT YOU MAY EDIT THE FILE DIRECTLY OR ADD RULES FROM THE COMMAND PROMPT.

-s  source
-d  destination
-p  protocol (tcp, udp, icmp)
-i  input interface
-o  output interface
-j  jump (what happens to the packet)
-A  append the rule to the end of the chain; if a rule before it matches, that earlier rule fires instead
-I  insert the rule at a given position, so if we want this rule to fire before another rule we use a number lower than that rule's position

Rule Example 1:

   iptables -A INPUT -s 192.168.10.35 -j REJECT

This rule would reject any incoming packet from IP address 192.168.10.35. The host would respond with a message indicating that it was not accepting packets, due to the REJECT action. Because -A appends this rule to the end of the rule list, any other rule before it dealing with this situation, such as

   iptables -A INPUT -s 192.168.10.35 -j DROP

would fire first. To force the rule to fire first, use

   iptables -I INPUT 1 -s 192.168.10.35 -j DROP

This inserts the rule before our previous matching rule, at position 1 (which will fire first).

Rule Example 2:

   iptables -A INPUT -s 192.168.10.35 -p tcp --destination-port telnet -j DROP

This is a more advanced rule, which drops all incoming TCP packets coming from 192.168.10.35 to port 23 (telnet).

Rule Example 3:

   iptables -A INPUT -j DROP
   iptables -A OUTPUT -j DROP
   iptables -A FORWARD -j DROP

Here is an example of three simple, yet dangerous, rules. If placed at the top of the rule chain, they will drop all packets, allowing no network traffic whatsoever. Yet if placed at the bottom, they will only drop packets for which no earlier rule allows that traffic through.

Rule Example 4:

   iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
   iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

These two rules allow ICMP echo traffic (PING) to pass through.

Creating General Rules

Create the following firewall rules:
1. Allow SSH traffic to your Linux machine from 192.168.10.63.
2. Allow remote desktop traffic to your Windows XP machine from 192.168.10.63.
3. Allow ICMP echo traffic to your Linux machine from 192.168.10.63.
4. Drop ICMP echo traffic to your Windows machine from 192.168.10.63.
5. Allow file sharing traffic to your Windows machine from 192.168.10.63.
6. Allow your Windows box to communicate only web traffic to and from 192.168.10.63.
7. Allow both machines to accept DNS packets only from 128.186.120.179.

Creating Team-Specific Rules

Team 1
1. Drop all incoming SSH traffic to your machine from team 4
2. Allow ICMP echo traffic from team 3
3. REJECT all incoming Telnet traffic
4. Allow all outgoing Telnet traffic

Team 2
1. REJECT all incoming FTP traffic
2. REJECT ICMP traffic coming from team 2 (yourself)
3. Drop anything coming from port 79 from 192.168.10.63
4. Allow all incoming traffic from port 5190

Team 3
1. REJECT incoming ICMP traffic from team 4
2. Allow incoming traffic to port 3306
3. Drop outgoing traffic on port 194
4. Allow incoming traffic on port 79 from 192.168.10.63

Team 4
1. Allow SSH traffic from team 1
2. REJECT any and all traffic from team 3
3. Drop Telnet traffic from team 2
4. REJECT incoming telnet from 192.168.10.63

Team 5
1. Allow all outgoing SSH traffic
2. REJECT ICMP echo traffic from team 2
3. Allow incoming telnet from 192.168.10.63
4. Drop any incoming and outgoing traffic to port 69

Team 6
1. Allow incoming port scan traffic on port 1241 from 192.168.10.63
2. Drop incoming port scan traffic on port 1241
3. REJECT incoming SSH traffic from team 2
4. Allow incoming telnet from team 1

Team 7
1. Drop all incoming telnet traffic originating from team 5
2. REJECT all incoming telnet traffic originating from team 6
3. Allow SSH traffic coming from team 1
4. Make a policy to allow all forward traffic (Hint: -P)

After creating the general rules and your team-specific rules, perform some research and create 3-5 additional rules that might be necessary if you had other services or applications running. For example, your systems might be running applications for online gaming, P2P, streaming Internet video, etc. After adding these rules to your iptables rule file, explain their purpose.

FOR ALL TEAMS: Write the set of firewall rules for each of the routers, in order to implement the specified policies:

[Network diagram not reproduced in this extract; machine label recovered from it: Admin]
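Before writing the team rules it helps to see, on a rule set you can inspect, why Rule Examples 1 to 3 above behave as described: the chain is walked top to bottom, the first matching rule's target is the verdict, -A puts a rule last, -I puts it at a chosen position, and -P sets what happens when nothing matches. The script below is an added example and not part of the handout or of iptables itself: a small first-match simulator for one chain. It generalizes beyond the examples in the text (any mix of -s, -p, --dport and -j matches) but understands nothing else; the packets it evaluates are constructed for the demonstration. The `ipt` and `verdict` functions are mine.

```shell
#!/bin/sh
# Added example, not part of the handout: a first-match simulator for a single
# iptables chain. Understands -P, -A and -I on the command side and the matches
# -s, -p, --dport/--destination-port and -j on the rule side. Packets are
# constructed for the demonstration; nothing here touches the real firewall.

CHAIN=""           # the rules, one per line, in evaluation order
POLICY=ACCEPT      # verdict when no rule matches (what -P sets)
NL='
'

rule_count() {
    printf '%s\n' "$CHAIN" | awk 'NF { n++ } END { print n + 0 }'
}

# ipt -P <chain> <target>  |  ipt -A <chain> <rule...>  |  ipt -I <chain> <n> <rule...>
# The chain name is accepted so the calls read like iptables, but only one
# chain is simulated.
ipt() {
    mode=$1
    shift 2
    case $mode in
        -P) POLICY=$1 ;;
        -A) if [ -z "$CHAIN" ]; then CHAIN=$*; else CHAIN="$CHAIN$NL$*"; fi ;;
        -I) pos=$1
            shift
            if [ "$pos" -lt 1 ] || [ "$pos" -gt $(( $(rule_count) + 1 )) ]; then
                echo "ipt: index of insertion too big" >&2   # same complaint iptables makes
                return 1
            fi
            if [ -z "$CHAIN" ]; then
                CHAIN=$*
            else
                # Print the new rule just before line n; if n is one past the
                # end, print it after the last line.
                CHAIN=$(printf '%s\n' "$CHAIN" | awk -v n="$pos" -v r="$*" \
                    'NR == n { print r } { print } END { if (n > NR) print r }')
            fi ;;
        *)  echo "ipt: unsupported option $mode" >&2
            return 1 ;;
    esac
}

# verdict <src ip> <proto> <dport>
# Walk the chain top to bottom and print the target of the first rule whose
# every stated match fits the packet; print the policy if none does.
verdict() {
    pkt_src=$1; pkt_proto=$2; pkt_dport=$3
    while read -r rule; do
        [ -n "$rule" ] || continue
        r_src=""; r_proto=""; r_dport=""; r_target=""
        set -- $rule
        while [ $# -gt 0 ]; do
            case $1 in
                -s) r_src=$2; shift ;;
                -p) r_proto=$2; shift ;;
                --dport|--destination-port) r_dport=$2; shift ;;
                -j) r_target=$2; shift ;;
            esac
            shift
        done
        # A match that the rule does not state is a wildcard.
        if { [ -z "$r_src" ] || [ "$r_src" = "$pkt_src" ]; } &&
           { [ -z "$r_proto" ] || [ "$r_proto" = "$pkt_proto" ]; } &&
           { [ -z "$r_dport" ] || [ "$r_dport" = "$pkt_dport" ]; }; then
            echo "$r_target"
            return 0          # first match wins; later rules are never consulted
        fi
    done <<EOF
$CHAIN
EOF
    echo "$POLICY"
}

demo() {
    CHAIN=""
    ipt -P INPUT ACCEPT
    ipt -A INPUT -s 192.168.10.35 -j REJECT
    ipt -A INPUT -s 192.168.10.35 -j DROP          # shadowed by the REJECT above it
    echo "Example 1, two appends:       $(verdict 192.168.10.35 tcp 23)"
    ipt -I INPUT 1 -s 192.168.10.35 -j DROP        # now first in line
    echo "Example 1, after -I INPUT 1:  $(verdict 192.168.10.35 tcp 23)"
    CHAIN=""
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -j DROP                           # Example 3 rule at the bottom
    echo "Example 3, DROP at bottom:    $(verdict 10.0.0.9 tcp 22)"
    ipt -I INPUT 1 -j DROP                         # the same rule at the top
    echo "Example 3, DROP at top:       $(verdict 10.0.0.9 tcp 22)"
}
demo
```

The same walk is what `iptables -L INPUT -n --line-numbers` lets you check on the real chain: the line numbers are the positions that -I takes, and a rule that never fires because an earlier one shadows it will show zero packet counts in `iptables -L -v`.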
Visibility Rules:

- The machine named Net monitor should be visible to no machine, except to a single administrative machine in the general Intranet, on TCP port 8080.
- The machine labeled www server is the server for the outside world. It should be visible to Internet users and the www proxy server only on TCP ports 80/443, and to the administrative machine on TCP port 8080. No other access is allowed.
- The general servers (www proxy server, mail server, and print server) are visible on their respective TCP ports (80, 25, 8000) to machines in the general Intranet only. All of them are administered via TCP port 8080 from the admin machine.
- The private database servers are accessible on TCP port 8000 to machines in the general Intranet and on TCP port 8080 for administration by the admin machine.
- Internet hosts are visible from the DMZ, but not from the general Intranet or the LANs, except that external web servers (TCP port 80) are visible to the www proxy server and external mail servers (TCP port 25) are visible to the mail server.
- Traffic coming from the Internet to the DMZ is only filtered if it has addresses valid in the internal networks.
- The www server has IP address 123.123.123.1.
- The net monitor has IP address 123.123.123.2.
- The general Intranet is a class B private network, 192.168.0.0/16.
- The private LAN is a class C private network, 10.1.1.0/24.
- The general servers LAN is a class B private network, 10.10.0.0/16.
- The internal router has IP address 123.123.123.3 in the DMZ, which it uses for address translation, representing both the www proxy server and the mail server when their requests go out to the Internet.
- The internal router has IP address 192.168.0.1 in the internal network for administration by the admin machine (TCP port 8080). It has no addresses in the server LANs.
- The external router should only enforce that source addresses of incoming packets are not valid internally, and that source addresses of outgoing packets are only valid IP addresses assigned to our network.
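One way to turn the visibility rules above into router rule sets, written as an added example rather than as the handout's answer: a dry-run generator for the internal router (stateful FORWARD rules with a DROP policy, the SNAT for the proxy and mail server, and the router's own 8080 INPUT rule) and for the external router (the two address-validity checks and nothing else). Addresses marked "page" are the ones the handout gives; everything else is an assumption, labelled in the code and overridable from the environment: the interface names, the admin machine's address, the proxy, mail and print server addresses inside 10.10.0.0/16, the database servers living on 10.1.1.0/24, and 123.123.123.0/24 as "addresses assigned to our network". `IPT` defaults to `echo iptables` so the rules are printed for review; run with `IPT=iptables` on each router to apply them.

```shell
#!/bin/sh
# Added example, not part of the handout: dry-run generator for the visibility
# policy. Values marked "page" come from the handout; the rest are assumptions.
IPT=${IPT:-echo iptables}        # print by default; IPT=iptables applies the rules

WWW_SERVER=123.123.123.1         # page
NET_MONITOR=123.123.123.2        # page
INT_ROUTER_DMZ=123.123.123.3     # page: NAT address for the proxy and mail server
INTRANET=192.168.0.0/16          # page: general Intranet
PRIVATE_LAN=10.1.1.0/24          # page: private LAN
SERVER_LAN=10.10.0.0/16          # page: general servers LAN

ADMIN_IP=${ADMIN_IP:-192.168.0.10}          # assumed: the single admin machine
WWW_PROXY=${WWW_PROXY:-10.10.0.2}           # assumed
MAIL_SERVER=${MAIL_SERVER:-10.10.0.3}       # assumed
PRINT_SERVER=${PRINT_SERVER:-10.10.0.4}     # assumed
DB_SERVERS=${DB_SERVERS:-$PRIVATE_LAN}      # assumed: database servers are the private LAN
OUR_PUBLIC=${OUR_PUBLIC:-123.123.123.0/24}  # assumed: addresses assigned to our network
DMZ_IF=${DMZ_IF:-eth0}                      # assumed: internal router's DMZ interface
INET_IF=${INET_IF:-eth0}                    # assumed: external router's Internet interface

# allow_tcp <src> <dst> <ports>: permit new TCP connections in one direction.
# Replies come back through the ESTABLISHED,RELATED rule, so no reverse rule.
allow_tcp() {
    $IPT -A FORWARD -s "$1" -d "$2" -p tcp -m multiport --dports "$3" \
        -m state --state NEW -j ACCEPT
}

internal_router_rules() {
    $IPT -P FORWARD DROP                         # anything not listed below is dropped
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Net monitor: only the admin machine, only TCP 8080.
    allow_tcp "$ADMIN_IP" "$NET_MONITOR" 8080
    # www server: 80/443 from the proxy, 8080 from admin. Internet users reach
    # it through the external router, so they never traverse this chain.
    allow_tcp "$WWW_PROXY" "$WWW_SERVER" 80,443
    allow_tcp "$ADMIN_IP" "$WWW_SERVER" 8080
    # General servers: their service ports from the intranet, 8080 from admin.
    allow_tcp "$INTRANET" "$WWW_PROXY" 80
    allow_tcp "$INTRANET" "$MAIL_SERVER" 25
    allow_tcp "$INTRANET" "$PRINT_SERVER" 8000
    for srv in "$WWW_PROXY" "$MAIL_SERVER" "$PRINT_SERVER"; do
        allow_tcp "$ADMIN_IP" "$srv" 8080
    done
    # Private database servers: 8000 from the intranet, 8080 from admin.
    allow_tcp "$INTRANET" "$DB_SERVERS" 8000
    allow_tcp "$ADMIN_IP" "$DB_SERVERS" 8080
    # Only the proxy (80) and the mail server (25) may reach Internet hosts;
    # "! -d OUR_PUBLIC" keeps these rules from also opening DMZ machines.
    $IPT -A FORWARD -o "$DMZ_IF" ! -d "$OUR_PUBLIC" -s "$WWW_PROXY" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -o "$DMZ_IF" ! -d "$OUR_PUBLIC" -s "$MAIL_SERVER" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # Both leave the DMZ wearing the router's own address.
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$WWW_PROXY" -j SNAT --to-source "$INT_ROUTER_DMZ"
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$MAIL_SERVER" -j SNAT --to-source "$INT_ROUTER_DMZ"
    # Administering the router itself (192.168.0.1, page) is local delivery: INPUT.
    $IPT -A INPUT -s "$ADMIN_IP" -d 192.168.0.1 -p tcp --dport 8080 -j ACCEPT
}

external_router_rules() {
    # Inbound packets must not claim an internal source address ...
    for net in "$INTRANET" "$PRIVATE_LAN" "$SERVER_LAN"; do
        $IPT -A FORWARD -i "$INET_IF" -s "$net" -j DROP
    done
    # ... and outbound packets must carry one of our own addresses.
    $IPT -A FORWARD -o "$INET_IF" ! -s "$OUR_PUBLIC" -j DROP
}

internal_router_rules
external_router_rules
```

Two things to check when you apply this for real: the DROP policy on the internal router means any service you forgot is silently unreachable, so load the ESTABLISHED,RELATED rule first or existing sessions break; and the external router's outbound check drops the proxy's and mail server's traffic unless the SNAT on the internal router has already rewritten their source to 123.123.123.3, which is why the page ties those two together.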