This homework is assessed.
Aim: Use iptables to create simple firewall rules.
See the presentation with the syntax and examples of iptables.
There are 5 tasks. Most of the tasks require you to record a command/result and write an explanation in a text answers file. Use this template answers.txt file and just fill in the values. Submit that file (only as a text file, not RTF or DOC). The tasks assume you have created the following virtual network topology

That is, you ran the command:
bash vn-createtopology 7
Unless otherwise stated, the firewall is on node 3, i.e. the router connecting the two subnets together. Nodes 1 and 2 are 'inside' and nodes 4 and 5 are 'outside'. Try to write rules that are as general as possible. For example, although there are only two nodes outside, try to write rules such that the policy is achieved even if there were more than two nodes outside.
Flush all tables between tasks (that is, after completing task 1, make sure there are no rules before you start task 2).
Aim: understand the difference between INPUT, FORWARD and OUTPUT chains
To test each of the above rules, try to ping between the following pairs of nodes and observe whether it is successful or not: node1 to node4, node4 to node1, node1 to node3, node3 to node4, node1 to node2.
Record your rules, results (allowed or blocked) and an explanation of the difference between the three chains in the answers file.
Aim: filter based on ports and IP, observe retransmissions and timeouts
Add Rule4 to the firewall filter table to prevent node1 from SSHing to any outside nodes. When testing, observe how the TCP packets that initiate the connection are retransmitted: how many transmissions are attempted before SSH fails, and what the time between retransmissions is? Include your answers in the answer file.
Aim: filter based on ports, understand HTTP request/response format
Enable the web server on nodes 4 and 5 by running the command:
sudo service apache2 start
Use a text editor to change the index.html file to include your name in the heading (within the <h1> tags):
sudo nano /var/www/index.html
Use nc (in client mode) on node 1 to send an HTTP GET request to a web server. Note that nc creates a TCP connection to the specified server:
nc serverip serverport
Once the connection is created, you can type in the data that you want to send. Since HTTP is a text-based protocol, you can type in the exact HTTP request message, e.g.
GET /index.html HTTP/1.1
Host: serverip
Note you must include the actual server IP and finish with a blank line (press Enter two times). If the HTTP request is structured correctly, the server should process it and send back a 200 OK response. Check the response - make sure it is what you expect. Observe the HTTP messages sent between client and server by capturing the packets on the firewall using:
sudo tcpdump -i eth1 -n -q -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > http.txt
What does this command do?
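The request you type into nc above, as an added example (not part of the original lab) that sends the same bytes over a TCP socket and parses the reply. A throwaway local http.server stands in for node 4's Apache so it runs offline; the name in the heading is a constructed placeholder.

```python
"""Send the lab's HTTP/1.1 GET over a raw TCP connection and parse the response."""
import http.server
import os
import socket
import tempfile
import threading

CRLF = "\r\n"


def build_get_request(host: str, path: str = "/index.html") -> bytes:
    """Exactly what you type into nc: request line, Host header, then a blank line.
    The empty line (the second Enter) is what tells the server the request is complete."""
    return (f"GET {path} HTTP/1.1{CRLF}Host: {host}{CRLF}"
            f"Connection: close{CRLF}{CRLF}").encode()


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split(CRLF)
    _version, code, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def http_get(host: str, port: int, path: str = "/index.html") -> bytes:
    """Open a TCP connection like `nc host port`, send the request, read until the server closes."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_get_request(host, path))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def demo_local(name: str = "Your Name"):
    """Serve a constructed index.html from a temp dir on 127.0.0.1 and fetch it."""
    docroot = tempfile.mkdtemp()
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write(f"<html><body><h1>{name}</h1></body></html>\n")
    handler = lambda *a, **kw: http.server.SimpleHTTPRequestHandler(*a, directory=docroot, **kw)
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return parse_response(http_get("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
        server.server_close()
```

Run demo_local("Your Name") to see the 200 response; against the real node 4, call http_get with its IP and port 80.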
Add Rule5 to prevent internal nodes from accessing the web server on node4.
Copy-and-paste the contents of http.txt into your answer file.
Aim: change default policy
Tasks 1 to 3 used the default policy of ACCEPT. For task 5 we will use the default policy of DROP.
Change the default policy of the firewall filter table to DROP:
sudo iptables -P FORWARD DROP
Aim: use Stateful Packet Inspection
Enable Stateful Packet Inspection on the firewall with:
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Add Rule6 and Rule7 so that inside hosts can access outside websites and that outside hosts can SSH into node1. No other access should be allowed. Hint: you can use "-i" and "-o" to specify the input or output interfaces.
To view the SPI table you need to install the conntrack package on the firewall:
sudo apt-get install conntrack
Then you can view the SPI table with:
sudo conntrack -L
You should use this to view the SPI entries while testing the firewall.