In this lab, you will setup a firewall on your Linux router to limit
access to both your users and attackers. Your main tool will be
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late result in 25% penalty)
Before learning about
iptables, it is important to
understand the purpose of a
the difference is between a stateful
and stateless firewall, and
the protocol layers at which firewalls operate. You must research this if you have never worked with
firewalls before or don't feel comfortable with all of these concepts.
The native Linux firewalling software is part of the
netfilter project. The
bulk of this software is compiled as a part of the kernel, but
filter rules can be added and removed via the
command. Recent versions of the Linux kernel (2.4+) support
stateful packet inspection, allowing one to configure a stateful
firewall. Read the man page on the
and become familiar with the options. In addition, these articles on
iptables basics and
may help. There are many other tutorials available online as well.
One of the most basic functions of a firewall is the mitigation of spoofing attacks. Since routers and firewalls sit in a unique position on the network, they are ideal for limiting the types of spoofing possible. Specifically, one can configure a firewall to allow packets from a network segment only if those packets have a source address which falls within the designated network IP range. In addition, when receiving traffic from the internet, where almost any source IP is allowed, one can drop packets which contain source IPs belonging to segments within a trusted network.
Before beginning this lab, please complete these steps:
A set of shell scripts have been provided to get you started building a proper firewall. These scripts are installed on your system in the directory
/etc/iptables. Become familiar with these scripts. In particular, pay attention to the way
/etc/iptables/start.shdefines ethernet interfaces through the variables OUTSIDE_IF and TRUSTED_IF and how it kicks off all the other scripts. Also, review the structure of the
/etc/iptables/ipv4/filter.shscript, as this is the primary place you'll be making changes.
Make a backup copy of the
/etc/iptablesdirectory. Hint: see the tar command.
2. Configuring Iptables
Check the contents of the
Check that the TRUSTED and OUTSIDE_IP variables are correct based on the network settings you discovered during the introduction lab. See the script for details.
Open the script
/etc/iptables/ipv4/filter.sh and make
Change the FORWARD chain's default policy to DROP. Remove the FORWARD chain ACCEPT rule. Also, add a rule to the end of the FORWARD chain which sends all traffic to the
Add a rule at the top of the FORWARD chain which sends all packets coming from the TRUSTED network to the
trusted-outsidechain for further evaluation.
Add a rule as the second item in the FORWARD chain which sends all packets coming in from non-TRUSTED networks to the TRUSTED network to the
outside-trustedchain for further evaluation.
NOTE: The rules which jump to
outside-trusted must not allow obviously
traffic. In particular, an external attacker should not be able to
send packets in on the OUTSIDE_IF interface with a TRUSTED
address. Also, you should not allow your TRUSTED users to send
packets from something other than a TRUSTED IP address.
Add rules to the
outside-trusted chain such that the
following kinds of traffic are allowed:
All ICMP traffic.
TCP packets with the SYN flag set, which are headed to destination ports: 21, 22, 23, 25, 80, 135, 137, 138, 139, 443, 445, and 3389.
All packets which are members of ESTABLISHED connections. (Hint:
Next, add a rule at the end of that chain which sends all
traffic to the
3. Testing the Firewall
Carefully review your firewall rules to be sure you didn't
make any typos. Once you are reasonably confident you have it
right, run the
/etc/iptables/start.sh script to
install the rules. If you see the script spit out any error
messages, it is likely because of improper usage of the
iptables command, or due to syntax errors in the shell
script itself. Fix any of these before continuing, and re-run the
/etc/iptables/start.sh script each time to flush and
re-load all rules.
You should now test to make sure your Windows
server's can access the network.
Try pinging a system on the
10.0.0.0/24 network (besides your own machine) from
your Windows server. Since you allowed all ICMP earlier, this should route just
fine still. If not, then log messages at
/var/log/syslog may assist
you in finding out what is going wrong.
4. Stronger ICMP rules
Take a look at the
Smurf Amplifier Registry (SAR).
Set up rules in your
outside-trusted chain before your
ICMP allow-all rule to block all ICMP echo-reply packets from these
5. Automatic Startup
Once you are SURE you are satisfied with your firewall rules, add
/etc/iptables/start.sh script to your boot-up sequence,
calling it from /etc/rc.local
NOTE: The firewall rules you just setup are not complete, and this
should not be considered a "secure" firewall. This lab is merely
intended to help you learn how to use
sure to consider the INPUT chain and what traffic you actually
need to have allowed if you use this firewall as a basis for the
For this lab, your team must submit a report with the following information:
All of the files modified in
Why does the File Transfer Protocol (FTP) pose a problem for firewalls? If you had blocked all traffic on your firewall, what iptables commands would you use to allow outgoing FTP connections from your router?
The standard port for RDP on Windows is 3389/TCP. Suppose you change the port for RDP on your Windows server to 13889/TCP. How could you use
iptablesto allow any packets from the outside network destined for your Windows server at port 3389/TCP to be forwarded to your Windows server at port 13889/TCP instead? What
iptablescommands would use? Hint: see the NAT table in iptables.
Your grade for this lab will be composed of:
80% - The modified firewall files.
20% - The rest of the questions.