Northeastern University

CSG 254 - Network Security

Lab: Firewall

In this lab, you will set up a firewall on your Linux router to limit access for both your users and attackers. Your main tool will be iptables.

1. Introduction

Before learning about iptables, it is important to understand the purpose of a firewall, the difference between a stateful and a stateless firewall, and the protocol layers at which firewalls operate. You must research this if you have never worked with firewalls before or don't feel comfortable with all of these concepts.

The native Linux firewalling software is part of the netfilter project. The bulk of this software is compiled as a part of the kernel, but filter rules can be added and removed via the iptables command. Recent versions of the Linux kernel (2.4+) support stateful packet inspection, allowing one to configure a stateful firewall. Read the man page on the iptables command and become familiar with the options. In addition, these articles on iptables basics and iptables tutorial may help. There are many other tutorials available online as well.

One of the most basic functions of a firewall is the mitigation of spoofing attacks. Since routers and firewalls sit in a unique position on the network, they are ideal for limiting the types of spoofing possible. Specifically, one can configure a firewall to allow packets from a network segment only if those packets have a source address which falls within the designated network IP range. In addition, when receiving traffic from the internet, where almost any source IP is allowed, one can drop packets which contain source IPs belonging to segments within a trusted network.

Before beginning this lab, please complete these steps:

  1. A set of shell scripts has been provided to get you started building a proper firewall. These scripts are installed on your system in the directory /etc/iptables. Become familiar with these scripts. In particular, pay attention to the way /etc/iptables/start.sh defines Ethernet interfaces through the variables OUTSIDE_IF and TRUSTED_IF and how it kicks off all the other scripts. Also, review the structure of the /etc/iptables/ipv4/filter.sh script, as this is the primary place you'll be making changes.

  2. Make a backup copy of the /etc/iptables directory. Hint: see the tar command.

2. Configuring Iptables

Modify the /etc/iptables/ipv4/start.sh script:

  1. Set the correct TRUSTED and OUTSIDE_IP variables, based on your team's number. See the script for details.

Open the script /etc/iptables/ipv4/filter.sh and make these changes:

  1. Change the FORWARD chain's default policy to DROP. Also, add a rule to the end of the FORWARD chain which sends all traffic to the logdrop chain.

  2. Add a rule at the top of the FORWARD chain which sends all packets coming from the TRUSTED network to the trusted-outside chain for further evaluation.

  3. Add a rule as the second item in the FORWARD chain which sends all packets coming in from the Internet to the TRUSTED network to the outside-trusted chain for further evaluation.

NOTE: The rules which jump to trusted-outside and outside-trusted must not allow obviously spoofed traffic. In particular, an external attacker should not be able to send packets in on the OUTSIDE_IF interface with a TRUSTED address. Also, you should not allow your TRUSTED users to send packets from something other than a TRUSTED IP address.

Add rules to the outside-trusted chain such that the following kinds of traffic are allowed:

Next, add a rule at the end of that chain which sends all traffic to the logdrop chain.
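The following is an added example, not the lab's own /etc/iptables scripts, showing one way to lay out the FORWARD chain and the two evaluation chains as described in the steps above. It keeps the variable names the lab uses (OUTSIDE_IF, TRUSTED_IF, TRUSTED); the interface names, the 10.0.0.0/24 range and the Windows server address are constructed placeholders, and it defines a logdrop chain itself in case the provided scripts do not. The stateful ESTABLISHED,RELATED rules and the NEW-connection rule in trusted-outside are assumptions, since the lab text only names RDP and ICMP for outside-trusted. Because iptables needs root, the script prints the commands unless APPLY=1 is set, so you can review the rule order before loading it.

```shell
#!/bin/sh
# Added example (not the lab's scripts): filter.sh-style FORWARD layout.
# Interface names, network range and server address are constructed
# placeholders; take the real values from your start.sh.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"       # assumed: interface facing the Internet
TRUSTED_IF="${TRUSTED_IF:-eth1}"       # assumed: interface facing TRUSTED
TRUSTED="${TRUSTED:-10.0.0.0/24}"      # assumed TRUSTED network range
WIN_SERVER="${WIN_SERVER:-10.0.0.10}"  # assumed Windows (RDP) server address

# iptables requires root: print the commands instead of running them unless
# APPLY=1. start.sh is assumed to have flushed rules and deleted user chains
# before this runs, so the chains below are created fresh.
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

install_forward_rules() {
    $IPT -N logdrop
    $IPT -N trusted-outside
    $IPT -N outside-trusted

    # logdrop: rate-limited LOG (shows up in /var/log/kern.log), then DROP.
    $IPT -A logdrop -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A logdrop -j DROP

    # Nothing is forwarded unless a rule explicitly accepts it.
    $IPT -P FORWARD DROP

    # Rule 1: TRUSTED -> Internet. Matching on BOTH the inbound interface and
    # the source range means a TRUSTED host sending from a non-TRUSTED
    # address never reaches trusted-outside.
    $IPT -A FORWARD -i "$TRUSTED_IF" -s "$TRUSTED" -j trusted-outside

    # Rule 2: Internet -> TRUSTED. The "! -s" excludes packets arriving on
    # the outside interface that claim a TRUSTED source (spoofed).
    $IPT -A FORWARD -i "$OUTSIDE_IF" ! -s "$TRUSTED" -d "$TRUSTED" -j outside-trusted

    # Spoofed traffic matches neither jump and lands here: logged and dropped.
    $IPT -A FORWARD -j logdrop
}

install_chain_rules() {
    # trusted-outside: TRUSTED users may open connections outward (assumed).
    $IPT -A trusted-outside -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A trusted-outside -j logdrop

    # outside-trusted: replies to connections opened from inside (assumed,
    # stateful), RDP to the Windows server, all ICMP; everything else logdrop.
    $IPT -A outside-trusted -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A outside-trusted -p tcp -d "$WIN_SERVER" --dport 3389 -j ACCEPT
    $IPT -A outside-trusted -p icmp -j ACCEPT
    $IPT -A outside-trusted -j logdrop
}

install_forward_rules
install_chain_rules
```

Run it once without APPLY to read the generated rule list top to bottom; the order matters, because the first matching rule in a chain decides the packet's fate, and the final logdrop jump in each chain is what turns the default-DROP policy into something you can observe in kern.log.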

3. Testing the Firewall

Carefully review your firewall rules to be sure you didn't make any typos. Once you are reasonably confident you have it right, run the /etc/iptables/start.sh script to install the rules. If you see the script spit out any error messages, it is likely because of improper usage of the iptables command, or due to syntax errors in the shell script itself. Fix any of these before continuing, and re-run the /etc/iptables/start.sh script each time to flush and re-load all rules.

You should now test to make sure you can still access your Windows server's RDP port. This is port 3389/TCP, and simply logging in from the internet while the firewall is running should be sufficient. If this doesn't work for some reason, packets may be getting blocked. Log messages to this effect will show up in /var/log/kern.log. Also, try pinging a system on the 10.0.0.0/24 network (besides your Fedora system) from your Windows server. Since you allowed all ICMP earlier, this should still route just fine. If somehow you lock yourself out of your Linux system, contact the lab TA and it will be reset.

4. Stronger ICMP rules

Take a look at the Smurf Amplifier Registry (SAR). Set up rules in your outside-trusted chain before your ICMP allow-all rule to block all ICMP echo-reply packets from these networks.
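As an added example (not part of the lab handout), here is a small shell function that takes a list of amplifier networks and inserts an echo-reply block for each one at the top of the outside-trusted chain, so the blocks are evaluated before the ICMP allow-all rule and before any ESTABLISHED rule that might otherwise accept a reply to an echo request sent from inside. The networks shown are constructed placeholders (RFC 5737 documentation ranges), not the real SAR contents; the assumed chain names outside-trusted and logdrop follow the lab's naming.

```shell
#!/bin/sh
# Added example (not the lab's scripts): block ICMP echo-reply from known
# Smurf amplifier networks ahead of the ICMP allow-all rule.
# The list below is a constructed placeholder using RFC 5737 ranges;
# replace it with the networks you take from the SAR.
SAR_NETWORKS="${SAR_NETWORKS:-192.0.2.0/24
198.51.100.0/24
203.0.113.0/24}"

# iptables requires root: print commands unless APPLY=1 (assumes the
# outside-trusted and logdrop chains already exist).
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

block_smurf_amplifiers() {
    # One network per line; blank lines and '#' comments are skipped so a
    # downloaded list can be pasted in unchanged.
    echo "$SAR_NETWORKS" | while read -r net; do
        case "$net" in ''|\#*) continue ;; esac
        # "-I outside-trusted 1" inserts at rule position 1. Repeated
        # position-1 inserts end up in reverse list order, which is harmless
        # because each rule is an independent drop.
        $IPT -I outside-trusted 1 -p icmp --icmp-type echo-reply -s "$net" -j logdrop
    done
}

block_smurf_amplifiers
```

Only echo-reply is dropped, so echo requests and the other ICMP types from those ranges still fall through to the allow-all rule; the point is to refuse the amplified replies without losing ICMP error reporting.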

5. Automatic Startup

Once you are SURE you are satisfied with your firewall rules, add the /etc/iptables/start.sh script to your boot-up scripts in runlevels 2, 3, 4, and 5 through symlinks in /etc/rc?.d.
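An added example (not from the lab) of the symlink step: the function below creates an S-prefixed start link for /etc/iptables/start.sh in rc2.d through rc5.d under a directory you pass in, so it can be tried against a scratch directory before being run as root against /etc. The link name S99firewall is an assumption (the two-digit number only orders the script among the other start scripts in each runlevel).

```shell
#!/bin/sh
# Added example (not the lab's scripts): SysV-style boot links for the
# firewall script in runlevels 2-5. The rc root is a parameter so the
# function can be exercised on a scratch directory first.
FW_SCRIPT="${FW_SCRIPT:-/etc/iptables/start.sh}"

install_rc_links() {
    rcroot="$1"                 # e.g. /etc; its rc2.d .. rc5.d must exist
    name="${2:-S99firewall}"    # assumed link name; S = start, 99 = late
    for lvl in 2 3 4 5; do
        dir="$rcroot/rc$lvl.d"
        # Refuse to continue if a runlevel directory is missing rather than
        # silently leaving the firewall off in that runlevel.
        [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
        ln -sf "$FW_SCRIPT" "$dir/$name"
    done
}

# Usage (as root, once the rules are final): install_rc_links /etc
```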

NOTE: The firewall rules you just set up are not complete, and this should not be considered a "secure" firewall. This lab is merely intended to help you learn how to use iptables. Be sure to consider the INPUT chain and what traffic you actually need to have allowed if you use this firewall as a basis for the competition.

Report

For this lab, your team must submit a report with the following information:

  1. All of the files modified in /etc/iptables/.

  2. Why does the File Transfer Protocol (FTP) pose a problem for firewalls? If you had blocked all traffic on your firewall, what iptables commands would you use to allow outgoing FTP connections from your router?

  3. The standard port for RDP on Windows is 3389/TCP. Suppose you change the port for RDP on your Windows server to 13889/TCP. How could you use iptables to allow any packets from the outside network destined for your Windows server at port 3389/TCP to be forwarded to your Windows server at port 13889/TCP instead? What iptables commands would you use? Hint: see the NAT table in iptables.

Grading

Your grade for this lab will be composed of: