Hands-on Session

iptables firewall:

Basic command : iptables -t filter -L -n

dhcppc12:~# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Port Scanning using nmap (from LinuxTLE to scan Debian server)

$ nmap -sS -P0 192.168.1.117

[root@dhcppc13 ~]# nmap -sS -P0 192.168.1.117
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-12-04 14:23 ICT
Interesting ports on 192.168.1.117:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
3000/tcp open  ppp
3128/tcp open  squid-http
9999/tcp open  abyss
MAC Address: 00:0C:29:99:00:01 (VMware)

Nmap run completed -- 1 IP address (1 host up) scanned in 0.597 seconds

Basic command : setting default policy

dhcppc12:~# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@dhcppc13 ~]# iptables -P INPUT DROP

[root@dhcppc13 ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@dhcppc13 ~]# nmap -sS -P0 192.168.1.117

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2007-12-04 14:27 ICT
All 1660 scanned ports on 192.168.1.117 are: filtered
MAC Address: 00:0C:29:99:00:01 (VMware)

Nmap run completed -- 1 IP address (1 host up) scanned in 333.670 seconds

With the INPUT policy set to DROP and no rules in the chain, the server silently discards every SYN probe. nmap therefore cannot tell open ports from closed ones and reports all of them as filtered, and the scan takes 333 seconds instead of 0.6 because each probe has to time out instead of being answered with a SYN/ACK or RST.

Basic command : stateful firewall

# ping 192.168.1.254
....no answer back....

The INPUT policy is still DROP, so the echo replies to our own outgoing ping are discarded on the way back in. The rule below uses connection tracking to accept any packet that belongs to a connection the server itself started (ESTABLISHED) or that is associated with one (RELATED, for example an ICMP error about it or an FTP data connection), without opening any port to new incoming requests:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

dhcppc12:~# iptables -t filter -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
dhcppc12:~#

dhcppc12:~# iptables-save
# Generated by iptables-save v1.2.11 on Tue 04 14:37:17 2007
*filter
:INPUT DROP [10470:450261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2275:178656]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Basic command : clear all rules in chain

# iptables -F INPUT

# iptables -F OUTPUT

# iptables -F FORWARD

 

Basic command : changing default policy

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

Exercise: iptables #1

On the Debian server, implement the best stateful firewall in the world with the following features

[1] drop all incoming IP packets
[2] allow request to go out and reply to get in
[3] Type in the following command on NOTEPAD 20 times

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# nmap -sS -P0 192.168.1.117

 

Basic command : allow incoming request (TCP)

E.g. SSH (TCP/22), IMAP (TCP/143), HTTP (TCP/80), DNS (TCP/53), SMTP (TCP/25), APT-PROXY (TCP/9999), SQUID PROXY (TCP/3128)

# iptables -A INPUT [...condition...] -j ACCEPT

# iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
# iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
# iptables -A INPUT -p tcp --dport 143 --syn -j ACCEPT
# iptables -A INPUT -p tcp --dport 9999 --syn -j ACCEPT
# iptables -A INPUT -p tcp --dport 3128 --syn -j ACCEPT

--syn matches only the first packet of a TCP connection (SYN set, ACK, RST and FIN clear), so each rule admits new connection requests to one service and nothing else; the remaining packets of every accepted connection are matched by the ESTABLISHED,RELATED rule.

 

Basic command : allow incoming request (UDP)

E.g. DHCP (UDP/67), DNS (UDP/53), NTP (UDP/123)

# iptables -A INPUT [...condition...] -j ACCEPT

# iptables -A INPUT -p udp --dport 67 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j ACCEPT

UDP has no handshake, so there is no --syn equivalent: a rule on the destination port admits every datagram sent to that service.

 

Basic command : allow incoming request (ICMP)

E.g. ICMP ping request (ICMP Type 8), ICMP Type 3 (Unreachable), ICMP Type 11 (Time Exceeded)

# iptables -A INPUT [...condition...] -j ACCEPT

# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

Type 8 lets other hosts ping the server; types 3 and 11 are error reports (destination unreachable, TTL exceeded) that the server's own outgoing traffic depends on, for example for path MTU discovery and traceroute.

Exercise: iptables #2

On the Debian server, implement the best stateful firewall in the world with the following features

[1] drop all incoming IP packets except “SSH”, “HTTP”
[2] allow request to go out and reply to get in
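The stateful rule from the "stateful firewall" section and the per-service ACCEPT rules above, combined into one script that writes the Exercise #2 ruleset. This is an added example, not part of the session handout: it generates iptables-restore input instead of calling iptables, so the result can be read and checked before it is loaded. The function names (build_input_ruleset, tcp_rule, udp_rule, icmp_rule, stateful_first), the file name host_fw.sh and the loopback rule are this example's own; the ports are passed in as lists so the same script also covers Exercise #1 and the UDP and ICMP services.

```shell
#!/bin/sh
# Added example, not part of the session handout. Builds the host firewall
# from Exercises #1 and #2 as an iptables-restore file instead of typing the
# rules one at a time, and checks the rule order. Function and variable
# names are this example's own. Nothing here talks to the kernel: the
# script only prints text.

# tcp_rule PORT: accept new TCP connections (SYN only) to PORT.
tcp_rule() {
    printf '%s\n' "-A INPUT -p tcp --dport $1 --syn -j ACCEPT"
}

# udp_rule PORT: accept UDP datagrams to PORT (UDP has no handshake,
# so there is no --syn equivalent; the state rule handles replies).
udp_rule() {
    printf '%s\n' "-A INPUT -p udp --dport $1 -j ACCEPT"
}

# icmp_rule TYPE: accept ICMP messages of the given type number.
icmp_rule() {
    printf '%s\n' "-A INPUT -p icmp --icmp-type $1 -j ACCEPT"
}

# build_input_ruleset "TCP_PORTS" "UDP_PORTS" "ICMP_TYPES"
# Each argument is a space-separated list and may be empty. Prints a
# complete *filter table: INPUT policy DROP (feature [1] of the exercise),
# the ESTABLISHED,RELATED rule first so replies to our own requests get in
# (feature [2]), then one rule per allowed service.
build_input_ruleset() {
    tcp_ports=$1
    udp_ports=$2
    icmp_types=$3
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback is not in the handout; without it a DROP policy also
    # blocks local clients talking to local daemons on 127.0.0.1.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $tcp_ports; do tcp_rule "$p"; done
    for p in $udp_ports; do udp_rule "$p"; done
    for t in $icmp_types; do icmp_rule "$t"; done
    printf '%s\n' 'COMMIT'
}

# stateful_first: reads a ruleset on stdin and succeeds only if the first
# INPUT rule (ignoring loopback) is the ESTABLISHED,RELATED accept. It also
# fails when the rule is missing altogether, which is the mistake that
# produces the "ping gets no answer" symptom from the handout.
stateful_first() {
    first=$(grep '^-A INPUT' | grep -v -- '-i lo' | head -n 1)
    case $first in
        *"--state ESTABLISHED,RELATED"*|*"--state RELATED,ESTABLISHED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run directly: print the Exercise #2 ruleset (SSH and HTTP only).
# TCP_PORTS, UDP_PORTS and ICMP_TYPES in the environment override the lists.
build_input_ruleset "${TCP_PORTS:-22 80}" "${UDP_PORTS:-}" "${ICMP_TYPES:-}"
```

On the Debian server the output is loaded with `sh host_fw.sh | iptables-restore` (newer iptables-restore versions accept `--test` to parse without applying), and `TCP_PORTS="22 80 143" sh host_fw.sh` extends the list. Among ACCEPT-only rules the order does not change what is admitted, but putting the state rule first means the bulk of the traffic, the replies, matches on the first rule, and it keeps any DROP or REJECT rule added later in the chain from catching reply packets.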

iptables as a GATEWAY firewall:

[1] On “firewall”, permit “ip_forward”

# vi /etc/sysctl.conf
net/ipv4/ip_forward=1
# sysctl -p

 

[2] On “firewall”, set the “iptables” config as follows

# iptables -F FORWARD
# iptables -P FORWARD DROP
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 

[3] Assuming that “eth0” is the EXTERNAL interface and “eth1” is the INTERNAL interface, do the following.

# iptables -A FORWARD -i eth1 -o eth0 -p icmp --icmp-type 8 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT

Each rule matches packets entering on eth1 and leaving on eth0, that is new flows from the LAN towards the outside. The replies travel from eth0 to eth1 and are admitted by the ESTABLISHED,RELATED rule, so nothing in this list lets an outside host open a connection into the LAN.
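The gateway steps [1] to [3] as one script (added example, not from the session handout): it builds the FORWARD chain as an iptables-restore file with the interface names as parameters, and adds the two checks a practitioner wants before loading it, that the kernel is actually forwarding and that no rule lets the Internet open connections into the LAN. Function names (ip_forward_enabled, forward_rule, build_forward_ruleset, lan_exposed), the file name gw_fw.sh and the EXT_IF/INT_IF variables are this example's own. One caveat the handout does not mention: the --dport 21 rule passes only the FTP control connection; FTP data connections are classified RELATED only when the FTP conntrack helper module (nf_conntrack_ftp, called ip_conntrack_ftp on the 2.6 kernels of that era) is loaded.

```shell
#!/bin/sh
# Added example, not part of the session handout. Builds the gateway's
# FORWARD chain from steps [2] and [3] as an iptables-restore file, with the
# interface names as parameters, and adds two checks: that the kernel is
# forwarding at all, and that no rule lets the Internet open connections
# into the LAN. Function names are this example's own.

# ip_forward_enabled [FILE]: true when the forwarding sysctl reads 1.
# FILE defaults to the live kernel node; it is a parameter only so the
# check can be exercised against a sample file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# forward_rule EXT INT PROTO MATCH: one rule for a new flow entering on the
# internal interface and leaving on the external one. Replies come back the
# other way and are admitted by the ESTABLISHED,RELATED rule, not by these.
forward_rule() {
    printf '%s\n' "-A FORWARD -i $2 -o $1 -p $3 $4 -j ACCEPT"
}

# build_forward_ruleset EXT INT: prints a complete *filter table. FORWARD
# policy DROP, conntrack rule first, then the LAN-to-Internet services from
# the handout (ping, HTTP, FTP control, DNS over TCP and UDP). INPUT and
# OUTPUT stay at ACCEPT, as in the handout's gateway steps.
build_forward_ruleset() {
    ext=$1
    int=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    forward_rule "$ext" "$int" icmp '--icmp-type 8'
    forward_rule "$ext" "$int" tcp '--dport 80'
    forward_rule "$ext" "$int" tcp '--dport 21'
    forward_rule "$ext" "$int" tcp '--dport 53'
    forward_rule "$ext" "$int" udp '--dport 53'
    printf '%s\n' 'COMMIT'
}

# lan_exposed EXT INT: reads a ruleset on stdin and succeeds if any FORWARD
# rule accepts packets that arrive on EXT and leave on INT without a
# --state match. Such a rule would let outside hosts start connections to
# LAN machines, which the DROP policy is meant to prevent.
lan_exposed() {
    grep -- "^-A FORWARD .*-i $1 -o $2 " | grep -v -- '--state' | grep -q -- '-j ACCEPT'
}

# Run directly: print the ruleset for eth0 = external, eth1 = internal.
build_forward_ruleset "${EXT_IF:-eth0}" "${INT_IF:-eth1}"
```

Typical use on the firewall: `ip_forward_enabled || echo "forwarding is off"` after sourcing the script, then `sh gw_fw.sh | iptables-restore`. The lan_exposed check is worth running on `iptables-save` output whenever someone adds a "temporary" FORWARD rule: a single `-i eth0 -o eth1 ... -j ACCEPT` without a state match undoes the DROP policy for that service.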