AgendaTrack1: exercises-iptables.txt

File exercises-iptables.txt, 6.4 KB (added by admin, 7 years ago)

Line
1	% Security Topics
2	%
3	% Firewall exercises using iptables
4
5	# Introduction
6
7	In this exercise we will see examples of how to set up packet filtering on a
8	host running Ubuntu Linux using the iptables firewall.
9
10	# Notes
11
12	* Commands preceded with "$" imply that you should execute the command as
13	a general user - not as root.
14	* Commands preceded with "#" imply that you should be working as root.
15	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
16	imply that you are executing commands on remote equipment, or within
17	another program.
18
19	# Goals
20
21	* Install iptables
22	* Understand basic iptables commands
23	* Build packet filtering rules to restrict access to certain applications
24	depending on the target audience
25	* Learn how to permanently save the iptables rules
26
27	# Installation
28
29	You can check if iptables is installed in your system by doing
30
31	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32	$ sudo iptables -V
33	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
34
35	If it is not installed:
36
37	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
38	$ sudo apt-get install iptables
39	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
40
41	# Filtering policy:
42
43	## Host must be able to access all of its own applications (localhost)
44	## Host must allow SMTP connections from anywhere
45	## Host must allow SSH access only from the campus network
46	## Host must allow access to to the web server only from the local network
47	## Host must allow access to SNMP only from the local network
48	## All incoming TCP/UDP traffic must be blocked, except for established
49	connections
50	## ICMP must be rate-limited to 3 packets per second
51
52	For that, we are going to create a text file, which will help us build the
53	ruleset more easily. Make sure to replace "X" with your group number when
54	necessary
55
56	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
57	$ vi /home/sysadm/iptables.sh
58
59	# Flush any existing rules
60	iptables -F
61
62	# Permit any incoming packet on the loopback interface
63	iptables -A INPUT -i lo -j ACCEPT
64
65	# SMTP must be open so that we can accept mail from the world
66	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
67
68	# SSH restricted to the campus network
69	iptables -A INPUT -s 10.10.0.0/16 -p tcp --dport 22 -j ACCEPT
70
71	# HTTP and HTTPS restricted to the local network only
72	iptables -A INPUT -s 10.10.X.0/24 -p tcp --dport 80 -j ACCEPT
73	iptables -A INPUT -s 10.10.X.0/24 -p tcp --dport 443 -j ACCEPT
74
75	# SNMP restricted to the local network only
76	iptables -A INPUT -s 10.10.X.0/24 -p udp --dport 161 -j ACCEPT
77
78	# Rate-limit ICMP traffic to 3 packets per second
79	iptables -A INPUT -p icmp -m recent --set
80	iptables -A INPUT -p icmp -m recent --update --seconds 1 --hitcount 3 -j DROP
81
82	# Then, permit all traffic initiated from this machine to come back
83	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
84
85	# And finally, block all incoming TCP traffic
86	iptables -A INPUT -s 0/0 -p tcp --tcp-flags SYN,RST,ACK SYN -j REJECT
87
88	# and all UDP traffic
89	iptables -A INPUT -s 0/0 -p udp -j REJECT
90	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
92	Now, let's apply those rules
93
94	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
95	$ sudo sh /home/sysadm/iptables.sh
96	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
97
98	And verify that the rules are there:
99
100	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
101	$ sudo iptables -L
102	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
103
104	You should see the rules you have created. If you'd rather see numeric output,
105	do the following
106
107	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
108	$ sudo itpables -L -n
109	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
110
111	Now, let's test to make sure that the rules are working:
112
113	Check that you can connect to services on localhost:
114
115	(if you have not installed Apache, do so now)
116
117	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
118	$ telnet localhost 80
119	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
120
121	You should see something like this:
122
123	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
124	# telnet localhost 80
125	Trying 127.0.0.1...
126	Connected to localhost.
127	Escape character is '^]'.
128	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
129
130	To exit, type 'Ctrl-]', and then 'quit'
131
132	Now, ask the members of your group to check connectivity against your web
133	server:
134
135	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
136	sysadm@pc2:~$ telnet pc1 80
137	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
138
139	They should be able to connect.
140
141	Now, ask someone from ANOTHER group, to test:
142
143	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
144	sysadm@pc5:~$ telnet pc1 80
145	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
146
147	(If they are able to connect, then you did something wrong. Go back to your file, fix the rules, and run the sh command again).
148
149	Now, test the ICMP rate limiting. Ask one of your classmates to do the following against your pc:
150
151	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
152	sysadm@pc2:~$ sudo ping -f pc1
153	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
154
155	What is that "-f"? It stands for "flood", which means that pc2 will try to
156	send as many ICMP echo request packets as possible. Ask your classmate to run
157	that for about 5 seconds, and then stop with 'Ctrl-C'. Then, ask them to check
158	the statistics. There should be a high "packet loss" value, and the number of
159	packets received should not be greater than 3 per second (15 packets total if
160	they ran it for 5 secs)
161
162	If all the tests look good, then you should save those rules in order to
163	have Linux re-apply them when it reboots:
164
165	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
166	$ sudo iptables-save > /etc/iptables.rules
167	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
168
169	And now, tell Ubuntu to restore those rules at boot time:
170
171	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
172	$ sudo vi /etc/network/if-pre-up.d/iptablesload
173
174	#!/bin/sh
175	iptables-restore < /etc/iptables.rules
176	exit 0
177	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
178
179	Make it executable:
180
181	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
182	sudo chmod +x /etc/network/if-pre-up.d/iptablesload
183	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
184
185	Don't forget to use "iptables-save" each time you modify your rules. Otherwise, you will lose your changes next time you reboot.
186
187