| field | value | date |
|---|---|---|
| author | Olivier Gayot <duskcoder@gmail.com> | 2015-01-17 02:52:15 +0100 |
| committer | Olivier Gayot <duskcoder@gmail.com> | 2015-01-17 17:51:44 +0100 |
| commit | db59b68c56e083c05fd6dbc7b00cf783313be69d (patch) | |
| tree | 8f74241826b31f5bc9ea0aecd035b34eb52265b3 | |
| parent | 0ad40b88ba4e2f00da0e3b861dd535516b3597cc (diff) | |
added the content for the Firewall practical
Signed-off-by: Olivier Gayot <duskcoder@gmail.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | firewall.adoci | 117 |
| -rw-r--r-- | practicals.adoc | 1 |

2 files changed, 118 insertions, 0 deletions
diff --git a/firewall.adoci b/firewall.adoci new file mode 100644 index 0000000..6839aa3 --- /dev/null +++ b/firewall.adoci 
@@ -0,0 +1,117 @@ +== Firewall Practical, Week 10 == + +The purpose of this practical is to make us create and modify rules of iptables +firewall. + +At the end of this practical, we should be able to add rules to block or allow +different IP addresses on different ports. + +=== Problem 1: Take the necessary precautions === + +When playing with a firewall (especially on a remote machine), we must +always assume that the worst will happen. Indeed, it is very easy to completely +lose access to our machine by making a single mistake. + +==== Resolution ==== + +We will first create an executable file named 'iptables-allow-ssh' that will +create rules allowing a SSH connection from outside. When executed, this file +should be able to allow-ssh a connection no matter what we put in our 'INPUT' +table. If everything is completely messed up, we even prefer performing a +reboot than leaving our machine unreachable. + +...... +#/bin/sh + +# accept ssh as input + +/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot +/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot +...... + +In case we lose our connection, we want this file to be executed. We will use +'cron' to schedule its execution every minute. + +Here is the content that we put in our 'crontab' file. + +...... +* * * * * /home/student/iptables-allow-ssh +...... + +After waiting one minute, we can notice that our scheduled task has been +executed. + + $ sudo iptables -L INPUT + > Chain INPUT (policy ACCEPT) + > target prot opt source destination + > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED + > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh + +We can now modify our 'INPUT' chain almost safely. When we will stop making +modifications, we will be able to remove the duplicate iptables rules and then +delete the 'crontab' file. + +=== Problem 2: Write the proper rules === + +All we have to do now is to create our rules to allow or deny HTTP and HTTPS +access. 
We have to keep in mind that it is better to write as less rules as +possible. + +==== Resolution ==== + +Since we do not want to block multiple ports, we will leave the policy of +'INPUT' to 'ACCEPT'. + +The rule to block HTTPS is quite simple: + + $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + > <h1>It works!</h1> + +The rule to only allow HTTPS is almost the same (but first, we delete our +previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt + > <h1>It works!</h1> + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +To block both HTTP and HTTPS in only one rule we can use a match extension (but +first, we delete our previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +Last but not least, to deny only one host (but first, we delete our previous +rule): + + $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT + +Result from our VM + + $ curl http://localhost + > <h1>It works!</h1> + +Result from 'raptor.kent.ac.uk' + + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused + diff --git a/practicals.adoc b/practicals.adoc index 2d1bde3..d09fdd3 100644 --- a/practicals.adoc +++ b/practicals.adoc 
@@ -4,3 +4,4 @@ include::ldap1.adoci[] include::ldap2.adoci[] include::dns.adoci[] include::ssl.adoci[] +include::firewall.adoci[] |
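Review bot: in the firewall.adoci hunk, the `iptables-allow-ssh` safeguard does not actually guarantee SSH access "no matter what we put in our 'INPUT' table", because both rules are appended with `-A INPUT` and so are evaluated after every rule already in the chain; a REJECT or DROP rule placed earlier (for example one of the later `-A INPUT -p tcp ... -j REJECT` experiments widened to port 22 by mistake) still wins. Inserting at the head of the chain with `/sbin/iptables -I INPUT 1 -p tcp --dport ssh -j ACCEPT` (and likewise for the ESTABLISHED,RELATED rule) makes the rescue rules take precedence. Three smaller points in the same script: the shebang reads `#/bin/sh` and is missing the `!`, so the file only runs because cron's `/bin/sh` falls back to interpreting it as a shell script; `|| /sbin/reboot` fires on any non-zero exit from iptables (a held xtables lock, a missing binary), not only on a lost rule, so a reboot can be triggered by a transient error; and because the cron entry `* * * * * /home/student/iptables-allow-ssh` re-appends every minute, the chain fills with duplicate rules, which the text acknowledges it will have to clean up. A `-C` check before each insert (`iptables -C INPUT ... || iptables -I INPUT 1 ...`) keeps the chain idempotent. Separately, the final rule's `--source raptor.kent.ac.uk` is resolved to an address once when the rule is installed, so the documented behaviour should note that it does not follow later DNS changes.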