author | Olivier Gayot <duskcoder@gmail.com> | 2015-05-10 20:36:08 +0100 |
---|---|---|
committer | Olivier Gayot <duskcoder@gmail.com> | 2015-05-10 20:36:08 +0100 |
commit | 0d0e3b3c05b5e3004f526bf0ace02885c36ce2d5 (patch) | |
tree | fa151f80dcdf2ca2174ac83aa137333947ef1a19 /firewall.asciidoci | |
parent | 013d621eb8e5493e1401a69ac99da1485d46cc37 (diff) |
use *.asciidoc(i) extension instead of *.adoc(i)
Signed-off-by: Olivier Gayot <duskcoder@gmail.com>
Diffstat (limited to 'firewall.asciidoci')
-rw-r--r-- | firewall.asciidoci | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/firewall.asciidoci b/firewall.asciidoci new file mode 100644 index 0000000..6839aa3 --- /dev/null +++ b/firewall.asciidoci 
@@ -0,0 +1,117 @@ +== Firewall Practical, Week 10 == + +The purpose of this practical is to make us create and modify rules of iptables +firewall. + +At the end of this practical, we should be able to add rules to block or allow +different IP addresses on different ports. + +=== Problem 1: Take the necessary precautions === + +When playing with a firewall (especially on a remote machine), we must +always assume that the worst will happen. Indeed, it is very easy to completely +lose access to our machine by making a single mistake. + +==== Resolution ==== + +We will first create an executable file named 'iptables-allow-ssh' that will +create rules allowing a SSH connection from outside. When executed, this file +should be able to allow-ssh a connection no matter what we put in our 'INPUT' +table. If everything is completely messed up, we even prefer performing a +reboot than leaving our machine unreachable. + +...... +#/bin/sh + +# accept ssh as input + +/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot +/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot +...... + +In case we lose our connection, we want this file to be executed. We will use +'cron' to schedule its execution every minute. + +Here is the content that we put in our 'crontab' file. + +...... +* * * * * /home/student/iptables-allow-ssh +...... + +After waiting one minute, we can notice that our scheduled task has been +executed. + + $ sudo iptables -L INPUT + > Chain INPUT (policy ACCEPT) + > target prot opt source destination + > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED + > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh + +We can now modify our 'INPUT' chain almost safely. When we will stop making +modifications, we will be able to remove the duplicate iptables rules and then +delete the 'crontab' file. + +=== Problem 2: Write the proper rules === + +All we have to do now is to create our rules to allow or deny HTTP and HTTPS +access. 
We have to keep in mind that it is better to write as less rules as +possible. + +==== Resolution ==== + +Since we do not want to block multiple ports, we will leave the policy of +'INPUT' to 'ACCEPT'. + +The rule to block HTTPS is quite simple: + + $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + > <h1>It works!</h1> + +The rule to only allow HTTPS is almost the same (but first, we delete our +previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt + > <h1>It works!</h1> + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +To block both HTTP and HTTPS in only one rule we can use a match extension (but +first, we delete our previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +Last but not least, to deny only one host (but first, we delete our previous +rule): + + $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT + +Result from our VM + + $ curl http://localhost + > <h1>It works!</h1> + +Result from 'raptor.kent.ac.uk' + + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused + |
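Review bot: the rescue script `iptables-allow-ssh` appends its rules with `-A`, so they land at the end of `INPUT` and cannot override a blocking rule added earlier in the chain (a `REJECT` or `DROP` on `--dport ssh`, or a catch-all `-j REJECT` appended while experimenting), which contradicts the stated goal that the file "should be able to allow a connection no matter what we put in our 'INPUT' table"; insert at the head of the chain instead, e.g. `/sbin/iptables -I INPUT 1 -p tcp --dport ssh -j ACCEPT` (and likewise for the `ESTABLISHED,RELATED` rule), and guard each insert with a check so the minutely cron job does not pile up duplicates, e.g. `/sbin/iptables -C INPUT -p tcp --dport ssh -j ACCEPT 2>/dev/null || /sbin/iptables -I INPUT 1 -p tcp --dport ssh -j ACCEPT`. Also note that `|| /sbin/reboot` only fires when the `iptables` command itself exits non-zero, not when the rule is added but ineffective, so it does not provide the "reboot rather than stay unreachable" fallback the text describes. Two smaller points in the same hunk: the first line of the script reads `#/bin/sh` (missing `!`), so it is a comment rather than a shebang and the file only works from cron because cron runs it under `/bin/sh` itself; and the crontab line `* * * * * /home/student/iptables-allow-ssh` has no user field and calls `iptables` without `sudo`, so it must be installed in root's crontab for the rules to be added at all. In Problem 2, `--source raptor.kent.ac.uk` is resolved once when the rule is added, so the installed rule matches whatever address(es) the name returned at that moment, not the hostname; spelling out the IP address makes the rule deterministic and avoids one rule per A record.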