Diffstat (limited to 'firewall.adoci')
-rw-r--r-- | firewall.adoci | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/firewall.adoci b/firewall.adoci deleted file mode 100644 index 6839aa3..0000000 --- a/firewall.adoci +++ /dev/null 
@@ -1,117 +0,0 @@ -== Firewall Practical, Week 10 == - -The purpose of this practical is to make us create and modify rules of iptables -firewall. - -At the end of this practical, we should be able to add rules to block or allow -different IP addresses on different ports. - -=== Problem 1: Take the necessary precautions === - -When playing with a firewall (especially on a remote machine), we must -always assume that the worst will happen. Indeed, it is very easy to completely -lose access to our machine by making a single mistake. - -==== Resolution ==== - -We will first create an executable file named 'iptables-allow-ssh' that will -create rules allowing a SSH connection from outside. When executed, this file -should be able to allow-ssh a connection no matter what we put in our 'INPUT' -table. If everything is completely messed up, we even prefer performing a -reboot than leaving our machine unreachable. - -...... -#/bin/sh - -# accept ssh as input - -/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot -/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot -...... - -In case we lose our connection, we want this file to be executed. We will use -'cron' to schedule its execution every minute. - -Here is the content that we put in our 'crontab' file. - -...... -* * * * * /home/student/iptables-allow-ssh -...... - -After waiting one minute, we can notice that our scheduled task has been -executed. - - $ sudo iptables -L INPUT - > Chain INPUT (policy ACCEPT) - > target prot opt source destination - > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED - > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh - -We can now modify our 'INPUT' chain almost safely. When we will stop making -modifications, we will be able to remove the duplicate iptables rules and then -delete the 'crontab' file. - -=== Problem 2: Write the proper rules === - -All we have to do now is to create our rules to allow or deny HTTP and HTTPS -access. 
We have to keep in mind that it is better to write as less rules as -possible. - -==== Resolution ==== - -Since we do not want to block multiple ports, we will leave the policy of -'INPUT' to 'ACCEPT'. - -The rule to block HTTPS is quite simple: - - $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT - -Result: - - $ curl https://csvm2c4e.kent.ac.uk - > curl: (7) couldn't connect to host - $ curl http://csvm2c4e.kent.ac.uk - > <h1>It works!</h1> - -The rule to only allow HTTPS is almost the same (but first, we delete our -previous rule): - - $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT - $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT - -Result: - - $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt - > <h1>It works!</h1> - $ curl http://csvm2c4e.kent.ac.uk - > curl: (7) couldn't connect to host - -To block both HTTP and HTTPS in only one rule we can use a match extension (but -first, we delete our previous rule): - - $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT - $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT - -Result: - - $ curl https://csvm2c4e.kent.ac.uk - > curl: (7) couldn't connect to host - $ curl http://csvm2c4e.kent.ac.uk - > curl: (7) couldn't connect to host - -Last but not least, to deny only one host (but first, we delete our previous -rule): - - $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT - $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT - -Result from our VM - - $ curl http://localhost - > <h1>It works!</h1> - -Result from 'raptor.kent.ac.uk' - - $ curl http://csvm2c4e.kent.ac.uk - > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused - |
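Review bot: this hunk deletes the whole week-10 write-up with no replacement file in the diff and no commit message visible here saying where it went; if the content is being moved rather than dropped, carry three fixes with it. First, the safety script's shebang `#/bin/sh` is missing the `!`, so it only runs because cron's `/bin/sh` falls back to interpreting a non-executable as a shell script; it should be `#!/bin/sh`. Second, the cron job uses `-A INPUT`, which appends the ACCEPT rules at the end of the chain, so a mistaken rule inserted earlier with `-I` (or a REJECT that already sits above them) still matches first and the "safety net" does not restore access; inserting with `-I INPUT 1` (and checking with `-C` before adding, to avoid the duplicate rules the text itself admits to) would make the recovery mechanism do what the prose claims. Third, `|| /sbin/reboot` turns any non-zero exit from `iptables` (including a transient lock or a typo) into a reboot every minute for as long as the crontab line exists; the text's own later instruction to delete the crontab entry should be stated up front as a hard requirement, and a safer fallback is to reset the chain (`iptables -P INPUT ACCEPT` followed by `iptables -F INPUT`) rather than reboot.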