path: root/firewall.adoci
Diffstat (limited to 'firewall.adoci')
-rw-r--r--firewall.adoci117
1 files changed, 0 insertions, 117 deletions
diff --git a/firewall.adoci b/firewall.adoci
deleted file mode 100644
index 6839aa3..0000000
--- a/firewall.adoci
+++ /dev/null
@@ -1,117 +0,0 @@
-== Firewall Practical, Week 10 ==
-
-The purpose of this practical is to make us create and modify rules of iptables
-firewall.
-
-At the end of this practical, we should be able to add rules to block or allow
-different IP addresses on different ports.
-
-=== Problem 1: Take the necessary precautions ===
-
-When playing with a firewall (especially on a remote machine), we must
-always assume that the worst will happen. Indeed, it is very easy to completely
-lose access to our machine by making a single mistake.
-
-==== Resolution ====
-
-We will first create an executable file named 'iptables-allow-ssh' that will
-create rules allowing a SSH connection from outside. When executed, this file
-should be able to allow-ssh a connection no matter what we put in our 'INPUT'
-table. If everything is completely messed up, we even prefer performing a
-reboot than leaving our machine unreachable.
-
-......
-#/bin/sh
-
-# accept ssh as input
-
-/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot
-/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot
-......
-
-In case we lose our connection, we want this file to be executed. We will use
-'cron' to schedule its execution every minute.
-
-Here is the content that we put in our 'crontab' file.
-
-......
-* * * * * /home/student/iptables-allow-ssh
-......
-
-After waiting one minute, we can notice that our scheduled task has been
-executed.
-
- $ sudo iptables -L INPUT
- > Chain INPUT (policy ACCEPT)
- > target prot opt source destination
- > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
-
-We can now modify our 'INPUT' chain almost safely. When we will stop making
-modifications, we will be able to remove the duplicate iptables rules and then
-delete the 'crontab' file.
-
-=== Problem 2: Write the proper rules ===
-
-All we have to do now is to create our rules to allow or deny HTTP and HTTPS
-access. We have to keep in mind that it is better to write as less rules as
-possible.
-
-==== Resolution ====
-
-Since we do not want to block multiple ports, we will leave the policy of
-'INPUT' to 'ACCEPT'.
-
-The rule to block HTTPS is quite simple:
-
- $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT
-
-Result:
-
- $ curl https://csvm2c4e.kent.ac.uk
- > curl: (7) couldn't connect to host
- $ curl http://csvm2c4e.kent.ac.uk
- > <h1>It works!</h1>
-
-The rule to only allow HTTPS is almost the same (but first, we delete our
-previous rule):
-
- $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT
- $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT
-
-Result:
-
- $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt
- > <h1>It works!</h1>
- $ curl http://csvm2c4e.kent.ac.uk
- > curl: (7) couldn't connect to host
-
-To block both HTTP and HTTPS in only one rule we can use a match extension (but
-first, we delete our previous rule):
-
- $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT
- $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT
-
-Result:
-
- $ curl https://csvm2c4e.kent.ac.uk
- > curl: (7) couldn't connect to host
- $ curl http://csvm2c4e.kent.ac.uk
- > curl: (7) couldn't connect to host
-
-Last but not least, to deny only one host (but first, we delete our previous
-rule):
-
- $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT
- $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT
-
-Result from our VM
-
- $ curl http://localhost
- > <h1>It works!</h1>
-
-Result from 'raptor.kent.ac.uk'
-
- $ curl http://csvm2c4e.kent.ac.uk
- > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused
-
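Review bot: this hunk deletes the entire write-up with nothing replacing it in the diff; since the `.adoci` extension reads like a typo for `.adoc`, confirm whether this is one half of a rename and, if so, that the moved text does not carry over the defects visible here: the `#/bin/sh` line lacks the `!` and so is not a valid shebang; the cron entry appends two fresh `-A INPUT` rules every minute (the text itself concedes the duplicates must be cleaned up later); appending cannot restore SSH access once an earlier REJECT rule in INPUT already matches port 22, because iptables evaluates rules in order, so `-I INPUT 1` would be the safer choice for a rescue rule; and `|| /sbin/reboot` reboots the host on any non-zero exit from iptables, including a plain permission error if the crontab shown is the student user's rather than root's.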