summaryrefslogtreecommitdiff
path: root/firewall.asciidoci
diff options
context:
space:
mode:
Diffstat (limited to 'firewall.asciidoci')
-rw-r--r--firewall.asciidoci117
1 files changed, 117 insertions, 0 deletions
diff --git a/firewall.asciidoci b/firewall.asciidoci
new file mode 100644
index 0000000..6839aa3
--- /dev/null
+++ b/firewall.asciidoci
@@ -0,0 +1,117 @@
+== Firewall Practical, Week 10 ==
+
+The purpose of this practical is to make us create and modify rules of iptables
+firewall.
+
+At the end of this practical, we should be able to add rules to block or allow
+different IP addresses on different ports.
+
+=== Problem 1: Take the necessary precautions ===
+
+When playing with a firewall (especially on a remote machine), we must
+always assume that the worst will happen. Indeed, it is very easy to completely
+lose access to our machine by making a single mistake.
+
+==== Resolution ====
+
+We will first create an executable file named 'iptables-allow-ssh' that will
+create rules allowing a SSH connection from outside. When executed, this file
+should be able to allow-ssh a connection no matter what we put in our 'INPUT'
+table. If everything is completely messed up, we even prefer performing a
+reboot than leaving our machine unreachable.
+
+......
+#/bin/sh
+
+# accept ssh as input
+
+/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot
+/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot
+......
+
+In case we lose our connection, we want this file to be executed. We will use
+'cron' to schedule its execution every minute.
+
+Here is the content that we put in our 'crontab' file.
+
+......
+* * * * * /home/student/iptables-allow-ssh
+......
+
+After waiting one minute, we can notice that our scheduled task has been
+executed.
+
+ $ sudo iptables -L INPUT
+ > Chain INPUT (policy ACCEPT)
+ > target prot opt source destination
+ > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
+ > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
+
+We can now modify our 'INPUT' chain almost safely. When we will stop making
+modifications, we will be able to remove the duplicate iptables rules and then
+delete the 'crontab' file.
+
+=== Problem 2: Write the proper rules ===
+
+All we have to do now is to create our rules to allow or deny HTTP and HTTPS
+access. We have to keep in mind that it is better to write as less rules as
+possible.
+
+==== Resolution ====
+
+Since we do not want to block multiple ports, we will leave the policy of
+'INPUT' to 'ACCEPT'.
+
+The rule to block HTTPS is quite simple:
+
+ $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT
+
+Result:
+
+ $ curl https://csvm2c4e.kent.ac.uk
+ > curl: (7) couldn't connect to host
+ $ curl http://csvm2c4e.kent.ac.uk
+ > <h1>It works!</h1>
+
+The rule to only allow HTTPS is almost the same (but first, we delete our
+previous rule):
+
+ $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT
+ $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT
+
+Result:
+
+ $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt
+ > <h1>It works!</h1>
+ $ curl http://csvm2c4e.kent.ac.uk
+ > curl: (7) couldn't connect to host
+
+To block both HTTP and HTTPS in only one rule we can use a match extension (but
+first, we delete our previous rule):
+
+ $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT
+ $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT
+
+Result:
+
+ $ curl https://csvm2c4e.kent.ac.uk
+ > curl: (7) couldn't connect to host
+ $ curl http://csvm2c4e.kent.ac.uk
+ > curl: (7) couldn't connect to host
+
+Last but not least, to deny only one host (but first, we delete our previous
+rule):
+
+ $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT
+ $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT
+
+Result from our VM
+
+ $ curl http://localhost
+ > <h1>It works!</h1>
+
+Result from 'raptor.kent.ac.uk'
+
+ $ curl http://csvm2c4e.kent.ac.uk
+ > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused
+