From db59b68c56e083c05fd6dbc7b00cf783313be69d Mon Sep 17 00:00:00 2001 From: Olivier Gayot Date: Sat, 17 Jan 2015 02:52:15 +0100 Subject: added the content for the Firewall practical Signed-off-by: Olivier Gayot --- firewall.adoci | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 firewall.adoci (limited to 'firewall.adoci') diff --git a/firewall.adoci b/firewall.adoci new file mode 100644 index 0000000..6839aa3 --- /dev/null +++ b/firewall.adoci @@ -0,0 +1,117 @@ +== Firewall Practical, Week 10 == + +The purpose of this practical is to make us create and modify rules of iptables +firewall. + +At the end of this practical, we should be able to add rules to block or allow +different IP addresses on different ports. + +=== Problem 1: Take the necessary precautions === + +When playing with a firewall (especially on a remote machine), we must +always assume that the worst will happen. Indeed, it is very easy to completely +lose access to our machine by making a single mistake. + +==== Resolution ==== + +We will first create an executable file named 'iptables-allow-ssh' that will +create rules allowing a SSH connection from outside. When executed, this file +should be able to allow-ssh a connection no matter what we put in our 'INPUT' +table. If everything is completely messed up, we even prefer performing a +reboot than leaving our machine unreachable. + +...... +#/bin/sh + +# accept ssh as input + +/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot +/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot +...... + +In case we lose our connection, we want this file to be executed. We will use +'cron' to schedule its execution every minute. + +Here is the content that we put in our 'crontab' file. + +...... +* * * * * /home/student/iptables-allow-ssh +...... + +After waiting one minute, we can notice that our scheduled task has been +executed. + + $ sudo iptables -L INPUT + > Chain INPUT (policy ACCEPT) + > target prot opt source destination + > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED + > ACCEPT tcp -- anywhere anywhere tcp dpt:ssh + +We can now modify our 'INPUT' chain almost safely. When we will stop making +modifications, we will be able to remove the duplicate iptables rules and then +delete the 'crontab' file. + +=== Problem 2: Write the proper rules === + +All we have to do now is to create our rules to allow or deny HTTP and HTTPS +access. We have to keep in mind that it is better to write as less rules as +possible. + +==== Resolution ==== + +Since we do not want to block multiple ports, we will leave the policy of +'INPUT' to 'ACCEPT'. + +The rule to block HTTPS is quite simple: + + $ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + >

It works!

+ +The rule to only allow HTTPS is almost the same (but first, we delete our +previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt + >

It works!

+ $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +To block both HTTP and HTTPS in only one rule we can use a match extension (but +first, we delete our previous rule): + + $ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT + +Result: + + $ curl https://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) couldn't connect to host + +Last but not least, to deny only one host (but first, we delete our previous +rule): + + $ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT + $ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT + +Result from our VM + + $ curl http://localhost + >

It works!

+ +Result from 'raptor.kent.ac.uk' + + $ curl http://csvm2c4e.kent.ac.uk + > curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused + -- cgit v1.2.3