== Firewall Practical, Week 10 ==
The purpose of this practical is to make us create and modify rules of iptables
firewall.
At the end of this practical, we should be able to add rules to block or allow
different IP addresses on different ports.
=== Problem 1: Take the necessary precautions ===
When playing with a firewall (especially on a remote machine), we must
always assume that the worst will happen. Indeed, it is very easy to completely
lose access to our machine by making a single mistake.
==== Resolution ====
We will first create an executable file named 'iptables-allow-ssh' that will
create rules allowing a SSH connection from outside. When executed, this file
should be able to allow-ssh a connection no matter what we put in our 'INPUT'
table. If everything is completely messed up, we even prefer performing a
reboot than leaving our machine unreachable.
......
#/bin/sh
# accept ssh as input
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || /sbin/reboot
/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT || /sbin/reboot
......
In case we lose our connection, we want this file to be executed. We will use
'cron' to schedule its execution every minute.
Here is the content that we put in our 'crontab' file.
......
* * * * * /home/student/iptables-allow-ssh
......
After waiting one minute, we can notice that our scheduled task has been
executed.
$ sudo iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
We can now modify our 'INPUT' chain almost safely. When we will stop making
modifications, we will be able to remove the duplicate iptables rules and then
delete the 'crontab' file.
=== Problem 2: Write the proper rules ===
All we have to do now is to create our rules to allow or deny HTTP and HTTPS
access. We have to keep in mind that it is better to write as less rules as
possible.
==== Resolution ====
Since we do not want to block multiple ports, we will leave the policy of
'INPUT' to 'ACCEPT'.
The rule to block HTTPS is quite simple:
$ sudo /sbin/iptables -A INPUT -p tcp --dport https -j REJECT
Result:
$ curl https://csvm2c4e.kent.ac.uk
> curl: (7) couldn't connect to host
$ curl http://csvm2c4e.kent.ac.uk
> It works!
The rule to only allow HTTPS is almost the same (but first, we delete our
previous rule):
$ sudo /sbin/iptables -D INPUT -p tcp --dport https -j REJECT
$ sudo /sbin/iptables -A INPUT -p tcp --dport http -j REJECT
Result:
$ curl https://csvm2c4e.kent.ac.uk --cacert rootCA.crt
> It works!
$ curl http://csvm2c4e.kent.ac.uk
> curl: (7) couldn't connect to host
To block both HTTP and HTTPS in only one rule we can use a match extension (but
first, we delete our previous rule):
$ sudo /sbin/iptables -D INPUT -p tcp --dport http -j REJECT
$ sudo /sbin/iptables -A INPUT -p tcp -m multiport --dports http,https -j REJECT
Result:
$ curl https://csvm2c4e.kent.ac.uk
> curl: (7) couldn't connect to host
$ curl http://csvm2c4e.kent.ac.uk
> curl: (7) couldn't connect to host
Last but not least, to deny only one host (but first, we delete our previous
rule):
$ sudo /sbin/iptables -D INPUT -p tcp -m multiport --dports http,https -j REJECT
$ sudo /sbin/iptables -A INPUT -p tcp --source raptor.kent.ac.uk -m multiport --dports http,https -j REJECT
Result from our VM
$ curl http://localhost
> It works!
Result from 'raptor.kent.ac.uk'
$ curl http://csvm2c4e.kent.ac.uk
> curl: (7) Failed to connect to csvm2c4e.kent.ac.uk port 80: Connection refused