Lab Objectives & Turn In

Transcription

1 Firewall Lab This lab will apply several theories discussed throughout the networking series. The routing, installing/configuring DHCP, and setting up the services is already done. All that is left for setting up the environment below is starting the VMs and entering the given commands in this document. Our lab will look similar to the diagram below. What is not given is the firewall rules which you will need to apply. Lab Objectives & Turn In We are tasked with building firewall rules to prevent access to unauthorized ports of our Server machine. From this point on our Attacking machine is the Host box. Use nmap from the Host to view all open ports to see how many services are listening and to test your firewall rules later. The following services are to be allowed, all others need to be blocked: ICMP SSH SMTP FTP HTTP NetBIOS (SAMBA) You need to turn in the output of your iptable rules that allow the above services and deny all others, include a PDF with the nmap output from Host to Server VM and your iptables file. The following command will output everything you need to turn in: Gateway# iptables -L Note: Outputting and importing rules to and from a file can be done with the following commands: Gateway# iptables-save > firewall.conf Gateway# iptables-restore < firewall.conf

2 Setting up your environment First thing we need to do is set up our environment. We are using three machines which will be called the following throughout the guide: Host is your physical machine, Gateway is the Backtrack5 virtual machine, and the Server is the Metasploitable virtual machine. We are going to be building a firewall on the Gateway machine which will serve as the proxy/gateway for the Server machine. This means all traffic to and from the Server will need to pass through the Gateway. First lets start the Gateway VM, Backtrack5 from the Virtualbox list. From the command line start the DHCP server. Gateway# /etc/init.d/dhcp3-server start Now set up IP_Forwarding. This will allow the Gateway machine to forward packets not addressed to itself. Gateway# echo 1 > /proc/sys/net/ipv4/ip_forward

3 From here we can verify that all traffic can pass through the Gateway without being dropped by any firewall by typing the following. We will go over the firewall configuration later in this guide so don't worry about the iptables command for now. Gateway# iptables -L Now our Gateway machine is ready to give out DHCP addresses and forward traffic to and from our Host and Server. Lets move on to the Server now. Start up Metasploitable VM and log in so we can verify it received an IP address from our DHCP server Gateway. Login with

4 Username: Password: msfadmin msfadmin then type the following to verify its IP: Server# ifconfig This should tell you its IP address is something in the range of /24. Now make sure you can connect to the Gateway by pinging it. You can also scan the Server from the Gateway to see a list of open ports. Server# ping However, pinging the Host does not work. You will need to adjust you routes on the Server Server# sudo route add default gw Server# sudo route del -net /24 At this point you should also be able to connect to the Gateway from your Host. Verify this by pinging the Gateway from the host: Host# ping Now our Server and Gateway are complete and routing between them should be final. The host system is a little different because it still needs access to the lab internal network as well as the Internet. So we will just add a static route to send all traffic addressed to the /8 network to the Gateway. Enter the following command: Host# sudo route add -net /8 gw dev vboxnet0 You should now have full access to our Server from the Host. Try this by doing a quick port scan of the Server from the Host. This is where our firewall comes in. We are going to only allow access to a handful of ports. Our firewall is to be implemented on our Gateway box. Firewall configuration guide Look through the basic command set by entering the following from any machine: iptables -h and/or navigating to ubuntu s iptables guide Quick Primer On standard Ubuntu there is no default deny all rule as there is in Cisco ACLs, in fact the default rule is to accept all (this varies depending on your linux distro). This means that a blank iptable rule set is going to allow all incoming, outgoing and forwarding traffic. To see your iptable rules enter the following command: Gateway# iptables -L

5 The first thing to note here is that there are three default chains for rules to be placed in. INPUT and OUTPUT only get checked if the packet is destined to the local host (our gateway in this case). The FORWARD chain is checked against for all traffic destined somewhere other than this local machine. The following is just an example of commands in action. Now to add a rule to our Gateway to accept all incoming SSH traffic (TCP/22) and deny all other traffic we would set up the following rules. #if packet is tcp port 22 accept packet sudo iptables -A FORWARD -p tcp --dport 22 -j ACCEPT #if the packet makes it here that means it didn't match any rules above. All packets match #this rule and are therefore dropped sudo iptables -A FORWARD -j DROP Now this is only half of the firewall. What happens to the traffic coming from the SSH server? It will most likely be denied because it wont be on port 22. We need to add a rule to allow all traffic going out from the server. sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT This means that all new connections will be denied coming in except for on the ports we allow (SSH in this case) and allow all traffic going out from our server that is an established connection. This is very similar to how corporate firewalls actually operate. Obviously there are some other caveats but that is outside of the scope of this lab like allowing types of internal traffic to access Internet resources.

6 Note: All checks start from the top and work there way down. To insert a rule anywhere into the list (or at least above the DROP rule) you use a -I flag instead o the -A. For example: sudo iptables -I <INPUT/FORWARD/OUTPUT> <integer index in list> -p tcp --dport 4444 ACCEPT Now look at the iptables: sudo iptables -L Steps to completing this guide are: 1. Discover the ports and protocols of the allowed services (port number, UDP, TCP, etc...) a. use google if necessary, most should be obvious by now 2. From the Host machine scan the Metasploitable machine to see what ports you can see 3. Proceed to write the rules on the Gateway machine 4. Use the Host machine to port scan your server to test if the rules are working. For the ICMP rule, ensure that you can ping your server from the Host. Extended Learning So far this lab discussed allowing services on a specific server. What if we had users on the inside of this network that wanted to use a network resources. For example, we have the server set up to allow connections like we would for a corporate network. However, on a corporate network you also have users that need access to network resources such as browsing web sites, ssh to other networked servers, etc... How would we allow NEW network traffic originating from our internal network access to external network resources? 1. Allow the internal client (Metasploitable) to ping hosts eth0 ( X) 2. Stop the host from scanning the gateway