Lab Objectives & Turn In


Firewall Lab

This lab applies several theories discussed throughout the networking series. The routing, the DHCP installation/configuration and the service setup are already done. All that is left to set up the environment below is starting the VMs and entering the commands given in this document. Our lab will look similar to the diagram below. What is not given is the firewall rules, which you will need to write and apply.

Lab Objectives & Turn In

We are tasked with building firewall rules to prevent access to unauthorized ports on our Server machine. From this point on, our Attacking machine is the Host box. Use nmap from the Host to view all open ports, both to see how many services are listening and to test your firewall rules later. The following services are to be allowed; all others need to be blocked:

ICMP
SSH
SMTP
FTP
HTTP
NetBIOS (SAMBA)

You need to turn in the output of your iptables rules that allow the above services and deny all others. Include a PDF with the nmap output from the Host to the Server VM and your iptables file. The following command will output everything you need to turn in:

Gateway# iptables -L

Note: Exporting rules to a file and importing them again can be done with the following commands:

Gateway# iptables-save > firewall.conf
Gateway# iptables-restore < firewall.conf

Setting up your environment

The first thing we need to do is set up our environment. We are using three machines, which will be called the following throughout the guide: Host is your physical machine, Gateway is the Backtrack5 virtual machine, and Server is the Metasploitable virtual machine. We are going to build a firewall on the Gateway machine, which will serve as the proxy/gateway for the Server machine. This means all traffic to and from the Server will need to pass through the Gateway.

First, start the Gateway VM (Backtrack5) from the VirtualBox list. From the command line, start the DHCP server:

Gateway# /etc/init.d/dhcp3-server start

Now enable IP forwarding. This allows the Gateway machine to forward packets that are not addressed to itself:

Gateway# echo 1 > /proc/sys/net/ipv4/ip_forward

From here we can verify that all traffic can pass through the Gateway without being dropped by any firewall by typing the following. We will go over the firewall configuration later in this guide, so don't worry about the iptables command for now:

Gateway# iptables -L

Now our Gateway machine is ready to hand out DHCP addresses and forward traffic to and from our Host and Server. Let's move on to the Server. Start up the Metasploitable VM and log in so we can verify it received an IP address from our DHCP server (the Gateway). Log in with:

Username: msfadmin
Password: msfadmin

Then type the following to verify its IP:

Server# ifconfig

This should tell you its IP address is something in the range 10.0.0.0/24. Now make sure you can connect to the Gateway by pinging it:

Server# ping 10.0.0.10

You can also scan the Server from the Gateway to see a list of open ports. However, pinging the Host does not work yet. You will need to adjust your routes on the Server:

Server# sudo route add default gw 10.0.0.10
Server# sudo route del -net 10.0.0.0/24

At this point you should also be able to connect to the Gateway from your Host. Verify this by pinging the Gateway from the Host:

Host# ping 192.168.56.101

Now our Server and Gateway are complete, and routing between them should be final. The Host system is a little different because it still needs access to the lab's internal network as well as the Internet, so we will just add a static route that sends all traffic addressed to the 10.0.0.0/8 network to the Gateway. Enter the following command:

Host# sudo route add -net 10.0.0.0/8 gw 192.168.56.101 dev vboxnet0

You should now have full access to our Server from the Host. Try this by doing a quick port scan of the Server from the Host. This is where our firewall comes in: we are going to allow access to only a handful of ports. Our firewall is to be implemented on our Gateway box.

Firewall configuration guide

Look through the basic command set by entering the following from any machine:

iptables -h

and/or read Ubuntu's iptables guide at https://help.ubuntu.com/community/iptableshowto

Quick Primer

On standard Ubuntu there is no default deny-all rule as there is in Cisco ACLs; in fact the default policy is to accept everything (this varies depending on your Linux distribution). This means that a blank iptables rule set is going to allow all incoming, outgoing and forwarded traffic. To see your iptables rules, enter the following command:

Gateway# iptables -L

The first thing to note here is that there are three default chains for rules to be placed in. INPUT and OUTPUT are only checked for packets addressed to or sent by the local host itself (our Gateway in this case). The FORWARD chain is checked for all traffic destined somewhere other than this local machine. The following is just an example of the commands in action. To add rules to our Gateway that accept all incoming SSH traffic (TCP/22) and deny all other traffic, we would set up the following:

# if the packet is TCP port 22, accept it
sudo iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
# if a packet makes it here it didn't match any rule above; every packet matches
# this rule and is therefore dropped
sudo iptables -A FORWARD -j DROP

Now this is only half of the firewall. What happens to the traffic coming back from the SSH server? It will be dropped, because those reply packets carry port 22 as their source port, not their destination port, so they never match the rule above. We need a rule that allows traffic going out from the server for connections that are already established. Because rules are checked from the top down, this rule has to sit above the DROP rule; appending it with -A would place it after the DROP, where it would never be reached, so insert it at the head of the chain instead:

sudo iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

This means that all new connections coming in are denied except on the ports we allow (SSH in this case), while all traffic going out from our server that belongs to an established connection is allowed. This is very similar to how corporate firewalls actually operate. Obviously there are other caveats, such as allowing certain types of internal traffic to reach Internet resources, but those are outside the scope of this lab.

Note: All checks start from the top and work their way down. To insert a rule anywhere into the list (or at least above the DROP rule) you use the -I flag instead of -A, followed by the chain and the position the rule should take. For example:

sudo iptables -I <INPUT/FORWARD/OUTPUT> <integer index in list> -p tcp --dport 4444 -j ACCEPT

Now look at the iptables rules:

sudo iptables -L

Steps to completing this guide are:

1. Discover the ports and protocols of the allowed services (port number, UDP, TCP, etc...)
   a. use google if necessary, most should be obvious by now
2. From the Host machine, scan the Metasploitable machine to see what ports you can see
3. Proceed to write the rules on the Gateway machine
4. Use the Host machine to port scan your server to test whether the rules are working. For the ICMP rule, ensure that you can ping your server from the Host.

Extended Learning

So far this lab discussed allowing services on a specific server. What if we had users on the inside of this network that wanted to use network resources? For example, we have the server set up to allow connections like we would for a corporate network. However, on a corporate network you also have users that need access to network resources such as browsing web sites, ssh to other networked servers, etc... How would we allow NEW network traffic originating from our internal network access to external network resources?

1. Allow the internal client (Metasploitable) to ping the Host's eth0 (192.168.10.X)
2. Stop the Host from scanning the Gateway
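The following script is an added example written for this edit; it is not part of the lab handout and not the lab's answer key. It ties together the FORWARD-chain discussion above (rule order, the ESTABLISHED,RELATED rule, the final DROP) with steps 1 and 3 of the procedure: it emits the Gateway's filter table for the six allowed services in the format iptables-save writes and iptables-restore reads, so it can be loaded with iptables-restore < firewall.conf on the Gateway (as root). It assumes the IANA-standard port numbers for the services (FTP 21, SSH 22, SMTP 25, HTTP 80, NetBIOS 137/138 UDP and 139 TCP, plus SMB 445 for Samba); the function names gen_ruleset, check_order and verdict are chosen here. It also includes a small first-match simulator so the ordering pitfall can be checked before touching a live box. The Extended Learning questions are deliberately not answered by it.

```shell
#!/bin/sh
# Added example for the firewall lab (not from the original handout).
# Assumes standard service ports and the firewall.conf name from the turn-in
# note; gen_ruleset, check_order and verdict are names chosen for this example.

# Print the Gateway's filter table in iptables-restore format. FORWARD gets a
# DROP policy so nothing transits the Gateway unless a rule allows it; INPUT and
# OUTPUT keep the Ubuntu default (ACCEPT) because the lab only filters traffic
# passing through to the Server. iptables-restore ignores lines starting with #.
gen_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to allowed connections: must sit above every DROP (rules match top down).
# Both FTP data connections only count as RELATED when the ftp conntrack helper is loaded.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP, so the Host can ping the Server
-A FORWARD -p icmp -j ACCEPT
# New connections to the allowed services only
-A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
# NetBIOS over TCP/IP for Samba: name service, datagram service, session service,
# plus SMB over TCP (445), which modern clients try first
-A FORWARD -p udp --dport 137 -j ACCEPT
-A FORWARD -p udp --dport 138 -j ACCEPT
-A FORWARD -p tcp --dport 139 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 445 -m state --state NEW -j ACCEPT
# Explicit catch-all DROP: redundant with the policy, but it shows the intent in
# iptables -L and gives a packet counter for blocked traffic
-A FORWARD -j DROP
COMMIT
EOF
}

# Check a saved ruleset (read from stdin) for the ordering mistake described in
# the guide: a catch-all DROP that precedes the ESTABLISHED,RELATED accept would
# also drop legitimate replies. Exit status 0 means the order is safe.
check_order() {
  awk '
    /^-A FORWARD/ { n++ }
    /^-A FORWARD .*ESTABLISHED,RELATED.*-j ACCEPT/ && !est { est = n }
    /^-A FORWARD -j DROP$/ && !drop { drop = n }
    END { exit !(est && (!drop || est < drop)) }
  '
}

# First-match simulation of the FORWARD chain for one packet.
# Usage: verdict <proto> <dport> <NEW|ESTABLISHED|RELATED>   (dport may be "")
# Prints ACCEPT or DROP. Simplified on purpose: only -p, --dport, --state and
# -j are honoured; an unmatched packet gets the chain policy, as in netfilter.
verdict() {
  gen_ruleset | awk -v proto="$1" -v dport="$2" -v state="$3" '
    /^:FORWARD/ { policy = $2 }
    /^-A FORWARD/ {
      p = ""; d = ""; s = ""; j = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") p = $(i + 1)
        else if ($i == "--dport") d = $(i + 1)
        else if ($i == "--state") s = $(i + 1)
        else if ($i == "-j") j = $(i + 1)
      }
      if ((p == "" || p == proto) && (d == "" || d == dport) &&
          (s == "" || index("," s ",", "," state ","))) {
        matched = 1; print j; exit
      }
    }
    END { if (!matched) print policy }
  '
}

# Stand-alone use: write the file the lab asks you to load, then sanity-check it.
gen_ruleset > firewall.conf
gen_ruleset | check_order && echo "rule order ok"
echo "tcp/22 NEW -> $(verdict tcp 22 NEW)"
echo "tcp/4444 NEW -> $(verdict tcp 4444 NEW)"
echo "tcp/4444 ESTABLISHED -> $(verdict tcp 4444 ESTABLISHED)"
```

After loading it on the Gateway with iptables-restore < firewall.conf, iptables -L should show the ESTABLISHED,RELATED rule first and the DROP rule last, and an nmap scan from the Host should report only the six allowed services while a ping still succeeds. The simulator is the quickest way to see why the order matters: swap the DROP above the state rule and every reply packet gets DROP.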