Assignment 3 Firewalls




LEIC/MEIC - IST Alameda
ONLY for ALAMEDA LAB equipment
Network and Computer Security 2013/2014

Assignment 3 Firewalls

Goal: Configure a firewall using iptables and fwbuilder.

1 Introduction

This lab assignment focuses on using iptables and fwbuilder to improve your network security. Consider the following network topology and implement it based on the virtual machines used by the previous assignments.

[Figure 1: network topology. Y=192, W=168 at Alameda; Y=172, W=20 at Taguspark.
 Machine 1 (VM4): eth0 192.168.23.x (Alameda) or 172.20.28.x (Taguspark); Eth1 host IP address 192.168.1.1; host subnet 192.168.1/24.
 Machine 2 (VM1): eth0 192.168.23.(x+30) (Alameda) or 172.20.28.(x@100) (Taguspark; the operator is garbled in the source figure); Eth1 [host subnet].[group number]; Eth2 192.168.3.1 (site-generic label: eth1 Y.W.3.1); Eth3 192.168.4.1 (site-generic label: eth2 Y.W.4.1).
 Machine 3 (VM2): Eth1 192.168.3.2 (site-generic label: eth0 Y.W.3.2); subnet 192.168.3/24.
 Machine 4 (VM3): Eth1 192.168.4.2 (site-generic label: eth0 Y.W.4.2); subnet 192.168.4/24.]

Note 1: Create a new virtual machine which will act as the host machine (although it is not the real host machine), marked as 1 in the figure, with host address 192.168.1.1 on eth1. For all other VMs, VM(i) is machine (i+1) in the figure: VM1 is Machine 2, VM2 is Machine 3 and VM3 is Machine 4.

2 iptables

The native firewall software in Linux (netfilter) is part of the kernel. The iptables tool (man iptables) is the user-space program used to manage its rules.

2.1 Simple rules

Experiment with some simple rules in Machine 2.

2.1.1 Reject ICMP packets

Execute:

iptables -A INPUT -p icmp -j DROP

The previous command appends a rule to the INPUT chain that drops all incoming ICMP packets. Note that DROP silently discards the packet, so the ping on the sending side simply times out; the REJECT target would instead answer with an error message. See the new rule by listing all rules managed by iptables (-L shows the filter table; add -n to avoid reverse DNS lookups and --line-numbers to see the positions used by -D below):

iptables -L

Test this new rule by sending a ping from Machine 3 to Machine 2. Use one of the following commands to erase this rule from Machine 2 (the first deletes rule number 1 of the INPUT chain, the second deletes the first rule that matches the given specification):

iptables -D INPUT 1
iptables -D INPUT -p icmp -j DROP

2.1.2 Reject telnet connections

Confirm that you can establish a telnet connection to Machine 2. Block these connections using the following command:

iptables -A INPUT -p tcp --dport 23 -j DROP

Check whether telnet connections to Machine 2 are still possible. Delete the previous rule by running one of the following commands:

iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 23 -j DROP

2.1.3 Reject telnet connections from specific IP addresses

Ignore telnet connections from Machine 1:

iptables -A INPUT -p tcp -s [host address] --dport 23 -j DROP

Confirm that all machines except Machine 1 are able to open a telnet connection with Machine 2.

2.1.4 Reject telnet connections from a specific subnet

Ignore telnet connections from the subnet that includes Machine 4:

iptables -A INPUT -p tcp -s 192.168.4.0/24 --dport 23 -j DROP

At this point you should only be able to open a telnet connection to Machine 2 from Machine 3. Delete all existing rules:

iptables -F

2.2 Redirect connections

The previous exercises used the INPUT chain of the filter table. We will now use the PREROUTING chain of the nat table in order to redirect network packets. Rules in the nat table are not shown by iptables -L; list them with iptables -t nat -L.

Execute:

iptables -t nat -A PREROUTING --dst [host subnet address].[group number] -p tcp --dport 23 -j DNAT --to-destination 192.168.3.2

The rule rewrites the destination address of telnet packets that arrive for the firewall's own address, so the kernel routes them towards Machine 3 instead of delivering them locally. For this to work, Machine 2 must have IP forwarding enabled (net.ipv4.ip_forward=1) and its FORWARD chain must accept the redirected traffic; otherwise the packets are dropped after the NAT step.

Make a telnet connection from Machine 1 to Machine 2:

telnet [host subnet address].[group number]

Confirm that the connection was established between Machine 1 and Machine 3 using the netstat -t command on all virtual machines. Machine 1 still sees the connection as going to Machine 2's address, because the address is only rewritten on Machine 2; Machine 3 sees it arriving from Machine 1's address.

In order to redirect http traffic to Machine 3, replace the port value:

iptables -t nat -A PREROUTING --dst [host subnet address].[group number] -p tcp --dport 80 -j DNAT --to-destination 192.168.3.2

Use a browser in Machine 1 and go to http://[host subnet address].[group number]. Run netstat -t to confirm that the connection is between Machines 1 and 3.

Delete all existing rules (the filter and nat tables are flushed separately; -X removes user-defined chains, if any):

iptables -F
iptables -t nat -F
iptables -X

3 Fwbuilder

This section introduces fwbuilder, a cross-platform firewall management software. Use the instructions in the appendix in order to install the iptables extensions in fwbuilder.

3.1 Simple rules

Run fwbuilder and create a new project.

3.1.1 Create a new firewall

Click Object -> New Object -> New Firewall. Configure the firewall options with iptables and linux. Add the network interfaces. Set a management interface by selecting it in the tree.

3.1.2 Accept ssh connections

Fwbuilder requires that the machine accepts ssh connections in order to install new firewall rules. Create a new TCP service with destination port 22 (Object -> New Object -> New TCP service). Create a new rule (Rules -> Insert Rule). Drag the new service into the Service field. Change the Action field to Accept. Click Rules -> Install. Test the ssh connections. Keep this rule in every policy you install from now on: a rule set without it cuts off the ssh session fwbuilder uses and leaves the firewall unmanageable until it is fixed from the console.

3.1.3 Accept telnet connections

Check whether your current machine is accepting telnet connections. Check all firewall rules with:

iptables -L

Create a new TCP service with destination port 23. Create a new rule accepting connections to the new service. Install the firewall. Test the telnet connections.

3.1.4 Redirect telnet connections

Configure eth1 as external. Add the IP address of Machine 3 in addresses (Objects -> Address). Add the necessary rule in the NAT table. Set the original address, service and redirect address. Install the firewall and test this rule.

3.2 Internal Network + DMZ

[Figure 2: the topology of Figure 1 with the zones marked. External: Machine 1 (VM4). Firewall: Machine 2 (VM1), eth1 facing the external network. DMZ: Machine 3 (VM2), subnet 192.168.3/24. Internal: Machine 4 (VM3), subnet 192.168.4/24.]

Use fwbuilder to configure the following requirements:

Machine 1 is an external machine:
  o Machine 1 will only be able to open ssh (port 22) and http (port 80) connections with Machine 2.

Machine 2 is the firewall:
  o Requests from the internal network 192.168.4/24 are only accepted if destined to the ssh port.
  o All http (port 80) connections are redirected to Machine 3.
  o All ssh connections from the external network are redirected to Machine 4.
  o All other traffic is rejected.

Machine 3 is a Web server in a DMZ:
  o Accepts http connections from both the internal and external network.
  o Accepts ssh connections from the internal network.
  o Does not start any new connections.

Machine 4 is an internal machine:
  o Accepts ssh requests.
  o Is able to open ssh connections to both the external network and the DMZ.
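The following script is an added example, not part of the assignment: it expresses the Machine 2 (firewall) requirements of section 3.2 as an iptables-restore rule set built from the same -A / -t nat / --dport / -j DNAT rules used in section 2, so you can compare it with what fwbuilder generates (iptables-save on Machine 2). It assumes, from the figure labels, that eth1 is the external interface (as in 3.1.4), eth2 the DMZ interface (192.168.3.1) and eth3 the internal interface (192.168.4.1); the interface names on the lab VMs may differ, so they are variables. The MASQUERADE rule is an assumption added for convenience (it spares Machine 1 a return route to the DMZ and internal subnets); the assignment text does not mention it. Only Machine 2's rules are covered; Machines 3 and 4 keep their own host rules.

```shell
#!/bin/sh
# Added example: Machine 2 (firewall) policy of section 3.2 as an
# iptables-restore file. Not part of the assignment text.
#
# Assumptions (taken from the figure, not verified on the lab VMs):
#   eth1 = external interface, facing Machine 1 (configured as external in 3.1.4)
#   eth2 = DMZ interface,      192.168.3.1; Machine 3 is 192.168.3.2
#   eth3 = internal interface, 192.168.4.1; Machine 4 is 192.168.4.2
EXT_IF=${EXT_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
INT_IF=${INT_IF:-eth3}
WEB=192.168.3.2          # Machine 3 (DMZ web server)
INT_HOST=192.168.4.2     # Machine 4 (internal machine)
INT_NET=192.168.4.0/24

# Print the rule set; iptables-restore ignores lines starting with '#'.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# "All http (port 80) connections are redirected to Machine 3"
-A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB
# "All ssh connections from the external network are redirected to Machine 4"
-A PREROUTING -i $EXT_IF -p tcp --dport 22 -j DNAT --to-destination $INT_HOST
# Assumption: hide DMZ/internal sources behind the firewall's external address,
# so Machine 1 needs no return route for 192.168.3/24 and 192.168.4/24.
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
# "All other traffic is rejected": default-deny for packets addressed to the
# firewall and for packets it forwards (a final -j REJECT rule would answer
# with an error instead of silently dropping).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the firewall itself started.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "Requests from the internal network are only accepted if destined to the ssh
# port"; this is also the rule that keeps fwbuilder's management session alive.
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Return traffic of every forwarded connection, whichever side opened it.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Post-DNAT destinations of the two redirects above.
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -d $INT_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Machine 4 may open ssh to the DMZ and to the external network, nothing else.
-A FORWARD -i $INT_IF -s $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# No rule accepts NEW connections arriving on the DMZ interface, so Machine 3
# cannot start connections through the firewall (policy DROP applies).
COMMIT
EOF
}

# Load the rule set. DNAT to another host only works if the kernel forwards.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  gen_rules | iptables-restore
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     gen_rules ;;   # default: print the rule set for review
esac
```

Run the script without arguments to review the generated file; run it with the argument apply (as root on Machine 2) to enable forwarding and load the rules with iptables-restore. Afterwards, iptables -t nat -L -n and iptables -L -n -v should show the two DNAT rules and hit counters on the FORWARD rules as you test from Machines 1 and 4.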

Appendix

1 Install fwbuilder extensions

1. On VM1 (Machine 2), download the fwbuilder-extensions.iso file from the course homepage.
2. Execute:

   mkdir -p /mnt/disk
   mount -o loop fwbuilder-extensions.iso /mnt/disk

3. Install the fwbuilder extension:

   rpm -i /mnt/disk/fwbuilder-ipt-2.0.9-1.pm.1.i586.rpm