LEIC/MEIC - IST Alameda
ONLY For ALAMEDA LAB equipment

Network and Computer Security 2013/2014
Assignment 3 - Firewalls

Goal: Configure a firewall using iptables and fwbuilder.

1 Introduction

This lab assignment focuses on using iptables and fwbuilder to improve your network security. Consider the following network topology and implement it based on the virtual machines used by the previous assignments.

[Figure: network topology. Y=192, W=168 at Alameda; Y=172, W=20 at Taguspark. Machine 1 (VM4): eth1 host address 192.168.1.1 on host subnet 192.168.1/24; eth0 192.168.23.x (Alameda) or 172.20.28.x (Taguspark). Machine 2 (VM1): Eth1 [host subnet].[group number], Eth2 192.168.3.1, Eth3 192.168.4.1; also labelled eth0 - 192.168.23.(x+30) (Alameda) or 172.20.28.(x-100) (Taguspark), eth1 Y.W.3.1, eth2 Y.W.4.1. Machine 3 (VM2): Eth1 192.168.3.2 (eth0 Y.W.3.2) on subnet 192.168.3/24. Machine 4 (VM3): Eth1 192.168.4.2 (eth0 Y.W.4.2) on subnet 192.168.4/24.]

Note 1: Create a new virtual machine which will act as the host machine (although it is not the real host machine), marked as 1 in the figure, with host address 192.168.1.1 on eth1. For all other VMs, VM(i) is machine (i+1) in the figure.
2 iptables

The native firewall software in Linux is part of the kernel. However, you can use the iptables tool (man iptables) to manage its rules.

2.1 Simple rules

Experiment with some simple rules in Machine 2.

2.1.1 Reject ICMP packets

Execute:

    iptables -A INPUT -p icmp -j DROP

The previous command adds a rule to drop all incoming ICMP packets. See the new rule by listing all rules managed by iptables:

    iptables -L

Test this new rule by sending a ping from Machine 3 to Machine 2. Use one of the following commands to erase this rule from Machine 2:

    iptables -D INPUT 1
    iptables -D INPUT -p icmp -j DROP

2.1.2 Reject telnet connections

Confirm that you can establish a telnet connection to Machine 2. Block these connections using the following command:

    iptables -A INPUT -p tcp --dport 23 -j DROP

Check whether telnet connections to Machine 2 are still possible. Delete the previous rule by running one of the following commands:

    iptables -D INPUT 1
    iptables -D INPUT -p tcp --dport 23 -j DROP

2.1.3 Reject telnet connections from specific IP addresses

Ignore telnet connections from Machine 1:

    iptables -A INPUT -p tcp -s [host address] --dport 23 -j DROP

Confirm that all machines except Machine 1 are able to open a telnet connection with Machine 2.

2.1.4 Reject telnet connections from a specific subnet

Ignore telnet connections from the subnet that includes Machine 4:

    iptables -A INPUT -p tcp -s 192.168.4.0/24 --dport 23 -j DROP

At this point you should only be able to open a telnet connection to Machine 2 from Machine 3. Delete all existing rules:

    iptables -F

2.2 Redirect connections

The previous exercises used the INPUT chain of the filter table. We will now use the PREROUTING chain of the nat table in order to redirect network packets.
Execute:

    iptables -t nat -A PREROUTING --dst [host subnet address].[group number] -p tcp --dport 23 -j DNAT --to-destination 192.168.3.2

Make a telnet connection from Machine 1 to Machine 2:

    telnet [host subnet address].[group number]

Confirm that the connection was established between Machine 1 and Machine 3 using the netstat -t command on all virtual machines. In order to redirect HTTP traffic to Machine 3 instead, replace the port value:

    iptables -t nat -A PREROUTING --dst [host subnet address].[group number] -p tcp --dport 80 -j DNAT --to-destination 192.168.3.2

Use a browser in Machine 1 and go to http://[host subnet address].[group number]. Run netstat -t to confirm that the connection is between Machines 1 and 3. Delete all existing rules:

    iptables -F
    iptables -t nat -F
    iptables -X

3 Fwbuilder

This section introduces fwbuilder, a cross-platform firewall management application. Use the instructions in the appendix in order to install the iptables extensions for fwbuilder.

3.1 Simple rules

Run fwbuilder and create a new project.

3.1.1 Create a new firewall

Click Object -> New Object -> New Firewall. Configure the firewall options with iptables and Linux. Add the network interfaces. Set a management interface by selecting it in the tree.

3.1.2 Accept ssh connections

Fwbuilder requires that the machine accepts ssh connections in order to install new firewall rules. Create a new TCP service with destination port 22 (Object -> New Object -> New TCP Service). Create a new rule (Rules -> Insert Rule). Drag the new service into the Service field. Change the Action field to Accept. Click Rules -> Install. Test the ssh connections.
3.1.3 Accept telnet connections

Check whether your current machine is accepting telnet connections. Check all firewall rules with:

    iptables -L

Create a new TCP service with destination port 23. Create a new rule accepting connections to the new service. Install the firewall. Test the telnet connections.

3.1.4 Redirect telnet connections

Configure eth1 as external. Add the IP address of Machine 3 in addresses (Objects -> Address). Add the necessary rule in the NAT table. Set the original address, service and redirect address. Install the firewall and test this rule.

3.2 Internal Network + DMZ

[Figure: the topology of section 1 with the zones marked. Machine 1 (VM4) is External; Machine 2 (VM1) is the Firewall; Machine 3 (VM2) on subnet 192.168.3/24 is the DMZ; Machine 4 (VM3) on subnet 192.168.4/24 is Internal. Interface addresses are the same as in the first figure.]

Use fwbuilder to configure the following requirements:

- Machine 1 is an external machine:
  o Machine 1 will only be able to open ssh (port 22) and http (port 80) connections with Machine 2.
- Machine 2 is the firewall:
  o Requests from the internal network 192.168.4/8 are only accepted if destined to the ssh port.
  o All http (port 80) connections are redirected to Machine 3.
  o All ssh connections from the external network are redirected to Machine 4.
  o All other traffic is rejected.
- Machine 3 is a Web server in a DMZ:
  o Accepts http connections from both the internal and external network.
  o Accepts ssh connections from the internal network.
  o Does not start any new connections.
- Machine 4 is an internal machine:
  o Accepts ssh requests.
  o Is able to open ssh connections to both the external network and the DMZ.
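The 3.2 requirements above, together with the PREROUTING redirect of section 2.2, written out as plain iptables commands for Machine 2; this is an added example, not part of the assignment and not what fwbuilder generates. It assumes the interface names and addresses of the topology figure (eth1 external, eth2 towards the DMZ at 192.168.3.1, eth3 towards the internal network at 192.168.4.1), a placeholder for the firewall's external address, and reads the internal network as 192.168.4.0/24.

```shell
#!/bin/sh
# Added example, not part of the assignment: the 3.2 requirements as an iptables
# ruleset for Machine 2, the firewall. Interfaces/addresses follow the topology
# figure and are assumptions: eth1 external (address EXT), eth2 DMZ, eth3 internal.
EXT="${EXT:-192.168.1.10}"  # [host subnet].[group number]; placeholder value
WEB=192.168.3.2             # Machine 3, web server in the DMZ
INT_NET=192.168.4.0/24      # internal net (the text says 192.168.4/8; /24 per figure)
INT_HOST=192.168.4.2        # Machine 4

# Emit the ruleset one command per line so it can be reviewed before it is applied.
firewall_rules() {
cat <<EOF
# start clean, then drop by default (all other traffic is rejected)
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# replies to connections accepted by the rules below
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# internal network reaches the firewall itself only on the ssh port
iptables -A INPUT -i eth3 -s $INT_NET -p tcp --dport 22 -j ACCEPT
# http to the firewall address goes to Machine 3; external ssh goes to Machine 4
iptables -t nat -A PREROUTING -d $EXT -p tcp --dport 80 -j DNAT --to-destination $WEB
iptables -t nat -A PREROUTING -i eth1 -d $EXT -p tcp --dport 22 -j DNAT --to-destination $INT_HOST
# forward the redirected connections; Machine 3 gets no rule of its own, so it cannot start any
iptables -A FORWARD -o eth2 -d $WEB -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -d $INT_HOST -p tcp --dport 22 -j ACCEPT
# Machine 4 may open ssh connections to the DMZ and to the external network
iptables -A FORWARD -i eth3 -s $INT_NET -p tcp --dport 22 -j ACCEPT
EOF
}

# Apply on the firewall (root); forwarding must be on or DNAT'd packets are dropped.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    firewall_rules | sh -e
}

# Quick self-checks: number of redirect (DNAT) rules and of iptables commands.
dnat_rules() { firewall_rules | grep -c -- '-j DNAT'; }
rule_count() { firewall_rules | grep -c '^iptables'; }

case "${1:-}" in apply) apply_rules ;; show) firewall_rules ;; esac
```

Run it with `show` to review the rules, or as root with `apply` on Machine 2; afterwards `iptables -L -n` and `iptables -t nat -L -n` let you compare the result with what fwbuilder installs.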
Appendix 1: Install fwbuilder extensions

1. On VM1 (Machine 2), download the fwbuilder-extensions.iso file from the course homepage.
2. Execute:

    mkdir -p /mnt/disk
    mount -o loop fwbuilder-extensions.iso /mnt/disk

3. Install the fwbuilder extension:

    rpm -i /mnt/disk/fwbuilder-ipt-2.0.9-1.pm.1.i586.rpm