Lesson 10

Date: 4/2/2014

Basics of Linux Security

Linux for Engineering and IT Applications

Configuring iptables firewall
Exercises
Make sure iptables have been installed on smbhost VM:

dpkg -l | grep iptables

Check the iptables rules on smbhost:

/sbin/iptables -n -L

On smbhost, download the iptables script from fw-script.sh, make it executable, then run:

wget http://linuxcourse.rutgers.edu/lessons/Security/fw-script.sh
chmod 755 fw-script.sh
./fw-script.sh

Check the iptables rules again,

   /sbin/iptables -n -L

You should see the new active rules.

Try pinging your desktop private virtual IP address from smbhost:

ping 192.168.122.1

Try pinging smbhost VM from the desktop:

ping 192.168.122.42

To enable ping, you need to add the following rules to your fw-script.sh (you can include them somwhere after the default policy)

# Echo - uncomment to allow your system to be pinged.
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 11 -j ACCEPT

After the script is modified, you need to run the script,

./fw-script.sh

Try to ssh to some host located outside of the lab, for example, eden or dsv.
Try running apt-get update command.
Both SSH and apt-get would hang up because the iptable rules don't allow initiating outbound TCP connections with remote hosts and their returm from outside of the local virtual private network, 192.168.122.0/24.
To enable return TCP-connections from the outside of the subnet, change "-s 192.168.122.0/24" and "-d 192.168.122.0/24" for "-s 0/0" and "-d 0/0" in the rules for "Accept local-network return traffic..." in the script.
The new rules should look as follows:

$IPT -A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT 
$IPT -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 0/0 -j ACCEPT

After the script is modified, you need to run the script,

./fw-script.sh

Try ssh to the host and apt-get command again. They should run fine.

Fundamentals of Linux security
How systems get compromised
Trojan script exercise
Stack overflow
Package upgrades and verification
Open Ports List exercise
Closing Ports
TCP Wrappers exercise
IP filtering firewalls (iptables)
Building iptables rules
Simple iptables script
NAT table
NAT script
Exercises with iptables
Port scanning exercises
GNU Privacy Guard
GPG exercises
Logs
System Integrity checks
GNUtar exercises
References
Take me to the Course Website