Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


Configuring iptables firewall

Exercises
Make sure iptables has been installed on the smbhost VM:
dpkg -l | grep iptables

Check the iptables rules on smbhost:
/sbin/iptables -n -L 

On smbhost, download the iptables script from fw-script.sh, make it executable, then run:
wget http://linuxcourse.rutgers.edu/lessons/Security/fw-script.sh
chmod 755 fw-script.sh
./fw-script.sh
Check the iptables rules again:
/sbin/iptables -n -L
You should see the new active rules.

Try pinging your desktop private virtual IP address from smbhost:
ping 192.168.122.1
Try pinging smbhost VM from the desktop:
ping 192.168.122.42


To enable ping, you need to add the following rules to your fw-script.sh (you can include them somewhere after the default policy):
# Echo - uncomment to allow your system to be pinged.
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.122.0/24 --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.122.0/24 --icmp-type 11 -j ACCEPT
After modifying the script, run it again:
./fw-script.sh

Try to ssh to some host located outside of the lab, for example, eden or dsv.
Try running apt-get update command.
Both ssh and apt-get hang because the iptables rules do not allow initiating outbound TCP connections to remote hosts, nor the return traffic from outside the local virtual private network, 192.168.122.0/24.
To accept return TCP traffic from outside the subnet, replace "-s 192.168.122.0/24" and "-d 192.168.122.0/24" with "-s 0/0" and "-d 0/0" in the rules under "Accept local-network return traffic..." in the script.
The new rules should look as follows:
$IPT -A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT 
$IPT -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 0/0 -j ACCEPT
After modifying the script, run it again:
./fw-script.sh
Try ssh to the host and the apt-get command again. Both should now run fine.
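As an added example (not the course's fw-script.sh, which this page does not reproduce), the rules this exercise adds and modifies are assembled below into one shell function; pointing $IPT at a print function lets you inspect the generated rule set without root before running it on smbhost. Assumed here: DROP default policies, and the names LAN, ALLOW_PING, show, dry_run and check_return_rule.

```shell
#!/bin/sh
# Added example, not the course's fw-script.sh. Assumptions: default policies are
# DROP; LAN, ALLOW_PING, show, dry_run and check_return_rule are names chosen here.
# The rule bodies are the ones the lesson adds or modifies.

LAN="192.168.122.0/24"            # the lab's virtual private network (from the lesson)
ALLOW_PING="${ALLOW_PING:-1}"     # 1 = add the ICMP echo rules, 0 = leave ping blocked

build_rules() {
    IPT="${IPT:-/sbin/iptables}"
    $IPT -F
    # Assumed default policy: drop whatever no rule explicitly accepts.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # ICMP echo (8 = request, 0 = reply, 11 = time exceeded), only from/to the LAN,
    # so the desktop can ping smbhost and smbhost can ping the desktop.
    if [ "$ALLOW_PING" -eq 1 ]; then
        for t in 0 8 11; do
            $IPT -A INPUT  -p icmp -s "$LAN" --icmp-type "$t" -j ACCEPT
            $IPT -A OUTPUT -p icmp -d "$LAN" --icmp-type "$t" -j ACCEPT
        done
    fi

    # Return traffic, with -s/-d 0/0 instead of $LAN: restricted to the LAN, replies
    # from eden or an apt mirror fall outside the subnet and are dropped, so ssh and
    # apt-get hang. (-m state is the older interface; -m conntrack --ctstate is the
    # current equivalent.)
    $IPT -A INPUT  -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT
    $IPT -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 0/0 -j ACCEPT
}

# Dry run: print each iptables invocation instead of executing it (no root needed).
show() { printf '%s\n' "$*"; }
dry_run() { ( IPT=show; build_rules ); }

# Sanity check on the generated set: the INPUT return rule must be open to 0/0,
# otherwise the hang described in the exercise comes back.
check_return_rule() {
    dry_run | grep -q -- '^-A INPUT .*ESTABLISHED,RELATED -s 0/0 -j ACCEPT$'
}
```

Run `dry_run` to review the rules, then `IPT=/sbin/iptables build_rules` as root to apply them.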

