Laboratory 4: Configuring a Firewall
Laboratory 4: Configuring a Firewall
Laboratory 4: Configuring a Firewall
Logo.Preferred2c.dark.png
INFA 620
Laboratory 4: Configuring a Firewall
In this exercise you will be working with firewalld (see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use and configure the rules for filtering traffic. firewalld provides higher-level command line and graphical interfaces over Iptables to ease the pain of configuring the firewall features provided by Linux. For this lab exercise, we will only be using only the high-level command line interface. firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4 and IPv6. There is a separation of the runtime and permanent configuration options.
For this lab exercise, we will be using two machines, one machine will behave like an Enterprise and the other machine will behave like machines outside an enterprise. We will call this machine as External, external to the enterprise. The firewall, as part of the enterprise will control traffic both coming into the enterprise and going out of the enterprise (to External).
NIXENT01 (Enterprise) is a CentOS 7 machine. CentOS is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. Firewalld will be running on this host.
NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering. You have already used this machine for Lab2 and Lab 3 in analyzing packets using Wireshark. (Wireshark is available as part of Kali distribution.)
Although there are only two machines, we are going to pretend that the Enterprise has three machines (three IP addresses) and each machine has certain services running on those machines, as follows:
NIXENT01 (Enterprise)
Service
Associated IP Address
domain, telnet
192.168.10.10
http, https
192.168.10.20
ftp, imap2, imaps, pop3, pop3s, urd
192.168.10.30
Similarly, we are going to emulate three machines on the External machine with three IP addresses, each running only certain services as follows:
NIXEXT01 (External)
Service
Associated IP Address
domain, telnet
192.168.10.210
http, https
192.168.10.220
ftp, imap, imaps, pop3, pop3s, urd
192.168.10.230
The instructions to use the remote UMUC machine in the DaaS environment is provided in the Accessing Remote DaaS Lab under Course Content.
Allocating the Lab Machines
Once you open the Lab Broker using the instructions given in the UMUC Digital Lab Access Instructions found under Accessing Remote DaaS Lab under Course Content, you will see a new window open. Each of your courses that have labs will be listed here in the Lab Broker page.
- Look for “INFA 620” and select “Nodes.”
- Select “Allocate Lab” this should take no more than 1 minute.
Please Note Allocated lab resources expire in 7 days. If a lab expires, work done within the lab machine.
Connecting to the Lab Machines
- Within the Lab Broker interface, view the current allocated nodes for INFA 620
- Use the “Connect” button to initiate a connection to each of the two machines:
- When prompted, enter the course credentials:
a. Username: StudentFirst
b. Password: Cyb3rl@b
- Proceed with the connection. You will need to re-enter the above credentials.
Network Traffic Simulation Script
The Network traffic Simulation script allows users to test pathways to lab resource machines by using the terminal to initiate test packets. The script takes 2 input variables (IP address and service) and uses this information to initiate a test. The script is implemented using bash shell. The script accepts a target IP (-t) and any service name (-s) available in /etc/services. The script can be run on either machine to generate traffic for the other machine,
To run the script:
- Open a Terminal window.
- Enter command “ sudo /usr/local/sbin/traffic_test -t (target IP) -s (service)”
a. Target IP and Service are taken from the Enterprise and External Tables above
b. Http example: “sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http” (This will be run on External since we are generating traffic to reach192.168.10.20 )
- Input the Password for the StudentFirst User: Cyb3rl@b
- The script will then run a 5 packet test and display the results.
The firewall is initially is set up to Deny by Default. So, no traffic will be admitted in either direction until we explicitly change the firewall rules.
Filtering Incoming Traffic
We will show by one example how to configure the http traffic coming into 192.168.10.20. Before we do that, let us verify, no http is coming in:
Initial State Test (You are generating traffic from External to reach Enterprise.)
EXAMPLE: Incoming traffic to Enterprise on http port not allowed
StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http
[sudo]
password for StudentFirst:
HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes
— 192.168.10.20 hping statistic —
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
StudentFirst@infa620-nixext01:~$
Let us add an incoming traffic rule to the firewall to allow http traffic to 192.168.10.20
Adding inbound rules to daaslab zone (Firewall rules are always added from the Enterprise machine)
[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –zone=daaslab –add-rich-rule=’rule family=”ipv4″ destination address=”192.168.10.20/32″ port protocol=”tcp” port=”80″ accept’
[StudentFirst@infa620-nixent01 ~]$ password for StudentFirst:
Success
You can verify whether a rule was added as follows:
[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –zone=daaslab –list-rich-rules
rule family=”ipv4″ destination address=”192.168.10.20/32″ port port=”80″ protocol=”tcp” accept
[StudentFirst@infa620-nixent01 ~]$
Test the effect of the new rule added:
EXAMPLE: Incoming traffic to Enterprise on http port is now allowed
StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http
[sudo]
password for StudentFirst:
HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.8 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.7 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=3.6 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=3.5 ms
— 192.168.10.20 hping statistic —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.5/3.7/3.9 ms
StudentFirst@infa620-nixext01:~$
As you can see, the inbound http traffic to 192.168.10.20 has been enabled.
On your own now, configure rules to allow the following nine services (45 Points):
https to 192.168.10.20
domain and telnet to 192.168.10.1 0
ftp, imap2, imaps, pop3, pop3s, and urd to 192.168.10.30
Domain is often known as DNS (Domain Name Service). You should be able to google port numbers for various services.
Before you configure, first make sure, using the test script given, these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts. Also, verify that the rules were added using sudo firewall-cmd –zone=daaslab –list-rich-rules. There should be one rule for each service added. If you have done correctly, this is what will be listed:
rule family=”ipv4″ destination address=”192.168.10.20/32″ port port=”80″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.20/32″ port port=”443″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.10/32″ port port=”23″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.10/32″ port port=”53″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”20″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”21″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”143″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”993″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”110″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”995″ protocol=”tcp” accept
rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”465″ protocol=”tcp” accept
Outgoing Traffic
Initial State Test
Outgoing traffic to External on http port not allowed (You are generating traffic from Enterprise to reach External.)
[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http
[sudo]
password for StudentFirst:
HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes
[send_ip]
sendto: Operation not permitted
[StudentFirst@infa620-nixent01 ~]$
Adding an outgoing traffic rules to the firewall
Adding outbound rules
Via the Terminal
[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –direct –add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp –dport 80 -j ACCEPT
success
[StudentFirst@infa620-nixent01 ~]$
Outbound Rules Test
Outgoing traffic to External on http port allowed
[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http
[sudo]
password for StudentFirst:
HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.9 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=2.0 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.8 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms
— 192.168.10.220 hping statistic —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.3/3.8 ms
[StudentFirst@infa620-nixent01 ~]$
On your own now, configure rules to allow the following nine services (45 Points):
https to 192.168.10.220
domain and telnet to 192.168.10.210
ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230
Before you configure, first make sure using the test script these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts.
Miscellaneous Tasks
Making Rules Persistent (Not needed for this lab exercise)
Making rules persistent
[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –runtime-to-permanent
success
[StudentFirst@infa620-nixent01 ~]$
You can view the Iptables to see what rules you have added. In the example below, the table entries that are highlighted are the ones we have just added.
Viewing the IP Tables
Viewing iptables rules (Just an example output)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp — anywhere anywhere multiport dports rfe
ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all — anywhere anywhere
INPUT_direct all — anywhere anywhere
INPUT_ZONES_SOURCE all — anywhere anywhere
INPUT_ZONES all — anywhere anywhere
DROP all — anywhere anywhere ctstate INVALID
REJECT all — anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all — anywhere anywhere
FORWARD_direct all — anywhere anywhere
FORWARD_IN_ZONES_SOURCE all — anywhere anywhere
FORWARD_IN_ZONES all — anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all — anywhere anywhere
FORWARD_OUT_ZONES all — anywhere anywhere
DROP all — anywhere anywhere ctstate INVALID
REJECT all — anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all — anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_daaslab all — anywhere anywhere
FWDI_trusted all — anywhere anywhere
FWDI_trusted all — anywhere anywhere
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_daaslab all — anywhere anywhere
FWDO_trusted all — anywhere anywhere
FWDO_trusted all — anywhere anywhere
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_daaslab (1 references)
target prot opt source destination
FWDI_daaslab_log all — anywhere anywhere
FWDI_daaslab_deny all — anywhere anywhere
FWDI_daaslab_allow all — anywhere anywhere
DROP all — anywhere anywhere
Chain FWDI_daaslab_allow (1 references)
target prot opt source destination
Chain FWDI_daaslab_deny (1 references)
target prot opt source destination
Chain FWDI_daaslab_log (1 references)
target prot opt source destination
Chain FWDI_trusted (2 references)
target prot opt source destination
FWDI_trusted_log all — anywhere anywhere
FWDI_trusted_deny all — anywhere anywhere
FWDI_trusted_allow all — anywhere anywhere
ACCEPT all — anywhere anywhere
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_daaslab (1 references)
target prot opt source destination
FWDO_daaslab_log all — anywhere anywhere
FWDO_daaslab_deny all — anywhere anywhere
FWDO_daaslab_allow all — anywhere anywhere
DROP all — anywhere anywhere
Chain FWDO_daaslab_allow (1 references)
target prot opt source destination
Chain FWDO_daaslab_deny (1 references)
target prot opt source destination
Chain FWDO_daaslab_log (1 references)
target prot opt source destination
Chain FWDO_trusted (2 references)
target prot opt source destination
FWDO_trusted_log all — anywhere anywhere
FWDO_trusted_deny all — anywhere anywhere
FWDO_trusted_allow all — anywhere anywhere
ACCEPT all — anywhere anywhere
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_daaslab all — anywhere anywhere
IN_trusted all — anywhere anywhere
IN_trusted all — anywhere anywhere
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_daaslab (1 references)
target prot opt source destination
IN_daaslab_log all — anywhere anywhere
IN_daaslab_deny all — anywhere anywhere
IN_daaslab_allow all — anywhere anywhere
DROP all — anywhere anywhere
Chain IN_daaslab_allow (1 references)
target prot opt source destination
ACCEPT tcp — anywhere ip-192-168-10-20.ec2.internal tcp dpt:http ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-20.ec2.internal tcp dpt:https ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-10.ec2.internal tcp dpt:telnet ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-10.ec2.internal tcp dpt:domain ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp-data ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:imap ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:imaps ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3 ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3s ctstate NEW
ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:urd ctstate NEW
Chain IN_daaslab_deny (1 references)
target prot opt source destination
Chain IN_daaslab_log (1 references)
target prot opt source destination
Chain IN_trusted (2 references)
target prot opt source destination
IN_trusted_log all — anywhere anywhere
IN_trusted_deny all — anywhere anywhere
IN_trusted_allow all — anywhere anywhere
ACCEPT all — anywhere anywhere
Chain IN_trusted_allow (1 references)
target prot opt source destination
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp — anywhere anywhere tcp dpt:http
ACCEPT tcp — anywhere anywhere tcp dpt:https
ACCEPT tcp — anywhere anywhere tcp dpt:telnet
ACCEPT tcp — anywhere anywhere tcp dpt:domain
ACCEPT tcp — anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp — anywhere anywhere tcp dpt:imap
ACCEPT tcp — anywhere anywhere tcp dpt:pop3
ACCEPT tcp — anywhere anywhere tcp dpt:pop3s
ACCEPT tcp — anywhere anywhere tcp dpt:urd
ACCEPT tcp — anywhere anywhere tcp dpt:ftp
ACCEPT tcp — anywhere anywhere tcp dpt:imaps
REJECT all — anywhere anywhere reject-with icmp-host-prohibited
[StudentFirst@infa620-nixent01 ~]$
Export the IP Tables, as illustrated below (for submission)
Exporting iptables rules
[StudentFirst@infa620-nixent01 ~]$ sudo iptables-save > ~/Desktop/iptables_rules-May17-17.txt
[sudo]
password for StudentFirst:
[StudentFirst@infa620-nixent01 ~]$
Transfer this file, iptables_rules-May17-17.txt, first to the workspsace Desktop. From there, you can email the file using the Chrome browser to yourself and then submit it to the Lab 4 folder in the classroom.
(10 Points) Also, provide a short summary of your experience of using DaaS for this Lab (Difficulties you have encountered, what worked, what did not work, etc.)
1
The post Laboratory 4: Configuring a Firewall appeared first on onlineessaytutors.com.