Computer security – Packet filtering – firewalls – iptables

Packet filtering – firewalls – iptables

The Fedora packet-filtering firewall configuration file is

/etc/sysconfig/iptables-config and /etc/sysconfig/iptables

Create a backup copy of this file so that you can restore the original version at the end of the practical session.

Note that iptables is: (1) the name of the configuration file; (2) the name of the firewall software; (3) the fundamental firewall command; and (4) the name of the iptables daemon.

Investigate the /etc/sysconfig/iptables file and modify it according to the following requirements. Note that only root can edit this configuration file.

The iptables daemon must be restarted for changes to the configuration to take effect.

Iptables was actually superseded by firewalld, but this practical focuses on the simple use of iptables, and thus firewalld will need to be switched off.

service firewalld stop            ## as root

service iptables restart              ## as root

Initially the file containing the rules does not exist. To create an empty rule book, issue the following command:

service iptables save             ## as root

You should now find a new file created within /etc/sysconfig/iptables

Please note: in order for any firewall rules to be applied, the service will need to be restarted via:

service iptables restart              ## as root

Required modifications to the iptables configuration

1. Accept icmp echo-requests only, and only from a colleague’s computer of specified IP address.

2. Allow ssh connections only from a colleague’s computer of specified IP address.

3. Change the default policy so that packets are dropped (“dropped silently”) rather than being rejected with a returned message.
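As an added example (not part of the practical handout), the following shell script builds a rule set that meets all three requirements, in the same iptables-restore format as the example configuration file discussed later in this handout; the address in COLLEAGUE is an assumed placeholder, and the helper functions are checks of the generated text only, so nothing here needs root until the file is installed.

```shell
#!/bin/sh
# Added example: generate the rule set for the three required modifications.
# Write the output to /etc/sysconfig/iptables (as root, after backing up the
# original) and load it with "service iptables restart".
# COLLEAGUE is an assumed placeholder; replace it with your colleague's IP address.
COLLEAGUE="192.0.2.10"

# Print the complete rules file. Compared with the handout's example file:
#  - INPUT and FORWARD policies are DROP, so unmatched packets are dropped silently;
#  - ICMP is limited to echo-request, and only from $COLLEAGUE;
#  - NEW ssh (tcp/22) connections are accepted only from $COLLEAGUE;
#  - the final REJECT rule is removed, so the DROP policy decides the rest.
# The ESTABLISHED,RELATED rule comes first so replies to our own outgoing
# traffic (including our own pings) are still accepted.
restricted_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s $COLLEAGUE -p icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s $COLLEAGUE -m state --state NEW -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Sanity checks on the generated text before installing it; each returns 0 on success.
policy_is_drop() {   # usage: policy_is_drop INPUT
    restricted_rules | grep -q "^:$1 DROP "
}
no_reject_rule() {   # no rule may still answer with an ICMP error
    ! restricted_rules | grep -q -- '-j REJECT'
}
ssh_only_from_colleague() {   # every rule opening port 22 must carry -s $COLLEAGUE
    [ "$(restricted_rules | grep -- '--dport 22' | grep -vc -- "-s $COLLEAGUE ")" -eq 0 ]
}

restricted_rules
```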

Questions

What is meant by “stateless filtering” and “stateful filtering”?

Which is encountered first by an incoming packet – the firewall or tcp-wrappers?

As usual, record full details of your actions and answer all questions in your logbook.

Example of a firewall configuration file (/etc/sysconfig/iptables-config) for a single system (Redhat / Fedora) that uses iptables. Note that there will probably be differences between this particular file and the corresponding files on different installations and for different versions of the operating system. The numbers in brackets – e.g. [8] – have been added for reference and are not part of the original file.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
[1]    :INPUT ACCEPT [0:0]
[2]    :FORWARD ACCEPT [0:0]
[3]    :OUTPUT ACCEPT [0:0]
[4]    :RH-Firewall-1-INPUT - [0:0]
[5]    -A INPUT -j RH-Firewall-1-INPUT
[6]    -A FORWARD -j RH-Firewall-1-INPUT
[7]    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[8]    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
[9]    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
[10]   -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
[11]   -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[12]   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[13]   -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
[14]   COMMIT

Note that the above file is a customised Redhat / Fedora /etc/sysconfig/iptables-config file and would appear a little different if you were programming with iptables yourself. For example, you should understand that here the “iptables” command itself has been omitted: commands “-A …” should be understood to mean “iptables -A …”.

The filter table has “INPUT”, “FORWARD”, and “OUTPUT” chains by default.

[5, 6]

Redhat / Fedora passes the “INPUT” and “FORWARD” chains to its customised chain RH-Firewall-1-INPUT.

[7]

ACCEPT everything on the lo interface – localhost, 127.0.0.1 (the internal network communications of the machine itself).

-A                            append to the chain

-i                              interface

-j                             jump to target, e.g. ACCEPT

[8]

ACCEPT protocol ICMP messages of any type. This will accept ping packets, for example.

-p                            protocol

[9,10]

ACCEPT IPv6-Crypt and IPV6-Auth protocols – encryption and authentication protocol for IPv6, as listed in /etc/protocols (protocol numbers 50, 51).

[11]

ACCEPT packets for ESTABLISHED and RELATED connections. This represents stateful inspection of packets.

-m                           match – in this case, match the state

--state                   the specification of the state, here ESTABLISHED and RELATED

[12]

ACCEPT NEW connections from outside on destination port 22 – i.e. ssh. Matches to state NEW and tcp. Protocol tcp. Note that this command creates an opening in the firewall.

--dport                   destination port

[13]

REJECT any packets that have continued this far and return an icmp-host-prohibited message.

Part 2

Packet “sniffing” – wireshark (ethereal)

Investigate and use the software for packet “sniffing” that is called either “wireshark” or “ethereal” (the old name).

Is the software installed on your computer? If not, find a source of the software, download it, and install it. (Installation from RPM files will usually be easiest.)

Use your logbook to record all the details of the purpose and operation of wireshark (ethereal) that would be needed for you to subsequently write an introductory manual.

Use the man pages, Google, and exploration of the capabilities of the software to find all the information that you need.

Be sure that your notes for the introductory manual include the functions of the various sub-windows, the use of colouring-rules, explanations of technical terms such as “promiscuous”, “dissector”, etc. You might want to include screen-dumps in your logbook.
