INFA 620 Laboratory 4: Configuring a Firewall
- University of Maryland University College / Other
- 02 Apr 2018
- Price: $50
- Other / Other
INFA 620
Laboratory
4: Configuring a Firewall
In this exercise you will be working with firewalld (see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a
flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use
and configure the rules for filtering traffic.
firewalld provides higher-level command line and graphical interfaces
over Iptables to ease the pain of configuring the firewall features provided by
Linux. For this lab exercise, we will only be using the high-level command line
interface. firewalld provides a
dynamically managed firewall with support for network/firewall “zones” to
assign a level of trust to a network and its associated connections, interfaces
or sources. It has support for IPv4 and IPv6. There is a separation of the
runtime and permanent configuration options.
For this lab exercise, we will be using two
machines, one machine will behave like an Enterprise and the other machine will
behave like machines outside an enterprise. We will call this machine as External, external to the enterprise.
The firewall, as part of the enterprise will control traffic both coming into
the enterprise and going out of the enterprise (to External).
NIXENT01 (Enterprise) is a CentOS 7 machine. CentOS is a Linux distribution that attempts to provide a free,
enterprise-class, community-supported computing platform. Firewalld will be
running on this host.
NIXEXT01 (External) is Kali Linux. Kali
Linux is a Debian-based Linux distribution aimed at advanced Penetration
Testing and Security Auditing. Kali contains several hundred tools which are
geared towards various information security tasks, such as Penetration Testing,
Security research, Computer Forensics and Reverse Engineering.
Although there are only two machines, we
are going to pretend that the Enterprise has three machines (three IP
addresses) and each machine has certain services running on those machines, as
follows:
NIXENT01 (Enterprise)
|
Service |
Associated IP Address |
|
domain, telnet |
192.168.10.10 |
|
http, https |
192.168.10.20 |
|
ftp, imap2, imaps, pop3,
pop3s, urd |
192.168.10.30 |
Similarly, we are going to
emulate three machines on the External machine with three IP addresses, each
running only certain services as follows:
NIXEXT01 (External)
|
Service |
Associated IP Address |
|
domain, telnet |
192.168.10.210 |
|
http, https |
192.168.10.220 |
|
ftp, imap, imaps, pop3,
pop3s, urd |
192.168.10.230 |
The
instructions to use the remote UMUC machine in the DaaS environment is provided
in the Accessing Remote DaaS Lab under
Course Content.
Allocating the Lab Machines
Once you open the Lab Broker
using the instructions given in the UMUC Digital Lab Access Instructions found
under Accessing Remote DaaS Lab under Course Content, you will see a new window open. Each of your
courses that have labs will be listed here in the Lab Broker page.
1. Look for “INFA 620” and select “Nodes.”
2. Select “Allocate Lab” *this should take no more than 1 minute.*
*Please Note* Allocated lab resources expire in 7
days. If a lab expires, work done within the lab machine will be lost.
Connecting to the Lab Machines
1. Within the Lab Broker interface, view the current allocated nodes
for INFA 620
2. Use the “Connect” button to initiate a connection to each of
the two machines:
3. When prompted, enter the course credentials:
a. Username: StudentFirst
b. Password: Cyb3rl@b
4. Proceed with the connection. You will need to re-enter the
above credentials.
Network Traffic
Simulation Script
The Network traffic Simulation script
allows users to test pathways to lab resource machines by using the terminal to
initiate test packets. The script takes 2 input variables (IP address and
service) and uses this information to initiate a test. The script is
implemented using bash shell. The script accepts a target IP (-t) and any
service name (-s) available in /etc/services.
The script can be run on either machine to generate traffic for the other
machine,
To run the script:
1. Open a Terminal window.
2. Enter command “sudo /usr/local/sbin/traffic_test -t (target
IP) -s
(service)”
a. Target IP and Service are taken from the Enterprise and
External Tables above
b. Http example: “sudo
/usr/local/sbin/traffic_test -t 192.168.10.20 -s http” (This will be run on
External since we are generating traffic to reach192.168.10.20 )
3. Input the Password for the StudentFirst User: Cyb3rl@b
4. The script will then run a 5 packet test and display the
results.
The firewall is initially set up to Deny by Default. So, no traffic will be admitted in either
direction until we explicitly change the firewall rules.
Filtering
Incoming Traffic
We will show by one example how to configure the http traffic coming into 192.168.10.20.
Before we do that, let us verify, no http is coming in:
Initial State Test (You are generating traffic from External
to reach Enterprise.)
|
EXAMPLE: Incoming traffic to Enterprise on http port not allowed |
|
StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http [sudo]
password for StudentFirst: HPING
192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes ---
192.168.10.20 hping statistic --- 5
packets transmitted, 0 packets received, 100% packet loss round-trip
min/avg/max = 0.0/0.0/0.0 ms StudentFirst@infa620-nixext01:~$ |
Let us add an incoming traffic rule to the firewall to allow
http traffic to 192.168.10.20
|
Adding inbound rules to daaslab zone (Firewall rules are always
added from the Enterprise machine) |
|
|
|
[StudentFirst@infa620-nixent01 ~]$ sudo
firewall-cmd --zone=daaslab --add-rich-rule='rule family="ipv4"
destination address="192.168.10.20/32" port protocol="tcp"
port="80" accept’ [StudentFirst@infa620-nixent01 ~]$ password for
StudentFirst: Success You can verify whether a rule was added as follows: [StudentFirst@infa620-nixent01 ~]$ sudo
firewall-cmd --zone=daaslab --list-rich-rules rule family="ipv4" destination
address="192.168.10.20/32" port port="80"
protocol="tcp" accept [StudentFirst@infa620-nixent01 ~]$ |
Test the effect of the new rule added:
|
EXAMPLE: Incoming traffic to Enterprise on http port is now allowed |
|
StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http [sudo]
password for StudentFirst: HPING
192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes len=44
ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms len=44
ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.8 ms len=44
ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.7 ms len=44
ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=3.6 ms len=44
ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=3.5 ms ---
192.168.10.20 hping statistic --- 5
packets transmitted, 5 packets received, 0% packet loss round-trip
min/avg/max = 3.5/3.7/3.9 ms StudentFirst@infa620-nixext01:~$ |
As you can
see, the inbound http traffic to 192.168.10.20 has been enabled.
On your
own now, configure rules to allow the following nine services (45 Points):
https to 192.168.10.20
domain and telnet to 192.168.10.1 0
ftp, imap2, imaps, pop3, pop3s, and urd to
192.168.10.30
Domain is
often known as DNS (Domain Name Service). You should be able to google port
numbers for various services.
Before you
configure, first make sure, using the test script given, these traffic types
are not allowed to the respective hosts.
After configuring them, make sure they are allowed to the respective hosts.
Also, verify that the rules were added using sudo firewall-cmd --zone=daaslab --list-rich-rules. There should be one
rule for each service added. If you have done correctly, this is what will be
listed:
rule family="ipv4" destination
address="192.168.10.20/32" port port="80"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.20/32" port port="443"
protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.10/32"
port port="23" protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.10/32" port port="53"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="20"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="21"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="143"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="993"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="110"
protocol="tcp" accept
rule family="ipv4" destination
address="192.168.10.30/32" port port="995"
protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32"
port port="465" protocol="tcp" accept
Outgoing Traffic
Initial State Test
|
Outgoing traffic to External on http port not allowed (You are generating
traffic from Enterprise to reach External.) |
|
[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test
-t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S
set, 40 headers + 0 data bytes [send_ip] sendto: Operation not permitted [StudentFirst@infa620-nixent01 ~]$ |
Adding an outgoing traffic rules to the firewall
|
Adding outbound rules |
|
Via the Terminal |
|
[StudentFirst@infa620-nixent01 ~]$ sudo
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport
80 -j ACCEPT success [StudentFirst@infa620-nixent01 ~]$ |
Outbound Rules Test
|
Outgoing traffic to External on http port allowed |
|
[StudentFirst@infa620-nixent01 ~]$ sudo
/usr/local/sbin/traffic_test -t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S
set, 40 headers + 0 data bytes len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80
flags=SA seq=0 win=29200 rtt=1.9 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80
flags=SA seq=1 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80
flags=SA seq=2 win=29200 rtt=3.8 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80
flags=SA seq=3 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80
flags=SA seq=4 win=29200 rtt=2.0 ms --- 192.168.10.220 hping statistic --- 5 packets transmitted, 5 packets received, 0%
packet loss round-trip min/avg/max = 1.9/2.3/3.8 ms [StudentFirst@infa620-nixent01 ~]$ |
On your
own now, configure rules to allow the following nine services (45 Points):
https to 192.168.10.220
domain and telnet to 192.168.10.210
ftp, imap2, imaps, pop3, pop3s and urd
to 192.168.10.230
Before you
configure, first make sure using the test script these traffic types are not
allowed to the respective hosts. After configuring them, make sure they are
allowed to the respective hosts.
Miscellaneous
Tasks
Making Rules Persistent (Not needed for this lab exercise)
|
Making rules persistent |
|
[StudentFirst@infa620-nixent01 ~]$ sudo
firewall-cmd --runtime-to-permanent success [StudentFirst@infa620-nixent01 ~]$ |
You can view the Iptables to see what rules
you have added (sudo iptables -L). In the example below, the table entries that
are highlighted are the ones we have just added.
Viewing the IP Tables (sudo iptables -L)
|
Viewing iptables rules (Just an example output) |
|
Chain INPUT (policy ACCEPT) target
prot opt source
destination ACCEPT
udp -- anywhere anywhere multiport dports rfe ACCEPT
all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT
all -- anywhere anywhere INPUT_direct
all -- anywhere anywhere INPUT_ZONES_SOURCE
all -- anywhere anywhere INPUT_ZONES
all -- anywhere anywhere DROP
all -- anywhere anywhere ctstate INVALID REJECT
all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target
prot opt source
destination ACCEPT
all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT
all -- anywhere anywhere FORWARD_direct
all -- anywhere anywhere FORWARD_IN_ZONES_SOURCE all
-- anywhere anywhere FORWARD_IN_ZONES
all -- anywhere anywhere FORWARD_OUT_ZONES_SOURCE all
-- anywhere anywhere FORWARD_OUT_ZONES
all -- anywhere anywhere DROP
all -- anywhere anywhere ctstate INVALID REJECT
all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target
prot opt source
destination OUTPUT_direct
all -- anywhere anywhere Chain FORWARD_IN_ZONES (1 references) target
prot opt source
destination FWDI_daaslab
all -- anywhere anywhere FWDI_trusted
all -- anywhere anywhere FWDI_trusted
all -- anywhere anywhere Chain FORWARD_IN_ZONES_SOURCE (1 references) target
prot opt source
destination Chain FORWARD_OUT_ZONES (1 references) target
prot opt source
destination FWDO_daaslab
all -- anywhere anywhere FWDO_trusted
all -- anywhere anywhere FWDO_trusted
all -- anywhere anywhere Chain FORWARD_OUT_ZONES_SOURCE (1 references) target
prot opt source
destination Chain FORWARD_direct (1 references) target
prot opt source
destination Chain FWDI_daaslab (1 references) target
prot opt source
destination FWDI_daaslab_log
all -- anywhere anywhere FWDI_daaslab_deny
all -- anywhere anywhere FWDI_daaslab_allow
all -- anywhere anywhere DROP
all -- anywhere anywhere Chain FWDI_daaslab_allow (1 references) target
prot opt source destination Chain FWDI_daaslab_deny (1 references) target
prot opt source
destination Chain FWDI_daaslab_log (1 references) target
prot opt source
destination Chain FWDI_trusted (2 references) target
prot opt source
destination FWDI_trusted_log
all -- anywhere anywhere FWDI_trusted_deny
all -- anywhere anywhere FWDI_trusted_allow
all -- anywhere anywhere ACCEPT
all -- anywhere anywhere Chain FWDI_trusted_allow (1 references) target
prot opt source
destination Chain FWDI_trusted_deny (1 references) target
prot opt source
destination Chain FWDI_trusted_log (1 references) target
prot opt source
destination Chain FWDO_daaslab (1 references) target
prot opt source
destination FWDO_daaslab_log
all -- anywhere anywhere FWDO_daaslab_deny
all -- anywhere anywhere FWDO_daaslab_allow
all -- anywhere anywhere DROP all
-- anywhere anywhere Chain FWDO_daaslab_allow (1 references) target
prot opt source
destination Chain FWDO_daaslab_deny (1 references) target
prot opt source
destination Chain FWDO_daaslab_log (1 references) target
prot opt source
destination Chain FWDO_trusted (2 references) target
prot opt source
destination FWDO_trusted_log
all -- anywhere anywhere FWDO_trusted_deny
all -- anywhere anywhere FWDO_trusted_allow
all -- anywhere anywhere ACCEPT
all -- anywhere anywhere Chain FWDO_trusted_allow (1 references) target
prot opt source
destination Chain FWDO_trusted_deny (1 references) target
prot opt source
destination Chain FWDO_trusted_log (1 references) target
prot opt source
destination Chain INPUT_ZONES (1 references) target
prot opt source
destination IN_daaslab
all -- anywhere anywhere IN_trusted
all -- anywhere anywhere IN_trusted
all -- anywhere anywhere Chain INPUT_ZONES_SOURCE (1 references) target
prot opt source
destination Chain INPUT_direct (1 references) target
prot opt source
destination Chain IN_daaslab (1 references) target
prot opt source
destination IN_daaslab_log
all -- anywhere anywhere IN_daaslab_deny
all -- anywhere anywhere IN_daaslab_allow
all -- anywhere anywhere DROP
all -- anywhere anywhere Chain
IN_daaslab_allow (1 references) target prot opt source destination ACCEPT tcp
-- anywhere
ip-192-168-10-20.ec2.internal
tcp dpt:http ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-20.ec2.internal
tcp dpt:https ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-10.ec2.internal
tcp dpt:telnet ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-10.ec2.internal
tcp dpt:domain ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-30.ec2.internal
tcp dpt:ftp-data ctstate NEW ACCEPT tcp
-- anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-30.ec2.internal
tcp dpt:imap ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-30.ec2.internal
tcp dpt:imaps ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-30.ec2.internal
tcp dpt:pop3 ctstate NEW ACCEPT tcp
-- anywhere
ip-192-168-10-30.ec2.internal
tcp dpt:pop3s ctstate NEW ACCEPT tcp
-- anywhere ip-192-168-10-30.ec2.internal tcp dpt:urd ctstate NEW Chain IN_daaslab_deny (1 references) target
prot opt source
destination Chain IN_daaslab_log (1 references) target
prot opt source
destination Chain IN_trusted (2 references) target
prot opt source
destination IN_trusted_log
all -- anywhere anywhere IN_trusted_deny
all -- anywhere anywhere IN_trusted_allow
all -- anywhere anywhere ACCEPT
all -- anywhere anywhere Chain IN_trusted_allow (1 references) target
prot opt source
destination Chain IN_trusted_deny (1 references) target
prot opt source
destination Chain IN_trusted_log (1 references) target
prot opt source
destination Chain
OUTPUT_direct (1 references) target prot opt source destination ACCEPT all
-- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp
-- anywhere anywhere tcp dpt:http ACCEPT tcp
-- anywhere anywhere tcp dpt:https ACCEPT tcp
-- anywhere anywhere tcp dpt:telnet ACCEPT tcp
-- anywhere anywhere tcp dpt:domain ACCEPT tcp
-- anywhere anywhere tcp dpt:ftp-data ACCEPT tcp
-- anywhere anywhere tcp dpt:imap ACCEPT tcp
-- anywhere anywhere tcp dpt:pop3 ACCEPT tcp
-- anywhere anywhere tcp dpt:pop3s ACCEPT tcp
-- anywhere anywhere tcp dpt:urd ACCEPT tcp
-- anywhere anywhere tcp dpt:ftp ACCEPT tcp
-- anywhere anywhere tcp dpt:imaps REJECT
all -- anywhere anywhere reject-with icmp-host-prohibited [StudentFirst@infa620-nixent01
~]$ |
Export the IP Tables,
as illustrated below (for submission)
|
Exporting iptables rules |
|
[StudentFirst@infa620-nixent01 ~]$ sudo
iptables-save > ~/Desktop/iptables_rules-July17-17.txt [sudo] password for StudentFirst: [StudentFirst@infa620-nixent01 ~]$ |
Transfer this file, iptables_rules-July17-17.txt, first to the workspsace Desktop. From there,
you can email the file using the Chrome
browser to yourself and then submit it to the Lab 4 folder in the classroom.
(10 Points) Also, provide a
short summary of your experience of using DaaS for this Lab (Difficulties you
have encountered, what worked, what did not work, etc.)
USA 
India