needsolutions

Laboratory 4: Configuring a Firewall

 

INFA 620

Laboratory 4: Configuring a Firewall

In this exercise you will be working with firewalld (see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use and configure the rules for filtering traffic.  firewalld provides higher-level command line and graphical interfaces over Iptables to ease the pain of configuring the firewall features provided by Linux. For this lab exercise, we will only be using only the high-level command line interface.  firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4 and IPv6. There is a separation of the runtime and permanent configuration options.

 

For this lab exercise, we will be using two machines, one machine will behave like an Enterprise and the other machine will behave like machines outside an enterprise. We will these machines as External, external to the enterprise. The firewall, as part of the enterprise will control traffic both coming into the enterprise and going out of the enterprise (to External).

NIXENT01 (Enterprise) is a CentOS 7 machine. CentOS is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. Firewalld will be running on this host.  

NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering. You have already used this machine for Lab2 and Lab 3 in analyzing packets using Wireshark. (Wireshark is available as part of Kali distribution.)

 

Although there are only two machines, we are going to pretend that the Enterprise has three machines (three IP addresses) and each machine has certain services running on those machines, as follows:

 

NIXENT01 (Enterprise)

Service

Associated IP Address

domain, telnet

192.168.10.10

http, https

192.168.10.20

ftp, imap2, imaps, pop3, pop3s, urd

192.168.10.30

 

Similarly, we are going to emulate three machines on the External machine with three IP addresses, each running only certain services as follows:

 

NIXEXT01 (External)

Service

Associated IP Address

domain, telnet

192.168.10.210

http, https

192.168.10.220

ftp, imap, imaps, pop3, pop3s, urd

192.168.10.230

 

 

The instructions to use the remote UMUC machine in the DaaS environment is provided in the Accessing Remote DaaS Lab under Course Content. Allocating the Lab Machines.

 

  1. Once Lab Broker is available, open the “UMUC Labs” link on the desktop.
  2. Look for “INFA 620” and select “Nodes.”
  3. Select “Allocate Lab” *this should take no more than 1 minute.*

*Please Note* Allocated lab resources expire in 7 days. If a lab expires, work done within the lab machine.

Connecting to the Lab Machines

  1. Within the Lab Broker interface, view the current allocated nodes for INFA 620
  2. Use the “Connect” button to initiate a connection to each of the two machines:
  3. When prompted, enter the course credentials:
    1. Username: StudentFirst
    2. Password: Cyb3rl@b
  4. Proceed with the connection. You will need to re-enter the above credentials.

 

Network Traffic Simulation Script

The Network traffic Simulation script allows users to test pathways to lab resource machines by using the terminal to initiate test packets. The script takes 2 input variables (IP address and service) and uses this information to initiate a test. The script is implemented using bash shell. The script accepts a target IP (-t) and any service name (-s) available in /etc/services

 

To run the script:

  1. Open Terminal window.
  2. Enter command “sudo /usr/local/sbin/traffic_test -t (target IP) -s (service)”
    1. Target IP and Service are taken from the Enterprise and External Tables above
    2. Http example: “sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http
  3. Input the Password for the StudentFirst User: Cyb3rl@b
  4. The script will then run a 5 packet test and display the results.

 

The firewall is initially is set up to Deny by Default. So, no traffic will be admitted in either direction until we explicitly change the firewall rules.

Filtering Incoming Traffic

We will show by one example how to configure the http traffic coming into 192.168.10.20. Before we do that, let us verify, no http is coming in:

Initial State Test (You are generating traffic from External to reach Enterprise.)

EXAMPLE: Incoming traffic to Enterprise on http port not allowed

StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes

 

--- 192.168.10.20 hping statistic ---

5 packets transmitted, 0 packets received, 100% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

StudentFirst@infa620-nixext01:~$

Let us add an incoming traffic rule to the firewall to allow http traffic to 192.168.10.20

Adding inbound rules to daaslab zone

 

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --zone=daaslab --add-rich-rule='rule family="ipv4" destination address="192.168.10.20/32" port  protocol="tcp" port="80" accept’

[StudentFirst@infa620-nixent01 ~]$ password for StudentFirst:

Success

 

You can verify whether a rule was added as follows:

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --zone=daaslab --list-rich-rules

rule family="ipv4" destination address="192.168.10.20/32" port port="80" protocol="tcp" accept

[StudentFirst@infa620-nixent01 ~]$

Test the effect of the new rule added:

EXAMPLE: Incoming traffic to Enterprise on http port is now allowed

StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.8 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.7 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=3.6 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=3.5 ms

 

--- 192.168.10.20 hping statistic ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 3.5/3.7/3.9 ms

StudentFirst@infa620-nixext01:~$

As you can see, the inbound http traffic to 192.168.10.20 has been enabled.

 

On your own now, configure rules to allow the following nine services (45 Points):

 

https to 192.168.10.20

domain and telnet to 192.168.10.1  0

ftp, imap2, imaps, pop3, pop3s, and urd   to 192.168.10.30

 

Domain is often known as DNS (Domain Name Service). You should be able to google port numbers for various services.

 

Before you configure, first make sure, using the test script given, these traffic types are not allowed to the respective  hosts. After configuring them, make sure they are allowed to the respective hosts. Also, verify that the rules were added using sudo firewall-cmd --zone=daaslab  --list-rich-rules. There should be one rule for each service added. If you have done correctly, this is what will be listed:

 

rule family="ipv4" destination address="192.168.10.20/32" port port="80" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.20/32" port port="443" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.10/32" port port="23" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.10/32" port port="53" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="20" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="21" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="143" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="993" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="110" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="995" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="465" protocol="tcp" accept

 

Outgoing Traffic

Initial State Test

Outgoing traffic to External on http port not allowed (You are generating traffic from Enterprise to reach External.)

[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes

[send_ip] sendto: Operation not permitted

[StudentFirst@infa620-nixent01 ~]$

Adding an outgoing traffic rules to the firewall

Adding outbound rules

Via the Terminal

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

success

[StudentFirst@infa620-nixent01 ~]$

Outbound Rules Test

Outgoing traffic to External on http port allowed

[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.9 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=2.0 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.8 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms

 

--- 192.168.10.220 hping statistic ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 1.9/2.3/3.8 ms

[StudentFirst@infa620-nixent01 ~]$

 

On your own now, configure rules to allow the following nine services (45 Points):

 

https to 192.168.10.220

domain and telnet to 192.168.10.210

ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230

 

Before you configure, first make sure using the test script these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts.

Miscellaneous Tasks

Making Rules Persistent (Not needed for this lab exercise)

Making rules persistent

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --runtime-to-permanent

success

[StudentFirst@infa620-nixent01 ~]$

 

 You can view the Iptables to see what rules you have added. In the example below, the table entries that are highlighted are the ones we have just added.

Viewing the IP Tables

Viewing iptables rules (Just an example output)

Chain INPUT (policy ACCEPT)

target     prot opt source               destination        

ACCEPT     udp  --  anywhere             anywhere             multiport dports rfe

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

ACCEPT     all  --  anywhere             anywhere           

INPUT_direct  all  --  anywhere             anywhere           

INPUT_ZONES_SOURCE  all  --  anywhere             anywhere           

INPUT_ZONES  all  --  anywhere             anywhere           

DROP       all  --  anywhere             anywhere             ctstate INVALID

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination        

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

ACCEPT     all  --  anywhere             anywhere           

FORWARD_direct  all  --  anywhere             anywhere           

FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere           

FORWARD_IN_ZONES  all  --  anywhere             anywhere           

FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere           

FORWARD_OUT_ZONES  all  --  anywhere             anywhere           

DROP       all  --  anywhere             anywhere             ctstate INVALID

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination        

OUTPUT_direct  all  --  anywhere             anywhere           

 

Chain FORWARD_IN_ZONES (1 references)

target     prot opt source               destination        

FWDI_daaslab  all  --  anywhere             anywhere           

FWDI_trusted  all  --  anywhere             anywhere           

FWDI_trusted  all  --  anywhere             anywhere           

 

Chain FORWARD_IN_ZONES_SOURCE (1 references)

target     prot opt source               destination        

 

Chain FORWARD_OUT_ZONES (1 references)

target     prot opt source               destination        

FWDO_daaslab  all  --  anywhere             anywhere           

FWDO_trusted  all  --  anywhere             anywhere           

FWDO_trusted  all  --  anywhere             anywhere           

 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)

target     prot opt source               destination        

 

Chain FORWARD_direct (1 references)

target     prot opt source               destination        

 

Chain FWDI_daaslab (1 references)

target     prot opt source               destination        

FWDI_daaslab_log  all  --  anywhere             anywhere           

FWDI_daaslab_deny  all  --  anywhere             anywhere           

FWDI_daaslab_allow  all  --  anywhere             anywhere           

DROP       all  --  anywhere             anywhere           

 

Chain FWDI_daaslab_allow (1 references)

target     prot opt source               destination        

 

Chain FWDI_daaslab_deny (1 references)

target     prot opt source               destination        

 

Chain FWDI_daaslab_log (1 references)

target     prot opt source               destination        

 

Chain FWDI_trusted (2 references)

target     prot opt source               destination        

FWDI_trusted_log  all  --  anywhere             anywhere           

FWDI_trusted_deny  all  --  anywhere             anywhere           

FWDI_trusted_allow  all  --  anywhere             anywhere           

ACCEPT     all  --  anywhere             anywhere           

 

Chain FWDI_trusted_allow (1 references)

target     prot opt source               destination        

 

Chain FWDI_trusted_deny (1 references)

target     prot opt source               destination        

 

Chain FWDI_trusted_log (1 references)

target     prot opt source               destination        

 

Chain FWDO_daaslab (1 references)

target     prot opt source               destination        

FWDO_daaslab_log  all  --  anywhere             anywhere           

FWDO_daaslab_deny  all  --  anywhere             anywhere           

FWDO_daaslab_allow  all  --  anywhere             anywhere           

DROP       all  --  anywhere             anywhere           

 

Chain FWDO_daaslab_allow (1 references)

target     prot opt source               destination        

 

Chain FWDO_daaslab_deny (1 references)

target     prot opt source               destination        

 

Chain FWDO_daaslab_log (1 references)

target     prot opt source               destination        

 

Chain FWDO_trusted (2 references)

target     prot opt source               destination        

FWDO_trusted_log  all  --  anywhere             anywhere           

FWDO_trusted_deny  all  --  anywhere             anywhere           

FWDO_trusted_allow  all  --  anywhere             anywhere           

ACCEPT     all  --  anywhere             anywhere           

 

Chain FWDO_trusted_allow (1 references)

target     prot opt source               destination        

 

Chain FWDO_trusted_deny (1 references)

target     prot opt source               destination        

 

Chain FWDO_trusted_log (1 references)

target     prot opt source               destination        

 

Chain INPUT_ZONES (1 references)

target     prot opt source               destination        

IN_daaslab  all  --  anywhere             anywhere           

IN_trusted  all  --  anywhere             anywhere           

IN_trusted  all  --  anywhere             anywhere           

 

Chain INPUT_ZONES_SOURCE (1 references)

target     prot opt source               destination        

 

Chain INPUT_direct (1 references)

target     prot opt source               destination        

 

Chain IN_daaslab (1 references)

target     prot opt source               destination        

IN_daaslab_log  all  --  anywhere             anywhere           

IN_daaslab_deny  all  --  anywhere             anywhere           

IN_daaslab_allow  all  --  anywhere             anywhere           

DROP       all  --  anywhere             anywhere           

 

Chain IN_daaslab_allow (1 references)

target     prot opt source               destination        

ACCEPT     tcp  --  anywhere             ip-192-168-10-20.ec2.internal  tcp dpt:http ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-20.ec2.internal  tcp dpt:https ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-10.ec2.internal  tcp dpt:telnet ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-10.ec2.internal  tcp dpt:domain ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:ftp-data ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:ftp ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:imap ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:imaps ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:pop3 ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:pop3s ctstate NEW

ACCEPT     tcp  --  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:urd ctstate NEW

 

Chain IN_daaslab_deny (1 references)

target     prot opt source               destination        

 

Chain IN_daaslab_log (1 references)

target     prot opt source               destination        

 

Chain IN_trusted (2 references)

target     prot opt source               destination        

IN_trusted_log  all  --  anywhere             anywhere           

IN_trusted_deny  all  --  anywhere             anywhere           

IN_trusted_allow  all  --  anywhere             anywhere           

ACCEPT     all  --  anywhere             anywhere           

 

Chain IN_trusted_allow (1 references)

target     prot opt source               destination        

 

Chain IN_trusted_deny (1 references)

target     prot opt source               destination        

 

Chain IN_trusted_log (1 references)

target     prot opt source               destination        

 

Chain OUTPUT_direct (1 references)

target     prot opt source               destination        

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

 [StudentFirst@infa620-nixent01 ~]$ 

 

Export the IP Tables, as illustrated below (for submission)

Exporting iptables rules

[StudentFirst@infa620-nixent01 ~]$ sudo iptables-save > ~/Desktop/iptables_rules-May17-17.txt

[sudo] password for StudentFirst:

[StudentFirst@infa620-nixent01 ~]$

 

Transfer this file, iptables_rules-May17-17.txt,   first to the workspsace Desktop. From there, you can email the file using  the Chrome browser to yourself and then submit it to the Lab 4 folder in the classroom.

 

(10 Points) Also, provide a short summary of your experience of using DaaS for this Lab (Difficulties you have encountered, what worked, what did not work, etc.)

Answered
Other / Other
16 Nov 2017
Due Date: 16 Nov 2017

Answers (2)

  1. JustQuestionAnswer
    JustQuestionAnswer
    01 Apr 2018
    Download Answer

    INFA 620 Laboratory 4: Configuring a Firewall

    In this lab, we going to practice setting up a S ****** ******
    To see full answer buy this answer.
  2. JustQuestionAnswer
    JustQuestionAnswer
    01 Apr 2018
    Download Answer

    INFA 620 Laboratory 4: Configuring a Firewall

    In this lab, we going to practice setting up a S ****** ******
    To see full answer buy this answer.
    Answer Attachments

    1 attachments —

    • img
      INFA 620 Week 4 LAB Solution.docx

Save Time & improve Grades

  • Questions Asked
  • Experts
  • Total Answered

Start Excelling in your courses, Ask an Expert and get answers for your homework and assignments!!

Our Amazing Features

  • Plagiarism Free Work

    Our experts provide 100 % original and customized work On time Delivery

  • 24*7 Customer Support

    We provide 24*7 online customer supports via online chat or email

  • Cover All Subject

    JQA is one stop solution for all subject’s Assignment. We can provide assignment help for almost all subjects.

  • Best Industry experts

    We have 1000+ PHD and Post Graduate experts.

Report As Dispute

Share Your Feedback

Give Review : A+ A B C D F