Northeastern University

CS 4740/6740 - Network Security

Lab: Firewall

In this lab, you will set up a firewall on your Linux router to limit access to both your users and attackers. Your main tool will be iptables.

Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).

1. Introduction

Before learning about iptables, it is important to understand the purpose of a firewall, the difference between a stateful and stateless firewall, and the protocol layers at which firewalls operate. You must research this if you have never worked with firewalls before or don't feel comfortable with all of these concepts.

The native Linux firewalling software is part of the netfilter project. The bulk of this software is compiled as a part of the kernel, but filter rules can be added and removed via the iptables command. Recent versions of the Linux kernel (2.4+) support stateful packet inspection, allowing one to configure a stateful firewall. Read the man page on the iptables command and become familiar with the options. In addition, these articles on iptables basics and iptables tutorial may help. There are many other tutorials available online as well.

One of the most basic functions of a firewall is the mitigation of spoofing attacks. Since routers and firewalls sit in a unique position on the network, they are ideal for limiting the types of spoofing possible. Specifically, one can configure a firewall to allow packets from a network segment only if those packets have a source address which falls within the designated network IP range. In addition, when receiving traffic from the internet, where almost any source IP is allowed, one can drop packets which contain source IPs belonging to segments within a trusted network.

Before beginning this lab, please complete these steps:

  1. A set of shell scripts has been provided to get you started building a proper firewall. These scripts are installed on your system in the directory /etc/iptables. Become familiar with these scripts. In particular, pay attention to the way /etc/iptables/start.sh defines Ethernet interfaces through the variables OUTSIDE_IF and TRUSTED_IF and how it kicks off all the other scripts. Also, review the structure of the /etc/iptables/ipv4/filter.sh script, as this is the primary place you'll be making changes.

  2. Make a backup copy of the /etc/iptables directory. Hint: see the tar command.

2. Configuring Iptables

Check the contents of the /etc/iptables/ipv4/start.sh script:

  1. Check that the TRUSTED and OUTSIDE_IP variables are correct based on the network settings you discovered during the introduction lab. See the script for details.

Open the script /etc/iptables/ipv4/filter.sh and make these changes:

  1. Change the FORWARD chain's default policy to DROP. Remove the FORWARD chain ACCEPT rule. Also, add a rule to the end of the FORWARD chain which sends all traffic to the logdrop chain.

  2. Add a rule at the top of the FORWARD chain which sends all packets coming from the TRUSTED network to the trusted-outside chain for further evaluation.

  3. Add a rule as the second item in the FORWARD chain which sends all packets coming in from non-TRUSTED networks to the TRUSTED network to the outside-trusted chain for further evaluation.

NOTE: The rules which jump to trusted-outside and outside-trusted must not allow obviously spoofed traffic. In particular, an external attacker should not be able to send packets in on the OUTSIDE_IF interface with a TRUSTED address. Also, you should not allow your TRUSTED users to send packets from something other than a TRUSTED IP address.

Add rules to the outside-trusted chain such that the following kinds of traffic are allowed:

Next, add a rule at the end of that chain which sends all traffic to the logdrop chain.

3. Testing the Firewall

Carefully review your firewall rules to be sure you didn't make any typos. Once you are reasonably confident you have it right, run the /etc/iptables/start.sh script to install the rules. If you see the script spit out any error messages, it is likely because of improper usage of the iptables command, or due to syntax errors in the shell script itself. Fix any of these before continuing, and re-run the /etc/iptables/start.sh script each time to flush and re-load all rules.

You should now test to make sure your Windows server can access the network. Try pinging a system on the 10.0.0.0/24 network (besides your own machine) from your Windows server. Since you allowed all ICMP earlier, this should still route fine. If not, the log messages in /var/log/syslog may help you find out what is going wrong.

4. Stronger ICMP rules

Take a look at the Smurf Amplifier Registry (SAR). Set up rules in your outside-trusted chain before your ICMP allow-all rule to block all ICMP echo-reply packets from these networks.
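The FORWARD layout that section 2 asks for, with the section 4 echo-reply blocks placed ahead of the ICMP allow-all rule, written as an added example for this page; it is not the course's /etc/iptables scripts. The interface names, the 192.168.1.0/24 trusted range, the minimal trusted-outside policy and the empty SMURF_NETS placeholder are assumptions; run it with IPT=echo to preview the commands without root.

```shell
#!/bin/sh
# Added example, not the course's /etc/iptables scripts. Interface names, the
# trusted range and SMURF_NETS are assumptions; IPT=echo previews the commands.
IPT="${IPT:-iptables}"
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"       # assumed: interface facing the internet
TRUSTED_IF="${TRUSTED_IF:-eth1}"       # assumed: interface facing the trusted LAN
TRUSTED="${TRUSTED:-192.168.1.0/24}"   # assumed range; use your intro-lab value
SMURF_NETS="${SMURF_NETS:-}"           # placeholder: amplifier networks from the SAR

# Create (or empty) the user chains that the lab's scripts jump to.
make_chains() {
    for c in logdrop trusted-outside outside-trusted; do
        $IPT -N "$c" 2>/dev/null || $IPT -F "$c"
    done
    $IPT -A logdrop -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A logdrop -j DROP
}

# Section 2: default-deny FORWARD, catch-all at the end, and jump rules that
# only match when the source address fits the interface the packet came in on
# (the anti-spoofing check from the NOTE); anything else reaches logdrop.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD                 # removes the old blanket ACCEPT rule
    $IPT -A FORWARD -j logdrop      # last rule: log and drop what nothing matched
    $IPT -I FORWARD 1 -i "$TRUSTED_IF" -s "$TRUSTED" -j trusted-outside
    $IPT -I FORWARD 2 -i "$OUTSIDE_IF" ! -s "$TRUSTED" -d "$TRUSTED" -j outside-trusted
}

# Section 4 plus the ICMP allow-all: the echo-reply blocks must come first,
# because the first matching rule decides.
outside_trusted_rules() {
    for net in $SMURF_NETS; do
        $IPT -A outside-trusted -p icmp --icmp-type echo-reply -s "$net" -j logdrop
    done
    $IPT -A outside-trusted -p icmp -j ACCEPT
    $IPT -A outside-trusted -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A outside-trusted -j logdrop
}

# trusted-outside is left to you by the lab; this minimal version lets the
# ping test in section 3 succeed (assumption, not the lab's policy).
trusted_outside_rules() {
    $IPT -A trusted-outside -p icmp -j ACCEPT
    $IPT -A trusted-outside -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A trusted-outside -j logdrop
}

apply_filter_rules() { make_chains; forward_rules; outside_trusted_rules; trusted_outside_rules; }
if [ "${APPLY:-0}" = 1 ]; then apply_filter_rules; fi   # APPLY=1 loads the rules on the router
```

With the default policy on DROP, a spoofed TRUSTED source arriving on OUTSIDE_IF matches neither jump rule and falls through to logdrop, which is what the NOTE in section 2 requires.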

5. Automatic Startup

Once you are SURE you are satisfied with your firewall rules, add the /etc/iptables/start.sh script to your boot-up sequence, calling it from /etc/rc.local.

NOTE: The firewall rules you just set up are not complete, and this should not be considered a "secure" firewall. This lab is merely intended to help you learn how to use iptables. Be sure to consider the INPUT chain and what traffic you actually need to have allowed if you use this firewall as a basis for the competition.

Report

For this lab, your team must submit a report with the following information:

  1. All of the files modified in /etc/iptables/.

  2. Why does the File Transfer Protocol (FTP) pose a problem for firewalls? If you had blocked all traffic on your firewall, what iptables commands would you use to allow outgoing FTP connections from your router?

  3. The standard port for RDP on Windows is 3389/TCP. Suppose you change the port for RDP on your Windows server to 13889/TCP. How could you use iptables to allow any packets from the outside network destined for your Windows server at port 3389/TCP to be forwarded to your Windows server at port 13889/TCP instead? What iptables commands would you use? Hint: see the NAT table in iptables.

Grading

Your grade for this lab will be composed of: