CIS 458 Lab 7: iptables

This lab assignment should be done alone. While you may discuss with other students, your work should be your own.

Objective: The purpose of this lab is to gain experience working with iptables, the user-space tool for configuring the packet-filtering firewall built into the Linux kernel (netfilter).

What to turn in: Answers to the questions below.

iptables should already be installed on the SEED virtual machines. To see the current firewall rules, run (as root) iptables -L. You should see three chains, all empty. The INPUT chain filters incoming packets destined for this machine, the FORWARD chain filters packets this machine is routing between interfaces, and the OUTPUT chain filters outgoing packets originating on this machine. (iptables -L shows only the filter table, which is the one this lab uses. Adding -n -v --line-numbers prints numeric addresses, per-rule packet and byte counters, and each rule's position in the chain, which is the easiest way to check whether a rule is actually matching anything.)

Try to SSH from your eos machine to your SEED VM. You should be able to do it. Disconnect your SSH session, then change the default INPUT policy with the command iptables -P INPUT DROP. Do this from the VM's console rather than over SSH: the policy applies to every incoming packet that no rule accepts, including the packets of the SSH session you would be typing in.

  1. Try to ssh to the VM again. What happens? Why?

If you try to connect to the VM in any other way you will get similar results, but we want to allow some traffic. Let's make an exception for SSH traffic. We can do this with the command iptables -A INPUT -p tcp --dport 22 -j ACCEPT. Verify that SSH to your VM now works, but other traffic is still blocked.

  1. Explain the firewall rule that the above command is creating.

Find the address of your eos computer on the virtual network. Add a rule to deny all traffic from that source (you can specify a source address in a rule with -s).

  1. What rule did you add?
  2. Is your SSH traffic still getting through?

Reverse the order of your two rules. You can delete rules with iptables -D (either by repeating the rule's specification or by giving its number in the chain), and iptables -I INPUT inserts a rule at the top of the chain instead of appending it at the bottom. Again, make the change from the VM console: if the rule accepting SSH is removed while you are logged in over SSH, your session will hang.

  1. Now does SSH traffic work?
  2. Explain your observations. Can you make any conclusions about what order iptables applies rules in?

Let's practice creating some more rules.

  1. Create a rule to allow ICMP ping traffic. What command did you use? How did you verify this rule works?
  2. Create a rule to allow any traffic on the lo interface. What command did you use? How did you verify this rule works?

You may notice that you can no longer browse the web from inside your VM. The replies to connections the VM itself opened are incoming packets, and the INPUT policy drops them. You can fix this with the rule iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT. This allows iptables to account for connection state: the rule accepts incoming packets that the kernel's connection tracking (conntrack) already associates with an existing connection, or that are related to one (for example ICMP errors about it). conntrack follows UDP exchanges as well, so DNS replies get through too. On current systems -m conntrack --ctstate ESTABLISHED,RELATED is the preferred spelling; the older -m state form still works. Because most packets on a busy host belong to connections that are already open, this rule is normally placed first in the chain so that those packets are accepted without being checked against every other rule.

iptables has other advanced capabilities such as rate limiting. Investigate how to set a rate limit in iptables. Create rules to limit NEW SSH connections to one from each source IP address per minute. Two things to keep in mind: the basic limit match counts packets from all sources combined, so look at the match modules that keep per-source state; and a rule that matches only NEW connections lets nothing else through, so the ESTABLISHED,RELATED rule from above must remain in place for the later packets of an accepted SSH session.

  1. What rule did you create?
  2. Explain why such a rule would be useful on a real system.
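The two behaviours this lab's questions turn on, rule order in a chain and per-source rate limiting of NEW connections, can be seen without touching a kernel. The following model is an added example for this page; it is not part of the lab handout and not iptables code. It imitates only the top-to-bottom first-match evaluation with a default policy, the -p/--dport/-s/-i matches, -m state --state, and a simplified per-source limiter that stands in for the hashlimit or recent matches; the eos address and the packet arrival times are constructed.

```python
"""Toy model of iptables INPUT-chain evaluation (added example for this lab page;
not part of the handout and not iptables code). It imitates only first-match
evaluation with a default policy, the -p/--dport/-s/-i and -m state matches, and a
simplified per-source limiter. Addresses and arrival times are constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    iface: str = "eth0"
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED
    t: float = 0.0              # arrival time in seconds (constructed clock)

@dataclass
class Rule:
    target: str                              # -j ACCEPT or -j DROP
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    src: Optional[str] = None                # -s (single address, no CIDR here)
    iface: Optional[str] = None              # -i
    states: Optional[set] = None             # -m state --state A,B
    per_src_seconds: Optional[float] = None  # simplified per-source limiter
    _last_hit: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.per_src_seconds is not None:
            # Checked last, so only packets that passed every other match use up
            # the source's allowance. A failed limit means the rule does not
            # match, and evaluation simply continues with the next rule.
            last = self._last_hit.get(pkt.src)
            if last is not None and pkt.t - last < self.per_src_seconds:
                return False
            self._last_hit[pkt.src] = pkt.t
        return True

class Chain:
    def __init__(self, policy="DROP", rules=()):
        self.policy = policy        # -P INPUT <policy>
        self.rules = list(rules)

    def append(self, rule):         # -A INPUT ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):  # -I INPUT [n] ... (1-based, default top)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        for rule in self.rules:     # top to bottom; the first match decides
            if rule.matches(pkt):
                return rule.target
        return self.policy          # nothing matched: the default policy applies

EOS = "10.0.2.2"  # constructed stand-in for the eos machine's address

def ssh_order_demo():
    """The lab's two rules in both orders, evaluated on the same SSH SYN from eos."""
    allow_ssh = Rule("ACCEPT", proto="tcp", dport=22)
    deny_eos = Rule("DROP", src=EOS)
    syn = Packet(EOS, "tcp", 22)
    return {"allow_then_deny": Chain("DROP", [allow_ssh, deny_eos]).verdict(syn),
            "deny_then_allow": Chain("DROP", [deny_eos, allow_ssh]).verdict(syn)}

def lab_chain():
    """The lab's finished INPUT chain: one NEW SSH connection per source per minute."""
    c = Chain("DROP")
    c.append(Rule("ACCEPT", iface="lo"))
    c.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}, per_src_seconds=60))
    return c

def rate_limit_demo():
    c = lab_chain()
    return [c.verdict(Packet(EOS, "tcp", 22, t=0)),                       # first NEW from eos
            c.verdict(Packet(EOS, "tcp", 22, t=5)),                       # again within a minute
            c.verdict(Packet("10.0.2.20", "tcp", 22, t=5)),               # other source unaffected
            c.verdict(Packet(EOS, "tcp", 22, state="ESTABLISHED", t=7)),  # packets of the open session
            c.verdict(Packet(EOS, "tcp", 22, t=60)),                      # a minute later
            c.verdict(Packet("93.184.216.34", "tcp", 80))]                # unsolicited inbound HTTP

if __name__ == "__main__":
    print(ssh_order_demo())
    print(rate_limit_demo())
```

Running it shows the SSH SYN from eos accepted with the ACCEPT rule first and dropped with the DROP rule first, and, for the finished chain, the second NEW SSH connection from eos within a minute falling through to the DROP policy while another source, the packets of the already-open session, and a connection a minute later are all accepted. The real modules behave differently in detail (hashlimit is a token bucket with a configurable burst, and recent can refresh its timestamp on every hit), so check the iptables-extensions manual page for the exact options before writing the rule.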