See pages 3 and 4 for questions to be answered and turned in ...
CIS 373 – Network Design and Implementation

See pages 3 and 4 for questions to be answered and turned in. Turn in individual Assignment 10 responses. Due date is Wednesday, 10 Nov at class time. See page 5 for teams, racks, etc.

Objective: The purpose of this exercise is for you to use the Linux iptables tool to implement a very simple firewall.

Overview: In Linux, a convenient way to implement packet filtering is to use the iptables tool. It talks to the Linux kernel and tells it which packets to filter and which packets to allow. It does this by inserting and deleting rules in the kernel's packet filtering table. On the ITL Linux boxes, the default filter tables allow any packet to be received (the INPUT rule set), forwarded (the FORWARD rule set), or output (the OUTPUT rule set). You can see the default forwarding rules by entering this command (you must be the root user to use iptables):

    iptables --list

Procedure:

1. Set up your three computers into two isolated networks so that only the firewall connects them. You can use a switch for one of these networks and a hub for the other; alternatively you can use two hubs. Refer to the diagram below.

2. Boot up your three computers (this may take a few minutes), log in as root (password is itl) and set them up as follows:

       Internet                                              Enterprise's Intranet
       Computer A ---eth0----eth0 [ Computer B ] eth1----eth0--- Computer C
                                    (firewall)

   a) Computer A (somewhere on the Internet): set eth0 up as 150.160.10.10/16
   b) Computer B (firewall): set eth0 up as 150.160.100.100/16 and eth1 up as 192.168.2.2/24
   c) Computer C (protected by firewall): set eth0 up as 192.168.2.1/24
   d) Now, set up the routing tables in Computer C and Computer A. For Computer C, the route command to allow it to find Computer A is:

          route add -net 150.160.0.0 netmask 255.255.0.0 gw 192.168.2.2 eth0

      For Computer A, the route command to allow it to find Computer C is:

          route add -net 192.168.2.0 netmask 255.255.255.0 gw 150.160.100.100 eth0

   e) Finally, set the forwarding flag in the firewall:

          echo 1 > /proc/sys/net/ipv4/ip_forward

   f) At this point, you should be able to ping from Computer C to Computers B and A, and from Computer A to Computers B and C. In addition, you should be able to ftp from Computer C to Computers B and A and from Computer A to Computers B and C (try it: use lxuser/itl as the user name and password). You should also be able to open a telnet session from Computer C to Computers B and A and from Computer A to Computers B and C (try that also). Make sure these are all successful.

Page 1
2. Now you will be working with iptables on the firewall only.

   a) Issue this command:

          iptables --append INPUT --source 150.160.10.10 --proto icmp --jump REJECT

      This tells the firewall to REJECT all icmp requests coming to the firewall itself from Computer A.
   b) Test this by trying to ping Computer B from Computer A. You should get a "Destination Port Unreachable" response.
   c) You should still be able to ping from Computer A to Computer C. You should also be able to ping to Computer B from Computer C.
   d) Remove the ability to ping from Computer A to Computer C:

          iptables --append FORWARD --source 150.160.10.10 --proto icmp --jump REJECT

      This tells the firewall to REJECT all icmp requests coming to the firewall from 150.160.10.10 and needing to be forwarded to any other network.
   e) Test this by trying to ping from Computer A to Computer C.
   f) You should still be able to ping Computer A from Computer C! (but you will see 100% packet loss)
   g) Refine the firewall rule as follows:
      i)  iptables --delete FORWARD --source 150.160.10.10 --proto icmp --jump REJECT
      ii) iptables --append FORWARD --source 150.160.10.10 --proto icmp --icmp-type echo-request --jump REJECT
          Note: the command should wrap; don't press return until the entire command is entered. Alternatively, use a backslash (\) to continue the command on the next line.
      iii) Now try to ping from Computer C to Computer A. You should see no packet loss.
   h) Let's turn off access to ftp on the protected computer:

          iptables --append FORWARD --source 150.160.10.10 --proto tcp --dport 21 --jump REJECT

      This tells the firewall to REJECT any request for a tcp connection (recall that ftp opens a tcp connection) to port 21 (the port where the ftp server is listening).
   i) Confirm by trying to ftp from Computer A to Computer C. You should get a "Connection refused" message. Also confirm that you can still ftp from Computer C to Computer A.
   j) telnet servers listen on port 23. On the firewall, enter an iptables command that protects Computer C so that Computer A cannot open a telnet session on Computer C.
   k) Demonstrate your firewall now.

Turn in written answers to the questions for steps with text in bold font. Use the next two pages as the template for answering.

Page 2
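To see why the step 2 rules behave as the sheet says (the INPUT rule in 2a leaves forwarded traffic alone, and the 2d FORWARD rule also rejects Computer A's echo-replies, so a ping from C to A shows 100% loss until 2g narrows the match to echo-request), here is a small Python model of how the filter table's INPUT and FORWARD chains are evaluated, using the lab's addresses. This is an added example, not part of the assignment; it assumes first-match semantics with the ITL default policy of ACCEPT, and it ignores the OUTPUT chain and connection tracking.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

A, B_ETH0, B_ETH1, C = "150.160.10.10", "150.160.100.100", "192.168.2.2", "192.168.2.1"  # lab sheet addresses
FIREWALL_ADDRS = {B_ETH0, B_ETH1}  # Computer B's two interfaces; A is on the "Internet", C behind the firewall

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp" or "tcp"
    icmp_type: Optional[str] = None  # "echo-request" or "echo-reply"
    dport: Optional[int] = None      # TCP destination port

@dataclass
class Rule:                          # a None field is a wildcard, like an omitted iptables match option
    source: Optional[str] = None
    proto: Optional[str] = None
    icmp_type: Optional[str] = None
    dport: Optional[int] = None
    jump: str = "REJECT"
    def matches(self, p: Packet) -> bool:
        wanted = {"src": self.source, "proto": self.proto, "icmp_type": self.icmp_type, "dport": self.dport}
        return all(v is None or getattr(p, f) == v for f, v in wanted.items())

def verdict(fw: Dict[str, List[Rule]], p: Packet) -> str:
    """INPUT for packets addressed to the firewall, FORWARD for packets through it; first match wins, else policy ACCEPT."""
    chain = "INPUT" if p.dst in FIREWALL_ADDRS else "FORWARD"
    return next((r.jump for r in fw[chain] if r.matches(p)), "ACCEPT")

def ping_ok(fw: Dict[str, List[Rule]], src: str, dst: str) -> bool:
    """ping reports success only if the echo-request reaches dst AND the echo-reply gets back to src."""
    if verdict(fw, Packet(src, dst, "icmp", icmp_type="echo-request")) != "ACCEPT":
        return False
    if dst in FIREWALL_ADDRS:        # the firewall's own reply leaves through OUTPUT, where the lab adds no rules
        return True
    return verdict(fw, Packet(dst, src, "icmp", icmp_type="echo-reply")) == "ACCEPT"

def walkthrough() -> Dict[str, bool]:
    """Replays steps 2a, 2d and 2g of the sheet and records what ping would report after each."""
    fw: Dict[str, List[Rule]] = {"INPUT": [], "FORWARD": []}  # ITL default: empty chains, policy ACCEPT
    out: Dict[str, bool] = {}
    fw["INPUT"].append(Rule(source=A, proto="icmp"))                              # step 2a
    out["2a A->B"], out["2a A->C"], out["2a C->B"] = ping_ok(fw, A, B_ETH0), ping_ok(fw, A, C), ping_ok(fw, C, B_ETH1)
    fw["FORWARD"].append(Rule(source=A, proto="icmp"))                            # step 2d
    out["2d A->C"], out["2d C->A"] = ping_ok(fw, A, C), ping_ok(fw, C, A)         # C->A fails: A's echo-replies are ICMP
    fw["FORWARD"].remove(Rule(source=A, proto="icmp"))                            # step 2g i (--delete)
    fw["FORWARD"].append(Rule(source=A, proto="icmp", icmp_type="echo-request"))  # step 2g ii
    out["2g A->C"], out["2g C->A"] = ping_ok(fw, A, C), ping_ok(fw, C, A)         # replies pass again
    return out
```

The same `verdict` function shows why the step 2h rule blocks ftp only in one direction: a SYN from A to C carries destination port 21 and is rejected, while C's SYN to A and A's SYN-ACK back to C's ephemeral port are not matched.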
Questions to answer for Step 2

c) You should still be able to ping from Computer A to Computer C.
   Why is this still possible?

   You should also be able to ping to Computer B from Computer C.
   Why is this still possible?
   What firewall rule might have been used to prevent any pinging to [not through] Computer B?
   Develop an explanation about why the enterprise might not want to use this more restrictive rule.
   Develop an alternative explanation about why the enterprise might want to use this more restrictive rule.
   Would the rule you propose prevent Computer C from pinging Computer A? Explain your answer.

e) Test this by trying to ping from Computer A to Computer C.
   What response do you get?

Page 3
f) You should still be able to ping Computer A from Computer C! (but you will see 100% packet loss)
   Explain why you are seeing the 100% packet loss.

g) Refine the firewall rule as follows:
   i)  iptables --delete FORWARD --source 150.160.10.10 --proto icmp --jump REJECT
       Explain what this command does.
   ii) iptables --append FORWARD --source 150.160.10.10 --proto icmp --icmp-type echo-request --jump REJECT
       Explain in what way(s), if any, this is different from the rule you used at step 2d).
       Has the protection against pinging from Computer A (the big bad Internet) to Computer C (on your protected network) been lost? Explain why or why not.

Page 4
CIS 373 – Network Design
Wednesday 3 Nov

Group   Student
0       Nielsen Mark
0       Lee
0       Smith
1       Stapleton
1       Epperson
1       Harris
2       Geddes
2       Mendes
2       Woods
3       Hall
3       Gough
3       Close
4       Nielsen Mike
4       Amoussou
4       Heysek
5       Williams
5       Dorado
5       Brown
6       Yuga
6       Freedman
6       Spendlove
7       Lagrange
7       Ricker
7       Couston

Groups 0 through 3 at 5 pm; groups 4 through 7 at 6 pm. You are welcome to trade among yourselves.

Groups 0 and 4 use any three ITL computers in the range numbered 1 through 6 and Rack 1.
Groups 1 and 5 use any three ITL computers in the range numbered 7 through 12 and Rack 2.
Groups 2 and 6 use any three ITL computers in the range numbered 13 through 18 and Rack 3.
Groups 3 and 7 use any three ITL computers in the range numbered 19 through 25 and Rack 4.

Page 5