Note: I only need the last 3 sub-questions (e, f and g).
3. Firewall Design (55pts)
Design a firewall for your Linux machine using the iptables packet filtering module. It is likely that iptables came pre-installed with the Linux distribution you are using. In the event you are using an old version of the Linux kernel, you may need to upgrade it for iptables to work. Your homework consists of writing iptables rules to do the following:
(a) Place no restriction on outbound packets.
(b) Allow for SSH access (port 22) to your machine from only the fiu.edu domain.
(c) Assuming you are running an HTTPD server on your machine that can make available your entire home directory to the outside world, write a rule that allows only a single IP address in the internet to access your machine for the HTTP service.
(d) Permit Auth/Ident (port 113), which is used by some services like SMTP.
(e) Accept the ICMP Echo requests (as used by ping) coming from the outside.
(f) Respond back with TCP RST or ICMP unreachable for incoming requests to blocked ports.
(g) Block all input packets from the cnn.com domain and respond back with destination unreachable error message for all incoming SYN packets from the cnn.com domain.
Solution
(e) Echo Request:
Ping (Packet InterNet Gopher) is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the total round-trip time for messages sent from the originating host to a destination computer and back.
Ping operates by sending Internet Control Message Protocol (ICMP) Echo Request packets to the target host and waiting for an ICMP Echo Reply. It measures the round-trip time from transmission to reception and reports errors, packet loss, and a statistical summary of the results, typically including the minimum, maximum and mean round-trip times and the standard deviation of the mean.
The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, like routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).
ICMP has many kinds of messages, identified by a "type" field. For ping you need ICMP types 0 and 8:
=> Zero (0) is echo-reply
=> Eight (8) is echo-request.
To accept incoming ICMP ping requests from clients, use the following iptables rules (assuming the default iptables policy is to drop all INPUT and OUTPUT packets). SERVER_IP is the address of the firewalled host:
SERVER_IP="202.54.10.20"
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Task: allow outgoing ping requests from the host itself. These are the mirror image of the rules above:
SERVER_IP="202.54.10.20"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
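As an added example (not part of the original answer), the same incoming-ping rules written as a small shell script with a rate limit, so that a flood of echo requests cannot exhaust the host before the firewall answers them. SERVER_IP defaults to a constructed documentation-range address (203.0.113.10), DRY_RUN=1 prints the rules instead of applying them (applying needs root), and -m conntrack --ctstate is the current spelling of the answer's -m state --state.

```shell
#!/bin/sh
# Added example for sub-question (e); not from the original post.
# Assumes a default-DROP INPUT/OUTPUT policy, as the answer does.
SERVER_IP="${SERVER_IP:-203.0.113.10}"   # constructed placeholder address
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules, 0 = apply them

# Print one iptables rule, or apply it when DRY_RUN=0.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Accept inbound echo requests (type 8) from anywhere, limited to 5 per
# second with a burst of 10, and let our echo replies (type 0) go out.
icmp_echo_rules() {
    ipt -A INPUT -p icmp --icmp-type echo-request -s 0/0 -d "$SERVER_IP" \
        -m limit --limit 5/second --limit-burst 10 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Requests above the limit are dropped here explicitly instead of
    # falling through to whatever rule comes later in the chain.
    ipt -A INPUT -p icmp --icmp-type echo-request -d "$SERVER_IP" -j DROP
    ipt -A OUTPUT -p icmp --icmp-type echo-reply -s "$SERVER_IP" -d 0/0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules the function emits; a cheap sanity check before applying.
icmp_rule_count() {
    icmp_echo_rules | wc -l | tr -d ' '
}

icmp_echo_rules
```

Run it once with the default DRY_RUN=1 to review the three rules, then as root with DRY_RUN=0 to install them. The explicit DROP after the rate-limited ACCEPT matters: without it, excess echo requests would be evaluated against the rest of the INPUT chain rather than being discarded.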
(f)
ICMP Destination Unreachable messages are handled by the encapsulator depending upon their
Code field. The model suggested here allows the tunnel to "extend" a network to include non-
local (e.g., mobile) nodes. Thus, if the original destination in the unencapsulated datagram is on
the same network as the encapsulator, certain Destination Unreachable Code values may be
modified to conform to the suggested model.
(g)
Block Incoming Port Requests (BLOCK PORT)
To block all requests to port 80 (the second form restricts the rule to interface eth1), enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
To block port 80 only for the IP address 1.2.3.4 (or, on interface eth1, for the whole 192.168.1.0/24 subnet), enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP
Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as cyberciti.biz, first look up its address:
# host -t a cyberciti.biz