INFA 620Laboratory 4: Configuring a Firewall
In this exercise you will be working with firewalld (see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use and configure the rules for filtering traffic. firewalld provides higher-level command line and graphical interfaces over Iptables to ease the pain of configuring the firewall features provided by Linux. For this lab exercise, we will only be using only the high-level command line interface. firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4 and IPv6. There is a separation of the runtime and permanent configuration options.
For this lab exercise, we will be using two machines, one machine will behave like an Enterprise and the other machine will behave like machines outside an enterprise. We will call this machine as External, external to the enterprise. The firewall, as part of the enterprise will control traffic both coming into the enterprise and going out of the enterprise (to External).
NIXENT01 (Enterprise) is a CentOS 7 machine.CentOS is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. Firewalld will be running on this host.
NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering. You have already used this machine for Lab2 and Lab 3 in analyzing packets using Wireshark. (Wireshark is available as part of Kali distribution.)
Although there are only two machines, we are going to pretend that the Enterprise has three machines (three IP addresses) and each machine has certain services running on those machines, as follows:
NIXENT01 (Enterprise)
Service
Associated IP Address
domain, telnet
192.168.10.10
http, https
192.168.10.20
ftp, imap2, imaps, pop3, pop3s, urd
192.168.10.30
Similarly, we are going to emulate three machines on the External machine with three IP addresses, each running only certain services as follows:
NIXEXT01 (External)
Service
Associated IP Address
domain, telnet
192.168.10.210
http, https
192.168.10.220
ftp, imap, imaps, pop3, pop3s, urd
192.168.10.230
The instructions to use the remote UMUC machine in the DaaS environment is provided in the Accessing Remote DaaS Lab under Course Content.
Allocating the Lab Machines
Once you open the Lab Broker using the instructions given in ...
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
1. INFA 620Laboratory 4: Configuring a Firewall
In this exercise you will be working with firewalld (see
https://www.linode.com/docs/security/firewalls/introduction-to-
firewalld-on-centos), a front-end to controlling Iptables.
Iptables is a flexible firewall utility built for Linux operating
systems (see https://www.howtogeek.com/177621/the-
beginners-guide-to-iptables-the-linux-firewall/). It is too low
level, however, and, as such, hard to use and configure the rules
for filtering traffic. firewalld provides higher-level command
line and graphical interfaces over Iptables to ease the pain of
configuring the firewall features provided by Linux. For this lab
exercise, we will only be using only the high-level command
line interface. firewalld provides a dynamically managed
firewall with support for network/firewall “zones” to assign a
level of trust to a network and its associated connections,
interfaces or sources. It has support for IPv4 and IPv6. There is
a separation of the runtime and permanent configuration
options.
For this lab exercise, we will be using two machines, one
machine will behave like an Enterprise and the other machine
will behave like machines outside an enterprise. We will call
this machine as External, external to the enterprise. The
firewall, as part of the enterprise will control traffic both
coming into the enterprise and going out of the enterprise (to
External).
NIXENT01 (Enterprise) is a CentOS 7 machine.CentOS is a
Linux distribution that attempts to provide a free, enterprise-
class, community-supported computing platform. Firewalld will
be running on this host.
2. NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-
based Linux distribution aimed at advanced Penetration Testing
and Security Auditing. Kali contains several hundred tools
which are geared towards various information security tasks,
such as Penetration Testing, Security research, Computer
Forensics and Reverse Engineering. You have already used this
machine for Lab2 and Lab 3 in analyzing packets using
Wireshark. (Wireshark is available as part of Kali distribution.)
Although there are only two machines, we are going to pretend
that the Enterprise has three machines (three IP addresses) and
each machine has certain services running on those machines, as
follows:
NIXENT01 (Enterprise)
Service
Associated IP Address
domain, telnet
192.168.10.10
http, https
192.168.10.20
ftp, imap2, imaps, pop3, pop3s, urd
192.168.10.30
Similarly, we are going to emulate three machines on the
External machine with three IP addresses, each running only
certain services as follows:
NIXEXT01 (External)
Service
Associated IP Address
domain, telnet
192.168.10.210
http, https
192.168.10.220
ftp, imap, imaps, pop3, pop3s, urd
3. 192.168.10.230
The instructions to use the remote UMUC machine in the DaaS
environment is provided in the Accessing Remote DaaS Lab
under Course Content.
Allocating the Lab Machines
Once you open the Lab Broker using the instructions given in
the UMUC Digital Lab Access Instructions found under
Accessing Remote DaaS Lab under Course Content, you will see
a new window open. Each of your courses that have labs will
be listed here in the Lab Broker page.
1. Look for “INFA 620” and select “Nodes.”
2. Select “Allocate Lab” *this should take no more than 1
minute.*
*Please Note*Allocated lab resources expire in 7 days. If a lab
expires, work done within the lab machine.Connecting to the
Lab Machines
1. Within the Lab Broker interface, view the current allocated
nodes for INFA 620
2. Use the “Connect” button to initiate a connection to each of
the two machines:
3. When prompted, enter the course credentials:
a. Username: StudentFirst
b. Password: [email protected]
4. Proceed with the connection. You will need to re-enter the
above credentials.
Network Traffic Simulation Script
The Network traffic Simulation script allows users to test
pathways to lab resource machines by using the terminal to
initiate test packets. The script takes 2 input variables (IP
address and service) and uses this information to initiate a test.
The script is implemented using bash shell. The script accepts a
target IP (-t) and any service name (-s) available in
/etc/services. The script can be run on either machine to
generate traffic for the other machine,
4. To run the script:
1. Open a Terminal window.
2. Enter command “sudo /usr/local/sbin/traffic_test -t(target
IP)-s (service)”
a. Target IP and Service are taken from the Enterprise and
External Tables above
b. Http example: “sudo /usr/local/sbin/traffic_test -t
192.168.10.20 -s http” (This will be run on External since we
are generating traffic to reach192.168.10.20 )
3. Input the Password for the StudentFirst User:
[email protected]
4. The script will then run a 5 packet test and display the
results.
The firewall is initially is set up to Deny by Default. So, no
traffic will be admitted in either direction until we explicitly
change the firewall rules.Filtering Incoming Traffic
We will show by one example how to configure the http traffic
coming into 192.168.10.20. Before we do that, let us verify, no
http is coming in:
Initial State Test (You are generating traffic from External to
reach Enterprise.)
EXAMPLE: Incoming traffic to Enterprise on http port not
allowed
[email protected]:~$ sudo /usr/local/sbin/traffic_test -t
192.168.10.20 -s http
[sudo] password for StudentFirst:
HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40
headers + 0 data bytes
--- 192.168.10.20 hping statistic ---
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[email protected]:~$
5. Let us add an incoming traffic rule to the firewall to allow http
traffic to 192.168.10.20
Adding inbound rules to daaslab zone (Firewall rules are always
added from the Enterprise machine)
[[email protected] ~]$ sudo firewall-cmd --zone=daaslab --add-
rich-rule='rule family="ipv4" destination
address="192.168.10.20/32" port protocol="tcp" port="80"
accept’
[[email protected] ~]$ password for StudentFirst:
Success
You can verify whether a rule was added as follows:
[[email protected] ~]$ sudo firewall-cmd --zone=daaslab --list-
rich-rules
rule family="ipv4" destination address="192.168.10.20/32" port
port="80" protocol="tcp" accept
[[email protected] ~]$
Test the effect of the new rule added:
EXAMPLE: Incoming traffic to Enterprise on http port is now
allowed
[email protected]:~$ sudo /usr/local/sbin/traffic_test -t
192.168.10.20 -s http
[sudo] password for StudentFirst:
HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40
headers + 0 data bytes
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA
seq=0 win=29200 rtt=3.9 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA
seq=1 win=29200 rtt=3.8 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA
seq=2 win=29200 rtt=3.7 ms
len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA
seq=3 win=29200 rtt=3.6 ms
6. len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA
seq=4 win=29200 rtt=3.5 ms
--- 192.168.10.20 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.5/3.7/3.9 ms
[email protected]:~$
As you can see, the inbound http traffic to 192.168.10.20 has
been enabled.
On your own now, configure rules to allow the following nine
services (45 Points):
https to 192.168.10.20
domain and telnet to 192.168.10.1 0
ftp, imap2, imaps, pop3, pop3s, and urd to 192.168.10.30
Domain is often known as DNS (Domain Name Service). You
should be able to google port numbers for various services.
Before you configure, first make sure, using the test script
given, these traffic types are not allowed to the respective
hosts. After configuring them, make sure they are allowed to the
respective hosts. Also, verify that the rules were added using
sudo firewall-cmd --zone=daaslab --list-rich-rules. There
should be one rule for each service added. If you have done
correctly, this is what will be listed:
rule family="ipv4" destination address="192.168.10.20/32" port
port="80" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.20/32" port
port="443" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.10/32" port
port="23" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.10/32" port
port="53" protocol="tcp" accept
7. rule family="ipv4" destination address="192.168.10.30/32" port
port="20" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="21" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="143" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="993" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="110" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="995" protocol="tcp" accept
rule family="ipv4" destination address="192.168.10.30/32" port
port="465" protocol="tcp" accept
Outgoing Traffic
Initial State Test
Outgoing traffic to External on http port not allowed (You are
generating traffic from Enterprise to reach External.)
[[email protected] ~]$ sudo /usr/local/sbin/traffic_test -t
192.168.10.220 -s http
[sudo] password for StudentFirst:
HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40
headers + 0 data bytes
[send_ip] sendto: Operation not permitted
[[email protected] ~]$
Adding an outgoing traffic rules to the firewall
Adding outbound rules
Via the Terminal
[[email protected] ~]$ sudo firewall-cmd --direct --add-rule
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
success
[[email protected] ~]$
Outbound Rules Test
8. Outgoing traffic to External on http port allowed
[[email protected] ~]$ sudo /usr/local/sbin/traffic_test -t
192.168.10.220 -s http
[sudo] password for StudentFirst:
HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40
headers + 0 data bytes
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA
seq=0 win=29200 rtt=1.9 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA
seq=1 win=29200 rtt=2.0 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA
seq=2 win=29200 rtt=3.8 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA
seq=3 win=29200 rtt=2.0 ms
len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA
seq=4 win=29200 rtt=2.0 ms
--- 192.168.10.220 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.9/2.3/3.8 ms
[[email protected] ~]$
On your own now, configure rules to allow the following nine
services (45 Points):
https to 192.168.10.220
domain and telnet to 192.168.10.210
ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230
Before you configure, first make sure using the test script these
traffic types are not allowed to the respective hosts. After
configuring them, make sure they are allowed to the respective
hosts.
Miscellaneous Tasks
9. Making Rules Persistent (Not needed for this lab exercise)
Making rules persistent
[[email protected] ~]$ sudo firewall-cmd --runtime-to-
permanent
success
[[email protected] ~]$
You can view the Iptables to see what rules you have added. In
the example below, the table entries that are highlighted are the
ones we have just added.
Viewing the IP Tables
Viewing iptables rules (Just an example output)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
multiport dports rfe
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate
INVALID
REJECT all -- anywhere anywhere reject-
with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere
anywhere
10. FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere
anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate
INVALID
REJECT all -- anywhere anywhere reject-
with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_daaslab all -- anywhere anywhere
FWDI_trusted all -- anywhere anywhere
FWDI_trusted all -- anywhere anywhere
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_daaslab all -- anywhere anywhere
FWDO_trusted all -- anywhere anywhere
FWDO_trusted all -- anywhere anywhere
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_daaslab (1 references)
target prot opt source destination
11. FWDI_daaslab_log all -- anywhere anywhere
FWDI_daaslab_deny all -- anywhere anywhere
FWDI_daaslab_allow all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FWDI_daaslab_allow (1 references)
target prot opt source destination
Chain FWDI_daaslab_deny (1 references)
target prot opt source destination
Chain FWDI_daaslab_log (1 references)
target prot opt source destination
Chain FWDI_trusted (2 references)
target prot opt source destination
FWDI_trusted_log all -- anywhere anywhere
FWDI_trusted_deny all -- anywhere anywhere
FWDI_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_daaslab (1 references)
target prot opt source destination
FWDO_daaslab_log all -- anywhere anywhere
FWDO_daaslab_deny all -- anywhere anywhere
FWDO_daaslab_allow all -- anywhere anywhere
DROP all -- anywhere anywhere
15. ACCEPT tcp -- anywhere anywhere tcp
dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp
dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp
dpt:urd
ACCEPT tcp -- anywhere anywhere tcp
dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp
dpt:imaps
REJECT all -- anywhere anywhere reject-
with icmp-host-prohibited
[[email protected] ~]$
Export the IP Tables, as illustrated below (for submission)
Exporting iptables rules
[[email protected] ~]$ sudo iptables-save >
~/Desktop/iptables_rules-May17-17.txt
[sudo] password for StudentFirst:
[[email protected] ~]$
Transfer this file, iptables_rules-May17-17.txt, first to the
workspsace Desktop. From there, you can email the file using
the Chrome browser to yourself and then submit it to the Lab 4
folder in the classroom.
(10 Points) Also, provide a short summary of your experience of
using DaaS for this Lab (Difficulties you have encountered,
what worked, what did not work, etc.)
1