INFA 620 Laboratory 4: Configuring a Firewal

In this exercise you will be working with firewalld(see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use and configure the rules for filtering traffic.  firewalld provides higher-level command line and graphical interfaces over Iptables to ease the pain of configuring the firewall features provided by Linux. For this lab exercise, we will only be using the high-level command line interface.  firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4 and IPv6. There is a separation of the runtime and permanent configuration options.   For this lab exercise, we will be using two machines, one machine will behave like an Enterprise and the other machine will behave like machines outside an enterprise. We will call this machine as External, external to the enterprise. The firewall, as part of the enterprise will control traffic both coming into the enterprise and going out of the enterprise (to External). NIXENT01 (Enterprise) is a CentOS 7 machine.CentOS is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. Firewalld will be running on this host. NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.   Although there are only two machines, we are going to pretend that the Enterprise has three machines (three IP addresses) and each machine has certain services running on those machines, as follows:   NIXENT01 (Enterprise) Service Associated IP Address domain, telnet 192.168.10.10 http, https 192.168.10.20 ftp, imap2, imaps, pop3, pop3s, urd 192.168.10.30   Similarly, we are going to emulate three machines on the External machine with three IP addresses, each running only certain services as follows:   NIXEXT01 (External) Service Associated IP Address domain, telnet 192.168.10.210 http, https 192.168.10.220 ftp, imap, imaps, pop3, pop3s, urd 192.168.10.230     The instructions to use the remote UMUC machine in the DaaS environment is provided in the Accessing Remote DaaS Lab under Course Content. Allocating the Lab Machines Once you open the Lab Broker using the instructions given in the UMUC Digital Lab Access Instructions found under Accessing Remote DaaS Lab under Course Content, you will see a new window open. Each of your courses that have labs will be listed here in the Lab Broker page.   1.    Look for “INFA 620” and select “Nodes.” 2.    Select “Allocate Lab” *this should take no more than 1 minute.* *Please Note*Allocated lab resources expire in 7 days. If a lab expires, work done within the lab machine will be lost. Connecting to the Lab Machines 1.    Within the Lab Broker interface, view the current allocated nodes for INFA 620 2.    Use the “Connect” button to initiate a connection to each of the two machines: 3.    When prompted, enter the course credentials: a.    Username: StudentFirst b.    Password: Cyb3rl@b 4.    Proceed with the connection. You will need to re-enter the above credentials.   Network Traffic Simulation Script The Network traffic Simulation script allows users to test pathways to lab resource machines by using the terminal to initiate test packets. The script takes 2 input variables (IP address and service) and uses this information to initiate a test. The script is implemented using bash shell. The script accepts a target IP (-t) and any service name (-s) available in /etc/services. The script can be run on either machine to generate traffic for the other machine,   To run the script: 1.    Open a Terminal window. 2.    Enter command “sudo /usr/local/sbin/traffic_test -t(target IP)-s (service)” a.    Target IP and Service are taken from the Enterprise and External Tables above b.    Http example: “sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http” (This will be run on External since we are generating traffic to reach192.168.10.20 ) 3.    Input the Password for the StudentFirst User: Cyb3rl@b 4.    The script will then run a 5 packet test and display the results.   The firewall is initially set up to Deny by Default. So, no traffic will be admitted in either direction until we explicitly change the firewall rules. Filtering Incoming Traffic We will show by one example how to configure the http traffic coming into 192.168.10.20. Before we do that, let us verify, no http is coming in: Initial State Test (You are generating traffic from External to reach Enterprise.) EXAMPLE: Incoming traffic to Enterprise on http port not allowed StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http [sudo] password for StudentFirst: HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes   — 192.168.10.20 hping statistic — 5 packets transmitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms StudentFirst@infa620-nixext01:~$ Let us add an incoming traffic rule to the firewall to allow http traffic to 192.168.10.20 Adding inbound rules to daaslab zone (Firewall rules are always added  from the Enterprise machine)   [StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –zone=daaslab –add-rich-rule=’rule family=’ipv4′ destination address=’192.168.10.20/32′ port  protocol=’tcp’ port=’80’ accept’ [StudentFirst@infa620-nixent01 ~]$ password for StudentFirst: Success   You can verify whether a rule was added as follows: [StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd–zone=daaslab –list-rich-rules rule family=’ipv4′ destination address=’192.168.10.20/32′ port port=’80’ protocol=’tcp’ accept [StudentFirst@infa620-nixent01 ~]$ Test the effect of the new rule added: EXAMPLE: Incoming traffic to Enterprise on http port is now allowed StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http [sudo] password for StudentFirst: HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.8 ms len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.7 ms len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=3.6 ms len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=3.5 ms   — 192.168.10.20 hping statistic — 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 3.5/3.7/3.9 ms StudentFirst@infa620-nixext01:~$ As you can see, the inbound http traffic to 192.168.10.20 has been enabled.   On your own now, configure rules to allow the following nineservices (45 Points):   https to 192.168.10.20 domain and telnet to 192.168.10.10 ftp, imap2, imaps, pop3, pop3s, and urd to 192.168.10.30   Domain is often known as DNS (Domain Name Service). You should be able to google port numbers for various services.   Before you configure, first make sure, using the test script given, these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts. Also, verify that the rules were added using sudo firewall-cmd –zone=daaslab  –list-rich-rules. There should be one rule for each service added. If you have done correctly, this is what will be listed:   rule family=’ipv4′ destination address=’192.168.10.20/32′ port port=’80’ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.20/32′ port port=’443′ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.10/32′ port port=’23’ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.10/32′ port port=’53’ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’20’ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’21’ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’143′ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’993′ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’110′ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’995′ protocol=’tcp’ accept rule family=’ipv4′ destination address=’192.168.10.30/32′ port port=’465′ protocol=’tcp’ accept   Outgoing Traffic Initial State Test Outgoing traffic to External on http port not allowed (You are generating traffic from Enterprise to reach External.) [StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes [send_ip] sendto: Operation not permitted [StudentFirst@infa620-nixent01 ~]$ Adding an outgoing traffic rules to the firewall Adding outbound rules Via the Terminal [StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –direct –add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp –dport 80 -j ACCEPT success [StudentFirst@infa620-nixent01 ~]$ Outbound Rules Test Outgoing traffic to External on http port allowed [StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.9 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.8 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms   — 192.168.10.220 hping statistic — 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.9/2.3/3.8 ms [StudentFirst@infa620-nixent01 ~]$   On your own now, configure rules to allow the following nine services (45 Points):   https to 192.168.10.220 domain and telnet to 192.168.10.210 ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230   Before you configure, first make sure using the test script these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts. Miscellaneous Tasks Making Rules Persistent (Not needed for this lab exercise) Making rules persistent [StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd –runtime-to-permanent success [StudentFirst@infa620-nixent01 ~]$    You can view the Iptables to see what rules you have added(sudo iptables -L). In the example below, the table entries that are highlighted are the ones we have just added. Viewing the IP Tables(sudo iptables -L) Viewing iptables rules (Just an example output) Chain INPUT (policy ACCEPT) target     prot opt source               destination         ACCEPT     udp  —  anywhere             anywhere             multiport dports rfe ACCEPT     all  —  anywhere             anywhere             ctstate RELATED,ESTABLISHED ACCEPT     all  —  anywhere             anywhere            INPUT_direct  all  —  anywhere             anywhere            INPUT_ZONES_SOURCE  all  —  anywhere             anywhere            INPUT_ZONES  all  —  anywhere             anywhere            DROP       all  —  anywhere             anywhere             ctstate INVALID REJECT     all  —  anywhere             anywhere             reject-with icmp-host-prohibited   Chain FORWARD (policy ACCEPT) target     prot opt source               destination         ACCEPT     all  —  anywhere             anywhere             ctstate RELATED,ESTABLISHED ACCEPT     all  —  anywhere             anywhere            FORWARD_direct  all  —  anywhere             anywhere            FORWARD_IN_ZONES_SOURCE  all  —  anywhere             anywhere            FORWARD_IN_ZONES  all  —  anywhere             anywhere            FORWARD_OUT_ZONES_SOURCE  all  —  anywhere             anywhere            FORWARD_OUT_ZONES  all  —  anywhere             anywhere            DROP       all  —  anywhere             anywhere             ctstate INVALID REJECT     all  —  anywhere             anywhere             reject-with icmp-host-prohibited   Chain OUTPUT (policy ACCEPT) target     prot opt source               destination         OUTPUT_direct  all  —  anywhere             anywhere              Chain FORWARD_IN_ZONES (1 references) target     prot opt source               destination         FWDI_daaslab  all  —  anywhere             anywhere            FWDI_trusted  all  —  anywhere             anywhere            FWDI_trusted  all  —  anywhere             anywhere              Chain FORWARD_IN_ZONES_SOURCE (1 references) target     prot opt source               destination           Chain FORWARD_OUT_ZONES (1 references) target     prot opt source               destination         FWDO_daaslab  all  —  anywhere             anywhere            FWDO_trusted  all  —  anywhere             anywhere            FWDO_trusted  all  —  anywhere             anywhere              Chain FORWARD_OUT_ZONES_SOURCE (1 references) target     prot opt source               destination           Chain FORWARD_direct (1 references) target     prot opt source               destination           Chain FWDI_daaslab (1 references) target     prot opt source               destination         FWDI_daaslab_log  all  —  anywhere             anywhere            FWDI_daaslab_deny  all  —  anywhere             anywhere            FWDI_daaslab_allow  all  —  anywhere             anywhere            DROP       all  —  anywhere             anywhere              Chain FWDI_daaslab_allow (1 references) target     prot opt source               destination           Chain FWDI_daaslab_deny (1 references) target     prot opt source               destination           Chain FWDI_daaslab_log (1 references) target     prot opt source               destination           Chain FWDI_trusted (2 references) target     prot opt source               destination         FWDI_trusted_log  all  —  anywhere             anywhere            FWDI_trusted_deny  all  —  anywhere             anywhere            FWDI_trusted_allow  all  —  anywhere             anywhere            ACCEPT     all  —  anywhere             anywhere              Chain FWDI_trusted_allow (1 references) target     prot opt source               destination           Chain FWDI_trusted_deny (1 references) target     prot opt source               destination           Chain FWDI_trusted_log (1 references) target     prot opt source               destination           Chain FWDO_daaslab (1 references) target     prot opt source               destination         FWDO_daaslab_log  all  —  anywhere             anywhere            FWDO_daaslab_deny  all  —  anywhere             anywhere            FWDO_daaslab_allow  all  —  anywhere             anywhere            DROP       all  —  anywhere             anywhere              Chain FWDO_daaslab_allow (1 references) target     prot opt source               destination           Chain FWDO_daaslab_deny (1 references) target     prot opt source               destination           Chain FWDO_daaslab_log (1 references) target     prot opt source               destination           Chain FWDO_trusted (2 references) target     prot opt source               destination         FWDO_trusted_log  all  —  anywhere             anywhere            FWDO_trusted_deny  all  —  anywhere             anywhere            FWDO_trusted_allow  all  —  anywhere             anywhere            ACCEPT     all  —  anywhere             anywhere              Chain FWDO_trusted_allow (1 references) target     prot opt source               destination           Chain FWDO_trusted_deny (1 references) target     prot opt source               destination           Chain FWDO_trusted_log (1 references) target     prot opt source               destination           Chain INPUT_ZONES (1 references) target     prot opt source               destination         IN_daaslab  all  —  anywhere             anywhere            IN_trusted  all  —  anywhere             anywhere             IN_trusted  all  —  anywhere             anywhere              Chain INPUT_ZONES_SOURCE (1 references) target     prot opt source               destination           Chain INPUT_direct (1 references) target     prot opt source               destination           Chain IN_daaslab (1 references) target     prot opt source               destination         IN_daaslab_log  all  —  anywhere             anywhere            IN_daaslab_deny  all  —  anywhere             anywhere            IN_daaslab_allow  all  —  anywhere             anywhere            DROP       all  —  anywhere             anywhere              Chain IN_daaslab_allow (1 references) target     prot opt source               destination         ACCEPT     tcp  —  anywhere             ip-192-168-10-20.ec2.internal  tcp dpt:http ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-20.ec2.internal  tcp dpt:https ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-10.ec2.internal  tcp dpt:telnet ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-10.ec2.internal  tcp dpt:domain ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:ftp-data ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:ftp ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:imap ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:imaps ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:pop3 ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:pop3s ctstate NEW ACCEPT     tcp  —  anywhere             ip-192-168-10-30.ec2.internal  tcp dpt:urd ctstate NEW   Chain IN_daaslab_deny (1 references) target     prot opt source               destination           Chain IN_daaslab_log (1 references) target     prot opt source               destination           Chain IN_trusted (2 references) target     prot opt source               destination         IN_trusted_log  all  —  anywhere             anywhere            IN_trusted_deny  all  —  anywhere             anywhere            IN_trusted_allow  all  —  anywhere             anywhere            ACCEPT     all  —  anywhere             anywhere              Chain IN_trusted_allow (1 references) target     prot opt source               destination           Chain IN_trusted_deny (1 references) target     prot opt source               destination           Chain IN_trusted_log (1 references) target     prot opt source               destination           Chain OUTPUT_direct (1 references) target     prot opt source               destination         ACCEPT     all  —  anywhere             anywhere             ctstate RELATED,ESTABLISHED ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:http ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:https ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:telnet ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:domain ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:ftp-data ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:imap ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:pop3 ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:pop3s ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:urd ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:ftp ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:imaps REJECT     all  —  anywhere             anywhere             reject-with icmp-host-prohibited [StudentFirst@infa620-nixent01 ~]$    Export the IP Tables, as illustrated below (for submission) Exporting iptables rules [StudentFirst@infa620-nixent01 ~]$ sudo iptables-save > ~/Desktop/iptables_rules-July17-17.txt [sudo] password for StudentFirst: [StudentFirst@infa620-nixent01 ~]$   Transfer this file, iptables_rules-July17-17.txt,first to the workspsace Desktop. From there, you can email the file using  the Chrome browser to yourself and then submit it to the Lab 4 folder in the classroom.   (10 Points) Also, provide a short summary of your experience of using DaaS for this Lab (Difficulties you have encountered, what worked, what did not work, etc.)

Looking for this or a Similar Assignment? Click below to Place your Order

Open chat
%d bloggers like this: