This assignment introduces you to some firewalling basics, namely packet filtering with Linux iptables/netfilter. You will first set up a router that works as a firewall between the other two machines. The firewall is then extended with a web proxy.
Please save all your answers and other notes on computers other than the lab computers.
You need all three virtual machines: one as the router/firewall and the other two in their own subnetworks. The virtual machines have several network interfaces connected to different networks. The eth0 interfaces are what you use to reach the machines, so do not modify them, and make sure you never block traffic to eth0. Virtual machine 1 has two additional network interfaces (eth1 and eth2), so it will be used as the firewall. You can use either machine 2 or machine 3 as the filtered machine. Machine 2's eth1 interface is connected to machine 1's eth1, and machine 3's eth1 interface is connected to machine 1's eth2.
First you will create a router between the second and the third machine, to control the traffic going in and out of the filtered machine through its eth1 interface.
Give the eth1 and eth2 interfaces of the machines IP addresses from the 192.168.X.Y address space using ifconfig(8). Put machine 2 and machine 3 in different subnets.
Give the interfaces hostnames, such as Lab2, Lab3, Router-2 and Router-3, in the /etc/hosts file.
On machines 2 and 3, add the necessary network routes to the other subnet through the machines' eth1 interfaces. Do not change the default gateway or you will lose your connection to the machines. Use route(8) with the -net switch.
Enable forwarding and ARP proxying on the router (machine 1) for the eth1 and eth2 interfaces.
Use the following sysctl(8) commands:
sysctl -w net.ipv4.conf.eth1.forwarding=1
sysctl -w net.ipv4.conf.eth2.forwarding=1
sysctl -w net.ipv4.conf.eth1.proxy_arp=1
sysctl -w net.ipv4.conf.eth2.proxy_arp=1
Check that no firewall is active at this point (service iptables stop), and test that routing works with ping(8). You should be able to ping the other machines from each of them.
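The following script is an added example of the router setup described above; it is not part of the assignment and is not a required solution. The concrete addresses (192.168.1.0/24 behind the router's eth1, 192.168.2.0/24 behind eth2), the netmask and the hostnames are assumptions, since the text only says "192.168.X.Y". By default it only prints the commands it would run (DRY_RUN=1); run it as root on each machine with DRY_RUN=0 and the machine's role as the argument.

```shell
#!/bin/sh
# Added example (not the assignment's own text): builds the part 1 router
# setup for one of the three machines. Addresses, hostnames and the netmask
# are assumptions.
#
#   DRY_RUN=0 sh router-setup.sh router   # on machine 1
#   DRY_RUN=0 sh router-setup.sh lab2     # on machine 2
#   DRY_RUN=0 sh router-setup.sh lab3     # on machine 3
set -e
: "${DRY_RUN:=1}"

# Assumed addressing: machine 2 sits in 192.168.1.0/24 behind the router's
# eth1, machine 3 in 192.168.2.0/24 behind the router's eth2.
NETMASK=255.255.255.0
ROUTER_ETH1=192.168.1.1    # Router-2 in /etc/hosts
ROUTER_ETH2=192.168.2.1    # Router-3
LAB2=192.168.1.2           # Lab2, on machine 2's eth1
LAB3=192.168.2.3           # Lab3, on machine 3's eth1

# Print the command in dry-run mode (quoting is not preserved in the
# printout), execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# /etc/hosts lines for the new interfaces.
hosts_lines() {
    printf '%s\n' \
        "$ROUTER_ETH1 Router-2" "$ROUTER_ETH2 Router-3" \
        "$LAB2 Lab2" "$LAB3 Lab3"
}

setup_router() {
    run ifconfig eth1 "$ROUTER_ETH1" netmask "$NETMASK" up
    run ifconfig eth2 "$ROUTER_ETH2" netmask "$NETMASK" up
    # Per-interface forwarding is what makes the box a router; proxy_arp is
    # what the assignment asks for, although it is not strictly needed once
    # both lab hosts have explicit routes via the router.
    for dev in eth1 eth2; do
        run sysctl -w "net.ipv4.conf.$dev.forwarding=1"
        run sysctl -w "net.ipv4.conf.$dev.proxy_arp=1"
    done
}

# Each lab host gets its own address and a -net route to the other subnet
# via the router. The default gateway (on eth0) is deliberately untouched.
setup_lab2() {
    run ifconfig eth1 "$LAB2" netmask "$NETMASK" up
    run route add -net 192.168.2.0 netmask "$NETMASK" gw "$ROUTER_ETH1"
}

setup_lab3() {
    run ifconfig eth1 "$LAB3" netmask "$NETMASK" up
    run route add -net 192.168.1.0 netmask "$NETMASK" gw "$ROUTER_ETH2"
}

# Connectivity check for part 1: every host should reach all four lab
# addresses through the router. Fails on the first unreachable address.
check_routing() {
    for ip in "$ROUTER_ETH1" "$ROUTER_ETH2" "$LAB2" "$LAB3"; do
        run ping -c 3 -W 2 "$ip"
    done
}

main() {
    case "${1:-router}" in
        router) setup_router ;;
        lab2)   setup_lab2 ;;
        lab3)   setup_lab3 ;;
        *) echo "usage: $0 router|lab2|lab3" >&2; return 2 ;;
    esac
    if [ "$DRY_RUN" = 0 ] && ! grep -q Router-2 /etc/hosts; then
        hosts_lines >> /etc/hosts
    fi
    check_routing
}

main "$@"
```

Review the dry-run output before applying it: a mistyped route on machine 2 or 3 is harmless, but changing anything on eth0 or the default gateway locks you out of the machine.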
1.1 | List all commands you used to create the router setup, and briefly explain what they do. List the results of the pinging as well. | 2 p |
Start by scanning the filtered machine with nmap(1) from the other (non-router) machine to see what services are running there. Try to gather as much information about the machine as feasible, including software versions and the operating system.
Set up an iptables(8) policy that disallows traffic through the router by default. Change rules only in the FORWARD chain! Then add rules that only allow ping(8) from the filtered machine. Let packets in only on the interface connected to the filtered machine (-i eth1 or -i eth2). Filter on the ethernet device (interface), not on IP addresses. You can also use iptables' logging features as needed; the logs can be read with dmesg(1) or from /var/log/messages. See also syslogd(8).
Once that works, further open up your ruleset to allow ssh connections to and from the filtered machine, and make it possible to "browse" the web, using e.g. lynx(1), and to transfer files with ftp from the filtered machine. You can set up a web server, e.g. httpd(8), and an FTP server, e.g. proftpd(8), on the other machine for testing; install them with yum(8). Remember to allow return traffic from machines to which a successful connection has been opened from the filtered machine (connection tracking). Use as restrictive a ruleset as is reasonable, but remember to open the DNS port for testing purposes, or you will have to use IP addresses. You will probably need the "ip_conntrack_ftp" kernel module (called nf_conntrack_ftp on newer kernels) for FTP filtering, so remember to load it with modprobe(8).
Finally, rescan the filtered machine to verify that your ruleset works as expected.
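The script below is an added example of a FORWARD-chain ruleset for the steps above, including the DROP versus REJECT comparison asked for in 2.4; it is not the assignment's own solution and is only a starting point. It assumes machine 2 (behind the router's eth1, address 192.168.1.2) is the filtered machine and machine 3 (behind eth2) runs the test servers; the interface names, the address and the log prefix are assumptions. Only the FORWARD chain is touched, so management access over eth0 is unaffected. As with the setup script, DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the assignment's own solution: a FORWARD-chain ruleset
# for part 2. Assumes the filtered machine is behind the router's eth1 and
# the machine running httpd/proftpd is behind eth2. Only FORWARD is touched,
# so eth0 management traffic is never affected.
#
#   DRY_RUN=0 sh fw.sh            # apply; unmatched traffic is DROPped
#   DRY_RUN=0 REJECT=1 sh fw.sh   # same, but REJECT instead (for 2.4)
set -e
: "${DRY_RUN:=1}"
: "${REJECT:=0}"
FILTERED_IF=eth1            # router interface towards the filtered machine
OTHER_IF=eth2               # router interface towards the test servers
FILTERED_HOST=192.168.1.2   # assumed address of the filtered machine

# Print the command in dry-run mode (quoting is not preserved), else run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

firewall_rules() {
    # FTP opens a separate data connection; the conntrack helper marks it
    # RELATED so the generic state rule below lets it through.
    # (The module is named nf_conntrack_ftp on newer kernels.)
    run modprobe ip_conntrack_ftp

    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # Replies to connections opened from the filtered side, plus RELATED
    # traffic such as FTP data and ICMP errors, come back in via eth2.
    run iptables -A FORWARD -i "$OTHER_IF" -o "$FILTERED_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies from the filtered machine to ssh sessions opened towards it.
    run iptables -A FORWARD -i "$FILTERED_IF" -o "$OTHER_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections may originate from the filtered machine only: ping,
    # ssh, http, ftp control channel, and DNS so that names resolve.
    run iptables -A FORWARD -i "$FILTERED_IF" -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A FORWARD -i "$FILTERED_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$FILTERED_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$FILTERED_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$FILTERED_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$FILTERED_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # The one service reachable from outside: ssh to the filtered machine.
    run iptables -A FORWARD -i "$OTHER_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log what is about to be refused (read with dmesg or /var/log/messages),
    # rate-limited so that a port scan cannot flood the log.
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD-DENY: "

    # DROP silently discards the packet and the sender times out; REJECT
    # answers with a TCP RST or an ICMP error, which a scanner on the other
    # side can tell apart from a filtered port.
    if [ "$REJECT" = 1 ]; then
        run iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
        run iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    fi
    # With REJECT=0 the DROP policy handles everything that falls through.
}

# Run on the non-router machine, before and after applying the rules.
# -Pn skips host discovery: once the rules are active, the filtered machine
# no longer answers ping from this side and nmap would otherwise give up.
scan_filtered_host() {
    run nmap -Pn -sS -sV -O "$FILTERED_HOST"
}

firewall_rules
```

Test cases for 2.3 follow directly from the rules: a ping from the filtered machine succeeds and one towards it does not, an ssh session works in both directions, an FTP directory listing from the filtered machine works only while the conntrack helper is loaded, and a connection to any other port leaves a "FWD-DENY:" line in the log.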
2.1 | List services that were found scanning the filtered machine without the firewall blocking and with your set of rules active. How accurately did the scanner detect the properties of the machine and its services? | 2 p |
2.2 | List the commands used to implement the ruleset with explanations. | 5 p |
2.3 | Create a few test cases to verify your ruleset. Run the tests and provide minimal, but sufficient snippets of iptables' or tcpdump's logs to support your test results. | 5 p |
2.4 | Explain the difference between netfilter/iptables' DROP and REJECT targets. Test both of them, and explain your findings. | 4 p |
In addition to packet filtering, a proxy can be used to control traffic. Next you will set up a web proxy and force all HTTP traffic through it, where more detailed rules can be applied.
Capture the HTTP headers you receive from the other machine for a "before and after" comparison.
On the router machine, configure a squid(8) web proxy to serve only the filtered machine, and start the proxy. Note that several configuration options must be changed for transparent proxying to work correctly. Before you change the configuration file, make a backup copy with the suffix .orig.
Configure your router to redirect all TCP traffic from the filtered machine that is destined for port 80 to your squid proxy.
Try browsing the web (or in this case what the other machine is serving) from the filtered machine. Again, capture the HTTP headers you receive from the other machine.
Configure your squid(8) proxy to disallow access to the other machine's pages.
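The script below is an added example of the redirection and the squid configuration for the proxy steps above; it is not the assignment's own solution. It assumes the filtered machine is behind the router's eth1 in 192.168.1.0/24, that the other machine is 192.168.2.3, that squid listens on its default port 3128, and the ACL names are made up. With DRY_RUN=1 (the default) it prints the iptables commands and the squid.conf lines instead of applying them.

```shell
#!/bin/sh
# Added example, not the assignment's own solution: part 3 redirection of
# the filtered machine's port-80 traffic into a squid proxy on the router,
# plus the squid.conf lines it relies on. Addresses, ACL names and the
# squid port are assumptions.
#
#   DRY_RUN=0 sh proxy.sh
set -e
: "${DRY_RUN:=1}"
FILTERED_IF=eth1              # router interface towards the filtered machine
FILTERED_NET=192.168.1.0/24   # subnet of the filtered machine
OTHER_HOST=192.168.2.3        # the machine whose pages are to be blocked
SQUID_PORT=3128

# Print the command in dry-run mode (quoting is not preserved), else run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

proxy_rules() {
    # REDIRECT lives in the nat table's PREROUTING chain and rewrites only
    # the destination port, so port-80 TCP from the filtered machine ends
    # up at the router's own squid listener. Matching on -i keeps eth0 out.
    run iptables -t nat -A PREROUTING -i "$FILTERED_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # Redirected packets are delivered locally, so they traverse INPUT, not
    # FORWARD: accept them there, on the filtered interface only.
    run iptables -A INPUT -i "$FILTERED_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # squid fetches the pages itself over eth2; that is OUTPUT on the
    # router and needs no FORWARD rule.
}

# Lines to change in /etc/squid/squid.conf after copying it to
# squid.conf.orig. http_access is first-match, so the deny for the other
# machine must precede the allow for the filtered network. Squid 2.x calls
# the interception mode "transparent"; squid 3.1 and later use "intercept".
squid_conf_fragment() {
    cat <<EOF
http_port $SQUID_PORT transparent
acl filtered_net src $FILTERED_NET
acl blocked_server dst $OTHER_HOST
http_access deny blocked_server
http_access allow filtered_net
http_access deny all
EOF
}

# Header capture for the before/after comparison, run on the filtered
# machine: -A prints payloads as ASCII so request and response headers are
# readable; -s 0 captures whole packets.
capture_headers() {
    run tcpdump -i eth1 -nn -A -s 0 tcp port 80
}

proxy_rules
squid_conf_fragment
capture_headers
```

Apply the redirection only after the proxy is confirmed to be listening (netstat -tlnp on the router), otherwise every page load from the filtered machine fails with a connection refused instead of a squid error page, which makes the fault harder to tell from a firewall problem.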
3.1 | List the commands you used to send the traffic to the proxy with explanations. | 2 p |
3.2 | Provide a unified diff of your squid.conf file against the original. Use 'diff -u squid.conf.orig squid.conf' (original first, so that your additions appear with a leading '+') to get the differences. Explain the changes you made. | 6 p |
3.3 | List the differences in the "before and after" headers of the HTTP query to the other machine. What has changed? | 2 p |
4.1 | How would you improve this assignment? You can suggest something to be done or asked in the exercise, or something to be left out. Please report any errors and typos, and also let us know if you did not understand some question. Was the assignment too easy or too hard? Estimate also how much time you spent on this assignment. | 2 p |