ID: 0506793

Firewall Assignment
Internet Security

Zaid Almay

In addition to the documentation requirements set out above, to achieve a PASS / Dgrade you must:

Add the SNAT rule(s) necessary to allow hosts on the Internal network to access webservers on the Internet which may be represented for test purposes by a server attached to the external subnet.

R: iptables -A POSTROUTING -t nat -o eth0 -p tcp --dport 80 -j SNAT --to-source 193.63.10.6

Add any stateful filtering rule(s) necessary to allow hosts on the Internal network to access webservers on the Internet which may be represented for test purposes by a server attached to the external subnet.

iptables -A FORWARD -o eth0 -s 192.168.2.0/24 -j DROP

Add the necessary rule(s) to prevent direct access to the Internet (i.e. using routing without SNAT) from the internal network.

iptables -A FORWARD -s 192.168.2.0/24 -p tcp --dport 80 -m state state NEW,RELATED,ESTABLISHED -j ACCEPT

Add the rules to block packets entering the external interface from RFC1918 addresses.

iptables -A FORWARD -i eth0 -m iprange --src-range 192.168.0.0-192.168.255.255 -j DROP iptables -A FORWARD -i eth0 -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP iptables -A FORWARD -i eth0 -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP

Show that you can block access to 80.239.254.24 port 80 on the Internet.

iptables -A FORWARD -d 80.239.254.24 -p tcp --dport 80 -j DROP

Provide a diagram of the configuration you have used showing the firewall-attached subnets and IP address, subnet mask and default gateway settings for the interfaces on the firewall, Web servers, and test hosts.

Provide evidence of SNAT in operation in the form of output from the tcpdump utility when a Web (http) browser on an internal host requests a page from a Web server on the external network. Make sure that you capture traffic in both directions. Explain how your output proves that SNAT is in operation. Explain briefly in your own words how SNAT operates and why it is needed.
On Machine A Start the apache server using 'service httpd restart' (Note I always use restart because having more than one http daemon running can be extremely confusing) You should see a response such as httpd started OK. On Machine B Test that you can access the Webserver on machine A from a browser on machine B using 'elinks 193.63.10.10'. This simulates a client on the internal network connecting to an external Webserver. On Machine R Run tcpdump -i any on machine R On machine B Ping machine A. On machine R Examine the packets carefully and make a note of what changes SNAT makes to the outgoing and incoming packets. Note that we do not need a separate rule for the returning traffic. What happens if you try to ping from A to B? On Machine B Test that you can access the Webserver on machine A from a browser on machine B using 'elinks 193.63.10.10'. On machine R Examine the packets carefully and make a note of what changes SNAT makes to the outgoing and incoming packets. Note in particular the connection open sequence and http request and response packets.

To achieve a C-grade you must: Complete the work as for a D grade above and:

Add the DNAT rule(s) necessary to allow hosts on the Internet (which may be represented for test purposes by a client attached to the external subnet 193.69.10.0/24) to access a webserver in the DMZ

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.16.1.100 iptables -A POSTROUTING -t nat -o eth1 -p tcp --dport 80 -j SNAT --to-source 193.63.10.6

Add the necessary rule(s) to prevent direct access to the DMZ (i.e. using routing rather than DNAT) from the external network.

iptables -A FORWARD -i eth0 -d 172.16.10.100 -j DROP

Provide evidence of DNAT in operation in the form of output from the tcpdump utility when a Web (http) browser on the external network requests a page from a server in the DMZ. Make sure that you capture traffic in both directions. Explain how your output proves that DNAT is in operation. Explain briefly in your own words how DNAT operates and why it is needed.

tcpdump -i any' on machine R

Provide rate limiting on ICMP packets.

iptables -A INPUT -p icmp -m limit --limit 1/s -i eth0 -j ACCEPT iptables -A INPUT -p icmp -i eth0 -j DROP

To achieve a B-grade you must: Complete the work as for a C grade above and:

Add appropriate egress filtering on the firewall.

iptables -A OUTPUT -o eth1 -s 172.16.0.0/12 -j DROP iptables -A OUTPUT -o eth2 -s 192.168.0.0/12 -j DROP B: elinks 172.16.1.100 R: screen shot of ICMP is well

Configure a proxy server (e.g. squid) in the DMZ.

C: service squid restart

Add the SNAT rule(s) necessary to allow the proxy server (ONLY) on the DMZ to access webservers on the Internet which may be represented for test purposes by a server attached to the external subnet 193.63.10.0/24.

R: iptables -A POSTROUTING -t NAT -o eth1 -p tcp --dport 80 -j NAT --to-source 193.63.10.6 A: elinks 172.16.1.100 screen shot of ICMP is well

Add any stateful filtering rule(s) necessary to allow the proxy server in the DMZ to access webservers on the Internet which may be represented for test purposes by a server attached to the external subnet 193.69.10.0/24.

R: iptables -A FORWARD -o eth1 -s 193.63.10.0/24 -j DROP

Add the necessary rule(s) to prevent direct access to the Internet (i.e. without going through the proxy server) from the internal network for port 80 traffic.

R: iptables -A FORWARD -s 192.168.2.0/24 -p tcp --dport 80 -j REJECT

Configure the browser on the internal test host to use the proxy server in the DMZ.

C:service httpd restart

Provide a diagram of the configuration you have used showing the firewall-attached subnets and IP address, subnet mask and default gateway settings for the interfaces on the firewall, Web and proxy servers, and test hosts.

Provide output from the proxy server log file to prove that the proxy server is operating correctly

C: vi /var/log/squid/access.log

Provide evidence of SNAT in operation in the form of output from the tcpdump utility when a Web (http) browser on an internal host requests a page from a Web server on the external network through the proxy server. Make sure that you capture traffic in both directions.
elinks 172.16.1.100 screen shot of ICMP is well

Show that you can block access to www.whitehouse.com iptables -A OUTPUT -p tcp -m string --string "whitehouse.com" --algo kmp -j DROP Show that you can block access to facebook during office hours (9-5)

R: iptables -A FORWARD -d 69.171.229.15 -p tcp -m time --time start 09:00 --timestop 17:00 -j REJECT service squid start screen shot of ICMP is well http://bredsaal.dk/blocking-facebook-com-from-9-to-5-with-iptables-and-the-time-module

To achieve an A-grade you should: Complete the work as for a B-grade above and:

Create a Public key certificate for your Webserver and test the SSL connection to the Webserver providing evidence of the certificate as viewed in the browser.

Inter CERT mode: rm localhost.crt Is ca-bundle.crt make-dummy-cert Makefile service httpd restart

Generate new key: Inter private mode: rm localhost.key cd cd /etc/pki/tls Is cert.pem certs misc openssl.cnf private cd cd /etc/pki/tls/private /usr/bin/openssl genrsa -des3 1024 > /etc/pki/tls/private/localhost.key http://elearning.bolton.ac.uk/mod/resource/view.php?id=78305

Ensure that only necessary services are running or are accessible on the Webserver and that only traffic specifically required for the assignment is allowed through the firewall in any direction.

nmap 192.168.244.191

Provide evidence (eg by using nmap) that the requirements stated above have been achieved.

nmap 192.168.244.191