03CIT4059 Information Security Fundamentals
Lab 02
This worksheet contains 1 part.
Question 1: lab_659ABD10: Linux host-based firewall configuration
Objective:
‧ Experience the installation and usage of a host‑based firewall.
‧ Use host‑based firewall to protect information security.
‧ Review the knowledge learnt in the Access Control, Network Security and Operating System Security lectures.
Introduction:
Most modern operating systems now bundle some firewall software; iptables is one of those used on the Linux operating system.
Other firewall software is available on the Linux platform as well, such as nftables.
These firewalls use "packet filtering" technology: each network packet is inspected and filtered based on its source/destination IP address, port number and the protocol being used.
Environment:
‧ Lab PC installed with VirtualBox.
Lab Topology:
The virtual environment is created as follows.
Figure 1: lab02_00_01
Steps:
Pre-requisite:
1. Start VirtualBox
2. Download the VM, Ununtu-22.04.ova, from the Lab network drive.
3. Import the VM into VirtualBox via File > Import Appliance... and then select the downloaded VM in the dialog.
4. Start the VM after the import is successful.
5. Log in to the VM (Ubuntu) with the following credentials.
Username linux
Password linux
6. You will see the Ubuntu Desktop as follows.
Task 1: Setup the virtual environment
The following commands are run in VirtualBox VM.
1. Open a Terminal in the VM. Run the following git command to clone the repository to your VM.
git clone https://github.com/edugarrickhkct/03cit4059-lab_659ABD10.git
2. Run the following commands in the terminal to set up the topology.
cd 03cit4059-lab_659ABD10
sudo docker-compose up -d
3. In lab02-firewall-1, you will see the following.
[+] Running 5/5
 Network lab02_lan2            Created   0.0s
 Network lab02_lan1            Created   0.0s
 Container lab02-firewall-1    Started   0.9s
 Container lab02-linux-1       Started   0.6s
 Container lab02-linux-2       Started   0.8s
When you run the command, docker-compose downloads the corresponding images and creates the virtual environment shown in the Lab Topology section.
4. In lab02-firewall-1, run the command below to verify that the virtual system is running properly.
sudo docker ps
5. You will see the following output if the virtual system is ok.
Task 2: Enable the host-based firewall
1. Log in to lab02-firewall-1, the Linux machine installed with a host-based firewall, via Docker Dashboard or the following command.
sudo docker exec -it lab02-firewall-1 /bin/bash
2. Start the host‑based firewall by the following command.
systemctl start iptables
systemctl : A utility that allows an administrator to manage background services such as sshd
enable : Enable the service
start : Start the service
3. You can verify the status of the host‑based firewall by the following command.
systemctl status iptables
status : Show the status of a service
4. You will see the following output if the host-based firewall is started successfully.
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabl>
   Active: active (exited) since Sat 2023-04-01 12:00:25 UTC; 4s ago
  Process: 137 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/S>
 Main PID: 137 (code=exited, status=0/SUCCESS)

Apr 01 12:00:25 50f98917044a systemd[1]: Starting IPv4 firewall with iptables...
Apr 01 12:00:25 50f98917044a iptables.init[137]: iptables: Applying firewall rules: [  OK  ]
Apr 01 12:00:25 50f98917044a systemd[1]: Started IPv4 firewall with iptables.
Task 3: Show the host-based firewall status
1. You can check the host‑based firewall rules by the following command.
iptables -L --line-numbers
-L : Show all rules in a chain
--line-numbers : Show the rules with line numbers
2. You will see the following output.
Chain INPUT (policy ACCEPT)
num  target     prot opt source      destination
1    ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere    anywhere
3    ACCEPT     all  --  anywhere    anywhere
4    ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source      destination
1    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source      destination
Task 4: Add firewall rules
1. Login lab02-linux-1
sudo docker exec -it lab02-linux-1 /bin/bash
2. In lab02-linux-1 , ssh to lab02-firewall-1 by the following command.
ssh lab02-firewall-1
3. You should be able to ssh to lab02-firewall-1 and will see the output as follows.
[root@2fac61810975 /]# ssh lab02-firewall-1
root@lab02-firewall-1's password:
4. Repeat step 1 and step 2 in lab02-linux-2 for comparison.
5. In , add a new firewall rule which drops all the traffic from lab02-linux-1. The command is as follows.
iptables -I INPUT 1 -s 192.168.1.3 -j DROP
-I INPUT 1 : Insert the new rule into chain "INPUT" at position 1
-s 192.168.1.3 : This rule applies to packets whose source IP is 192.168.1.3
-j DROP : If the condition matches, jump to target DROP, which means drop the packet
7. In , run the following command to verify whether the new rule is effective.
iptables -L --line-numbers
8. You will see the following output.
Chain INPUT (policy ACCEPT)
num  target     prot opt source                    destination
1    DROP       all  --  lab02-linux-1.lab02_lan1  anywhere
2    ACCEPT     all  --  anywhere                  anywhere    state RELATED,ESTABLISHED
3    ACCEPT     icmp --  anywhere                  anywhere
4    ACCEPT     all  --  anywhere                  anywhere
5    ACCEPT     tcp  --  anywhere                  anywhere    state NEW tcp dpt:ssh
6    REJECT     all  --  anywhere                  anywhere    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source                    destination
1    REJECT     all  --  anywhere                  anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source                    destination
9. In lab02-linux-1, ssh to lab02-firewall-1 again by the following command.
ssh lab02-firewall-1
10. Now you will see nothing happen, as follows.
[root@2fac61810975 /]# ssh lab02-firewall-1
11. For comparison, try ssh from lab02-linux-2 to lab02-firewall-1 and see if there is any difference. Please describe the difference in the worksheet Task 4: Answer 1.
12. Add another new firewall rule which rejects all the traffic from lab02-linux-1. The command is as follows.
iptables -I INPUT 1 -s 192.168.1.3 -j REJECT
-j REJECT : If the condition matches, jump to target REJECT, which means reply to the sender with a rejection
13. Run the following command and verify whether the new rule is effective.
iptables -L --line-numbers
14. You will see the following output.
Chain INPUT (policy ACCEPT)
num  target     prot opt source                    destination
1    REJECT     all  --  lab02-linux-1.lab02_lan1  anywhere    reject-with icmp-port-unreachable
2    DROP       all  --  lab02-linux-1.lab02_lan1  anywhere
3    ACCEPT     all  --  anywhere                  anywhere    state RELATED,ESTABLISHED
4    ACCEPT     icmp --  anywhere                  anywhere
5    ACCEPT     all  --  anywhere                  anywhere
6    ACCEPT     tcp  --  anywhere                  anywhere    state NEW tcp dpt:ssh
7    REJECT     all  --  anywhere                  anywhere    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source                    destination
1    REJECT     all  --  anywhere                  anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source                    destination
15. In lab02-linux-1, ssh to lab02-firewall-1 again by the following command.
ssh lab02-firewall-1
16. You will see a rejection as follows. Please paste the result in Task 4: Answer 2.
[root@2fac61810975 /]# ssh lab02-firewall-1
ssh: connect to host lab02-firewall-1 port 22: Connection refused
17. Repeat step 7 in lab02-linux-2 for comparison.
Task 5: Remove the firewall rules
1. You can delete any firewall rule as well. Let's delete the first and second rules by the following commands. Note that after the first deletion the remaining rules are renumbered, so the former rule 2 becomes rule 1 and the same command is run twice.
iptables -D INPUT 1
iptables -D INPUT 1
-D INPUT 1 : Delete the first rule in the chain "INPUT"
2. Run the following command to verify whether the change is effective.
iptables -L --line-numbers
3. You will see the following output.
Chain INPUT (policy ACCEPT)
num  target     prot opt source      destination
1    ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere    anywhere
3    ACCEPT     all  --  anywhere    anywhere
4    ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source      destination
1    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source      destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
4. In lab02-linux-1, ssh to lab02-firewall-1 by the following command.
ssh lab02-firewall-1
5. You should be able to ssh to lab02-firewall-1 and will see the output as follows.
[root@2fac61810975 /]# ssh lab02-firewall-1
root@lab02-firewall-1's password:
Task 6: Add firewall rule (2)
1. In lab02-linux-1, ssh to lab02-firewall-1 by the following command.
ssh lab02-firewall-1
2. You should be able to ssh to lab02-firewall-1 and will see the output as follows.
[root@2fac61810975 /]# ssh lab02-firewall-1
root@lab02-firewall-1's password:
3. Add a new firewall rule which drops all the traffic from lab02-linux-1. The command is as follows.
iptables -A INPUT -s 192.168.1.3 -j DROP
-A INPUT : Append the new rule to the end of chain "INPUT"
-s 192.168.1.3 : This rule applies to packets whose source IP is 192.168.1.3
-j DROP : If the condition matches, jump to target DROP, which means drop the packet
5. Run the following command to verify whether the new rule is effective.
iptables -L --line-numbers
6. Please paste the result of step 4 to the worksheet Task 6: Answer 1
7. In lab02-linux-1, ssh to lab02-firewall-1 by the following command.
ssh lab02-firewall-1
8. We can still ssh successfully to lab02-firewall-1. Do you know the reason? Please answer in the worksheet Task 6: Answer 2.
9. What kind of access control model is the host-based firewall using? Please select one correct answer from the list below and put the answer in the worksheet Task 6: Answer 3.
‧ Discretionary Access Control (DAC)
‧ Rule‑Based Access Control
‧ Role‑Based Access Control
‧ Attribute‑Based Access Control
‧ Mandatory Access Control (MAC)
Task 7: Port scanning
1. In lab02-linux-1, install the utility called nmap by the following command.
yum install nmap -y
yum : A software management utility in Linux
install nmap -y : Install the software nmap and automatically answer any question with "yes" during the installation
2. You will see the following output during the installation.
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: mirror-hk.koddos.net
 * extras: mirror-hk.koddos.net
 * updates: mirror-hk.koddos.net
base                                    | 3.6 kB  00:00
extras                                  | 2.9 kB  00:00
updates                                 | 2.9 kB  00:00
updates/7/x86_64/primary_db             |  20 MB  00:02
3.
After the utility is installed, you can port-scan lab02-firewall-1 by running the following command in lab02-linux-1.
nmap lab02-firewall-1
4. You will see the following output.
Starting Nmap 6.40 ( http://nmap.org ) at 2023-04-01 15:12 UTC
Nmap scan report for lab02-firewall-1 (192.168.1.2)
Host is up (0.000062s latency).
rDNS record for 192.168.1.2: lab02-firewall-1.lab02_lan1
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:C0:A8:01:02 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 15.24 seconds
5. In lab02-firewall-1, add the firewall rule as follows.
iptables -I INPUT 1 -s 192.168.1.3 -j DROP
6. In lab02-linux-1, run the port scan again as follows.
nmap lab02-firewall-1
7. You will see the following output.
Starting Nmap 6.40 ( http://nmap.org ) at 2023-04-01 15:13 UTC
Nmap scan report for lab02-firewall-1 (192.168.1.2)
Host is up (0.000056s latency).
rDNS record for 192.168.1.2: lab02-firewall-1.lab02_lan1
All 1000 scanned ports on lab02-firewall-1 (192.168.1.2) are filtered
MAC Address: 02:42:C0:A8:01:02 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds
8. Please describe the difference between the nmap results in steps 4 and 7 and put your answer in Task 7: Answer 1 of the worksheet.
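The rule-ordering and verdict behaviour exercised in Tasks 4, 6 and 7 can be reproduced offline with the Python model below. It is an added illustration for this worksheet, not code from the lab repository or from iptables itself: it re-implements first-match traversal over the INPUT chain listed in Task 3, and assumes rule 3 is the usual loopback rule (-i lo), which `iptables -L` hides unless -v is given.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    target: str            # ACCEPT, DROP or REJECT
    proto: str = None      # None = "all"
    src: str = None        # None = "anywhere"
    dport: int = None      # None = any destination port
    states: set = None     # -m state --state ... (None = any state)
    in_iface: str = None   # -i <iface>; `iptables -L` hides this unless -v is given

@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 22
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or RELATED
    in_iface: str = "eth0"

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.states is None or pkt.state in rule.states)
            and (rule.in_iface is None or rule.in_iface == pkt.in_iface))

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; the chain policy applies if none matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

def lab_input_chain():
    # The five INPUT rules listed in Task 3. Rule 3 is assumed to be the usual
    # loopback rule (-i lo); the page's `iptables -L` listing does not show it.
    return [Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
            Rule("ACCEPT", proto="icmp"),
            Rule("ACCEPT", in_iface="lo"),
            Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
            Rule("REJECT")]

def ssh_client_sees(chain, src):
    """What `ssh lab02-firewall-1` run from `src` observes for its first SYN."""
    return {"ACCEPT": "password prompt", "REJECT": "Connection refused",
            "DROP": "hangs, no reply"}[verdict(chain, Packet(src=src))]

def nmap_state(chain, src, dport, listening):
    """Nmap reports closed only on a TCP RST; ICMP errors and silence are filtered."""
    v = verdict(chain, Packet(src=src, dport=dport))
    return ("open" if listening else "closed") if v == "ACCEPT" else "filtered"
```

`chain.insert(0, rule)` corresponds to `iptables -I INPUT 1` and `chain.append(rule)` to `iptables -A INPUT`; a rule appended after the catch-all REJECT is never reached, because the walk stops at the first match.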
—End—