Homework answers / question archive / Please see attachment "Lab-03" for instructions

Please see attachment "Lab-03" for instructions

Computer Science

Share With

Please see attachment "Lab-03" for instructions. See "Sample Lab-03 Report" for clarification if needed.

LAB-03: IPTables and Honeypots

Section-A: IPTables

The Linux kernel comes with a packet filtering framework named net-filter. It allows you to allow, drop and modify traffic leaving in and out of a system. A tool, iptables builds upon this functionality to provide a powerful firewall, which you can configure by adding rules. In addition, other programs such as fail2ban also use iptables to block attackers. In this lab, we’re going to take a look at how iptables works. We’re also going to look at a few examples, which will help you write your own rules.

1. How does iptables work?

iptables is just a command-line interface to the packet filtering functionality in net-filter. However, to keep this lab simple, we won’t make a distinction between iptables and net-filter in this article, and simply refer to the entire thing as “iptables”.

The packet filtering mechanism provided by iptables is organized into three different kinds of structures: tables, chains and targets. Simply put, a table is something that allows you to process packets in specific ways. The default table is the filter table, although there are other tables too. Again, these tables have chains attached to them. These chains allow you to inspect traffic at various points, such as when they just arrive on the network interface or just before they’re handed over to a process. You can add rules to them match specific packets — such as TCP packets going to port 80 — and associate it with a target. A target decides the fate of a packet, such as allowing or rejecting it.

When a packet arrives (or leaves, depending on the chain), iptables matches it against rules in these chains one-by-one. When it finds a match, it jumps onto the target and performs the action associated with it. If it doesn’t find a match with any of the rules, it simply does what the default policy of the chain tells it to. The default policy is also a target. By default, all chains have a default policy of allowing packets. Now, we’re going to take a deeper look into each of these structures.

1. 1. Tables

As we’ve mentioned previously, tables allow you to do very specific things with packets. On a modern Linux distributions, there are four tables:

• • • The filter table: This is the default and perhaps the most widely used table. It is used to make

decisions about whether a packet should be allowed to reach its destination.

• • • The mangle table: This table allows you to alter packet headers in various ways, such as changing TTL values.
    • The nat table: This table allows you to route packets to different hosts on NAT (Network Address Translation) networks by changing the source and destination addresses of packets. It is often used to allow access to services that can’t be accessed directly, because they’re on a NAT network.

1. 3. Targets

 

As we’ve mentioned before, chains allow you to filter traffic by adding rules to them. So for example, you could add a rule on the filter table’s INPUT chain to match traffic on port 22. But what would you do after matching them? That’s what targets are for — they decide the fate of a packet.

 

Some targets are terminating, which means that they decide the matched packet’s fate immediately. The packet won’t be matched against any other rules. The most commonly used terminating targets are:

• • • ACCEPT: This causes iptables to accept the packet.
    • DROP: iptables drops the packet. To anyone trying to connect to your system, it would appear like the system didn’t even exist.
    • REJECT: iptables “rejects” the packet. It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.

On the other hand, there are non-terminating targets, which keep matching other rules even if a match was found. An example of this is the built-in LOG target. When a matching packet is received, it logs about it in the kernel logs. However, iptables keeps matching it with rest of the rules too.

Sometimes, you may have a complex set of rules to execute once you’ve matched a packet. To simplify things, you can create a custom chain. Then, you can jump to this chain from one of the custom chains. Now that we know about the theory behind iptables, we’ll look at some examples.

 

2. A note regarding iptables commands

 

 

you can add sudo in front of every iptables command.

You also need to execute all iptables commands as root. You can launch a root shell by typing   in su -c and then typing in your root password and then run the commands in this lab. Alternatively,

There are two versions of the Internet Protocol — IPv4 and IPv6. These protocols have some differences and are handled differently in the kernel. Thus, iptables provides different commands for these protocols — iptables for IPv4 and ip6tables for IPv6. However, the options accepted by these commands doesn’t vary too much. We’ve discussed these differences later in the appropriate sections in this lab.

 

3. For the scope of this iptables lab, we are going to work with one of the default tables called

filter. Filters table has three chains (sets of rules).

INPUT – This chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.

FORWARD – This chain is used to filter packets that are incoming to the server but are to be forwarded somewhere else.

OUTPUT – This chain is used to filter packets that are going out from your server.

Step 1 – Installing Iptables Linux Firewall

***When creating virtual box, please use name “Thao” when command is display showing name***

1. Installing Iptables

Iptables comes pre-installed in almost all of the Linux distributions. But if you don’t have it installed on Ubuntu/Debian system use:

sudo apt-get update

sudo apt-get install iptables

2. Checking current Iptables status

With this command, you can check the status of your current Iptables configuration. Here -L option is used to list all the rules and -v option is for a more tedious list. Please note that these options are case sensitive.

sudo iptables -L -v

Example output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source             destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source             destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target     prot opt in     out     source             destination

This is the output of the above command. Here, all three chains are set to default ACCEPT policy. There are currently no rules for any of the chains. To make this Iptables LAB more practical, we will modify the INPUT chain to filter the incoming traffic