Please see attachment "Lab-03" for instructions. See "Sample Lab-03 Report" for clarification if needed.
LAB-03: IPTables and Honeypots
The Linux kernel comes with a packet filtering framework named netfilter. It allows you to accept, drop and modify traffic entering or leaving a system. The tool iptables builds on this functionality to provide a powerful firewall, which you configure by adding rules. Other programs, such as fail2ban, also use iptables to block attackers. In this lab we’re going to take a look at how iptables works, and at a few examples that will help you write your own rules.
iptables is just a command-line interface to the packet filtering functionality in netfilter. To keep this lab simple, we won’t make a distinction between iptables and netfilter, and will simply refer to the whole thing as “iptables”.
The packet filtering mechanism provided by iptables is organized into three kinds of structures: tables, chains and targets. Simply put, a table is something that allows you to process packets in a specific way. The default table is the filter table, although there are other tables too. Each table has chains attached to it. These chains allow you to inspect traffic at various points, such as when a packet has just arrived on the network interface or just before it is handed over to a process. You add rules to a chain to match specific packets — such as TCP packets going to port 80 — and associate each rule with a target. A target decides the fate of a packet, such as allowing or rejecting it.
When a packet arrives (or leaves, depending on the chain), iptables matches it against the rules in the chain one by one, in order. When it finds a match, it jumps to the target and performs the action associated with it. If no rule matches, it simply does what the default policy of the chain tells it to. The default policy is also a target. Out of the box, all built-in chains have a default policy of ACCEPT, so nothing is filtered until you add rules or change the policy. Now, we’re going to take a deeper look into each of these structures.
As we’ve mentioned previously, tables allow you to do very specific things with packets. On modern Linux distributions there are four tables:
filter – The default table. Its rules make decisions about whether a packet should be allowed to reach its destination.
nat – Used to rewrite the source or destination address and port of packets (network address translation), for example to masquerade outbound traffic or forward a port to an internal host.
mangle – Used to alter packet headers, such as the TTL, or to set marks that other parts of the kernel (for example policy routing) act on.
raw – Consulted before connection tracking; its main use is to mark packets with NOTRACK so that conntrack ignores them.
In addition, some kernels also have a security table. It is used by SELinux to implement policies based on SELinux security contexts.
Now, each of these tables is composed of a few default chains. These chains allow you to filter packets at various points. The chains iptables provides are:
PREROUTING – Just after a packet arrives on a network interface, before any routing decision (raw, mangle and nat tables).
INPUT – Packets addressed to the local host, just before they are handed to a process (mangle and filter tables, and nat on recent kernels).
FORWARD – Packets that are routed through this host to another destination (mangle and filter tables).
OUTPUT – Packets generated by local processes (raw, mangle, nat and filter tables).
POSTROUTING – Just before a packet leaves a network interface, after routing (mangle and nat tables).
The diagram below shows the flow of packets through the chains in the various tables. In short: an arriving packet passes PREROUTING, then a routing decision sends it either to INPUT (and on to a local process) or to FORWARD and then POSTROUTING; a packet generated locally passes OUTPUT and then POSTROUTING.
As we’ve mentioned before, chains allow you to filter traffic by adding rules to them. So for example, you could add a rule on the filter table’s INPUT chain to match traffic on port 22. But what would you do after matching them? That’s what targets are for — they decide the fate of a packet.
Some targets are terminating, which means that they decide the matched packet’s fate immediately. The packet won’t be matched against any further rules. The most commonly used terminating targets are:
ACCEPT – Let the packet through.
DROP – Discard the packet silently; the sender gets no response and typically sees a timeout.
REJECT – Discard the packet and send an error back to the sender (by default an ICMP port-unreachable message; with --reject-with tcp-reset a TCP RST is sent instead).
On the other hand, there are non-terminating targets: after such a target runs, iptables keeps matching the packet against the remaining rules. An example is the built-in LOG target. When a matching packet is received, it writes a message about the packet to the kernel log, and iptables then continues with the rest of the rules. This is why a LOG rule is usually placed immediately before the DROP or REJECT rule that will terminate the packet.
Sometimes, you may have a complex set of rules to execute once you’ve matched a packet. To simplify things, you can create a custom chain and jump to it from one of the built-in chains. If the packet reaches the end of the custom chain without hitting a terminating target, processing returns to the calling chain at the rule after the jump. Now that we know the theory behind iptables, we’ll look at some examples.
You also need to execute all iptables commands as root. You can launch a root shell by typing su - (or sudo -i), entering the root password, and then running the commands in this lab. Alternatively, you can add sudo in front of every iptables command.
By default, iptables operates on the filter table. The filter table has three chains (sets of rules):
INPUT – This chain controls incoming packets addressed to the server itself. You can block or allow connections based on port, protocol or source IP address.
FORWARD – This chain filters packets that arrive at the server but are to be forwarded somewhere else (the server acts as a router).
OUTPUT – This chain filters packets that are going out from your server.
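As an added example, not part of the lab text, here is a small shell script that puts the pieces above together on the filter table’s INPUT chain: a custom chain LOGDROP whose first rule is the non-terminating LOG target and whose second is the terminating DROP, a few ACCEPT rules, and finally a DROP default policy. The chain name, the management network 192.0.2.0/24 and the allowed ports 22 and 80 are illustrative assumptions. The script prints the commands by default so they can be reviewed; run it as root with the argument apply to execute them.

```shell
#!/bin/sh
# Added example for the lab (not from the original text). Builds an INPUT
# ruleset that uses a custom chain, a non-terminating LOG target and a
# terminating DROP, and ends by switching the INPUT policy to DROP.
# Assumptions: the chain name LOGDROP, the management network 192.0.2.0/24
# and the allowed ports 22/80 are illustrative, not from the lab.

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Print the ruleset, one iptables command per line. Nothing is executed
# here, so the list can be reviewed (or compared with iptables-save) first.
build_input_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -N LOGDROP 2>/dev/null || iptables -F LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
iptables -A LOGDROP -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j LOGDROP
iptables -P INPUT DROP
EOF
}

# Number of commands in the generated ruleset (sanity check).
rule_count() {
    build_input_rules | grep -c '^iptables '
}

# Apply the ruleset as root. The policy is reset to ACCEPT and the chain
# flushed first so the script is safe to re-run; the ESTABLISHED rule and
# the SSH allow are added before the policy becomes DROP, so an existing
# SSH session is not cut off.
apply_input_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_input_rules: run as root" >&2; return 1; }
    build_input_rules | sh -e
}

case "${1:-}" in
    apply) apply_input_rules ;;
    *)     build_input_rules ;;
esac
```

Two details are worth noting. A packet that reaches LOGDROP is logged by the first rule and, because LOG is non-terminating, continues to the second rule and is dropped; the -m limit match keeps a flood of unwanted packets from filling the kernel log. The policy change is the last command on purpose: if it came first, the flush and the gap before the ACCEPT rules would cut off the SSH session you are working from. These rules live only in the running kernel; use iptables-save to write them out if they must survive a reboot.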
Step 1 – Installing Iptables Linux Firewall
iptables comes pre-installed on almost all Linux distributions. If it is not installed on an Ubuntu/Debian system, use:
sudo apt-get update
sudo apt-get install iptables
With the following command, you can check the status of your current iptables configuration. The -L option lists the rules and -v gives a more verbose listing (packet and byte counters, interfaces). Note that these options are case sensitive, that -L shows only the filter table unless you add -t <table>, and that adding -n prints addresses and ports numerically instead of resolving them, which avoids slow DNS lookups.
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
This is the output of the above command. Here, all three chains have the default ACCEPT policy and there are currently no rules in any of them, so every packet is allowed through. To make this iptables lab more practical, we will modify the INPUT chain to filter the incoming traffic.
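As an added example (not from the lab), the following shell script turns the Step 1 check into something you can assert on: it parses iptables -L -v -n output and reports built-in chains that are both at policy ACCEPT and empty, which is exactly the wide-open state shown above. The listing embedded in the script is constructed to match the empty output above; on a live host, pipe the real command output in instead.

```shell
#!/bin/sh
# Added example (not part of the lab): flag filter-table chains that are
# wide open, i.e. default policy ACCEPT with no rules attached, by parsing
# the output of `iptables -L -v -n`. The sample below is constructed to
# match the empty listing shown in Step 1 (assumption: a fresh install).

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Read a listing on stdin; print "CHAIN POLICY RULECOUNT" per chain.
# Custom chains have no policy ("Chain X (2 references)") and show "-".
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0
            policy = ($3 == "(policy") ? $4 : "-"
            next
        }
        /^ *pkts +bytes/ { next }   # column header line
        NF > 0 { rules++ }          # any other non-blank line is a rule
        END { if (chain != "") print chain, policy, rules }
    '
}

# Print the names of chains whose policy is ACCEPT and which carry no rules.
open_chains() {
    summarize_chains | awk '$2 == "ACCEPT" && $3 == 0 { print $1 }'
}

# Check the constructed sample; on a real host run:
#   iptables -L -v -n | open_chains
printf '%s' "$SAMPLE_LISTING" | open_chains
```

Run against the sample it prints INPUT, FORWARD and OUTPUT, i.e. the whole filter table is open. Once the INPUT chain has rules, or its policy is DROP, it disappears from the report; the same check can be pointed at the nat or mangle table by adding -t to the iptables command.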