Lesson 12

Date: 4/12/2017
Basics of Linux Security
Linux System Administration

Configuring iptables firewall

Make sure iptables has been installed on the smbhost VM:
dpkg -l | grep iptables

Check the iptables rules on smbhost:
/sbin/iptables -n -L 

On smbhost, download the iptables script fw-script.sh, make it executable, then run it:
wget http://linuxcourse.rutgers.edu/lessons/Security/fw-script.sh
chmod 755 fw-script.sh
./fw-script.sh
Check the iptables rules again:
/sbin/iptables -n -L
You should see the new active rules.

Try pinging your desktop private virtual IP address from smbhost:
Try pinging smbhost VM from the desktop:

To enable ping, you need to add the following rules to your fw-script.sh (you can include them somewhere after the default policy):
# Echo - uncomment to allow your system to be pinged.
$IPT -A INPUT -p icmp -s --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp -s --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -s --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp -d --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp -d --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp -d --icmp-type 11 -j ACCEPT
After the script is modified, run it again so the new rules take effect.

Try to ssh to some host located outside of the lab, for example, engsoft.
Try running the apt-get update command.
Both SSH and apt-get hang because the iptables rules do not allow initiating outbound TCP connections to remote hosts and accepting their return traffic from outside the local virtual private network.
To enable return TCP connections from outside the subnet, change "-s" and "-d" to "-s 0/0" and "-d 0/0" in the rules under "Accept local-network return traffic..." in the script. Because these rules still require the ESTABLISHED,RELATED connection state, widening the address to 0/0 only admits replies to connections smbhost itself opened; new inbound connections are still dropped by the default policy.
The new rules should look as follows:
$IPT -A INPUT -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -s 0/0 -j ACCEPT
$IPT -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -d 0/0 -j ACCEPT
After the script is modified, run it again so the new rules take effect.
Try ssh to the host and the apt-get command again. They should now run fine.
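The following is an added example, not the course's own fw-script.sh: a minimal script that builds the same policy as the lesson (default deny, loopback, subnet-only ping, and the return-traffic rules), written so it can be dry-run with IPT=echo to review the rules before applying them as root. The LAN value 192.168.56.0/24 is an assumed placeholder for the lab's private virtual network, and RETURN_SRC lets you compare the original subnet-only return rules with the 0/0 version.

```shell
#!/bin/sh
# Added example, not the course's fw-script.sh: a minimal script with the
# lesson's policy. Run with IPT=echo to print the rules without applying them.
IPT="${IPT:-/sbin/iptables}"
LAN="${LAN:-192.168.56.0/24}"    # assumed lab subnet (placeholder value)
RETURN_SRC="${RETURN_SRC:-0/0}"  # set to "$LAN" to get the local-only behaviour

fw_apply() {
    # Flush and default-deny every chain before adding rules.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Echo: ping request (8), reply (0) and time-exceeded (11), lab subnet only.
    for t in 0 8 11; do
        $IPT -A INPUT -p icmp -s "$LAN" --icmp-type "$t" -j ACCEPT
        $IPT -A OUTPUT -p icmp -d "$LAN" --icmp-type "$t" -j ACCEPT
    done
    # Return traffic for TCP connections this host opened. With RETURN_SRC set
    # to the subnet only local peers can answer, so ssh/apt-get to outside hosts
    # hang; with 0/0 any host may answer an ESTABLISHED connection.
    $IPT -A INPUT -m state -p tcp --dport 1024:65535 \
        --state ESTABLISHED,RELATED -s "$RETURN_SRC" -j ACCEPT
    $IPT -A OUTPUT -m state -p tcp --sport 1024:65535 \
        ! --state INVALID -d "$RETURN_SRC" -j ACCEPT
}

# Dry-run helper: report which source address the INPUT return rule accepts.
fw_return_source() {
    (IPT=echo; fw_apply) | sed -n 's/.*ESTABLISHED,RELATED -s \([^ ]*\).*/\1/p'
}

if [ "${1:-}" = "apply" ]; then fw_apply; fi
```

Run `IPT=echo sh fw-example.sh apply` to list the generated rules, and `sh fw-example.sh apply` as root to load them; `fw_return_source` shows 0/0 by default and the subnet when RETURN_SRC is set to it.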

