Laboratory work: firewalls (16p)

In this work you have to configure a firewall for the Server Ubuntu using iptables.

FIREWALL (8p)

Setup a firewall with separate own chains (tcp,udp,log – 1p) that

  • Allows incoming TCP to services/ports, you can figure out the ports with netstat -ltupn, (2p)
    • HTTP/HTTPS AND limits the packet rate on HTTPS to 50/s
    • SMTP
    • DNS
  • Allows incoming UDP to services/ports (1p)
    • DNS
  • Drops (2p)
    • ICMP ping echo requests
    • All broadcast traffic
  • Logs attempts to, and then drop (1p)
    • SSH with prefix “Someone tried my SSH port! “
  • Rejects (1p)
    • All other attempts with any protocol to low ports < 1024 with ICMP host unreachable

NAT (8p)

Configure the Server ubuntu with iptables to act as router for the Wireshark ubuntu.

On Server ubuntu:

  • Redirect all HTTP/HTTPS queries from the Wireshark ubuntu to the original address except redirect requests to “www.lut.fi” to “www.nsa.gov” (2p)
  • Do not redirect from the Wireshark ubuntu any SSH connections, REJECT them. (1p)
  • Direct all DNS from the Wireshark ubuntu requests to OpenDNS 208.67.222.222, 208.67.220.220 (2p)
  • All other traffic can be relayed from the Wireshark ubuntu. (1p)

On Wireshark ubuntu:

  • Change (½p)
    • the default route to be the Server ubuntu address see “man route”
    • the dns server to be the Server ubuntu, into “/etc/resolv.conf”
  • Test the HTTP/HTTPS connections with a browser, first put a fairly large file (̃e.g. 100 MB) into /var/www/private/ and download it with both protocols (½p)
    • You can create a large file with, e.g., with dd a 100MB file:
      dd if=/dev/urandom of=created_file bs=512 count=200000
  • Take a screen capture of (if traceroute is not installed, install it) (1p)
Last modified: 2014/02/05 11:43