RH253 Reading Notes (3) - Lab 3 Securing Networking


    Lab 3 Securing Networking

    Goal: To build skills with the Netfilter packet filter

    Sequence 1: Applying simple packet filtering to a host

    Scenario: A host (stationX) requires protection by packet filtering. This host has only one network interface, so no packet forwarding is involved.

    Deliverable: Packet filter rules successfully limit connections to stationX for SSH services only.

    System Setup: Install the iptables-ipv6 package. See the Appendix for more information on installing packages.

    Instructions:

    1. Work with a lab partner, and determine who of you has the role of stationX (192.168.0.X), and who has stationY (192.168.0.Y).

    Install the iptables-ipv6 package. See the Appendix for more information on installing packages.

    a. [root@stationX]# yum -y install iptables-ipv6

    [root@stationY]# yum -y install iptables-ipv6

    2. Ensure localhost IPv6 connectivity through tcp_wrappers.

    a. On both systems, add to /etc/hosts.allow:

    ALL: [::1]

    3. Ensure the SSH service is running on stationX.

    a. [root@stationX]# service sshd status
    sshd (pid 5563 5561 2536) is running...

    4. Confirm exposed ports on stationX from stationY:

    [root@stationY]# nmap stationX

    5. Confirm stationX can establish SSH connections to stationY. Note: you may have a user account on each system, with the username of student. If so, then the password is student. Create an unprivileged user account if needed: it is strongly discouraged to log in to the system as root, even using SSH.

    a. [root@stationY]# ssh student@stationX
    student@stationX's password:
    [student@stationX]$ exit

    6. On stationX, apply a new default policy of DROP on the INPUT chain of the filter table.

    a. [root@stationX]# iptables -P INPUT DROP

    7. From stationX, attempt an ssh connection to localhost using IPv4 (127.0.0.1). Set the ConnectTimeout option to 10, so that it only waits for ten seconds. This should eventually fail.

    a. [root@stationX]# ssh -o ConnectTimeout=10 127.0.0.1

    8. Now try the IPv6 address for localhost on stationX (::1). This should eventually work. Be patient, as there are other services timing out as we will discover later.

    a. [root@stationX]# ssh -o ConnectTimeout=10 ::1

    9. From stationY verify that you can ping the link-local IPv6 address of stationX.

    Get the IPv6 address from stationX by looking at the output of the ip command (run on stationX, of course). It should provide something like the following; the link-local address is the value on the inet6 line, starting with fe80::. Note: the link-local address is derived from the interface MAC address for uniqueness (modified EUI-64): the universal/local bit (0x02) of the first octet is flipped and ff:fe is inserted in the middle, so for a MAC whose first octet is 00 it reads:

    fe80::2(2nd octet of MAC):(3rd octet)ff:fe(4th octet):(5th octet)(6th octet)

    # ip addr sh dev eth0
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0d:60:8e:25:f3 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.X/24 brd 192.168.0.255 scope global eth0
        inet6 fe80::20d:60ff:fe8e:25f3/64 scope link
           valid_lft forever preferred_lft forever

    Once you have the IPv6 address, from stationY ping stationX using ping6 (the -I eth0 option is required because link-local addresses are only meaningful on a given interface):

    [root@stationY]# ping6 -I eth0 -c 3 fe80::20d:60ff:fe8e:25f4

    Replace fe80::20d:60ff:fe8e:25f4 with the IPv6 address of stationX; the address shown here is only an example.
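    The address derivation in step 9, as an added shell example that is not part of the RH253 lab: a function that computes the modified EUI-64 link-local address from a MAC, so the value typed into ping6 can be cross-checked against what ip addr reports on stationX. The function names mac_to_linklocal and linklocal_matches_mac are this example's own; the MAC 00:0d:60:8e:25:f3 is the one from the lab output above.

```shell
#!/bin/sh
# Added example: derive the fe80:: link-local address from a 48-bit MAC
# (modified EUI-64, RFC 4291 Appendix A). The function name is this
# example's own, not a command from the lab.
mac_to_linklocal() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Split the six colon-separated octets.
    o1=${mac%%:*}; rest=${mac#*:}
    o2=${rest%%:*}; rest=${rest#*:}
    o3=${rest%%:*}; rest=${rest#*:}
    o4=${rest%%:*}; rest=${rest#*:}
    o5=${rest%%:*}; o6=${rest#*:}
    # Flip the universal/local bit (0x02) of the first octet: 00 -> 02.
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    # Insert ff:fe between the OUI and the device part, then print the four
    # 16-bit groups with leading zeros suppressed, as ip addr shows them.
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( 0x$o1$o2 )) $(( 0x${o3}ff )) $(( 0xfe$o4 )) $(( 0x$o5$o6 ))
}

# Cross-check: does the address ip addr reports match the one derived from
# the MAC? Returns 0 on a match, 1 otherwise (also 1 when the kernel uses
# privacy or stable-privacy addresses instead of EUI-64).
linklocal_matches_mac() {
    [ "$(mac_to_linklocal "$1")" = "$2" ]
}

# Usage when run directly: ./linklocal.sh 00:0d:60:8e:25:f3
if [ $# -ge 1 ]; then
    mac_to_linklocal "$1"
fi
```

    For the lab MAC this prints fe80::20d:60ff:fe8e:25f3, matching the inet6 line above; an address that does not match usually means the interface is using a randomly generated link-local address rather than one based on the MAC, in which case the value from ip addr is the one to use.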

    10. Allow all incoming local connections (lo) on stationX.

    a. [root@stationX]# iptables -A INPUT -i lo -j ACCEPT

    11. On stationX, allow connections to the SSH service from stationY and from server1. Remember that DNS names should not be used.

    a. [root@stationX]# iptables -A INPUT -s 192.168.0.Y -p tcp --dport ssh -j ACCEPT
    b. [root@stationX]# iptables -A INPUT -s 192.168.0.254 -p tcp --dport ssh -j ACCEPT

    12. Now view your iptables rules. This may take a minute to complete. Can you figure out what the problem might be? You may need to review the Fault Analysis slides for hints on commands that might be useful here. Once you have found the problem, fix it.

    a. [root@stationX]# iptables -L

    b. strace may prove useful here, as it allows us to view the files and commands that iptables may be using when it hangs.

    [root@stationX]# strace iptables -L

    You should find lines that include files such as /lib/libresolv.so.2 and /lib/libnss_dns.so.2 as well as a connection to the IP address of your DNS server. This is a DNS problem: iptables -L tries to resolve the addresses in the rules to names, and the replies from the DNS server are dropped by the new default policy (iptables -n -L would list the rules without lookups and not hang). So we need to add entries for the DNS server:

    [root@stationX]# iptables -A INPUT -s 192.168.0.254 -p udp --sport 53 -j ACCEPT
    [root@stationX]# iptables -A INPUT -s 192.168.0.254 -p tcp --sport 53 -j ACCEPT

    13. Allow ESTABLISHED and RELATED packets on stationX.

    a. [root@stationX]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    14. From stationY, confirm that only the SSH port is exposed on stationX:

    [root@stationY]# nmap -v -P0 stationX

    This may take some time to complete, but give it a couple of minutes. Would merely an attempt to connect to stationX from stationY using ssh prove that our Netfilter configuration is effective? Why or why not?

    a. We could prove that our configuration is effective in allowing ssh, but it is impossible to determine from that one test that it was actually blocking other ports.

    15. Confirm that stationX can establish connections to stationY, and that stationX can still resolve host names.

    a. [root@stationX]# ssh student@stationY
    student@stationY's password:
    [student@stationY]$ exit

    b. [root@stationX]# dig stationY.example.com

    16. On stationX, save your configuration and view the iptables configuration file just created.

    a. [root@stationX]# service iptables save; restorecon -R /etc/sysconfig

    b. [root@stationX]# cat /etc/sysconfig/iptables

    c. [root@stationX]# iptables -vL --line-numbers
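    What the saved file in step 16 encodes, as an added shell example that is not the lab's own code: a function that renders the Lab 3 INPUT policy (steps 6 and 10 to 13) in the iptables-restore format that service iptables save writes, together with a check that no rule relies on a host name, since a name in a rule would need the very DNS lookups the DROP policy blocks (the problem seen in step 12). The function names, the partner and server arguments, and the sample address 192.168.0.2 are this example's assumptions; 192.168.0.254 is server1 from the lab.

```shell
#!/bin/sh
# Added example: render the Lab 3 packet filter as an iptables-restore
# file and lint it before loading. Function names are this example's own.

# render_ruleset PARTNER SERVER
#   PARTNER: stationY's address (192.168.0.Y in the lab)
#   SERVER:  server1, which is also the DNS server (192.168.0.254)
# Rule order follows the lab: default DROP, loopback, SSH from two hosts,
# DNS replies from server1, then ESTABLISHED/RELATED.
render_ruleset() {
    partner=$1
    server=$2
    printf '%s\n' '# Generated by this example, not by iptables-save'
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' "-A INPUT -s $partner -p tcp -m tcp --dport 22 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $server -p tcp -m tcp --dport 22 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $server -p udp -m udp --sport 53 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $server -p tcp -m tcp --sport 53 -j ACCEPT"
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# check_no_hostnames < ruleset
#   Exit 0 if every -s/-d argument is a literal IPv4 address (optionally
#   with a /prefix), 1 if any rule names a host instead.
check_no_hostnames() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if (($i == "-s" || $i == "-d") &&
                    $(i + 1) !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                    bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Usage when run directly: ./lab3-rules.sh 192.168.0.2 192.168.0.254 > rules
# then, as root on stationX: iptables-restore < rules
if [ $# -eq 2 ]; then
    render_ruleset "$1" "$2" | check_no_hostnames || {
        echo 'refusing to emit a ruleset that uses host names' >&2
        exit 1
    }
    render_ruleset "$1" "$2"
fi
```

    The rendered text is the same policy the lab builds interactively; comparing it with cat /etc/sysconfig/iptables after step 16 shows how service iptables save spells the rules (it adds -m tcp and -m udp explicitly). The two --sport 53 rules are redundant once the ESTABLISHED,RELATED rule is in place, since DNS replies match an existing conntrack entry, but the lab keeps them.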

    17. Go back through the lab and switch stations. stationX will become stationY, and stationY will become stationX. By the end of the lab, you should both have the same rules.

    18. After both you and your lab partner have completed this sequence, configure a default installed set of Netfilter rules for IPv4, and disable the IPv6 Netfilter rules.

    a. [root@stationX]# lokkit -q --enabled

    b. [root@stationX]# service iptables restart

    c. [root@stationX]# service ip6tables stop

    d. [root@stationX]# chkconfig ip6tables off

    Original source: https://www.cnblogs.com/thlzhf/p/3477255.html