
[SOLVED] Ece404 introduction to computer security: homework 09


File Name: Ece404_introduction_to_computer_security__homework_09.zip
File Size: 499.26 KB


Iptables is an IPv4 packet filtering and network address translation tool used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Your learning objectives for this homework are as follows:

1. Understand the overall organization of the Linux based iptables tool
2. Write your own iptables rules based on specific, real-world requirements

As always, please read the homework document in its entirety before coming to office hours with your questions. The teaching staff have spent a long time writing the assignment to cover many common questions you might have.

2 Getting Ready for This Homework

Before embarking on this homework, it is advised that you familiarize yourself with the relevant material discussed in Prof. Kak’s Lecture 18 Notes. Nonetheless, you might find the following review material on iptables helpful when writing your own firewall rules.

In its simplest form, iptables is a Linux firewall program that monitors network traffic to and from a server (your local machine in this case) using a set of tables. Each of these tables consists of a set of rules, organized into lists called chains, to which incoming and outgoing packets are subject. When a data packet matches a particular rule, it is given a target. This target can be another chain, or one of the following special values:

• ACCEPT – allows the packet to pass through the firewall
• DROP – prohibits the packet from entering, with no indication to the sender that the connection failed.
• REJECT – prohibits the packet from entering, and sends an error message to the source indicating that the connection failed.
• RETURN – stops the packet from further traversal through the chain and tells it to go back to the previous chain.

Defining new rules with iptables boils down to appending a new rule to a specified chain. Shown below is how one might use iptables to add new rules.
    sudo iptables -t <table> -A <chain> -i <in interface> -o <out interface> -p <protocol> -s <source> --dport <port no.> -j <target>

• -t – specifies which table you would like to append a new rule in
• -A – specifies which chain in the table you would like to append a new rule to
• -i – specifies the network interface incoming packets are received on (eth0, lo, ppp0, etc.)
• -o – specifies the network interface that outgoing packets are to be sent on
• -p – specifies the network protocol where your filtering process takes place (tcp, udp, icmp, sctp, icmpv6, all, etc.)
• -s – specifies the address from which traffic comes (can be symbolic or numerical)
• --dport – specifies the destination port number (22, 80, 8000, etc.); it is only valid together with -p tcp or -p udp
• -j – specifies the target (another chain or one of the four previously mentioned special values)

Note *** The information provided to you in this section is just the tip of the iceberg when it comes to interacting with iptables. The requirements for the programming portion of the assignment will draw on additional knowledge found in Lecture 18 as well as the official Linux manual found here [1].

3 Programming Assignment

Before making any changes to your current firewall, it is important to save its current state. Shown in the code listing below is how you could accomplish this. DO NOT SKIP THIS STEP!!!

    # this saves the current state of your firewall into a file
    # called MyFirewall.bk
    iptables-save > MyFirewall.bk

    # this restores your firewall from file MyFirewall.bk
    iptables-restore < MyFirewall.bk

Design a firewall for your Linux machine using the iptables packet filtering modules. It is likely that iptables came pre-installed with the Linux distribution you are using. Otherwise, you may need to upgrade it to get iptables to work. If you don’t have a Linux environment on your PC, you can try setting up a virtual machine using software such as VirtualBox or VMware.
Write a set of iptables rules (as a shell script titled firewall404.sh) to do the following:

1. Flush and delete all previously defined rules and chains.
2. Write a rule that only accepts packets that originate from f1.com.
3. For all outgoing packets, change their source IP address to your own machine’s IP address (Hint: Refer to the MASQUERADE target in the nat table).
4. Write a rule to protect yourself against indiscriminate and nonstop scanning of ports on your machine.
5. Write a rule to protect yourself from a SYN-flood attack by limiting the number of incoming ’new connection’ requests to 1 per second once your machine has reached 500 requests.
6. Write a rule to allow full loopback access on your machine, i.e. access using localhost (Hint: You will need two rules, one for the INPUT chain and one for the OUTPUT chain on the FILTER table. The interface is ’lo’.)
7. Write a port forwarding rule that routes all traffic arriving on port 8888 to port 25565. Make sure you specify the correct table and chain. Subsequently, the target for the rule should be DNAT.
8. Write a rule that only allows outgoing ssh connections to engineering.purdue.edu. You will need two rules, one for the INPUT chain and one for the OUTPUT chain on the FILTER table. Make sure to specify the correct options for the --state suboption for both rules.
9. Drop any other packets if they are not caught by the above rules.

To run your script, you will have to include a shebang line at the beginning of the file for .sh (this program is almost always located in /bin/sh). Your script should be able to run without error. You will also need superuser privileges to edit any of the packet-filtering tables.

4 Submission Instructions

• For this homework you will be submitting a zip file titled hw09 .zip, which consists of:
  – A pdf titled hw09 .pdf containing:
    ∗ For each requirement in section 3, your solution as well as an in-depth explanation of your solution. In depth to the point where a beginner (who only has basic knowledge of iptables) can follow along.
    ∗ Output (e.g. screenshots) of your updated firewall after running firewall404.sh. The command for this is sudo iptables -L
  – The file firewall404.sh containing your iptables commands

References

[1] iptables: administration tool for IPv4 packet filtering and NAT.
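As an added example (not the assignment's solution file and not course code), the following shell skeleton shows how rules of the kind reviewed in section 2 fit together in a script such as firewall404.sh: it backs up the current state, flushes, adds loopback, new-connection rate-limit and stateful ssh rules, and ends with a default-drop policy. It only prints the iptables commands unless APPLY=1 is set and it is run as root; the host name passed to allow_ssh_to is an assumed example value.

```shell
#!/bin/sh
# Added illustration of the iptables rule syntax; not the course's solution.
# By default it prints the commands it would run; set APPLY=1 and run as
# root to install them.  Host name and limits are assumed example values.
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# Save the current firewall first (the step the assignment says not to skip).
backup_rules() {
    [ "${APPLY:-0}" = "1" ] || return 0
    iptables-save > MyFirewall.bk
}
# Flush all rules and delete user-defined chains in the filter and nat tables.
flush_all() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
}
# Loopback: one rule per direction on the filter table's INPUT/OUTPUT chains.
allow_loopback() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}
# Rate-limit new TCP connections (SYN packets): the limit match lets a burst
# of 500 through, then accepts only 1 per second; the rest fall through to
# the default DROP policy set below.
limit_new_connections() {
    $IPT -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 500 -j ACCEPT
}
# Stateful pair for outbound ssh to one host: OUTPUT may open (NEW) and
# continue the connection; INPUT only accepts replies belonging to an
# ESTABLISHED connection, so nobody can initiate ssh towards this machine.
allow_ssh_to() {
    $IPT -A OUTPUT -p tcp -d "$1" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp -s "$1" --sport 22 -m state --state ESTABLISHED -j ACCEPT
}
# Default policy: anything the rules above did not accept is dropped.
default_drop() {
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
}
main() {
    backup_rules
    flush_all
    allow_loopback
    limit_new_connections
    allow_ssh_to engineering.purdue.edu
    default_drop
}
main
```

Compare the printed commands with the option list in section 2 before running with APPLY=1; the OUTPUT DROP policy at the end will block everything not explicitly accepted, including DNS, which is the intended effect of requirement 9.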
