In this exercise you will be working with firewalld(see https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos), a front-end to controlling Iptables. Iptables is a flexible firewall utility built for Linux operating systems (see https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/). It is too low level, however, and, as such, hard to use and configure the rules for filtering traffic. firewalld provides higher-level command line and graphical interfaces over Iptables to ease the pain of configuring the firewall features provided by Linux. For this lab exercise, we will only be using the high-level command line interface. firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4 and IPv6. There is a separation of the runtime and permanent configuration options.

For this lab exercise, we will be using two machines, one machine will behave like an Enterprise and the other machine will behave like machines outside an enterprise. We will call this machine as External, external to the enterprise. The firewall, as part of the enterprise will control traffic both coming into the enterprise and going out of the enterprise (to External).

NIXENT01 (Enterprise) is a CentOS 7 machine.CentOS is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform. Firewalld will be running on this host.

NIXEXT01 (External) is Kali Linux. Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.

Although there are only two machines, we are going to pretend that the Enterprise has three machines (three IP addresses) and each machine has certain services running on those machines, as follows:

NIXENT01 (Enterprise)

Service	Associated IP Address
domain, telnet	192.168.10.10
http, https	192.168.10.20
ftp, imap2, imaps, pop3, pop3s, urd	192.168.10.30

Similarly, we are going to emulate three machines on the External machine with three IP addresses, each running only certain services as follows:

NIXEXT01 (External)

Service	Associated IP Address
domain, telnet	192.168.10.210
http, https	192.168.10.220
ftp, imap, imaps, pop3, pop3s, urd	192.168.10.230

The instructions to use the remote UMUC machine in the DaaS environment is provided in the Accessing Remote DaaS Lab under Course Content.

Allocating the Lab Machines

Once you open the Lab Broker using the instructions given in the UMUC Digital Lab Access Instructions found under Accessing Remote DaaS Lab under Course Content, you will see a new window open. Each of your courses that have labs will be listed here in the Lab Broker page.

1. Look for “INFA 620” and select “Nodes.”

2. Select “Allocate Lab” *this should take no more than 1 minute.*

*Please Note*Allocated lab resources expire in 7 days. If a lab expires, work done within the lab machine will be lost.

Connecting to the Lab Machines

1. Within the Lab Broker interface, view the current allocated nodes for INFA 620

2. Use the “Connect” button to initiate a connection to each of the two machines:

3. When prompted, enter the course credentials:

a. Username: StudentFirst

b. Password: Cyb3rl@b

4. Proceed with the connection. You will need to re-enter the above credentials.

Network Traffic Simulation Script

The Network traffic Simulation script allows users to test pathways to lab resource machines by using the terminal to initiate test packets. The script takes 2 input variables (IP address and service) and uses this information to initiate a test. The script is implemented using bash shell. The script accepts a target IP (-t) and any service name (-s) available in /etc/services. The script can be run on either machine to generate traffic for the other machine,

To run the script:

1. Open a Terminal window.

2. Enter command “sudo /usr/local/sbin/traffic_test -t(target IP)-s (service)”

a. Target IP and Service are taken from the Enterprise and External Tables above

b. Http example: “sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http” (This will be run on External since we are generating traffic to reach192.168.10.20 )

3. Input the Password for the StudentFirst User: Cyb3rl@b

4. The script will then run a 5 packet test and display the results.

The firewall is initially set up to Deny by Default. So, no traffic will be admitted in either direction until we explicitly change the firewall rules.

Filtering Incoming Traffic

We will show by one example how to configure the http traffic coming into 192.168.10.20. Before we do that, let us verify, no http is coming in:

Initial State Test (You are generating traffic from External to reach Enterprise.)

EXAMPLE: Incoming traffic to Enterprise on http port not allowed

StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes

--- 192.168.10.20 hping statistic ---

5 packets transmitted, 0 packets received, 100% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

StudentFirst@infa620-nixext01:~$

Let us add an incoming traffic rule to the firewall to allow http traffic to 192.168.10.20

Adding inbound rules to daaslab zone (Firewall rules are always added from the Enterprise machine)

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --zone=daaslab --add-rich-rule='rule family="ipv4" destination address="192.168.10.20/32" port protocol="tcp" port="80" accept’

[StudentFirst@infa620-nixent01 ~]$ password for StudentFirst:

Success

You can verify whether a rule was added as follows:

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd--zone=daaslab --list-rich-rules

rule family="ipv4" destination address="192.168.10.20/32" port port="80" protocol="tcp" accept

[StudentFirst@infa620-nixent01 ~]$

Test the effect of the new rule added:

EXAMPLE: Incoming traffic to Enterprise on http port is now allowed

StudentFirst@infa620-nixext01:~$ sudo /usr/local/sbin/traffic_test -t 192.168.10.20 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.20 (daaslab 192.168.10.20): S set, 40 headers + 0 data bytes

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.8 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.7 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=3.6 ms

len=44 ip=192.168.10.20 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=3.5 ms

--- 192.168.10.20 hping statistic ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 3.5/3.7/3.9 ms

StudentFirst@infa620-nixext01:~$

As you can see, the inbound http traffic to 192.168.10.20 has been enabled.

On your own now, configure rules to allow the following nineservices (45 Points):

https to 192.168.10.20

domain and telnet to 192.168.10.10

ftp, imap2, imaps, pop3, pop3s, and urd to 192.168.10.30

Domain is often known as DNS (Domain Name Service). You should be able to google port numbers for various services.

Before you configure, first make sure, using the test script given, these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts. Also, verify that the rules were added using sudo firewall-cmd --zone=daaslab --list-rich-rules. There should be one rule for each service added. If you have done correctly, this is what will be listed:

rule family="ipv4" destination address="192.168.10.20/32" port port="80" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.20/32" port port="443" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.10/32" port port="23" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.10/32" port port="53" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="20" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="21" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="143" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="993" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="110" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="995" protocol="tcp" accept

rule family="ipv4" destination address="192.168.10.30/32" port port="465" protocol="tcp" accept

Outgoing Traffic

Initial State Test

Outgoing traffic to External on http port not allowed (You are generating traffic from Enterprise to reach External.)

[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes

[send_ip] sendto: Operation not permitted

[StudentFirst@infa620-nixent01 ~]$

Adding an outgoing traffic rules to the firewall

Adding outbound rules

Via the Terminal

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

success

[StudentFirst@infa620-nixent01 ~]$

Outbound Rules Test

Outgoing traffic to External on http port allowed

[StudentFirst@infa620-nixent01 ~]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http

[sudo] password for StudentFirst:

HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.9 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=2.0 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.8 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms

len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms

--- 192.168.10.220 hping statistic ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 1.9/2.3/3.8 ms

[StudentFirst@infa620-nixent01 ~]$

On your own now, configure rules to allow the following nine services (45 Points):

https to 192.168.10.220

domain and telnet to 192.168.10.210

ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230

Before you configure, first make sure using the test script these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts.

Miscellaneous Tasks

Making Rules Persistent (Not needed for this lab exercise)

Making rules persistent

[StudentFirst@infa620-nixent01 ~]$ sudo firewall-cmd --runtime-to-permanent

success

[StudentFirst@infa620-nixent01 ~]$

You can view the Iptables to see what rules you have added(sudo iptables -L). In the example below, the table entries that are highlighted are the ones we have just added.

Viewing the IP Tables(sudo iptables -L)

Viewing iptables rules (Just an example output)

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT udp -- anywhere anywhere multiport dports rfe

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere

INPUT_direct all -- anywhere anywhere

INPUT_ZONES_SOURCE all -- anywhere anywhere

INPUT_ZONES all -- anywhere anywhere

DROP all -- anywhere anywhere ctstate INVALID

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere

FORWARD_direct all -- anywhere anywhere

FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere

FORWARD_IN_ZONES all -- anywhere anywhere

FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere

FORWARD_OUT_ZONES all -- anywhere anywhere

DROP all -- anywhere anywhere ctstate INVALID

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)

target prot opt source destination

FWDI_daaslab all -- anywhere anywhere

FWDI_trusted all -- anywhere anywhere

Chain FORWARD_IN_ZONES_SOURCE (1 references)

target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)

target prot opt source destination

FWDO_daaslab all -- anywhere anywhere

FWDO_trusted all -- anywhere anywhere

Chain FORWARD_OUT_ZONES_SOURCE (1 references)

target prot opt source destination

Chain FORWARD_direct (1 references)

target prot opt source destination

Chain FWDI_daaslab (1 references)

target prot opt source destination

FWDI_daaslab_log all -- anywhere anywhere

FWDI_daaslab_deny all -- anywhere anywhere

FWDI_daaslab_allow all -- anywhere anywhere

DROP all -- anywhere anywhere

Chain FWDI_daaslab_allow (1 references)

target prot opt source destination

Chain FWDI_daaslab_deny (1 references)

target prot opt source destination

Chain FWDI_daaslab_log (1 references)

target prot opt source destination

Chain FWDI_trusted (2 references)

target prot opt source destination

FWDI_trusted_log all -- anywhere anywhere

FWDI_trusted_deny all -- anywhere anywhere

FWDI_trusted_allow all -- anywhere anywhere

ACCEPT all -- anywhere anywhere

Chain FWDI_trusted_allow (1 references)

target prot opt source destination

Chain FWDI_trusted_deny (1 references)

target prot opt source destination

Chain FWDI_trusted_log (1 references)

target prot opt source destination

Chain FWDO_daaslab (1 references)

target prot opt source destination

FWDO_daaslab_log all -- anywhere anywhere

FWDO_daaslab_deny all -- anywhere anywhere

FWDO_daaslab_allow all -- anywhere anywhere

DROP all -- anywhere anywhere

Chain FWDO_daaslab_allow (1 references)

target prot opt source destination

Chain FWDO_daaslab_deny (1 references)

target prot opt source destination

Chain FWDO_daaslab_log (1 references)

target prot opt source destination

Chain FWDO_trusted (2 references)

target prot opt source destination

FWDO_trusted_log all -- anywhere anywhere

FWDO_trusted_deny all -- anywhere anywhere

FWDO_trusted_allow all -- anywhere anywhere

ACCEPT all -- anywhere anywhere

Chain FWDO_trusted_allow (1 references)

target prot opt source destination

Chain FWDO_trusted_deny (1 references)

target prot opt source destination

Chain FWDO_trusted_log (1 references)

target prot opt source destination

Chain INPUT_ZONES (1 references)

target prot opt source destination

IN_daaslab all -- anywhere anywhere

IN_trusted all -- anywhere anywhere

Chain INPUT_ZONES_SOURCE (1 references)

target prot opt source destination

Chain INPUT_direct (1 references)

target prot opt source destination

Chain IN_daaslab (1 references)

target prot opt source destination

IN_daaslab_log all -- anywhere anywhere

IN_daaslab_deny all -- anywhere anywhere

IN_daaslab_allow all -- anywhere anywhere

DROP all -- anywhere anywhere

Chain IN_daaslab_allow (1 references)

target prot opt source destination

ACCEPT tcp -- anywhere ip-192-168-10-20.ec2.internal tcp dpt:http ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-20.ec2.internal tcp dpt:https ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-10.ec2.internal tcp dpt:telnet ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-10.ec2.internal tcp dpt:domain ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp-data ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:imap ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:imaps ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3 ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3s ctstate NEW

ACCEPT tcp -- anywhere ip-192-168-10-30.ec2.internal tcp dpt:urd ctstate NEW

Chain IN_daaslab_deny (1 references)

target prot opt source destination

Chain IN_daaslab_log (1 references)

target prot opt source destination

Chain IN_trusted (2 references)

target prot opt source destination

IN_trusted_log all -- anywhere anywhere

IN_trusted_deny all -- anywhere anywhere

IN_trusted_allow all -- anywhere anywhere

ACCEPT all -- anywhere anywhere

Chain IN_trusted_allow (1 references)

target prot opt source destination

Chain IN_trusted_deny (1 references)

target prot opt source destination

Chain IN_trusted_log (1 references)

target prot opt source destination

Chain OUTPUT_direct (1 references)

target prot opt source destination

ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT tcp -- anywhere anywhere tcp dpt:telnet

ACCEPT tcp -- anywhere anywhere tcp dpt:domain

ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data

ACCEPT tcp -- anywhere anywhere tcp dpt:imap

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s

ACCEPT tcp -- anywhere anywhere tcp dpt:urd

ACCEPT tcp -- anywhere anywhere tcp dpt:ftp

ACCEPT tcp -- anywhere anywhere tcp dpt:imaps

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

[StudentFirst@infa620-nixent01 ~]$

Export the IP Tables, as illustrated below (for submission)

Exporting iptables rules

[StudentFirst@infa620-nixent01 ~]$ sudo iptables-save > ~/Desktop/iptables_rules-July17-17.txt

[sudo] password for StudentFirst:

[StudentFirst@infa620-nixent01 ~]$

Transfer this file, iptables_rules-July17-17.txt,first to the workspsace Desktop. From there, you can email the file using the Chrome browser to yourself and then submit it to the Lab 4 folder in the classroom.

(10 Points) Also, provide a short summary of your experience of using DaaS for this Lab (Difficulties you have encountered, what worked, what did not work, etc.)

Field of study:

Computer Science

Answer

INFA 620 Laboratory 4: Configuring a Firewall

Buy this answer to view and download it immediately