CSC175 Packet Filter Assignment 1
Due Wednesday 3/25

This assignment is in two parts. The first part will require you to use iptables to configure your assigned Linux host according to a set of specifications, which will be tested by a really nasty hacker. The second part is a paper assignment that asks you to configure a hypothetical router/firewall. The second part should be completed individually.

----------------------------------------------------------------------------

PART I: Lab Exercise

1. First, make sure the routing table of your host can see starbase as well as other hosts in the secret network, such as:

   10.1.0.0/16 dev eth0
   10.2.0.0/16 via 10.1.0.60
   default via 10.1.0.98

   Also make sure that 10.1.0.98 is the first nameserver in your /etc/resolv.conf.

2. Make sure you've enabled your machine as a router:

   echo 1 > /proc/sys/net/ipv4/ip_forward

3. Enable your host's web server: service httpd start. Your secure web server runs on TCP server port 443.

******* 1-3 must be completed prior to lab *********

4. Now use iptables to configure your packet filter chains to satisfy the following restrictions (all of them together!). Use iptables-save (see man page) to save your firewall rules into the file /root/myrules. I'll be looking for this file. You can restore your firewall from this file with the iptables-restore command. You may also want to create a script to execute your rules.

   Read and think carefully: often a rule must be inserted into both the INPUT and FORWARD chains. Remember that the order of the rules matters. Be sure to use the -i option wherever possible: this is the option that lets you match the physical interface a packet arrived on, i.e. its physical origin.

**************************************************************************
For each part below, write down both the iptables rules you used AND what you did to TEST if it works.
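The script below is added here as an illustration and is not part of the handout. It shows the mechanics step 4 describes: one helper that puts the same rule into both INPUT and FORWARD, -i to bind a rule to the physical interface, -I to place an exception ahead of a broader REJECT so ordering works out, and saving the result with iptables-save. The interface eth0 comes from the routing table in step 1; the host 192.0.2.10 and the network 192.0.2.0/24 are constructed placeholders, not addresses from the assignment. IPT defaults to "echo iptables", so by default the script only prints the commands it would run; invoke it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not part of the assignment handout: a rule script showing
# the mechanics step 4 asks for. IPT defaults to "echo iptables", so by
# default the script only prints the rules; run as root with IPT=iptables
# to apply them for real.
IPT="${IPT:-echo iptables}"

LAN_IF=eth0          # interface from the routing table in step 1

# Start from empty chains so re-running the script does not stack rules.
flush_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
}

# Many conditions apply both to packets for this host (INPUT) and to
# packets it routes (FORWARD); one helper keeps the two chains in step.
both_chains() {
    $IPT -A INPUT "$@"
    $IPT -A FORWARD "$@"
}

# -i binds the rule to the physical interface: a packet that arrived on
# eth0 cannot genuinely carry a loopback source, so it is a spoof.
antispoof_rules() {
    both_chains -i "$LAN_IF" -s 127.0.0.0/8 -j DROP
}

# Order matters: the exception must sit before the broad REJECT, so it is
# inserted at position 1 with -I after the REJECT is appended with -A.
# Arguments: allowed host, blocked network (placeholders in the call below).
ssh_exception_rules() {
    allowed=$1
    blocked_net=$2
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -s "$blocked_net" -j REJECT
    $IPT -I INPUT 1 -i "$LAN_IF" -p tcp --dport 22 -s "$allowed" -j ACCEPT
}

# Persist the result where the handout wants it; restore later with
# "iptables-restore < /root/myrules".
save_rules() {
    if [ "$IPT" = iptables ]; then
        iptables-save > /root/myrules
    else
        echo "iptables-save > /root/myrules"
    fi
}

flush_rules
antispoof_rules
ssh_exception_rules 192.0.2.10 192.0.2.0/24   # constructed placeholder addresses
save_rules
```

After applying for real, "iptables -L INPUT -n --line-numbers" shows the ACCEPT exception at position 1 and the REJECT below it, which is the ordering the helper relies on.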
**************************************************************************

By default, your system is "wide open", with the following conditions:

A1. Block all icmp packets from 10.2.0.0/16. Block all icmp packets from 10.1.0.2 (deepdish).

A2. Block all incoming UDP packets to your host on port 514 (this is the remote shell port, which allows a remote host to execute a command on your machine. It's not encrypted, which is why it's now being replaced by ssh).

B. Only allow your host to route packets from 10.0.0.0/8 to other hosts on 10.0.0.0/8. That is, do not route IP packets that don't have 10.x.y.z as their destination IP, or packets that didn't originate from the secret network. Note that 10.0.0.0/8 includes both the 10.1 and 10.2 subnets.

C. Do not allow 10.1.0.2 (deepdish) to connect to your web server. You can test if this works by logging into deepdish as guest. Use the REJECT target instead of DROP, so you'll get a confirmation that the connection was refused. Warning: the nasty hacker is reportedly capable of trying to spoof you!

D. In 1988 a famous internet virus originated from Cornell University that used the Unix "finger" utility to break into systems. Disallow finger from anywhere except localhost. Also, don't route any finger packets. (Hint: look in /etc/services for the port number of finger.) The finger program uses TCP.

E. Do not allow any host from 10.2.0.0/16 to ssh into your host, EXCEPT 10.2.0.11 and 10.2.0.36. READ THIS CAREFULLY! The rules should only apply to 10.2.0.0/16.

F. Don't let anyone spoof you by pretending to be localhost (127.0.0.0/8). Localhost packets should only come in from the virtual "lo" interface. This is another reason to use the -i option whenever possible.

G. Do not allow, and do not route, any packets that try to use any host other than 10.1.0.98 as their DNS nameserver. The DNS server port is 53. DNS can use both the TCP and UDP protocols (UDP by default).

H. Log all connections to your web server, including illegal attempts. You can check logged connections using "dmesg" or by observing changes in the file /var/log/messages with the command

   tail -f /var/log/messages

   Be aware of how logging works: a packet that matches a -j LOG rule will still be checked against subsequent rules in the chain. Use the --log-prefix option to specify a special string to include in the log. Please be careful: you only want to log the packets that try to initiate a connection (use the --syn match). Logging EVERY packet could eventually overload your system.

I. The pattern -p tcp --syn matches all TCP initiation packets. Log all such OUTGOING --syn packets from your host to destinations other than 10.0.0.0/8, EXCEPT for www connections.

J. deepdish (10.1.0.2) is going to try to get to you through some router. What does this mean? It means that you'll get a packet with -s 10.1.0.2, but whose MAC address is the address of the router. deepdish should have MAC source address 00:11:25:f9:dd:8a, so if you get a packet from deepdish that doesn't have this address, it must have been routed through someone else. Make sure you understand what I just said, and prevent this from happening. Can you find out who is routing deepdish packets to you?

K. At an appropriate time, you will be asked to examine your /var/log/messages file and answer a few questions. So stay tuned.

NOW PLEASE THINK! Just because there are X conditions above doesn't necessarily mean you'll need exactly X iptables rules. You MUST make sure that your firewall isn't more restrictive than it needs to be.

--------------------------------------------------------------------------

PART II: Written Exercise (please type)
THIS PART MUST BE COMPLETED INDIVIDUALLY

1. For taking CSC175 and doing everything the prof expected you to, you've been promoted to a network administrator.
   Assume you are maintaining a Linux router for two small subnets, 10.5.2.0/25 and 10.5.2.128/25, which together form the "super subnet" 10.5.2.0/24. You are part of the larger site 10.5.0.0/16. Assume that the router has the following routing table:

   127.0.0.0/8 dev lo
   10.5.2.0/25 dev eth0
   10.5.2.128/25 dev eth1
   10.5.1.0/24 dev eth2
   default via 10.5.1.1

   Furthermore, there's a web server on 10.5.3.10, port 80. The official DNS servers for the site are on 10.5.3.12 and 10.5.3.13. The official IMAP (email) server is at 10.5.1.14. The administrators of 10.5.0.0/16 are paranoid and they'll go nuts if they find anybody else running other such servers on their network!

   Write iptables rules to effect the following restrictions *simultaneously*. Use iptables -I (as opposed to -A) to insert the rules in precise positions. YOU ARE ALSO REQUIRED TO CREATE A NEW CHAIN FOR THIS ASSIGNMENT. Assume initially the default policy of each of the three built-in chains is ACCEPT, and that each chain is empty. Remember: all conditions must be satisfied simultaneously:

   1. Your router is only allowed to route packets *into* 10.5.2.0/24 (which includes both /25 subnets). That is, if a packet comes into eth2 but is not destined for 10.5.2.0/24, you shouldn't route it. Do not use a rule that's more restrictive than it needs to be! Packets from inside 10.5.2.0/24 still need to get out, because they're using you as their default gateway!

   2. Do not route any GRE tunnel packets (IP protocol number 47), because we can't look at the packet underneath.

   3. No icmp responses are allowed from 10.5.2.128/25.

   4. No machine can use a DNS server that's not one of the official ones. Furthermore, if a DNS response is found to come from an unofficial server, you should LOG the packet.

   5. Connections to any imap or pop3 server other than the official one should be blocked (look in /etc/services for port numbers). These protocols use TCP.

   6. You want to run a local web server on 10.5.2.130, but you fear the wrath of the higher-up admins if they found out. This server should only be allowed to serve other hosts on your two subnets (10.5.2.0/24). http is built on top of TCP.

   7. You are responsible for limiting the rate of connections to the official web server (10.5.3.10) from your two subnets to 1 every second with a limit-burst of 3. If there are too many connections, they should be dropped. If you don't do this right and the web server crashes, you'll be reassigned to answering phones at the help desk from clueless end users.

   8. Your router is also running a DHCP server (uses UDP, port 67) that assigns IP addresses to hosts. However, you should only service requests from the two subnets of 10.5.2.0/24.

   9. Finally, don't let anyone ssh into your router, except 147.4.150.54.

Be careful. Read the numbers. There are a couple of subtle things to watch out for, such as which chain you put the rules in. On paper, mark clearly which condition each rule is associated with. Please submit a typed assignment.
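As an added illustration, not the handout's solution, the script below shows the Part II idioms in one place: a user-defined chain created with -N, the limit match with --limit-burst, a positional insert with -I, and a LOG rule followed by the terminating rule that must come after it because LOG does not stop rule processing. The addresses are the ones given above (10.5.3.10, 10.5.2.0/24, 10.5.3.12 and 10.5.3.13); the chain names WEB_LIMIT and DNS_REPLY and the log prefix are my own choices. IPT defaults to "echo iptables", so the script is a dry run that prints the commands unless it is invoked as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not the handout's solution: the Part II idioms in one
# place (a user-defined chain, positional -I, the limit match, a LOG rule
# followed by the rule that actually decides). IPT defaults to
# "echo iptables" so this is a dry run; run as root with IPT=iptables.
IPT="${IPT:-echo iptables}"

WEB_SERVER=10.5.3.10              # official web server (from the handout)
LOCAL_NET=10.5.2.0/24             # both /25 subnets together
OFFICIAL_DNS="10.5.3.12 10.5.3.13"

# Condition 7: connection attempts (--syn) from the local /24 to the
# official web server jump to a dedicated chain. The limit match passes
# one per second with a burst of 3; anything beyond that hits the DROP.
# The traffic is forwarded, so the jump belongs in FORWARD, not INPUT.
web_rate_limit_rules() {
    $IPT -N WEB_LIMIT
    $IPT -A WEB_LIMIT -m limit --limit 1/second --limit-burst 3 -j ACCEPT
    $IPT -A WEB_LIMIT -j DROP
    $IPT -I FORWARD 1 -s "$LOCAL_NET" -d "$WEB_SERVER" -p tcp --dport 80 --syn -j WEB_LIMIT
}

# Logging half of condition 4: DNS replies (source port 53) passing through
# the router go to a chain that RETURNs for the official servers and logs
# everything else. A LOG rule does not terminate processing, which is why
# the DROP must follow it explicitly. Chain name and prefix are my own.
dns_reply_log_rules() {
    $IPT -N DNS_REPLY
    for srv in $OFFICIAL_DNS; do
        $IPT -A DNS_REPLY -s "$srv" -j RETURN
    done
    $IPT -A DNS_REPLY -j LOG --log-prefix "ROGUE-DNS: "
    $IPT -A DNS_REPLY -j DROP
    for proto in udp tcp; do
        $IPT -I FORWARD 1 -p "$proto" --sport 53 -j DNS_REPLY
    done
}

web_rate_limit_rules
dns_reply_log_rules
```

Once applied, "iptables -L WEB_LIMIT -v -n" shows the packet counters on the ACCEPT and DROP rules, which is the quickest way to confirm that the burst allowance is being consumed and that excess SYNs really are dropped rather than silently accepted by the chain's fall-through.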