Network and Internet Security

Iotocol=”tcp” accept [StudentFirst@infa620-nixent01 ]$ Test the effect of the new rule added:

rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”110″ protocol=”tcp” accept rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”995″ protocol=”tcp” accept rule family=”ipv4″ destination address=”192.168.10.30/32″ port port=”465″ protocol=”tcp” accept

Outgoing Traffic Initial State Test Outgoing traffic to External on http port not allowed (You are generating traffic from Enterprise to reach External.) [StudentFirst@infa620-nixent01 ]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes [send_ip] sendto: Operation not permitted [StudentFirst@infa620-nixent01 ]$ Adding an outgoing traffic rules to the firewall Adding outbound rules Via the Terminal [StudentFirst@infa620-nixent01 ]$ sudo firewall-cmd –direct –add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp –dport 80 -j ACCEPT success [StudentFirst@infa620-nixent01 ]$ Outbound Rules Test Outgoing traffic to External on http port allowed [StudentFirst@infa620-nixent01 ]$ sudo /usr/local/sbin/traffic_test -t 192.168.10.220 -s http [sudo] password for StudentFirst: HPING 192.168.10.220 (daaslab 192.168.10.220): S set, 40 headers + 0 data bytes len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.9 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=3.8 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms len=44 ip=192.168.10.220 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms

— 192.168.10.220 hping statistic — 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 1.9/2.3/3.8 ms [StudentFirst@infa620-nixent01 ]$

On your own now, configure rules to allow the following nine services (45 Points):

https to 192.168.10.220 domain and telnet to 192.168.10.210 ftp, imap2, imaps, pop3, pop3s and urd to 192.168.10.230

Before you configure, first make sure using the test script these traffic types are not allowed to the respective hosts. After configuring them, make sure they are allowed to the respective hosts. Miscellaneous Tasks Making Rules Persistent (Not needed for this lab exercise) Making rules persistent [StudentFirst@infa620-nixent01 ]$ sudo firewall-cmd –runtime-to-permanent success [StudentFirst@infa620-nixent01 ]$

You can view the Iptables to see what rules you have added. In the example below, the table entries that are highlighted are the ones we have just added. Viewing the IP Tables Viewing iptables rules (Just an example output) Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp — anywhere anywhere multiport dports rfe ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all — anywhere anywhere INPUT_direct all — anywhere anywhere INPUT_ZONES_SOURCE all — anywhere anywhere INPUT_ZONES all — anywhere anywhere DROP all — anywhere anywhere ctstate INVALID REJECT all — anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all — anywhere anywhere FORWARD_direct all — anywhere anywhere FORWARD_IN_ZONES_SOURCE all — anywhere anywhere FORWARD_IN_ZONES all — anywhere anywhere FORWARD_OUT_ZONES_SOURCE all — anywhere anywhere FORWARD_OUT_ZONES all — anywhere anywhere DROP all — anywhere anywhere ctstate INVALID REJECT all — anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT) target prot opt source destination OUTPUT_direct all — anywhere anywhere

Chain FORWARD_IN_ZONES (1 references) target prot opt source destination FWDI_daaslab all — anywhere anywhere FWDI_trusted all — anywhere anywhere FWDI_trusted all — anywhere anywhere

Chain FORWARD_IN_ZONES_SOURCE (1 references) target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references) target prot opt source destination FWDO_daaslab all — anywhere anywhere FWDO_trusted all — anywhere anywhere FWDO_trusted all — anywhere anywhere

Chain FORWARD_OUT_ZONES_SOURCE (1 references) target prot opt source destination

Chain FORWARD_direct (1 references) target prot opt source destination

Chain FWDI_daaslab (1 references) target prot opt source destination FWDI_daaslab_log all — anywhere anywhere FWDI_daaslab_deny all — anywhere anywhere FWDI_daaslab_allow all — anywhere anywhere DROP all — anywhere anywhere

Chain FWDI_daaslab_allow (1 references) target prot opt source destination

Chain FWDI_daaslab_deny (1 references) target prot opt source destination

Chain FWDI_daaslab_log (1 references) target prot opt source destination

Chain FWDI_trusted (2 references) target prot opt source destination FWDI_trusted_log all — anywhere anywhere FWDI_trusted_deny all — anywhere anywhere FWDI_trusted_allow all — anywhere anywhere ACCEPT all — anywhere anywhere

Chain FWDI_trusted_allow (1 references) target prot opt source destination

Chain FWDI_trusted_deny (1 references) target prot opt source destination

Chain FWDI_trusted_log (1 references) target prot opt source destination

Chain FWDO_daaslab (1 references) target prot opt source destination FWDO_daaslab_log all — anywhere anywhere FWDO_daaslab_deny all — anywhere anywhere FWDO_daaslab_allow all — anywhere anywhere DROP all — anywhere anywhere

Chain FWDO_daaslab_allow (1 references) target prot opt source destination

Chain FWDO_daaslab_deny (1 references) target prot opt source destination

Chain FWDO_daaslab_log (1 references) target prot opt source destination

Chain FWDO_trusted (2 references) target prot opt source destination FWDO_trusted_log all — anywhere anywhere FWDO_trusted_deny all — anywhere anywhere FWDO_trusted_allow all — anywhere anywhere ACCEPT all — anywhere anywhere

Chain FWDO_trusted_allow (1 references) target prot opt source destination

Chain FWDO_trusted_deny (1 references) target prot opt source destination

Chain FWDO_trusted_log (1 references) target prot opt source destination

Chain INPUT_ZONES (1 references) target prot opt source destination IN_daaslab all — anywhere anywhere IN_trusted all — anywhere anywhere IN_trusted all — anywhere anywhere

Chain INPUT_ZONES_SOURCE (1 references) target prot opt source destination

Chain INPUT_direct (1 references) target prot opt source destination

Chain IN_daaslab (1 references) target prot opt source destination IN_daaslab_log all — anywhere anywhere IN_daaslab_deny all — anywhere anywhere IN_daaslab_allow all — anywhere anywhere DROP all — anywhere anywhere

Chain IN_daaslab_allow (1 references) target prot opt source destination ACCEPT tcp — anywhere ip-192-168-10-20.ec2.internal tcp dpt:http ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-20.ec2.internal tcp dpt:https ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-10.ec2.internal tcp dpt:telnet ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-10.ec2.internal tcp dpt:domain ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp-data ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:ftp ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:imap ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:imaps ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3 ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:pop3s ctstate NEW ACCEPT tcp — anywhere ip-192-168-10-30.ec2.internal tcp dpt:urd ctstate NEW

Chain IN_daaslab_deny (1 references) target prot opt source destination

Chain IN_daaslab_log (1 references) target prot opt source destination

Chain IN_trusted (2 references) target prot opt source destination IN_trusted_log all — anywhere anywhere IN_trusted_deny all — anywhere anywhere IN_trusted_allow all — anywhere anywhere ACCEPT all — anywhere anywhere

Chain IN_trusted_allow (1 references) target prot opt source destination

Chain IN_trusted_deny (1 references) target prot opt source destination

Chain IN_trusted_log (1 references) target prot opt source destination

Chain OUTPUT_direct (1 references) target prot opt source destination ACCEPT all — anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp — anywhere anywhere tcp dpt:http ACCEPT tcp — anywhere anywhere tcp dpt:https ACCEPT tcp — anywhere anywhere tcp dpt

You may also like