Question
You are to create a firewall rule set on your Ubuntu server. Make sure to use VARIABLES for the IP addresses in your firewall. DO NOT HARD CODE THEM. I want to be able to easily change the variables to my IPs so I can test your firewall. For any packets you REJECT or DENY, I want those LOGGED. That means you'll need to modify the rule so that if the rule matches and you DENY or REJECT a packet, that information is written out to a log file. You'll need to include both your rule set and log file for this assignment. This firewall should implement the following policies. The policies below are in a somewhat RANDOM order; it's up to you to put these in a reasonable order:
1) Allow all loopback connections.
2) Deny any connections from any IPs other than those on your host-only based network.
3) The firewall should be STATEFUL (that's important).
4) Allow echo-requests ONLY from computers on the host-only network.
5) Allow echo-replies ONLY to computers on the host-only network.
6) Allow ftp to the server from the 'other' Linux box ONLY (DENY Windows box).
7) Allow samba to the server from the Windows box ONLY (DENY other Linux box).
8) DENY all telnet connections (Yes, telnet should be running, but I want to see a firewall rule).
9) Allow ssh to the server for BOTH Windows and 'other' Linux box.
10) Allow web access for Windows box ONLY (DENY other Linux box).
11) Default incoming policy should be DENY.
12) Default outgoing policy should be ALLOW.
13) Default forward policy should be DENY.
14) Firewall should flush previously run rules.
Note that for deny rules, you will have to decide to use either REJECT or DROP. I don't want willy-nilly use of either one; you need to justify, in a comment, WHY you chose to use REJECT or DROP. ALSO, each rule should be commented, so I understand what it does (yeah, I know what it does, but I want you to get used to commenting). I will count off for any rules without a corresponding comment.
Explanation / Answer
#!/bin/sh
# IPCHAINS and WAN_IFACE must be set before they are used; the two values
# below are assumed defaults, adjust them for your host.
IPCHAINS=/sbin/ipchains   # assumed path to the ipchains binary
WAN_IFACE=eth0            # assumed name of the external interface
# The high ports used mostly for connections we initiate and return
# traffic, read as "low:high" from the kernel's configured range.
LOCAL_PORTS="$(cut -f1 /proc/sys/net/ipv4/ip_local_port_range):$(cut -f2 /proc/sys/net/ipv4/ip_local_port_range)"
# Any and all addresses from anywhere.
ANYWHERE="0/0"
# Let's start clean and flush all chains to an empty state.
$IPCHAINS -F
# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P input DENY
# Accept localhost/loopback traffic.
$IPCHAINS -A input -i lo -j ACCEPT
# Read our own address off the interface (classic "inet addr:x.x.x.x"
# ifconfig output): take the text after the colon, then up to the first space.
WAN_IP=$(ifconfig "$WAN_IFACE" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
# the high, unprivileged ports (1024 to 4999 by default). This will
# allow return connection traffic for connections that we initiate
# to outside sources. TCP connections are opened with 'SYN' packets.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
# We can't be so selective with UDP since that protocol does not
# know about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
# ICMP rules, allow the bare essential types of ICMP only.
$IPCHAINS -A input -p icmp --icmp-type echo-reply \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
    -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
# Catch-all: anything not accepted above is logged (-l) to the kernel log
# and then denied, so every dropped packet leaves a trace.
$IPCHAINS -A input -l -j DENY
echo "firewall is up $(date)."
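As an added example, separate from the answer above (which uses the older ipchains tool), the same assignment written against iptables, the netfilter front end shipped with Ubuntu. The host-only subnet, the two client addresses and the interface name are placeholder assumptions to be edited; the script applies nothing unless run as root with `--apply`, and setting `IPT=echo` prints the rules for review instead of installing them.

```shell
#!/bin/sh
# Added example, not the answer's ipchains script: iptables rules for the
# assignment's policies. Addresses and interface name are PLACEHOLDERS.
IPT="${IPT:-iptables}"                          # IPT=echo prints rules instead
HOSTONLY_NET="${HOSTONLY_NET:-192.168.56.0/24}"  # placeholder host-only subnet
LINUX_BOX="${LINUX_BOX:-192.168.56.101}"         # placeholder 'other' Linux box
WINDOWS_BOX="${WINDOWS_BOX:-192.168.56.102}"     # placeholder Windows box
IFACE="${IFACE:-enp0s8}"                         # placeholder host-only NIC

# Every deny is logged first (grep FW-DROP /var/log/kern.log), then DROPped.
# DROP rather than REJECT: a silent drop tells a probing host nothing about
# which services exist, and no rule here denies a client that needs a fast error.
log_drop() {                # usage: log_drop TAG <iptables match args...>
    tag="$1"; shift
    $IPT -A INPUT "$@" -j LOG --log-prefix "FW-DROP-$tag: "
    $IPT -A INPUT "$@" -j DROP
}

firewall_rules() {
    # 14) flush old rules; 11-13) default policies
    $IPT -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # 1) loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # 3) stateful: replies to connections this host opened (covers 5, echo-reply)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2) anything arriving from outside the host-only network: log and drop
    log_drop OFFNET -i "$IFACE" ! -s "$HOSTONLY_NET"
    # 4) echo-request only from the host-only network
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$HOSTONLY_NET" -j ACCEPT
    # 8) telnet denied for everyone; placed before the allows so it always wins
    log_drop TELNET -p tcp --dport 23
    # 6) ftp control from the Linux box only (passive data rides on RELATED via nf_conntrack_ftp)
    $IPT -A INPUT -p tcp --dport 21 -s "$LINUX_BOX" -j ACCEPT
    log_drop FTP -p tcp --dport 21 -s "$WINDOWS_BOX"
    # 7) samba from the Windows box only
    $IPT -A INPUT -p tcp -m multiport --dports 139,445 -s "$WINDOWS_BOX" -j ACCEPT
    log_drop SMB -p tcp -m multiport --dports 139,445 -s "$LINUX_BOX"
    # 9) ssh from both boxes
    $IPT -A INPUT -p tcp --dport 22 -s "$LINUX_BOX" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s "$WINDOWS_BOX" -j ACCEPT
    # 10) web from the Windows box only
    $IPT -A INPUT -p tcp --dport 80 -s "$WINDOWS_BOX" -j ACCEPT
    log_drop WEB -p tcp --dport 80 -s "$LINUX_BOX"
    # whatever is left is logged, then dropped by the INPUT policy
    $IPT -A INPUT -j LOG --log-prefix "FW-DROP-DEFAULT: "
}
# Only apply when asked explicitly (as root): sh fw.sh --apply
if [ "${1:-}" = "--apply" ]; then firewall_rules; fi
```

The matching log lines carry the FW-DROP prefix, which is what you hand in alongside the rule set.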