MN502 Laboratory 8: Packet Filtering Firewalls Assessment Answer

MN502 Network Security

Laboratory 8: Packet Filtering Firewalls (IPTABLES)

Description of the laboratory exercise:

In this laboratory will explore the Linux firewall iptables. The first part of the lab will describe iptables, then basic commands, followed by some exercises.

Task 1: Running iptables

After completing all the steps in the manual for exercise one answer the following questions:

1. Write a report on your understanding on how iptables works.
2. Discuss how the computer system could be secured using iptables firewall.

Task 2: Explore the functionalities of iptables, the Linux firewall and write some rules 

After completing all the steps in the manual for exercise two answer the following questions:

1. Reject all ssh packets.
2. Allow ssh remote connections.
3.  Deny ping.
4.  Reject all traffic coming to port 80.
5. Block incoming traffic connection to your IP address of your virtual machine.
6. Allow traffic coming to port 80 (inbound) but reject traffic going out (outbound) through port 80.
7. What is the command to block the following subnet: 192.168.2.x?
8. Describe what the following rules do:
   1. iptables -A INPUT -i lo -p all -j ACCEPT
   2. iptables -A INPUT -p all -s localhost -i eth0 -j DROP
   3. iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
9. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system. This is a well-known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK. If Half-open connections bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Syn flood is common attack and it can be blocked with iptable rules.

Can you craft iptable rules that can block SYN flooding attacks? Explain your work and rationale.

1. Port knocking is a stealth method to externally open ports that, by default, the firewall keeps closed. It works by requiring connection attempts to a series of predefined closed ports. When the correct sequence of port "knocks" (connection attempts) is received, the firewall opens certain port(s) to allow a connection. The benefit is that, for a regular port scan, it may appear as the service of the port is just not available. This article shows how to use port knocking with either a daemon or with iptables only.
2. Can you create a port knocking system only with iptable commands that will open up port 22 (SSH) when the remote host “knocks” on ports 2222, 3333, 4444 within 30 seconds?
3. Can an attacker defeat the port knocking system? How?