Week 07 - Firewall
Summary
* John the Ripper - "a tool to find weak passwords of your users".
* 22 - Security
Tasks
Readings
We will build a VM that will house our firewall, hence we'll call
it our Gateway VM.
Assessment
1. Run the "chage" list command ("chage -l") for your username. Briefly
discuss any obvious problems with using the default password aging
configuration. What values would you recommend for a normal user
working in a large company?
2. Run an "nmap -sT" scan of your server, from your server. Then
run an "nmap" scan of your host computer (i.e. the one running
VirtualBox). You will have to find its IP address first. You may
have to use "nmap -Pn" (older releases spell it "-PN"), which skips
host discovery and scans the target even when it does not answer
the ping probes. Try "-sT" first and read the output: when a host
drops the probes, nmap reports it as down and itself suggests
re-running with "-Pn". Describe the nmap flags available, including
the ones used above, and discuss the information obtained from the
output of your scan. Include a screenshot of your nmap commands' output.
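For question 1, a check on what "chage -l" reports, as an added example that is not part of the course page. The shadow-utils defaults are a maximum age of 99999 days (the password never expires), a minimum age of 0 (a forced change can be undone immediately by changing back), 7 days of warning and no inactivity period. The two "chage -l" outputs embedded below are constructed, not captured from a real machine, and the baseline in apply_policy (90/1/14/30) is an assumption of what a large company might pick, not a value from the page.

```shell
#!/bin/sh
# Added example, not part of the course page: flag `chage -l` settings that
# are still at the shadow-utils defaults. Sample outputs are constructed.

check_aging() {
  # Reads `chage -l <user>` output on stdin, prints one WARN line per setting
  # left at a risky default, returns 1 if any warning was printed.
  awk -F': *' '
    $1 ~ /^Maximum number of days/ && $2 >= 99999 {
      print "WARN: maximum age " $2 " days, the password never expires"; bad = 1 }
    $1 ~ /^Minimum number of days/ && $2 == 0 {
      print "WARN: minimum age 0, a forced change can be reverted at once"; bad = 1 }
    $1 ~ /^Number of days of warning/ && $2 < 7 {
      print "WARN: only " $2 " days of warning before expiry"; bad = 1 }
    $1 ~ /^Password inactive/ && $2 == "never" {
      print "WARN: no inactivity period, expired accounts are never disabled"; bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

apply_policy() {
  # Assumed baseline for a large company (not from the page): 90 days max,
  # 1 day min, 14 days warning, lock 30 days after expiry. Needs root.
  # For accounts created later, set PASS_MAX_DAYS/PASS_MIN_DAYS/PASS_WARN_AGE
  # in /etc/login.defs as well, since chage only touches existing users.
  chage -M 90 -m 1 -W 14 -I 30 "$1"
}

sample_chage_default() {
  # Constructed `chage -l` output for an account left at the defaults.
  printf 'Last password change\t\t\t\t\t: Feb 23, 2012\n'
  printf 'Password expires\t\t\t\t\t: never\n'
  printf 'Password inactive\t\t\t\t\t: never\n'
  printf 'Account expires\t\t\t\t\t\t: never\n'
  printf 'Minimum number of days between password change\t\t: 0\n'
  printf 'Maximum number of days between password change\t\t: 99999\n'
  printf 'Number of days of warning before password expires\t: 7\n'
}

sample_chage_hardened() {
  # Constructed `chage -l` output after apply_policy ran on the account.
  printf 'Last password change\t\t\t\t\t: Feb 23, 2012\n'
  printf 'Password expires\t\t\t\t\t: May 23, 2012\n'
  printf 'Password inactive\t\t\t\t\t: Jun 22, 2012\n'
  printf 'Account expires\t\t\t\t\t\t: never\n'
  printf 'Minimum number of days between password change\t\t: 1\n'
  printf 'Maximum number of days between password change\t\t: 90\n'
  printf 'Number of days of warning before password expires\t: 14\n'
}

# On a real system: chage -l "$USER" | check_aging
```

Three of the four checks fire on the default output (maximum age, minimum age, inactivity); the warning period is the one default that is not obviously wrong on its own.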
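For question 2, a way to pull the open ports out of a scan so they can be discussed, as an added example that is not part of the course page. It parses nmap's grepable output ("-oG -"), in which each host line carries a "Ports:" field of port/state/proto/owner/service/rpc/version entries. The scan embedded below is constructed, not a real capture; the addresses 10.0.2.15 (the server) and 10.0.2.2 (the host, which is the guest's default gateway when the VirtualBox adapter is in NAT mode) are assumptions.

```shell
#!/bin/sh
# Added example, not from the course page: list open ports per host from
# nmap grepable output. The sample scan is constructed.

open_ports() {
  # Reads `nmap -oG -` output on stdin; prints "host port/proto service"
  # for every port reported open. Entries in the "Ports:" field look like
  # 22/open/tcp//ssh/// and are separated by ", "; fields are tab separated.
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          list = $i; sub(/^Ports: /, "", list)
          n = split(list, entry, ", ")
          for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
          }
        }
      }
    }'
}

sample_scan() {
  # Constructed output of: nmap -sT -Pn -oG - 10.0.2.15 10.0.2.2
  # (443 closed on the server, 22 filtered on the host, so neither is listed).
  printf '# Nmap 6.47 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.2.15 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.15 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.2.2 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.2 ()\tPorts: 22/filtered/tcp//ssh///\tIgnored State: closed (999)\n'
  printf '# Nmap done: 2 IP addresses (2 hosts up)\n'
}

# Real use, scanning the host from inside the guest:
#   nmap -sT -Pn -oG - "$(ip route | awk '/^default/ { print $3 }')" | open_ports
```

"closed" means the host answered with a RST, "filtered" means nothing came back (a firewall dropped the probe); only "open" ports completed the TCP handshake that -sT performs.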
We will use the internal server userv1 that was created last week.
Make sure the Internal Network adapters of userv1 and of the Gateway
have the same network name in VirtualBox, otherwise they sit on two
separate virtual switches. Configure userv1 so that all of its
traffic goes via the gateway, i.e. its default route points at the
gateway's internal address.
How to submit:
#!/bin/sh
#
# FILE: startfw
#
# PURPOSE: Clear and set NAT, port forward and firewall iptables rules.
#
# AUTHOR: Myles Greber
# DATE: 23-02-2012
# VERSION: 0.2
#
# USAGE: startfw (as root)
#
# MODIFIED: 23-02-2012
# Renamed script startfw from buildfw. Added configurable
# gateway IP address variable ${GATEWAY_IP}.
#
# NOTES: This script assumes the following configuration:
# gateway:
# eth0 - ${GATEWAY_IP} - external (dhcp) - defined below.
# eth1 - 192.168.12.254 - internal (static)
# internal server:
# eth0 - 192.168.12.1 (static), default route via 192.168.12.254
#
# The ip_forward, flush, default-policy and MASQUERADE lines were not in
# the 0.2 listing as published; they are added here so that the script
# actually does what PURPOSE says. Without a DROP policy the ACCEPT rules
# below allow nothing that was not already allowed.
#
################################################################################
set -e

# External address of the gateway. eth0 gets it from DHCP, so read it from
# the interface at run time; export GATEWAY_IP beforehand to override.
if [ -z "${GATEWAY_IP:-}" ]; then
    GATEWAY_IP=$(ip -4 -o addr show dev eth0 | awk '{ sub(/\/.*/, "", $4); print $4; exit }')
fi
[ -n "$GATEWAY_IP" ] || { echo "startfw: cannot determine the eth0 address" >&2; exit 1; }

# Let the kernel route packets between eth0 and eth1.
sysctl -q -w net.ipv4.ip_forward=1

# Clear existing rules so the script can be re-run after editing.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policy: anything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback, replies to the gateway's own connections, and DHCP on eth0.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT

# Allow all connections through the firewall that originate from within.
iptables -A FORWARD -i eth1 -j ACCEPT
# Allow incoming responses to internal host requests.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh (22), http (80) and https (443) connections through to the internal server (userv1).
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 443 -j ACCEPT

# NAT: rewrite the source of outbound internal traffic to the gateway's external address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow ssh (22), http (80) and https (443) connections through NAT (port forward) to internal server (userv1).
iptables -t nat -A PREROUTING -p tcp -i eth0 -d "${GATEWAY_IP}" --dport 22 -j DNAT --to-destination 192.168.12.1:22
iptables -t nat -A PREROUTING -p tcp -i eth0 -d "${GATEWAY_IP}" --dport 80 -j DNAT --to-destination 192.168.12.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d "${GATEWAY_IP}" --dport 443 -j DNAT --to-destination 192.168.12.1:443

# Allow ssh (22) connections to the gateway from the internal network.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p tcp --dport 22 -j ACCEPT
# Allow SSH connections to the external IP address of the gateway for testing.
#iptables -A INPUT -i eth0 -d "${GATEWAY_IP}" -p tcp --dport 22 -j ACCEPT

# Enable logging. These are the last rules in INPUT and FORWARD, so every
# packet they log is about to hit the DROP policy (see "dmesg"). The limit
# keeps a port scan from flooding syslog.
iptables -A INPUT -i eth0 -m limit --limit 10/min -j LOG --log-prefix "startfw INPUT drop: "
iptables -A FORWARD -i eth0 -m limit --limit 10/min -j LOG --log-prefix "startfw FORWARD drop: "
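A check that the ruleset actually loaded has the properties the gateway depends on, as an added example that is not part of startfw or the course page. It reads iptables-save output and reports each missing property. Two rulesets are embedded as constructed samples: one with DROP policies, masquerading and the port forwards, and one showing what a script that only appends ACCEPT rules leaves behind on a host whose policies were never changed from ACCEPT, which is the usual reason a "firewall" that lists only ACCEPT rules blocks nothing. The external address 10.0.2.15 in the samples is an assumption.

```shell
#!/bin/sh
# Added example, not part of startfw: verify an iptables-save dump against
# what the gateway needs. Both sample rulesets below are constructed.

check_ruleset() {
  # Reads iptables-save output on stdin, prints FAIL for each missing
  # property, returns 1 if anything failed.
  rules=$(cat)
  rc=0
  need() {
    # need <description> <grep -E pattern that must match a saved line>
    printf '%s\n' "$rules" | grep -Eq -- "$2" || { echo "FAIL: $1"; rc=1; }
  }
  need "filter INPUT policy is DROP"   '^:INPUT DROP'
  need "filter FORWARD policy is DROP" '^:FORWARD DROP'
  need "outbound traffic is masqueraded on eth0" '^-A POSTROUTING -o eth0 -j MASQUERADE'
  need "FORWARD accepts replies to internal connections" \
    '^-A FORWARD -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
  for p in 22 80 443; do
    need "DNAT tcp/$p to userv1" \
      "^-A PREROUTING .*-i eth0 .*-p tcp .*--dport $p -j DNAT --to-destination 192.168.12.1:$p"
    need "FORWARD accepts tcp/$p to userv1" \
      "^-A FORWARD -d 192.168.12.1/32 -p tcp .*--dport $p -j ACCEPT"
  done
  return $rc
}

sample_ruleset_good() {
  # Constructed iptables-save dump of a gateway with DROP policies and NAT.
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.12.1:22
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.12.1:80
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.12.1:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.12.254/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j LOG
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -j LOG
COMMIT
EOF
}

sample_ruleset_bad() {
  # Constructed: only ACCEPT rules were appended, policies left at ACCEPT,
  # no MASQUERADE. Every "allow" rule here is decorative.
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.12.1:22
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.12.1:80
-A PREROUTING -d 10.0.2.15/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.12.1:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.12.254/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j LOG
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.12.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -j LOG
COMMIT
EOF
}

# On the gateway, after running startfw: iptables-save | check_ruleset
```

The second sample fails on the two policy lines and on the missing MASQUERADE; the port forwards themselves are present, which is why such a box still "works" from the outside while forwarding everything from the inside unfiltered.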