Lesson 11

Date: 4/14/2010
Basics of Linux Security
Linux for Engineering and IT Applications


Configuring iptables firewall

Make sure iptables has been installed:
dpkg -l | grep iptables

Check iptables rules:
/sbin/iptables -n -L

Copy the iptables script from fw-script.sh, make it executable, then run it. Check the rules by running the same command again,
   /sbin/iptables -n -L

You should see new active chains.

Try to ping your node. Try to ssh to your node. If you succeed, try to ping your desktop machine.

To enable ping, you need to add the following rules to your fw-script.sh (you can include them somewhere after the default policy):
# Echo - uncomment to allow your system to be pinged.
$IPT -A INPUT -p icmp -s 192.168.5.0/24 --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.5.0/24 --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -s 192.168.5.0/24 --icmp-type 11 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.5.0/24 --icmp-type 0 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.5.0/24 --icmp-type 8 -j ACCEPT
$IPT -A OUTPUT -p icmp -d 192.168.5.0/24 --icmp-type 11 -j ACCEPT
After the script is modified, you need to run it again: ./fw-script.sh

Try to ssh somewhere outside of the subnet, for example, engsoft or eden. To enable return TCP connections from outside the subnet, replace "-s 192.168.5.0/24" and "-d 192.168.5.0/24" with "-s 0/0" and "-d 0/0" in the rules under "Accept local-network return traffic..." in the script. Rerun the script and try ssh to outside hosts again.
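The following is an added example, not the lesson's fw-script.sh: it generates the echo rules above and the return-traffic rules for a chosen address range as a dry run, so the widened 0/0 rules can be reviewed before they are applied. It assumes IPT is the path to the iptables binary and that the "Accept local-network return traffic" rules are state-based; the handout does not show their exact form.

```shell
#!/bin/sh
# Added example (not the lesson's fw-script.sh). Prints the rules instead of
# applying them; pipe the output into sh as root to apply.
IPT=/sbin/iptables   # assumed path, as used by the lesson script

# Emit the six echo rules from the lesson for one subnet: ICMP types
# 0 (echo-reply), 8 (echo-request) and 11 (time-exceeded), matched by
# source on INPUT and by destination on OUTPUT.
icmp_rules() {
    subnet=$1
    for type in 0 8 11; do
        echo "$IPT -A INPUT -p icmp -s $subnet --icmp-type $type -j ACCEPT"
    done
    for type in 0 8 11; do
        echo "$IPT -A OUTPUT -p icmp -d $subnet --icmp-type $type -j ACCEPT"
    done
}

# Emit return-traffic rules for a peer range. Assumed form: only packets
# belonging to an already-established connection are accepted, so widening
# the range to 0/0 (as the lesson does for ssh to outside hosts) still does
# not accept unsolicited inbound connections.
return_rules() {
    peer=$1
    echo "$IPT -A INPUT -p tcp -s $peer -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -p tcp -d $peer -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Review check: count generated rules that match any source address.
# Useful to confirm exactly which rules were widened from the subnet to 0/0.
count_any_source() {
    grep -c -- '-s 0/0' || true
}

# Dry run of the rule set the lesson ends up with.
icmp_rules 192.168.5.0/24
return_rules 0/0
```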