T-110.5201 Laboratory Works on Information Security (5 cr)

Lab 3: Firewall


Description of the exercise

This assignment introduces you to some firewalling basics, including packet filtering with Linux iptables/netfilter. You will first set up a router that works as a firewall between the other two machines. The firewall will then be extended with a web proxy.

Material

Please note that you may render your virtual machine unreachable if you are not careful. If in doubt, have a look at the iptables-apply(8) man page: it applies a ruleset and reverts it automatically unless you confirm it within a timeout, which undoes such sloppy changes for you.

Preparation

You will need all three virtual machines for this exercise. Lab1 functions as a router/firewall between Lab2 and Lab3, which are in different subnetworks.

The eth0 interface allows access to the virtual machines. Be careful not to modify it or block access to it.

Please remember to take backups of the folders you have modified on the virtual machines.

1. Set up the network

On Lab1, give the eth1 and eth2 interfaces addresses from the 192.168.X.0/24 address space using ifconfig(8). The addresses must be in different subnets.


On Lab2 and Lab3, add addresses to the eth1 interfaces so that Lab2 is in the same subnet as Lab1's eth1 and Lab3 in the same subnet as Lab1's eth2. Add the necessary net routes so that the machines can reach each other. Do not change the default gateway or you will lose your connection to the machines. Use route(8) with the -net switch.

Add aliases for the addresses in the /etc/hosts file on each machine.

Enable forwarding and arp proxying on Lab1 for the eth1 and eth2 interfaces. Use the following sysctl(8) commands:
sysctl -w net.ipv4.conf.eth1.forwarding=1
sysctl -w net.ipv4.conf.eth2.forwarding=1
sysctl -w net.ipv4.conf.eth1.proxy_arp=1
sysctl -w net.ipv4.conf.eth2.proxy_arp=1


Check that there is no firewall at this point (iptables -L), and test that routing works by using traceroute(8) from Lab2 to Lab3.
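The whole section 1 procedure, as an added example script that is not part of the assignment text. The addresses are constructed placeholders standing in for the 192.168.X.0/24 ranges assigned in the course, and the host names lab1/lab2/lab3 are assumed. By default the script only prints the commands it would run; set DRY_RUN=0 and run it as root on the machine named by its argument to apply them.

```shell
#!/bin/sh
# Added example of the section 1 setup; it is not part of the assignment text.
# Constructed placeholder addresses: Lab1 eth1 and Lab2 share one /24, Lab1 eth2
# and Lab3 share another. eth0 and the default gateway are never touched.
: "${DRY_RUN:=1}"          # 1: print the commands; 0: execute them (run as root)
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

NET_A=192.168.1.0; LAB1_A=192.168.1.1; LAB2_IP=192.168.1.10   # Lab1 eth1 <-> Lab2 eth1
NET_B=192.168.2.0; LAB1_B=192.168.2.1; LAB3_IP=192.168.2.10   # Lab1 eth2 <-> Lab3 eth1
MASK=255.255.255.0

setup_lab1() {
  # One address per inner interface, in two different subnets.
  run ifconfig eth1 "$LAB1_A" netmask "$MASK" up
  run ifconfig eth2 "$LAB1_B" netmask "$MASK" up
  # Forwarding and proxy ARP only on the two inner interfaces, never on eth0.
  for dev in eth1 eth2; do
    run sysctl -w "net.ipv4.conf.$dev.forwarding=1"
    run sysctl -w "net.ipv4.conf.$dev.proxy_arp=1"
  done
  # Section 1 check: no filter rules should be loaded on the router yet.
  run iptables -L -n
}

# $1: own eth1 address, $2: the far subnet, $3: Lab1's address on this subnet
setup_leaf() {
  run ifconfig eth1 "$1" netmask "$MASK" up
  # A net route for the far subnet via Lab1 only; the default route stays as is.
  run route add -net "$2" netmask "$MASK" gw "$3"
}

# Lines to append to /etc/hosts on every machine (alias names are assumed).
hosts_entries() {
  printf '%s\tlab1\n%s\tlab2\n%s\tlab3\n' "$LAB1_A" "$LAB2_IP" "$LAB3_IP"
}

setup_for() {
  case "$1" in
    lab1) setup_lab1 ;;
    # Routing check from Lab2: the path to Lab3 must show Lab1 as the single hop.
    lab2) setup_leaf "$LAB2_IP" "$NET_B" "$LAB1_A"; run traceroute -n "$LAB3_IP" ;;
    lab3) setup_leaf "$LAB3_IP" "$NET_A" "$LAB1_B" ;;
    *) echo "usage: $0 lab1|lab2|lab3" >&2; return 1 ;;
  esac
}

setup_for "${1:-lab1}"
```

Reviewing the printed commands before applying them is the point of the dry run: a route or address typed against eth0 is exactly the kind of change that cuts you off from the machine.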

1.1 List all commands you used to create the router setup, and briefly explain what they do. Show the results of the traceroute as well. 2 p


2. Implement packet filtering on the router

First, scan Lab3 from Lab2 and vice versa with nmap(1) to see what services they are running. Try to gather as much information about each machine as feasible, including software versions and the operating system.

Set up an iptables(8) policy that disallows traffic through the router by default. Change rules only in the FORWARD chain!

Add rules to allow ping(8) from Lab2 on the eth1 interface, and the replies back to Lab2. Use Ethernet (MAC) address based filtering to identify the machine.

Once this is working, expand the ruleset to allow ssh connections to and from Lab2. Also allow browsing the web and transferring files via ftp from Lab2. Set up a web server (e.g. httpd(8)) and an ftp server (e.g. proftpd(8)) on Lab3 for testing. Use as restrictive a ruleset as possible while still allowing full functionality. You will probably need the "ip_conntrack_ftp" kernel module for FTP filtering. Load it with modprobe(8).

Finally, rescan Lab3 from Lab2 and vice versa.
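One FORWARD-chain ruleset that covers the steps of this section, as an added example that is not part of the assignment text. Lab2's MAC address, Lab3's address and the interface names are constructed placeholders. As in the section 1 example, the commands are printed unless DRY_RUN=0 is set and the script is run as root on Lab1.

```shell
#!/bin/sh
# Added example ruleset for the Lab1 router (not part of the assignment text).
# Constructed placeholders: Lab2's eth1 MAC address and Lab3's eth1 address.
: "${DRY_RUN:=1}"          # 1: print the commands; 0: execute them (run as root)
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

LAB2_MAC=02:00:00:00:00:02    # constructed placeholder: Lab2's eth1 MAC
LAB3_IP=192.168.2.10          # constructed placeholder: Lab3's eth1 address
LAN2_IF=eth1                  # Lab1 interface facing Lab2
LAN3_IF=eth2                  # Lab1 interface facing Lab3

forward_rules() {
  # Only the FORWARD chain is touched; INPUT, OUTPUT and eth0 stay as they are.
  run iptables -F FORWARD
  run iptables -P FORWARD DROP
  # FTP data channels are tracked only while the helper module is loaded
  # (the module is called nf_conntrack_ftp on newer kernels).
  run modprobe ip_conntrack_ftp
  # One rule covers every reply direction: packets of ESTABLISHED connections
  # and RELATED ones (ICMP errors, FTP data connections) are forwarded.
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Echo requests only from Lab2, identified by its source MAC on eth1;
  # the echo replies match the ESTABLISHED rule above.
  run iptables -A FORWARD -i "$LAN2_IF" -o "$LAN3_IF" -m mac --mac-source "$LAB2_MAC" \
      -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
  # ssh in both directions: Lab2 -> Lab3 and Lab3 -> Lab2.
  run iptables -A FORWARD -i "$LAN2_IF" -o "$LAN3_IF" -m mac --mac-source "$LAB2_MAC" \
      -p tcp --dport 22 -m state --state NEW -j ACCEPT
  run iptables -A FORWARD -i "$LAN3_IF" -o "$LAN2_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
  # http and the ftp control channel from Lab2 to the Lab3 servers only;
  # active and passive ftp data channels arrive as RELATED via the helper.
  for port in 80 21; do
    run iptables -A FORWARD -i "$LAN2_IF" -o "$LAN3_IF" -m mac --mac-source "$LAB2_MAC" \
        -d "$LAB3_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # Log (rate limited) what the default policy is about to drop, so the test
  # cases of 2.3 leave a trace in the kernel log without flooding it.
  run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
}

forward_rules
```

The order matters: the ESTABLISHED,RELATED rule comes first so that every reply is handled by one rule, and each NEW rule names both interfaces, the direction and, for Lab2, the source MAC, which keeps the set as narrow as the assignment asks for. The LOG rule is deliberately last, just before the DROP policy takes effect.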

2.1 List the services that were found scanning the machines with and without the firewall active. How accurately did the scanner detect the properties of the machine and its services? 2 p
2.2 List the commands used to implement the ruleset with explanations. 6 p
2.3 Create a few test cases to verify your ruleset. Run the tests and provide minimal, but sufficient snippets of iptables' or tcpdump's logs to support your test results. 2 p
2.4 Explain the difference between netfilter/iptables' DROP and REJECT targets. Test both of them, and explain your findings. 2 p

3. Implement a web proxy

In addition to packet filtering, a proxy can be used to control traffic. In this step, you will set up a web proxy and force all http traffic to go through the proxy, where more detailed rules can be applied.

Connect from Lab2 to the http server running on Lab3 and capture the headers of the response.

On Lab1, configure a squid(8) web proxy as a transparent proxy that serves only requests from Lab2.

Configure the firewall on Lab1 to send all TCP traffic from Lab2 bound for port 80 to the squid proxy.

Connect to the http server on Lab3 again and capture the headers of the response.

Finally, configure the proxy not to serve pages from Lab3 and attempt to retrieve the front page.
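The redirect rule and the squid.conf fragment for this section, as an added example that is neither part of the assignment text nor squid's own sample configuration. The addresses are constructed placeholders, and the squid directives assume squid 2.6 or later, where "http_port ... transparent" enables interception (squid 3.1 and later spell it "intercept"). Commands are printed unless DRY_RUN=0 is set and the script is run as root on Lab1.

```shell
#!/bin/sh
# Added example for section 3; not part of the assignment text.
# Constructed placeholders: Lab2's address and the http server address on Lab3.
: "${DRY_RUN:=1}"          # 1: print the commands and config; 0: apply them (run as root)
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

LAB2_IP=192.168.1.10      # constructed: Lab2's eth1 address
LAB3_IP=192.168.2.10      # constructed: the http server on Lab3
PROXY_PORT=3128           # squid's default listening port
SQUID_CONF=${SQUID_CONF:-/etc/squid/squid.conf}   # assumed path

# Redirect Lab2's port-80 traffic arriving on eth1 to the local squid. This is a
# nat-table PREROUTING rule, so the section 2 FORWARD rules are not involved:
# the connection now terminates on Lab1 and squid opens its own one to Lab3.
nat_rules() {
  run iptables -t nat -A PREROUTING -i eth1 -s "$LAB2_IP" -p tcp --dport 80 \
      -j REDIRECT --to-port "$PROXY_PORT"
}

# Minimal squid.conf fragment: transparent listener, Lab2 as the only allowed
# client and, for the last step of this section, Lab3 as a denied destination.
# http_access lines are evaluated top to bottom; the first match decides.
squid_conf() {
  cat <<EOF
http_port $PROXY_PORT transparent
acl lab2 src $LAB2_IP/32
acl lab3_server dst $LAB3_IP/32
http_access deny lab3_server
http_access allow lab2
http_access deny all
EOF
}

install_squid_conf() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "# would write to $SQUID_CONF:"; squid_conf
  else
    squid_conf > "$SQUID_CONF" && squid -k reconfigure
  fi
}

nat_rules
install_squid_conf
```

Two things to check when this does not work: squid's port on Lab1 must be reachable from eth1, which depends on the INPUT chain (left at its default by this exercise, since only FORWARD is changed), and the "deny lab3_server" line must stay above "allow lab2", otherwise the allow rule matches first and Lab3 is served after all.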

3.1 List the commands you used to send the traffic to the proxy with explanations. 2 p
3.2 Show and explain the changes you made to the squid.conf. 3 p
3.3 List the differences in the "before and after" headers of the http query to the other machine. What has changed? 1 p

4. Extra points for an excellent demo, or in-depth mastery of the topic or software. 3 p