
Firewall - iptables

Lab Setup

  • We will be using a virtual machine in the faculty's cloud.
  • When creating a virtual machine in the Launch Instance window:
    • Name your VM using the following convention: scgc_lab<no>_<username>, where <no> is the lab number and <username> is your institutional account.
    • Select Boot from image in Instance Boot Source section
    • Select SCGC Template in Image Name section
    • Select a flavor that is at least m1.large.
  • The username for connecting to the VM is student.
  • For the following exercises, the resources can be found in the laboratory archive:
$ cd work/
$ wget https://repository.grid.pub.ro/cs/scgc/laboratoare/lab-iptables-security.zip
$ unzip lab-iptables-security.zip
$ bash runvm.sh
Warning: also run the following commands in your current shell.

$ source ~/.bashrc
$ prepare_lab

Topology

(Figure: lab topology)

Info: for all the exercises we will use the above topology.

Encrypted and unencrypted traffic

The traffic generated by services is classified into encrypted traffic and clear traffic. Clear (unencrypted) traffic can be interpreted and understood if captured. Encrypted traffic cannot be interpreted in the absence of the encryption key; only the transmitter and receiver know the key in order to communicate.

We propose to analyze, from the point of view of traffic encryption, the following protocols/services:

  • telnet (TCP port 23)
  • SSH (TCP port 22)
  • FTP (TCP port 21)

We will use tcpdump, a utility with which we can capture packets passing through a specific server, to display the transmitted data (password). We will use the laboratory topology and connect from the red station to the green station via the host station.

To start the capture process, log in as root on the host station and run the command

root@host:~# tcpdump -vvv -A -i usernet

For telnet communication, run the command

root@red:~# telnet green

After running the command, you have established a telnet connection from the red station to the green station via the host station. At the prompt generated by the command

  • use the username student and the password student
  • run the ls command
  • run the exit command to close the connection

Observe on the host station the capture of the credentials (username and password) transmitted via telnet between the red and green stations ⇒ the telnet traffic between the two stations was unencrypted traffic and was captured on the host station.

For FTP communication, run the command

root@red:~# ftp green

After running the command, you have established an FTP connection from the red station to the green station via the host station. At the prompt generated by the command:

  • use the username student and the password student
  • run the ls command
  • run the quit command to close the connection

Observe on the host station the capture of the credentials (username and password) transmitted via FTP between the red and green stations ⇒ the FTP traffic between the two stations was unencrypted traffic and was captured on the host station.

For communication via SSH, run the command

root@red:~# ssh -l student green

After running the command, you have established an SSH connection from the red station to the green station via the host station. In the remote shell session opened:

  • run the ls command
  • run the exit command to close the connection.

Notice that on the host station tcpdump displays no readable information, because the SSH traffic between the two stations is encrypted and appears in the capture only as binary data.

On the host station, to stop the tcpdump command, use the Ctrl+c key combination.

Telnet and FTP traffic is unencrypted, while SSH traffic is encrypted.

Blocking unencrypted services

A brief introduction to iptables

iptables is a Linux utility that configures the kernel's packet filter and thus provides a software firewall. iptables uses kernel support to intercept network packets at various points in their passage through the kernel and to perform actions on them. Such actions are:

  • accepting the packet (ACCEPT)
  • rejecting the packet (REJECT): the packet is discarded and an error notification is sent back to its origin
  • dropping the packet (DROP): the packet is discarded silently, with no notification sent back to its origin

The iptables command manipulates these kernel-level filtering rules. An invocation typically specifies:

  • the type of operation on the rule (add, delete, replace, insert)
  • the point in the kernel where the packet must be found for the rule to be applied
  • the rule itself

Example with explanation:

iptables -A FORWARD -d green -p tcp --dport telnet -j REJECT

  • -A: add rule (append, add to the end of the rule list);
  • FORWARD: the rule is applied to packets that will be routed; other variants are INPUT (packets received directly by the system) and OUTPUT (packets leaving the system);
  • -d green: packets that have the green station address as their destination are selected;
  • -p tcp: the selected packets are TCP packets;
  • --dport telnet: the destination TCP port is the specific port for the telnet protocol (i.e. port 23, identified from the /etc/services file);
  • -j REJECT: the packet is rejected.

In the iptables filter table we will therefore have a list of rules that are traversed sequentially. The -A FORWARD part identifies the chain of rules, the -d green -p tcp --dport telnet part is the match part (which packets match the rule), and the -j REJECT part is the action part (what the rule does with the packet).

As you noticed in the previous point, traffic for the telnet and FTP protocols is clear, unencrypted traffic, and the credentials of a specific account and the commands run can be easily found.

We propose to block access from the red station to the green station for these services, configuring the router between the two stations, i.e. the host station. Basically we will configure firewall options on the host station using the iptables utility.

Authenticate as root on the host station. To block access to the telnet service (port 23) intended for the green station, run the command below on the host station. The command adds the appropriate iptables rule.

root@host:~# iptables -A FORWARD -d green -p tcp --dport telnet -j REJECT

To verify the addition of the above rule, run the command on the host station

root@host:~# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere green tcp dpt:telnet reject-with icmp-port-unreachable

To display information about the processed packets and the interfaces used, run this command on the host station

root@host:~# iptables -L FORWARD -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere green tcp dpt:telnet reject-with icmp-port-unreachable

To display the same information in numeric format (IP addresses and port numbers instead of host and service names), run the following command on the host station

root@host:~# iptables -L FORWARD -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:23 reject-with icmp-port-unreachable

From now on we recommend using these options (-v -n) for listing iptables rules.

To verify that telnet traffic to green is blocked, run the following command on the red station

telnet green

You will see a message like

Trying 192.168.2.2...
telnet: Unable to connect to remote host: Connection refused

meaning that the connection is attempted but rejected: the REJECT rule answers with an ICMP port-unreachable message (the reject-with icmp-port-unreachable shown in the listing), which telnet reports as Connection refused. To see that the blocking rule worked, run the command

root@host:~# iptables -L FORWARD -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 REJECT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:23 reject-with icmp-port-unreachable

Notice, in the output of the command, that the pkts and bytes columns are now non-zero, a sign that packets were processed by this rule and therefore blocked.
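The pkts and bytes counters are the quickest way to confirm that a rule is actually matching traffic, not just present. The shell snippet below is an added example (not part of the lab material) that parses a listing in the format of iptables -L FORWARD -v -n and reports whether the REJECT rule for a given destination port exists and has counted packets; the LISTING text is a constructed sample that mirrors the lab's output, and the function names are ours.

```shell
#!/bin/sh
# Added example (not part of the lab): parse the output of
# `iptables -L FORWARD -v -n` and check that the REJECT rule for a given
# destination port exists and has already matched packets.
# LISTING is a constructed sample in the same layout as the lab output.

LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    2   120 REJECT tcp  --  *  *  0.0.0.0/0  192.168.2.2  tcp dpt:23 reject-with icmp-port-unreachable
    0     0 REJECT tcp  --  *  *  0.0.0.0/0  192.168.2.2  tcp dpt:21 reject-with icmp-port-unreachable'

# rule_pkts <listing> <target> <dport>
# Prints the pkts counter of the first rule with the given target and
# destination port, or -1 if no such rule is in the chain.
# Field 3 is the target column; "dpt:<port>" must be followed by a
# non-digit so that port 2 does not match dpt:23.
rule_pkts() {
    printf '%s\n' "$1" | awk -v target="$2" -v port="$3" '
        $3 == target && $0 ~ ("dpt:" port "([^0-9]|$)") { print $1; found = 1; exit }
        END { if (!found) print -1 }'
}

# rule_effective <listing> <target> <dport>
# Exit status 0 when the rule exists and has counted at least one packet,
# 1 when it exists but nothing has matched it yet, 2 when it is missing.
rule_effective() {
    n=$(rule_pkts "$1" "$2" "$3")
    if [ "$n" -lt 0 ]; then
        return 2
    elif [ "$n" -eq 0 ]; then
        return 1
    fi
    return 0
}

# On the host station the same check runs against the live chain:
#   rule_effective "$(iptables -L FORWARD -v -n)" REJECT 23 && echo "telnet block is active"
```

Status 1 (rule present, counters still zero) is the case to look for right after adding a rule: it usually means the test traffic was not generated yet, or that it took a path the rule does not match (wrong chain, wrong direction or wrong destination).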

To verify that other connections (other than telnet) from red to green continue to work, run the following commands on the red station.

ftp green
ssh -l student green

We also want to block the other unencrypted service, FTP. Add a similar iptables rule to block, on the host station, FTP traffic destined for the green station. After adding the rule, use iptables -L FORWARD -n -v to validate the addition of the rule.

For this rule, you can pass argument 21 to the --dport option or even the ftp name. The association between port (number) and protocol (name) is found in the /etc/services file.

From the red station, verify that FTP traffic to the green station is blocked using the command

ftp green

Block SSH

We intend for the green station to not be accessible via SSH. To do this, add an iptables rule on the host station that will block traffic related to the SSH service (port 22).

Verify that the iptables rule has been added and then verify that SSH traffic to the green station is blocked from the red station.

Allow SSH traffic

At this point, SSH traffic to the green station is blocked.

We want to allow SSH traffic from the red station to the green station. Add a corresponding rule on the host station.

After adding the rule, try to make an SSH connection from the red station to the green station. Notice that the connection is not established.

Display the list of iptables rules on the host station. Why did the connection fail? Note the order of the displayed rules; they are run sequentially.

To solve the problem, delete the ACCEPT rule you just appended and insert it again ahead of the rule that blocks SSH, using the -I option of the iptables command. Verify that the SSH connection between red and green is now established.

To delete a rule you can use the -D option.

To insert a rule use the -I option followed by the chain name (INPUT, OUTPUT or FORWARD), followed by the index of the position where you want to place the rule (1, 2, 3, …) and then followed by the rule specification.
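The ordering problem above is easiest to see with a small simulation. The script below is an added example, not part of the lab: it models the FORWARD chain as an ordered list matched on the TCP destination port only (source and destination addresses are left out, since all the lab's rules share -d green) and shows that an ACCEPT appended with -A after the SSH REJECT is never reached, while the same rule inserted with -I FORWARD 1 is evaluated first. The real iptables commands quoted in the comments assume the ACCEPT rule is restricted to traffic from red with -s red, a detail the lab text leaves to you; all function names are ours.

```shell
#!/bin/sh
# Added example, not part of the lab: first-match simulation of a FORWARD chain.
# A chain is a text value with one rule per line: "<position> <target> <dport>".
# Only the TCP destination port is matched (addresses are omitted; all the
# lab's rules share -d green). The chain policy is ACCEPT, as in the lab.

# verdict <chain> <dport>
# Walks the rules in order and prints the target of the first rule whose port
# matches; later rules are never consulted. Prints the policy if none matches.
verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NF == 3 && $3 == port { print $2; hit = 1; exit }
        END { if (!hit) print "ACCEPT" }'
}

# append <chain> <target> <dport>  -- models: iptables -A FORWARD ... -j <target>
append() {
    n=$(printf '%s\n' "$1" | awk 'NF == 3 { n++ } END { print n + 0 }')
    printf '%s\n%s %s %s' "$1" "$((n + 1))" "$2" "$3"
}

# insert_first <chain> <target> <dport>  -- models: iptables -I FORWARD 1 ... -j <target>
# Existing rules are renumbered so the positions stay accurate.
insert_first() {
    rest=$(printf '%s\n' "$1" | awk 'NF == 3 { print $1 + 1, $2, $3 }')
    printf '1 %s %s\n%s' "$2" "$3" "$rest"
}

# lab_chain: the three REJECT rules from the lab (telnet, ftp, ssh), in order
lab_chain() {
    c=$(append "" REJECT 23)
    c=$(append "$c" REJECT 21)
    append "$c" REJECT 22
}

# ssh_verdict_appended: the ACCEPT for SSH is added with -A, i.e. after the
# REJECT for port 22, so it is never reached and the connection still fails.
ssh_verdict_appended() {
    verdict "$(append "$(lab_chain)" ACCEPT 22)" 22
}

# ssh_verdict_inserted: the same ACCEPT inserted at position 1 is evaluated
# before the REJECT, so SSH is allowed while telnet and ftp stay blocked.
ssh_verdict_inserted() {
    verdict "$(insert_first "$(lab_chain)" ACCEPT 22)" 22
}

# The equivalent real commands on the host station (assumed form: the ACCEPT
# is restricted to traffic coming from red with -s red):
#   iptables -A FORWARD -d green -p tcp --dport ssh -j REJECT
#   iptables -I FORWARD 1 -s red -d green -p tcp --dport ssh -j ACCEPT
#   iptables -L FORWARD -v -n      # confirm the ACCEPT is listed first
```

The same first-match logic is why flushing with -F and re-adding rules in a deliberate order is often simpler than patching a chain with -D and -I: the listing order is the evaluation order, and every rule below a matching REJECT is dead for that traffic.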

Deleting added rules

To allow all traffic to the green station, delete all iptables rules from the FORWARD chain on the host station. Use the -F (flush) option of the iptables command. Basically we return to the initial configuration, without iptables rules on the host station. Use the iptables -L FORWARD -n -v command to validate the deletion of the rules from the FORWARD chain.

After deleting the rules, check the operation of the telnet, FTP, SSH services by connecting from the red to the green station.

Traffic Captures

tcpdump is a Linux command line utility that captures and analyzes network packets at the interface level. It is often used for troubleshooting or as a security tool. It is versatile, offers filters, and can be used in a variety of cases. Being a command line utility, it is most often used on systems that do not have a GUI, to collect data, which can then be moved and viewed with Wireshark.

Among the tcpdump options, we have:

  • -i: the interface to listen on
  • -p: destination port: filter by the destination port of the packets
  • -v: verbosity level
  • -w: the file to save the data to

To use a graphical application, you need to capture the traffic generated to red in a file and then copy the file to the physical machine, to analyze it with Wireshark.

The steps to follow are:

  • Start tcpdump on the usernet interface on the host with the option to save the output to a file.
  • Generate traffic to red from any of the other machines. You can use any kind of traffic (e.g. ping / ssh / telnet).
  • Use scp to copy the output file from the host machine to fep.grid.pub.ro and then to the local machine.

Open the file with Wireshark.
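A capture written with -w is binary, and a common mistake is to copy a text capture (tcpdump run without -w, output redirected) or an empty file and then find that Wireshark cannot open it. The script below is an added example, not part of the lab: it wraps the capture step and checks the file's magic number to confirm it is a pcap or pcapng file before it is copied off the host. The interface usernet comes from the lab; the file name, packet count and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the lab): capture on the host with tcpdump -w,
# then confirm the file really is a pcap/pcapng capture before copying it
# with scp and opening it in Wireshark. Interface, file name and packet
# count below are assumptions chosen for the lab topology.

# pcap_kind <file>
# Prints "pcap", "pcapng" or "unknown" from the file's first four bytes.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        # classic pcap: microsecond and nanosecond variants, both byte orders
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        # pcapng: the Section Header Block type, the same in both byte orders
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# capture <iface> <outfile> <count>
# Runs tcpdump non-interactively: -c stops after <count> packets, -w writes
# raw packets (not text) so Wireshark can read them, -n avoids DNS lookups.
# Fails if the result is not a capture file, so a bad file is never copied.
capture() {
    tcpdump -i "$1" -n -c "$3" -w "$2"
    [ "$(pcap_kind "$2")" != unknown ] || {
        echo "not a capture file: $2" >&2
        return 1
    }
}

# Typical use on the host station (assumed values), then the copy steps:
#   capture usernet host-usernet.pcap 200
#   scp host-usernet.pcap "$USER@fep.grid.pub.ro:"      # on the host
#   scp "$USER@fep.grid.pub.ro:host-usernet.pcap" .     # on the local machine
```

Checking the magic bytes is cheap and catches the two usual failure modes (text output and a zero-length file from a capture that was interrupted before any packet arrived) without needing Wireshark on the host.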

What kind of packets did you analyze?