Question

Answer these follwong questiong in great detail for a cyber secuirty/computer science class.

1. Consider the following firewall rule, and describe what this permits or denies:

sudo /sbin/iptables -A INPUT --dport 23 -j DROP

2.If a service is allowed in one place and denied in another, what is the outcome? (For example, a service is listed in both hosts.allow and hosts.deny) Explain.

3.If a rule for a service does not exist in either one of the files hosts.deny or hosts.allow, what happens? Explain.

4.Is the order of the rules important? If you deny something within the IP network layer (iptables), but permit something within the TCP transport layer (TCP Wrappers) that uses the IP network layer that you just denied, will your TCP traffic be permitted? Why or why not?

5.What are three modes of SELinux? Explain their basic functionality.

6. Suppose the domain hackers.com is denied for all services in the hosts.deny, and the hosts.allow file has the rule

ALL: ALL.

Will TCP Wrappers allow hackers.com access anyway? Why or why not?

7.What iptables command would you use to allow all the traffic from the loopback?
(You may need to search online for the answer to this.)

8. What switch could you use in addition to the L switch to view the network port configuration for the iptables?

9. What mode would you use when first enabling SELinux?

What mode would you use for normal activities and how would you change it to that mode?

Answer 1

1. sudo /sbin/iptables -A INPUT --dport 23 -j DROP is a firewall rule on to deny or drop incoming traffic to destination port 23. Port 23 is used for Telnet which is used for communicating using unencrypted text.

2. A service is first checked in hosts.allow. If it is present there, service is allowed. Later, hosts.deny is checked. If the same service appears in hosts.deny, it is ignored. The service remains allowed.

3. If a rule for a service is not present in hosts.allow or hosts.deny then by default the service is allowed.

4. The order of the rules is important. Ip network layer rules are checked first. If something is denied at the ip network layer itself, there is no point in alowing TCP traffic. Hence even if the same is allowed in TCP wrappers, it will continue to be denied as per the ip network layer rule.

5. SELinux has 3 modes :-

a. Permissive - Enforcing mode may deny some actions. These actions are logged in Permissive mode. The Permissive mode itself will not deny these actions. It only logs.

b. Enforcing - The SELinux has policy rules and that will be enforced in Enforcing mode. This means, actions will be denied based on the policy rules.

c. Disabled - The SELinux policy rules will not be applied. For file operations, the Discretionary Acess Control rules which includes file permissions, will be checked.

6. As explained in question 2, hosts.allow is checked first. Since ALL : ALL indicates allow all, even if it is denied in hosts.deny, it will be ignored.

7. Loopback tests connection to itself. For allowing input the command is :

sudo /sbin/iptables -A INPUT -i lo -j ACCEPT

and for allowing output the command is :

sudo /sbin/iptables -A OUTPUT -o lo -j ACCEPT

8. # iptables - L is the command used to see the loaded network port configurations. This gives only a basic overview with limited information. For detailed overview with information like interfaces applying to each of the rules, the matching number of packets and bytes corresponding to each rule, etc. the command

# iptables -L -v

can be used.

9. Enforcing mode can be used if the entire security policy of SELinux is to be applied and can be applied to the system. However, there may be issues when trying to debug or troubleshoot. In that case, the enforcing mode can be changed to permissive, which will log all actions to be denied but will not deny. The command to change the mode to permissive is :-

# setenforce permissive

Alternatively # setenforce 0 can be used where 0 stands for permissive mode ( 1 stands for enforcing mode ).