Question

You are to create and apply a firewall rule set on your Ubuntu server and each...

You are to create and apply a firewall rule set on your Ubuntu server and each rule should be commented.

Make sure to use variables for the IP addresses in your firewall. It's good practice and if I have to test one or more of your rules, I can replace the address in the variable.

For any packets you REJECT or DENY, those should be logged. That means you'll need to modify the rule so that if the rule matches a DENY or REJECT a packet, that alert is written out to a log file.

Your firewall should implement the following policies. The policies below are not in the order which they should be applied; put these rules in a reasonable order.

   6) Allow ftp for the Ubuntu box ONLY (DENY Mint).

   7) DENY all telnet connections from either Mint or Ubuntu.

     Note: I realize the default INPUT policy effectively has this outcome, but I want a written rule for #7 as well

   8) Allow ssh to the server for Mint box ONLY (DENY Ubuntu box).

   9) Allow web access (Apache) for the Mint box ONLY (DENY Ubuntu box).

10) Default incoming policy should be DENY.

11) Default outgoing policy should be ALLOW.

12) Default forward policy should be DENY.

13) Firewall should flush previously run rules.

Note that for deny rules, you will have to decide to use either REJECT or DROP and I want a comment justifying why you chose to use REJECT or DROP.

Test your Rules

Set up your logging, then attempt to test the following:

  • Accessing the FTP service from Ubuntu and Mint
  • Accessing the telnet service from Ubuntu and Mint
  • Accessing the ssh service from Ubuntu and Mint
  • Accessing the Apache test page (web) from Ubuntu and Mint

Based on your firewall rules, some of your connections should be allowed and others denied. If logging is set up correctly, the denied packets will show up as being denied.

Hint for Logging:

These rules have been used for logging, but that doesn’t mean you would use these exact rules; tailor your rules so they fit the assignment. In this instance, you would want to log any of the rules above that have a DENY in the description.

Logging Video

Useful sites on logging with rsyslog:

http://blog.stalkr.net/2009/10/logging-iptables-messages-with-rsyslog.html

https://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/

http://www.thegeekstuff.com/2012/08/iptables-log-packets/

Further Hints:

Add to /etc/rsyslog.d/50-default.conf

  • kern.warning                   -/var/log/iptables.log

Restart rsyslog service (done every time you change the conf file)

  • sudo service rsyslog restart

To create iptables.log (if it doesn’t exist):

  • sudo touch /var/log/iptables.log
  • sudo chown syslog:adm /var/log/iptables.log
  • sudo chmod 640 /var/log/iptables.log

Add to bottom of your firewall ruleset:

  • iptables -N LOGGING
  • iptables -A INPUT -j LOGGING
  • iptables -A OUTPUT -j LOGGING
  • iptables -A LOGGING -j LOG --log-prefix "Dropped Packets: " --log-level 4
  • iptables -A LOGGING -j DROP

In the logs, I only want to see the logs relevant to those packets you have dropped/rejected rather than everything. You can extract just the dropped packets from iptables.log using the following (do this for all service packets to be dropped):

  • grep "DPT=23" /var/log/iptables.log > ~/telnet.log
  • grep "DPT=21" /var/log/iptables.log > ~/ftp.log
  • grep "DPT=22" /var/log/iptables.log > ~/ssh.log
  • Etc.

Place all of those logs in a single file:

  • cat telnet.log ftp.log ssh.log > ~/firstname.lastname.iptables.log
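
One way to lay out policies 6 to 13 above, as an added example that is not part of the original question: each deny gets its own LOG rule placed directly before a REJECT, instead of the catch-all LOGGING chain from the hints. The addresses, the helper names deny_logged and allow, and the IPT dry-run variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Addresses are constructed
# placeholders from the RFC 5737 documentation range.
MINT_IP="192.0.2.10"          # assumption: the Mint client
UBUNTU_IP="192.0.2.20"        # assumption: the Ubuntu client
IPT="${IPT:-echo iptables}"   # dry run by default; run with IPT=iptables to apply

# Log a matching packet with a per-service prefix, then refuse it.
# REJECT rather than DROP: the lab clients get an immediate reset instead of
# a timeout, so allowed and denied test results are easy to tell apart.
deny_logged() {   # usage: deny_logged <source-ip> <tcp-port> <label>
  $IPT -A INPUT -p tcp -s "$1" --dport "$2" -j LOG --log-prefix "DENY $3: " --log-level 4
  $IPT -A INPUT -p tcp -s "$1" --dport "$2" -j REJECT --reject-with tcp-reset
}
allow() {         # usage: allow <source-ip> <tcp-port>
  $IPT -A INPUT -p tcp -s "$1" --dport "$2" -j ACCEPT
}

build_firewall() {
  # 13) Flush previously applied rules and delete user-defined chains.
  $IPT -F
  $IPT -X
  # 10, 11, 12) Default policies: deny incoming, allow outgoing, deny forward.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD DROP
  # Loopback and replies to outbound traffic, so the ALLOW out policy is usable.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 7) Telnet denied for both clients (explicit rule, logged).
  deny_logged "$MINT_IP" 23 telnet
  deny_logged "$UBUNTU_IP" 23 telnet
  # 6) FTP control channel: Ubuntu allowed, Mint denied.
  allow "$UBUNTU_IP" 21
  deny_logged "$MINT_IP" 21 ftp
  # 8) SSH: Mint allowed, Ubuntu denied.
  allow "$MINT_IP" 22
  deny_logged "$UBUNTU_IP" 22 ssh
  # 9) Web (Apache, port 80): Mint allowed, Ubuntu denied.
  allow "$MINT_IP" 80
  deny_logged "$UBUNTU_IP" 80 http
}
build_firewall
```

With the kern.warning line from the hints in place, these LOG entries are written to /var/log/iptables.log at level 4 with prefixes such as "DENY telnet: ". Packets that only hit the default INPUT policy are not logged by this layout.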