CT320: Network and System Administration

Fall 2019

Iptables Example

iptables Example

The networking lab, CSB 315, has a strict firewall between it and the rest of the CS Department network.

The firewall runs on the gateway host, acushla, as a shell script of iptables commands. The sections below excerpt that script.

Variables

The script starts with a number of variable definitions:

# CS Dept Back-Bone
CSNET_IF="em1"			# local interface

# Security Lab
SLAB_IF="p7p1"			# local interface
SLAB_IP="192.168.110.1"		# local IP address
SLAB_AR="192.168.110.0/24"	# address range

UNPRIVPORTS="1024:65535"	# unprivileged port range

SSH_PORT="22"
DNS_PORT="53"
HTTP_PORT="80"
SNMP_PORT="161"
HTTPS_PORT="443"

Ping

# Allow pings from the Security Classroom to acushla
iptables -A INPUT -i $SLAB_IF -s $SLAB_AR -d $SLAB_IP \
         -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# Allow pings from acushla to the Security Classroom
iptables -A OUTPUT -o $SLAB_IF -d $SLAB_AR \
         -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# Allow pings from the Security Classroom to beyond the firewall
iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -s $SLAB_AR \
         -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

DNS

# Allow Security Classroom machines to access DNS outside
# (UDP for ordinary queries, TCP for large responses and zone transfers)

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p udp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $DNS_PORT -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p tcp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $DNS_PORT -m state --state NEW -j ACCEPT

http

# Allow Security Classroom machines to access outside http services

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p tcp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $HTTP_PORT -m state --state NEW -j ACCEPT

# Allow Security Classroom machines to access outside https services

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p tcp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $HTTPS_PORT -m state --state NEW -j ACCEPT

SNMP

# Allow Security Classroom machines to access outside SNMP services

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p tcp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $SNMP_PORT -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $SLAB_IF -o $CSNET_IF -p udp -s $SLAB_AR \
         --sport $UNPRIVPORTS --dport $SNMP_PORT -m state --state NEW -j ACCEPT

ssh

# Allow Security Classroom machines to reach acushla over ssh

iptables -A INPUT -i $SLAB_IF -p tcp -s $SLAB_AR --sport $UNPRIVPORTS \
         --dport $SSH_PORT -m state --state NEW -j ACCEPT
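Every rule excerpted above matches only the first packet of a connection (--state NEW). On their own they do nothing useful: the replies to a DNS query, the data packets of an ssh session and the echo-reply to a ping would all fall through to the chain's default policy. The script must therefore also set the default policies, accept ESTABLISHED,RELATED traffic, and enable IP forwarding, none of which the lecture shows. The skeleton below is an added example, not the CS Department's script: it wraps the lecture's rules in those assumed pieces (the flush, the DROP policies, loopback, the ESTABLISHED,RELATED rules, the ip_forward sysctl) and factors the repeated FORWARD and INPUT rules into two shell functions. A RUN prefix lets an unprivileged user print every command the script would issue before running it as root.

```shell
#!/bin/sh
# Added example: a dry-run-capable skeleton around the rules on this page.
# Not the CS Department's script. The flush, default-DROP policies, loopback
# rules, ESTABLISHED,RELATED rules and ip_forward sysctl are assumptions about
# what such a script needs; the per-service rules are the lecture's.
set -eu

CSNET_IF="em1"              # CS Dept back-bone interface
SLAB_IF="p7p1"              # Security Lab interface
SLAB_IP="192.168.110.1"     # acushla's address on the lab side
SLAB_AR="192.168.110.0/24"  # lab address range
UNPRIVPORTS="1024:65535"

# RUN is a command prefix. Left unset (the default) it is "echo", so the
# script only prints what it would do. As root, RUN= ./fw.sh applies it.
RUN="${RUN-echo}"

# NEW connection from a lab machine to a service beyond the firewall.
allow_out() {  # allow_out PROTO DPORT
    $RUN iptables -A FORWARD -i "$SLAB_IF" -o "$CSNET_IF" -p "$1" -s "$SLAB_AR" \
        --sport "$UNPRIVPORTS" --dport "$2" -m state --state NEW -j ACCEPT
}

# NEW connection from a lab machine to a service on acushla itself.
allow_in() {   # allow_in PROTO DPORT
    $RUN iptables -A INPUT -i "$SLAB_IF" -p "$1" -s "$SLAB_AR" -d "$SLAB_IP" \
        --sport "$UNPRIVPORTS" --dport "$2" -m state --state NEW -j ACCEPT
}

# Echo-request in the three directions the lecture allows. Echo-replies come
# back through the ESTABLISHED,RELATED rules, so no reply rules are needed.
allow_ping() {
    $RUN iptables -A INPUT   -i "$SLAB_IF" -s "$SLAB_AR" -d "$SLAB_IP" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $RUN iptables -A OUTPUT  -o "$SLAB_IF" -d "$SLAB_AR" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $RUN iptables -A FORWARD -i "$SLAB_IF" -o "$CSNET_IF" -s "$SLAB_AR" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
}

# Default-deny base that the per-service NEW rules rely on (assumed).
base_policy() {
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -P INPUT   DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT  DROP
    $RUN iptables -A INPUT  -i lo -j ACCEPT
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
    # Without these, a "--state NEW" rule admits the first packet and every
    # reply or follow-up packet of that connection hits the DROP policy.
    for chain in INPUT FORWARD OUTPUT; do
        $RUN iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # FORWARD rules are never consulted unless the kernel routes between
    # interfaces; acushla is the lab's gateway, so forwarding must be on.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

main() {
    base_policy
    allow_ping
    allow_out udp 53;  allow_out tcp 53     # DNS
    allow_out tcp 80;  allow_out tcp 443    # http / https
    allow_out tcp 161; allow_out udp 161    # SNMP
    allow_in  tcp 22                        # ssh to acushla
}

main
```

Run it unprivileged to review the 21 commands it would issue; the order matters, since iptables evaluates a chain top to bottom and the ESTABLISHED,RELATED rules must precede the per-service ones. The OUTPUT DROP policy is inferred from the lecture having an explicit OUTPUT accept rule for ping, which would be pointless under a default ACCEPT; relax it if acushla itself must originate other traffic.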