
Network Security Assignment

iptables Firewall

Student Name: ---------


Student No: ------------------

TABLE OF CONTENTS

Executive Summary
Network Design
Firewall Design
  1. What is a firewall
  2. Requirements of the firewall
  3. Implementation of the firewall
Testing of the Firewall
  1. ICMP Test
  2. HTTP Test
  3. VSFTP Test
  4. SSH Test
Attacks
  1. Ping Flooding
  2. SYN Flood
  3. Port Scan Using nmap
  4. Port Scan Using SYN Set
Conclusion
References

EXECUTIVE SUMMARY

The purpose of this report is to build a firewall and demonstrate its use in mitigating
attacks on a computer network. Network security is a priority for every network, and the
most common tools used for it are antivirus software and firewalls. One open source
firewall is iptables. iptables ships with standard Linux distributions and lets system
administrators configure the netfilter tables, chains and rules that enforce an access
policy on the network.
Here I have used VMware Workstation with Red Hat Linux to build the network
environment, and an iptables-based firewall on the gateway to protect the network. In the
latter part I test that the firewall works as intended. At the end I launch some common
attacks to demonstrate that the firewall protects the network from them while still
providing access to the services that were the basic requirements for this network.

NETWORK DESIGN

[Network diagram]

  External host (attacker, Windows XP)   100.100.100.2/24
          |
        eth2  100.100.100.1/24
      +---------------------+
      |      Firewall       |
      +---------------------+
   eth0 192.168.2.1/24     eth1 192.168.1.1/24
          |                       |
  Internal LAN host          Server farm
  192.168.2.2/24             192.168.1.2/24

Firewall interfaces:
  eth0  192.168.2.1/24    internal LAN
  eth1  192.168.1.1/24    server farm
  eth2  100.100.100.1/24  external network

To simulate the network I used three Red Hat hosts (the gateway running the firewall,
the server and an internal client) plus the host machine, which plays the role of the
remote or external machine. There are three separate networks: 100.100.100.0/24,
192.168.1.0/24 and 192.168.2.0/24. Network 100.100.100.0/24 is the outer network and is
connected to the host machine. 192.168.2.0/24 is the company's internal network, and
192.168.1.0/24 holds the server, which runs the basic services this company's network
requires: HTTP, SSH and FTP (vsftpd).
The firewall runs on the gateway host and protects the internal networks. Routing on the
Red Hat Linux gateway is enabled with the following command (the setting does not
survive a reboot; to make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf):

echo 1 > /proc/sys/net/ipv4/ip_forward

FIREWALL DESIGN

What is a firewall?

Definition:
A firewall is a system designed to prevent unauthorized access to or from a private
network. Firewalls can be implemented in hardware, in software, or in a combination of
both. They are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially intranets. All messages entering
or leaving the intranet pass through the firewall, which examines each message and
blocks those that do not meet the specified security criteria. (Wikipedia, n.d.)

Requirements of the firewall


To secure the network, the firewall must satisfy the following security policy.

• The server provides HTTP, SSH and TFTP to the external and internal networks.

• Internal hosts may request any service offered by the external network.

• Internal hosts may ping the external network.

• Pings from the external network to the internal networks are blocked; only echo
replies from outside are allowed in.

• Internal and external hosts may reach their gateway.

• Ping flooding and SYN flooding are blocked from all networks.

• The internal networks can reach each other without restriction.

• Network scanning is not permitted.

• Legitimate hosts on the external network may log in to the gateway with SSH.

Implementation of the firewall

First all existing rules are flushed and the default policies are set. I created a
script for this step.

Flush.sh

echo "Flushing the Firewall"

# remove all rules from the built-in chains (user-defined chains are not removed by -F;
# iptables -X deletes them once they are empty)
iptables -F

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

These commands set the default policy to DROP for the INPUT and FORWARD chains, so that
anything not explicitly allowed by the rules below is discarded, while the OUTPUT chain
(traffic originated by the gateway itself) defaults to ACCEPT.

The next step is to stop pings from the outside network to the inside networks and, at
the same time, to limit ping flooding. Both are handled by the icmp_p chain: it drops
ICMP echo requests (type 8) from the external network towards the internal networks,
rate-limits the echo requests that remain (for example from the internal LAN to the
internal server), and accepts all other ICMP traffic such as echo replies. Note that
-m limit keeps one shared counter for the rule, not one per source address, so the
limit applies to all pinging hosts together. The rules are as follows:

echo " icmp rules "

iptables -N icmp_p

# no echo requests from the external network to the internal networks
iptables -A icmp_p -s 100.100.100.0/24 -d 192.168.0.0/16 -p icmp --icmp-type 8 -j DROP

# echo requests from everywhere else: at most 10 per minute (default burst 5), the rest dropped
iptables -A icmp_p -p icmp --icmp-type 8 -m limit --limit 10/minute -j ACCEPT

iptables -A icmp_p -p icmp --icmp-type 8 -j DROP

# all other ICMP (echo replies, error messages) is accepted
iptables -A icmp_p -p icmp -j ACCEPT

The chain is named icmp_p because that is the name the INPUT and FORWARD rules below
jump to; creating it under a different name would make those jumps fail when the rules
are loaded.

In a similar manner the bad_tcp chain is traversed for every TCP packet. A packet that
carries SYN and ACK but belongs to no known connection is bogus and is answered with a
reset. New connection attempts (SYN only) are passed on at a rate of at most 5 per
minute (plus the default burst of 5); anything above that is logged with the prefix
"Stealth_Attack_Syn " and dropped. The rate-limited rule returns to the calling chain
rather than accepting, so that a new connection still has to pass the port filter in the
tcp_p chain below. As with the ICMP limit, -m limit is a single shared counter: one host
sending SYNs faster than the limit also causes legitimate SYNs from other hosts to be
dropped, so in a larger deployment a per-source limit (for example -m hashlimit) would
be preferable.

echo "Bad tcp chain, used to stop syn attack"

iptables -N bad_tcp

# SYN/ACK that opens no known connection: answer with a reset
iptables -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# up to 5 new SYNs per minute continue to the port filter in the calling chain
iptables -A bad_tcp -p tcp --syn -m limit --limit 5/min -j RETURN

# everything above the limit is logged and dropped (the trailing space in the prefix
# keeps it separate from the "IN=" that the LOG target prints next)
iptables -A bad_tcp -p tcp --syn -m state --state NEW -j LOG --log-prefix "Stealth_Attack_Syn "

iptables -A bad_tcp -p tcp --syn -m state --state NEW -j DROP

The allowed chain, shown below, handles the TCP packets of a permitted service: it
accepts the opening SYN and the packets of an established or related connection, and
drops anything else.

echo "Allowed Chain"

iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

The tcp_p chain lists the TCP services that may be reached from the internal and the
external network; additional services are added by appending one line per port. Here
TCP port 22 (SSH) and port 80 (HTTP) are allowed. A packet for any other port matches
nothing in this chain and returns to the calling chain, where it is dropped.

echo "TCP Chain"

iptables -N tcp_p
iptables -A tcp_p -p TCP --dport 22 -j allowed
iptables -A tcp_p -p TCP --dport 80 -j allowed

Similarly the udp_p chain controls the UDP services offered by the servers. Here UDP
port 69 (TFTP) is allowed. Note that FTP as served by vsftpd uses TCP port 21, not UDP;
the tcp_p chain above does not open it to the external network (exposing it would need a
port 21 entry in tcp_p and the ip_conntrack_ftp module loaded, so that the data
connection is tracked as RELATED).

echo "UDP chain"

iptables -N udp_p
iptables -A udp_p -p UDP --destination-port 69 -j ACCEPT

The following rules are placed in the INPUT chain, which handles traffic addressed to
the gateway itself.

echo "Input Chain"

iptables -A INPUT -p icmp -j icmp_p
iptables -A INPUT -p tcp -j bad_tcp
iptables -A INPUT -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j tcp_p
iptables -A INPUT -p udp -j udp_p
iptables -A INPUT -j DROP

ICMP and TCP packets first pass through the icmp_p and bad_tcp chains. Packets addressed
to the gateway's 192.168.0.0/16 interfaces that belong to an ESTABLISHED or RELATED
connection are accepted; new connections are checked against the tcp_p and udp_p service
chains, and everything else is dropped. Because of the -d restriction, replies to
connections that the gateway itself opens towards the external network (destination
100.100.100.1) do not match the ESTABLISHED rule; if the gateway needs to originate such
connections, the -d 192.168.0.0/16 should be removed from that rule.

The FORWARD chain, which carries traffic routed between the three networks, has the same
structure. One extra rule lets the internal networks open connections to each other and
to the external network, as the requirements demand; it is restricted with ! -i eth2 so
that a packet with a forged internal source address arriving on the external interface
does not qualify.

echo "Forward Chain"

iptables -A FORWARD -p icmp -j icmp_p
iptables -A FORWARD -p tcp -j bad_tcp
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the internal networks (not if they arrive on the external eth2)
iptables -A FORWARD -s 192.168.0.0/16 ! -i eth2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -j tcp_p
iptables -A FORWARD -p udp -j udp_p
iptables -A FORWARD -j DROP

The OUTPUT chain, for traffic originated by the gateway itself, only passes TCP through
bad_tcp and then accepts everything.

echo "Output Chain"

iptables -A OUTPUT -p tcp -j bad_tcp
iptables -A OUTPUT -j ACCEPT

Further services are added with one line each in the tcp_p or udp_p chain, so the rule
set scales with the services offered. On Red Hat the loaded rules are lost at reboot
unless they are saved with service iptables save, which writes them to
/etc/sysconfig/iptables.
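The rule set above is spread over several fragments and, as originally printed, had the inconsistencies noted along the way (an ICMP chain created under one name and jumped to under another, an ACCEPT in bad_tcp that let any new connection bypass the port filter, no FORWARD rule for connections originating inside, and a UDP rule for the wrong port). The following script is added here for this edition and is not part of the original assignment: it puts the whole firewall into one re-runnable file with those corrections. It assumes a Linux gateway with the interface names from the network design (eth2 external). With DRY_RUN=1, the default, it only prints the iptables commands, which lets the check_chain_refs function verify that every -j target is a built-in target or a chain created earlier in the script before anything is applied as root.

```shell
#!/bin/sh
# firewall.sh: the assignment's iptables rule set in one file, with these fixes:
#   - the ICMP chain is created as icmp_p, the name INPUT and FORWARD jump to
#   - the rate-limited SYN rule in bad_tcp RETURNs instead of ACCEPTing, so a new
#     connection must still pass the port filter in tcp_p
#   - new connections from the internal networks are accepted in FORWARD, as the
#     requirements state (not if they arrive on the external interface: anti-spoofing)
#   - the UDP chain opens 69/udp (TFTP), as the text says, instead of 21/udp
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (run as root).
: "${DRY_RUN:=1}"
IPT=${IPT:-iptables}
EXT_IF=eth2                 # external interface, from the network design
EXT_NET=100.100.100.0/24
INT_NETS=192.168.0.0/16

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

firewall_rules() {
    # start clean: flush rules, delete old user chains, set default policies
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # ICMP: no echo requests from outside to the internal networks, the rest rate-limited
    ipt -N icmp_p
    ipt -A icmp_p -s "$EXT_NET" -d "$INT_NETS" -p icmp --icmp-type 8 -j DROP
    ipt -A icmp_p -p icmp --icmp-type 8 -m limit --limit 10/minute -j ACCEPT
    ipt -A icmp_p -p icmp --icmp-type 8 -j DROP
    ipt -A icmp_p -p icmp -j ACCEPT

    # bad_tcp: reset bogus SYN/ACK "new" connections; let 5 new SYNs/min through to
    # the port filter; log (prefix ends in a space) and drop the excess
    ipt -N bad_tcp
    ipt -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    ipt -A bad_tcp -p tcp --syn -m limit --limit 5/min -j RETURN
    ipt -A bad_tcp -p tcp --syn -m state --state NEW -j LOG --log-prefix "Stealth_Attack_Syn "
    ipt -A bad_tcp -p tcp --syn -m state --state NEW -j DROP

    # allowed: the opening SYN and the rest of the connection for a permitted port
    ipt -N allowed
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP

    # exposed services: one line per port
    ipt -N tcp_p
    ipt -A tcp_p -p tcp --dport 22 -j allowed
    ipt -A tcp_p -p tcp --dport 80 -j allowed
    ipt -N udp_p
    ipt -A udp_p -p udp --dport 69 -j ACCEPT

    # INPUT: traffic addressed to the gateway itself
    ipt -A INPUT -p icmp -j icmp_p
    ipt -A INPUT -p tcp -j bad_tcp
    ipt -A INPUT -d "$INT_NETS" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -j tcp_p
    ipt -A INPUT -p udp -j udp_p
    ipt -A INPUT -j DROP

    # FORWARD: traffic routed between the three networks
    ipt -A FORWARD -p icmp -j icmp_p
    ipt -A FORWARD -p tcp -j bad_tcp
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$INT_NETS" ! -i "$EXT_IF" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -p tcp -j tcp_p
    ipt -A FORWARD -p udp -j udp_p
    ipt -A FORWARD -j DROP

    # OUTPUT: traffic the gateway originates
    ipt -A OUTPUT -p tcp -j bad_tcp
    ipt -A OUTPUT -j ACCEPT
}

# Every "-j TARGET" in the generated rules must be a built-in target or a chain
# created with -N earlier in the script (the original text jumped to icmp_p but
# created icmp_one, which iptables rejects at load time). Exit status 0 means ok.
check_chain_refs() {
    firewall_rules | awk '
        BEGIN { known["ACCEPT"] = known["DROP"] = known["REJECT"] = known["LOG"] = known["RETURN"] = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "-N") known[$(i + 1)] = 1
                if ($i == "-j" && !($(i + 1) in known)) { print "undefined chain: " $(i + 1); bad = 1 }
            }
        }
        END { exit bad + 0 }'
}

check_chain_refs && firewall_rules
```

Run it once with the default DRY_RUN=1 and read the output; then DRY_RUN=0 sh firewall.sh as root loads the rules, and service iptables save keeps them across reboots. The dry-run print loses shell quoting, so the trailing space of the log prefix is only visible in the script itself, not in the printed line.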

TESTING OF THE FIREWALL

ICMP TEST
Echo requests from the external network to the internal networks are dropped by the
icmp_p chain, so external hosts cannot ping the server. This is shown below: when the
attacker (100.100.100.5) pings the server (192.168.1.2) there is no response, because the
packets are dropped at the gateway.

HTTP TEST
For this test the HTTP service is started on the server with the following command:

service httpd start

Then the thttpd service is started in the same way.
The figure below shows the whole process.

VSFTP TEST
The FTP service used here is vsftpd. First a directory is created to hold the files to
be retrieved from and sent to the FTP server; the directory is /home/ftp. The figure
below shows the vsftpd service being started on the internal server with service vsftpd
start and, from an internal host, the command get nana.txt retrieving a file named
nana.txt from 192.168.1.2. The test is run from an internal host: vsftpd listens on TCP
port 21, which is not among the ports the tcp_p chain opens to the external network.

SSH TEST

The SSH server is started with

service sshd start

The SSH service is started on the internal server as well as on the gateway, which
external hosts are allowed to log in to.

ATTACKS

PING FLOODING

A ping flood is a simple denial-of-service attack in which the attacker overwhelms the
victim with ICMP echo request (ping) packets. It only succeeds if the attacker has more
bandwidth than the victim (Wikipedia, n.d.). Ping flooding can be harmful to the network
because the echo requests may carry large payloads, consuming the processing capacity
of the gateway or server and making it unavailable to legitimate users.

I used two variants of the ping flood attack.

Type 1

A ping flood is launched from the internal host (192.168.2.2) against the server
(192.168.1.2) with the following command (-f sends packets as fast as they are answered
and requires root):

ping -f 192.168.1.2

The figure below shows the attack before and after the firewall is in place. Before the
firewall the attack reports 0% packet loss; with the firewall applied and the attack
repeated it reports 90% packet loss, because the icmp_p chain only lets 10 echo requests
per minute through. This shows that the firewall has been set up properly.

Type 2

Ping flooding can also be launched with hping, which can add an extra payload to each
ping and set any flags of the attacker's choice to make it worse. The option -i u1000
sends one packet every 1000 microseconds:

hping 192.168.1.2 -i u1000

To mitigate this kind of attack the gateway passes only 10 echo requests per minute
(with a burst of 5) towards a host; echo requests above that rate are simply discarded.
The figure below shows the delay in response while the hping attack is running: the
normal round-trip time of a ping to the server (192.168.1.2) is 0.3 to 0.4
milliseconds, but during the hping attack it rises to 16.8 milliseconds (yellow
marker).

SYN FLOOD

SYN flooding is a method that the user of a hostile client program can use to conduct
a denial-of-service (DoS) attack on a computer server. The hostile client repeatedly
sends SYN (synchronization) packets to every port on the server, using fake IP
addresses (Whatis.com).
The firewall drops any external connection request whose destination port is not 22
(SSH) or 80 (HTTP). For the internal network it uses the same mechanism as for the ping
flood: the bad_tcp chain passes at most 5 new SYNs per minute (plus the burst of 5).
When that rate is exceeded the firewall drops the SYN packets and logs them with the
"Stealth_Attack_Syn" prefix. I launch the SYN flood with hping2 in SYN mode:

hping2 -S 192.168.1.2

The figure below shows the state of the firewall once this attack has been running.
Log entries with the "Stealth_Attack_Syn" prefix can be seen.

PORT SCANNING USING NMAP

nmap is used to scan the server's IP address. It detects the ports exposed to the
network and also checks whether the host is up. To secure the server and the internal
network, the firewall has to close the unnecessary ports exposed to the outside.
According to the result, only port 22 (SSH) and port 80 (HTTP) are exposed on the
server, and for the intranet host no port is available to the external network. A TCP
connect scan is run with:

nmap -sT 192.168.1.2

PORT SCANNING USING SYN SET

Since the connect scan is defeated, there is another way to port scan: the attacker can
use the SYN flooding tool for it. The command below sends packets with only the SYN bit
set, incrementing the destination port with every packet (starting at port 20), one
packet every 1000 microseconds:

hping2 -S 192.168.1.2 -p ++20 -i u1000

or

nmap -p 1-1024 192.168.1.2

Only open ports answer a bare SYN with SYN/ACK, so the attacker learns which ports are
open from the replies that come back. The firewall counters this with the same SYN rate
limit in the bad_tcp chain: once the attacker exceeds 5 new SYNs per minute the
remaining probes are logged and dropped, so the scan stalls and the log entries reveal
the scanning host.
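Both the SYN flood section and the SYN scan section above rely on the LOG rule in bad_tcp to make the attack visible in the kernel log. The following script is added here and is not part of the original assignment: it shows what those log lines look like and how to triage them with awk, counting logged SYNs per source and the number of distinct destination ports each source hit, so that a flood (many SYNs to one port) can be told apart from a hping2/nmap port walk (many ports). The log lines are constructed for the example, not captured from the lab, and the two thresholds are an assumption. It works with the prefix as printed on the page (no trailing space, so the log reads Stealth_Attack_SynIN=eth2) as well as with a prefix ending in a space.

```shell
#!/bin/sh
# syn_log_triage.sh: summarise the lines the bad_tcp LOG rule writes to the kernel log.
# The LOG target prints the prefix directly followed by "IN=... OUT=... SRC=... DST=...
# ... PROTO=TCP SPT=... DPT=... SYN", so source and destination port are plain
# KEY=VALUE fields that awk can pick out, whether or not the prefix ends in a space.
# Thresholds are an assumption for this example, not values from the assignment.
SCAN_PORTS=10    # distinct destination ports from one source before calling it a scan
FLOOD_HITS=5     # logged SYNs from one source before calling it a flood

# Constructed sample log (not captured from the lab): the external attacker
# 100.100.100.2 walks server ports 20-31 (hping2 -S -p ++20), and the internal host
# 192.168.2.2 sends repeated SYNs to port 80 on the server.
sample_log() {
    i=20
    while [ "$i" -le 31 ]; do
        printf 'Oct 24 14:02:%02d gateway kernel: Stealth_Attack_Syn IN=eth2 OUT=eth1 SRC=100.100.100.2 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=%d PROTO=TCP SPT=%d DPT=%d WINDOW=512 RES=0x00 SYN URGP=0\n' \
            "$((i - 20))" "$i" "$((1000 + i))" "$i"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do
        printf 'Oct 24 14:03:%02d gateway kernel: Stealth_Attack_Syn IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=%d PROTO=TCP SPT=%d DPT=80 WINDOW=512 RES=0x00 SYN URGP=0\n' \
            "$i" "$((2000 + i))" "$((40000 + i))"
        i=$((i + 1))
    done
}

# syn_summary < log : one line per source, "SRC logged_syns distinct_dst_ports", sorted.
syn_summary() {
    awk '
        /Stealth_Attack_Syn/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in hits) printf "%s %d %d\n", s, hits[s], ports[s] }
    ' | sort
}

# classify SRC < log : prints "scan", "flood" or "normal" for that source.
classify() {
    syn_summary | awk -v src="$1" -v sp="$SCAN_PORTS" -v fh="$FLOOD_HITS" '
        $1 == src { verdict = ($3 >= sp) ? "scan" : ($2 >= fh) ? "flood" : "normal" }
        END { if (verdict == "") verdict = "normal"; print verdict }'
}

# Stand-alone run: summary table, then a verdict for each source in the sample.
sample_log | syn_summary
for host in 100.100.100.2 192.168.2.2; do
    printf '%s: %s\n' "$host" "$(sample_log | classify "$host")"
done
```

On a real gateway the input would be grep Stealth_Attack_Syn /var/log/messages piped into syn_summary; the distinct-port count is what separates the hping2 -p ++20 walk from a flood of SYNs to a single service, and a source that shows up here at all has already exceeded the 5-per-minute budget of the bad_tcp chain.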

CONCLUSION

This assignment made my understanding of firewalls and iptables clearer. I provided the
three basic services SSH, HTTP and FTP (vsftpd) to the network and implemented basic
protection against ping floods, SYN floods and port scanning. The assignment also showed
me how various attacks can be launched across a network and how a firewall helps
mitigate them. Firewalls are an important security appliance for today's networks, and
even though skilled attackers can still find ways through a firewall, it remains an
important tool for mitigating attacks and keeping the network and its information safe
from malicious users.

REFERENCES

• Andreasson, O. (2006). Iptables Tutorial 1.2.2. Retrieved October 16, 2008 from
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

• Harrison, P. (2007). Linux Firewalls Using iptables. Retrieved October 20, 2008 from
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

• cgisecurity.net (2007). Fingerprinting port 80 attacks: A look into web server, and
web application attack signatures: Part Two. Retrieved October 22, 2008 from
http://www.cgisecurity.net/papers/fingerprinting-2.shtml

• Russell, R. (2002). Linux 2.4 Packet Filtering HOWTO. Retrieved October 24, 2008 from
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

• Wikipedia. Retrieved October 23, 2008 from www.wikipedia.com
