Using a tool (webmin) to create iptables rules
In this exercise you will use one of the several front-end tools that
generate iptables commands from your instructions, and build a firewall with it.
Clearing and examining any existing firewall
At any point during this exercise you can clear the local firewall rules and reset the default policies to ACCEPT as follows:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
And you can examine them with:
iptables -nL
Make use of these whenever you are uncertain about the state of your
firewall, or find yourself blocked by it.
Download, install, and run webmin
Download webmin from www.webmin.com; you will probably prefer the available rpm version. Install it. Webmin is not a regular binary executable but a small, special-purpose web server that listens by default on port 10000. (It is implemented as a set of perl scripts; if you run "netstat -pant" while webmin is running it shows perl listening on port 10000.) Once webmin is installed and running, connect to it with a GUI browser at https://127.0.0.1:10000. Expect the browser to warn about the certificate, since webmin generates a self-signed one at install time. Log in with your Linux root account and password, which webmin accepts by default. Keep in mind what that means: anyone who can reach port 10000 and knows root's password has root's access to the machine, so the firewall you build below, which drops everything not arriving on lo or port 22, is also what keeps webmin off the network.

Choose Networking, then Linux Firewall. Creating a firewall through this graphical interface results in entries in the file /etc/sysconfig/iptables, written in the format that iptables-save produces and iptables-restore reads. As you enter rules via webmin, periodically examine that file by cat-ing it in a terminal window.
Experiment with webmin to build a prescribed firewall
Use webmin to create a firewall equivalent to the one that would result from
running these commands:
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 22 -s 0.0.0.0/0 -d 192.168.4.1/32 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 --dport 1024:65535 -s 192.168.4.1/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Figure out how to manipulate the interface to generate each of the above rules.
Along the way, watch what's showing up in /etc/sysconfig/iptables.
Be careful. Because you are connecting to webmin at address 127.0.0.1, you are using the special built-in "lo" loopback interface. Even though it is local, the lo interface exercises the full network mechanism, so if you block it, webmin can no longer function: as a network program it depends on packets flowing freely between itself and the browser. You will fall into this trap if you specify the default policies first and apply the firewall before specifying the other rules. That is the reason for the two rules above involving the lo interface. They trump the policies, which are DROP for both input and output, applying ACCEPT instead to everything on lo; iptables checks a chain's rules in order and falls back to the policy only when none of them matches.

If you do cut yourself off, simply switch from the browser to a terminal, use iptables at the shell prompt to remove your rules and reset your policies, then return to webmin for another try. Why does this work? Because the shell does not use the network. If there is a river, a road running alongside it, and a dam, the dam blocks river traffic but has nothing to do with road traffic. This only holds for a terminal on the machine's own console (or a local X session): if your terminal is an ssh session from another machine, it travels through eth0 like any other network traffic, and a DROP policy applied before the port-22 rules will cut it off too.
Test your firewall
The function of this particular firewall is to let outside machines interact with yours only through port 22. If you are running sshd on that port, as is usual, this means you are confining outsiders to interacting with your machine exclusively through ssh. Have another student try to ssh into your machine. It should work. But have them try any other network interaction that would otherwise work (ping, client3/server3, etc.), and those should all fail. Note what else the rules imply: with an OUTPUT policy of DROP and only source port 22 allowed out on eth0, connections your own machine initiates (pinging or ssh-ing out to the other student, for instance) fail too, and an inbound ssh connection whose client chose a source port below 1024 would be dropped, since the INPUT rule requires --sport 1024:65535. The rule set is also stateless: it matches each packet on addresses and ports alone, with none of the connection tracking that a -m state match would provide.
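To see why the test above comes out the way it does, here is an added example (written for this page; it is not part of the exercise, of webmin, or of iptables itself) that parses a ruleset in the iptables-save format found in /etc/sysconfig/iptables and evaluates packets against it the way the kernel does: walk the chain top down, the first matching rule's target wins, and the chain policy applies when nothing matches. The option parser is deliberately limited to the options the prescribed rules use (an assumption of this example), the packets are constructed, and 10.0.0.7 is an assumed address for the other student's machine.

```python
"""Stateless first-match evaluator for the prescribed iptables filter rules.

Added example, not part of the original exercise or of webmin. It handles only
the options the prescribed rules use (no '!' negation, no -m modules).
"""
import ipaddress
import shlex

# Constructed sample: the prescribed firewall as it appears in iptables-save
# format, with the lo rules present so the DROP policies cannot lock webmin out.
PRESCRIBED = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 192.168.4.1/32 --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -s 192.168.4.1/32 -d 0.0.0.0/0 --sport 22 --dport 1024:65535 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule, ...]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):                  # "-A CHAIN opt val ..."
            toks = shlex.split(line)
            chain, opts = toks[1], toks[2:]
            if len(opts) % 2:
                raise ValueError("unsupported option syntax: " + line)
            rule = dict(zip(opts[0::2], opts[1::2]))  # every option here takes a value
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def _port_in(spec, port):
    """True if port lies in 'N' or 'LOW:HIGH'."""
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)


def matches(rule, pkt):
    """Does every match option of the rule hold for this packet?"""
    checks = {
        "-i": lambda v: pkt.get("in") == v,
        "-o": lambda v: pkt.get("out") == v,
        "-p": lambda v: pkt.get("proto") == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "--sport": lambda v: "sport" in pkt and _port_in(v, pkt["sport"]),
        "--dport": lambda v: "dport" in pkt and _port_in(v, pkt["dport"]),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt != "-j")


def verdict(rules_text, chain, pkt):
    """First matching rule's target wins; the chain policy applies otherwise."""
    policies, chains = parse_rules(rules_text)
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["-j"]
    return policies[chain]


def drop_lo_rules(rules_text):
    """The trap from the text: the same firewall with the two lo rules missing."""
    return "\n".join(l for l in rules_text.splitlines() if " lo " not in l) + "\n"


# Constructed packets; 10.0.0.7 is an assumed address for the other student's machine.
OTHER, ME = "10.0.0.7", "192.168.4.1"
CASES = {
    "ssh in from other student": ("INPUT", {"in": "eth0", "proto": "tcp", "src": OTHER, "dst": ME, "sport": 40000, "dport": 22}),
    "sshd reply out": ("OUTPUT", {"out": "eth0", "proto": "tcp", "src": ME, "dst": OTHER, "sport": 22, "dport": 40000}),
    "ping in from other student": ("INPUT", {"in": "eth0", "proto": "icmp", "src": OTHER, "dst": ME}),
    "ssh out to other student": ("OUTPUT", {"out": "eth0", "proto": "tcp", "src": ME, "dst": OTHER, "sport": 45000, "dport": 22}),
    "ssh in from privileged source port": ("INPUT", {"in": "eth0", "proto": "tcp", "src": OTHER, "dst": ME, "sport": 1023, "dport": 22}),
    "browser to webmin over lo": ("INPUT", {"in": "lo", "proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "sport": 50000, "dport": 10000}),
}


def run_cases(rules_text=PRESCRIBED):
    """Map each case name to the verdict the ruleset gives it."""
    return {name: verdict(rules_text, chain, pkt) for name, (chain, pkt) in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:38s} {result}")
    print("webmin over lo, lo rules missing:   ",
          verdict(drop_lo_rules(PRESCRIBED), "INPUT", CASES["browser to webmin over lo"][1]))
```

Running it shows the inbound ssh connection and sshd's replies accepted, while the ping, your own outbound ssh, and an ssh attempt from a source port below 1024 all hit the DROP policy; the last line reproduces the lock-out from the text, where the same policies with no lo rules drop the browser's packets to webmin. Since every decision rests on the ports in the packet alone, the evaluator also makes the stateless nature of this ruleset visible: nothing ties sshd's outbound packets to a connection that was actually accepted inbound.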