CSE497b - Project #4 - Linux iptables

Due Date: April 20th, 2007.

In this assignment, you will develop Linux iptables firewall rules for your Playpen to control access to a couple of network services: ICMP ping and a generic network client/server netcat. We will provide a server script for you to run in your Playpen. This script defines what ports and services your Playpen VM will export, but you will need to write the Linux iptables rules to protect your Playpen according to the directions below.

In addition to the server script, we will also provide a test client script and expected output in a project tarball, so that you can write rules and test whether they are doing what is expected. Note that you do not have access to VMs 75 and 76, so the test programs are designed to test your rules from localhost (127.0.0.1) on your Playpen. The idea is to treat the client on localhost as a remote party on IP address 127.0.0.1 and write/test the iptables rules for that IP address. You then will change the source IP address to the targets prior to deploying. Note that this assignment is mainly about system configuration, but you can run into some issues (e.g., locking yourself out of your Playpen) and getting the rules to let the tests run. It is advised to start early to get used to working on the Playpen and writing/testing the firewall rules.

Follow these instructions:

Get the project tarball from here. The project tarball contains: (1) a bash script that runs the Playpen services that you are to have open at evaluation time (see below), called p4-server; (2) a bash script that runs the test requests that will be submitted to your Playpen VM, called the p4-client; (3) some test files that will be sent by the p4-client to the p4-server at test time; and (4) some sample output in client.127.0.0.1.forIP.out where IP is the IP address of the test client systems 75 and 76 (discussed further below).
Unpack the tarfile in your Playpen. Note that there is no code to build (it is all scripts), but you may need to set execute permissions on your scripts. Otherwise, you should be ready to run.
To run the p4-server type ./p4-server |base-port|. This opens three ports with |base-port| as the initial one running the netcat program nc listening for requests.
To test iptables rules, you will run the ./p4-client |ipaddr| |base-port|. The client will perform ping requests and netcat requests to the specified IP address (first argument). The base-port should be the same between the client and server.
The client will write output to a file client.IP.out where IP is the IP address provided in the call to p4-client. This file will contain the results of the run. Without any iptables rules specified, all the ping requests should be delivered, and all the files should be accepted by the netcat server in (basically) no elapsed time. When you do the testing (see below), you can compare the output that you get to the test output files (see Testing below).
You will need to write Linux iptables rules to achieve the goals stated below. These rules should be collected into a single script (e.g., bash) that you run each time you load the rules. This script will be the submission. The iptables rules should enforce the following requirements:
- Prevent all UDP communication from 130.203.83.75 and 130.203.83.76 to your system. Others are permissible.
- Restrict ICMP (ping) packets from reaching your system unless they originate from the IP address 130.203.83.75 (referred to as '75' below) or 130.203.83.76 ('76' below).
- Set message size limits on ICMP messages of 1000 bytes from 75 and 10000 bytes from 76. To limit length, you must use the iptables match specifier for length as indicated in the supplementary slides (presented on 4/10).
- Run two instances of the server script provided. ./p4-server 3750 supports 75 and ./p4-server 3760 supports 76. p4-server will automatically open 3 ports on each invocation. 75 will use 3 ports 3750, 3751, and 3752 to submit 3 requests to your server. 76 will use 3 other ports 3760, 3761, and 3762.
- Write iptables rules to ensure that the 130.203.83.75 client is the only client that can connect to ports 3750, 3751, and 3752. Similarly, 130.203.83.76 is the only client that can connect to ports 3760, 3761, and 3762. We will also test from IP addresses other than these.
- Write packet string matching rules to prevent 75 from sending a packet that contains a substring "exe" and to prevent 76 from sending a packet that contains a substring "com." These will use the match specifier for strings as indicated in the supplementary slides (presented on 4/10).
- Prevent all other communication from 130.203.83.75 and 130.203.83.76. Make sure that your rule to achieve this does not block communication from other systems (e.g., to SSH into your Playpen)!
In designing your iptables rules, you should be aware of two things: (1) do not rewrite rules that may prevent you from logging into the system (via SSH) and (2) be economical in the number of rules that you need. First, do not write any rules that refer to SSH (an incorrect one may lock you out). Second, your rule base should be as small as necessary to get the job done. We won't grade on minimality, but an excessive number of rules will be a deduction.
When you have completed the iptables rule script, email it to the course professor by 5:00pm on the 20th. Furthermore, your two p4-servers (started as described above) must be running at 5:00pm on the 20th as well. We will run through all of your systems to test their handling of the above requirements. Failure to have the servers running at this time may result in a failing grade for this assignment.

Notes

Testing: To test whether your iptables rules are correct, run the p4-server on your Playpen and invoke the client via ./p4-client 127.0.0.1 |base-port| where the base-port is 3750 for testing 75 rules and 3760 for testing 76 rules (both sets will need to loaded when we evaluate your project). To determine whether the rules are correct compare the output of the corresponding expected output files, client.127.0.0.1.for75.out for 75 and client.127.0.0.1.for76.out for 76. The ping results should show the same number of ping messages delivered, and the nc results should show send delays for the same files (3 seconds approximately for those blocked, and instantaneous for those allowed).
The script killpids is provided to kill programs with a matching substring (e.g., ./killpids nc will kill all nc programs running). This may be helpful to cleanup leftover processes (I am sure that there is a more elegant way to do this, but my bash programming is rusty).
You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.

Documentation

The main help is web information on Linux iptables (e.g., netfilter.org and RedHat). The iptables man page has the most exhaustive information, however. There is also help via examples if you can devise the appropriate Google incantation.

Trent Jaeger

Last modified: Apr 11 06:43:07 EST 2007