Due Date: April 20th, 2007.
In this assignment, you will develop Linux iptables firewall rules
for your Playpen to control access to a couple of network services:
ICMP ping and a generic network client/server
netcat. We will provide a server script for you to run
in your Playpen. This script defines what ports and services your
Playpen VM will export, but you will need to write the Linux iptables
rules to protect your Playpen according to the directions below.
Follow these instructions:
Get the project tarball from here. The project tarball
contains: (1) a bash script that runs the Playpen services that you
are to have open at evaluation time (see below), called
p4-server; (2) a bash script that runs the test
requests that will be submitted to your Playpen VM, called the
p4-client; (3) some test files that will be sent by the
p4-client to the
p4-server at test time;
and (4) some sample output in
client.127.0.0.1.forIP.out where IP is the IP address
of the test client systems 75 and 76 (discussed further below).
Unpack the tarfile in your Playpen. Note that there is no code to build (it is all scripts), but you may need to set execute permissions on your scripts. Otherwise, you should be ready to run.
To run the
|base-port|. This opens three ports with |base-port| as the
initial one running the netcat program
nc listening for
To test iptables rules, you will run the
|ipaddr| |base-port|. The client will perform ping
requests and netcat requests to the specified IP address (first
argument). The base-port should be the same between the client and
The client will write output to a file
where IP is the IP address provided in the call to
p4-client. This file will contain the results of the
run. Without any iptables rules specified, all the
ping requests should be delivered, and all the
files should be accepted by the netcat server in (basically) no
elapsed time. When you do the testing (see below), you can compare
the output that you get to the test output files (see Testing
You will need to write Linux iptables rules to achieve the goals stated below. These rules should be collected into a single script (e.g., bash) that you run each time you load the rules. This script will be the submission. The iptables rules should enforce the following requirements:
Prevent all UDP communication from 22.214.171.124 and 126.96.36.199 to your system. Others are permissible.
Restrict ICMP (ping) packets from reaching your system unless they originate from the IP address 188.8.131.52 (referred to as '75' below) or 184.108.40.206 ('76' below).
Set message size limits on ICMP messages of 1000 bytes from 75 and 10000 bytes from 76. To limit length, you must use the iptables match specifier for length as indicated in the supplementary slides (presented on 4/10).
Run two instances of the server script provided.
./p4-server 3750 supports 75 and
3760 supports 76.
automatically open 3 ports on each invocation. 75 will use 3
ports 3750, 3751, and 3752 to submit 3 requests to your server.
76 will use 3 other ports 3760, 3761, and 3762.
Write iptables rules to ensure that the 220.127.116.11 client is the only client that can connect to ports 3750, 3751, and 3752. Similarly, 18.104.22.168 is the only client that can connect to ports 3760, 3761, and 3762. We will also test from IP addresses other than these.
Write packet string matching rules to prevent 75 from sending a packet that contains a substring "exe" and to prevent 76 from sending a packet that contains a substring "com." These will use the match specifier for strings as indicated in the supplementary slides (presented on 4/10).
Prevent all other communication from 22.214.171.124 and 126.96.36.199. Make sure that your rule to achieve this does not block communication from other systems (e.g., to SSH into your Playpen)!
In designing your iptables rules, you should be aware of two things: (1) do not rewrite rules that may prevent you from logging into the system (via SSH) and (2) be economical in the number of rules that you need. First, do not write any rules that refer to SSH (an incorrect one may lock you out). Second, your rule base should be as small as necessary to get the job done. We won't grade on minimality, but an excessive number of rules will be a deduction.
When you have completed the iptables rule script, email it to the course professor by 5:00pm on the 20th. Furthermore, your two p4-servers (started as described above) must be running at 5:00pm on the 20th as well. We will run through all of your systems to test their handling of the above requirements. Failure to have the servers running at this time may result in a failing grade for this assignment.
Testing: To test whether your iptables rules are
correct, run the
p4-server on your Playpen and invoke the
./p4-client 127.0.0.1 |base-port| where the
base-port is 3750 for testing 75 rules and 3760 for testing 76 rules
(both sets will need to loaded when we evaluate your project). To
determine whether the rules are correct compare the output of the
corresponding expected output files,
client.127.0.0.1.for75.out for 75 and
client.127.0.0.1.for76.out for 76. The ping results
should show the same number of ping messages delivered, and the nc
results should show send delays for the same files (3 seconds
approximately for those blocked, and instantaneous for those allowed).
killpids is provided to kill programs
with a matching substring (e.g.,
./killpids nc will kill
nc programs running). This may be helpful to cleanup
leftover processes (I am sure that there is a more elegant way to do
this, but my bash programming is rusty).
You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.
The main help is web information on Linux iptables (e.g., netfilter.org and RedHat). The iptables man page has the most exhaustive information, however. There is also help via examples if you can devise the appropriate Google incantation.