# Lab 7: Iptables/Firewalling
## *Kseniya Evdokimova*
---
## **Questions to answer:**
#### 1. Set your interface on VM as bridged connection and restart interface (interface with network adapter BRIDGED ADAPTER). Install iptables with apt (if you dont have it). Check existing rules and display them.
To enable bridged networking, open the Settings dialog of a virtual machine, go to the Network page and select Bridged Network in the drop-down list for the Attached To field. Select a host interface from the list at the bottom of the page, which contains the physical network interfaces of your systems.
To list the current rules that are configured for iptables:
`sudo iptables -L`
To complete this task, the commands from the last lab should be executed:
-The first command, ip link add, is creating a bridge named br0.
-The second and third: two ip link set commands add the two Ethernet interfaces, device1 and device2, to the new bridge resulting in a connection between these two interfaces.
-The 5th command will list our interfaces connected to the bridge.
-The 6th line will show that virtual bridge (switch) has both MAC addresses in its table.
As the `devices` we should use such as we get from `ip link`.
#### 2.
Working with INPUT and OUTPUT chains:
- add a rule1 that blocks ping packets coming into the VM (your server with installed iptables).
To block without any messages use DROP as Jump to target.
`iptables -A INPUT -p icmp --icmp-type echo-request -j DROP`
`iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP`
I also could have used the command `iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT`
to block PING to your server with an error message.
- delete the rule1, and then add rule2 that blocks ping packets coming out of the VM - outgoing traffic, you can block specific range of ip (for examples you can block specific IP range. The range that used your host machine).
The way to delete iptables rules is by its chain and line number:
Then run the iptables -D command followed by the chain and rule number:
Actually, I've added 3 rules, so I will delete all of them.
Now let's add a rule that blocks ping packets coming out of the VM - outgoing traffic with specified ip:
- To test each of the above rules, try to ping VM and observe whether it is successful or not.
To ping first install guest additions through VBoxManage:
`wget http://download.virtualbox.org/virtualbox/5.0.12/Oracle_VM_VirtualBox_Extension_Pack-5.0.12.vbox-extpack
sudo VBoxManage extpack install ./Oracle_VM_VirtualBox_Extension_Pack-5.0.12.vbox-extpack
`
And then :
`VBoxManage guestproperty enumerate "kseniya-VirtualBox"`
In the first case it will not be possible, since it dissalows the incoming pings. At the second case it will be possible:
#### 3. Install web server on your VM (if you dont have it). Add a rule to the firewall that prevents loading you web server’s IP from the host machine in the browser. Test it by trying to load web page from the VM in your host machine’s web browser (http://IP_address_of_your_vm).
To install apache:
To ensure in this:
The rule to the firewall that prevents loading you web server’s IP from the host machine in the browser:
Test:
I will then clear all the rules for the next task:
#### 4. Create firewall rules that opens ports for SMTP, DNS, POP3 and SSH connections in your VM and blocking others ports (for you to be able to work with mentioned services).
Hint: to test some of the services you can use netcat utility
The rules:
And for the test:
Sign in with Wallet
Connect another wallet