13.1 Setup Simple Firewall

The document outlines a practical activity for configuring iptables and setting up a virtual network environment using VirtualBox. It details the steps for creating virtual machines, configuring network interfaces, installing SSH services, and implementing firewall rules with iptables. The activity emphasizes testing connectivity between machines and ensuring proper firewall configurations for packet filtering.


IPTABLES

by Sudiman bin Suhaili, Politeknik Mukah

In this activity, you are going to take a look at how iptables works. You can allow, drop,
and modify the traffic entering and leaving a system. You will configure your firewall by
adding a few rules.

Notes/ Requirements:
i. All virtual machines (VMs) will be implemented in the virtual networking environment
on the VM VirtualBox platform.
ii. Your host machine (your PC/Windows) may need Internet access during these practical
activities, to allow the VMs to download updates and install packages. All VMs may need
to be running during the connection and network service testing.
iii. Refer to Figure 1 to understand the network environment for these practical activities.

Figure 1: Network diagram.

Sudiman bin Suhaili © 2020 revised. Politeknik Mukah.
Part A: Setup VMs and Network
Step A1 Create two (2) new NAT Networks in the VirtualBox Manager with the following
details:

Table A1-1: NAT Network details.


NAT Network #1
Network Name: 192.168.1.0
Network CIDR: 192.168.1.0/24
Network Options: No DHCP (uncheck Supports DHCP)

NAT Network #2
Network Name: 192.168.2.0
Network CIDR: 192.168.2.0/24
Network Options: No DHCP (uncheck Supports DHCP)

Figure A1-1: NAT Network with network address 192.168.1.0/24.

Step A2 Create three (3) new VMs with the following specifications:

Table A2-1: VM specifications.


Virtual Machine #1
VM Name: R1
Memory: 1024MB (can be reduced if necessary)
Hard Disk: 30GB
Network Adapter 1: Attached to NAT Network (192.168.1.0)
Network Adapter 2: Attached to NAT Network (192.168.2.0)
Operating System: Ubuntu Server 18.04
Virtual Machine #2
VM Name: PC1
Memory: 1024MB (can be reduced if necessary)

Hard Disk: 30GB
Network Adapter 1: Attached to NAT Network (192.168.1.0)
Operating System: Ubuntu Server 18.04
Virtual Machine #3
VM Name: PC2
Memory: 1024MB (can be reduced if necessary)
Hard Disk: 30GB
Network Adapter 1: Attached to NAT Network (192.168.2.0)
Operating System: Ubuntu Server 18.04

Step A3 Install Ubuntu Server 18.04 on each VM with the following username &
hostname:

Table A3-1: Ubuntu configuration on the VMs.


Virtual Machine #1
Hostname: r1
Username: administrator
Password: adminpass
Virtual Machine #2
Hostname: pc1
Username: user1
Password: user1pass
Virtual Machine #3
Hostname: pc2
Username: user2
Password: user2pass

Tips: If you want to change the hostname after the installation, use one of the
following methods:
a. Put the new hostname in the /etc/hostname file, or
b. Run command sudo hostnamectl set-hostname [yourhostname]
Both methods require you to set the parameter preserve_hostname: true in
/etc/cloud/cloud.cfg. You may need to reboot the machine after the changes.

Step A4 Configure each network interface with the following details:

Table A4-1: Network interfaces setup.
Virtual Machine #1
Interface 1: enp0s3
IP Address: 192.168.1.254
Subnet Mask: 255.255.255.0 or /24
Gateway: 192.168.1.1
Nameserver: 192.168.1.1
Interface 2: enp0s8
IP Address: 192.168.2.254
Subnet Mask: 255.255.255.0 or /24
Gateway: 192.168.2.1
Nameserver: 192.168.2.1
Virtual Machine #2
Interface 1: enp0s3
IP Address: 192.168.1.25
Subnet Mask: 255.255.255.0 or /24
Gateway: 192.168.1.254
Nameserver: 192.168.1.1
Virtual Machine #3
Interface 1: enp0s3
IP Address: 192.168.2.52
Subnet Mask: 255.255.255.0 or /24
Gateway: 192.168.2.254
Nameserver: 192.168.2.1

Tips: To create the second network adapter on R1, go to the machine’s Network
settings. Choose the Adapter 2 tab, check Enable Network Adapter.
Change your settings as depicted in Figure A4-1 (do not change the original
settings under Advanced).

Figure A4-1: The settings of the second network adapter on R1.

Tips: Before you edit the interface configuration file under /etc/netplan, make
sure you know the interface names assigned by your system. Type command ip a
to list all interfaces with their assigned IP addresses.

Figure A4-2: The output of ifconfig -a shows there are two interfaces named enp0s3 and
enp0s8, respectively.
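As an added example (not part of the handout), the following shell function emits the /etc/netplan configuration for each VM from Table A4-1, so the interface settings can be generated consistently instead of typed by hand. The file name 01-netcfg.yaml and the networkd renderer are assumptions; gateway4 is the default-gateway key supported by netplan on Ubuntu Server 18.04.

```shell
#!/bin/sh
# Added example (not from the handout): emit the /etc/netplan YAML for each VM
# in Table A4-1. Interface names and addresses come from the table; the file
# name 01-netcfg.yaml and the networkd renderer are assumptions for Ubuntu
# Server 18.04, where gateway4 is the supported default-gateway key.

# iface NAME ADDRESS/PREFIX GATEWAY NAMESERVER: one ethernets: entry
iface() {
    printf '    %s:\n      addresses: [%s]\n      gateway4: %s\n      nameservers:\n        addresses: [%s]\n' \
        "$1" "$2" "$3" "$4"
}

# gen_netplan HOST: full netplan document for r1, pc1 or pc2
gen_netplan() {
    printf 'network:\n  version: 2\n  renderer: networkd\n  ethernets:\n'
    case $1 in
        r1)
            # R1 keeps both VirtualBox gateways, as Table A4-1 specifies
            iface enp0s3 192.168.1.254/24 192.168.1.1 192.168.1.1
            iface enp0s8 192.168.2.254/24 192.168.2.1 192.168.2.1 ;;
        pc1) iface enp0s3 192.168.1.25/24 192.168.1.254 192.168.1.1 ;;
        pc2) iface enp0s3 192.168.2.52/24 192.168.2.254 192.168.2.1 ;;
        *)   echo "unknown host: $1" >&2; return 1 ;;
    esac
}

# count_ifaces HOST: number of interfaces the generated file configures
count_ifaces() {
    gen_netplan "$1" | grep -c 'gateway4:'
}

# To apply on a VM (hypothetical file name):
#   gen_netplan "$(hostname)" | sudo tee /etc/netplan/01-netcfg.yaml >/dev/null
#   sudo netplan apply
gen_netplan r1
```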

Part B: Change Default Route or Default Gateway
Note: Make sure all network interfaces are properly configured.

Step B1 On PC1, type command ip route to show the current routing table for PC1.

Figure B1-1: The routing table for PC1.

In Figure B1-1, PC1 has two different default gateway lines:

    default via 192.168.1.1 dev enp0s3
    default via 192.168.1.254 dev enp0s3

VirtualBox provides the first gateway (192.168.1.1) by default, while the second
gateway is the one you assigned manually in your network interface configuration file.
Figure B1-2 illustrates the default gateway lines that belong to PC1 in your
network.

Figure B1-2: The default gateway lines for PC1.

For the purpose of this activity, you need to remove the first gateway to
ensure that PC1 only uses gateway 192.168.1.254 to communicate with the
outside.

Tips: You can add a new default gateway with the ip route add command (e.g.,
sudo ip route add default via 192.168.1.1 dev enp0s3 adds the previous
gateway back to PC1).

Step B2 On PC1, type command sudo ip route del default via 192.168.1.1 dev enp0s3
to remove gateway 192.168.1.1 from the routing table.

Step B3 On PC1, type command ip route to check that the gateway 192.168.1.1
has been removed from the routing table.

Figure B3-1: PC1 only has a default gateway via address 192.168.1.254.

Step B4 You will configure the default gateway for PC2 in the same way as in steps
B1 and B2. PC2 is on a different network than PC1. So, be careful not to use
the wrong address for the default gateway configuration.

Figure B4-1: PC2 also has only one gateway, via address 192.168.2.254.

From Figure B3-1 and Figure B4-1, R1 will act as a router, a device that
connects two networks.
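As an added example (not from the handout), this shell snippet checks the output of ip route for the situation in Figure B1-1: it reports any default route that does not go via the intended gateway and prints the matching ip route del command, which is the check you would run on PC1 and PC2 before moving on. The route lines below are a constructed copy of the two from Figure B1-1.

```shell
#!/bin/sh
# Added example (not part of the original handout): verify that a host keeps
# exactly one default route, via the gateway intended for it (R1's address in
# Part B), and print the "ip route del" command for any other default route.
# SAMPLE_ROUTES is a constructed copy of the lines shown in Figure B1-1.

SAMPLE_ROUTES='default via 192.168.1.1 dev enp0s3
default via 192.168.1.254 dev enp0s3
192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.25'

# extra_default_routes WANTED_GW ROUTES
# Prints one "ip route del" command per default route whose gateway is not WANTED_GW.
extra_default_routes() {
    wanted=$1
    routes=$2
    printf '%s\n' "$routes" | awk -v want="$wanted" '
        $1 == "default" && $2 == "via" && $3 != want {
            printf "sudo ip route del default via %s dev %s\n", $3, $5
        }'
}

# has_single_default WANTED_GW ROUTES
# Returns 0 when the only default route goes via WANTED_GW, 1 otherwise.
has_single_default() {
    wanted=$1
    routes=$2
    n=$(printf '%s\n' "$routes" | awk '$1 == "default" { c++ } END { print c + 0 }')
    via=$(printf '%s\n' "$routes" | awk '$1 == "default" && $2 == "via" { print $3 }')
    [ "$n" -eq 1 ] && [ "$via" = "$wanted" ]
}

# On a live VM, feed the real table: extra_default_routes 192.168.1.254 "$(ip route)"
extra_default_routes 192.168.1.254 "$SAMPLE_ROUTES"
```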

Step B5 On R1, type command ip route to show the current routing table for the
machine. Do not change any default gateway that exists in R1.

Figure B5-1: The routing table for R1.

Step B6 On R1, edit the /etc/sysctl.conf file and make sure the net.ipv4.ip_forward
variable is set to 1 (enabled) as follows:

Figure B6-1: The value of the net.ipv4.ip_forward variable in the /etc/sysctl.conf file.

You have now enabled packet forwarding on R1. Packet forwarding means
allowing packets to travel from one network to another through its two
network interfaces.

Figure B6-2: R1 allows communication between the two networks.

Step B7 Reboot the R1 machine.


Step B8 Test that you can ping from the R1 to the two other machines (PC1 and PC2),
and from those two machines to the R1. Then, ping between the two
networks.

Figure B8-1: R1 ping PC1.

Figure B8-2: R1 ping PC2.

Figure B8-3: PC1 ping R1.

Figure B8-4: PC2 ping R1.

Figure B8-5: PC1 ping PC2.

Figure B8-6: PC2 ping PC1.

Part C: SSH Service Installation and Testing
Note: R1 requires Internet access to download updates and install packages.

Step C1 On R1, type command sudo apt update to update your software
repository.

Step C2 On R1, type command sudo apt upgrade to upgrade all software in your
system.

Step C3 On R1, type command sudo apt install openssh-server to install the SSH
server on the machine.

Step C4 After the installation, type command sudo systemctl status ssh on the
R1 to check the current status of SSH service.

Figure C4-1: The status "Active: active (running)" indicates that the SSH service is
running and working properly.

Step C3 On PC1, type command ssh administrator@192.168.1.254 to log in to R1
as user administrator. After providing the correct password, from PC1 you
will be able to access R1 as user administrator.

Type command exit to quit, and you will be back at your command prompt.

Step C4 You can also remote login to R1 from PC2. Type command ssh
administrator@192.168.2.254. Type command exit to quit.

Note: At this moment, there is only user administrator on R1. Therefore, you can
only remote login to R1 as administrator.

Part D: Firewall Setup and Testing
Note: This section introduces some simple firewall rules and how to configure them
with iptables. You will focus on the filter table for packet filtering.

Note: filter is the default table for iptables. Therefore, if you do not specify a
table, you will be using the filter table. The filter table has INPUT, OUTPUT and
FORWARD chains.

Step D1 On R1, type command iptables -nL to list the filter table and all its
rules.

Figure D1-1: No rules in the filter table, allowing all traffic by default.

Step D2 On R1, set the default policy for all three chains to drop everything. Perform
the following commands:

Step D2.1 Type sudo iptables -P INPUT DROP and press Enter.

Step D2.2 Type sudo iptables -P FORWARD DROP and press Enter.

Step D2.3 Type sudo iptables -P OUTPUT DROP and press Enter.

Note: Ignore the output "sudo: unable to resolve host r1: Resource
temporarily unavailable" if it appears at your command prompt.

Step D3 On R1, type command iptables -nL. You will see the following output:

Figure D3-1: All three chains drop everything by default.

Step D4 Repeat step B8.

You should have noticed that you lost all the packets transmitted, indicating
that you were unable to communicate with any machine.

Figure D4-1: PC1 loses all packets when the INPUT chain drops all traffic on R1.

Figure D4-2: PC1 is unable to ping PC2 because the FORWARD chain drops all traffic on R1.

Step D4 Repeat steps C3 and C4.

Since the INPUT chain of the filter table drops all traffic on R1, you will not
be able to log in to R1 remotely from PC1 or PC2.

Note: The loopback interface, also referred to as lo, is what a computer uses to
forward network connections to itself. For example, if you run ping localhost
or ping 127.0.0.1, your server will ping itself using the loopback. The loopback
interface is also used if you configure your application server to connect to a
database server with a “localhost” address. As such, you will want to be
sure that your firewall is allowing these connections.

Step D5 On R1, run these commands to accept all traffic on the loopback interface:

Step D5.1 Type sudo iptables -A INPUT -i lo -j ACCEPT and hit Enter.

Step D5.2 Type sudo iptables -A OUTPUT -o lo -j ACCEPT and hit Enter.

Note: You are adding the first rule in the INPUT chain; the -i flag specifies the input
interface. For the OUTPUT chain, you need to use the -o flag, which stands
for output interface.

Step D6 On R1, type command iptables -nL. You will see the following output:

Figure D6-1: iptables allows all traffic on R1 loopback interface.

Note: Network traffic generally needs to flow both ways, incoming and outgoing, to
work properly. It is therefore typical to create a firewall rule that allows established
and related incoming traffic so that the server will accept return traffic for its
outgoing connections. iptables is a stateful firewall, and it provides a
connection tracking module named "conntrack" for this purpose.

Step D7 On R1, type command sudo iptables -A INPUT -m conntrack --ctstate
ESTABLISHED,RELATED -j ACCEPT to allow established and related incoming
connections.

Step D8 On R1, type command sudo iptables -A OUTPUT -m conntrack --ctstate
ESTABLISHED -j ACCEPT to allow established outgoing connections.

Step D9 On R1, type command iptables -nL to see the new rules added.

Figure D9-1: Rules for the connection tracking module.

Tip: In addition, it is generally a good idea to drop any packet in the INVALID
state. You can place this rule just below the INPUT rule you added in Step D7:
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Step D9 On R1, allow all traffic from one network to the other through its two
network interfaces using the following commands:

Step D9.1 Type sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT and hit Enter.

Step D9.2 Type sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT and hit Enter.

Step D10 On R1, type command iptables -nvL for more verbose output.

Figure D10-1: iptables allows packet forwarding in R1.

Step D11 On PC1 and PC2, perform a ping to test the connection between them.

Note that all packets are sent successfully between PC1 and PC2, indicating
that both machines can communicate via R1.

Step D12 On R1, perform a ping to test the connections with PC1 and PC2.

Note that all packets are sent successfully between PC1 and PC2.

Both machines can transmit any kind of traffic to each other via R1.
However, PC1 and PC2 are still unable to ping any of R1's network interfaces
(192.168.1.254 and 192.168.2.254).

Step D13 On R1, you are going to allow the entire 192.168.1.0/24 subnet to ping R1. In
your command, specify the source as follows:

Step D13.1 Type sudo iptables -A INPUT -p icmp --icmp-type any -s 192.168.1.0/24 -j ACCEPT
and hit Enter.

Step D13.2 Type sudo iptables -A OUTPUT -p icmp --icmp-type any -d 192.168.1.0/24 -j ACCEPT
and hit Enter.

Step D14 On R1, type command iptables -nL to see the new rules added.

Figure D14-1: iptables allows any machine from network 192.168.1.0/24 to ping R1.

Step D15 Go to PC1 and perform a ping to both network interfaces on R1 (192.168.1.254
and 192.168.2.254).

You should now be able to ping between PC1 and R1.

Step D16 You are going to allow only PC1 to establish an SSH connection to R1. On
R1, type the following commands:

Step D16.1 Type sudo iptables -A INPUT -p tcp -s 192.168.1.25 --dport 22 -j ACCEPT
and hit Enter.

Step D16.2 Type sudo iptables -A OUTPUT -p tcp -d 192.168.1.25 --sport 22 -j ACCEPT
and hit Enter.

Step D17 On R1, type command iptables -nL to list all rules in your firewall.

Figure D17-1: iptables rules in the filter table.

Step D18 Go to PC1, type command ssh administrator@192.168.1.254 to log in to
R1 as user administrator. After providing the correct password, from PC1
you will be able to access R1 as user administrator.

Type command exit to quit, and you will be back at your command prompt.

Step D19 Back on R1, type command sudo iptables-save > firewall.rules to
save your firewall rules to a file named firewall.rules in your home directory.

Tips: iptables rules are not kept across a reboot. After you reboot R1, type command
sudo iptables-restore < firewall.rules to restore your firewall settings.
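As an added example (not the handout's own code), the following shell function writes the whole Part D policy in the format that iptables-restore reads, with the INVALID drop from the tip after Step D9 included; loading it is equivalent to Steps D2 to D16 and, unlike repeating the -A commands, never duplicates rules because iptables-restore replaces the table. The path /etc/iptables/r1.rules is an assumption; everything else comes from the handout.

```shell
#!/bin/sh
# Added example (not from the handout): generate the complete Part D filter
# table in iptables-restore format, so the policy can be reviewed as a whole,
# saved like firewall.rules in Step D19 and reloaded after a reboot.
# Interface names, subnets and PC1's address are the ones used in the handout;
# the file name /etc/iptables/r1.rules is an assumption.

R1_LAN1=enp0s3          # 192.168.1.0/24 side of R1
R1_LAN2=enp0s8          # 192.168.2.0/24 side of R1
PING_NET=192.168.1.0/24 # network allowed to ping R1 (Step D13)
SSH_CLIENT=192.168.1.25 # the only host allowed to SSH to R1 (Step D16)

# gen_filter_rules: print the filter table with DROP policies and the Part D rules
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i $R1_LAN1 -o $R1_LAN2 -j ACCEPT
-A FORWARD -i $R1_LAN2 -o $R1_LAN1 -j ACCEPT
-A INPUT -p icmp --icmp-type any -s $PING_NET -j ACCEPT
-A OUTPUT -p icmp --icmp-type any -d $PING_NET -j ACCEPT
-A INPUT -p tcp -s $SSH_CLIENT --dport 22 -j ACCEPT
-A OUTPUT -p tcp -d $SSH_CLIENT --sport 22 -j ACCEPT
COMMIT
EOF
}

# count_rules CHAIN: number of -A rules for a chain in the generated table
count_rules() {
    gen_filter_rules | grep -c "^-A $1 "
}

# policy CHAIN: the default policy the table sets for a chain
policy() {
    gen_filter_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Apply on R1 (needs root), for example:
#   gen_filter_rules | sudo iptables-restore          # replaces the live filter table
#   gen_filter_rules | sudo tee /etc/iptables/r1.rules >/dev/null
gen_filter_rules
```

Because every chain's policy is DROP, review the generated file before loading it on a remote host: a missing SSH rule locks you out until you use the VM console.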

End.
