BHARATIYA VIDYA BHAVAN’S
SARDAR PATEL INSTITUTE OF TECHNOLOGY
Bhavan’s Campus, Munshi Nagar, Andheri (West), Mumbai – 400058-India
Department of Computer Engineering
Name Kavya Doshi
UID no. 2023300051
Experiment No. 7
AIM: Configuring firewall
Program 1
PROBLEM STATEMENT: Basic Packet Forwarding
In this exercise you will learn how to set up a basic packet forwarding rule.
The rule you set up will allow your system to serve as a router to your
partner system.
Your system will route all traffic that originates from your partner’s system
to the internet or to your own default gateway. This is what is known as IP
masquerading or NAT (Network address translation).
To be pedantic, IP masquerading and NAT-ing are actually slightly
different beasts and are usually used for accomplishing different things. We
won’t dwell too much on the specific differences in the following exercises.
This exercise will assume the following, so please make adjustments to suit
your particular setup:
ServerXY
i. Your system has two network cards - eth0 and eth1.
ii. The 1st interface, eth0, will be regarded as the external interface (the
one facing the internet).
iii. The 2nd interface, eth1, will be regarded as the internal interface (the
one facing the LAN).
iv. Interface eth0 has an IP address of 172.16.0.z
v. Interface eth1 has an IP address of 10.0.0.z with a netmask of 255.0.0.0
vi. That you successfully completed “Lab 2” and understood the basic
concepts therein.
ServerPR
The following assumptions are made about your partner’s system.
i. It has only one NIC card - eth0
ii. eth0 has the IP address - 10.0.0.y with a netmask of 255.0.0.0
iii. The default router or gateway for serverPR is 10.0.0.z (i.e. the IP
address for serverXY’s eth1)
iv. That you successfully completed “Lab 2” and understood the basic
concepts therein.
Cable your network to look like the setup illustrated below:
Our usual icons for serverXY and serverPR have been replaced above with
the icons of a router.
PROGRAM: To create the forwarding rule
1. Ensure that your network is physically cabled as illustrated above.
2. Assign all the interfaces their appropriate IP address, netmask, and
gateway settings.
3. Flush all the iptables rules that you have loaded currently.
Note
Flushing the tables is not always essential or compulsory. You may have
noticed at the beginning of some of the exercises completed thus far, we
have specified that you flush existing tables. This is to ensure that you start
with a clean slate and that you don't have any errant rules hiding somewhere
in your tables that might make things not work correctly. Normally you
could have hundreds of rules loaded at the same time, serving different
functions.
4. Ask your partner at serverPR to try pinging 172.16.0.100
(hq.example.org). This should fail because you are now serving as
serverPR’s default gateway and you have not yet enabled any routing on
your system.
5. As root on serverXY type:
6. [root@serverXY root]# iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
7. Now repeat step 4 again.
Question
Were you successful?
8. The above should have failed. You also need to enable packet forwarding
in your running kernel. Type:
9. [root@serverXY root]# echo 1 > /proc/sys/net/ipv4/ip_forward
10. To make the above change to the kernel permanent between reboots,
create the entry below in your “/etc/sysctl.conf” file:
11. net.ipv4.ip_forward = 1
To save iptables rules
Thus far, all the iptables rules and chains that you've been creating have
been ephemeral or non-permanent. This means that if you had to reboot
your system at any point, all the rules and changes you made will be lost.
To prevent this, you need a mechanism for writing or saving the temporary
run-time iptables rules to the system, so that they will always be available
on system reboots.
1. Use the iptables-save command to save all your changes to the
/etc/sysconfig/iptables file. Type:
2. [root@serverXY root]# iptables-save > /etc/sysconfig/iptables
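The forwarding steps above (flush, MASQUERADE rule, ip_forward, sysctl.conf entry) and the save step, carried through as one script. This is an added example and not part of the lab handout: it assumes the handout's interface names (eth0 external, eth1 internal) and the 10.0.0.0/8 partner LAN as defaults, prints the iptables commands instead of executing them unless DRY_RUN=0 (iptables needs root), and goes beyond the handout by also restricting the FORWARD chain (default DROP, forward only the partner LAN outbound and only established replies inbound) so the router does not relay arbitrary traffic arriving on the external side. The ip_forward and sysctl.conf paths are parameters so the checks can be exercised against any file.

```shell
#!/bin/sh
# Added example (not from the lab handout): apply and verify the masquerading
# router setup from the exercise. DRY_RUN=1 (the default) prints commands.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for a router with external interface $1, internal interface $2 and
# LAN prefix $3. The handout only adds the MASQUERADE rule; the FORWARD
# rules are an added hardening step (assumes the conntrack match is available).
configure_router() {
    ext="$1"; int="$2"; lan="$3"
    run iptables -F
    run iptables -t nat -F
    run iptables -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$int" -o "$ext" -s "$lan" -j ACCEPT
    run iptables -A FORWARD -i "$ext" -o "$int" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Succeed (exit 0) only if the kernel forwarding switch read from $1
# (default /proc/sys/net/ipv4/ip_forward) is 1; a missing file counts as off.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Make forwarding permanent: write net.ipv4.ip_forward = 1 into $1 (default
# /etc/sysctl.conf), dropping any earlier line for that key so a stale
# "= 0" entry later in the file cannot override it.
persist_forwarding() {
    conf="${1:-/etc/sysctl.conf}"
    tmp="$conf.tmp"
    {
        if [ -f "$conf" ]; then
            grep -v '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" || true
        fi
        printf 'net.ipv4.ip_forward = 1\n'
    } > "$tmp"
    mv "$tmp" "$conf"
}

# Print the value sysctl would load for net.ipv4.ip_forward from file $1
# (the last matching line wins, as it does for sysctl itself).
persisted_forwarding_value() {
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1
}

# Save the running rule set the way the handout does (path $1).
save_rules() {
    out="${1:-/etc/sysconfig/iptables}"
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables-save > %s\n' "$out"
    else
        iptables-save > "$out"
    fi
}

# Default invocation: dry run with the handout's values, then report the
# live kernel state so a forgotten step 9 is visible immediately.
configure_router eth0 eth1 10.0.0.0/8
save_rules
if forwarding_enabled; then
    echo "# kernel forwarding: enabled"
else
    echo "# kernel forwarding: disabled (step 9 not yet done)"
fi
```

Run it once as is to review the rule set, then with `DRY_RUN=0` as root to apply it; `persist_forwarding` is deliberately not called at the top level so a dry run never touches /etc/sysctl.conf.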
RESULT:
Program 2
QUESTIONS AND ANSWERS:
1. What option is needed to get a more verbose version of this command: iptables -L -t nat?
a. Use the -v option.
2. What is the command to display the rules under the OUTPUT
chain?
a. iptables -L OUTPUT
3. What port does the ftp service “normally” listen on?
a. Port 21
4. What is the command to create a chain called “mynat-chain” under
the nat table?
a. iptables -t nat -N mynat-chain
5. Research online and list the names of some easier to use tools or
applications that can be used to manage the firewall sub-system on
Linux based systems.
a. UFW
b. Firewalld
c. Shorewall
d. iptables-persistent
e. nftables and its front-ends
6. Create an iptables rule to block http traffic from hq.example.org to
your local machine. What is the well-known port that web servers
listen on? Write down the complete command to achieve this?
Convert or translate the command you wrote down above into its
plain-speak equivalent.
a. Port 80 for HTTP
b. iptables -A INPUT -s hq.example.org -p tcp --dport 80 -j DROP
i. -A INPUT: Append a rule to the INPUT chain.
ii. -s hq.example.org: Match packets originating from
hq.example.org.
iii. -p tcp: Match TCP protocol.
iv. --dport 80: Match packets destined for port 80.
v. -j DROP: Drop (block) those packets.
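The plain-speak translation in the answer above, generalised into a small shell function. This is an added example, not part of the lab handout: it walks the arguments of an iptables rule and prints one sentence per flag, covering the flags in the answer plus a few closely related ones (-I, -D, -d, -i, -o, --sport and the ACCEPT, REJECT and MASQUERADE targets), and it flags a hostname given to -s, because iptables resolves a name once, when the rule is added, so the rule silently keeps the old address if hq.example.org (172.16.0.100 in this lab) is ever re-addressed.

```shell
#!/bin/sh
# Added example (not from the lab handout): explain an iptables rule in plain
# English, one line per argument, and warn about hostnames used as matches.

# True if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ip_literal() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'
}

# Print a plain-speak line for each argument of an iptables rule.
# Returns 1 if a flag that needs a value is given without one.
explain_rule() {
    while [ $# -gt 0 ]; do
        flag="$1"; val="${2:-}"
        case "$flag" in
            -t|--table|-A|-I|-D|-s|--source|-d|--destination|-i|-o|-p|--protocol|--dport|--sport|-j|--jump)
                if [ -z "$val" ]; then
                    echo "Missing value after $flag"
                    return 1
                fi
                shift 2 ;;
            *)
                echo "Unrecognised argument: $flag"
                shift
                continue ;;
        esac
        case "$flag" in
            -t|--table)       echo "Operate on the $val table." ;;
            -A)               echo "Append a rule to the $val chain." ;;
            -I)               echo "Insert a rule at the top of the $val chain." ;;
            -D)               echo "Delete the matching rule from the $val chain." ;;
            -s|--source)
                if is_ip_literal "$val"; then
                    echo "Match packets originating from $val."
                else
                    echo "Match packets originating from $val (a hostname: iptables resolves it once, when the rule is added, so prefer the IP address)."
                fi ;;
            -d|--destination) echo "Match packets destined for $val." ;;
            -i)               echo "Match packets arriving on interface $val." ;;
            -o)               echo "Match packets leaving via interface $val." ;;
            -p|--protocol)    echo "Match the $val protocol." ;;
            --dport)          echo "Match packets destined for port $val." ;;
            --sport)          echo "Match packets coming from port $val." ;;
            -j|--jump)
                case "$val" in
                    DROP)       echo "Drop (silently block) those packets." ;;
                    REJECT)     echo "Reject those packets and send an error back to the sender." ;;
                    ACCEPT)     echo "Allow those packets through." ;;
                    MASQUERADE) echo "Rewrite the source address to that of the outgoing interface (NAT)." ;;
                    *)          echo "Send those packets to the $val target." ;;
                esac ;;
        esac
    done
}

# The rule from question 6, explained.
explain_rule -A INPUT -s hq.example.org -p tcp --dport 80 -j DROP
```

Pass the arguments exactly as you would type them after `iptables`; the function only describes the rule and never runs it, so it is safe to use on any host while reviewing a rule set.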
CONCLUSION: This experiment successfully demonstrated the configuration of a Linux-
based router using iptables to set up basic packet forwarding and NAT. By
carefully assigning IP addresses, enabling packet forwarding, and creating
specific firewall rules—including custom chains and blocking rules—we
were able to control the flow of network traffic between the internal and
external interfaces. Additionally, the exercise provided practical insights
into using verbose options and managing iptables rules effectively. Overall,
this hands-on approach has deepened our understanding of network
security, firewall management, and the practical implementation of NAT on
Linux systems.