Exercises

You have a Fedora Core 2 system that is to function as a Web proxy server. Client machines are on the 192.168.1/24 network. The Internet connection is via a router on the 172.20.5/24 network. Your proxy server has two network interfaces: eth0 is 192.168.1.100 and eth1 is 172.20.5.17 . Both interfaces use a subnet mask of 255.255.255.0 (24-bits). Assume that the network routes and proxy services ( squid and named ) are correctly configured.

1. Design firewall rules (using iptables ) to implement the following requirements.

   1. No incoming connections are allowed on the 172.20.5.17 interface.

   2. The only permitted outgoing connections on the 172.20.5.17 interface are for DNS, FTP, HTTP, and HTTPS traffic from the proxy server.

   3. Two machines (IP addresses 192.168.1.201 and 192.168.1.155 ) are to be allowed to connect using SSH.

   4. All other machines in the 192.168.1/24 network are allowed to connect on port 3128 only (the port that the Squid Web proxy server is listening on) and port 53 (for DNS queries).

   5. Allow ICMP traffic.

   6. All other connections (incoming or outgoing) must be blocked.

   7. Log attempts by machines on the 192.168.1/24 network to use Telnet or FTP to access the proxy server.

2. Make sure your rules will be applied each time the system boots.

3. After your proxy server has been running for a while, a new requirement is identified. Machines on the 192.168.1/24 network need to be able to make PPTP connections to an external VPN server with an IP address of 10.1.3.97 . Update the iptables rules to satisfy this requirement. (Assume that IP forwarding is enabled on your proxy server).