Submitted to: Dr. Shaoquan Jiang
Submitted by:
Harsh P Patel (11001547)
Mitesh Gabani (110090208)
Nidhi Patel (110089413)
Prachi Patel (110093162)
Networking and Data Security
Lab 7
1. Use the following commands on the router to set the default policies for a table.
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP
Recall that INPUT checks incoming packets, OUTPUT checks outgoing packets, and FORWARD checks packets passing through (at the router). Further, the commands assume the default table, filter (-t filter).
• On 192.168.60.6, run $ ping 10.9.0.5 and then ping 192.168.60.11. Does it succeed? Explain your observation.
• Change DROP to ACCEPT for the FORWARD case. Try the pings in the above step again. Does it succeed now?
Answer: After setting the forward chain to drop everything, ping stopped working. However, after setting the forward chain to accept everything, ping started working again.
2. [Blocking an IP]
• On 192.168.60.11, if we want to block packets from an IP address IP1, use the command
sudo iptables -A INPUT -s IP1 -j DROP
/* this uses the INPUT chain because it is an incoming packet */
On IP1, ping 192.168.60.11. What can be observed? Explain.
• On 192.168.60.11, if we want to block packets to an IP address IP1, use the command
sudo iptables -A OUTPUT -d IP1 -j DROP
/* this uses the OUTPUT chain because it is an outgoing packet */
On 192.168.60.11, ping IP1. What can be observed? Explain.
Answer: It was originally intended to work on 192.168.60.11, but it accidentally worked on 192.168.60.7 instead. To my surprise, the output was the same as expected.
3. [List all rules] Do this on the router.
• You can see all the firewall rules with the following command
$ sudo iptables -L
/* again, this assumes the filter table (i.e., -t filter) by default */
• You can see all the firewall rules in each chain with an index number. The index will be used for other operations such as deletion later.
$ sudo iptables -L --line-numbers
4. [Delete a rule] On the router, delete a rule in a chain (such as INPUT) in two steps:
First, list with index:
$ sudo iptables -L INPUT --line-numbers
Then, delete the rule using the index:
$ sudo iptables -D INPUT 1
Now use this method to delete the first rule in your current INPUT chain, and then run $ sudo iptables -L INPUT to verify whether rule 1 has been deleted.
5. [Delete all rules in a table] On the router, flush the rules in a table (e.g., filter):
$ sudo iptables -t filter -F
/* again, -t filter can be omitted */
Then, run $ sudo iptables -L and you will not see any rules.
6. [Drop all incoming connections, except telnet] On the router, block incoming connections to any service except telnet. To do this, set the default policy of the INPUT chain of the filter table to DROP and then add a rule to accept incoming telnet connections.
$ sudo iptables -P INPUT DROP
$ sudo iptables -A INPUT -p tcp --dport 23 -j ACCEPT
/* A default policy is applied only if all the rules in the chain have been evaluated without making a decision (ACCEPT, DROP or REJECT). For example, if we ssh to the router, the rule above neither ACCEPTs nor REJECTs the packet, so the default policy applies. Note: here -p stands for protocol. */
Then, ping and telnet to 192.168.60.11 (from another VM). Which succeeds (telnet or ping)?
/* after this problem, run $ sudo iptables -F to flush all rules in the filter table and recover the default policy: $ sudo iptables -P INPUT ACCEPT */
Answer: The ping command failed, but the telnet command was successful in connecting to the dedicated IP address.
7. [Drop outgoing DNS requests to 8.8.8.8] In this case, since it is an outgoing packet, we add the rule to the OUTPUT chain. Since it is a DNS request, the destination is the DNS server, on port 53. Finally, since DNS is implemented over UDP, we use protocol udp. Hence, we add the following rule:
$ sudo iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j DROP
Then, try $ dig www.uwindsor.ca and $ dig @8.8.8.8 www.uwindsor.ca. Which succeeds?
/* delete the rule afterwards so it does not affect the following experiments */
Answer: The dig @8.8.8.8 www.uwindsor.ca worked but dig www.uwindsor.ca didn't.
8. [Block incoming ping requests] You cannot ping the uwindsor web server. Most likely, this is blocked by uwindsor's firewall. Here is the way to block an incoming ICMP echo request.
$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Run this on the router and ping the router from another VM. Do you get any reply? Explain.
Answer: The ping to 10.9.0.11 failed with 100% packet loss.
9. Suppose that you want to block all incoming connections while not affecting your visits to external servers. However, if you send a request to an external server, the server's reply is an incoming packet and would be blocked by your firewall. To resolve this, the response packet (to your request) should be regarded as related to your outgoing request packet and allowed in. This is achieved using the conntrack module.
$ sudo iptables -P INPUT DROP
$ sudo iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/* the states are comma-separated with no space; note also that this rule matches TCP only (-p tcp), so return traffic of other protocols, such as ICMP echo replies, is still dropped by the default policy */
Try this on the router VM. Then, telnet to a VM (e.g. 192.168.60.7).
Next, telnet from the latter (192.168.60.7) to the router. Which telnet session succeeds directly?
Answer: The telnet connection from the router to the VM is successful, but the telnet connection from the VM to the router is not.
10. (optional) [Save your firewall rules and restore them] After you have finished configuring the firewall, you can save your rules to a file by running
$ sudo iptables-save >myiptables.rules
Later, you can restore your rules by running
$ sudo iptables-restore <myiptables.rules
/* to see the effect, flush your firewall after running the iptables-save command and then run the iptables-restore command to check that your firewall has been restored */
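As an added example (not part of the lab handout), a POSIX shell script that audits a dump produced by the iptables-save command from item 10 for the two conditions items 1 and 9 exercise: a FORWARD chain that is not DROP on the router, and an INPUT chain defaulting to DROP without the RELATED,ESTABLISHED accept rule. The function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lab handout: audit a dump written by
# `sudo iptables-save >myiptables.rules` for two states this lab walks through:
# INPUT defaulting to DROP without the conntrack rule of item 9 (replies to
# your own requests are dropped), and the router's FORWARD chain not being
# DROP (item 1). The dumps below are constructed samples in iptables-save format.

# policy_of FILE CHAIN : print the default policy of CHAIN from its ":CHAIN POLICY [pkts:bytes]" line
policy_of() {
    awk -v chain=":$2" '$1 == chain { print $2; exit }' "$1"
}

# has_return_traffic_rule FILE : succeed if INPUT accepts RELATED or ESTABLISHED traffic
has_return_traffic_rule() {
    grep -Eq -- '^-A INPUT .*--ctstate [A-Z,]*(RELATED|ESTABLISHED)[A-Z,]* -j ACCEPT' "$1"
}

# audit FILE : findings go to stderr, the number of findings to stdout
audit() {
    n=0
    if [ "$(policy_of "$1" INPUT)" = DROP ] && ! has_return_traffic_rule "$1"; then
        echo "INPUT is DROP with no RELATED,ESTABLISHED accept rule" >&2
        n=$((n + 1))
    fi
    if [ "$(policy_of "$1" FORWARD)" != DROP ]; then
        echo "FORWARD is not DROP: the router passes all transit traffic" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# write_sample good|bad : write a constructed dump to a temp file and print its path
write_sample() {
    f=$(mktemp)
    case $1 in
    good) printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT' \
        '-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP' \
        '-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j DROP' COMMIT >"$f" ;;
    bad) printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT' \
        COMMIT >"$f" ;;
    esac
    echo "$f"
}

audit "$(write_sample good)"   # prints 0
audit "$(write_sample bad)"    # prints 2
```

Run it against your own myiptables.rules with `audit myiptables.rules`; a non-zero count with the reasons on stderr tells you which of the two lab states the saved rule set is in.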