Cybersecurity Lab: Iptables Challenges

Lab Environment (Reference)

Subnet: 10.0.2.0/24

Router VM

Xubuntu Router

WAN (Internet): enp0s3
LAN (Gateway): enp0s8
IP Address: 10.0.2.1

Client VM

Client Machine

Interface: eth0
Gateway: 10.0.2.1
IP Address: 10.0.2.100

How to solve these challenges:

Write your solution as root (`sudo su`) on the Router VM terminal.
You can run commands directly or create a shell script (e.g., `nano task1.sh`, `chmod +x task1.sh`, `./task1.sh`).
If you get an error, read the message, refine your command, and try again.

Part 1: The Iptables Command

Challenge #1: Default Policies

filter table

Write the iptables commands that set the default POLICY to ACCEPT on INPUT and OUTPUT chains and DROP on FORWARD chain.

Tip: The -P flag sets the default Policy.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Challenge #2: Listing Rules

filter table

Write the iptables command that lists only the filter table of the INPUT chain.

Tip: Use -vnL for verbose, numeric, list output.

iptables -t filter -vnL INPUT

Challenge #3: The NAT Table

nat table

Write the iptables commands that list the nat table.

iptables -t nat -vnL

Challenge #4: Flushing

filter table

Write the iptables command that flushes the filter table of all chains.

Tip: filter is the default table, so -t filter is optional but good practice.

iptables -F
#or
iptables -t filter -F

Challenge #5: Dropping Specific Traffic

INPUT chain

Write an iptables rule that drops all incoming packets to port 22/tcp (ssh). This should be the first rule in the chain.

Tip: Use -I (Insert) instead of -A (Append) to ensure it's the first rule.

iptables -I INPUT -p tcp --dport 22 -j DROP

Challenge #6: Reset / Delete Firewall

Dangerous

Write the iptables commands that flush all the tables of all chains and set the ACCEPT policy on all chains. This will delete any firewall configuration.

Warning: This leaves the system completely exposed!

#!/bin/bash

#1. Set the ACCEPT POLICY an all CHAINS
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#2. Flush all tables from all CHAINS
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

Part 2: Basic Matches

Challenge #1: Filter by IP

INPUT/OUTPUT

Write the iptables rules that drop all incoming packets from 100.0.0.1 and 1.2.3.4 and all outgoing packets to 80.0.0.1. These must be the first rules in the chains.

iptables -I INPUT -s 100.0.0.1 -j DROP
iptables -I INPUT -s 1.2.3.4 -j DROP

iptables -I OUTPUT -d 80.0.0.1 -j DROP

Challenge #2: Drop Specific Outgoing TCP

OUTPUT chain

Write the iptables rules that drop all outgoing generated packets of type TCP (port 80 and 443) to www.linuxquestions.org.

iptables -A OUTPUT -p tcp --dport 80 -d www.linuxquestions.org -j DROP
iptables -A OUTPUT -p tcp --dport 443 -d www.linuxquestions.org -j DROP

Challenge #3: Drop Routed Traffic

FORWARD chain

Write the iptables rules that drop all outgoing packets (routed through this machine) of type TCP (port 80 and 443) to www.linuxquestions.org.

Context: Since this machine is the Router, traffic from the LAN passing through to the internet uses the FORWARD chain.

iptables -A FORWARD -p tcp --dport 80 -d www.linuxquestions.org -j DROP
iptables -A FORWARD -p tcp --dport 443 -d www.linuxquestions.org -j DROP

Challenge #4: Drop Subnet

INPUT chain

Write an iptables rule that drops all incoming packets from network 27.103.0.0/16 (Netmask 255.255.0.0). This must be the first rule in the chain.

iptables -I INPUT -s 27.103.0.0/16 -j DROP

Challenge #5: Enforce DNS Server

FORWARD chain

The DNS Server of your LAN is set to 8.8.8.8. You don't want to allow LAN users to change this. Write a rule to drop all UDP packets to port 53 (DNS) if they are destined to any IP address other than 8.8.8.8.

Tip: Use the ! (not) operator before the destination IP.

iptables -A FORWARD -p udp --dport 53 ! -d 8.8.8.8 -j DROP

Challenge #6: Allow Loopback

lo interface

Write the iptables rules that allow all traffic on the loopback (lo) interface (both incoming and outgoing).

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Challenge #7: Interface Specific SSH

FORWARD chain

Your Linux Machine is the router.

Note for Lab: The internal LAN interface is enp0s8 and the external WAN interface is enp0s3.

Write the iptables rules that allow establishing routed incoming SSH (tcp/22) connections only from the LAN. Drop SSH connections coming from the WAN.

Note: In standard theory these are eth0/eth1, but we have adapted this solution to match your Module 0 Lab Environment (enp0s8 for LAN, enp0s3 for WAN).

iptables -A FORWARD -p tcp --dport 22 --syn -i enp0s8 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 --syn -i enp0s3 -j DROP

Part 3: Advanced Matches

Challenge #1: Help Commands

man pages

Run the iptables commands that list the help of: a) time match, b) mac match, c) limit match.

# a)
iptables -m time --help

# b) 
iptables -m mac --help

# c) 
iptables -m limit --help

Challenge #2: Stateful Firewall (Basic)

INPUT/OUTPUT

Create a firewall script for your Laptop (runs Linux). All outgoing traffic is allowed, but only the return incoming traffic is permitted. No services are running on the laptop (Drop everything else).

#!/bin/bash

iptables -F

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT DROP

Challenge #3: Stateful Firewall (Complete)

Security Baseline

Consider Challenge #2. Enhance your script to also:

Allow loopback interface traffic
Drop INVALID packets explicitly
Flush the firewall at the start

#!/bin/bash

# Flushing rules
iptables -F

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop Invalid
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Return Traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Challenge #4: Trusted Source SSH

INPUT chain

Consider Challenge #3. You start an SSH Daemon on your laptop. Add a rule to allow incoming SSH connections (tcp/22) only from your work (IP address: 100.0.0.1).

Lab Note: To verify this works in the lab, try using the Client IP 10.0.2.100 instead of 100.0.0.1.

# Allowing incoming ssh connections from 100.0.0.1
iptables -A INPUT -p tcp --dport 22 --syn -s 100.0.0.1 -j ACCEPT

Challenge #5: MAC Filtering (Router Only)

MAC Match

The Router's MAC Address is b4:6d:83:77:85:f5. Write a single rule that allows communication only with the router. Drop packets from any other host in the LAN. Do not modify the policy.

Pro Tip: In the lab, find your Gateway's real MAC using arp -a or ip neigh.

iptables -A INPUT -m mac ! --mac-source b4:6d:83:77:85:f5 -j DROP

Challenge #6: MAC Whitelist Script

Bash Loop

You have a server and 5 trusted hosts with MACs ending in f1 through f5. Write a script that allows only these 5 hosts to communicate with the server.

#!/bin/bash

## allowed MAC addreses
MAC="b4:6d:83:77:85:f1 b4:6d:83:77:85:f2 b4:6d:83:77:85:f3 b4:6d:83:77:85:f4 b4:6d:83:77:85:f5"

for M in $MAC
do
	iptables -A INPUT -m mac --mac-source $M -j ACCEPT
done

# setting the drop policy
iptables -P INPUT DROP

Challenge #7: Time-Based Web Access

Time Match

Write rules permitting outgoing web traffic (TCP 80/443) only between 10:00 and 18:00 UTC.

#!/bin/bash

iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m time --timestart 10:00 --timestop 18:00 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP

Challenge #8: Weekend Access Only

Time + Weekdays

Modify Challenge #7 to allow web traffic only on the weekend (Sat, Sun) between 10:00 and 18:00 UTC.

#!/bin/bash

iptables -A OUTPUT -p tcp -m multiport --dports 80,443 \
	-m time --timestart 10:00 --timestop 18:00 --weekdays Sat,Sun -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j DROP

Challenge #9: Limit Ping

Limit Match

Write rules that permit only 2 incoming ICMP echo-request (ping) packets per second from any IP address.

#!/bin/bash
# Accept 2 pings per second
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
# Drop excess pings
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Challenge #10: Limit TCP Connections

Connlimit Match

Write a rule that permits only 10 NEW TCP connections from the same IP address.

#!/bin/bash
# Reject connections above 10
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 10 -j REJECT
# Accept connections below limit (implicit if policy is ACCEPT, or add rule below)
iptables -A INPUT -p tcp --syn -j ACCEPT

Part 4: NAT & Port Forwarding

Challenge #1: Basic NAT Configuration

SNAT / Masquerade

Configure the Router VM to perform Network Address Translation (NAT) for the LAN network (10.0.2.0/24).

1. Flush the NAT table.
2. Enable IP Forwarding.
3. Apply SNAT for the entire subnet going out the external interface (enp0s3). Assume the public IP is 80.0.0.1.
(Bonus: What target would you use if the IP was dynamic?)

#!/bin/bash

# 1. Flush the nat table
iptables -t nat -F

# 2. Enable routing process (Kernel)
echo "1" > /proc/sys/net/ipv4/ip_forward

# 3. Define rules (SNAT for static IP)
# -s: Source network
# -o: Output interface (WAN)
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o enp0s3 -j SNAT --to-source 80.0.0.1

# Bonus: If dynamic IP (DHCP), use MASQUERADE:
# iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o enp0s3 -j MASQUERADE

Challenge #2: Port Forwarding (DNAT)

DNAT / PREROUTING

You have a Web Server running inside the LAN at 192.168.0.20 on port 80.
Configure the router so that all packets coming to the Router's public IP on port 80 are forwarded to the internal server.

Variants: Also redirect external port 8080 to the internal server's port 80.

Note: Port Forwarding always happens in the PREROUTING chain of the nat table.

#!/bin/bash

# Flush PREROUTING chain
iptables -t nat -F PREROUTING

# 1. Standard Port Forwarding (80 -> 80)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20

# 2. Variant: Redirect 8080 -> 80
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.20:80

# 3. Bonus: Load Balancing (Round Robin)
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20-192.168.0.24

Lab Environment (Reference)

Xubuntu Router

Client Machine

How to solve these challenges:

Part 1: The Iptables Command

Challenge #1: Default Policies

Challenge #2: Listing Rules

Challenge #3: The NAT Table

Challenge #4: Flushing

Challenge #5: Dropping Specific Traffic

Challenge #6: Reset / Delete Firewall

Part 2: Basic Matches

Challenge #1: Filter by IP

Challenge #2: Drop Specific Outgoing TCP

Challenge #3: Drop Routed Traffic

Challenge #4: Drop Subnet

Challenge #5: Enforce DNS Server

Challenge #6: Allow Loopback

Challenge #7: Interface Specific SSH

Part 3: Advanced Matches

Challenge #1: Help Commands

Challenge #2: Stateful Firewall (Basic)

Challenge #3: Stateful Firewall (Complete)

Challenge #4: Trusted Source SSH

Challenge #5: MAC Filtering (Router Only)

Challenge #6: MAC Whitelist Script

Challenge #7: Time-Based Web Access

Challenge #8: Weekend Access Only

Challenge #9: Limit Ping

Challenge #10: Limit TCP Connections

Part 4: NAT & Port Forwarding

Challenge #1: Basic NAT Configuration

Challenge #2: Port Forwarding (DNAT)

Password Required