zNetGuardian Solution Walkthrough

Visual Solutions to Configuring iptables Rules Using Net Guardian Architect (OPTIONAL) - Lab #1, due on Nov. 29!

1 Part 1: The iptables Command

Challenge #1: Default Policies

Set INPUT/OUTPUT to ACCEPT and FORWARD to DROP.

Script View (Architect)

In the View Script tab, find section 3. zNetGuardian's own defaults are stricter than this challenge asks for, so the INPUT policy is changed from DROP to ACCEPT here.

# 3. Set Default Policies
$IPT -P INPUT ACCEPT    # Changed from DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

Challenge #2 & #3: Listing Tables

These are runtime operational commands, not configuration rules. You run these directly in the terminal.

Terminal / Console
# Challenge 2: List Filter table of INPUT chain
iptables -t filter -vnL INPUT
# Challenge 3: List NAT table
iptables -t nat -vnL

Challenge #4: Flushing

The Architect automatically handles flushing at the start of every generated script to ensure a clean slate.

Script View (Architect)
# 2. Flush Existing Rules
$IPT -F
$IPT -X
$IPT -t nat -F

Challenge #5: Dropping Specific Traffic (SSH)

Drop incoming packets to port 22 (SSH).

Designer View (Rule Builder)

Source | Destination   | Proto/Port | Action | Chain (Auto)
ANY    | Self (Router) | TCP / 22   | DROP   | INPUT

Generated Code:
iptables -I INPUT -p tcp --dport 22 -j DROP

2 Part 2: Basic Matches

Challenge #1: Filter by IP

Drop incoming from 100.0.0.1 & 1.2.3.4. Drop outgoing to 80.0.0.1.

Designer View Rules

Rule   | Source    | Destination | Proto/Port | Action
Rule 1 | 100.0.0.1 | Self        | ALL / Any  | DROP
Rule 2 | 1.2.3.4   | Self        | ALL / Any  | DROP
Rule 3 | Self      | 80.0.0.1    | ALL / Any  | DROP

Challenge #2 & #3: Drop LinuxQuestions (Web)

Drop traffic to www.linuxquestions.org on ports 80/443. (Covers both Output and Forward).

Designer View Rules

Chain   | Source     | Destination            | Proto/Port   | Action
Output  | Self       | www.linuxquestions.org | TCP / 80,443 | DROP
Forward | LAN Subnet | www.linuxquestions.org | TCP / 80,443 | DROP
Bash Output:
# -m multiport matches both ports in a single rule per chain.
# A hostname given to -d is resolved once, when the rule is loaded.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -d www.linuxquestions.org -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -d www.linuxquestions.org -j DROP

Challenge #4: Drop Subnet

Drop incoming packets from 27.103.0.0/16.

Rule Configuration

Source        | Destination | Action
27.103.0.0/16 | Self        | DROP

Challenge #5: Enforce DNS

Drop DNS (UDP/53) traffic NOT destined for 8.8.8.8.

Advanced Rule Logic
Condition: ! -d 8.8.8.8

Rule | Source | Destination | Proto/Port | Action
Rule | LAN    | NOT 8.8.8.8 | UDP / 53   | DROP

Challenge #6: Allow Loopback

zNetGuardian includes this automatically in the "Base Chain Rules".

Script View (Base Rules)
# 5. Base Chain Rules
# Allow Loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

Challenge #7: Interface Specific SSH

Allow SSH from LAN (enp0s8), Drop from WAN (enp0s3).

Interface Definitions

Interface 1 | enp0s8 (LAN)
Interface 2 | enp0s3 (WAN)

Rules

Rule  | Source       | Destination | Proto/Port | Action
Safe  | LAN (enp0s8) | Self        | TCP / 22   | ACCEPT
Block | WAN (enp0s3) | Self        | TCP / 22   | DROP
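The whole walkthrough collected into one script in the same $IPT style the Architect generates, as an added example (this is not the tool's own output or part of the lab). The LAN subnet 192.168.56.0/24 and the function names are assumptions; setting IPT to "echo iptables" prints the rules instead of loading them, which is the quickest way to review rule order before applying anything.

```shell
#!/bin/sh
# Added example, not the Architect's generated script: the lab's rules as one
# $IPT-style script. zng_dry_run prints the commands instead of loading them.
IPT="${IPT:-iptables}"
LAN_IF="enp0s8"; WAN_IF="enp0s3"          # from Part 2, Challenge 7
LAN_NET="${LAN_NET:-192.168.56.0/24}"     # assumed LAN subnet (not in the lab)

zng_defaults() {                          # Part 1, Challenge 1
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}
zng_flush() {                             # Part 1, Challenge 4
    $IPT -F; $IPT -X; $IPT -t nat -F
}
zng_base() {                              # Part 2, Challenge 6
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}
zng_rules() {
    # Part 2, Challenge 7. iptables stops at the first matching rule, so the
    # LAN ACCEPT is appended before any broader SSH DROP.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j DROP
    # Part 2, Challenge 1
    for src in 100.0.0.1 1.2.3.4; do $IPT -A INPUT -s "$src" -j DROP; done
    $IPT -A OUTPUT -d 80.0.0.1 -j DROP
    # Part 2, Challenges 2 and 3. A hostname in -d is resolved once, when the
    # rule is loaded; later DNS changes are not tracked.
    for chain in OUTPUT FORWARD; do
        $IPT -A "$chain" -p tcp -m multiport --dports 80,443 \
            -d www.linuxquestions.org -j DROP
    done
    # Part 2, Challenge 4
    $IPT -A INPUT -s 27.103.0.0/16 -j DROP
    # Part 2, Challenge 5: LAN DNS queries may only go to 8.8.8.8
    $IPT -A FORWARD -s "$LAN_NET" -p udp --dport 53 ! -d 8.8.8.8 -j DROP
}
zng_apply() { zng_flush; zng_defaults; zng_base; zng_rules; }
# Dry run in a subshell so the echo override does not leak into the caller.
zng_dry_run() { ( IPT="echo iptables"; zng_apply ); }
```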