Smart Braces
🎮 Smart Braces¶
📍 Student Union
🧝🏻♂️ Kent Tinseltooth
OK, this is starting to freak me out!
Oh sorry, I'm Kent Tinseltooth. My Smart Braces are acting up.
Do... Do you ever get the feeling you can hear things? Like, voices?
I know, I sound crazy, but ever since I got these... Oh!
Do you think you could take a look at my Smart Braces terminal?
I'll bet you can keep other students out of my head, so to speak.
It might just take a bit of Iptables work.
Iptables
Stop the inner voice!
⚡️ Solution¶
When You open the terminal, You see:
Let's review /home/elfuuser/IOTteethBraces.md
content:
cat /home/elfuuser/IOTteethBraces.md
# ElfU Research Labs - Smart Braces ### A Lightweight Linux Device for Teeth Braces ### Imagined and Created by ElfU Student Kent TinselTooth This device is embedded into one's teeth braces for easy management and monitoring of dental status. It uses FTP and HTTP for management and monitoring purposes but also has SSH for remote access. Please refer to the management documentation for this purpose. ## Proper Firewall configuration: The firewall used for this system is `iptables`. The following is an example of how to set a default policy with using `iptables`: `sudo iptables -P FORWARD DROP` The following is an example of allowing traffic from a specific IP and to a specific port: `sudo iptables -A INPUT -p tcp --dport 25 -s 172.18.5.4 -j ACCEPT` A proper configuration for the Smart Braces should be exactly: 1. Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains. 2. Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains. 3. Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22). 4. Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80. 5. Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80. 6. Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface.
Check the current iptables :
sudo iptables -L
Let's do the configuration for the Smart Braces:
-
Set the default policies to DROP for the INPUT, FORWARD, and OUTPUT chains:
sudo iptables -P FORWARD DROP sudo iptables -P INPUT DROP sudo iptables -P OUTPUT DROP
DROP
Silently ignore the packetREJECT
Reject the packet and notify the sender-P
Set the policy for the chain to the given target -
Create a rule to ACCEPT all connections that are ESTABLISHED,RELATED on the INPUT and the OUTPUT chains:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ACCEPT
Let the packet through-A
Append one or more rules to the end of the selected chain
-m
Specify extended packet matching modules--ctstate
Match the state of a packet-j
Specify the target of the rule -
Create a rule to ACCEPT only remote source IP address 172.19.0.225 to access the local SSH server (on port 22):
sudo iptables -A INPUT -s 172.19.0.225 -p tcp --dport 22 -j ACCEPT
-s
Specify a source IP address-p
Specify the protocol of the rule or of the packet to check--dport
Match destination port or port range -
Create a rule to ACCEPT any source IP to the local TCP services on ports 21 and 80:
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-
Create a rule to ACCEPT all OUTPUT traffic with a destination TCP port of 80:
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
-
Create a rule applied to the INPUT chain to ACCEPT all traffic from the lo interface
sudo iptables -A INPUT -i lo -j ACCEPT
-i
Specify an interface via which a packet was received
We can combine all the commands in one line:
sudo iptables -P FORWARD DROP; sudo iptables -P INPUT DROP; sudo iptables -P OUTPUT DROP; sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ; sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; sudo iptables -A INPUT -s 172.19.0.225 -p tcp --dport 22 -j ACCEPT; sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT; sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT; sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT; sudo iptables -A INPUT -i lo -j ACCEPT;
You have completed the Smart Braces challenge! 🎉
🧝🏻♂️ Kent Tinseltooth
Oh thank you! It's so nice to be back in my own head again. Er, alone.
🎓 What you've learned¶
- iptables rules