secret branch

DMZ.sh

@@ -7,10 +7,10 @@ routerIp=23.214.219.254
 mask25=255.255.255.128
 
 dns=23.214.219.130
-mail=23.214.219.134
+mail=23.214.219.131
-vpn_gw=23.214.219.133
+vpn_gw=23.214.219.132
-www=23.214.219.132
+www=23.214.219.133
-smtp=23.214.219.131
+smtp=23.214.219.134
 
 dnsPort=53
 mailPort=888
@@ -26,7 +26,7 @@ sudo systemctl enable iptables
 sudo iptables -F
 sudo ifconfig enp0s8 $ip netmask $mask25
 sudo ip route add 192.168.10.0/24 via $routerIp
-sudo route add default gw $routerIp
+sudo add default gw $routerIp
 # alias dos ips
 sudo ip addr add $dns dev enp0s8
 sudo ip addr add $mail dev enp0s8

INTERNET.sh

@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
 sudo systemctl mask firewalld
 sudo systemctl enable iptables
 sudo iptables -F
-sudo ifconfig enp0s8 $dns2 netmask $mask24
+sudo ifconfig enp0s8 $dn2 netmask $mask24
 sudo route add default gw $routerIp
-#sudo ip addr add $dns2 dev enp0s8
+sudo ip addr add $dns2 dev enp0s8
 sudo ip addr add $eden dev enp0s8

ROUTER.sh

@@ -1,99 +1,69 @@
-# NETWORKS:
+IF_DMZ="enp0s8"
-# DMZ: 23.214.219.128/25
+IF_INT="enp0s9"
-# Internal: 192.168.10.0/24
+IF_EXT="enp0s10"
-# 
+NET_DMZ="23.214.219.128/25"   
-# MACHINES:
+NET_INT="192.168.10.0/24"    
-# DNS2: 192.137.16.75
+IP_EXT_FW="87.248.214.97"     
-# EDEN 193.138.212.1
+IP_DMZ_FW="23.214.219.254"    
-dns2="87.248.214.99"
+IP_INT_FW="192.168.10.254"    
-eden="87.248.214.100"
+IP_DMZ_DNS="23.214.219.130"
+IP_DMZ_SMTP="23.214.219.131"
+IP_DMZ_WWW="23.214.219.132"
+IP_DMZ_VPN_GW="23.214.219.133"
+IP_DMZ_MAIL="23.214.219.134"
+IP_INT_FTP="192.168.10.2"
+IP_INT_DATASTORE="192.168.10.3"
+IP_DNS2="193.137.16.75"       
+IP_EDEN="193.136.212.1"       
 
-# ==============================
+sudo yum install epel-release -y
-# Router 1
+sudo yum install suricata -y  
-# INTERFACES:
+sudo suricata-update
-# - Internet: 87.248.214.97
-# - DMZ: 23.214.219.254
-# - Internal: 192.168.10.254
-# ==============================
 
-# ==============================
+sudo ifconfig $IF_DMZ $IP_DMZ_FW netmask 255.255.255.128
-# DMZ /25
+sudo ifconfig $IF_INT $IP_INT_FW netmask 255.255.255.0
-# IP:
+sudo ifconfig $IF_EXT $IP_EXT_FW netmask 255.255.255.0
-# - dns : 23.214.219.130
-# - smtp : 23.214.219.131
-# - www : 23.214.219.132
-# - vpn-gw: 23.214.219.133
-# - mail: 23.214.219.134
-# ==============================
 
-# ==============================
-# Internal
-# IP:
-# ftp: 192.168.10.2
-# datastore : 192.168.10.3
-# DHCP Client : 192.168.10.4-5
-# ==============================
-
-sudo ifconfig enp0s8 23.214.219.254 netmask 255.255.255.128
-sudo ifconfig enp0s9 192.168.10.254 netmask 255.255.255.0
-sudo ifconfig enp0s10 87.248.214.97 netmask 255.255.255.0
-
-sudo yum install iptables-services -y
-sudo systemctl stop firewalld
-sudo systemctl disable firewalld
-sudo systemctl mask firewalld
-sudo systemctl enable iptables
 sudo iptables -F
 sudo iptables -t nat -F
 sudo iptables -t mangle -F
 sudo sysctl -w net.ipv4.ip_forward=1
-iptables -P INPUT DROP
+
-iptables -P FORWARD DROP
+sudo iptables -P INPUT DROP      
-iptables -P OUTPUT ACCEPT
+sudo iptables -P FORWARD DROP    
+sudo iptables -P OUTPUT ACCEPT
+
+sudo modprobe nf_conntrack_ftp
+sudo modprobe nf_nat_ftp
+
+sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
 sudo iptables -A INPUT -i lo -j ACCEPT
-sudo iptables -A OUTPUT -o lo -j ACCEPT
+sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-#sudo iptables -t nat -A POSTROUTING -i enp0s9 -o enp0s3 -j MASQUERADE #SUS
+sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
-sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
+sudo iptables -A INPUT -i $IF_INT -p tcp --dport 22 -j ACCEPT
-#DNS name resolution requests sent to outside servers and want a response:
+sudo iptables -A INPUT -i $IF_DMZ -s $IP_DMZ_VPN_GW -p tcp --dport 22 -j ACCEPT
-sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
+
-#SSH connections to the router system that originate from the inside and want an answer:
+sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A FORWARD -p udp -d $IP_DMZ_DNS --dport 53 -j ACCEPT
-sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
+
-#The dns server should be able to resolve names using the internet (and others???)
+sudo iptables -A FORWARD -s $IP_DMZ_DNS -d $IP_DNS2 -p tcp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -s $IP_DNS2 -d $IP_DMZ_DNS -p tcp --dport 53 -j ACCEPT
-#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
+
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -p tcp -d $IP_DMZ_SMTP --dport 25 -j ACCEPT   
-sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
+sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 110 -j ACCEPT  
-#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
+sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 143 -j ACCEPT  
-sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -p tcp -d $IP_DMZ_WWW -m multiport --dports 80,443 -j ACCEPT 
-#SMTP connections to the smtp server and returns
+sudo iptables -A FORWARD -p udp -d $IP_DMZ_VPN_GW --dport 1194 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT 
+
-#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i $IF_DMZ -s $IP_DMZ_VPN_GW -d $NET_INT -j ACCEPT
-#POP and IMAP connections to the www server
+
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT 
+sudo iptables -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j SNAT --to-source $IP_EXT_FW
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
+sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT
-#HTTP and HTTPS connectins
+sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -m multiport --dports 80,443,22,21 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT 
+
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
+sudo iptables -t nat -A PREROUTING -i $IF_EXT -d $IP_EXT_FW -p tcp --dport 21 -j DNAT --to-destination $IP_INT_FTP
-#OpenVPN connections to the vpn-gw server
+sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_FTP -p tcp --dport 21 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT 
+
-#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
+sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_EDEN -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
-#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
+sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_DNS2 -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT 
+sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_DATASTORE -p tcp --dport 22 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT 
-#FTP da internet WORRIED ???
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
-#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
-sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
-#enp0s9 to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
-sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT

relatorio.tex

@@ -4,7 +4,7 @@
 
 \title{Practical Assignment \#1}
 \author{
-    João Neto -- 2023234004\\[1em]
+    João Neto -- \\[1em]
     Vasco Alves -- 2022228207
 }
 
@@ -14,50 +14,16 @@
 \newpage
 
 \section{Introduction}
-O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
+
-As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
 \section{Firewall}
-\subsection{Packet fileter without NAT}
+Sigmasigmaboy123
-O policy que foi escolhido foi:
+\subsection{Packet fileter with NAT}
-iptables -P INPUT DROP
+\subsection{Packet filtering without NAT}
-iptables -P FORWARD DROP
-iptables -P OUTPUT ACCEPT
-Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
-Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
-sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
-sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
-sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
-Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
-sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
-\subsection{Packet filtering with NAT}
-Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que quer aceder a rede interna e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
-sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
-sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
 \subsection{External Network}
 \subsection{Internal Network}
 
 \section{Intrusion Detection}
-Suricata rules:
-drop tcp (dollar)EXTERNAL-NET any -> (dollar)HOME-NET any (msg:"ET"; flags:S; threshold:type both, track by-src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
-drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
-drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
-drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
 
 \section{Conclusion}
-Fuck we learned alot
+
 \end{document}

suricata.rules

@@ -1,5 +0,0 @@
-drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
-drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
-drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
-drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
-