mergeee!!

DMZ.sh

@@ -7,10 +7,10 @@ routerIp=23.214.219.254
 mask25=255.255.255.128
 
 dns=23.214.219.130
-mail=23.214.219.132
+mail=23.214.219.134
 vpn_gw=23.214.219.133
-www=23.214.219.134
-smtp=23.214.219.135
+www=23.214.219.132
+smtp=23.214.219.131
 
 dnsPort=53
 mailPort=888
@@ -21,16 +21,17 @@ sudo yum install iptables-services -y
 sudo systemctl stop firewalld
 sudo systemctl disable firewalld
 sudo systemctl mask firewalld
+sudo systemctl enable iptables
 
 sudo iptables -F
 sudo ifconfig enp0s8 $ip netmask $mask25
 sudo ip route add 192.168.10.0/24 via $routerIp
-
+sudo route add default gw $routerIp
 # alias dos ips
 sudo ip addr add $dns dev enp0s8
 sudo ip addr add $mail dev enp0s8
 sudo ip addr add $vpn_gw dev enp0s8
-sudo ip addr add $ww dev enp0s8
+sudo ip addr add $www dev enp0s8
 sudo ip addr add $smtp dev enp0s8
 
 # netcart

INTERNAL.sh

@@ -14,10 +14,11 @@ sudo yum install iptables-services -y
 sudo systemctl stop firewalld
 sudo systemctl disable firewalld
 sudo systemctl mask firewalld
+sudo systemctl enable iptables
 sudo iptables -F
 sudo ifconfig enp0s8 $ip netmask $mask24
 sudo ip route add 23.214.219.128/25 via $routerIp
-
+sudo route add default gw $routerIp
 # aliasing
 sudo ip addr add $ftp dev enp0s8
 sudo ip addr add $datastore dev enp0s8

INTERNET.sh

@@ -0,0 +1,15 @@
+ip=87.248.214.98
+dns2=87.248.214.99
+eden=87.248.214.100
+mask24=255.255.255.0
+routerIp=87.248.214.97
+sudo yum install iptables-services -y
+sudo systemctl stop firewalld
+sudo systemctl disable firewalld
+sudo systemctl mask firewalld
+sudo systemctl enable iptables
+sudo iptables -F
+sudo ifconfig enp0s8 $dns2 netmask $mask24
+sudo route add default gw $routerIp
+#sudo ip addr add $dns2 dev enp0s8
+sudo ip addr add $eden dev enp0s8

ROUTER.sh

@@ -1,41 +1,33 @@
-# NETWORKS:
-# DMZ: 23.214.219.128/25
-# Internal: 192.168.10.0/24
-# 
-# MACHINES:
-# DNS2: 192.137.16.75
-# EDEN 193.138.212.1
-dns2="192.137.16.75"
-eden="193.138.212.1"
+#!/bin/bash
+
+dns2="87.248.214.99"
+eden="87.248.214.100"
 
-# ==============================
 # Router 1
-# INTERFACES:
-# - Internet: 87.248.214.97
-# - DMZ: 23.214.219.254
-# - Internal: 192.168.10.254
-# ==============================
+dmzIP="23.214.219.254"
+internalIP="192.168.10.254"
+externalIP="87.248.214.97"
 
-# ==============================
 # DMZ /25
-# IP:
-# - dns : 23.214.219.130
-# - smtp : 23.214.219.131
-# - www : 23.214.219.132
-# - vpn-gw: 23.214.219.133
-# ==============================
+dns="23.214.219.130"
+smtp="23.214.219.131"
+www="23.214.219.132"
+vpn_gw="23.214.219.133"
+mail="23.214.219.134"
 
-# ==============================
 # Internal
-# IP:
-# ftp: 192.168.10.1
-# datastore : 192.168.10.2
-# DHCP Client : 192.168.10.3-5
-# ==============================
+ftp="192.168.10.2"
+datastore="192.168.10.3"
+dhcpClient="192.168.10.4"
 
-sudo ifconfig enp0s8 23.214.219.254 netmask 255.255.255.128
-sudo ifconfig enp0s9 192.168.10.254 netmask 255.255.255.0
-sudo ifconfig enp0s3 87.248.214.97 netmask 255.255.255.0
+# Interfaces
+dmzIF="enp0s8"
+internalIF="enp0s9"
+externalIF="enp0s10"
+
+sudo ifconfig $dmzIF $dmzIP netmask 255.255.255.128
+sudo ifconfig $internalIF $internalIP netmask 255.255.255.0
+sudo ifconfig $externalIF $externalIP netmask 255.255.255.0
 
 sudo yum install iptables-services -y
 sudo systemctl stop firewalld
@@ -51,36 +43,64 @@ iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 sudo iptables -A INPUT -i lo -j ACCEPT
 sudo iptables -A OUTPUT -o lo -j ACCEPT
-sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
-#DNS name resolution requests sent to outside servers and want a response:TODO:INPUT
-sudo iptables -A FORWARD -i enp0s3 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
-#SSH connections to the router system that originate from the inside and want an answer:TODO:INPUT
-sudo iptables -A FORWARD -i enp0s3 -o enp0s9 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A FORWARD -i enp0s3 -d 23.214.219.133 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#sudo iptables -t nat -A POSTROUTING -i $internalIF -o enp0s3 -j MASQUERADE #SUS
+sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
+
+#DNS name resolution requests sent to outside servers and want a response:
+sudo iptables -A INPUT -i $externalIF -p udp --dport 53 -j ACCEPT
+
+#SSH connections to the router system that originate from the inside and want an answer:
+sudo iptables -A INPUT -i $internalIF -p tcp --dport 22 -j ACCEPT
+sudo iptables -A INPUT -i $dmzIF -s $vpn_gw -p tcp --dport 22 -j ACCEPT
+
 #The dns server should be able to resolve names using the internet (and others???)
-sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
+sudo iptables -I INPUT -j NFQUEUE --queue-bypass
+sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p udp --dport 53 -j ACCEPT
+
 #The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $dns -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
+
 #The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
-sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -d 193.137.16.75 -p tcp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -d 23.214.219.130 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i $dmzIF -o $externalIF -s $dns -p tcp --dport 53 -j ACCEPT
+
 #SMTP connections to the smtp server and returns
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $smtp -p tcp --dport 587 -j ACCEPT 
+#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 #POP and IMAP connections to the www server
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT 
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 143 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $mail -p tcp --dport 110 -j ACCEPT
+
+#HTTP and HTTPS connectins
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $www -p tcp --dport 443 -j ACCEPT
+
 #OpenVPN connections to the vpn-gw server
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $dmzIF -d $vpn_gw -p udp --dport 1194 -j ACCEPT 
+#sudo iptables -A FORWARD -i $dmzIF -o $internalIF -p udp --dport 1194 -j ACCEPT
+
 #VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.10.1 -p tcp --dport ftp -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.10.2 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -j ACCEPT
-# Apartir daqui foi só para testar se as conecções funcionavam
-sudo iptables -A FORWARD -i enp0s8 -s 23.214.219.130 -p tcp --sport 22 
-# Unsure these will work
-sudo iptables -A FORWARD -i enp0s9 -d 23.214.219.131
+sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $ftp -j ACCEPT 
+sudo iptables -A FORWARD -i $dmzIF -o $internalIF -s $vpn_gw -d $datastore -j ACCEPT 
+
+#FTP da internet WORRIED ???
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $ftp -p tcp --dport 21 -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
+
+#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination $datastore
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination $datastore
+sudo iptables -t nat -A PREROUTING -i $externalIF -p tcp --dport 21 -j DNAT --to-destination $ftp
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
+sudo iptables -A FORWARD -i $externalIF -o $internalIF -d $datastore -s $eden -p tcp --dport 22 -j ACCEPT
+
+#$internalIF to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
+sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o $externalIF -j SNAT --to-source $externalIP
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p udp --dport 53 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
+sudo iptables -A FORWARD -i $internalIF -o $externalIF -p tcp --dport 21 -j ACCEPT

relatorio.aux

@@ -5,10 +5,9 @@
 \babel@aux{portuguese}{}
 \@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{2}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {2}Firewall}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}External Network}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {4}Conclusion}{2}{}\protected@file@percent }
-\gdef \@abspage@last{2}
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}Tests utilizados}{5}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusion}{5}{}\protected@file@percent }
+\gdef \@abspage@last{5}

relatorio.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17)  16 MAR 2026 16:24
+This is pdfTeX, Version 3.141592653-2.6-1.40.27 (TeX Live 2026/dev/Arch Linux) (preloaded format=pdflatex 2026.1.17)  22 MAR 2026 22:27
 entering extended mode
  \write18 enabled.
  %&-line parsing enabled.
@@ -89,52 +89,80 @@ LaTeX Info: Redefining \textulc on input line 49.
 LaTeX Info: Redefining \oldstylenums on input line 163.
 LaTeX Info: Redefining \textsw on input line 173.
 )
+(/usr/share/texmf-dist/tex/latex/listings/listings.sty
+\lst@mode=\count273
+\lst@gtempboxa=\box52
+\lst@token=\toks19
+\lst@length=\count274
+\lst@currlwidth=\dimen143
+\lst@column=\count275
+\lst@pos=\count276
+\lst@lostspace=\dimen144
+\lst@width=\dimen145
+\lst@newlines=\count277
+\lst@lineno=\count278
+\lst@maxwidth=\dimen146
+
+(/usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
+File: lstpatch.sty 2024/09/23 1.10c (Carsten Heinz)
+)
+(/usr/share/texmf-dist/tex/latex/listings/lstmisc.sty
+File: lstmisc.sty 2024/09/23 1.10c (Carsten Heinz)
+\c@lstnumber=\count279
+\lst@skipnumbers=\count280
+\lst@framebox=\box53
+)
+(/usr/share/texmf-dist/tex/latex/listings/listings.cfg
+File: listings.cfg 2024/09/23 1.10c listings configuration
+))
+Package: listings 2024/09/23 1.10c (Carsten Heinz)
 LaTeX Font Info:    Trying to load font information for OT1+EBGaramond-LF on in
-put line 11.
+put line 28.
 
 (/usr/share/texmf-dist/tex/latex/ebgaramond/OT1EBGaramond-LF.fd
 File: OT1EBGaramond-LF.fd 2023/03/19 (autoinst) Font definitions for OT1/EBGara
 mond-LF.
 )
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 12.0pt on input line 11.
+(Font)              scaled to size 12.0pt on input line 28.
 
 (/usr/share/texmf-dist/tex/latex/l3backend/l3backend-pdftex.def
 File: l3backend-pdftex.def 2024-05-08 L3 backend support: PDF output (pdfTeX)
-\l__color_backend_stack_int=\count273
-\l__pdf_internal_box=\box52
+\l__color_backend_stack_int=\count281
+\l__pdf_internal_box=\box54
 )
 (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
 \openout1 = `relatorio.aux'.
 
-LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 11.
-LaTeX Font Info:    ... okay on input line 11.
-\c@mv@tabular=\count274
-\c@mv@boldtabular=\count275
+LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for TS1/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 28.
+LaTeX Font Info:    ... okay on input line 28.
+\c@mv@tabular=\count282
+\c@mv@boldtabular=\count283
+\c@lstlisting=\count284
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 20.74pt on input line 12.
+(Font)              scaled to size 20.74pt on input line 29.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 14.4pt on input line 12.
+(Font)              scaled to size 14.4pt on input line 29.
 LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <14.4> on input line 12.
+(Font)              <14.4> on input line 29.
 LaTeX Font Info:    External font `cmex10' loaded for size
-(Font)              <7> on input line 12.
+(Font)              <7> on input line 29.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
-(Font)              scaled to size 17.28pt on input line 13.
+(Font)              scaled to size 17.28pt on input line 30.
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
-(Font)              scaled to size 17.28pt on input line 13.
+(Font)              scaled to size 17.28pt on input line 30.
 
 (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.toc
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
@@ -155,31 +183,62 @@ LaTeX Font Info:    External font `cmex10' loaded for size
 
 {/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fonts
 /enc/dvips/ebgaramond/ebg_dacnth.enc}]
+(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
+File: lstlang1.sty 2024/09/23 1.10c listings language file
+)
+(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
+File: lstlang1.sty 2024/09/23 1.10c listings language file
+)
+LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/m/n' will be
+(Font)              scaled to size 10.0pt on input line 37.
+
+Overfull \hbox (7.49481pt too wide) in paragraph at lines 42--44
+\OT1/EBGaramond-LF/m/n/12 As tr[]es re-des tem va-rios servi[]os, o DMZ tem dns
+(23.214.219.130), mail(23.214.219.134),
+ []
+
 LaTeX Font Info:    Font shape `OT1/EBGaramond-LF/b/n' will be
-(Font)              scaled to size 14.4pt on input line 19.
+(Font)              scaled to size 14.4pt on input line 45.
 
 
-[2] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
+[2]
+
+[3]
+LaTeX Font Info:    Font shape `OT1/cmtt/bx/n' in size <10> not available
+(Font)              Font shape `OT1/cmtt/m/n' tried instead on input line 93.
+
+
+[4{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-ts1.enc}]
+Overfull \hbox (23.24622pt too wide) in paragraph at lines 125--126
+\OT1/EBGaramond-LF/m/n/12 Ao realizar-mos este pro-jeto apren-de-mos so-bre a c
+ria[][]ao de sce-na-rios em VMs, a configura[][]ao
+ []
+
+
+
+[5] (/home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/relatorio.aux)
  ***********
 LaTeX2e <2024-11-01> patch level 2
 L3 programming layer <2025-01-18>
  ***********
  ) 
 Here is how much of TeX's memory you used:
- 2577 strings out of 474546
- 48289 string characters out of 5749982
- 436453 words of memory out of 5000000
- 25628 multiletter control sequences out of 15000+600000
- 572213 words of font info for 55 fonts, out of 8000000 for 9000
+ 4439 strings out of 474546
+ 72779 string characters out of 5749982
+ 968296 words of memory out of 5000000
+ 27469 multiletter control sequences out of 15000+600000
+ 573916 words of font info for 59 fonts, out of 8000000 for 9000
  352 hyphenation exceptions out of 8191
- 57i,7n,65p,220b,231s stack positions out of 10000i,1000n,20000p,200000b,200000s
+ 57i,7n,99p,546b,1693s stack positions out of 10000i,1000n,20000p,200000b,200000s
 </usr/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Bold.pfb></us
-r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb>
+r/share/texmf-dist/fonts/type1/public/ebgaramond/EBGaramond-Regular.pfb></usr/s
+hare/texmf-dist/fonts/type1/public/amsfonts/cm/cmtt10.pfb></usr/share/texmf-dis
+t/fonts/type1/public/cm-super/sftt1000.pfb>
 Output written on /home/vasco/EngenhariaInformatica/3ano/sem2/fsi/trabalho/rela
-torio.pdf (2 pages, 42851 bytes).
+torio.pdf (5 pages, 78451 bytes).
 PDF statistics:
- 22 PDF objects out of 1000 (max. 8388607)
- 13 compressed objects within 1 object stream
+ 42 PDF objects out of 1000 (max. 8388607)
+ 26 compressed objects within 1 object stream
  0 named destinations out of 1000 (max. 500000)
  1 words of extra memory for PDF output out of 10000 (max. 10000000)
 

relatorio.tex

@@ -1,10 +1,27 @@
 \documentclass[12pt,a4paper]{article}
 \usepackage[portuguese]{babel}
 \usepackage[lining]{ebgaramond}
+\usepackage{listings}
+
+\lstdefinestyle{mystyle}{
+    basicstyle=\ttfamily\footnotesize,
+    breakatwhitespace=false,         
+    breaklines=true,                 
+    captionpos=b,                    
+    keepspaces=true,                 
+    numbers=left,                    
+    numbersep=5pt,                  
+    showspaces=false,                
+    showstringspaces=false,
+    showtabs=false,                  
+    tabsize=2
+}
+
+\lstset{style=mystyle}
 
 \title{Practical Assignment \#1}
 \author{
-    João Neto -- \\[1em]
+    João Neto -- 2023234004\\[1em]
     Vasco Alves -- 2022228207
 }
 
@@ -14,16 +31,96 @@
 \newpage
 
 \section{Introduction}
+O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
 
+\begin{lstlisting}[language=bash]
+Rede,Interface,Gama IP
+DMZ,enp0s8,23.214.219.128/25
+Internal,enp0s9,192.168.10.0/24
+Internet,enp0s10,87.248.214.0/24
+\end{lstlisting}
+As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
+Para facilitar a recriação deste sistema foi criado 4 ficheiros .sh (um para cada rede e o router), e disponibilizamos os ficheiros suricata.rules e suricata.yaml, para o suricata que estiver ligado ao Router.  Os ficheiros .sh vão ter comandos para configurar o sistema para este exercicio.
 \section{Firewall}
-Sigmasigmaboy123
-\subsection{Packet fileter with NAT}
-\subsection{Packet filtering without NAT}
-\subsection{External Network}
-\subsection{Internal Network}
+\subsection{Packet fileter without NAT}
+O policy que foi escolhido foi:
+\begin{lstlisting}[language=bash]
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+\end{lstlisting}
+Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
+Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A INPUT -i enp0s10 -p udp --dport 53 -j ACCEPT
+sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
+\end{lstlisting}
+Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
+\end{lstlisting}
+Inicialmente as implementações de respostas a forward eram especificas para cada regra isto é por exemplo:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -o enp0s8 -i enp0s10 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+\end{lstlisting}
+No entanto isso facilmente originava confusão entre nós, então decimos utilizar estas duas regras:
+\begin{lstlisting}[language=bash]
+sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+\end{lstlisting}
+Neste cenario o uso destas regras faz sentido, mas pode existir outros cenarios no futuro que não queremos uma resposta, e nesse caso temos de criar as regras necessarias.
+\subsection{Packet filtering with NAT}
+Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que querer aceder a rede interna para não terem acesso ao edereço ip e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
+\begin{lstlisting}[language=bash]
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
+sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
+sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT 
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
+\end{lstlisting}
 
 \section{Intrusion Detection}
+As regras que utilizamos para o suricata foram estas:
+\begin{lstlisting}[language=bash]
+drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
+drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
+drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
+drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
+\end{lstlisting}
+A primeira é para port scaning, a segunda e a terceira é para o caso de SQL injection, e a ultima é para XSS atacks.
+Também atualizamos o iptables para passar para o suricata os pacotes para analizar e bloquear com:
+\begin{lstlisting}[language=bash]
+sudo iptables -I FORWARD -j NFQUEUE --queue-bypass
+sudo iptables -I INPUT -j NFQUEUE --queue-bypass
+\end{lstlisting}
+
+\section{Tests utilizados}
+Netcat foi utilizado para maior parte dos testes excepto para FTP, em que devido ás suas caracteristicas especificas, utilizamos os serviços para ter a certeza que funcionava com a nossa configuração. Utilizamos estes comandos curl para testar se eram bloqueados:
+\begin{lstlisting}[language=bash]
+curl -i "http://23.214.219.132/index.php?id=1%20union%20select%201,2,3"
+curl -i "http://23.214.219.132/login.php?user='or%201=1"
+curl -i "http://23.214.219.132/search.php?q=<script>alert('XSS')</script>"
+\end{lstlisting}
 
 \section{Conclusion}
-
+Ao realizar-mos este projeto aprendemos sobre a criação de scenarios em VMs, a configuração de uma firewall utilizando IPTables e a configuração de um IDS/IPS system utilizando Suricata
 \end{document}

relatorio.toc

@@ -1,9 +1,8 @@
 \babel@toc {portuguese}{}\relax 
 \contentsline {section}{\numberline {1}Introduction}{2}{}%
 \contentsline {section}{\numberline {2}Firewall}{2}{}%
-\contentsline {subsection}{\numberline {2.1}Packet fileter with NAT}{2}{}%
-\contentsline {subsection}{\numberline {2.2}Packet filtering without NAT}{2}{}%
-\contentsline {subsection}{\numberline {2.3}External Network}{2}{}%
-\contentsline {subsection}{\numberline {2.4}Internal Network}{2}{}%
-\contentsline {section}{\numberline {3}Intrusion Detection}{2}{}%
-\contentsline {section}{\numberline {4}Conclusion}{2}{}%
+\contentsline {subsection}{\numberline {2.1}Packet fileter without NAT}{2}{}%
+\contentsline {subsection}{\numberline {2.2}Packet filtering with NAT}{3}{}%
+\contentsline {section}{\numberline {3}Intrusion Detection}{4}{}%
+\contentsline {section}{\numberline {4}Tests utilizados}{5}{}%
+\contentsline {section}{\numberline {5}Conclusion}{5}{}%

rogerio.txt

@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.1
+
+mQGNBGmLZjwBDACvUK1m3UikneSbyYrP0vbHMz3Dt5u0+1+/UoFHKrcIF0TeLMmeOL6s3iRW
+JoSuB0YEmiO01BMEtUHC3Bt6/fu1TjMTLGEwo4dltw/hakvjELfpKPecIo7NAX1XCmiw7f+M
+2kTfRXGlu0F0kKc+AD+xPC0tunfpacPX/xGtquPz0xp2XbKktNkj8NoUBO7BRtwrfjBXL7ZV
+irlVofs6j7w8Ka9SRtP8GLqsW+LFDQrbsDM2exvp7u61mKvTpuafOUqkqIIrXw4aDOIxjwON
+gjunZ4k38kZADxR+uzzwNFnn15qtLNECUMpOJDPplBDg0uVRQjn1BJ44AkcdwLM3unMp9BvO
+8DKg2Q6kmd5+qu3OH+BVaqDAD+5sED/LC+QGeTIEHGNbTP3hs6dGyeCcNQnORvn5JoMImUk0
+mmV/KV+qpGhi9PSxN44Kau4fWsaWIO33w1vMSnPf/s77dBT0uLT45G/1/b1N3WbD6eKTt+iC
+/+Ovp+MmWv6Fd2fPXEvwedUAEQEAAbQeUm9nZXJpbyBDIDxyb2djb3N0YUBkZWkudWMucHQ+
+iHUEEBYKAB0WIQTzZrv2P/XfDSKZTqn605rfvJqhwQUCaZMIVAAKCRD605rfvJqhwW/8AQDq
+k4kNVJOuOjHiq+F9K7X/QFJp3+z109x/ZpVGtP6aGgD6AlzWjGubsavImEMVN9QKr7tYEOWy
+NHldePm87lnDuQSJAbMEEAEIAB0WIQSORfJtzGpnilRlTysk/REF2WdojAUCaZL1XwAKCRAk
+/REF2WdojPPkC/40CesTUAcCnvKe/UHTbn483zcW8RSsXRzQZDE4iaOZQ2jCS9uzT+SaVNy5
+J8n3PNfghq19yZeyfWZrBHQBCqFwEvYqXZ/z1Qmz8wFvtDX+B5o15kuGO28/epXR7iqx/v53
++le7VmuBR6ri2kq6uT1xzotd6NYcmZpRprnzaGvCUWtuPWhG7SHjZ1TZIJuJ5cmGG8bq/wu/
+n+fcSwa3evCUR0ErkqpcC+Z9Ll8wGuSioov5A3B9UW+QWoC68VyC53RSyanNAYI3czJu5Ltq
+qXNxOv1xC1gew8FvBuxCF/3z++h2W+E5HO02zRwtqglr5ZBr4UmI0E4s8xWq0DWBU+iLwwXq
+GVNZFiJ+fNVHW6cu4deMOMVNrGJlVmlki+GkIFanlrVOwWq2+vsJFYYvHa5zBwjRRqhK5tRk
+OOa0qD3KLsCzKpiCSNb+g7TEjHqmpB/h3/MFf5mVlIiOnGYTDWBlMwZLllpLMc/3/mFm5nfX
+ofuPGl2BHUv0kdSKSa6QiEOJAbMEEAEIAB0WIQSTCl6/mmEFADoHYKEIKzRkXO0zjQUCaZMV
+9QAKCRAIKzRkXO0zjZoDC/9fcB7uDf3QSrIGm+zO//sALNCe0FSOQ5Rn8ZzMOTn3HBI5i7ct
+dZntTZuYFLa0HHWUxHBoCSwMnP5oNG91xpRTxsYpucFkKMljSiSKPgoOGxEaJDW2rK39CbzY
+xDSa9bhnbXzLWn4laTI8n6iip95IWXuqfIqYc6jfVC3YOBg+8rJ8nAJr6CWIX/6k4bavKVQQ
+4bWeuICqUlbNRhZF1BZtCPrFbrChcB+n7CqK0EGkOoySekMr/6VzwgNmuCa2m8Gi9YqzrLLd
+AzPl0mfruNHhHLBrnM0rNMMOaR39/+0xSl6c3JcsQWmgBUM1lt0th1n/yKHJMM802IyQefhR
+aJhg++xjP61vOLuJa7pb5UWiyupstKemX+8f6X970bvYPj0OaSwy4ewgxU2D5Paqd7qonnct
+eYosMnB87ZfS67LcK6YRdqjJeThaQmFujta2hUM6ZczlqGaTsOmZ/GBxIvXGYBrcrnv4d6cj
+nSGwXKKSHD2EWSNsxfIBILkQDEotD5uJAbMEEAEIAB0WIQS/yqosJXwrVXFgqQa1WXCyNLIK
+ZQUCaZMSBAAKCRC1WXCyNLIKZeU7C/4t2QA7MGNJC+uDk4p/VMfqLFz4yoJOQmAyqI+jbJwn
+T+cu2airiE74Nt77kEHjDzyD47LSGjsFe/ynK+Ey/9SeRrzA/NBngP919LW2nSwonfAIiDZ4
+dHD/aeRVCdX6Ni6PY/dc5b5ztMEgu0XBlUtWMkrrPaTmiCQ1wX5IuxrSLwldbgA8ME2TZYh7
+XQ1LUt1n15FipmdBaXxTK5FrqqWeLLxfPdntZVMQnh2nyaqAF6aEZBRj47UrcbJEIM399G8P
+nVExdvOqcCi/CDY15BVBmx/EkWTnudta7fOQgiJiOJ3WLDXvMTEEG06I/dw+eZgGLwl7Ep/x
+zrTP65tF032dxbNy1RONOijlj+l/NuOM7pFofx6yCzmRprbydyb9uM1ysRSV0GI1YW2krFzj
+ZZosZvPB470svviF8adgIQBV5TZQCzWBY+Bc5gimpZwcWCI+ByQfRAimerOgPqz/r2jQglgP
+u4PwnChSTrfNMKyAfpHIKgXAj2ar6X3IvHCkv/OJAdgEEwEIAEIWIQQ3eZDCVL86W7QFeUkd
+N5xZDJkDjwUCaYtmPAIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQ
+HTecWQyZA49onAv9GbcIpT9a52ZfSLfoXUWAVsYrCwfPb6OG+7NwJXwUPf69gK2ZSWZLrcPl
+7gLYKkWsQ2LS9Pb+kirfENk9Xvw+DMBk0KKlvsC3dOFl4srkdvuAoWvR4x5lCKBBusjM2ByR
+kRtN68a3xhLrNIHF7uxFefMIyetCJhGl1Z4rgRzslFjsjeZqv5hs7lYBtodrKXvWOfyEvZRw
+Zpibyu3v+6YgpZKdq/YQd/DNMBgCWJZOUvKbj/XiCVQ+zKBDEZpjM56TqSyqaTs7OyTXlZGX
+WRYXbtOeEf5NFlUT57FetrSszStJKow7AlLBfPlcwFgDEEKNiLf0asfdnfHepR3MT5ULNdut
+hLniGbN8HItqY94dipc0D2l3q/REY7VrsZa3vBmWdMecCLMDLO37CzIqjUO+tIGWOFhXpH86
+ARRb3C4mi39aTk8XlAQ6nUctrQSHd+oRFKRqXznAGIHHo83L7z5XvRwZ/ehZww+h0QL4JEgm
+Jaja3SZFkqf1/yGwT1EyqfVzuQGNBGmLZjwBDAC7UT7SgI/lKTAP5fyrDXDaIsVKCPZ0K+ui
+BqR+Po765zZyuZnCd8IMaeGJZipa4Jc2HRBfb2t/4drDWChhjiMtSk2jA+Ke+z/Gg8yCskg2
+aSjhiKb4dZkCWwg0+Avca3ad8F3G+pbP/aubTH2FydrJP0dQW7sPChKPEhDH83g4ek7w3CXs
+tSLQ8f3orxxqNvDr3BuVK4Lej1zgXMhSUWcTNqFje1jUwG+V03FoHfvM67HTGmnOngu9fCX0
+QbIc0x++zJg3MvPZ+hsSnJ3EemVMc5SMH/GCwIUTufEdpkCLmjETvCFT9JaVwBtgFvsF6adq
+7JMD7wcogGMVXDqrWMONZJPhiLPK9AI57zi7a31AFJEfyMMaBT3io5KdzfM0LCkpI/VT/tsO
+tM/adnID1cFt47WjeQQ0Ed0kH4fk91/wZaMAlgYeN2TSaYjb0v4RkSIWlYz2KyZ2XPaUtYyS
+Md6CmOHchTUTJ9x/qvXD53FYjnkX309c1a9Z++76R+QU6IkAEQEAAYkBvAQYAQgAJhYhBDd5
+kMJUvzpbtAV5SR03nFkMmQOPBQJpi2Y8AhsMBQkDwmcAAAoJEB03nFkMmQOPy/EL/2NTDXEI
+6ZshBZgK1UOxIWLaKuK4LwMimz3IpfWH6E1acSV4oEn5S+kGCzCeWwbOqhjFP5YYlcN3IMJX
+KddpFVn+LiN178qJZM+WxbJdRlc3n9+F2693zGMxmNtgjJ9TDCjar8nyoxWcpKXOtjxf204T
+HZAq/r2l/NHvrqZ4KJ5RU5I1Gb43UcarxZHBHy6N1Z323Zt5UMgA3WWMeXB+r374IBg4g5/l
+WCfhytvZtwVIDDERFMqpyikhlrOzLJQgVoPHUt7PCslvAaVlz1Mkj7JkF+gwizJ+zsCIkJ2Z
+YYk5nfVtDf2xEasrZgs3XF6yhXKHIS1DyIELaLzr6UkLz0H/pwgjHGG9G6pcuMeuS4vR7MEE
+7OssNRo43LjtGT9WglRhMqjqiqAIZUM6NFZ2AQQci5tOj3nNQQHovVaPm0PcC1fv99eMsDBX
+o7LiabG3y38e2q2TzbNl7v3zTXimQKtYzoff6kGr9JnKr1pD/63qZlrTrVEq/SyMrKmWN3Aq
+Rw==
+=as3M
+-----END PGP PUBLIC KEY BLOCK-----

suricata.rules

@@ -0,0 +1,5 @@
+drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
+drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
+drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
+drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
+