Firewall
Toby Lin edited this page Nov 10, 2021 · 13 revisions
Provide students with a mandatory firewall that protects the overall infrastructure.
- Always run the firewall provided.
- You may make the firewall rules more restrictive but not more permissive.
- For example, you may block all FTP traffic outright, but you may not allow FTP traffic to bypass the tcp_flood chain, which rate limits the number of new TCP connections per minute; any traffic you allow must still traverse that chain first.
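The ordering rule above, as an added example that is not the project's own firewall_rules.sh: the chain name tcp_flood comes from this page, while the rate-limit values, the FTP port list and the use of the FORWARD chain are assumptions. The script prints rules by default (DRY_RUN=1) so the result can be inspected before anything is applied.

```shell
#!/bin/sh
# Added example (not the project's firewall_rules.sh). The chain name tcp_flood
# is from the wiki page; the limit values, ports and FORWARD chain are assumed.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands; 0 = apply them (root)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Assumed shape of the baseline: every new TCP connection is sent through
# tcp_flood, which lets a limited number per minute through and drops the rest.
baseline_rules() {
    ipt -N tcp_flood
    ipt -A tcp_flood -m limit --limit 60/minute --limit-burst 20 -j RETURN
    ipt -A tcp_flood -j DROP
    ipt -A FORWARD -p tcp --syn -j tcp_flood
}

# Allowed: a more restrictive rule. Appending (-A) to FORWARD places it after
# the tcp_flood jump, so FTP packets are still rate limited before being dropped.
ftp_block_rule() {
    echo "-A FORWARD -p tcp -m multiport --dports 20,21 -j DROP"
}

# Not allowed: inserting (-I) at the top of FORWARD would put a rule ahead of
# the tcp_flood jump and let that traffic bypass the rate limiter.
# Returns 0 (true) when the rule text inserts into FORWARD.
is_bypass() {
    case "$1" in
        "-I FORWARD"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuses any rule that would bypass tcp_flood, otherwise applies it.
apply_rule() {
    rule="$1"
    if is_bypass "$rule"; then
        echo "refusing: '$rule' would bypass tcp_flood" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the rule text
    ipt $rule
}

if [ "${1:-}" = "show" ]; then
    baseline_rules
    apply_rule "$(ftp_block_rule)"
fi
```

Run with `sh example.sh show` to print the rule set; `DRY_RUN=0` applies it, which requires root. The check in is_bypass is deliberately coarse: any insert into FORWARD is treated as a bypass because the baseline's tcp_flood jump is the first rule there.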
Your system must have the br_netfilter module loaded in order to enable packet filtering between bridge interfaces. If it is not loaded, you may see the following message when running the baseline firewall script:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
To enable the kernel module, run:
modprobe br_netfilter
Then enable it via sysctl:
sysctl -w net.bridge.bridge-nf-call-iptables=1
Otherwise, iptables will not receive packets from bridge interfaces. This is what allows you to control traffic between containers.
- View the firewall rules
- Check out debugging firewall rules
Run firewall_rules.sh, located in /root/Honeypot_Project/firewall/.