Application Security/Netfilter configuration failed

I had an assignment today that required me to block a port on stbkp01 on which Apache HTTP was running (8082) and allow all connections to another port on which Nginx was running (8096). After inserting two rules in the Netfilter ‘filter’ table’s INPUT chain to block both TCP and UDP on the port Apache was running on (since those are the two protocols that use ephemeral ports) I marked the exercise as finished but was told I had failed the exercise.

No filter table INPUT rules were required to allow connections to the Nginx port, given that the default policy for the INPUT chain was set to ACCEPT (see attached screenshot). When I submitted the assignment and was told I had failed, it mentioned the fact that there were no INPUT chain rules for the Nginx port; however, those weren’t required given the chain’s default policy of ACCEPT.

I might suggest, if you want to have these kinds of assignments, that you be more specific about what exactly you want to see in the Netfilter config (i.e., create the appropriate INPUT rules regardless of the filter INPUT chain’s default policy), or appropriately set the default policy to DROP so that the rules are required.

I would ask to be credited with the points for this assignment (which I was judged to have failed) or please point out where my logic above isn’t correct.

Thank you in advance. :slight_smile:

Did you make sure the rules were permanent??

service iptables save

Did you make sure the rules were permanent??
service iptables save

If you look at my screenshot I believe you’ll see that I did.

I think you make a good point about the default policy ACCEPT; still, I add the ACCEPT rule, though:

sudo iptables -A INPUT -p tcp --dport 8096 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

This is another helpful command:
service iptables status

Good luck!

I think the way it was “graded” they obviously expected some ACCEPT rules, as you mention; however, given the default policy is ACCEPT, those rules aren’t needed. If they expected the rules to be there for the assignment to be graded as “Successful”, then the default policy should have been set to DROP. That would have required the rules to be there for it to work. As the assignment was stated, and as the default filter table policy was set, they were not required to be there for it to work, hence my point. :slight_smile:
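To make the point of this thread concrete, here is an added example (not from the course or any poster) that evaluates a packet against `iptables -S INPUT` style output with first-match semantics and reports whether the verdict came from a rule or from the chain policy. The two rulesets are constructed: the first is the thread’s setup (policy ACCEPT, only DROP rules for 8082), the second is the policy-DROP variant where an explicit ACCEPT for 8096 becomes necessary; port numbers come from the thread, everything else (interface names, the extra loopback and ESTABLISHED rules) is assumed.

```python
# Constructed `iptables -S INPUT` output for the two setups discussed above.
POLICY_ACCEPT_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p udp -m udp --dport 8082 -j DROP
"""
POLICY_DROP_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8096 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p udp -m udp --dport 8082 -j DROP
"""

def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain from `iptables -S` style output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            rule, i = {}, 2
            while i < len(tok):
                key = tok[i]
                if key == "-p":
                    rule["proto"] = tok[i + 1]
                elif key == "--dport":
                    rule["dport"] = int(tok[i + 1])
                elif key == "-i":
                    rule["iface"] = tok[i + 1]
                elif key == "--ctstate":
                    rule["states"] = set(tok[i + 1].split(","))
                elif key == "-j":
                    rule["target"] = tok[i + 1]
                i += 2  # every option used here ("-m tcp" included) takes one value
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, proto, dport, state="NEW", iface="eth0"):
    """First matching rule wins; with no match the chain policy decides."""
    for n, r in enumerate(rules, 1):
        if r.get("proto", proto) != proto or r.get("dport", dport) != dport:
            continue
        if r.get("iface", iface) != iface or state not in r.get("states", {state}):
            continue
        return r["target"], f"rule {n}"
    return policy, "chain policy"

if __name__ == "__main__":  # quick demo of both setups for ports 8096 and 8082
    for text in (POLICY_ACCEPT_RULES, POLICY_DROP_RULES):
        pol, rules = parse_chain(text)
        print(pol, [verdict(pol, rules, "tcp", p) for p in (8096, 8082)])
```

Under the first ruleset 8096 is accepted only by the chain policy, which is exactly why a grader that looks for an explicit ACCEPT rule finds none; under the second the policy alone would drop it.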