Working with IP Sets and iptables

30 minutes

About this Hands-on Lab

IP Sets can facilitate the management of a complex firewall ruleset. This exercise refreshes basic skills with the `iptables` command and begins developing an understanding of working with IP Sets. Having a working knowledge of IP sets and `iptables` is a requirement of the advanced certification exams such as the LPIC-3 303-200.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a new IP set called `clienthosts` that contains the IP and port combinations for each client server.

The set must be configured to persist across a reboot.

Run the following commands:

ipset create clienthosts hash:ip,port
ipset add clienthosts 10.0.1.100,80
ipset add clienthosts 10.0.1.200,80
ipset save clienthosts > /etc/sysconfig/ipset

Add a new rule to the INPUT chain that accepts traffic from all IP/port combinations (source IP, destination port) in the `clienthosts` set.

The rule must persist across a reboot.

Run the following commands:

iptables -I INPUT -m set --match-set clienthosts src,dst -j ACCEPT
iptables-save > /etc/sysconfig/iptables

The `src,dst` flags map the first element of each set entry (the IP) to the packet's source address and the second (the port) to its destination port. On boot, the ipset service must restore the set before iptables restores its rules: a rule that references a set which does not yet exist fails to load.
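The lab adds two hosts by hand; as the host list grows, a script that rebuilds the set from a list and swaps it in atomically is easier to manage. The following is an added example, not part of the lab: `gen_ipset_restore` emits `ipset restore` input in the same format `ipset save` produces, `apply_set` builds a scratch set (the name `clienthosts_tmp` is an assumption) and swaps it into place so the live rule never matches against a half-populated set, `apply_rule` uses `iptables -C` to avoid inserting duplicates, and `persist` writes the files the lab expects on a RHEL/CentOS layout.

```shell
#!/bin/sh
# Added example (not from the lab): rebuild the clienthosts set from a list of
# IP,PORT pairs, swap it in atomically, install the INPUT rule, and persist.
# Assumes the RHEL/CentOS paths /etc/sysconfig/ipset and /etc/sysconfig/iptables.
set -eu

SET=clienthosts
TMPSET="${SET}_tmp"   # scratch set name (assumption); same type as SET for `ipset swap`

# Emit an `ipset restore`-compatible script creating NAME (hash:ip,port) and
# adding every "IP,PORT" argument as a tcp entry, which is ipset's default
# protocol for hash:ip,port. Pure text generation, so it needs no privileges.
gen_ipset_restore() {
    name=$1; shift
    printf 'create %s hash:ip,port family inet hashsize 1024 maxelem 65536\n' "$name"
    for entry in "$@"; do
        ip=${entry%,*}
        port=${entry#*,}
        printf 'add %s %s,tcp:%s\n' "$name" "$ip" "$port"
    done
}

# Populate TMPSET, make sure SET exists, then swap contents so the rule that
# references SET sees either the old list or the complete new one, never a
# partially filled set. Requires root.
apply_set() {
    ipset destroy "$TMPSET" 2>/dev/null || true
    gen_ipset_restore "$TMPSET" "$@" | ipset restore
    ipset create -exist "$SET" hash:ip,port
    ipset swap "$TMPSET" "$SET"
    ipset destroy "$TMPSET"
}

# Insert the rule at the top of INPUT only if an identical rule is not already present.
apply_rule() {
    iptables -C INPUT -m set --match-set "$SET" src,dst -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET" src,dst -j ACCEPT
}

# Save both so the ipset and iptables services restore them at boot
# (the set must be restored before the ruleset that references it).
persist() {
    ipset save "$SET" > /etc/sysconfig/ipset
    iptables-save > /etc/sysconfig/iptables
}

# Usage: ./clienthosts.sh --apply 10.0.1.100,80 10.0.1.200,80
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_set "$@"
    apply_rule
    persist
fi
```

Running the script with `--apply` on config-server reproduces the lab's end state; re-running it with a longer host list replaces the set contents in one step without ever removing the ACCEPT rule.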

Additional Resources

Your colleague has stood up an Apache server that provides bootstrap configuration files to specific servers on the company's internal network and wants to limit which hosts can pull files from it. They have asked you to implement a firewall solution to accomplish this. You will create an IP set containing IP and port pairs so that firewall management stays simple as the number of hosts requiring access increases.

You have been given access to config-server, the Apache host on which you must configure the firewall. You have also been given two additional hosts (bootstrap1 and bootstrap2) for testing your configuration.

Name the IP set clienthosts and add the IP of each bootstrap host along with the noted port to the IP set:

  • IP 10.0.1.100 port 80
  • IP 10.0.1.200 port 80

Be sure to save the IP set to /etc/sysconfig/ipset so it will persist across a reboot.

You also must add a new rule at the beginning of the INPUT chain of the filter table so the clients can reach the Apache server. The rule should treat the IPs in the clienthosts set as source IPs and the port paired with each IP as the destination port, accepting traffic only for those source IP and destination port pairs.

Be sure to save the new rule to /etc/sysconfig/iptables so it will persist across a reboot.

Please note that all necessary packages have been installed on the test server for your convenience.

Summary tasks list:

  • Create a new IP set called clienthosts that contains the IP and port combinations for each client server. Be sure the IP set is configured to persist across a reboot.

  • Add a new rule to the INPUT chain that accepts traffic from all IP/port combinations (source IP, destination port) in the clienthosts set. The rule should persist across a reboot.
