30 Levels of NAT Firewall Lab

Posted by cooper on Apr 16, 2011 in cisco, g33k, juniper

So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there were 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me: I wonder how crap the internet would be sitting behind 30 of those slow-ass, god-awful-to-use-and-configure firewalls. So here are the results:

Network Diagram


Sample PIX 501 conf (N is this firewall's level in the chain and N1 stands for N+1, so each firewall's outside network is the next firewall's inside network):

: PIX 6.x treats lines beginning with a colon as comments
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com

: PIX 501 defaults: ethernet0 is outside (security0), ethernet1 is the 4-port inside switch (security100)
ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full

: default route to the inside address of the next firewall up the chain,
: and PAT everything behind this box onto the outside interface address
route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface

: PIX ACLs need a protocol keyword ("permit ip any any"; "permit any any" is rejected)
access-list outbound permit ip any any
access-group outbound in interface inside

: PIX 6.x does not track ICMP state, so echo replies coming back in on outside
: need an explicit permit (permit icmp any any echo-reply would be the tighter form)
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside

Video of the Results

Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.


IPTables Template

Posted by cooper on Apr 9, 2011 in g33k, linux

So I thought I would share a good IPTables starting template, all tested on Ubuntu 10.10.


#!/bin/sh
# Cooper Lees IPTables Rules
# Last Updated 20110409
# IPv4 INPUT chain only: ip6tables has its own rule set and default policy,
# and OUTPUT / FORWARD keep their default ACCEPT policy.

# Drop by default, but always allow loopback
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# ICMP is good (ping, path MTU discovery, unreachables)
iptables -A INPUT -p icmp -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Rate-limit new SSH connections per source IP: every new connection is recorded
# (--set); the 4th from the same address inside 60 seconds is dropped
# (--hitcount 4 means "4 or more"), so 3 per minute get through. --update also
# records the dropped attempt, so a source that keeps retrying stays blocked
# until it backs off for the window.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Handy if you have an IPv4 to IPv6 tunnel (protocol 41 = 6in4) from a known endpoint;
# the script refuses to run until IPV4_TUNNEL_ADDRESS is set
IPV4_TUNNEL_ADDRESS=${IPV4_TUNNEL_ADDRESS:?set to your tunnel endpoint address}
iptables -A INPUT -p 41 -s "${IPV4_TUNNEL_ADDRESS}" -j ACCEPT
# Handy for debugging what is getting blocked (watch /var/log/kern.log)
iptables -A INPUT -j LOG --log-level debug --log-prefix "iptables INPUT: "
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

– Load from the CLI, confirm you can still reach the box over SSH, then persist with iptables-save > /etc/iptables.up.rules
– On Ubuntu add "pre-up iptables-restore < /etc/iptables.up.rules" to the loopback interface stanza in /etc/network/interfaces, so the rules are in place before any other interface comes up
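Two things in that template are easy to get wrong in your head: what `--hitcount 4 --seconds 60` actually lets through, and what the LOG rule leaves in kern.log. The following Python is an added example (not code from the original post): it models the three SSH rules (a `--set` that records every new connection, then an `--update` that matches when the source has 4 or more stamps inside the window and records the packet again, then the ACCEPT), and summarises constructed netfilter LOG lines by source, protocol and destination port. The inclusive window boundary and the 20-stamp cap per address are modelling assumptions; the timestamps and log lines are made up.

```python
"""Model of the SSH rate limit in the template above (the -m recent --set /
--update --seconds 60 --hitcount 4 pair) and a summariser for the kernel log
lines its LOG rule emits. Added example, not code from the original post;
attempt timestamps and log lines are constructed for illustration."""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4 ("4 or more hits")
LIST_SIZE = 20        # assumption: xt_recent keeps ip_pkt_list_tot (default 20) stamps per address


class RecentTable:
    """One xt_recent list: per source address, timestamps of recent hits."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_SIZE))

    def set(self, src, now):
        # '-m recent --set': record this packet against its source
        self.stamps[src].append(now)

    def update(self, src, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        # '-m recent --update --seconds S --hitcount N': matches when the
        # source already has N or more stamps inside the last S seconds.
        # On a match the current packet is recorded again (that is the
        # "update"), which is why a source that keeps retrying stays blocked.
        # Window boundary is treated as inclusive (model assumption).
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_new_connection(table, src, now):
    """Walk one new SSH connection (tcp/22, state NEW) through the three SSH
    rules of the template and return the verdict."""
    table.set(src, now)            # rule 1: --set has no target, always falls through
    if table.update(src, now):     # rule 2: --update ... -j DROP
        return "DROP"
    return "ACCEPT"                # rule 3: --dport 22 --state NEW -j ACCEPT


def simulate(attempts):
    """attempts: iterable of (seconds_since_start, source_ip) in arrival order.
    Returns the verdict for each attempt."""
    table = RecentTable()
    return [ssh_new_connection(table, src, t) for t, src in attempts]


# --- what the LOG rule leaves in /var/log/kern.log -------------------------
# Fields of a netfilter LOG line; DPT is absent for protocols without ports.
LOG_RE = re.compile(
    r"iptables INPUT: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)


def summarize_log(lines):
    """Count logged (hence about-to-be-rejected) packets by source, protocol
    and destination port. Lines without the LOG prefix are ignored."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[(m["src"], m["proto"], m["dpt"] or "-")] += 1
    return dict(counts)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Apr  9 10:15:01 host kernel: [ 1234.567] iptables INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr  9 10:15:02 host kernel: [ 1235.101] iptables INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr  9 10:15:03 host kernel: [ 1236.222] iptables INPUT: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=44",
    "Apr  9 10:15:04 host sshd[1234]: Accepted publickey for cooper from 198.51.100.9 port 40000 ssh2",
]


if __name__ == "__main__":
    # One source every 10 s: the 4th attempt inside 60 s is dropped, and so is the 5th.
    print(simulate([(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
                    (30, "203.0.113.5"), (40, "203.0.113.5")]))
    print(summarize_log(SAMPLE_LOG))
```

Running the simulation with one attempt every 30 seconds gives ACCEPT throughout (never more than 3 stamps in any 60-second window), while one attempt every 10 seconds is dropped from the 4th onwards; if you really want 4 per minute through, use `--hitcount 5`. The log summary is what you would grep out of kern.log when something behind the REJECT rule is not working.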


Senior IT Security Consultant

Posted by cooper on Apr 9, 2011 in g33k, work

So a new chapter of my life begins next month when I change my place of work: after 4.5 years of being an HPC / Unix admin @ ANSTO (http://www.ansto.gov.au) I become a senior security-focused network engineer.

I will be moving to ICT Security, based in North Sydney, with a main focus on Juniper Networks security equipment and solutions. So expect to see Cooper @ more Sydney events and actually in the city, e.g. SAGE meetings etc.

Copyright © 2017 I-R-Coops Blog All rights reserved. Theme by Laptop Geek.