
Exercise 45: Setting Up a Firewall for Network Segmentation

May 5, 2025

Objective

Configure a firewall to isolate different network segments and enforce security policies. Segment the network into zones like a public DMZ and a private LAN, and control traffic flow between these zones using firewall rules.


Scenario

As a network security administrator, you are tasked with segmenting the network to improve security. You will set up a firewall using iptables on a Linux machine (or a dedicated hardware firewall) to isolate a DMZ hosting a web server from the internal LAN and enforce security policies.

⚠️ Important: This exercise must be performed in a legal and controlled environment. Unauthorized configuration of network devices is illegal and unethical.


Lab Instructions

Step 1: Set Up the Network Segments

  • DMZ (Demilitarized Zone): Hosts public-facing services (e.g., web server).
  • LAN (Local Area Network): Internal devices that must be isolated from the DMZ.
  • Firewall: Controls traffic between DMZ, LAN, and the internet.

Example Network Layout:

  • DMZ Network: 192.168.10.0/24
  • LAN Network: 192.168.20.0/24
  • Firewall Interfaces:
    • eth0: Connected to the Internet
    • eth1: Connected to the DMZ
    • eth2: Connected to the LAN

Step 2: Configure the Firewall (iptables)

a. Enable IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1
  • Make it persistent:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

b. Flush Existing Rules

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F

The nat table is flushed as well so that re-running the steps does not append a second MASQUERADE rule.

c. Set Default Policies to Drop All Traffic

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

d. Allow Necessary Traffic

  • Allow Loopback Traffic on the Firewall Itself (local services need this once INPUT defaults to DROP)
sudo iptables -A INPUT -i lo -j ACCEPT
  • Allow HTTP/HTTPS from the Internet to the DMZ Web Server
sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
  • Allow LAN to Access the Internet (MASQUERADE rewrites the source address to the firewall's eth0 address)
sudo iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • Block DMZ from Accessing LAN
sudo iptables -A FORWARD -i eth1 -o eth2 -j DROP
  • Allow SSH from LAN to Firewall (Management Access)
sudo iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
  • Allow Established and Related Connections (return traffic for the flows accepted above, including the DMZ web server's replies)
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

e. Save the iptables Rules

sudo iptables-save | sudo tee /etc/iptables/rules.v4

This is the file the iptables-persistent package restores at boot; create the /etc/iptables directory first if it does not exist.
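The saved file is also the natural input for the periodic rule review recommended under Security Best Practices. What follows is an added example, not code from the original exercise: a Python script that parses iptables-save output and checks the segmentation invariants of Step 2 (INPUT and FORWARD default to DROP; eth0 to eth1 accepts only TCP 80 and 443; the first FORWARD rule able to match a new DMZ-to-LAN connection is DROP; SSH to the firewall is accepted only on eth2; MASQUERADE exists on eth0). The embedded dump is constructed to mirror the Step 2 rules, and the function names are mine. Point audit_segmentation() at the contents of /etc/iptables/rules.v4 to audit a real firewall.

```python
"""Audit an iptables-save dump for the DMZ/LAN segmentation policy of Step 2.

Added example, not code from the original exercise. The dump below is
constructed to mirror the Step 2 rules; names and findings text are mine.
"""
import shlex

# Constructed sample of what `iptables-save` (or /etc/iptables/rules.v4) contains
# after Step 2; eth0 = Internet, eth1 = DMZ, eth2 = LAN as in the example layout.
SAMPLE_RULES_V4 = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j DROP
COMMIT
"""

# Options this audit cares about, mapped to the dict keys used below.
WANTED = {"-i": "i", "-o": "o", "-p": "p", "-j": "j", "--dport": "dport", "--state": "state"}


def parse_iptables_save(text):
    """Return (policies, rules). policies maps (table, chain) -> default target;
    rules is the ordered list of -A lines as dicts (table, chain, i, o, p, j,
    dport, state). Address matches (-s/-d) are not needed for this audit."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rule = {"table": table, "chain": tokens[1]}
            i = 2
            while i < len(tokens):
                if tokens[i] in WANTED:
                    rule[WANTED[tokens[i]]] = tokens[i + 1]
                    i += 2
                else:           # e.g. "-m tcp": no policy meaning for this audit
                    i += 1
            rules.append(rule)
    return policies, rules


def audit_segmentation(text, inet="eth0", dmz="eth1", lan="eth2"):
    """Check the Step 2 invariants in first-match order; return a list of findings
    (an empty list means the ruleset still enforces the segmentation policy)."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(("filter", chain)) != "DROP":
            findings.append(f"{chain} default policy is not DROP")
    fwd = [r for r in rules if r["table"] == "filter" and r["chain"] == "FORWARD"]
    # Internet -> DMZ: every ACCEPT must be limited to TCP 80 or 443.
    for r in fwd:
        if r.get("i") == inet and r.get("o") == dmz and r.get("j") == "ACCEPT":
            if not (r.get("p") == "tcp" and r.get("dport") in ("80", "443")):
                findings.append(f"Internet->DMZ accepts more than HTTP/HTTPS: {r}")
    # DMZ -> LAN: the first non-state rule with a target that can match a new
    # connection (interface given or wildcard) decides; otherwise the chain policy does.
    verdict = next((r["j"] for r in fwd
                    if r.get("i") in (dmz, None) and r.get("o") in (lan, None)
                    and "state" not in r and "j" in r),
                   policies.get(("filter", "FORWARD")))
    if verdict != "DROP":
        findings.append("new connections from DMZ to LAN are not dropped")
    # Management: SSH to the firewall is only accepted on the LAN interface.
    for r in rules:
        if (r["table"] == "filter" and r["chain"] == "INPUT" and r.get("dport") == "22"
                and r.get("j") == "ACCEPT" and r.get("i") != lan):
            findings.append(f"SSH accepted from non-LAN interface: {r}")
    # LAN -> Internet only works with source NAT on the Internet interface.
    if not any(r["table"] == "nat" and r["chain"] == "POSTROUTING"
               and r.get("o") == inet and r.get("j") == "MASQUERADE" for r in rules):
        findings.append("no MASQUERADE on the Internet interface for LAN traffic")
    return findings


if __name__ == "__main__":
    # Live firewall: audit_segmentation(open("/etc/iptables/rules.v4").read())
    problems = audit_segmentation(SAMPLE_RULES_V4)
    print("PASS" if not problems else "\n".join("FAIL: " + p for p in problems))
```

The DMZ-to-LAN check walks the FORWARD chain in order and stops at the first rule that could match a fresh connection, so a broad ACCEPT inserted above the DROP (a common drift when someone "temporarily" opens the DMZ) is reported, which a simple grep for the DROP line would miss.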

Step 3: Testing the Firewall Setup

a. Allowed Traffic Test

  • From the Internet or another network, access the DMZ web server:
curl http://<dmz-web-server-ip>
  • Expected Result: The web page should load successfully.

b. Blocked Traffic Test

  • Attempt to access the LAN from the DMZ:
ping 192.168.20.10
  • Expected Result: The request should be blocked. Because the rule uses DROP rather than REJECT, no reply comes back and ping reports 100% packet loss.

c. SSH Access Test

  • From the LAN, attempt SSH access to the firewall:
ssh admin@<firewall-ip>
  • Expected Result: SSH connection should be successful.

Step 4: Discuss the Advantages of Network Segmentation

  1. Reduced Attack Surface: Limits the reach of attackers within the network.
  2. Access Control: Fine-grained control over traffic between network zones.
  3. Containment: Prevents lateral movement in case of compromise.
  4. Compliance: Helps meet regulatory security requirements.
  5. Improved Performance: Isolates traffic, reducing congestion.

Solution & Explanation

Why Network Segmentation Matters

  • Isolating different parts of the network prevents unauthorized access and limits the impact of attacks.

Key Firewall Rules Implemented

  1. Access Control: Only HTTP/HTTPS traffic is allowed to the DMZ.
  2. Network Address Translation (NAT): Enables LAN devices to access the internet.
  3. Traffic Blocking: DMZ cannot access the internal LAN.
  4. Limited Access: SSH is restricted to trusted networks.

Testing & Verification

  1. Web Access Test: Confirm that public access to the web server works.
  2. LAN Access Test: Ensure the DMZ cannot access the LAN.
  3. Firewall Management: Verify SSH is accessible only from the LAN.

View Active Rules

sudo iptables -L -v -n

Monitor Logs

sudo tail -f /var/log/syslog

Note that iptables writes nothing to syslog on its own: only packets that hit a rule with the LOG target appear there, and the ruleset above contains no such rule, so insert one ahead of the DROP rule for any traffic you want visibility into.
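Tailing syslog by eye does not scale once the DMZ starts generating noise, so here is an added example (not part of the original exercise) of turning the kernel's netfilter LOG lines into a per-flow count of dropped DMZ-to-LAN packets. It assumes a hypothetical logging rule, shown in a comment, inserted in front of the DMZ-to-LAN DROP with the prefix DMZ2LAN-DROP: ; the syslog excerpt is constructed, not captured, and the function names are mine.

```python
"""Summarize netfilter LOG lines in syslog to see what the firewall dropped.

Added example, not code from the original exercise. The Step 2 ruleset has no
LOG target, so this assumes the hypothetical rule below was inserted in front
of the DMZ->LAN DROP; the syslog lines are constructed, not captured.
"""
import re
from collections import Counter

# Hypothetical logging rule assumed by this example (not part of the page's rules):
#   sudo iptables -I FORWARD -i eth1 -o eth2 -j LOG --log-prefix "DMZ2LAN-DROP: "
# Constructed /var/log/syslog excerpt: three dropped packets from DMZ host
# 192.168.10.5, one from 192.168.10.7, plus one unrelated cron line.
SAMPLE_SYSLOG = """\
May  5 10:02:11 fw kernel: [  812.331] DMZ2LAN-DROP: IN=eth1 OUT=eth2 MAC=02:00:00:00:00:02:02:00:00:00:00:05:08:00 SRC=192.168.10.5 DST=192.168.20.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
May  5 10:02:12 fw kernel: [  813.002] DMZ2LAN-DROP: IN=eth1 OUT=eth2 MAC=02:00:00:00:00:02:02:00:00:00:00:05:08:00 SRC=192.168.10.5 DST=192.168.20.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
May  5 10:02:30 fw kernel: [  831.118] DMZ2LAN-DROP: IN=eth1 OUT=eth2 MAC=02:00:00:00:00:02:02:00:00:00:00:05:08:00 SRC=192.168.10.5 DST=192.168.20.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5001 DF PROTO=TCP SPT=44512 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
May  5 10:03:01 fw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
May  5 10:03:15 fw kernel: [  876.420] DMZ2LAN-DROP: IN=eth1 OUT=eth2 MAC=02:00:00:00:00:02:02:00:00:00:00:07:08:00 SRC=192.168.10.7 DST=192.168.20.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5002 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "kernel: [uptime] PREFIX: IN=..." -- the uptime stamp is optional in some syslog setups.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[A-Za-z0-9_-]+): (?P<fields>IN=.*)$")


def parse_netfilter_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict (plus
    'prefix' and 'timestamp'), or None if the line is not a netfilter log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "timestamp": line[:15]}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", m.group("fields")):
        # ICMP lines carry ID= twice (IP header, then ICMP id); keep the first.
        rec.setdefault(key, value)
    return rec


def summarize_drops(text, prefix="DMZ2LAN-DROP"):
    """Count logged packets per (src, dst, proto, dport); dport is '-' when absent."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and rec["prefix"] == prefix:
            counts[(rec["SRC"], rec["DST"], rec["PROTO"], rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    # Live use: summarize_drops(open("/var/log/syslog").read())
    for (src, dst, proto, dport), n in summarize_drops(SAMPLE_SYSLOG).most_common():
        print(f"{n:4d}  {src:15s} -> {dst:15s} {proto:5s} dport={dport}")
```

Grouping by source, destination, protocol and destination port is what makes the output actionable: a DMZ host repeatedly hitting LAN ports 445 or 22 is the lateral-movement pattern the segmentation exists to stop, and the summary tells you which DMZ host to investigate rather than just that "something was dropped".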

Security Best Practices

  1. Principle of Least Privilege: Only allow necessary traffic.
  2. Use Stateful Firewalls: Track and manage connection states.
  3. Regular Auditing: Review firewall rules periodically.
  4. Log and Monitor Traffic: Enable logging for security visibility.
  5. Firmware and Patches: Keep firewall devices updated.

Additional Script (Optional)

Automate Basic Firewall Setup:

#!/bin/bash
# Basic Firewall Setup for Network Segmentation (run as root: sudo ./firewall_setup.sh)
# Interfaces follow the example layout: eth0 = Internet, eth1 = DMZ, eth2 = LAN
set -e
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback and already-established flows first; the rules below then only see new connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ web server: HTTP and HTTPS only
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
# LAN -> Internet, with source NAT on the Internet-facing interface
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth2 -j DROP   # DMZ must never reach the LAN
iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT   # SSH to the firewall from the LAN only
iptables-save > /etc/iptables/rules.v4
echo "Firewall configuration completed."

Run the script:

chmod +x firewall_setup.sh
sudo ./firewall_setup.sh

Conclusion

In this exercise, you configured a firewall using iptables to enforce network segmentation between a DMZ and a LAN. You implemented rules to control traffic flow, tested the setup, and discussed how network segmentation improves security by isolating critical assets and reducing the attack surface.
