6

I have to make a demonstration about firewalls in my class as a student (university). It should be implemented using iptables on Linux. I am reading all the theory around them but I can't figure out a good use case to present in class. I can show how to add rules etc., but this isn't enough.

Could I have 2 PCs in a network to show what happens when a connection is blocked, for example? Any other ideas?

Ali Ahmad
GorillaApe

5 Answers

7

You can use a network protocol analyzer like Wireshark to show exactly what is happening. Set up an experiment with and without a certain set of rules and compare the results from the Wireshark log files. That way you can show what happens on the network level.

If you don't want to bring more than one computer, you can use virtual machines to simulate the different hosts interacting with each other. It is a little less impressive than using real computers but works almost the same. That way you can demonstrate the use of iptables as a host-based firewall (controlling access to the machine iptables is running on, with the host OS and a single virtual machine) and as a stand-alone network firewall. In the second scenario you can use 3 virtual machines (or 2 VMs and the host OS), simulating a client, a server and the firewall in between. The more virtual machines, the more is possible. Add one more and create a DMZ, for example. It depends on how much time you have and how deep you want to go.

Demento
5

At home I use iptables for my network firewall (integrated with my gateway) as well as my host firewall.

I recommend taking a look at the Linux home networking iptables tutorial, the Ubuntu iptables tutorial and this iptables script generator.

If you can outline what you need to show for this presentation it would be easier to answer this question.

It seems that the main thing you should look into is the logging abilities of iptables. Throw up a virtual (or physical, just a bit more bulky, haha) network with 2 workstations and have them separated by a Linux machine with 2 interfaces running iptables. I'm not aware of how advanced your class is, but explain to them that the firewall divides the network into two zones, the internal and the external. Then show communication between the two networks. For instance you could set up an Apache server on both workstations and then show how the internal machine can access the external web site, but the external cannot access the other. This also depends on how you set up the firewall.

If you're not bound solely to iptables, also take a look at ufw.

Ormis
5

You can set up one PC or virtual machine to host 2 or 3 different services (Web server, FTP server, SSH for example). This is the PC where you'll be editing the iptables rules.

First demo a different PC accessing each service and show it works (e.g., visit the web site, ftp and ssh servers).

Next, use an iptables rule to reject access from any IP to port 80, then try to visit the website again. The connection should fail immediately. You can also show what happens when you use the drop directive instead of reject. It makes the web browser hang. Connections to the SSH or FTP server should still work. Here are 2 rules for blocking access to port 80.

iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p tcp --dport 80 -j DROP

Then you can do the same for the other services (--dport 22, --dport 21), or do it for a single IP:

iptables -A INPUT -s 192.168.1.100 -j REJECT  #assuming client is at 192.168.1.100

The rules above assume that the default firewall policy is to accept any packets that don't match a rule, so you could maybe also demo adding exceptions, so "opening" ports e.g.:

iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

There are far more examples you could do, but doing the client/server model should help students see what's going on when you type those commands in. See "Firewall demo - iptables" for other examples.

davidbb
3

I'm not familiar with iptables, however if you want to show how a firewall works then I suggest:

  • Block/allow connection(s).
  • Block port scan.
  • Block IP(s).
  • Drop connection(s).
  • Allow/block connection for IP(s).
  • Block programs from calling home.
  • Allow program to listen on port x.
  • Block program from listening on port x.
KilledKenny
0

No discussion of iptables is complete without a firewall demo. To test the firewall, download and run Nessus against it.

Also you need to cover ipset, as ipset allows iptables to efficiently handle 1000 and indeed 20000+ IP addresses on a block or white list. If you don't use ipset on a large block list and instead enter 1000+ iptables rules, your CPU utilization will go to 100% and stay there.

Using ipset also gives you the option to easily implement timeout features or counters for your block lists.

iptables -L -v -n -x

This gives you per-rule statistics you can talk about.

cybernard