Week 3 Firewall Challenge

Published: (January 1, 2026 at 02:59 PM EST)
9 min read
Source: Dev.to

The Scenario

You’re the security engineer. The network is live. Configure the firewall or the company is vulnerable.

No solutions. No step‑by‑step. Just requirements and a ruleset validator.

Sound intimidating? Good. That’s the point.

What You’re Building

📝 Your deliverable: A complete iptables ruleset saved to a file (challenge4-ruleset.txt)

You’ll configure a 3‑zone corporate firewall protecting:

  • Internet ↔ Server Farm (web, mail, database, DNS servers)
  • Corporate LAN ↔ Server Farm (employee access)
  • Corporate LAN ↔ Internet (browsing, updates)

There are 18 specific requirements covering:

  • ✅ Access control (who can reach what?)
  • ✅ Security logging (with rate limiting)
  • ✅ Anti‑spoofing protection
  • ✅ Stateful connection tracking
  • ✅ Network segmentation

What You Must Create

  • A bash script with iptables commands (challenge4-solution.sh)
  • A saved ruleset file from iptables-save (challenge4-ruleset.txt)
  • Upload the ruleset file to Claude/ChatGPT for AI grading

Why This Challenge Is Different

Most firewall tutorials:

  • Give you the commands
  • Explain each line
  • Hold your hand through setup
  • Test nothing

This challenge:

  • Gives you requirements, not commands
  • You figure out the implementation
  • Clear success criteria (pass/fail)
  • Tests real‑world scenarios

It’s designed like a take‑home security interview.

What You’ll Learn

1. Stateful Firewalls

# Accept return traffic for connections conntrack already knows about
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Understanding why this rule comes first separates beginners from professionals: it matches the bulk of packets, so every rule after it only has to describe the first packet of a new connection.

2. Network Segmentation

  • Internet → Can access Web/Mail servers only
  • Employees → Can access internal portal, NOT database directly
  • IT Admin → SSH access to all servers
  • Web Server → Database access, Employees CAN’T reach DB directly

3. Security Logging (Without Breaking Your Disk)

# Rate‑limited logging: this LOG rule fires at most 5 times a minute once the
# initial burst of 10 is used up, so a flood of denied packets can't fill the disk
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG

As written this logs every forwarded packet (subject to the limit); in a real ruleset it sits just before the final DROP so that only rejected traffic is logged. You’ll learn when to log, when to rate‑limit, and why both matter.

4. Anti‑Spoofing Protection

# Drop packets arriving on the LAN interface (eth1) whose source address is not in the LAN subnet
iptables -A FORWARD -i eth1 ! -s 192.168.10.0/24 -j DROP

This defends against IP spoofing: a LAN host cannot forge a server‑farm or Internet source address, and the mirror‑image rule on the Internet interface (drop anything arriving from outside that claims an internal source) stops outside traffic from impersonating your own hosts.

The Challenge Structure

Part 1: Basic Setup

  • Set default policies
  • Configure stateful connection tracking
  • Drop invalid packets

Part 2: Internet ↔ Server Farm

  • Allow HTTP/HTTPS to the web server only
  • Allow SMTP to the mail server only
  • Block everything else (with logging)

Part 3: Corporate LAN ↔ Server Farm

  • Employees access web portal and email
  • IT Admin gets SSH to all servers
  • Web server can query database
  • Everyone else blocked

Part 4: Corporate LAN ↔ Internet

  • Employees browse the web, use DNS
  • Internet can’t reach Corporate LAN directly

Part 5: Security Hardening

  • Anti‑spoofing rules
  • Connection rate limiting
  • Comprehensive logging

Total: 18 specific requirements you must implement correctly.

How Hard Is It?

  • Beginner? You’ll struggle (that’s the point).
  • Intermediate? Finish in 45–60 minutes if you know iptables basics.
  • Expert? Prove it. Complete it perfectly on the first try.

Everyone ends up with a realistic corporate firewall ruleset for their portfolio.

The Challenge Workflow

1. Write iptables script → 2. Save ruleset file → 3. Upload to AI → 4. Get graded
   (30‑60 min)                (iptables‑save)          (Claude)          (Score/100)
                                                                      ↓
                                                               Fix & retry
                                                               until 95+/100

You MUST create an actual file with your iptables rules – this isn’t a reading exercise!

How to Complete This Challenge

⚠️ IMPORTANT

You must create an actual iptables ruleset file, not just read the requirements!

The challenge has 7 clear steps:

Step 1: Get the Challenge

git clone https://github.com/fosres/AppSec-Exercises.git
cd AppSec-Exercises/Week-3-Firewalls
cat Challenge_4_Corporate_Network_Firewall.md

Step 2: Read All 18 Requirements

The challenge document includes:

  • ✅ Network topology diagram (3 zones: Internet, Corporate LAN, Server Farm)
  • ✅ 18 numbered requirements (what to allow/block)
  • ✅ Clear specifications for rate limiting
  • ✅ Clear specifications for logging
  • ✅ Success‑criteria checklist

Read everything before writing a single command!

Note: A working solution exists here, but try it yourself first! You’ll learn much more from struggling than from copying.

Step 3: Write Your iptables Script

# Create your solution file
vim challenge4-solution.sh

Add the necessary iptables commands, make the script executable, and test it on a suitable Linux host.

Step 4: Save the Ruleset

sudo iptables-save > challenge4-ruleset.txt

Step 5: Upload for AI Grading

Submit challenge4-ruleset.txt to Claude/ChatGPT (or the provided validator) and review the feedback.

Step 6: Iterate

Fix any issues reported by the validator, re‑save the ruleset, and re‑upload until you achieve a passing score (≥ 95/100).

Step 7: Document Your Work

Add comments to challenge4-solution.sh explaining each rule and why it satisfies the corresponding requirement. This will be valuable for future reference and for showcasing your solution in a portfolio.

Corporate Network Firewall – Challenge 4

Template to start with

#!/bin/bash
# Challenge 4: Corporate Network Firewall
# Your Name - Date

# Stop at the first failing iptables command instead of loading a half‑built ruleset
set -e

# Flush existing rules and delete user‑defined chains (filter table)
sudo iptables -F
sudo iptables -X

# Set default policies: nothing crosses between zones unless a rule allows it
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# ============================================
# PART 1: BASIC SETUP
# ============================================

# Rule 1: Allow return traffic for connections conntrack already tracks (first, so it matches most packets)
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Rule 2: Drop packets conntrack cannot classify (malformed, out‑of‑window, etc.)
sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# ============================================
# PART 2: ANTI‑SPOOFING
# ============================================

# Rule 3: Block spoofed packets on eth1
# TODO: Implement this

# ============================================
# CONTINUE WITH ALL 18 REQUIREMENTS...
# ============================================

echo "Firewall configured successfully!"

Your job: Implement all 18 requirements as iptables rules in the script above.

Step 4 – Test Your Script (Optional)

If you have a VM or lab environment:

# Make executable
chmod +x challenge4-solution.sh

# Run it
sudo ./challenge4-solution.sh

# Verify rules loaded
sudo iptables -L FORWARD -v -n

Tip: If you don’t have a lab, you can skip to Step 5.

Step 5 – Save Your Ruleset to a File

This is REQUIRED for grading.

If you ran the script

# Save the active iptables rules
sudo iptables-save > challenge4-ruleset.txt

If you don’t have a lab

  1. Manually create the ruleset file by extracting only the iptables commands from your script.
  2. Remove sudo and echo lines, keeping just the iptables commands.
  3. The format should match the output of iptables-save.

Example challenge4-ruleset.txt

# Generated by iptables-save v1.8.9
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "LAN-SPOOF: "
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -j DROP
# ... rest of your rules ...
COMMIT
# Completed on [date]

This file is what you’ll submit for grading!
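If you have no lab host, the manual conversion above is mechanical enough to script. The converter below is an added example, not code from the challenge repo: it strips sudo, turns -P/-N lines into chain headers, collects the -A rules and wraps them in *filter/COMMIT. The embedded sample script is constructed for illustration and is not a full 18‑requirement solution; the interface assignment (eth0 = Internet, eth1 = Corporate LAN 192.168.10.0/24, eth2 = Server Farm 192.168.20.0/24) and the host addresses (web server 192.168.20.10, IT admin 192.168.10.5) are assumptions. It also shows the anti‑spoofing rules in both directions and a shared rate‑limited log‑then‑drop chain from the "What You’ll Learn" section.

```shell
#!/bin/bash
# Added example, not code from the challenge repo: convert a solution script
# into iptables-save format without root or a lab host. It understands the
# commands the template uses (-P, -N, -A in the filter table); -F/-X have no
# saved form and are skipped. Argument order is kept as written; iptables-save
# normalises it, and iptables-restore accepts either.

# Constructed sample script: the patterns the challenge asks for, not a full
# solution. Assumed topology: eth0 = Internet, eth1 = Corporate LAN
# (192.168.10.0/24), eth2 = Server Farm (192.168.20.0/24). The web server
# (192.168.20.10) and IT admin host (192.168.10.5) addresses are assumptions.
SAMPLE_SCRIPT='#!/bin/bash
sudo iptables -F
sudo iptables -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# One rate-limited log-then-drop chain so every deny path logs the same way
sudo iptables -N LOGDROP
sudo iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
sudo iptables -A LOGDROP -j DROP
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing both ways: the LAN interface may only carry LAN sources...
sudo iptables -A FORWARD -i eth1 ! -s 192.168.10.0/24 -j LOGDROP
# ...and the Internet interface may never carry our own address space
sudo iptables -A FORWARD -i eth0 -s 192.168.10.0/24 -j LOGDROP
sudo iptables -A FORWARD -i eth0 -s 192.168.20.0/24 -j LOGDROP
# Segmentation: each ACCEPT names the destination it is for
sudo iptables -A FORWARD -i eth0 -o eth2 -d 192.168.20.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth2 -s 192.168.10.0/24 -d 192.168.20.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth2 -s 192.168.10.5 -d 192.168.20.0/24 -p tcp --dport 22 -j ACCEPT
# Everything not explicitly allowed is logged (rate limited) and dropped
sudo iptables -A FORWARD -j LOGDROP
echo "Firewall configured successfully!"'

# script_to_ruleset: read a script on stdin, write iptables-save text on stdout.
script_to_ruleset() {
    awk '
    BEGIN { n = 0; print "*filter" }
    {
        line = $0
        sub(/^[ \t]*sudo[ \t]+/, "", line)          # drop the leading sudo
        if (line !~ /^iptables[ \t]/) next           # comments, echo, blanks
        sub(/^iptables[ \t]+/, "", line)
        if (line ~ /^-P[ \t]/) {                     # -P CHAIN POLICY -> :CHAIN POLICY [0:0]
            split(line, f, "[ \t]+")
            print ":" f[2] " " f[3] " [0:0]"
        } else if (line ~ /^-N[ \t]/) {              # -N CHAIN -> :CHAIN - [0:0]
            split(line, f, "[ \t]+")
            print ":" f[2] " - [0:0]"
        } else if (line ~ /^-A[ \t]/) {
            rules[++n] = line                        # chain headers first, rules after
        }
    }
    END { for (i = 1; i <= n; i++) print rules[i]; print "COMMIT" }'
}

# Demo on the constructed sample. On your own file:
#   script_to_ruleset < challenge4-solution.sh > challenge4-ruleset.txt
printf '%s\n' "$SAMPLE_SCRIPT" | script_to_ruleset
```

If you do have a Linux host, `sudo iptables-restore --test < challenge4-ruleset.txt` parses the generated file without loading it, which catches syntax slips before you submit.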

Step 6 – Get AI‑Powered Grading

Upload your ruleset to Claude or ChatGPT for instant feedback.

  1. Go to the appropriate AI interface.
  2. Copy/paste the following prompt:
I completed the Corporate Network Firewall Challenge (Challenge 4). 
Please grade my iptables ruleset against all 18 requirements.

Challenge requirements:
[Paste the entire Challenge_4_Corporate_Network_Firewall.md file here]

My iptables ruleset:
[Paste your challenge4-ruleset.txt file here]

Please provide:
1. Score out of 100
2. Which requirements I passed/failed
3. Specific issues with my rules
4. Security problems or best‑practice violations
5. Suggestions for improvement

The AI will:

  • ✅ Check all 18 requirements systematically
  • ✅ Verify rule ordering is correct
  • ✅ Identify security issues
  • ✅ Confirm rate‑limiting and logging are applied correctly
  • ✅ Give a detailed score breakdown and improvement suggestions

Example grading output

Score: 85/100

✅ Requirement 1: ESTABLISHED connections (PASS)
✅ Requirement 2: INVALID drop (PASS)
❌ Requirement 4: Missing rate limiting on LOG rule (FAIL)
⚠️  Requirement 7: Using entire subnet instead of specific IP (SECURITY ISSUE)
...

Issues found:
1. LOG rule missing -m limit (will flood logs during attack)
2. -d 192.168.20.0/24 too broad (should be 192.168.20.10)

Your score: 85/100 – Fix these issues for 100/100!

Step 7 – Iterate Until Perfect

If your score is below 95/100:

  1. Read the AI’s feedback carefully.
  2. Fix the specific issues identified.
  3. Update your script.
  4. Save the new ruleset: sudo iptables-save > challenge4-ruleset.txt
  5. Re‑submit for grading.

Repeat until you achieve 95‑100/100 – that’s when you know you’ve mastered it.

Why You Should Star the Repo ⭐

This isn’t just a blog post – it’s an entire hands‑on curriculum.

The repo includes:

  • ✅ Challenge 1: Basic Linux firewall (beginner)
  • ✅ Challenge 2: Multi‑interface DMZ setup (intermediate)
  • ✅ Challenge 3: PCI‑DSS compliant firewall (advanced)
  • ✅ Challenge 4: Corporate network (this one!)
  • 🔜 More challenges coming: VPN integration, cloud firewalls, Kubernetes network policies

Benefits of starring:

  • ✅ Bookmark for later
  • ✅ Support open‑source security education
  • ✅ Get notified of new challenges
  • ✅ Show appreciation (it’s free!)

👉 Star the repo now →

Common Mistakes (Don’t Peek Until You Try!)

⚠️ Seriously, attempt the challenge BEFORE reading these!

Mistake 1: Forgetting ESTABLISHED connections

# Wrong: a separate ACCEPT for the reply direction of every allowed service
# Right: one rule accepts all return traffic for connections conntrack already tracks
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Mistake 2: Wrong rule order

# Wrong: DROP before ALLOW
-A FORWARD -i eth0 -o eth1 -j DROP               # Blocks everything!
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT   # Never reached

# Right: ALLOW before DROP
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j DROP

Mistake 3: Forgetting rate limiting on LOG rules

# Wrong: Attackers can flood your logs
-A FORWARD -j LOG

# Right: Rate‑limited logging
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG

Mistake 4: Too broad destination IPs

# Wrong: Allows access to entire server network
-A FORWARD -d 192.168.20.0/24 -p tcp --dport 3306 -j ACCEPT

# Right: Only specific database server
-A FORWARD -d 192.168.20.30 -p tcp --dport 3306 -j ACCEPT
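All four mistakes are visible in the saved file, so you can catch them before uploading. The lint below is an added example, not the repo’s validator or the grading prompt: each check reads an iptables-save ruleset on stdin, prints one line per finding and returns the number of findings, and lint_ruleset runs them all. The two embedded rulesets are constructed samples (one with every mistake, one written correctly), and the addresses in them are assumptions.

```shell
#!/bin/bash
# Added example, not the repo's validator: a pre-submission lint for a saved
# ruleset (iptables-save format) covering the four common mistakes.

# Mistake 1: the first ACCEPT in FORWARD must be the RELATED,ESTABLISHED rule.
check_established_first() {
    awk 'BEGIN { bad = 0; seen = 0 }
    /^-A FORWARD / && /-j ACCEPT/ && !seen {
        seen = 1
        if ($0 !~ /RELATED,ESTABLISHED/) { print "first FORWARD ACCEPT is not the conntrack rule: " $0; bad++ }
    }
    END { if (!seen) { print "no ACCEPT rule in FORWARD at all"; bad++ }; exit bad }'
}

# Mistake 2: a DROP that matches only on interfaces shadows every later ACCEPT
# for the same interface pair; a bare "-A FORWARD -j DROP" shadows everything.
check_shadowed_accepts() {
    awk 'BEGIN { bad = 0; all = 0 }
    /^-A FORWARD / {
        inif = ""; outif = ""; other = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") inif = $(i + 1)
            else if ($i == "-o") outif = $(i + 1)
            else if ($i ~ /^(-p|-s|-d|-m|--dport|--sport|!)$/) other = 1
        }
        key = inif "/" outif
        if (!other && $NF == "DROP") { if (key == "/") all = 1; else dropped[key] = 1 }
        else if ($NF == "ACCEPT" && (all || dropped[key])) { print "unreachable, shadowed by an earlier DROP: " $0; bad++ }
    }
    END { exit bad }'
}

# Mistake 3: every LOG rule needs -m limit, or an attacker picks your log volume.
check_log_rate_limited() {
    awk 'BEGIN { bad = 0 }
    /-j LOG/ && !/-m limit/ { print "LOG rule without -m limit: " $0; bad++ }
    END { exit bad }'
}

# Mistake 4: database ACCEPTs must name one host (no subnet, no missing -d).
check_db_destination() {
    awk 'BEGIN { bad = 0 }
    /--dport 3306/ && /-j ACCEPT/ {
        dst = ""
        for (i = 1; i <= NF; i++) if ($i == "-d") dst = $(i + 1)
        if (dst == "" || (dst ~ /\// && dst !~ /\/32$/)) { print "database ACCEPT with broad destination: " $0; bad++ }
    }
    END { exit bad }'
}

# Run every check on the ruleset given on stdin; the return value is the
# number of checks that failed, so 0 means clean.
lint_ruleset() {
    rules=$(cat)
    failed=0
    for check in check_established_first check_shadowed_accepts \
                 check_log_rate_limited check_db_destination; do
        printf '%s\n' "$rules" | "$check" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample: every mistake from the list above in one file.
BAD_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j DROP
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.20.0/24 -p tcp --dport 3306 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-DROP: "
COMMIT'

# Constructed sample: the same intent written correctly (addresses assumed).
GOOD_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "LAN-SPOOF: "
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -j DROP
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.20.10 -d 192.168.20.30 -p tcp --dport 3306 -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A FORWARD -j DROP
COMMIT'

# Demo on the bad sample. On your own file: lint_ruleset < challenge4-ruleset.txt
printf '%s\n' "$BAD_RULESET" | lint_ruleset || echo "checks failed: $?"
```

The shadowing check is deliberately narrow: it only flags an ACCEPT hidden behind an earlier DROP that matched on nothing but the interface pair, which is the exact shape of Mistake 2. Partial overlaps (a DROP on a subnet followed by an ACCEPT for one host inside it) still need a human read.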

⚠️ WARNING: Try the challenge yourself FIRST before looking at solutions.
You’ll learn 10× more by struggling through it than by copying someone else’s work.

Working solution (reference only)

👉 View solution (100/100 score)

Remember: multiple valid approaches exist. The linked solution is one way to score 100/100; your own solution may differ and be equally valid.

After You Complete This…

Skills you’ll gain

  • Configure enterprise‑style firewalls from scratch.
  • Explain stateful vs. stateless filtering.
  • Design multi‑zone network architectures.
  • Implement security logging without breaking things.
  • Ace firewall questions in security interviews.

Resume bullet

“Configured enterprise‑style corporate firewall with 3‑zone segmentation, stateful filtering, anti‑spoofing protection, and comprehensive security logging.”

Portfolio tip

  • Link to your GitHub solution (if you share it).
  • Mention it in interviews: “I completed a corporate firewall challenge that tested 18 real‑world requirements including network segmentation, rate‑limited logging, and anti‑spoofing.”

The Community

After completing the challenge

  • Compare with my solution (optional) – see the 100/100 ruleset, learn alternative approaches.
  • Share your solution (optional) – create a GitHub Gist, write a blog post, help others in the discussion.
  • Give feedback – Was anything unclear? Should requirements be more/less detailed? What other challenges would you like?
  • Star the repo ⭐ – support the project, get notified of new challenges, help others discover it.

Ready? Here’s Your Mission 🎯

  1. ⭐ Star the repo (to get the requirements).
  2. 📖 Read all 18 requirements carefully.
  3. 💻 Write your iptables script (all 18 requirements as rules).
  4. 💾 Save your ruleset to challenge4-ruleset.txt using iptables-save.
  5. 🤖 Upload to Claude/ChatGPT for instant AI grading.
  6. 🔁 Fix issues and re‑submit until you achieve a score of 95+/100.