Can You Secure a Corporate Network? Prove It. π₯
Most security tutorials hold your hand. This one doesn't.
I've created a corporate network firewall challenge that tests if you actually understand firewalls - not just copy-paste commands.
The scenario: You're the security engineer. The network is live. Configure the firewall or the company is vulnerable.
No solutions. No step-by-step. Just requirements and a ruleset validator.
Sound intimidating? Good. That's the point.
What You're Building
π Your deliverable: A complete iptables ruleset saved to a file (challenge4-ruleset.txt)
You'll configure a 3-zone corporate firewall protecting:
- Internet β Server Farm (web, mail, database, DNS servers)
- Corporate LAN β Server Farm (employee access)
- Corporate LAN β Internet (browsing, updates)
18 specific requirements covering:
- β Access control (who can reach what?)
- β Security logging (with rate limiting)
- β Anti-spoofing protection
- β Stateful connection tracking
- β Network segmentation
What you must create:
- A bash script with iptables commands (
challenge4-solution.sh) - A saved ruleset file from iptables-save (
challenge4-ruleset.txt) - Upload the ruleset file to Claude/ChatGPT for AI grading
Why This Challenge Is Different
Most firewall tutorials:
- Give you the commands
- Explain each line
- Hold your hand through setup
- Test nothing
This challenge:
- Gives you requirements, not commands
- You figure out the implementation
- Clear success criteria (pass/fail)
- Tests real-world scenarios
It's designed like a take-home security interview.
What You'll Learn
By completing this challenge, you'll master:
1. Stateful Firewalls
# You'll implement connection tracking:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Understanding WHY this rule comes first separates beginners from professionals.
2. Network Segmentation
Internet β Can access Web/Mail servers only
Employees β Can access internal portal, NOT database directly
IT Admin β SSH access to all servers
Web Server β Database access, Employees CAN'T reach DB directly
This is how real companies protect sensitive data.
3. Security Logging (Without Breaking Your Disk)
# Rate-limited logging prevents log flooding attacks:
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG
You'll learn when to log, when to rate-limit, and why both matter.
4. Anti-Spoofing Protection
# Block packets claiming to be from your network but arriving on wrong interface:
iptables -A FORWARD -i eth1 ! -s 192.168.10.0/24 -j DROP
This defends against IP spoofing attacks.
The Challenge Structure
Part 1: Basic Setup
- Set default policies
- Configure stateful connection tracking
- Drop invalid packets
Part 2: Internet β Server Farm
- Allow HTTP/HTTPS to web server only
- Allow SMTP to mail server only
- Block everything else (with logging)
Part 3: Corporate LAN β Server Farm
- Employees access web portal and email
- IT Admin gets SSH to all servers
- Web server can query database
- Everyone else blocked
Part 4: Corporate LAN β Internet
- Employees browse web, use DNS
- Internet can't reach corporate LAN directly
Part 5: Security Hardening
- Anti-spoofing rules
- Connection rate limiting
- Comprehensive logging
Total: 18 specific requirements you must implement correctly.
How Hard Is It?
Beginner? You'll struggle (that's the point). But the requirements are crystal clear, and you'll learn by debugging.
Intermediate? You'll finish in 45-60 minutes if you know iptables basics.
Expert? Prove it. Complete it perfectly on first try.
Everyone: You'll have a realistic corporate firewall ruleset for your portfolio.
The Challenge Workflow
1. Write iptables script β 2. Save ruleset file β 3. Upload to AI β 4. Get graded
(30-60 min) (iptables-save) (Claude) (Score/100)
β
Fix & retry
until 95+/100
You MUST create an actual file with your iptables rules - this isn't a reading exercise!
How to Complete This Challenge
β οΈ IMPORTANT: You must create an actual iptables ruleset file, not just read the requirements!
The challenge has 7 clear steps:
Step 1: Get the Challenge
β Star the repo for the complete requirements:
π GitHub: AppSec-Exercises/Challenge-4-Corporate-Firewall
git clone https://github.com/fosres/AppSec-Exercises.git
cd AppSec-Exercises/Week-3-Firewalls
cat Challenge_4_Corporate_Network_Firewall.md
Step 2: Read All 18 Requirements
The challenge document includes:
- β Network topology diagram (3 zones: Internet, Corporate LAN, Server Farm)
- β 18 numbered requirements (what to allow/block)
- β Clear specifications for rate limiting
- β Clear specifications for logging
- β Success criteria checklist
Read everything before writing a single command!
Note: A working solution exists here, but try it yourself first! You'll learn much more from struggling through it than copying.
Step 3: Write Your iptables Script
Create a bash script with your firewall rules:
# Create your solution file
vim challenge4-solution.sh
Template to start with:
#!/bin/bash
# Challenge 4: Corporate Network Firewall
# Your Name - Date
# Flush existing rules
sudo iptables -F
sudo iptables -X
# Set default policies
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# ============================================
# PART 1: BASIC SETUP
# ============================================
# Rule 1: Allow established connections
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Rule 2: Drop invalid packets
sudo iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# ============================================
# PART 2: ANTI-SPOOFING
# ============================================
# Rule 3: Block spoofed packets on eth1
# TODO: Implement this
# ============================================
# CONTINUE WITH ALL 18 REQUIREMENTS...
# ============================================
echo "Firewall configured successfully!"
Your job: Implement all 18 requirements as iptables rules.
Step 4: Test Your Script (Optional)
If you have a VM/lab environment:
# Make executable
chmod +x challenge4-solution.sh
# Run it
sudo ./challenge4-solution.sh
# Verify rules loaded
sudo iptables -L FORWARD -v -n
Don't have a lab? That's fine! Skip to Step 5.
Step 5: Save Your Ruleset to a File
This is REQUIRED for grading:
If you ran the script:
# Save the active iptables rules
sudo iptables-save > challenge4-ruleset.txt
If you don't have a lab:
# Manually create the ruleset file by extracting just the iptables commands
# Remove "sudo" and "echo" lines, keep only the iptables commands
# Format should match iptables-save output
Your challenge4-ruleset.txt should look like this:
# Generated by iptables-save v1.8.9
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -j LOG --log-prefix "LAN-SPOOF: "
-A FORWARD ! -s 192.168.10.0/24 -i eth1 -j DROP
# ... rest of your rules ...
COMMIT
# Completed on [date]
This file is what you'll submit for grading!
Step 6: Get AI-Powered Grading
Upload your ruleset to Claude or ChatGPT for instant feedback:
Copy/paste this prompt:
I completed the Corporate Network Firewall Challenge (Challenge 4).
Please grade my iptables ruleset against all 18 requirements.
Challenge requirements:
[Paste the entire Challenge_4_Corporate_Network_Firewall.md file here]
My iptables ruleset:
[Paste your challenge4-ruleset.txt file here]
Please provide:
1. Score out of 100
2. Which requirements I passed/failed
3. Specific issues with my rules
4. Security problems or best practice violations
5. Suggestions for improvement
Be detailed and thorough in your grading.
The AI will:
- β Check all 18 requirements systematically
- β Verify rule ordering is correct
- β Identify security issues
- β Check rate limiting is applied correctly
- β Verify logging is implemented properly
- β Give you a detailed score breakdown
- β Suggest specific fixes
Example grading output:
Score: 85/100
β
Requirement 1: ESTABLISHED connections (PASS)
β
Requirement 2: INVALID drop (PASS)
β Requirement 4: Missing rate limiting on LOG rule (FAIL)
β οΈ Requirement 7: Using entire subnet instead of specific IP (SECURITY ISSUE)
...
Issues found:
1. Line 12: LOG rule missing -m limit (will flood logs during attack)
2. Line 24: -d 192.168.20.0/24 too broad (should be 192.168.20.10)
Your score: 85/100 - Fix these issues for 100/100!
Step 7: Iterate Until Perfect
If your score is below 95/100:
- Read the AI's feedback carefully
- Fix the specific issues identified
- Update your script
- Save the new ruleset:
sudo iptables-save > challenge4-ruleset.txt - Re-submit for grading
Keep iterating until you achieve 95-100/100!
That's when you know you've mastered it.
Why You Should Star the Repo β
This isn't just a blog post - it's an entire hands-on curriculum:
The repo includes:
- β Challenge 1: Basic Linux firewall (beginner)
- β Challenge 2: Multi-interface DMZ setup (intermediate)
- β Challenge 3: PCI-DSS compliant firewall (advanced)
- β Challenge 4: Corporate network (this one!)
- π More challenges coming: VPN integration, cloud firewalls, Kubernetes network policies
Plus:
- Clear, unambiguous requirements (no frustrating guesswork)
- Real-world scenarios (not toy examples)
- Interview-prep focused (these are actual take-home questions)
- Community solutions (learn from others' approaches)
Star it to:
- β Bookmark for later
- β Support open-source security education
- β Get notified of new challenges
- β Show appreciation (it's free!)
Common Mistakes (Don't Peek Until You Try!)
β οΈ Seriously, attempt the challenge BEFORE reading these!
Click to reveal common pitfalls...
Mistake 1: Forgetting ESTABLISHED connections
# Wrong: Each direction needs explicit rules
# Right: One ESTABLISHED rule handles return traffic
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Mistake 2: Wrong rule order
# Wrong: DROP before ALLOW
-A FORWARD -i eth0 -o eth1 -j DROP # Blocks everything!
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT # Never reached
# Right: ALLOW before DROP
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j DROP
Mistake 3: Forgetting rate limiting on LOG rules
# Wrong: Attackers can flood your logs
-A FORWARD -j LOG
# Right: Rate-limited logging
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG
Mistake 4: Too broad destination IPs
# Wrong: Allows access to entire server network
-A FORWARD -d 192.168.20.0/24 -p tcp --dport 3306 -j ACCEPT
# Right: Only specific database server
-A FORWARD -d 192.168.20.30 -p tcp --dport 3306 -j ACCEPT
Still stuck? Check out a working solution to see one correct approach.
Want to See a Working Solution?
β οΈ WARNING: Try the challenge yourself FIRST before looking at solutions!
You'll learn 10x more by struggling through it than by copying someone else's work.
But if you're stuck, or want to compare your approach:
π View my solution (100/100 score)
How to use this solution:
- β Complete the challenge yourself first (seriously!)
- β Get your ruleset graded by AI
- β Compare your approach to mine
- β Learn from the differences
Remember: There are multiple valid ways to solve this. My solution is ONE approach that scores 100/100, but yours might be different and equally valid!
Use it for:
- Checking your logic after you've attempted it
- Understanding alternative approaches
- Verifying your rule ordering
- Learning advanced techniques
Don't use it for:
- β Copying without understanding
- β Skipping the learning process
- β Submitting as your own work
The goal is mastery, not completion. π―
After You Complete This...
You'll be able to:
- β Configure enterprise-style firewalls from scratch
- β Explain stateful vs stateless filtering
- β Design multi-zone network architectures
- β Implement security logging without breaking things
- β Ace firewall questions in security interviews
Add to your resume:
"Configured enterprise-style corporate firewall with 3-zone segmentation, stateful filtering, anti-spoofing protection, and comprehensive security logging"
Add to your portfolio:
Link to your GitHub solution (if you share it)
Use in interviews:
"I completed a corporate firewall challenge that tested 18 real-world requirements including network segmentation, rate-limited logging, and anti-spoofing. Here's my approach..."
The Community
After completing the challenge:
-
Compare with my solution (optional)
- See my 100/100 scoring ruleset
- Learn alternative approaches
- Understand different techniques
-
Share your solution (optional)
- Create a GitHub Gist
- Write a blog post about your approach
- Help others in the discussion
-
Give feedback
- Was anything unclear?
- Should requirements be more/less detailed?
- What other challenges would you like?
-
Star the repo β
- Support the project
- Get notified of new challenges
- Help others discover it
Ready? Here's Your Mission π―
The challenge workflow:
- β Star the repo (get the requirements)
- π Read all 18 requirements carefully
- π» Write your iptables script (all 18 requirements as rules)
- πΎ Save your ruleset to
challenge4-ruleset.txtusingiptables-save - π€ Upload to Claude/ChatGPT for instant AI grading
- π Fix issues and re-submit until you hit 95-100/100
- π Add to your portfolio!
You MUST create an actual iptables ruleset file - no shortcuts!
Start the challenge β Get the requirements
Stuck or want to compare? View a working solution (try it yourself first!)
About This Series
This is part of my 48-week Security Engineering curriculum focused on hands-on skills that actually matter in interviews.
Other challenges in the repo:
- Challenge 1: Basic Linux firewall
- Challenge 2: DMZ architecture
- Challenge 3: PCI-DSS compliance
- Challenge 4: Corporate network (this one)
Coming soon:
- VPN integration challenges
- Cloud firewall scenarios (AWS Security Groups)
- Kubernetes network policies
- Zero-trust architecture
Follow me for more security engineering content!
Found this useful? β Star the repo and help others discover it!
Questions? Drop them in the comments below. π
P.S. - If you complete this challenge, you're better prepared than 80% of security engineering candidates. No joke.
Top comments (0)