Firewall Challenge Week 3 – DEV Community

Corporate Network Firewall Challenge: Build, Prove, and Perfect Your iptables Skills

Most firewall guides tell you what to type. This #Firewall Challenge expects you to design a working policy for a real-world corporate layout and back it up with a validated ruleset. You will write a full iptables configuration for a 3-zone network, save it, and get precise AI feedback until you hit a 95-100 score. It is hands-on, portfolio-ready, and built for the #DEV community that learns by doing, week after week.

What You Will Build

You will create a stateful, segmented firewall that protects three zones:

  • Internet ↔ Server Farm: expose only what must be public
  • Corporate LAN ↔ Server Farm: enable employee and app traffic with least privilege
  • Corporate LAN ↔ Internet: allow safe outbound services

Your deliverables:

  • challenge4-solution.sh – a bash script with all iptables commands
  • challenge4-ruleset.txt – an iptables-save output of your active rules

The rules must satisfy 18 specific requirements covering access control, rate-limited security logging, anti-spoofing, stateful connection tracking, and strict network segmentation.

Why This Challenge Is Different

This is not a copy-paste tutorial. You get clear requirements and a ruleset validator. You decide the implementation and rule order. You will know you are done because the grading is pass or fail with a numeric score, detailed findings, and concrete fixes. It feels like a realistic take-home interview scenario, not a walkthrough.

Skills You Will Practice

  • Stateful filtering – let RELATED,ESTABLISHED traffic flow without redundant rules and drop INVALID packets
  • Segmentation by role – Internet can reach only web and mail, employees can reach internal apps but not the database, admins have SSH as required, and only the web tier talks to the database
  • Security logging that scales – apply rate limits such as 5 per minute with a small burst so attacks do not flood your disks
  • Anti-spoofing – block traffic claiming a local source when it arrives on the wrong interface
  • Rule specificity and order – allow before drop, narrow destinations, and keep the conntrack rule near the top

The Challenge Layout

  • Part 1: Basic setup – set default policies, accept RELATED,ESTABLISHED, and drop INVALID
  • Part 2: Internet ↔ Server Farm – permit only HTTP/HTTPS to the web server and SMTP to the mail server, log and block everything else
  • Part 3: Corporate LAN ↔ Server Farm – employees access the internal portal and email, IT admins get SSH to all servers, the web server can reach the database, employees cannot reach the database directly
  • Part 4: Corporate LAN ↔ Internet – allow safe outbound browsing and DNS for employees, deny direct inbound from the Internet to the LAN
  • Part 5: Hardening – anti-spoofing per interface, connection rate limiting where required, and consistent, rate-limited logging

How To Work Through It

  • Step 1 – Get the challenge: Clone the repository, then open the Challenge_4_Corporate_Network_Firewall.md file with all 18 requirements. Star the repo to follow updates and future #Week challenges.
  • Step 2 – Read first: Review the network diagram, success criteria, logging specs, and every requirement before writing a single command.
  • Step 3 – Write your iptables script: Create challenge4-solution.sh. Flush existing rules, set default policies, add the RELATED,ESTABLISHED accept near the top, and drop INVALID packets. Continue with interface-specific anti-spoofing and the rest of the 18 rules. Be precise with IPs and ports.
  • Step 4 – Optional test: In a lab VM, run your script and verify with iptables -L FORWARD -v -n to check counters, matches, and order.
  • Step 5 – Save your ruleset: Use iptables-save to produce challenge4-ruleset.txt. If you cannot run a lab, craft the file to match iptables-save format for the filter table and include COMMIT.
  • Step 6 – Get AI grading: Submit the requirements text and your ruleset. Request a score, pass or fail per requirement, ordering issues, logging and rate-limiting checks, and improvement suggestions.
  • Step 7 – Iterate to perfect: Apply the feedback and repeat until you reach 95-100. Document your approach and keep both files versioned.
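Steps 3 and 5 above, and Parts 1 to 5 of the layout, as one added example of a build script written for this post (it is not the challenge's reference solution). Every interface name, address, and application port in it is an assumed placeholder; substitute the values from the challenge's requirements file. Without APPLY=1 it prints the iptables commands instead of running them, so you can review the rule order before loading anything in a lab VM.

```shell
#!/bin/sh
# Added example (not the challenge's own solution): a dry-run capable build
# script for the 3-zone layout. Every interface name, address and port below
# is an assumed placeholder; the challenge's requirements file defines the
# real values.
set -e

# Assumed zone interfaces and addresses (placeholders, not from the challenge).
WAN_IF=eth0             # Internet
SRV_IF=eth1             # Server farm
LAN_IF=eth2             # Corporate LAN
SRV_NET=10.0.10.0/24
LAN_NET=10.0.20.0/24
ADMIN_NET=10.0.20.0/28  # IT admin workstations inside the LAN
WEB=10.0.10.10
MAIL=10.0.10.20
DB=10.0.10.30           # Database, assumed to listen on 3306
PORTAL=10.0.10.40       # Internal portal
DNS=203.0.113.53        # Assumed upstream resolver employees may query
LOG_LIMIT="-m limit --limit 5/minute --limit-burst 10"

# APPLY=1 executes iptables (needs root); otherwise each command is printed,
# which is what you want to read before loading a policy anyway.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

# Rate-limited LOG followed by DROP, both using the same match expression.
log_drop() {
    prefix=$1; shift
    ipt -A FORWARD "$@" $LOG_LIMIT -j LOG --log-prefix "$prefix"
    ipt -A FORWARD "$@" -j DROP
}

build_ruleset() {
    # Part 1: flush, default-deny, stateful accept first, INVALID dropped early
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Part 5 (anti-spoofing): an internal source address is only valid on its own interface
    log_drop "FW-SPOOF: " -i "$WAN_IF" -s "$SRV_NET"
    log_drop "FW-SPOOF: " -i "$WAN_IF" -s "$LAN_NET"
    log_drop "FW-SPOOF: " -i "$SRV_IF" ! -s "$SRV_NET"
    log_drop "FW-SPOOF: " -i "$LAN_IF" ! -s "$LAN_NET"

    # Part 2: Internet -> server farm, only web and mail; everything else logged and dropped
    ipt -A FORWARD -i "$WAN_IF" -o "$SRV_IF" -d "$WEB" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$SRV_IF" -d "$MAIL" -p tcp --dport 25 -j ACCEPT
    log_drop "FW-INET-SRV: " -i "$WAN_IF" -o "$SRV_IF"

    # Part 3: LAN -> server farm by role; only the web tier reaches the database.
    # Admin SSH comes before the database deny so admins keep SSH to every server.
    ipt -A FORWARD -s "$WEB" -d "$DB" -p tcp --dport 3306 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -s "$ADMIN_NET" -d "$SRV_NET" -p tcp --dport 22 -j ACCEPT
    log_drop "FW-DB-DENY: " -i "$LAN_IF" -d "$DB"
    ipt -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -s "$LAN_NET" -d "$PORTAL" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -s "$LAN_NET" -d "$MAIL" -p tcp -m multiport --dports 587,993 -j ACCEPT

    # Part 4: LAN -> Internet is browsing plus DNS to one resolver; nothing inbound reaches the LAN
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$DNS" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$DNS" -p tcp --dport 53 -j ACCEPT
    log_drop "FW-INET-LAN: " -i "$WAN_IF" -o "$LAN_IF"

    # Catch-all: whatever is left is logged at the same rate limit and dropped
    log_drop "FW-DEFAULT: "
}

build_ruleset
```

Running it as `APPLY=1 ./challenge4-solution.sh` on a lab VM loads the rules; `iptables-save > challenge4-ruleset.txt` afterwards produces the second deliverable from what is actually loaded. The helper keeps every LOG rule paired with its DROP and carrying the same -m limit, which is the pattern the grader looks for.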

Success Criteria And Grading

The grader verifies each requirement, your rule order, and whether your logging is rate-limited and correctly placed. It flags issues such as missing -m limit on LOG rules, broad subnets where a single host is required, or policies that block traffic before allows. Your score includes a breakdown with exact rule lines to fix.

Common Mistakes To Avoid

  • Forgetting RELATED,ESTABLISHED – this single rule enables return traffic for allowed flows; without it you will overcomplicate both directions
  • Misordered rules – a premature DROP can shadow later ACCEPT rules; place specific accepts first, then finish with a rate-limited LOG followed by the DROP (LOG does not terminate rule processing, so it must come before the deny, not after it)
  • Unbounded logging – always rate-limit logging or an attack will fill disks and mask real signals
  • Overly broad destinations – restrict database or DNS rules to the exact host, not the entire subnet
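A quick way to catch all four of these mistakes before submitting, as an added example written for this post (it is not the challenge's grader): a shell function that reads an iptables-save file and checks that a RELATED,ESTABLISHED accept exists in FORWARD and sits ahead of the first DROP, that every LOG rule carries -m limit, and that any rule opening the database port targets a single /32 host. The two rulesets are constructed samples with placeholder addresses, and the database port (3306) is an assumption.

```shell
#!/bin/sh
# Added example (not the challenge's grader): a lint pass over an iptables-save
# dump for the common mistakes above. Both rulesets below are constructed
# samples with placeholder addresses; port 3306 for the database is assumed.
set -e

# Reads an iptables-save dump on stdin and prints one PASS/FAIL line per finding.
lint_ruleset() {
    awk '
    /^\*filter/ { filter = 1 }
    /^COMMIT/   { commit = 1 }
    /^-A FORWARD/ {
        n++
        # Remember where the stateful accept and the first DROP sit in the chain.
        if ($0 ~ /RELATED,ESTABLISHED/ && $0 ~ /-j ACCEPT/ && !est) est = n
        if ($0 ~ /-j DROP/ && !drop) drop = n
        # LOG is non-terminating and unbounded unless it carries -m limit.
        if ($0 ~ /-j LOG/ && $0 !~ /-m limit/)
            print "FAIL: LOG rule without -m limit: " $0
        # The database port may only be opened towards a single /32 host.
        if ($0 ~ /--dport 3306/ && $0 !~ /-d [0-9.]+\/32( |$)/)
            print "FAIL: database rule targets a subnet, not a host: " $0
    }
    END {
        if (!filter) print "FAIL: missing *filter table header"
        if (!commit) print "FAIL: missing COMMIT"
        if (!est) print "FAIL: no RELATED,ESTABLISHED accept in FORWARD"
        else if (drop && drop < est)
            print "FAIL: a DROP (FORWARD rule " drop ") precedes the stateful accept (rule " est ")"
        else
            print "PASS: stateful accept precedes the first DROP"
    }'
}

# Constructed sample with three deliberate defects: an anti-spoofing DROP placed
# ahead of the stateful accept, an unlimited LOG rule, and a /24 database rule.
BAD=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -s 10.0.10.0/24 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s 10.0.10.10/32 -d 10.0.10.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j LOG --log-prefix "FW-INET-SRV: "
-A FORWARD -i eth0 -o eth1 -j DROP
COMMIT
EOF
)

# The same policy with the three defects corrected.
GOOD=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -s 10.0.10.0/24 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-SPOOF: "
-A FORWARD -i eth0 -s 10.0.10.0/24 -j DROP
-A FORWARD -s 10.0.10.10/32 -d 10.0.10.30/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-INET-SRV: "
-A FORWARD -i eth0 -o eth1 -j DROP
COMMIT
EOF
)

echo "== sample with defects =="
printf '%s\n' "$BAD" | lint_ruleset
echo "== corrected sample =="
printf '%s\n' "$GOOD" | lint_ruleset
```

Run it against your own file with `lint_ruleset < challenge4-ruleset.txt`. The ordering check only compares the stateful accept with the first DROP in FORWARD, which is the one position mistake that silently breaks return traffic for every allowed flow; it is a pre-flight check, not a substitute for reading the 18 requirements.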

Pro Tips For A Clean Ruleset

  • Put your conntrack RELATED,ESTABLISHED accept near the top of the FORWARD chain
  • Drop INVALID early to cut noise
  • Use explicit interface pairs for zone boundaries and add anti-spoofing checks per interface
  • Apply -m limit to LOG rules with a sensible rate and burst, then drop or reject as required
  • Be exact about server IPs and required ports, especially for web to database
  • Save your final policy with iptables-save so grading matches what is actually loaded

Deliverables Checklist

  • challenge4-solution.sh with all iptables commands and clear comments
  • challenge4-ruleset.txt in iptables-save format that includes default policies, the filter table, ordered rules, and COMMIT

Who Should Try It

Beginners will learn by debugging a live-style setup. Intermediates finish it in 45-60 minutes if they know iptables basics. Experts can aim to nail 100 on the first pass. It is a practical way to polish interview-ready skills and contribute to the #Community with a repeatable #Challenge you can revisit each week.

Get Started Now

Clone the repo, read the 18 requirements, write your iptables script, save the ruleset, and submit for grading. Iterate until you hit 95-100 and add the result to your portfolio. When you can design a segmented, stateful, rate-limited policy from scratch, you stand out in security interviews.

After You Finish

List on your resume that you configured an enterprise-style corporate firewall with 3-zone segmentation, stateful filtering, anti-spoofing, and rate-limited security logging. Share your approach with the dev community, compare strategies, and keep leveling up with future challenges.