Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
The networks you mentioned are RFC1918 private IP space. They are not routable across the 'net. In order for inbound traffic to reach you, some externally-facing device must be providing NAT/PAT.
So, don't provide NAT/PAT, and keep your border devices and hosts secure.
If you have more questions, please describe your network more thoroughly.
You can open it up to your internal subnets, but remember that in doing so you'll also be allowing the internal IP for your NAT device (for the sake of argument, let's call it 192.168.0.1). You might consider allowing stateful traffic, but dropping inbound requests from 192.168.0.1.
I'm running CentOS 5.4 with an sftp server, and I'd like to allow all 172.16.0.x IPs and 192.168.0.x IPs and block everything else.
Does someone have a good way to do this with IPTables or any other opensource FW?
That could be done like (example):
Code:
# Default policy: drop anything not explicitly accepted below
iptables -P INPUT DROP
# Let replies to connections we initiated (and related traffic) back in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept new connections to the sshd/sftp port only from the two internal subnets
iptables -A INPUT -p TCP --dport 22 -s 172.16.0.0/24 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
Change the destination port number to whichever you've got your daemon listening on. Also, keep in mind that if someone cracks a host on your LAN (and obtains root privileges) they can spoof any IP.
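As an added example (not code from the thread or from either poster), here is a small POSIX shell script that generates the same kind of allowlist as an iptables-restore ruleset for any number of internal subnets, and also adds the rule anomie suggested earlier: drop NEW connections whose source is the NAT device's internal address (192.168.0.1 in the thread's example), placed before the subnet ACCEPT rules so it actually takes effect even though that address falls inside 192.168.0.0/24. Function names (gen_ruleset, valid_cidr, count_accept_rules) and the idea of printing the ruleset for review rather than loading it are assumptions of this example, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset that
#  - defaults INPUT to DROP,
#  - keeps stateful replies (RELATED,ESTABLISHED) and drops INVALID packets,
#  - drops NEW connections from the NAT device's internal IP (anomie's point),
#  - accepts NEW TCP connections to one port only from the listed subnets.
# The ruleset is printed, not loaded: review it, then pipe to iptables-restore.
# Usage: gen_ruleset PORT NAT_DEVICE_IP SUBNET [SUBNET...]

gen_ruleset() {
    port=$1
    nat_ip=$2
    shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $nat_ip -m state --state NEW -j DROP
EOF
    # Order matters: the NAT device DROP above must precede these ACCEPTs,
    # because $nat_ip normally lives inside one of the allowed subnets.
    for net in "$@"; do
        echo "-A INPUT -p tcp --dport $port -s $net -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Cheap shape check before loading: does the argument look like a.b.c.d/n?
# (Does not validate octet ranges; iptables-restore will reject nonsense.)
valid_cidr() {
    case $1 in
        *[!0-9./]*|*/*/*|*.*.*.*.*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of ACCEPT rules in the generated set (lo + stateful + one per subnet).
count_accept_rules() {
    gen_ruleset "$@" | grep -c -- '-j ACCEPT'
}

# Stand-alone use: print the ruleset for the thread's two subnets.
if [ "${0##*/}" != "sh" ] && [ -z "$GEN_RULESET_NO_MAIN" ]; then
    for n in 172.16.0.0/24 192.168.0.0/24; do
        valid_cidr "$n" || { echo "bad CIDR: $n" >&2; exit 1; }
    done
    gen_ruleset 22 192.168.0.1 172.16.0.0/24 192.168.0.0/24
fi
```

Save the output, read it, and load it with `iptables-restore < file`; on CentOS 5 you would then `service iptables save` to persist it. The `-m state` module is used here to match the thread's commands; it behaves the same as `-m conntrack --ctstate` on later kernels.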
Quote:
Originally Posted by anomie
You can open it up to your internal subnets, but remember that in doing so you'll also be allowing the internal IP for your NAT device (for the sake of argument, let's call it 192.168.0.1). You might consider allowing stateful traffic, but dropping inbound requests from 192.168.0.1.
Could you elaborate as to the reason you'd be blocking the router's IP? Just curious.
Last edited by win32sux; 07-19-2010 at 06:48 PM.
Reason: Removed unnecessary iptables command.
The NAT device should never be making unsolicited connection attempts to any of the internal hosts. (All inbound traffic should be part of a stateful session.)
Quote:
The NAT device should never be making unsolicited connection attempts to any of the internal hosts.
I agree. And in your diagram, this sort of thing can be effectively enforced, given the bridged firewall you placed there. If you remove the bridged firewall, however, things get a bit difficult, as a bad guy who manages to own the router will be able to use any IP or MAC he/she wishes. This may or may not be a concern in this case, but it's something I think the OP should keep in mind.