Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
My webserver is also my file server, because it has 3 CD-ROMs and 40GB of HD space. The problem is that now it's outside the firewall, so I can't use NFS (with the current iptables rules). So if I am going to use that storage, I have to FTP everything.
Here's the layout of my network:
Incoming connection from Comcast through cable modem and then netgear router
webserver is connected to netgear router
linux iptables firewall is connected to netgear router (script attached below)
internal network is connected and routes through linux firewall (3 machines on internal network)
I have port forwarding set up on the netgear router to send all port 80 requests to the webserver.
Here's my thought, and tell me if I'm trying to do something that's impossible: if the netgear router can forward all http traffic to the server, why couldn't I just point those forwarding rules (on the netgear router) to my firewall, and then have the firewall forward all port 80 requests to the webserver (which would then be inside the firewall, where I can use NFS without changing the firewall rules)? The questions are these: first, can iptables forward ports the same way the netgear router can (I'm pretty sure it can); second, if so, what rules would need to be added to make it do that; and third, will the webserver still work from the outside if port 80 is forwarded twice on the inbound connection?
I'd like to keep the firewall as locked down as possible, which is why I don't want to set up rules to let NFS through it. Can this be done?
Tom
(iptables script follows)
# Generated by iptables-save v1.2.8 on Fri Sep 3 04:51:04 2004
*filter
# Default policies: anything not accepted by a rule below is dropped.
:INPUT DROP [154:12242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
# INPUT (traffic to the firewall itself): sanity-check TCP, trust the internal
# side (eth1) and loopback, then on the outside (eth0) accept only replies to
# existing connections and the services listed in the per-protocol chains.
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udp_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
# FORWARD (traffic through the firewall): anything arriving from the internal
# side may go out; from outside only packets of an existing connection return.
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT (traffic from the firewall itself): allowed to the internal net and out eth0.
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# allowed: accept a fresh SYN or a packet of a tracked connection, drop the rest.
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
# bad_tcp_packets: a NEW connection must start with a plain SYN; reset SYN/ACK, drop others.
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
# icmp_packets: echo request (8) and time exceeded (11) from outside.
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
# tcp_packets: services reachable on the firewall from outside (ssh, http, ftp).
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 20:21 -j allowed
# udp_packets: DHCP replies from the router's network; drop NetBIOS and broadcast DHCP noise.
-A udp_packets -s 192.168.0.0/255.255.255.0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_packets -i eth0 -p udp -m udp --dport 135:139 -j DROP
-A udp_packets -d 255.255.255.255 -i eth0 -p udp -m udp --dport 67:68 -j DROP
COMMIT
# Completed on Fri Sep 3 04:51:04 2004
# Generated by iptables-save v1.2.8 on Fri Sep 3 04:51:04 2004
*nat
:PREROUTING ACCEPT [172:14757]
:POSTROUTING ACCEPT [5:420]
:OUTPUT ACCEPT [34:2583]
# Everything leaving eth0 is masqueraded behind the firewall's outside address.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 3 04:51:04 2004
Iptables should be able to forward the traffic, but I'd be hesitant to put an NFS server outside the firewall and just forward traffic in and out of the firewall like that. There are probably more secure ways of doing it. A good starting point would be using something like ssh/scp to transfer files, or even just run your vulnerable traffic through an encryption tunnel (like an ssh or ssl tunnel) and then only allow the network to communicate with the exposed file server. Something like a VPN would work well too.
To be honest though, I think the best solution would be to get a low end PC and build a dedicated file server that you can put inside the LAN. Considering the abuse and potential for security compromise on a webserver, it's probably one of the worst places to put a fileshare server.
I may be wrong, but I think from a networking perspective that would be "double natting" of your address. At the netgear it has to translate the outside IP to internal and then forward to your other box. I'm not so sure the webserver would be able to find the correct route back outside the network. I could be wrong, and if I missed the boat I totally apologize. I'm still a newbie.
Thanks for your posts. I finally got things up and running like I wanted them, and this is what happened:
I put the webserver behind the firewall, which enabled me to use NFS freely. (I have not tried mounting an NFS share on the firewall itself, but I really don't need to; it works on my internal workstation.) I set up port forwarding with iptables, forwarding port 80 requests through my already-established rules.
What I was asking for was, in fact, what amounts to "double-natting", which I only could have done if the ISP had given me another address. So it works. Thanks for everybody's insights.
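The firewall's half of the arrangement Tom ends up with, as an added example that is not code from the thread: the netgear router forwards port 80 to the firewall's outside address, and the firewall rewrites the destination (DNAT) to the webserver on the inside network. Interface names follow the posted script (eth0 outside, eth1 inside); the webserver address 192.168.1.10 is an assumption. The fragment is meant to be loaded with iptables-restore --noflush on top of the existing rules.

```sh
#!/bin/sh
# Added example, not from the thread. Forward inbound TCP/80 arriving on the
# firewall's outside interface to a webserver on the inside network.
# eth0/eth1 follow the posted script; 192.168.1.10 is an assumed address.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_IP="${WEB_IP:-192.168.1.10}"
WEB_PORT="${WEB_PORT:-80}"

# nat table: rewrite the destination of inbound port-80 packets. DNAT runs in
# PREROUTING, before the routing decision, so the kernel then routes the
# packet out eth1 instead of delivering it to the firewall's own INPUT chain.
dnat_rule() {
    printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
}

# filter table: the posted FORWARD chain has policy DROP and only accepts
# packets entering on eth1 or belonging to a tracked connection, so the
# rewritten SYN needs its own ACCEPT. Pinning it to the webserver's address
# and port keeps the DNAT from becoming a path to anything else inside.
forward_rule() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT"
}

# Complete iptables-restore fragment covering both tables. Loaded with
# --noflush it appends to the existing chains rather than replacing them;
# reply packets are un-DNATed by conntrack and need no extra rule.
restore_fragment() {
    printf '*nat\n'
    dnat_rule
    printf 'COMMIT\n*filter\n'
    forward_rule
    printf 'COMMIT\n'
}

# Without IP forwarding the DNATed packet is dropped after PREROUTING.
# Returns 0 when forwarding is enabled.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# Default mode prints the fragment; "apply" loads it (needs root).
case "${1:-}" in
    apply)
        forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
        restore_fragment | iptables-restore --noflush
        ;;
    *)
        restore_fragment
        ;;
esac
```

Two things worth checking once this is in place. The existing `tcp_packets` entry for port 80 governs connections to the firewall itself, not forwarded ones (the DNAT diverts them before INPUT), so it can be removed unless the firewall serves something on 80. And hosts on the inside network that browse to the public address will not reach the webserver through this rule alone; that hairpin case needs an additional SNAT on the inside interface, or simply using the internal address from inside.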
How to set up an IP firewall in Linux Enterprise WS (ES) version 3 for these ports?
Dear Sir:
Happy to know that you got your firewall working. I'm new to Linux firewall setup and need help with the following.
I installed Linux Enterprise WS (ES) version 3 on my laptop PC, a Gateway Solo, and want to set up the IP firewall for the application I want to use in this environment. The following are the ports I want to set up; however, I don't know how to do it in Linux. It will be very much appreciated if someone can give me a hand.
A. In general only the following ports are required for VSP connections.
1) Port 5060 SIP messaging for TCP & UDP Both Directions
2) ICMP Ping Replies (ICMP type 8) for UCP replies inbound only
3) Port 514 Syslog UDP Outbound only
B. The following ports are required for Management Connections
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP (not required immediately but could be handy)
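A default-deny host firewall that implements the port list above, as an added example that is not from the thread. It assumes a single interface (eth0), the standard DHCP ports 67/68 and SNMP ports 161/162 where the list says "xxx", and stateful matching so that replies to permitted traffic need no rule of their own. The list names ICMP type 8 for the inbound side; type 8 is an echo request, so the rule below lets the VSP ping the host and the echo reply (type 0) leaves as an ESTABLISHED packet. If the intent is the reverse (this host pings the VSP), move the echo-request rule to OUTPUT and the replies come back the same way.

```sh
#!/bin/sh
# Added example, not from the thread: a default-deny host firewall for the
# port list in the post above, emitted as iptables argument lists.
# Assumptions: one interface (IFACE, default eth0); DHCP on 67/68 and SNMP on
# 161/162 where the list says "xxx"; conntrack handles replies.
IFACE="${IFACE:-eth0}"
SNMP="${SNMP:-no}"        # set SNMP=yes to include the optional SNMP rules

# One rule per line. Policies come first so anything not matched is dropped
# in every direction; loopback and tracked replies are opened before the
# per-service rules, which only ever admit NEW connections.
rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 5060 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 5060 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p udp --dport 5060 -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport 5060 -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport 514 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 3288 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 3288 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT
EOF
    if [ "$SNMP" = yes ]; then
        cat <<EOF
-A INPUT -i $IFACE -p udp --dport 161 -j ACCEPT
-A OUTPUT -o $IFACE -p udp --dport 162 -j ACCEPT
EOF
    fi
}

# Number of rules that admit unsolicited inbound traffic on the interface,
# i.e. the host's exposed surface. Worth eyeballing before applying.
inbound_openings() {
    rules | grep -c -- "^-A INPUT -i $IFACE .*-j ACCEPT" || true
}

# Default mode prints the rules; "apply" flushes the filter table and loads
# them (needs root): sudo sh thisscript.sh apply
case "${1:-}" in
    apply)
        iptables -F
        set -f                  # no globbing while splitting rule strings
        rules | while read -r rule; do
            # shellcheck disable=SC2086  (word splitting is intended)
            iptables $rule
        done
        ;;
    *)
        rules
        ;;
esac
```

Syslog appears twice in the list but needs only the one outbound UDP/514 rule. The two DHCP rules are there for completeness; some clients (ISC dhclient, for one) send and receive through raw packet sockets that netfilter does not filter, so a DHCP lease may work without them.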