LinuxQuestions.org

Linux - Security: Logging/Blocking LAN traffic (https://www.linuxquestions.org/questions/linux-security-4/logging-blocking-lan-traffic-804245/)

nothing_pt 04-26-2010 06:43 AM

Logging/Blocking LAN traffic
 
Hello,

Where I work we have a LAN; it is almost 100% Windows machines except for 2 CentOS machines which some clients connect to via VPN (very small network, <50 IPs used).

I would like to know if there is a way to block access from those machines to others in the network.
I'm already logging traffic (with IPTraf) to see if they're accessing other machines in the network other than the ones they should connect to.

Thanks in advance,
Nuno Santos

smoker 04-26-2010 07:18 AM

which machines are you trying to block and from where ?

nothing_pt 04-26-2010 08:13 AM

Quote:

Originally Posted by smoker (Post 3948008)
which machines are you trying to block and from where ?

I want to block the Linux machines inside our network from accessing other machines on our network except those they must access (2 or 3 machines).

The problem is that our clients connect to those CentOS machines through VPN and they have access to all of our network. I want to limit them to only the machines they have to connect for working.

Thanks again

frndrfoe 04-26-2010 08:17 AM

DMZ?

nothing_pt 04-26-2010 08:30 AM

Quote:

Originally Posted by frndrfoe (Post 3948063)
DMZ?

No, I don't think it's possible for now, because they need to work inside our network and with machines (mainly printers) that we work with too. We can't isolate the resources.

They connect to those CentOS machines, and they need to connect to more machines inside our network (mainly printers and one or two more computers). But, since they connect through VPN, they have an internal IP and can access the whole network.

Ah, and our network is workgroup based, not domain. Maybe that'll change in the upcoming months but I don't know when.

Thanks,
Nuno Santos

smoker 04-26-2010 08:52 AM

Which internal IP addresses do they get? If you can safely block anything coming from a local IP in the CentOS boxes then it should be quite straightforward.


iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT


xxx.xxx.xxx.xxx is an allowed destination, as are yyy and zzz.

Those rules must come before the reject rule if they are to work.

Make sure the correct outgoing ethX name is used, and the correct ip addresses to allow.

The problem lies in allowing outgoing traffic back over the VPN.
Do the CentOS boxes have separate ethernet ports for internal and external networks?

nothing_pt 04-26-2010 09:02 AM

Quote:

Originally Posted by smoker (Post 3948091)
Which internal IP addresses do they get? If you can safely block anything coming from a local IP in the CentOS boxes then it should be quite straightforward.


iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT


xxx.xxx.xxx.xxx is an allowed destination, as are yyy and zzz.

Those rules must come before the reject rule if they are to work.

Make sure the correct outgoing ethX name is used, and the correct ip addresses to allow.

The problem lies in allowing outgoing traffic back over the VPN.
Do the CentOS boxes have separate ethernet ports for internal and external networks?

Thanks, I will try that.

smoker 04-26-2010 09:16 AM

I would have put a source ip in there as well, I forgot before.

as in
iptables -A OUTPUT -o eth0 -p all -s localhost -j REJECT

or

iptables -A OUTPUT -o eth0 -p all -s 192.168.1.0/24 -j REJECT
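
The following script is an added example that builds on smoker's two posts above (allow-list first, reject last, then narrow by source); it is not code from the thread or from either poster. It assumes a routed VPN: the clients arrive on a tunnel interface called tun0 and get addresses from a 10.8.0.0/24 pool that the CentOS box forwards onto the LAN via eth0. With that setup the clients' packets are routed through the box rather than originated on it, so they are matched in the FORWARD chain, not OUTPUT (OUTPUT only sees traffic the gateway itself sends). The allowed hosts 192.168.1.20, .21 and .30 are placeholders for the real printers and workstations. Blocked attempts are logged with a fixed prefix, which gives a searchable record alongside the IPTraf capture the original poster already has. If the VPN is instead bridged so clients receive LAN addresses directly, the traffic does not traverse FORWARD in the same way and this ruleset would need adapting.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict VPN clients that enter
# through a CentOS gateway to a short allow-list of LAN hosts, and log
# everything else they try to reach. Interface names, subnets and hosts
# are assumptions standing in for the real values.
set -eu

VPN_IF="${VPN_IF:-tun0}"           # assumed: interface the VPN clients arrive on
LAN_IF="${LAN_IF:-eth0}"           # assumed: interface facing the office LAN
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # assumed: address pool handed to VPN clients
# assumed allow-list: two printers and one workstation the clients work with
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.1.20 192.168.1.21 192.168.1.30}"

# Print the iptables commands, one per line, without running them, so the
# ruleset can be reviewed first. Client packets are routed *through* the
# gateway, so they are matched in FORWARD; OUTPUT only sees packets the
# gateway itself originates.
vpn_lan_rules() {
    echo "iptables -N VPN_LAN"
    # Every packet from the VPN pool heading for the LAN goes to VPN_LAN.
    echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -j VPN_LAN"
    # Let replies from the allowed LAN hosts flow back to the clients.
    echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Allowed destinations first: iptables stops at the first matching rule.
    for host in $ALLOWED_HOSTS; do
        echo "iptables -A VPN_LAN -d $host -j ACCEPT"
    done
    # Everything else: log with a greppable prefix (rate-limited so a
    # scanning client cannot flood the log), then reject with an ICMP error
    # so the client fails fast instead of waiting for a timeout.
    echo "iptables -A VPN_LAN -m limit --limit 6/min --limit-burst 20 -j LOG --log-prefix \"VPN-LAN-BLOCK: \""
    echo "iptables -A VPN_LAN -j REJECT --reject-with icmp-host-prohibited"
}

# Number of ACCEPT rules in the VPN_LAN chain; must equal the allow-list size.
count_allow_rules() {
    vpn_lan_rules | grep -c -- '^iptables -A VPN_LAN -d .* -j ACCEPT$'
}

# Check the ordering point made in the thread: in VPN_LAN every ACCEPT must
# precede the REJECT, and the REJECT must be the chain's last rule.
check_rule_order() {
    chain=$(vpn_lan_rules | grep -- '^iptables -A VPN_LAN ')
    case "$(printf '%s\n' "$chain" | tail -n 1)" in
        *"-j REJECT"*) ;;
        *) return 1 ;;
    esac
    # Any ACCEPT at or after the REJECT line would never be reached.
    if printf '%s\n' "$chain" | sed -n '/-j REJECT/,$p' | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Run the commands as root (eval keeps the quoted --log-prefix intact),
# then show the chain with packet counters to confirm hits land where expected.
apply_vpn_lan_rules() {
    vpn_lan_rules | while IFS= read -r cmd; do eval "$cmd"; done
    iptables -L VPN_LAN -n -v
    # Blocked attempts then show up as: grep 'VPN-LAN-BLOCK' /var/log/messages
}

if [ "${1:-}" = "apply" ]; then
    apply_vpn_lan_rules
else
    vpn_lan_rules
fi
```

Run it without arguments to print and review the rules, and with `apply` as root to load them; `iptables -L VPN_LAN -n -v` afterwards shows per-rule packet counts, so a client that is wandering beyond the allow-list is visible both in the counters of the LOG/REJECT rules and in the kernel log lines carrying the VPN-LAN-BLOCK prefix. The rules are appended to whatever FORWARD policy the box already has, so an existing earlier ACCEPT-all rule in FORWARD would still have to be removed for the allow-list to take effect.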

