LinuxQuestions.org
Old 04-26-2010, 06:43 AM   #1
nothing_pt
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Logging/Blocking LAN traffic


Hello,

Where I work we have a LAN; it is almost 100% Windows machines, except for 2 CentOS machines to which some clients connect via VPN (very small network, <50 IPs used).

I would like to know if there is a way to block access from those machines to others in the network.
I'm already logging traffic (with IPTraf) to see if they're accessing machines in the network other than the ones they should connect to.

Thanks in advance,
Nuno Santos
 
Old 04-26-2010, 07:18 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Which machines are you trying to block, and from where?
 
Old 04-26-2010, 08:13 AM   #3
nothing_pt
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Quote:
Originally Posted by smoker
Which machines are you trying to block, and from where?
I want to block the Linux machines inside our network from accessing other machines on our network except those they must access (2 or 3 machines).

The problem is that our clients connect to those CentOS machines through VPN and have access to all of our network. I want to limit them to only the machines they have to connect to for work.

Thanks again
 
Old 04-26-2010, 08:17 AM   #4
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS
Posts: 373

DMZ?
 
Old 04-26-2010, 08:30 AM   #5
nothing_pt
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Quote:
Originally Posted by frndrfoe
DMZ?
No, I don't think that's possible for now, because they need to work inside our network and with machines (mainly printers) that we work with too. We can't isolate the resources.

They connect to those CentOS machines, and they need to connect to more machines inside our network (mainly printers and one or two more computers). But since they connect through VPN, they have an internal IP and can access the whole network.

Ah, and our network is workgroup based, not domain. Maybe that'll change in the upcoming months, but I don't know when.

Thanks,
Nuno Santos
 
Old 04-26-2010, 08:52 AM   #6
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Which internal IP addresses do they get? If you can safely block anything coming from a local IP on the CentOS boxes, then it should be quite straightforward.


iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT


xxx.xxx.xxx.xxx is an allowed destination, as are yyy and zzz.

Those rules must come before the REJECT rule if they are to work.

Make sure the correct outgoing ethX name is used, and the correct IP addresses to allow.

The problem lies in allowing outgoing traffic back over the VPN.
Do the CentOS boxes have separate Ethernet ports for internal and external networks?

Last edited by smoker; 04-26-2010 at 08:56 AM.
 
Old 04-26-2010, 09:02 AM   #7
nothing_pt
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
Quote:
Originally Posted by smoker
Which internal IP addresses do they get? If you can safely block anything coming from a local IP on the CentOS boxes, then it should be quite straightforward.
[...]
Do the CentOS boxes have separate Ethernet ports for internal and external networks?
Thanks, I will try that.

Last edited by nothing_pt; 04-26-2010 at 09:02 AM. Reason: forgot to answer question
 
Old 04-26-2010, 09:16 AM   #8
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

I would have put a source IP in there as well; I forgot before.

As in:
iptables -A OUTPUT -o eth0 -p all -s localhost -j REJECT

or

iptables -A OUTPUT -o eth0 -p all -s 192.168.1.0/24 -j REJECT
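Putting smoker's two posts (#6 and #8) together as an added example that is not code from the thread: the OUTPUT chain only matches packets the CentOS box itself originates, so if the VPN clients' traffic is routed through the box to the LAN it is evaluated in FORWARD instead, and that is where the allow-list belongs. The script below restricts VPN -> LAN traffic to a few hosts, allows only reply traffic back over the VPN (the point smoker raises), and logs what it rejects, which is the visibility the original poster was after with IPTraf. Everything concrete is an assumption: a routed (tun) VPN terminating on the box with clients in 10.8.0.0/24 on tun0, the LAN 192.168.1.0/24 on eth0, and three allowed addresses. It prints the iptables commands by default and applies them only when run as root with IPT=iptables. If the clients instead log in to the CentOS box and work from it (SSH, RDP-style jump host), that traffic is box-originated and smoker's OUTPUT rules are the right chain.

```shell
#!/bin/sh
# Added example, not code from the thread. Restricts VPN clients that are
# routed through a CentOS box to an allow-list of LAN hosts and logs the rest.
#
# Assumptions (placeholders, not from the thread): a routed (tun) VPN ends on
# the box, clients get addresses in 10.8.0.0/24 on tun0, the LAN is
# 192.168.1.0/24 on eth0, and ALLOWED lists the printers/servers they may use.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
ALLOWED="${ALLOWED:-192.168.1.10 192.168.1.11 192.168.1.20}"

# Dry run by default: IPT=echo prints the commands. IPT=iptables applies them (root).
IPT="${IPT:-echo}"

gen_rules() {
    # Client traffic crosses the box, so it is seen in FORWARD, not OUTPUT
    # (OUTPUT only matches packets the box itself originates).
    $IPT -N VPN_LAN 2>/dev/null || true
    $IPT -F VPN_LAN

    # Explicit allow-list; these must precede the REJECT, as smoker notes.
    for dst in $ALLOWED; do
        $IPT -A VPN_LAN -d "$dst" -j ACCEPT
    done

    # Log (rate-limited so a scan cannot flood syslog) and reject the rest.
    $IPT -A VPN_LAN -m limit --limit 5/min -j LOG --log-prefix "VPN-LAN-DENY: "
    $IPT -A VPN_LAN -j REJECT --reject-with icmp-admin-prohibited

    # Hook the chain in for VPN -> LAN only. Delete any earlier jump first so
    # re-running the script does not stack duplicate rules.
    $IPT -D FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -j VPN_LAN 2>/dev/null || true
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -j VPN_LAN

    # Replies flow LAN -> VPN. Allow them only for connections that were
    # already accepted; this keeps print jobs and file transfers working even
    # if the FORWARD policy is later set to DROP. The default policy itself is
    # left untouched here.
    $IPT -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of explicit ACCEPT destinations in the generated ruleset (sanity check).
count_allowed() {
    IPT=echo gen_rules | grep -c -- '-d [0-9.]* -j ACCEPT'
}

# Print (or, with IPT=iptables, apply) the rules.
gen_rules
```

Run it once as-is to review the generated commands, then as root with `IPT=iptables sh restrict-vpn.sh` to apply them; the LOG lines show up in the kernel log (dmesg / /var/log/messages on CentOS) with the "VPN-LAN-DENY:" prefix, which is a simpler audit trail than watching IPTraf. The rules are not persistent across reboots on their own; save them with the distribution's iptables service or re-run the script at boot.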
 