Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I heard iptables doesn't support IP aliases in an easy way. I didn't go further because I use Shorewall, and Shorewall can handle aliases well, so I went for it.
Somehow I read this:
Quote:
Sometimes multiple IP addresses are used because there are multiple subnetworks configured on a LAN segment. This technique does not provide for any security between the subnetworks if the users of the systems have administrative privileges because in that case, the users can simply manipulate their system's routing table to bypass your firewall/router. Nevertheless, there are cases where you simply want to consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks.
Now I have a setup where on eth0 I have both the 192.168.0.x and 192.168.1.x subnets.
I guess that a 192.168.1.1 device could add a route to the 192.168.2.0 subnet and somewhat bypass all rules set in the 192.168.2 subnet to the firewall, to the net, or to the other 192.168.1 subnet, right??
To sum up, instead of having as gateway the .2.254 firewall address, which is filtered, I would change it to the .1.254 one and pass???
I guess that is the whole problem, right?? Can you confirm it? I don't want to leave any backdoor open while setting up aliases with Shorewall.
Quote:
I heard iptables doesn't support IP aliases in an easy way
Where'd you hear that? I've dealt with IP aliases before and don't recall any issues.
But yeah, someone with admin privileges for a host on your network will be able to set any IP configuration and/or MAC address he/she desires on that host, hence the warning about doing filtering on the same segment. Of course, if there's something preventing you from using a dedicated NIC for each network, then you don't really have much of a choice.
Well, I do understand that you can change your IP address and your routing table to bypass the firewall just by setting your IP in the unfiltered network.
I can detect if a host changes its IP, but I can't detect if someone just changes its routing table.
I also don't understand how changing your routing table is enough to bypass it...
If you're an admin of a box, you can give it any IP configuration you please. This implies the ability to configure the gateway address. Hence, if the box is on a segment with multiple gateways, you can make it use whichever of the gateways you want. In other words, this sort of network security measure is reliant upon the hosts not being owned, and that's where the warning comes from. OTOH, on firewalls where you've got networks properly isolated from each other, the firewall is able to filter traffic between segments regardless of what IP configuration tweaks are done to the hosts (and regardless of whether they are owned or not).
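The gateway point made in the reply above (and the "free to attack all hosts on the same segment" point later in the thread), as an added Python model that is not code from this thread or from Shorewall: it runs the kernel's longest-prefix-match rule over two constructed routing tables for a host on the shared eth0 segment, once with the stock configuration and once after the host's admin has added an alias address and switched the default gateway. The firewall addresses 192.168.2.254 and 192.168.1.254 follow the ".2.254" and "1.254" mentioned in the question; the host address 192.168.1.10, the device name eth0 and the destination 203.0.113.9 are assumptions.

```python
import ipaddress

# Constructed scenario matching the thread: one LAN segment (eth0) carries both
# 192.168.2.0/24 (the filtered subnet) and the aliased 192.168.1.0/24; the firewall/router
# answers on 192.168.2.254 and 192.168.1.254 (assumed addresses, built from the question).
FIREWALL = {"192.168.2.254", "192.168.1.254"}

# A route is (prefix, gateway, device); gateway None means "on-link", i.e. the host
# ARPs for the destination itself and hands the frame straight to it on the wire.
ROUTES_DEFAULT = [
    ("192.168.2.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.2.254", "eth0"),
]

# What an admin on that host can do with two commands (shown for illustration, not run here):
#   ip addr add 192.168.1.10/24 dev eth0         -> kernel adds an on-link 192.168.1.0/24 route
#   ip route replace default via 192.168.1.254   -> picks the other gateway on the same wire
ROUTES_BYPASS = [
    ("192.168.2.0/24", None, "eth0"),
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.1.254", "eth0"),
]


def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def path(routes, dst):
    """'direct' when the packet goes straight to the target on the segment, else the gateway IP."""
    gateway, _dev = next_hop(routes, dst)
    return "direct" if gateway is None else gateway


def traverses_firewall(routes, dst, firewall_ips=FIREWALL):
    """True only if the firewall box is the next hop; 'direct' traffic never meets its rules."""
    return path(routes, dst) in firewall_ips


if __name__ == "__main__":
    for label, routes in (("stock config", ROUTES_DEFAULT), ("after tampering", ROUTES_BYPASS)):
        for dst in ("192.168.1.5", "203.0.113.9"):
            print(f"{label:16} -> {dst:13} via {path(routes, dst):14} "
                  f"firewall in the path: {traverses_firewall(routes, dst)}")
```

With the stock table, a packet from the .2 host to 192.168.1.5 goes to 192.168.2.254 and is subject to the firewall's rules for that zone. After the tampering, the same packet is delivered directly across the shared wire and the firewall never sees it, while Internet-bound traffic now enters the firewall from 192.168.1.254's side and is judged by whatever rules apply to the aliased zone. That is the whole difference between filtering on one segment and giving each subnet its own NIC: with separate segments there is no on-link route an attacker can add that reaches the other subnet without the firewall forwarding it.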
OK, I'm starting to see the light at the end of the tunnel...
So a smart user could either change their IP AND route, or add another virtual interface and add a new entry to their routing table, right?
Anyway, that user's journey is still limited to the rules set "from" and "to" in both subnets, either the real or the aliased one, right?
Thanks for your time and patience, but security owns me..
Quote:
Anyway, that user's journey is still limited to the rules set "from" and "to" in both subnets, either the real or the aliased one, right?
Only for traffic headed toward another network segment. He/she will be free to attack all hosts on all of your subnets if they're on the same segment, regardless of your firewall rules. If you really want to firewall the two subnets from each other, put each in its own segment (use a dedicated NIC on the firewall for each).