LinuxQuestions.org - Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
So I just completed my first custom firewall, and with the help of an excellent PDF, I must say I'm quite impressed. But unfortunately my next task is not covered in my firewall bible. I want to be able to completely restrict all the internal users from seeing each other, no pings, no TCP, nothing. How do I do this? Is it with iptables? And if so, how?
> I want to be able to completely restrict all the internal users from seeing each other, no pings, no tcp, nothing.
What's the purpose of doing that?
OK, so I'll explain it a bit further. I DON'T want users in ONE subnet to be able to see each other with pings, TCP, UDP, nothing. Now, I already figured out that this is NOT going to happen in the same subnet. So what I did was create around 200 virtual networks and assign each user their own subnet, i.e.:
192.168.1.3
192.168.2.3
192.168.3.3
192.168.4.3
and then told iptables that no virtual ethernet cards (eth1:1, eth1:2, eth1:3) could talk to each other, but everyone could talk to eth1 (the router) and the router could talk to everyone.
Oh, and dude, the PDF I found is killer. It's an 896 page PDF document on securing your Linux box, it's just nuts. The iptables stuff is around page 196.
Here's the link.
It's dope man, just dope! Oh hey, if anyone's got an idea on how to exploit my multiple subnet network to see other users (aside from manually configuring your IP), or if you have an idea on how to circumvent this, LEMME KNOW!!!
I am no expert on any of this and was wondering how you created the virtual ethernet cards? Are you using VMWare or something like that to create the virtual ethernet cards? I use VMWare on my home computer by the way.
It seems to me that much the same thing could be accomplished on a real router. You could use a subnet mask that creates the smallest possible size subnets and then place everyone on a separate subnet. For instance, suppose you have a class C address with a subnet mask of 255.255.255.254. If I am not mistaken you would then have 252 useable networks with 2 useable IP addresses per subnet. Of course, to communicate between each subnet they would need to go through a router. The router could use access control lists to control access to each port in either direction.
VLANs would also accomplish much the same thing. I assume you are using an ethernet network with a star topology. Suppose you replaced your hubs or switches with switches that support the creation of VLANs. You could then create very small VLANs with only one or several users per VLAN. To communicate between VLANs you would need to go through a router. The access control list on the router could be used to control things. If both the switch and the router support trunking you would only need one cable between each switch and the router. By the way, packets do not leak between VLANs.
I am not a network administrator or anything like that so what I have just suggested may or may not be practical or correct. I hope I am not way over my head on this subject. I do not know enough about security to know how to exploit any of these.
unSpawn: dude! I want to make a network where no one can ping/connect/see anyone else. And Rick485, you pretty much hit the nail on the head, that's exactly what I'm doing, with the exception of the switch to support VLANs. I'm just making virtual ethernet cards with redhat-config-network, i.e. eth1 192.168.1.1, eth1:1 192.168.2.1, eth1:2 192.168.3.1 and so on. Then on each subnet there is a 192.168.x.3 address for the client. Then the firewall is configured so that eth1 can see all subnets but all subnets can ONLY see eth1.
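The iptables half of the setup otis describes, as an added example that is not code from the thread or from the PDF. It assumes the per-user subnets 192.168.N.0/24 (router at 192.168.N.1, client at 192.168.N.3) are all aliases of one physical interface, taken here to be eth1, and that the uplink is eth0; alias names such as eth1:1 cannot be used with -i/-o because iptables matches the real device, so isolation is expressed per device and per address range instead.

```shell
#!/bin/sh
# Added example, not from the thread: isolate per-user subnets that hang off
# aliases of a single LAN device so that clients can reach only the router
# (and the outside), never each other. Interface names and the 192.168.0.0/16
# user range are assumptions matching the thread's description.
LAN=${LAN:-eth1}
WAN=${WAN:-eth0}
USERS=${USERS:-192.168.0.0/16}
DRY_RUN=${DRY_RUN:-}   # DRY_RUN=1 prints the commands instead of running them

ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

isolate_users() {
    # Default deny for everything the router forwards.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # A packet that enters on the LAN device and would leave on the same
    # device is user-to-user traffic (any alias subnet to any other): log it
    # so attempts show up in syslog, then drop it.
    ipt -A FORWARD -i "$LAN" -o "$LAN" -j LOG --log-prefix "LAN-ISOLATION "
    ipt -A FORWARD -i "$LAN" -o "$LAN" -j DROP
    # Users may reach the outside and get replies back, nothing else.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$USERS" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The router itself is reachable from every subnet (INPUT) and may talk
    # to every subnet (OUTPUT): the "everyone can talk to eth1" part.
    ipt -A INPUT -i "$LAN" -s "$USERS" -j ACCEPT
    ipt -A OUTPUT -o "$LAN" -d "$USERS" -j ACCEPT
}

# Number of -A rules the policy emits; a dry-run sanity check before applying.
rule_count() { DRY_RUN=1 isolate_users | grep -c '^iptables -A'; }

# Apply the policy only when explicitly asked: ./isolate.sh apply
if [ "${1:-}" = apply ]; then isolate_users; fi
```

This only governs what the router forwards; the clients still share one wire, so a client that gives itself an address in another subnet (the case otis mentions) talks past the router entirely, which is why Rick485's VLAN suggestion is the other half of the picture.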
I'm still with unSpawn with this -- otis, you've mentioned what you want, but the key question is why is this so important if everyone's on the same network?
I mean, what's the point of networking in this instance?
> why is this so important if everyone's on the same network?
Because I don't want them to see each other! I've said this three times now. I don't want to sound like a dink, but read the posts! I figure that if I put everybody on a different subnet, and then restrict subnet access through the firewall, then they won't be able to see each other.
> Originally posted by Poetics: I'm still with unSpawn with this -- otis, you've mentioned what you want, but the key question is why is this so important if everyone's on the same network?
> I mean, what's the point of networking in this instance?
Precisely. I thought the main idea behind having a network is to have the computers be able to communicate with each other. But I can see how this would be used in some instances. For example, you have the router acting as a gateway to XXXX (internet, other WAN), and you are doing some rather high security stuff on these computers, and want them only to be able to access XXXX, and not communicate with each other. That would really be the only point of having it anyway, because if they aren't needing to get out elsewhere, why not just have them as stand-alone machines?
Who knows, maybe this dude is just one of those people who does things not because he needs to, but because he thinks he can, or simply wants to see if it can be done. Anyhow, I think it would be a waste of well, just about everything to even attempt this, but hey if that's his thing, let him run with it.