Linux - Networking
Router1 : 192.168.1.1 and Public IP
Router2 : 192.168.2.1
LAN 1 192.168.1.X
LAN 2 192.168.2.X
And my server X is 192.168.1.35
I'm trying to protect Server X with iptables, but I'm not sure what IP my firewall must have... so I can protect it even from internal users.
My firewall must have one public IP and one private IP, because I want outsiders to be able to connect to serverX.
I hope you can help me
Thanks in advance.
Spookyly
You basically place firewalls where you want particular flows of data to stop. So, to block/filter connections from the Internet, enable the firewall on router 1. To allow data to flow freely inside your network but restrict connections to or from ServerX, configure the firewall on ServerX. To restrict connections in or out of 192.168.2.0, configure firewalling on router 2.
Do you have 4 routers?
Are the two routers on the network with ServerX NAT routers? You could put the Server in between the two routers on one of the interfaces and have the second interface plugged into lan1's switch. For the DMZ interface, make sure that the firewall closes down all ports that internet users are supposed to use.
Well, it's clearer now, but I'm still very confused.... let me explain the case:
For Router1 I have one IP and 5 more. I want serverX to be accessible to the internet with one private IP so my other users (from LAN1, LAN2, LAN3, LAN4, etc.) can connect, and my users from the outside can connect to serverX using one public IP...
What I did is:
My Firewall has 2 NIC
eth0: public IP
eth1: private one doing nat (192.168.8.1)
so the logical thing is that my serverX should be 192.168.8.35... right?...
but for the moment I can't change the address of serverX.... Is it possible to protect serverX without changing the address? And could it be accessible from the internet with the public IP?
If it's there anything wrong please let me know....
Thanks in advance...
Spookyly
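An added example, not from the thread or any of its posters: an iptables rule set for the two-NIC firewall described above (eth0 public, eth1 private NAT on 192.168.8.1/24). It assumes serverX has been moved into the firewall's private subnet as 192.168.8.35, that the spare public address is the placeholder 203.0.113.10, and that only TCP 80 and 443 are meant to be reachable from outside; the function prints the rules for review and only applies them when called with `--apply` as root.

```shell
#!/bin/sh
# Added example: rules for a firewall host with eth0 = public, eth1 = private.
# One reserved public address is DNATed to serverX, and the FORWARD chain
# admits only the listed service ports; everything else from outside is dropped.
PUB_IP="203.0.113.10"          # placeholder for the public IP reserved for serverX
SRV_IP="192.168.8.35"          # serverX renumbered into the firewall's NAT subnet
LAN_NET="192.168.8.0/24"
SRV_PORTS="80 443"             # the only services outsiders may reach (assumed)
WAN=eth0
LAN=eth1

# Emit the rule set one iptables command per line so it can be reviewed
# before it is applied.
fw_rules() {
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Replies belonging to established flows may pass in both directions.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN hosts may initiate outbound connections, hidden behind the public side.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    # Map the reserved public address onto serverX, port by port, and let
    # only NEW connections to those ports cross from the public side.
    for p in $SRV_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN -d $PUB_IP -p tcp --dport $p -j DNAT --to-destination $SRV_IP"
        echo "iptables -A FORWARD -i $WAN -o $LAN -d $SRV_IP -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what the default DROP policy will discard from outside.
    echo "iptables -A FORWARD -i $WAN -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# Number of DNAT rules exposing serverX; must equal the number of ports.
dnat_count() { fw_rules | grep -c -- '-j DNAT'; }

if [ "${1:-}" = "--apply" ]; then
    fw_rules | sh -e
else
    fw_rules
fi
```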
In my opinion, it would be better having 2 NICs on Server X. This makes it easier setting up the serverX firewall than having one NIC with 2 IP addresses. Ideally, the server would be in the DMZ, i.e. between two routers, and you would use a separate server for internal LAN users. If your internet side is normal internet users, even better would be to have it hosted by a third party so that internet users aren't going to your outside router at all.
In the second and last option I mentioned, the server would have as little as possible installed. Only the services needed are provided. This leaves fewer targets to attack and may even mean a leaner faster machine.
Otherwise, having the server with 2 NIC cards, make sure that one has a different network address or subnet address than the other, even if both are private IPs. The SuSE firewall2 program is set up so that you put a NIC into a zone: either inside zone, outside zone, or DMZ. Then determine the rules for each zone. For server X, the outer router would be connected to the outside zone NIC of server X and the inside zone would be connected to the switch with the inside router. The disadvantage to doing this is that if ServerX were compromised, it would provide a bypass of your 2nd router. That is why I mentioned having a bastion host just for the internet service and a separate server for the LAN users.
There are a number of books on securing Linux. I would also recommend the book "Firewalls and Internet Security: Repelling the Wily Hacker", ISBN 0-201-63466-X.
I hope I haven't made this too complicated to understand or made too many omissions. Security is an ongoing process and not something that is simply switched on.