trying to hide a server

patcito · 02-14-2007, 09:21 AM

Hey all,
I have a server(bill) connected to the internet through eth0 (public ip 212.34.228.48/28). This same server is connected through eth1 to another server(bob) (ip 192.168.1.1) which acts like a router to other computers in the network.
I want to make sure that server bob is not visible to the users accessing bill through the internet. Any idea what kind of rules I should set in my firewall on bill using iptables or ipforward?

thanx in advance

Pat

mgmax · 02-14-2007, 02:23 PM

An easy solution would be a NAT routing just like a ADSL router does, but I'm sorry I have absolutely no experience with linux and firewalling. As this should be a standart case, you might look for tutorials for this.

Max

MQMan · 02-15-2007, 09:25 PM

Don't setup any port forwarding. Without that, nothing connecting to bill can see bob.

Set your firewall up on bill to protect bill.

Cheers.

patcito · 02-17-2007, 10:13 PM

Quote:

Originally Posted by MQMan

Don't setup any port forwarding. Without that, nothing connecting to bill can see bob.

Set your firewall up on bill to protect bill.

ok and in that case could you give the kind of commands you would use please.

btmiller · 02-18-2007, 12:35 AM

Read up on iptables -- there are a number of good guides and howtos available on the net for it. In this case, what you want to do is have a rule on bill that rejects all packets bound to the internal 192.168.1.0/24 subnet that are not part of existing connections initiated from within. This is easy to do with the state module (-m state on the iptables command line). But it's hard to work up a complete configuration with the relatively limited information you have provided, so I'd suggest working through an iptables tutorial to try to set your own up and post back here for help if you can't seem to get it going.

patcito · 02-18-2007, 02:57 PM

ok here is the pic of the network, the router I want to hide from the internet is the one at the centre (192.168.1.1) connected to all the other routers and to the firewall.
http://p80.free.fr/net.jpg

MQMan · 02-20-2007, 02:47 AM

Is the "firewall" shown in your diagram a separate server, or is it a firewall running on the 192.168.1.1 server, as that makes a huge difference.

You implied in your 1st post, that bill and bob were different servers, but in that diagram, they appear to be different interfaces in the same server.

Cheers.

Notwerk · 02-20-2007, 06:18 AM

If i understand the diagram correctly, then (bill) is your firewall and (bob) is the gateway for the 192.168.1.0/24 network. In that case, you're in the uber-cool position to double NAT the 192.168.1.0/24 network making access to it from outside very difficult.

The main idea is to run yet another firewall on (bob) and the 2 firewalls work together like this:

1. BILL
Set the FILTER table policies to DROP by default

FILTER-IN:
allow loopback device
allow traffic coming from (bob_ip)
allow RELATED and ESTABLISHED traffic

FILTER-FORWARD:
allow RELATED and ESTABLISHED traffic
allow traffic coming from (bob_ip)

FILTER-OUT:
allow loopback device
allow traffic going to (bob_ip)
allow traffic going out eth0

NAT-POSTROUTING
MASQUERADE all traffic coming from (bob_ip) and going out eth0

2. BOB
Set the FILTER table policies to DROP by default

FILTER-IN:
allow loopback device
allow traffic coming from (LAN_ip_range) network
allow RELATED and ESTABLISHED traffic

FILTER-FORWARD:
allow RELATED and ESTABLISHED traffic
allow traffic coming from (LAN_ip_range) network

FILTER-OUT:
allow loopback device
allow traffic going to (bill_ip)

NAT-POSTROUTING
MASQUERADE all traffic coming from (LAN_ip_range) and going to (bill_ip)