LinuxQuestions.org

Linux - Newbie: confining kerberos to a single network interface (https://www.linuxquestions.org/questions/linux-newbie-8/confining-kerberos-to-a-single-network-interface-4175629536/)

Honest Abe 05-12-2018 08:24 AM

confining kerberos to a single network interface
 
Hi LQ,

I am trying to set up a kerberos server in a virtualised environment just for practice. I am following the steps from here

I was doing some background study on Kerberos and found a link where it was recommended to enable kerberos on a server with a single NIC.

Now my VMs have multiple NICs. Is there any way I can confine kerberos to listen to a specific NIC (ens4)?

My NICs -
Code:

[root@Cent-Pro ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:34:a2:77 brd ff:ff:ff:ff:ff:ff
    inet 10.10.100.3/24 brd 10.10.100.255 scope global ens4
      valid_lft forever preferred_lft forever
    inet6 fe80::eebd:2f4f:40e7:8afd/64 scope link
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:08:31:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.103/24 brd 192.168.122.255 scope global dynamic eth1
      valid_lft 2561sec preferred_lft 2561sec
    inet6 fe80::6eaf:c96a:9f7d:f778/64 scope link
      valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:1b:8f:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.1/24 brd 192.168.124.255 scope global virbr0
      valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
    link/ether 52:54:00:1b:8f:ac brd ff:ff:ff:ff:ff:ff
[root@Cent-Pro ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE
Wired connection 1  7cc55106-d5fa-390d-8fd4-9751acad75c1  802-3-ethernet  eth1 
ens4                f2afb056-ad47-4aa5-81df-2c3c4b11fe55  802-3-ethernet  ens4 
virbr0              06e8f8a5-e5d8-4a49-a809-2072bfa22237  bridge          virbr0
eth0                5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  802-3-ethernet  --

I understand that I may be able to achieve this by putting ens4 on a specific firewall zone and opening the port only for that zone. Would this be possible ?

I have searched already in LQ, but didn't get any results. It'd be great if somebody could point me to right direction.

Honest Abe 05-12-2018 09:29 AM

I have made a custom firewall service to open kerberos ports.

Code:

[root@Cent-Pro services]# pwd;cat kerberos.xml
/etc/firewalld/services
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos-services</short>
  <description>Open 88 for kerberos and 749 for kadmin</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>
I thought this should be easy to configure to get close to implementing my idea -

Quote:

Originally Posted by Honest Abe (Post 5853649)
I understand that I may be able to achieve this by putting ens4 on a specific firewall zone and opening the port only for that zone. Would this be possible ?

I am getting this error when I am trying to remove an interface from a firewalld zone.

Code:

[root@Cent-Pro zones]# firewall-cmd --get-active-zones
public
  interfaces: ens4 eth1
[root@Cent-Pro zones]# firewall-cmd --permanent --zone=public --remove-interface=eth1
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@Cent-Pro zones]# firewall-cmd --permanent --zone=public --remove-interface=ens4
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@Cent-Pro zones]# firewall-cmd --reload
success
[root@Cent-Pro zones]# firewall-cmd --get-active-zones
public
  interfaces: ens4 eth1

I have also searched in man pages of nmcli, but can't seem to find a way to remove an interface from a firewall zone.

For now, my only workaround is to connect to this KDC server over my preferred network (10.10.100.0/24). But that doesn't stop the KDC from listening on other interfaces. :( Suggestions?

Honest Abe 05-15-2018 01:38 AM

The workaround is in effect. But is there any way I can stop kerberos listening on other interfaces?

Also, there have been a lot of views, but no help :(.
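Added example (the editor's, not code from the thread or from the poster). The `--remove-interface` calls in the second post did not change anything because, when NetworkManager manages an interface, firewalld takes the zone from the connection profile (`connection.zone`): `firewall-cmd` hands the request to NetworkManager, which resets the interface to the default zone, and that is what the two "setting zone to default" lines report. The thread is really asking for two things: a firewalld zone that holds only ens4 and only the Kerberos services, and daemons that bind to one address rather than the wildcard, which MIT krb5 supports since 1.15 with `kdc_listen`, `kdc_tcp_listen`, `kadmind_listen` and `kpasswd_listen` in `kdc.conf`. The script assumes CentOS 7 with firewalld and NetworkManager, MIT krb5 1.15 or later, the interface, connection name and address from the `ip a s` and `nmcli con show` output above (ens4, 10.10.100.3), and a zone name `kdc` that is our own choice. `check_kdc_bindings` parses `ss -lntu` output so the result can be verified after the daemons are restarted; the sample lines in the usage below are constructed.

```shell
#!/bin/sh
# Added example by the editor, not code from the thread.
# Assumes: CentOS 7 with firewalld + NetworkManager, MIT krb5 >= 1.15
# (kdc_listen/kdc_tcp_listen/kadmind_listen/kpasswd_listen), and the
# interface, connection name and address shown in the post. The zone
# name "kdc" is our own choice.
set -eu

IFACE=${IFACE:-ens4}          # NetworkManager connection name equals the device here
ADDR=${ADDR:-10.10.100.3}     # address the KDC should bind to
ZONE=${ZONE:-kdc}             # dedicated firewalld zone (assumed name)

# 1. kdc.conf stanza: bind krb5kdc/kadmind to one address instead of the wildcard.
#    Merge it into the [kdcdefaults] section of /var/kerberos/krb5kdc/kdc.conf.
render_kdc_listen() {
    printf '[kdcdefaults]\n'
    printf ' kdc_listen = %s:88\n'      "$1"   # UDP 88
    printf ' kdc_tcp_listen = %s:88\n'  "$1"   # TCP 88
    printf ' kadmind_listen = %s:749\n' "$1"   # kadmin RPC
    printf ' kpasswd_listen = %s:464\n' "$1"   # password changes, served by kadmind
}

# 2. Firewall: a zone that contains only $IFACE and only the Kerberos services.
#    With NetworkManager managing the NIC the zone lives in the connection
#    profile, so it is set with nmcli, not with firewall-cmd --remove-interface.
apply_firewall_zone() {
    iface=$1; zone=$2
    firewall-cmd --permanent --new-zone="$zone" 2>/dev/null || true   # ignore "already exists"
    for svc in kerberos kadmin kpasswd; do          # firewalld built-in services: 88, 749, 464
        firewall-cmd --permanent --zone="$zone" --add-service="$svc"
        # make sure the zone the other NICs stay in (public) does not carry them
        if firewall-cmd --permanent --zone=public --query-service="$svc" >/dev/null 2>&1; then
            firewall-cmd --permanent --zone=public --remove-service="$svc"
        fi
    done
    firewall-cmd --reload
    nmcli connection modify "$iface" connection.zone "$zone"
    nmcli connection up "$iface"          # re-activate so the new zone is applied
    firewall-cmd --get-active-zones       # expect: kdc -> ens4, public -> eth1
}

# 3. Verification: feed `ss -lntu` output on stdin; prints every Kerberos-port
#    socket (88/464/749) bound to anything but $1 and returns 1 if there was one.
check_kdc_bindings() {
    awk -v ok="$1" '
        NR == 1 { next }                                  # ss header line
        {
            n = split($5, p, ":"); port = p[n]            # "addr:port", "*:port", ":::port"
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (port != 88 && port != 464 && port != 749) next
            if (addr != ok) { print; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${APPLY:-0}" = "1" ]; then
    apply_firewall_zone "$IFACE" "$ZONE"
    render_kdc_listen "$ADDR"     # paste into kdc.conf, then: systemctl restart krb5kdc kadmin
    ss -lntu | check_kdc_bindings "$ADDR"
fi
```

Run it with `APPLY=1` on the KDC, add the printed stanza to `kdc.conf`, restart `krb5kdc` and `kadmin`, and `ss -lntu | check_kdc_bindings 10.10.100.3` should print nothing. Two caveats: binding to 10.10.100.3 means the KDC no longer answers on 127.0.0.1, so the KDC's own hostname must resolve to that address (in /etc/hosts or DNS) and the address must be up before `krb5kdc` starts, or the bind fails. Also, the custom `kerberos.xml` in the second post overrides firewalld's built-in `kerberos` service (port 88 only); `kadmin` (749) and `kpasswd` (464) are separate built-in services, and the custom file does not open 464, which `kpasswd` clients need.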
