LinuxQuestions.org
05-12-2018, 09:24 AM   #1
Honest Abe
Member
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
confining kerberos to a single network interface


Hi LQ,

I am trying to set up a kerberos server in a virtualised environment just for practice. I am following the steps from here

I was doing some background study on Kerberos and found a link where it was recommended to enable kerberos on a server with a single NIC.

Now my VMs have multiple NICs. Is there any way I can confine kerberos to listen to a specific NIC (ens4)?

My NICs -
Code:
[root@Cent-Pro ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:34:a2:77 brd ff:ff:ff:ff:ff:ff
    inet 10.10.100.3/24 brd 10.10.100.255 scope global ens4
       valid_lft forever preferred_lft forever
    inet6 fe80::eebd:2f4f:40e7:8afd/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:08:31:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.103/24 brd 192.168.122.255 scope global dynamic eth1
       valid_lft 2561sec preferred_lft 2561sec
    inet6 fe80::6eaf:c96a:9f7d:f778/64 scope link 
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:1b:8f:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.1/24 brd 192.168.124.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
    link/ether 52:54:00:1b:8f:ac brd ff:ff:ff:ff:ff:ff
[root@Cent-Pro ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE 
Wired connection 1  7cc55106-d5fa-390d-8fd4-9751acad75c1  802-3-ethernet  eth1   
ens4                f2afb056-ad47-4aa5-81df-2c3c4b11fe55  802-3-ethernet  ens4   
virbr0              06e8f8a5-e5d8-4a49-a809-2072bfa22237  bridge          virbr0 
eth0                5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  802-3-ethernet  --
I understand that I may be able to achieve this by putting ens4 on a specific firewall zone and opening the port only for that zone. Would this be possible?

I have searched already in LQ, but didn't get any results. It'd be great if somebody could point me to right direction.

05-12-2018, 10:29 AM   #2
Honest Abe
Member (Original Poster)
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
I have made a custom firewall service to open kerberos ports.

Quote:
[root@Cent-Pro services]# pwd;cat kerberos.xml
/etc/firewalld/services
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Kerberos-services</short>
<description>Open 88 for kerberos and 749 for kadmin</description>
<port protocol="tcp" port="88"/>
<port protocol="udp" port="88"/>
<port protocol="tcp" port="749"/>
</service>
I thought this should be easy to configure to get close to implementing my idea -

Quote:
Originally Posted by Honest Abe View Post
I understand that I may be able to achieve this by putting ens4 on a specific firewall zone and opening the port only for that zone. Would this be possible ?
I am getting this error when I am trying to remove an interface from a firewalld zone.

Code:
[root@Cent-Pro zones]# firewall-cmd --get-active-zones 
public
  interfaces: ens4 eth1
[root@Cent-Pro zones]# firewall-cmd --permanent --zone=public --remove-interface=eth1
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@Cent-Pro zones]# firewall-cmd --permanent --zone=public --remove-interface=ens4
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@Cent-Pro zones]# firewall-cmd --reload
success
[root@Cent-Pro zones]# firewall-cmd --get-active-zones 
public
  interfaces: ens4 eth1
I have also searched in man pages of nmcli, but can't seem to find a way to remove an interface from a firewall zone.

For now, my only workaround is to connect to this KDC server over my preferred network (10.10.100.0/24). But that doesn't stop the KDC from listening on other interfaces. Suggestions?
 
05-15-2018, 02:38 AM   #3
Honest Abe
Member (Original Poster)
Registered: May 2018
Distribution: CentOS 7, OpenSUSE 15
The workaround is in effect. But is there any way I can stop kerberos listening on other interfaces?

Also, there have been a lot of views, but no help.
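The two open points in this thread (posts #1 and #2: how to get ens4 into its own firewalld zone when NetworkManager owns the interface, and post #3: how to stop the KDC itself from listening on the other NICs) are worked through in the script below. It is an added example, not code from the thread or from the MIT Kerberos or firewalld projects. It assumes CentOS 7 with firewalld and NetworkManager, MIT krb5 1.13 or newer (CentOS 7 ships 1.15, which has the `kdc_listen`, `kdc_tcp_listen`, `kadmind_listen` and `kpasswd_listen` keys in `[kdcdefaults]` of `/var/kerberos/krb5kdc/kdc.conf`), a connection profile named `ens4` as shown in the poster's `nmcli con show`, and the custom `/etc/firewalld/services/kerberos.xml` from post #2. Two things worth knowing: firewalld names a service after its file (so that file defines the service `kerberos`, shadowing the built-in service of the same name), and the "under control of NetworkManager" message means the interface-to-zone binding must be set on the connection profile (`connection.zone`) rather than with `firewall-cmd --add/--remove-interface`. The zone name `internal` and the `APPLY` switch are the example's own choices. The sample `--get-active-zones` and `ss -lntu` outputs embedded in the script are constructed to match the shape of the thread's output and exist only to exercise the check functions offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: CentOS 7 with firewalld and
# NetworkManager, MIT krb5 >= 1.13 (kdc_listen/kadmind_listen/kpasswd_listen
# exist in [kdcdefaults]), the connection profile for the KDC NIC is named
# "ens4" as in the poster's `nmcli con show`, and the custom service file
# /etc/firewalld/services/kerberos.xml from post #2 (firewalld names a service
# after its file, so this one is "kerberos" and shadows the built-in service).

KDC_IFACE="${KDC_IFACE:-ens4}"          # NIC the KDC should serve
KDC_ADDR="${KDC_ADDR:-10.10.100.3}"     # its address, from `ip a s`
KDC_ZONE="${KDC_ZONE:-internal}"        # zone that will carry the KDC service (assumption)
KDC_SERVICE="${KDC_SERVICE:-kerberos}"  # firewalld service name (file name without .xml)

# Print the zone that lists interface $2 in `firewall-cmd --get-active-zones`
# output passed as $1; prints nothing if the interface is in no active zone.
zone_of_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ \t]/ { zone = $1; next }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# Print the local addresses bound to port $2 in `ss -lntu` output passed as $1.
bound_addrs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 { n = split($5, a, ":")
                 if (a[n] == port) print substr($5, 1, length($5) - length(port) - 1) }'
}

# Succeed only if every socket on port $2 in ss output $1 is bound to address $3
# (i.e. nothing is left on the 0.0.0.0 / [::] wildcard).
kdc_bound_only_to() {
    bound_addrs "$1" "$2" | awk -v want="$3" '
        { seen = 1; if ($0 != want) bad = 1 }
        END { exit (bad || !seen) ? 1 : 0 }'
}

# [kdcdefaults] lines that make krb5kdc, kadmind and kpasswd bind one address
# instead of the wildcard; merge them into /var/kerberos/krb5kdc/kdc.conf and
# restart krb5kdc and kadmin afterwards.
kdc_listen_fragment() {
    printf '[kdcdefaults]\n'
    printf '    kdc_listen = %s:88\n' "$1"
    printf '    kdc_tcp_listen = %s:88\n' "$1"
    printf '    kadmind_listen = %s:749\n' "$1"
    printf '    kpasswd_listen = %s:464\n' "$1"
}

# NetworkManager owns the interface-to-zone binding (hence the "under control
# of NetworkManager" message), so set the zone on the connection profile with
# nmcli instead of firewall-cmd --add/--remove-interface, then open the KDC
# service in that zone only. The other NICs stay in the default zone (public).
apply_firewall() {
    nmcli connection modify "$KDC_IFACE" connection.zone "$KDC_ZONE"
    nmcli connection up "$KDC_IFACE"
    firewall-cmd --permanent --zone="$KDC_ZONE" --add-service="$KDC_SERVICE"
    # make sure the default zone does not expose the KDC as well
    if firewall-cmd --permanent --zone=public --query-service="$KDC_SERVICE" >/dev/null 2>&1; then
        firewall-cmd --permanent --zone=public --remove-service="$KDC_SERVICE"
    fi
    firewall-cmd --reload
}

# Constructed samples (shaped like the thread's output) for the checks above.
SAMPLE_ZONES_BEFORE='public
  interfaces: ens4 eth1'
SAMPLE_ZONES_AFTER='internal
  interfaces: ens4
public
  interfaces: eth1'
SAMPLE_SS_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:88         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:88         0.0.0.0:*'
SAMPLE_SS_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      10.10.100.3:88     0.0.0.0:*
tcp   LISTEN 0      128    10.10.100.3:88     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# APPLY=1 changes the live system; otherwise only the plan is printed.
if [ "${APPLY:-0}" = 1 ]; then
    apply_firewall
    printf 'zone of %s is now: %s\n' "$KDC_IFACE" "$(zone_of_iface "$(firewall-cmd --get-active-zones)" "$KDC_IFACE")"
    kdc_bound_only_to "$(ss -lntu)" 88 "$KDC_ADDR" && echo "KDC bound to $KDC_ADDR only" \
        || echo "KDC still listening on other addresses: edit kdc.conf and restart krb5kdc"
else
    printf 'Would bind %s to zone %s and open service %s there.\n' "$KDC_IFACE" "$KDC_ZONE" "$KDC_SERVICE"
    kdc_listen_fragment "$KDC_ADDR"
fi
```

The firewall change and the kdc.conf change do different jobs: the zone binding only filters what reaches the KDC through eth1, while the `*_listen` keys are what make krb5kdc and kadmind stop binding the wildcard address at all, which is what post #3 asks for. After `APPLY=1` and a restart of `krb5kdc` and `kadmin`, `firewall-cmd --get-active-zones` should list ens4 under the new zone and eth1 under public, and `ss -lntu` should show port 88 only on 10.10.100.3. Also check `firewall-cmd --zone=internal --list-services`, since firewalld's stock `internal` zone already opens a few services (ssh, mdns, samba-client, dhcpv6-client) that you may want to remove.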
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing A Single IP Through A Single Interface Tenuous Linux - Networking 2 11-14-2014 08:27 PM
RHEL: Linux Bond / Team Multiple Network Interfaces (NIC) Into a Single Interface SBN Linux - Networking 12 12-02-2011 11:53 PM
vsFTP - confining a user to one directory? arashi256 Linux - Software 4 06-15-2008 11:21 AM
Noobie Kerberos / single signon question. charlweed Linux - Security 2 01-02-2008 11:56 AM
Single Login with LDAP and Kerberos edgood1 Linux - Software 0 02-27-2006 07:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 06:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration