All PCs behind router with one eth0 each. Shorewall ACCEPT eth0:192.168.1.0/24 - bad?
I have a D-Link router connected to a cable modem. Behind the router are several computers, each with a single ethernet interface, eth0. Therefore my internal (LAN) and external (internet) interface is the same. I want to protect the machines from the internet but not from each other, so I thought adding rules to accept connections to their respective fw from eth0:192.168.1.0/24 should be adequate. Come to think of it, all traffic from the internet comes through the router first and then to the PC. Does this mean that it is tagged with the address of the router (192.168.1.1) and hence will be part of eth0:192.168.1.0/24? If so, then I did not protect the PC from connections from the internet. Or is my configuration correct? Thanks.
The router is doing NAT for the PCs, so you should be OK. The internet will not relay any traffic to 192.168 addresses because they are reserved for private LANs.
Also check the router, as it probably has a built-in firewall you can further use to protect yourself.
Sorry I didn't really explain that very well, I was in a hurry.
The router gets the IP from your ISP. It also knows which port each PC is on and what that PC's internal IP is. The PCs should have their default gateway set to the router's internal IP. If PC-1 wants to talk to PC-2, then the router sends the packets to the correct PC. If PC-1 wants to visit yahoo.com, then the router will send the request via the ISP. When yahoo.com returns the request, the router will know which PC made the request and will send the reply to it. yahoo.com will not reply to the 192.168.X.X IP; it will reply to the IP of the router, and the router will change it to the correct 192.168.X.X IP.
I hope this helps, but I feel like I'm just blabbering now.
Thanks for your reply. Essentially, an ACCEPT policy then is OK, since the router excludes any inbound connection not requested by any machine in the internal LAN. Any unrequested inbound connection is dropped at the router.
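The thread's question is really about what source address an internet packet carries once the router has NATed it to a PC on the LAN. The following simulation is an added example, not code from the thread or from the Shorewall project: it models a consumer NAT router and a host firewall with the poster's single rule (accept from eth0:192.168.1.0/24, default DROP) and shows that a packet originating on the internet keeps its public source address, so the LAN rule does not match it even when the router port-forwards it. The host, router and public addresses are constructed for the example.

```python
"""Model of the thread's setup: every PC has one eth0 on 192.168.1.0/24
behind a NAT router.  Added example with constructed addresses; it is not
Shorewall itself, only an evaluation of the rule the poster describes."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")
LAN_HOST = "192.168.1.10"       # the PC running the host firewall (constructed)
ROUTER_LAN_IP = "192.168.1.1"   # router's inside address, as in the thread
ROUTER_WAN_IP = "198.51.100.7"  # router's ISP-assigned address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "eth0"
    established: bool = False  # True for a reply to a connection the PC opened


def router_forward(pkt: Packet,
                   port_forward: Optional[Dict[int, str]] = None) -> Optional[Packet]:
    """What the NAT router delivers to the LAN host, or None if it drops it.

    LAN-to-LAN traffic is switched through unchanged.  Traffic from the ISP
    side is delivered only if it is a reply the router holds state for, or
    if a port-forward points at the host.  In both cases only the
    destination is rewritten: the public *source* address survives.
    """
    port_forward = port_forward or {}
    if ipaddress.ip_address(pkt.src) in LAN:
        return pkt                      # never leaves the LAN, no NAT involved
    if pkt.dst != ROUTER_WAN_IP:
        return None                     # not addressed to us at all
    if pkt.established or pkt.dport in port_forward:
        return replace(pkt, dst=LAN_HOST)
    return None                         # unsolicited and not forwarded


def host_firewall(pkt: Packet) -> str:
    """Evaluate the poster's rule set on the PC (modelled, not real Shorewall)."""
    if pkt.established:
        return "ACCEPT"                 # stateful: replies to our own connections
    # ACCEPT eth0:192.168.1.0/24 -> $FW : the rule the poster asked about
    if pkt.iface == "eth0" and ipaddress.ip_address(pkt.src) in LAN:
        return "ACCEPT"
    return "DROP"                       # default policy for everything else on eth0


def deliver(pkt: Packet, port_forward: Optional[Dict[int, str]] = None) -> str:
    """Run a packet through the router and then the host firewall."""
    fwd = router_forward(pkt, port_forward)
    if fwd is None:
        return "DROPPED_AT_ROUTER"
    return host_firewall(fwd)


def run_scenarios() -> Dict[str, str]:
    """Constructed packets covering the cases discussed in the thread."""
    public_host = "203.0.113.5"         # constructed internet address
    return {
        # another PC on the LAN opening SSH to us: the LAN rule matches
        "lan_peer_ssh": deliver(Packet("192.168.1.20", LAN_HOST, 22)),
        # the router itself talking to us (DNS, DHCP): also inside 192.168.1.0/24
        "router_itself": deliver(Packet(ROUTER_LAN_IP, LAN_HOST, 53)),
        # unsolicited connection from the internet: NAT router has no state
        "internet_unsolicited": deliver(Packet(public_host, ROUTER_WAN_IP, 22)),
        # same packet, but the router has a port-forward for 22 to this PC:
        # it arrives on eth0 with src 203.0.113.5, not 192.168.1.1
        "internet_port_forwarded": deliver(Packet(public_host, ROUTER_WAN_IP, 22),
                                           {22: LAN_HOST}),
        # reply to a connection we opened (e.g. to a web site)
        "internet_reply": deliver(Packet(public_host, ROUTER_WAN_IP, 40123,
                                         established=True)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} -> {verdict}")
```

The model confirms the replies above: the NAT router never rewrites the source address, so an internet-originated packet reaching eth0 carries a public IP and falls through to the DROP policy, while LAN peers and the router's own address are accepted. It also shows the one case a host rule still matters for: if a port-forward is ever added on the router, the host firewall, not the router, is what decides whether that traffic is accepted. The model assumes the router does not forward packets from its WAN side that claim a 192.168.1.0/24 source; that ingress filtering is what the single-interface rule relies on.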
I agree, your router's firewall should be sufficient in most cases.
Just know that if someone is really determined, they're gonna get in. That's why it's very important to make sure each computer is properly configured with good passwords, permissions and minimal services running in a privileged mode (running as root). Most major distros of Linux have a way of setting your security settings to some level, anywhere from just standard security (equivalent to decent NT-based security, not too hard to hack, but at least it causes a little frustration for the hacker because his first attempt doesn't work, so he needs two or three possible exploits) up through paranoia levels of security for those of us who don't want the NSA to be able to hack our machines. Where you place your security needs depends on what is on your systems and how much you are willing to be inconvenienced.
For example, my NT systems have medium security, but the Linux authorization server that holds their profiles, user data and other important files, is set to the highest security levels possible w/o denying those NT systems access to it.
Don't ever become complacent about security, though. Just because the NAT is sufficient in most cases, doesn't mean some script kiddie won't find a way to get a trojan horse onto your Linux system and hack you from the inside out (which most NATs provide no protection whatsoever against). That's what IP Chains, IP Tables and personal firewalls are for.