LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-04-2006, 03:56 PM   #1
crashsystems
Gateway security with iptables


I'm currently in the planning stages of taking one of the computers in my office and loading Ubuntu Linux on it to convert it into an Internet gateway/firewall. Because I'm new to the whole realm of computer security, I've been doing a lot of reading, and now know just enough to realize how much I don't know. My basic plan is to have two NICs on the box, eth0 (Internet facing) and eth1 (LAN facing). I plan to set up iptables rules so that no outside traffic will be accepted on any port (unless it is data from a web server responding to an http request made from the inside), and only ports 80 and 443 (http and https) will be able to send data from the inside to the net. On the eth1 side, I'll also be allowing port 20 to the Linux box for public key ssh connections. I know I am probably over-simplifying things somewhat, and that in theory anything can be hacked given the right resources + knowledge + time, but my question is this: with these firewall tools set in place, how likely would it be for an outside attacker to do something such as install a rootkit, exploit a buffer-overflow error, etc.? Please tell me what you think of this idea, and feel free to give advice.


crashsystems
 
Old 10-04-2006, 05:17 PM   #2
Brian1
Enabling NAT (IP masquerading) will allow network traffic from eth1 bound for the net to be able to return to the correct LAN machine.

Check out this link to build a firewall script by answering the questions it asks.
http://easyfwgen.morizot.net/gen/

You should be able to access port 20, or the true ssh port 22, on the eth1 side with not much issue once the script from the above tool is in use. Not 110 percent sure, but one iptables command should be all it takes to get it to work.

Get it built and up and fine tune from there.

Brian
 
Old 10-04-2006, 05:20 PM   #3
bulliver
Quote:
with these firewall tools set in place, how likely would it be for an outside attacker to do something such as install a rootkit, exploit a buffer-overflow error
I think that would depend more on the security of your publicly accessible services than anything else. Make sure your apache is up to date, and watch the usual channels for security notices. I cannot make out from your post whether the webserver is available to the internet at large or not. If, as you say, you have 0 open ports to the outside, then yes, you will be quite secure indeed. My advice: use 'DROP' as the target rather than 'REJECT'. Then you will be effectively stealthed to the outside world.
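The gateway the opening post describes, with Brian1's NAT (masquerading) step and bulliver's DROP-rather-than-REJECT advice folded in, as an added example; this is not a script from the thread or from any of the generators linked above. It assumes eth0/eth1 as the poster named them, a LAN range of 192.168.1.0/24, and that ssh listens on its real port, 22 (the post says 20, which is ftp-data). It also forwards DNS (udp/53) from the LAN, which the post does not mention but which browsing on 80/443 cannot work without. With no argument it only prints the iptables commands it would run; `apply` executes them as root.

```shell
#!/bin/sh
# Two-NIC gateway firewall for the plan in the thread: eth0 faces the
# Internet, eth1 faces the LAN. Default policy is DROP everywhere; only
# stateful replies, LAN->Internet HTTP/HTTPS (plus DNS) and LAN->gateway
# ssh are allowed, and LAN traffic is masqueraded on the way out.
# Run with no argument to print the commands (dry run); "apply" runs them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range, not from the post
SSH_PORT="${SSH_PORT:-22}"             # sshd's real port; the post says 20

# In dry-run mode (the default) print the command instead of executing it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Route between the NICs, and drop packets whose source address would
    # not be routed back out the interface they arrived on.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    # Clean slate, then DROP (not REJECT) by default in every chain.
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback is always allowed.
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Packets arriving from the Internet that claim a LAN source are spoofed.
    run iptables -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Stateful core: only replies to connections opened from inside get back in.
    # ("-m state --state" is the older spelling of the same match.)
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet: new connections only to HTTP and HTTPS, plus DNS.
    for port in 80 443; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp --dport 53 -j ACCEPT

    # LAN -> gateway: ssh only, and only from the LAN interface and range.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # The gateway's own outbound traffic (package updates, DNS).
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    # NAT: rewrite LAN sources to the WAN address so replies find their way back.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log what falls through to the DROP policy, rate-limited so a flood of
    # junk cannot fill the disk.
    run iptables -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# Number of generated rules matching a pattern (handy for sanity checks).
count_rules() {
    DRY_RUN=1 gateway_rules | grep -c -- "$1"
}

case "${1:-show}" in
    show)  DRY_RUN=1 gateway_rules ;;
    apply) DRY_RUN=0 gateway_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Review the dry-run output before applying, and test from the LAN side with a second session open so a mistake in the INPUT chain does not lock you out of the box.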
 
Old 10-04-2006, 05:55 PM   #4
number22
Check out iptables at http://www.linuxguruz.com/iptables/
very informative site

Last edited by number22; 10-04-2006 at 05:58 PM.
 
Old 10-05-2006, 12:56 AM   #5
~=gr3p=~
The netfilter documentation is a must-read before you start playing with iptables!

http://netfilter.org/documentation/

You should understand TCP flags and all that for a better firewall script.

Also you may use OSSEC HIDS
http://www.ossec.net/

For ssh you may use Denyhosts:
http://denyhosts.sourceforge.net/

For apache you may try:
http://www.modsecurity.org/

and for a firewall distro you may use

http://www.ipcop.org/

or http://www.redwall-firewall.com/
 
Old 10-05-2006, 08:43 AM   #6
crashsystems
Original Poster
Here is some more info on what I plan on running on the box. I don't need any services running for the outside world, so I do plan on dropping everything coming to eth0. As far as the internal network, I plan on running Samba, a DHCP server, SSH and VNC (though only tunneled through SSH). I also plan on installing tripwire + snort and running both with cron to monitor for intrusions. With this setup, how could I improve on security? Thanks to everyone who has replied so far.

crashsystems

p.s.
To secure SSH against brute force hacks on eth1, I plan on disabling password login, and using public key authentication.
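A check for the sshd side of that plan, added here as an example and not something posted in the thread: it reads an sshd_config the way sshd does and audits the settings that actually turn off password logins. sshd_config(5) says the first value obtained for each keyword wins and keywords are case-insensitive, so a hardened "no" appended at the bottom of the file loses to a forgotten "yes" above it; ChallengeResponseAuthentication has to be off as well, or PAM can still prompt for a password through keyboard-interactive. Both config samples below are constructed for the example.

```shell
#!/bin/sh
# Audit an sshd_config for the settings that really disable password
# logins. Per sshd_config(5), sshd takes the FIRST value it sees for
# each keyword and keywords are case-insensitive, so this parser does
# the same. Lines inside a "Match" block are skipped because they only
# apply conditionally. (The "Keyword=value" spelling is not handled.)

# sshd_effective KEYWORD -- reads a config on stdin and prints the value
# sshd would use in the global section, or nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        { k = tolower($1) }
        k == "match"  { in_match = 1; next }       # rest of file is conditional
        in_match      { next }
        k == key      { print tolower($2); exit }  # first occurrence wins
    '
}

# expect CONFIG KEYWORD WANT -- returns 1 and prints a finding on mismatch.
expect() {
    got="$(printf '%s\n' "$1" | sshd_effective "$2")"
    if [ "$got" = "$3" ]; then
        return 0
    fi
    echo "FAIL: $2 is '${got:-unset}', want '$3'"
    return 1
}

# audit_sshd_config CONFIG -- 0 only if every hardening expectation holds.
# Unset keywords count as failures: rely on explicit settings, not defaults.
audit_sshd_config() {
    rc=0
    expect "$1" PasswordAuthentication no          || rc=1
    expect "$1" ChallengeResponseAuthentication no || rc=1   # blocks PAM password prompts
    expect "$1" PubkeyAuthentication yes           || rc=1
    expect "$1" PermitRootLogin no                 || rc=1
    return $rc
}

# Constructed sample: the hardening was pasted in at the bottom, but sshd
# honours the earlier "yes", so passwords are still accepted.
BAD_CONFIG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# hardening pasted in later
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no'

# Constructed sample: what the poster wants. The Match block at the end
# must not be mistaken for global settings.
GOOD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
passwordauthentication no
ChallengeResponseAuthentication no
Match User backup
    PermitTTY no
    PasswordAuthentication no'

main() {
    echo "== bad config =="
    audit_sshd_config "$BAD_CONFIG" || echo "password logins still possible"
    echo "== good config =="
    audit_sshd_config "$GOOD_CONFIG" && echo "OK: only public-key logins"
    # On a live box: audit_sshd_config "$(cat /etc/ssh/sshd_config)"
}
main
```

After editing the real file, confirm with `sshd -t` that it parses, and with `sshd -T | grep -i passwordauthentication` that the daemon's effective value is what you intended; then keep the existing session open while you test a fresh login with keys only.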
 
Old 10-05-2006, 12:48 PM   #7
bulliver
Quote:
As far as the internal network, I plan on running Samba, a DHCP server, SSH and VNC (though only tunneled through SSH). I also plan on installing tripwire + snort and running both with cron to monitor for intrusions. With this setup, how could I improve on security?
Probably not much other than unplugging it from the network.

Quote:
To secure SSH against brute force hacks on eth1, I plan on disabling password login, and using public key authentication.
A good general idea, but are you saying you cannot trust users on your internal network? If not, that's a whole other story, and you will have to harden your internal services with as much care as if they were facing outwards.
 
Old 10-05-2006, 01:21 PM   #8
crashsystems
Original Poster
I generally trust the people who will be using the computers connected to the internal network (at least, I trust them not to do anything bad on purpose, though that says nothing of trusting them not to mess things up due to ignorance). However, there are not many computers that will be using ssh to connect to the gateway, and public key authentication is so easy to set up that I figure, why not?
 
Old 10-05-2006, 01:27 PM   #9
bulliver
Quote:
However, there are not many computers that will be using ssh to connect to the gateway, and public key authentication is so easy to set up that I figure, why not?
Oh yeah, I agree. I was just wondering if your setup was for, say, an internet cafe or something where you have to mistrust your users to be secure. Of course, if you read a book like 'Practical Unix Security' they indoctrinate the fact that you generally can't even trust your paid employees ... eye-opening book, I recommend it if you want to really learn a lot about security.
 
  



Tags
firewall, gateway, iptables, security, ssh


All times are GMT -5. The time now is 02:55 PM.
