LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-05-2007, 03:43 PM   #1
mindjet (Member; Registered: Feb 2006; Posts: 43)
How to Setup a Secure Perimeter


I want to set up a secure perimeter network where I can isolate a web server and any other public services.

It's a small network where I'll have a few boxes on an inner LAN and one box on a perimeter network.

My objective is to separate the networks so if the server was compromised they couldn't get further into the LAN.

I've read that either installing a second network card or assigning two IP addresses to the NIC could be a solution to this, but I don't fully understand how to configure them? (I've got the gigabit cards and switch though.)

I've been searching around for a good solution to implement for days.

The DSL modem/router seems to have the ability to listen on two ranges, i.e. 192.168.0.1, 10.1.1.1, so I'm wondering about using the feature and giving the server an address in a different range altogether from the rest of the boxes.

But then I'm stuck for how I could administer it? I prefer to use VNC, but presumably if I put it on another range it would kill my VNC sessions, and also I haven't got any good ideas for how I could copy data from TEST (on the inner LAN) to Live (on the Perimeter) other than with a USB disc, but there has to be a better way than that!

Oh, and then there's the MySql server, where does it go?! Perimeter, Inner LAN or what =)

Thanks for any help
 
Old 11-05-2007, 04:01 PM   #2
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Yes, you'd ideally want to have a three-interface setup. One for the WAN, one for the LAN, and one for the DMZ. Any servers you want to be accessible from the WAN would be placed on the DMZ. Using iptables to configure a setup like this is a piece of cake, you basically just do port-forwarding to the DMZ, and filter any unwanted outgoing connection attempts from the DMZ.

Last edited by win32sux; 11-05-2007 at 05:10 PM.
 
Old 11-05-2007, 04:57 PM   #3
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Here are some examples I put together for you:

VISUAL EXAMPLE
Code:
             62.56.xxx.xxx
                 [WAN]
                   |
                   |
           [IPTABLES ROUTER]
             /           \
            /             \
         [LAN]           [DMZ]
   192.168.1.0/24    192.168.2.0/24

IPTABLES SCRIPT EXAMPLE
Code:
#!/bin/sh


###############################################################################
### SET VARIABLES
###############################################################################

IPT="/sbin/iptables"

WAN_IFACE="eth0"

LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"

DMZ_IFACE="eth2"
DMZ_NET="192.168.2.0/24"



###############################################################################
### ENABLE ROUTING
###############################################################################

# The FORWARD and nat rules below only take effect if the kernel actually
# routes packets between the three interfaces:
echo 1 > /proc/sys/net/ipv4/ip_forward



###############################################################################
### SET POLICIES
###############################################################################

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT



###############################################################################
### FLUSH AND DELETE EVERYTHING
###############################################################################

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw



###############################################################################
### BUILD CHAINS
###############################################################################

$IPT -N LAN2WAN
$IPT -N DMZ2WAN
$IPT -N WAN2DMZ



###############################################################################
### INPUT CHAIN
###############################################################################

# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET \
--dport 22 -m state --state NEW -j ACCEPT

# Allow SSH from the WAN (Internet) to this box:
#$IPT -A INPUT -p TCP -i $WAN_IFACE \
#--dport 22 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "



###############################################################################
### OUTPUT CHAIN
###############################################################################

# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "



###############################################################################
### FORWARD CHAIN
###############################################################################

# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Lets use one chain for each traffic flow:
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_NET -o $WAN_IFACE -j LAN2WAN
$IPT -A FORWARD -i $DMZ_IFACE -s $DMZ_NET -o $WAN_IFACE -j DMZ2WAN
$IPT -A FORWARD -i $WAN_IFACE -d $DMZ_NET -o $DMZ_IFACE -j WAN2DMZ

# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "



###############################################################################
### LAN2WAN CHAIN
###############################################################################

# Allow boxes on the LAN to use HTTP on the WAN:
$IPT -A LAN2WAN -p TCP --dport 80 -m state --state NEW -j ACCEPT

# Allow boxes on the LAN to use HTTPS on the WAN:
$IPT -A LAN2WAN -p TCP --dport 443 -m state --state NEW -j ACCEPT

# Allow boxes on the LAN to use DNS on the WAN:
$IPT -A LAN2WAN -p UDP --dport 53 -m state --state NEW -j ACCEPT



###############################################################################
### DMZ2WAN CHAIN
###############################################################################

# Allow 192.168.2.102 (and only that DMZ host) to send email:
#$IPT -A DMZ2WAN -p TCP -s 192.168.2.102 --dport 25 -m state --state NEW -j ACCEPT



###############################################################################
### WAN2DMZ CHAIN
###############################################################################

# Allow HTTP to 192.168.2.101:
$IPT -A WAN2DMZ -p TCP --dport 80 -d 192.168.2.101 \
-m state --state NEW -j ACCEPT

# Allow HTTPS to 192.168.2.101:
$IPT -A WAN2DMZ -p TCP --dport 443 -d 192.168.2.101 \
-m state --state NEW -j ACCEPT

# Allow SMTP to 192.168.2.102:
$IPT -A WAN2DMZ -p TCP --dport 25 -d 192.168.2.102 \
-m state --state NEW -j ACCEPT



###############################################################################
### PREROUTING CHAIN
###############################################################################

# Send to 192.168.2.101 on the DMZ any HTTP packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.2.101

# Send to 192.168.2.101 on the DMZ any HTTPS packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 443 \
-j DNAT --to-destination 192.168.2.101

# Send to 192.168.2.102 on the DMZ any SMTP packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 25 \
-j DNAT --to-destination 192.168.2.102



###############################################################################
### POSTROUTING CHAIN
###############################################################################

# Do IP masquerading for boxes on the LAN and DMZ:
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Notice how there is no DMZ2LAN chain - any such packets will be filtered.

Last edited by win32sux; 11-05-2007 at 08:46 PM. Reason: Fixed some chain name mistakes I made.
 
Old 11-05-2007, 05:13 PM   #4
cam34 (Member; Registered: Aug 2003; Distribution: Fedora 22, Debian 8, Centos 6/7 for servers; Posts: 101)
Wow! Great Post WIN32Sux! Thanks!
 
Old 11-06-2007, 05:58 AM   #5
mindjet (Member; Registered: Feb 2006; Posts: 43; Original Poster)
I agree, that is a great post, thanks.

Unfortunately, however, I don't have a dedicated firewall box and the network looks like this:

WAN
 |
DSL MODEM/FIREWALL/4 port switch (can operate on 2 ranges)
 |
Gigabit Switch
 |
 +--------+--------+--------+
 |        |        |        |
Server   PC1      PC2      PC3

Is there a way I could do it with the existing kit I have (say by installing extra cards into the hosts themselves), or should I go out and buy a hardware firewall or dedicated firewall server with the cards?


Many thanks
 
Old 11-06-2007, 11:23 AM   #6
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Then the simplest thing would be to just have everything on the same network, and rely on the host-based firewall of the server. That is, unless your DSL router actually does have a true DMZ, which I suspect it doesn't. Maybe post the brand/model.
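The "host-based firewall on the server" that this reply falls back to, written out as an added example (not win32sux's script and not from the router vendor). It follows the same structure as the three-interface script above (default DROP policies, RELATED/ESTABLISHED first, then explicit NEW rules) but runs on the server itself, on a single interface, on the flat LAN from the diagram. The interface name eth0, the admin box 192.168.1.10 and the choice to keep MySQL local to the server (so port 3306 is never opened) are assumptions constructed for this example; `IPT=echo` prints the rules instead of applying them, which is how the checks below inspect it without root.

```shell
#!/bin/sh
# Host-based firewall for one server on a flat LAN (no true DMZ available).
# Added example; assumptions (constructed): interface eth0, admin box
# 192.168.1.10, MySQL only reachable over loopback on this same host.

IPT="${IPT:-/sbin/iptables}"       # set IPT=echo to print rules instead of applying them
IFACE="${IFACE:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"

host_firewall() {
    # Default deny in every direction, then start from an empty ruleset.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X

    # Replies to connections we already accepted, plus loopback (MySQL lives here).
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Public services: the router port-forwards 80/443 to this box.
    for port in 80 443; do
        $IPT -A INPUT -p tcp -i "$IFACE" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Administration: SSH only from the one admin box, never from the whole LAN
    # or the WAN. (Tunnel VNC over this SSH session rather than opening 5900.)
    $IPT -A INPUT -p tcp -i "$IFACE" -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT

    # Outbound: only what the server itself needs (DNS, HTTP/HTTPS for updates).
    # There is deliberately no rule letting this host open NEW connections to
    # the rest of the LAN, so a compromised web server cannot reach PC1-PC3.
    $IPT -A OUTPUT -p udp -o "$IFACE" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -o "$IFACE" -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Rate-limited logging before the DROP policy takes over.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOST INPUT DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "HOST OUTPUT DROP: "
}

# Print the rules that would be applied, without touching the kernel.
dry_run() {
    ( IPT=echo; host_firewall )
}

# Review helper: how many rules accept NEW inbound connections? Keep this small.
count_new_input_rules() {
    dry_run | grep -c -- '-A INPUT .*--state NEW'
}

case "${1:-}" in
    apply) host_firewall ;;     # sh host-fw.sh apply   (as root)
    show)  dry_run ;;           # sh host-fw.sh show    (no root needed)
esac
```

Run `sh host-fw.sh show` to review the generated rules before `sh host-fw.sh apply`; the two helper functions exist so the ruleset can be checked mechanically (for instance, that exactly three rules accept new inbound connections and that nothing opens 3306) before it is ever loaded.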
 
Old 11-07-2007, 06:33 PM   #7
mindjet (Member; Registered: Feb 2006; Posts: 43; Original Poster)
I played around with the settings on the router and I can do DHCP on 192.168.x and also have a box on 10.1.x with a static IP. So it's separated from the other boxes unless I put my PC on the same IP range.
But then there's a new problem. The boxes on 10.1.x don't have internet access. They have the settings in there for gateway, name server...
Do you think I need to add a static route, as the router lets me add those in?
 
Old 11-07-2007, 06:37 PM   #8
mindjet (Member; Registered: Feb 2006; Posts: 43; Original Poster)
Quote:
That is, unless your DSL router actually does have a true DMZ, which I suspect it doesn't.
I think you're probably right. I don't think it's a true DMZ. The router refers to its DMZ as sending all packets from the WAN (that don't belong to any other app) to one PC on the LAN, hence exposing it.
However, it also has this feature to configure two LAN-side ranges for NAT.
 
Old 11-07-2007, 06:46 PM   #9
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by mindjet
I played around with the settings on the router and I can do DHCP on 192.168.x and also have a box on 10.1.x with a static IP. So it's separated from the other boxes unless I put my PC on the same IP range.
This sounds pretty useless as far as security is concerned.

Quote:
But then there's a new problem. The boxes on 10.1.x don't have internet access. They have the settings in there for gateway, name server... Do you think I need to add a static route, as the router lets me add those in?
Honestly, I don't think it's worth messing with (I'd have them on the same network unless I had a true DMZ option). That is, of course, unless I'm missing something - which I have no way to tell, since I can't look at the device's specs (you haven't posted any brand/model). In the absence of a true DMZ, you'll still need to set up a host-based firewall on the server and your LAN clients regardless.

Quote:
I think you're probably right. I don't think it's a true DMZ. The router refers to its DMZ as sending all packets from the WAN (that don't belong to any other app) to one PC on the LAN, hence exposing it. However, it also has this feature to configure two LAN-side ranges for NAT.
I see. Well, does it only provide port-forwarding options if you choose to use the "virtual DMZ" (don't know what else to call it) feature? It sounds like it lets you configure one LAN IP where it will port-forward everything to. You'd be much better off if you were able to specify which ports to forward. Most consumer-grade routers let you do this with relative ease.

Last edited by win32sux; 11-07-2007 at 06:55 PM.
 