Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

11-05-2007, 03:43 PM | #1 | Member | Registered: Feb 2006 | Posts: 43
How to Setup a Secure Perimeter
I want to set up a secure perimeter network where I can isolate a web server and any other public services. It's a small network where I'll have a few boxes on an inner LAN and one box on a perimeter network. My objective is to separate the networks so if the server was compromised they couldn't get further into the LAN.

I've read that either installing a second network card or assigning two IP addresses to the NIC could be a solution to this, but I don't fully understand how to configure them? (I've got the gigabit cards and switch though.)

I've been searching around for a good solution to implement for days. The DSL modem/router seems to have the ability to listen on two ranges, i.e. 192.168.0.1, 10.1.1.1, so I'm wondering about using the feature and giving the server an address in a different range altogether from the rest of the boxes. But then I'm stuck for how I could administer it? I prefer to use VNC, but presumably if I put it on another range it would kill my VNC sessions, and also I haven't got any good ideas for how I could copy data from TEST (on the inner LAN) to Live (on the Perimeter) other than with a USB disc, but there has to be a better way than that!

Oh, and then there's the MySQL server, where does it go?! Perimeter, inner LAN or what =)

Thanks for any help

11-05-2007, 04:01 PM | #2 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Yes, you'd ideally want to have a three-interface setup. One for the WAN, one for the LAN, and one for the DMZ. Any servers you want to be accessible from the WAN would be placed on the DMZ. Using iptables to configure a setup like this is a piece of cake, you basically just do port-forwarding to the DMZ, and filter any unwanted outgoing connection attempts from the DMZ.
Last edited by win32sux; 11-05-2007 at 05:10 PM.

11-05-2007, 04:57 PM | #3 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Here are some examples I put together for you:
VISUAL EXAMPLE
Code:
          62.56.xxx.xxx
              [WAN]
                |
                |
        [IPTABLES ROUTER]
            /        \
           /          \
       [LAN]          [DMZ]
  192.168.1.0/24  192.168.2.0/24
IPTABLES SCRIPT EXAMPLE
Code:
#!/bin/sh
###############################################################################
### SET VARIABLES
###############################################################################
IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"
DMZ_IFACE="eth2"
DMZ_NET="192.168.2.0/24"
###############################################################################
### ENABLE ROUTING
###############################################################################
# Without this the kernel will not pass packets between the three interfaces:
echo 1 > /proc/sys/net/ipv4/ip_forward
###############################################################################
### SET POLICIES
###############################################################################
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
###############################################################################
### FLUSH AND DELETE EVERYTHING
###############################################################################
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
###############################################################################
### BUILD CHAINS
###############################################################################
$IPT -N LAN2WAN
$IPT -N DMZ2WAN
$IPT -N WAN2DMZ
###############################################################################
### INPUT CHAIN
###############################################################################
# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET \
--dport 22 -m state --state NEW -j ACCEPT
# Allow SSH from the WAN (Internet) to this box:
#$IPT -A INPUT -p TCP -i $WAN_IFACE \
#--dport 22 -m state --state NEW -j ACCEPT
# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
###############################################################################
### OUTPUT CHAIN
###############################################################################
# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Note: with only these two rules the router itself cannot open any new
# connections (e.g. DNS lookups or package updates); add explicit rules
# here if it needs to.
# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
###############################################################################
### FORWARD CHAIN
###############################################################################
# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Lets use one chain for each traffic flow:
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_NET -o $WAN_IFACE -j LAN2WAN
$IPT -A FORWARD -i $DMZ_IFACE -s $DMZ_NET -o $WAN_IFACE -j DMZ2WAN
$IPT -A FORWARD -i $WAN_IFACE -d $DMZ_NET -o $DMZ_IFACE -j WAN2DMZ
# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
###############################################################################
### LAN2WAN CHAIN
###############################################################################
# Allow boxes on the LAN to use HTTP on the WAN:
$IPT -A LAN2WAN -p TCP --dport 80 -m state --state NEW -j ACCEPT
# Allow boxes on the LAN to use HTTPS on the WAN:
$IPT -A LAN2WAN -p TCP --dport 443 -m state --state NEW -j ACCEPT
# Allow boxes on the LAN to use DNS on the WAN:
$IPT -A LAN2WAN -p UDP --dport 53 -m state --state NEW -j ACCEPT
###############################################################################
### DMZ2WAN CHAIN
###############################################################################
# Allow 192.168.2.102 to send email:
#$IPT -A DMZ2WAN -p TCP -s 192.168.2.102 --dport 25 -m state --state NEW -j ACCEPT
###############################################################################
### WAN2DMZ CHAIN
###############################################################################
# Allow HTTP to 192.168.2.101:
$IPT -A WAN2DMZ -p TCP --dport 80 -d 192.168.2.101 \
-m state --state NEW -j ACCEPT
# Allow HTTPS to 192.168.2.101:
$IPT -A WAN2DMZ -p TCP --dport 443 -d 192.168.2.101 \
-m state --state NEW -j ACCEPT
# Allow SMTP to 192.168.2.102:
$IPT -A WAN2DMZ -p TCP --dport 25 -d 192.168.2.102 \
-m state --state NEW -j ACCEPT
###############################################################################
### PREROUTING CHAIN
###############################################################################
# Send to 192.168.2.101 on the DMZ any HTTP packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.2.101
# Send to 192.168.2.101 on the DMZ any HTTPS packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 443 \
-j DNAT --to-destination 192.168.2.101
# Send to 192.168.2.102 on the DMZ any SMTP packets which hit the WAN side:
$IPT -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 25 \
-j DNAT --to-destination 192.168.2.102
###############################################################################
### POSTROUTING CHAIN
###############################################################################
# Do IP masquerading for boxes on the LAN and DMZ:
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
Notice how there is no DMZ2LAN chain - any such packets will be filtered.
Last edited by win32sux; 11-05-2007 at 08:46 PM.
Reason: Fixed some chain name mistakes I made.
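An added example, not win32sux's code or anything from the thread: a small Python model of the FORWARD path of the script above, used to check the isolation property the post describes (WAN reaches only the forwarded DMZ ports, the LAN reaches the WAN on 80/443/53, and a DMZ host cannot reach the LAN at all). It assumes the script's interface names and networks, and that packets arriving from the WAN have already been rewritten by the PREROUTING DNAT rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface names and networks taken from the script's SET VARIABLES section.
WAN_IFACE, LAN_IFACE, DMZ_IFACE = "eth0", "eth1", "eth2"
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")

@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str            # destination after PREROUTING DNAT has been applied
    proto: str          # "tcp" or "udp"
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED

# The per-flow chains, as (proto, dport, required destination or None) rules
# that each end in ACCEPT; an empty list means the chain accepts nothing.
LAN2WAN = [("tcp", 80, None), ("tcp", 443, None), ("udp", 53, None)]
DMZ2WAN = []  # the SMTP rule is commented out in the script
WAN2DMZ = [("tcp", 80, "192.168.2.101"), ("tcp", 443, "192.168.2.101"),
           ("tcp", 25, "192.168.2.102")]

def _chain_accepts(rules, pkt):
    """A user chain accepts only NEW packets matching one of its rules."""
    return any(pkt.proto == proto and pkt.dport == dport
               and (dst is None or pkt.dst == dst) and pkt.state == "NEW"
               for proto, dport, dst in rules)

def forward_verdict(pkt):
    """Verdict of the FORWARD chain for a routed packet: ACCEPT or DROP."""
    if pkt.state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"  # the ubiquitous state rule at the top of FORWARD
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.in_iface == LAN_IFACE and src in LAN_NET and pkt.out_iface == WAN_IFACE:
        chain = LAN2WAN
    elif pkt.in_iface == DMZ_IFACE and src in DMZ_NET and pkt.out_iface == WAN_IFACE:
        chain = DMZ2WAN
    elif pkt.in_iface == WAN_IFACE and dst in DMZ_NET and pkt.out_iface == DMZ_IFACE:
        chain = WAN2DMZ
    else:
        return "DROP"  # no DMZ2LAN or LAN2DMZ chain: LOG rule, then DROP policy
    # A packet the sub-chain does not accept returns to FORWARD and is dropped.
    return "ACCEPT" if _chain_accepts(chain, pkt) else "DROP"
```

Note that a LAN-to-DMZ packet (say VNC from a LAN desktop to the web server) is also dropped, since the script has no LAN2DMZ chain; administering the DMZ host from the LAN needs such a chain to be added explicitly.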

11-05-2007, 05:13 PM | #4 | Member | Registered: Aug 2003 | Distribution: Fedora 22, Debian 8, Centos 6/7 for servers | Posts: 101
Wow! Great Post WIN32Sux! Thanks!

11-06-2007, 05:58 AM | #5 | Member | Registered: Feb 2006 | Posts: 43 | Original Poster
I agree, that is a great post, thanks.
Unfortunately, however, I don't have a dedicated firewall box and the network looks like this:
Code:
                  WAN
                   |
 DSL MODEM/FIREWALL/4 port switch (can operate on 2 ranges)
                   |
            Gigabit Switch
                   |
     _____________________________
     |        |        |        |
   Server    PC1      PC2      PC3
Is there a way I could do it with the existing kit I have (say by installing extra cards into the hosts themselves), or should I go out and buy a hardware firewall or a dedicated firewall server with the cards?

Many thanks

11-06-2007, 11:23 AM | #6 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Then the simplest thing would be to just have everything on the same network, and rely on the host-based firewall of the server. That is, unless your DSL router actually does have a true DMZ, which I suspect it doesn't. Maybe post the brand/model.

11-07-2007, 06:33 PM | #7 | Member | Registered: Feb 2006 | Posts: 43 | Original Poster
I played around with the settings on the router and I can do DHCP on 192.168.x and also have a box on 10.1.x with a static IP. So it's separated from the other boxes unless I put my PC on the same IP range.

But then there's a new problem. The boxes on 10.1.x don't have internet access. They have the settings in there for gateway, name server... Do you think I need to add a static route, as the router lets me add those in?

11-07-2007, 06:37 PM | #8 | Member | Registered: Feb 2006 | Posts: 43 | Original Poster
Quote:
That is, unless your DSL router actually does have a true DMZ, which I suspect it doesn't.

I think you're probably right. I don't think it's a true DMZ. The router refers to its DMZ as sending all packets from the WAN (that don't belong to any other app) to one PC on the LAN, hence exposing it. However, it also has this feature to configure two LAN-side ranges for NAT.

11-07-2007, 06:46 PM | #9 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by mindjet
I played around with the settings on the router and I can do DHCP on 192.168.x and also have a box on 10.1.x with a static IP. So it's separated from the other boxes unless I put my PC on the same IP range.

This sounds pretty useless as far as security is concerned.

Quote:
But then there's a new problem. The boxes on 10.1.x don't have internet access. They have the settings in there for gateway, name server... Do you think I need to add a static route, as the router lets me add those in?

Honestly I don't think it's worth messing with (I'd have them on the same network unless I had a true DMZ option). That is, of course, unless I'm missing something - which I have no way to tell since I can't look at the device's specs (you haven't posted any brand/model). In the absence of a true DMZ, you'll still need to set up a host-based firewall on the server and your LAN clients regardless.

Quote:
I think you're probably right. I don't think it's a true DMZ. The router refers to its DMZ as sending all packets from the WAN (that don't belong to any other app) to one PC on the LAN, hence exposing it. However, it also has this feature to configure two LAN-side ranges for NAT.

I see. Well, does it only provide port-forwarding options if you choose to use the "virtual DMZ" (don't know what else to call it) feature? It sounds like it lets you configure one LAN IP where it will port-forward everything to. You'd be much better off if you were able to specify which ports to forward. Most consumer-grade routers let you do this with relative ease.
Last edited by win32sux; 11-07-2007 at 06:55 PM.