#1, 09-13-2006, 06:54 PM
Hunter69 (LQ Newbie; Registered: Feb 2005; Posts: 10)
Linux firewall box: will it meet my needs?
I administer a small Windows network (Active Directory domain).
I need to install a new Windows machine on the network.
I need to isolate this computer from the entire domain, but it will need to use a Microsoft Access DB that is located on a share on the network. I am not concerned about traffic from the domain to it. I am concerned about traffic from it to the domain.
So I want to stop all network traffic from this computer to the rest of the domain.
The only thing I want to allow is:
1. Kerberos authentication
2. A folder mapped as a drive.
Is this possible utilizing a Linux firewall? I am trying to do this task for as little $$$ as possible. I can come up with an old computer and I don't mind buying a couple of good NICs.
I am a newbie to Linux.
Thanks for the input
Bill
#2, 09-15-2006, 02:36 AM
musicman_ace (Senior Member; Registered: May 2001; Location: Indiana; Distribution: Gentoo, Debian, RHEL, Slack; Posts: 1,555)
Yes, you can use a simple Linux box with iptables. Just deny all traffic by default and then allow:
Kerberos
CIFS/SMB
DNS (UDP)
and possibly:
NetBIOS
Remote Desktop
There may be more ports depending on services and administration on your network.
--EDIT--
After thinking about it, you really don't need the UDP DNS port because you could just add static entries in the HOSTS file on the Windows box, if you want one less port open.
Last edited by musicman_ace; 09-15-2006 at 02:38 AM.
#3, 09-15-2006, 02:55 AM
win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by Hunter69
I administer a small Windows network (Active Directory domain).
I need to install a new Windows machine on the network.
I need to isolate this computer from the entire domain, but it will need to use a Microsoft Access DB that is located on a share on the network. I am not concerned about traffic from the domain to it. I am concerned about traffic from it to the domain.
So I want to stop all network traffic from this computer to the rest of the domain.
The only thing I want to allow is:
1. Kerberos authentication
2. A folder mapped as a drive.
Is this possible utilizing a Linux firewall? I am trying to do this task for as little $$$ as possible. I can come up with an old computer and I don't mind buying a couple of good NICs.
I am a newbie to Linux.
Thanks for the input
Bill
Yes, a Linux firewall should be able to take care of this without any problems... I did a few quick greps of my /etc/services file and came up with:
Code:
win32sux@lisa:~$ cat /etc/services | grep microsoft
microsoft-ds    445/tcp                               # Microsoft Naked CIFS
microsoft-ds    445/udp
win32sux@lisa:~$ cat /etc/services | grep netbios
netbios-ns      137/tcp                               # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                               # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                               # NETBIOS session service
netbios-ssn     139/udp
win32sux@lisa:~$ cat /etc/services | grep kerberos
kerberos        88/tcp    kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos        88/udp    kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos-adm    749/tcp                               # Kerberos `kadmin' (v5)
kerberos4       750/udp   kerberos-iv kdc             # Kerberos (server)
kerberos4       750/tcp   kerberos-iv kdc
kerberos_master 751/udp                               # Kerberos authentication
kerberos_master 751/tcp
win32sux@lisa:~$
So it looks like these would be the kind of iptables rules you'd need (with two NICs):
Code:
# $INT_IFACE is the NIC facing the isolated box, $EXT_IFACE the NIC facing the domain
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# microsoft-ds (SMB/CIFS)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 445 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 445 -m state --state NEW -j ACCEPT
# netbios-ns, netbios-dgm, netbios-ssn
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 137:139 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 137:139 -m state --state NEW -j ACCEPT
# kerberos (v5)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 88 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 88 -m state --state NEW -j ACCEPT
# kerberos-adm
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 749 -m state --state NEW -j ACCEPT
# kerberos4 and kerberos_master
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 750:751 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 750:751 -m state --state NEW -j ACCEPT
That said, I have a feeling the netbios stuff isn't really needed anymore, although I don't remember enough about windoze to be sure of that... in any case, you'd just need to eliminate the two netbios rules, to end up with something like:
Code:
# $INT_IFACE is the NIC facing the isolated box, $EXT_IFACE the NIC facing the domain
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# microsoft-ds (SMB/CIFS)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 445 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 445 -m state --state NEW -j ACCEPT
# kerberos (v5)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 88 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 88 -m state --state NEW -j ACCEPT
# kerberos-adm
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 749 -m state --state NEW -j ACCEPT
# kerberos4 and kerberos_master
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
    --dport 750:751 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
    --dport 750:751 -m state --state NEW -j ACCEPT
A good iptables tutorial is here: http://iptables-tutorial.frozentux.n...-tutorial.html
Last edited by win32sux; 09-15-2006 at 03:01 AM.
#4, 09-15-2006, 07:37 AM
Hunter69, Original Poster (LQ Newbie; Registered: Feb 2005; Posts: 10)
Thank you for your help, you don't know how much I appreciate those that share their knowledge. What would be the best distro (I am a Linux newbie, I have installed Fedora and Red Hat) to use, and can you suggest specs for the box? I have read as little as a 486, but I know I can get a hold of an old 350. Anyway, thanks again.
Bill
Last edited by Hunter69; 09-15-2006 at 07:50 AM.
#5, 09-15-2006, 10:59 AM
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote:
Originally Posted by Hunter69
Thank you for your help, you don't know how much I appreciate those that share their knowledge. What would be the best distro (I am a Linux newbie, I have installed Fedora and Red Hat) to use, and can you suggest specs for the box? I have read as little as a 486, but I know I can get a hold of an old 350. Anyway, thanks again.
Any distro will do, so use the one you like the most... and yeah, a firewall is one of the lowest CPU-using applications, so you should be fine with pretty much anything you can find... a 350 MHz CPU is way more than enough... and like you've heard, even an i486 box would do the trick...
#6, 09-15-2006, 01:21 PM
Member (Registered: Oct 2003; Location: King George, VA; Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint; Posts: 370)
Do you already have a M$ ISA Server? If so, that will be fine to get things going quickly; then you could add a Linux firewall later for an extra layer.