LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-13-2006, 06:54 PM   #1
Hunter69
LQ Newbie
 
Registered: Feb 2005
Posts: 10

Rep: Reputation: 0
Linux firewall box will it meet my needs


I administer a small Windows network (Active Directory domain).

I need to install a new Windows machine on the network.

I need to isolate this computer from the entire domain, but it will need to use a Microsoft Access DB that is located on a share on the network. I am not concerned about traffic from the domain to it. I am concerned about traffic from it to the domain.

So I want to stop all network traffic from this computer to the rest of the domain.

The only things I want to allow are:
1. Kerberos authentication
2. A folder mapped as a drive.

Is this possible utilizing a Linux firewall? I am trying to do this task for as little $$$ as possible. I can come up with an old computer and I don't mind buying a couple of good NICs.

I am a newbie to Linux.

Thanks for the input
Bill
 
Old 09-15-2006, 02:36 AM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
Yes, you can use a simple Linux box with iptables. Just deny all traffic by default and then allow:
Kerberos
CIFS/SMB
DNS (UDP)

possibly
NetBIOS
Remote Desktop

There may be more ports depending on services and administration on your network.
--EDIT--
After thinking about it, you really don't need the UDP DNS port because you could just add static entries in the HOSTS file on the Windows box, if you want one less port open.

Last edited by musicman_ace; 09-15-2006 at 02:38 AM.
 
Old 09-15-2006, 02:55 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Hunter69
I administer a small Windows network (Active Directory domain).

I need to install a new Windows machine on the network.

I need to isolate this computer from the entire domain, but it will need to use a Microsoft Access DB that is located on a share on the network. I am not concerned about traffic from the domain to it. I am concerned about traffic from it to the domain.

So I want to stop all network traffic from this computer to the rest of the domain.

The only things I want to allow are:
1. Kerberos authentication
2. A folder mapped as a drive.

Is this possible utilizing a Linux firewall? I am trying to do this task for as little $$$ as possible. I can come up with an old computer and I don't mind buying a couple of good NICs.

I am a newbie to Linux.

Thanks for the input
Bill
yes, a Linux firewall should be able to take care of this without any problems... I did a few quick greps of my /etc/services file and came up with:
Code:
win32sux@lisa:~$ cat /etc/services | grep microsoft
microsoft-ds    445/tcp                         # Microsoft Naked CIFS
microsoft-ds    445/udp
win32sux@lisa:~$ cat /etc/services | grep netbios
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp
win32sux@lisa:~$ cat /etc/services | grep kerberos
kerberos        88/tcp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos        88/udp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos-adm    749/tcp                         # Kerberos `kadmin' (v5)
kerberos4       750/udp         kerberos-iv kdc # Kerberos (server)
kerberos4       750/tcp         kerberos-iv kdc
kerberos_master 751/udp                         # Kerberos authentication
kerberos_master 751/tcp
win32sux@lisa:~$
so it looks like these would be the kind of iptables rules you'd need (with two NICs):
Code:
# Default policy: drop anything the box is asked to forward that no rule below accepts
iptables -P FORWARD DROP

# Let replies and related packets of already-accepted connections through (both directions)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# CIFS/SMB (microsoft-ds, 445) from the isolated host's NIC out to the domain's NIC
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 445 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 445 -m state --state NEW -j ACCEPT

# NetBIOS name service, datagram and session (137-139)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 137:139 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 137:139 -m state --state NEW -j ACCEPT

# Kerberos v5 (88)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 88 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 88 -m state --state NEW -j ACCEPT

# Kerberos kadmin (749) and the Kerberos v4 / kerberos_master ports (750-751)
iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 749 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 750:751 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 750:751 -m state --state NEW -j ACCEPT
that said, I have a feeling the netbios stuff isn't really needed anymore, although I don't remember enough about windoze to be sure of that... in any case, you'd just need to eliminate the two netbios rules, to end up with something like:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 445 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 445 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 88 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 88 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 749 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p TCP \
--dport 750:751 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p UDP \
--dport 750:751 -m state --state NEW -j ACCEPT
a good iptables tutorial is here: http://iptables-tutorial.frozentux.n...-tutorial.html

Last edited by win32sux; 09-15-2006 at 03:01 AM.
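The two posts above give the ingredients (deny by default, then allow Kerberos and CIFS/SMB from the isolated host outward). The script below is an added example, not win32sux's or musicman_ace's posted rules, that puts them together as a small two-NIC forwarding policy with two additions a practitioner would want: the ACCEPT rules are pinned to the destination hosts that actually need them (the KDC for port 88, the file server for port 445) rather than to "anywhere on the domain side", and everything else the isolated host tries is logged before it is dropped, so the kernel log tells you which extra port a Windows box is asking for instead of leaving you to guess. The interface names, the two server addresses and the DRY-RUN default (IPT is "echo iptables", so the script prints the commands instead of applying them) are all assumptions; set IPT=iptables and the real values to apply it on the firewall box.

```shell
#!/bin/sh
# Added example: forwarding policy for a two-NIC Linux box that isolates
# one Windows host. All addresses and interface names below are placeholders.
INT_IFACE="${INT_IFACE:-eth1}"          # NIC facing the isolated Windows host (assumed)
EXT_IFACE="${EXT_IFACE:-eth0}"          # NIC facing the rest of the domain (assumed)
DC_IP="${DC_IP:-192.0.2.10}"            # domain controller / KDC, placeholder address
FILESRV_IP="${FILESRV_IP:-192.0.2.20}"  # file server hosting the Access DB share, placeholder
IPT="${IPT:-echo iptables}"             # dry-run by default; export IPT=iptables to apply

# allow DST PROTO PORT: accept a NEW connection from the isolated host to one
# specific destination host and port, and nothing wider than that.
allow() {
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -d "$1" -p "$2" --dport "$3" \
         -m state --state NEW -j ACCEPT
}

build_ruleset() {
    # Deny by default: nothing is forwarded unless a rule below says so.
    $IPT -P FORWARD DROP

    # Replies and related packets of connections we already accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Kerberos v5 (TCP and UDP 88), only to the KDC.
    allow "$DC_IP" tcp 88
    allow "$DC_IP" udp 88

    # CIFS/SMB (TCP 445) for the mapped drive, only to the file server.
    allow "$FILESRV_IP" tcp 445

    # Anything else the isolated host sends toward the domain: log it
    # (rate-limited so a chatty host cannot flood the log), then drop it.
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -m limit --limit 5/min \
         -j LOG --log-prefix "ISOLATED-HOST-DROP: "
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -j DROP
}

build_ruleset
```

Two things to keep in mind when using it. First, because the FORWARD policy is DROP, connections opened from the domain toward the isolated host are dropped as well; if that direction is ever wanted, it needs its own explicit rule. Second, watch the kernel log for the ISOLATED-HOST-DROP prefix after mapping the drive: if the Windows box needs a port beyond Kerberos and SMB (musicman_ace's "there may be more ports" point), that is where it will show up, and it is better to add one narrow rule for what you see than to open a range on speculation. If you follow musicman_ace's HOSTS-file suggestion, no DNS rule is needed at all.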
 
Old 09-15-2006, 07:37 AM   #4
Hunter69
LQ Newbie
 
Registered: Feb 2005
Posts: 10

Original Poster
Rep: Reputation: 0
Thank you for your help; you don't know how much I appreciate those who share their knowledge. What would be the best distro (I am a Linux newbie; I have installed Fedora and Red Hat) to use, and can you suggest specs for the box? I have read as little as a 486, but I know I can get a hold of an old 350. Anyway, thanks again



Bill

Last edited by Hunter69; 09-15-2006 at 07:50 AM.
 
Old 09-15-2006, 10:59 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by Hunter69
Thank you for your help; you don't know how much I appreciate those who share their knowledge. What would be the best distro (I am a Linux newbie; I have installed Fedora and Red Hat) to use, and can you suggest specs for the box? I have read as little as a 486, but I know I can get a hold of an old 350. Anyway, thanks again
any distro will do, so use the one you like the most... and yeah, a firewall is one of the lowest CPU-using applications, so you should be fine with pretty much anything you can find... a 350 MHz CPU is way more than enough... and like you've heard, even an i486 box would do the trick...
 
Old 09-15-2006, 01:21 PM   #6
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Rep: Reputation: 44
Do you already have a M$ ISA Server? If so, that will be fine to get things going quickly; then you could add a Linux firewall later for an extra layer.
 
  

