Logging/Blocking LAN traffic

nothing_pt · 04-26-2010, 06:43 AM

Hello,

Where I work we have a lan, it is almost 100% windows machines except for 2 CentOS machines in which some clients connect to, via VPN. (very small network, <50 ip's used)

I would like to know if there is a way to block access from that machines to others in the network.
I'm already logging traffic (with IPTraff) to see if they're accessing other machines in the network others than the ones they should connect.

Thanks in advance,
Nuno Santos

smoker · 04-26-2010, 07:18 AM

which machines are you trying to block and from where ?

nothing_pt · 04-26-2010, 08:13 AM

Quote:

Originally Posted by smoker

which machines are you trying to block and from where ?

I want to block the linux machines inside our network from acessing other machines on our network except those they must access (2 or 3 machines).

The problem is that our clients connect to those CentOS machines through VPN and they have access to all of our network. I want to limit them to only the machines they have to connect for working.

Thanks again

frndrfoe · 04-26-2010, 08:17 AM

nothing_pt · 04-26-2010, 08:30 AM

Quote:

Originally Posted by frndrfoe

DMZ?

No, i don't think it's possible for now. All because they need to work inside our network and with machines(mainly printers) that we work with too. We can't isolate the resources.

They connect to those CentOS machines, and they need to connect to more machines inside of our network (mainly printers and one or two more computers). But, since they connect through VPN they have an internal ip and can access all network.

Ahh, and our network is workgroup based, not domain. Maybe that'll change in the upcoming months but i don't know when.

Thanks,
Nuno Santos

smoker · 04-26-2010, 08:52 AM

Which internal ip addresses do they get ? If you can safely block anything coming from a local ip in the centos boxes then it should be quite straight forward.

iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT

xxx.xxx.xxx.xxx is an allowed destination, as is yyy and zzz.

those rules must come before the reject rule if they are to work.

Make sure the correct outgoing ethX name is used, and the correct ip addresses to allow.

The problem lies in allowing outgoing traffic back over the VPN.
Do the centos boxes have separate ethernet ports for internal and external networks ?

nothing_pt · 04-26-2010, 09:02 AM

Quote:

Originally Posted by smoker

Which internal ip addresses do they get ? If you can safely block anything coming from a local ip in the centos boxes then it should be quite straight forward.

iptables -A OUTPUT -o eth0 -p all -d xxx.xxx.xxx.xxx -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d yyy.yyy.yyy.yyy -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -d zzz.zzz.zzz.zzz -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j REJECT

xxx.xxx.xxx.xxx is an allowed destination, as is yyy and zzz.

those rules must come before the reject rule if they are to work.

Make sure the correct outgoing ethX name is used, and the correct ip addresses to allow.

The problem lies in allowing outgoing traffic back over the VPN.
Do the centos boxes have separate ethernet ports for internal and external networks ?

Thanks, i will try that.

smoker · 04-26-2010, 09:16 AM

I would have put a source ip in there as well, I forgot before.

as in
iptables -A OUTPUT -o eth0 -p all -s localhost -j REJECT

or

iptables -A OUTPUT -o eth0 -p all -s 192.168.1.0/24 -j REJECT