Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Disable communcation/services between eth0 and eth1

Posted on 2004-04-22
6
Medium Priority
?
619 Views
Last Modified: 2008-01-16
I have recently setup a new linux machine running Red Hat Linux. This machine is located on two network with eth0 being an internal/private network and eth1 being external. I was wondering if there is a method to stop communcation between the two network devices (including services). For example, if I connected to the machine via SSH on eth1 I do not want to able to connected to any machines located on the private network, eth0. However if I am sitting at the console I want to be able to connect to machines on both networks (eth0 and eth1).
0
Comment
Question by:commport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10890657
Is this system acting as a gateway for the private LAN? If it isn't setting a default stance of DENY for the FORWARD chain would stop someone from connecting through the box to a machine on the private LAN. That would have effect on some one opening an SSH session the this system and than starting another connection to an inside machine. While that can be blocked it would also prevent you from accessing machines on the local LAN while logged in to the console. In both cases you are running something on the system and using that to connect. That process neither knows nor cares where the user is.
0
 

Author Comment

by:commport
ID: 10892171
This system is not acting as a gateway. It is providing an NFS mount that is available on both networks(eth0 and eth1). The exact thing I am trying to prevent is using SSH to get to this machine and then using SSH from there to connect to an internal machine. I already had the FORWARD table set to DROP and ip forwarding is turned off.
0
 
LVL 9

Accepted Solution

by:
Alf666 earned 300 total points
ID: 10892292
You could try the following :

$IPTABLES -A OUTPUT -p tcp --destination-port 22  -m state --state NEW  -j DENY

This would prevent non root users to initiate an ssh session FROM this box. But a root user can always tamper with the tables.
It's not big protection, but it's already something.
0
Vim Reference Guide

Vim is a powerful text editor favored by many sysadmins and developers - here are some commands that you'll want to keep in your back pocket!

 
LVL 40

Expert Comment

by:jlevie
ID: 10892833
The conflict is that you want to be able to reach either network from a console login, but prevent anyone from leapfroging through the box. You really can't have it both ways. Once somone is logged onto the box they can do whatever you can do from a console login.
0
 
LVL 4

Expert Comment

by:bobgunzel
ID: 10897491
It should be possible to chroot the sshd service in such a way that ssh itself is not accessible.

Bob Gunzel
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10897649
Bob: This would not help much for administration !

There's not much you can do. Except restricting who can log on this box.
You could also simply chmod 700 /bin/ssh. This way, only root would have access to it.
But a clever user could simply upload another ssh client.

One thing you could do (even if it's a bit complex), is :

- Add iptables authentication mechanism
- Only allow authenticated (on a one-time basis) ssh rule on OUTPUT.

It can be tempered with by a root user, but would restrict the standard ones.

The best way however, is not to allow any unauthorized user to ssh into the box.
0

Featured Post

Quiz: What Do These Organizations Have In Common?

Hint: Their teams ended up taking quizzes, too.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question