Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 621
  • Last Modified:

Disable communcation/services between eth0 and eth1

I have recently setup a new linux machine running Red Hat Linux. This machine is located on two network with eth0 being an internal/private network and eth1 being external. I was wondering if there is a method to stop communcation between the two network devices (including services). For example, if I connected to the machine via SSH on eth1 I do not want to able to connected to any machines located on the private network, eth0. However if I am sitting at the console I want to be able to connect to machines on both networks (eth0 and eth1).
0
commport
Asked:
commport
1 Solution
 
jlevieCommented:
Is this system acting as a gateway for the private LAN? If it isn't setting a default stance of DENY for the FORWARD chain would stop someone from connecting through the box to a machine on the private LAN. That would have effect on some one opening an SSH session the this system and than starting another connection to an inside machine. While that can be blocked it would also prevent you from accessing machines on the local LAN while logged in to the console. In both cases you are running something on the system and using that to connect. That process neither knows nor cares where the user is.
0
 
commportAuthor Commented:
This system is not acting as a gateway. It is providing an NFS mount that is available on both networks(eth0 and eth1). The exact thing I am trying to prevent is using SSH to get to this machine and then using SSH from there to connect to an internal machine. I already had the FORWARD table set to DROP and ip forwarding is turned off.
0
 
Alf666Commented:
You could try the following :

$IPTABLES -A OUTPUT -p tcp --destination-port 22  -m state --state NEW  -j DENY

This would prevent non root users to initiate an ssh session FROM this box. But a root user can always tamper with the tables.
It's not big protection, but it's already something.
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 
jlevieCommented:
The conflict is that you want to be able to reach either network from a console login, but prevent anyone from leapfroging through the box. You really can't have it both ways. Once somone is logged onto the box they can do whatever you can do from a console login.
0
 
bobgunzelCommented:
It should be possible to chroot the sshd service in such a way that ssh itself is not accessible.

Bob Gunzel
0
 
Alf666Commented:
Bob: This would not help much for administration !

There's not much you can do. Except restricting who can log on this box.
You could also simply chmod 700 /bin/ssh. This way, only root would have access to it.
But a clever user could simply upload another ssh client.

One thing you could do (even if it's a bit complex), is :

- Add iptables authentication mechanism
- Only allow authenticated (on a one-time basis) ssh rule on OUTPUT.

It can be tempered with by a root user, but would restrict the standard ones.

The best way however, is not to allow any unauthorized user to ssh into the box.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now