Solved

Disable communcation/services between eth0 and eth1

Posted on 2004-04-22
6
617 Views
Last Modified: 2008-01-16
I have recently setup a new linux machine running Red Hat Linux. This machine is located on two network with eth0 being an internal/private network and eth1 being external. I was wondering if there is a method to stop communcation between the two network devices (including services). For example, if I connected to the machine via SSH on eth1 I do not want to able to connected to any machines located on the private network, eth0. However if I am sitting at the console I want to be able to connect to machines on both networks (eth0 and eth1).
0
Comment
Question by:commport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10890657
Is this system acting as a gateway for the private LAN? If it isn't setting a default stance of DENY for the FORWARD chain would stop someone from connecting through the box to a machine on the private LAN. That would have effect on some one opening an SSH session the this system and than starting another connection to an inside machine. While that can be blocked it would also prevent you from accessing machines on the local LAN while logged in to the console. In both cases you are running something on the system and using that to connect. That process neither knows nor cares where the user is.
0
 

Author Comment

by:commport
ID: 10892171
This system is not acting as a gateway. It is providing an NFS mount that is available on both networks(eth0 and eth1). The exact thing I am trying to prevent is using SSH to get to this machine and then using SSH from there to connect to an internal machine. I already had the FORWARD table set to DROP and ip forwarding is turned off.
0
 
LVL 9

Accepted Solution

by:
Alf666 earned 100 total points
ID: 10892292
You could try the following :

$IPTABLES -A OUTPUT -p tcp --destination-port 22  -m state --state NEW  -j DENY

This would prevent non root users to initiate an ssh session FROM this box. But a root user can always tamper with the tables.
It's not big protection, but it's already something.
0
What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

 
LVL 40

Expert Comment

by:jlevie
ID: 10892833
The conflict is that you want to be able to reach either network from a console login, but prevent anyone from leapfroging through the box. You really can't have it both ways. Once somone is logged onto the box they can do whatever you can do from a console login.
0
 
LVL 4

Expert Comment

by:bobgunzel
ID: 10897491
It should be possible to chroot the sshd service in such a way that ssh itself is not accessible.

Bob Gunzel
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10897649
Bob: This would not help much for administration !

There's not much you can do. Except restricting who can log on this box.
You could also simply chmod 700 /bin/ssh. This way, only root would have access to it.
But a clever user could simply upload another ssh client.

One thing you could do (even if it's a bit complex), is :

- Add iptables authentication mechanism
- Only allow authenticated (on a one-time basis) ssh rule on OUTPUT.

It can be tempered with by a root user, but would restrict the standard ones.

The best way however, is not to allow any unauthorized user to ssh into the box.
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question