Solved

Disable communcation/services between eth0 and eth1

Posted on 2004-04-22
6
610 Views
Last Modified: 2008-01-16
I have recently setup a new linux machine running Red Hat Linux. This machine is located on two network with eth0 being an internal/private network and eth1 being external. I was wondering if there is a method to stop communcation between the two network devices (including services). For example, if I connected to the machine via SSH on eth1 I do not want to able to connected to any machines located on the private network, eth0. However if I am sitting at the console I want to be able to connect to machines on both networks (eth0 and eth1).
0
Comment
Question by:commport
6 Comments
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Is this system acting as a gateway for the private LAN? If it isn't setting a default stance of DENY for the FORWARD chain would stop someone from connecting through the box to a machine on the private LAN. That would have effect on some one opening an SSH session the this system and than starting another connection to an inside machine. While that can be blocked it would also prevent you from accessing machines on the local LAN while logged in to the console. In both cases you are running something on the system and using that to connect. That process neither knows nor cares where the user is.
0
 

Author Comment

by:commport
Comment Utility
This system is not acting as a gateway. It is providing an NFS mount that is available on both networks(eth0 and eth1). The exact thing I am trying to prevent is using SSH to get to this machine and then using SSH from there to connect to an internal machine. I already had the FORWARD table set to DROP and ip forwarding is turned off.
0
 
LVL 9

Accepted Solution

by:
Alf666 earned 100 total points
Comment Utility
You could try the following :

$IPTABLES -A OUTPUT -p tcp --destination-port 22  -m state --state NEW  -j DENY

This would prevent non root users to initiate an ssh session FROM this box. But a root user can always tamper with the tables.
It's not big protection, but it's already something.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 40

Expert Comment

by:jlevie
Comment Utility
The conflict is that you want to be able to reach either network from a console login, but prevent anyone from leapfroging through the box. You really can't have it both ways. Once somone is logged onto the box they can do whatever you can do from a console login.
0
 
LVL 4

Expert Comment

by:bobgunzel
Comment Utility
It should be possible to chroot the sshd service in such a way that ssh itself is not accessible.

Bob Gunzel
0
 
LVL 9

Expert Comment

by:Alf666
Comment Utility
Bob: This would not help much for administration !

There's not much you can do. Except restricting who can log on this box.
You could also simply chmod 700 /bin/ssh. This way, only root would have access to it.
But a clever user could simply upload another ssh client.

One thing you could do (even if it's a bit complex), is :

- Add iptables authentication mechanism
- Only allow authenticated (on a one-time basis) ssh rule on OUTPUT.

It can be tempered with by a root user, but would restrict the standard ones.

The best way however, is not to allow any unauthorized user to ssh into the box.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now