Solved

Disable communication/services between eth0 and eth1

Posted on 2004-04-22
Last Modified: 2008-01-16
I have recently set up a new Linux machine running Red Hat Linux. This machine is located on two networks, with eth0 being an internal/private network and eth1 being external. I was wondering if there is a method to stop communication between the two network devices (including services). For example, if I connected to the machine via SSH on eth1 I do not want to be able to connect to any machines located on the private network, eth0. However, if I am sitting at the console I want to be able to connect to machines on both networks (eth0 and eth1).
Question by:commport
6 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10890657
Is this system acting as a gateway for the private LAN? If it isn't, setting a default stance of DENY for the FORWARD chain would stop someone from connecting through the box to a machine on the private LAN. That would have effect on someone opening an SSH session to this system and then starting another connection to an inside machine. While that can be blocked, it would also prevent you from accessing machines on the local LAN while logged in to the console. In both cases you are running something on the system and using that to connect. That process neither knows nor cares where the user is.
 

Author Comment

by:commport
ID: 10892171
This system is not acting as a gateway. It is providing an NFS mount that is available on both networks (eth0 and eth1). The exact thing I am trying to prevent is using SSH to get to this machine and then using SSH from there to connect to an internal machine. I already had the FORWARD table set to DROP and IP forwarding is turned off.
 
LVL 9

Accepted Solution

by:Alf666 (earned 100 total points)
ID: 10892292
You could try the following:

# $IPTABLES holds the path to the iptables binary; DENY is an ipchains target, the iptables equivalent is DROP
$IPTABLES -A OUTPUT -p tcp --destination-port 22 -m state --state NEW -j DROP

This would prevent non-root users from initiating an ssh session FROM this box. But a root user can always tamper with the tables.
It's not big protection, but it's already something.
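The accepted rule above blocks new outbound SSH for every local user, root included. The script below is an added example (not code from the thread or from any of the posters) that narrows the same OUTPUT-chain idea with the iptables owner match: members of one admin group may open SSH sessions toward the private side, everyone else is rejected and logged, and the FORWARD path the asker already closed is stated explicitly. The interface name eth0, the 192.168.0.0/24 range and the group name wheel are placeholders, and it assumes a Linux kernel with the owner and conntrack matches. As Alf666 says, root can still rewrite the tables.

```shell
#!/bin/sh
# Added example, not from the thread: limit outbound SSH from a dual-homed host
# toward the private side to members of one admin group. Assumes Linux iptables
# with the owner and conntrack matches; interface, network and group names are
# placeholders. Root can still rewrite these tables, so this only constrains
# ordinary users.
IPTABLES="${IPTABLES:-iptables}"
INT_IF="${INT_IF:-eth0}"               # private interface, as in the question
INT_NET="${INT_NET:-192.168.0.0/24}"   # constructed private range (placeholder)
ADMIN_GROUP="${ADMIN_GROUP:-wheel}"    # assumed group allowed to reach eth0 hosts

# Emit the rule set as text so it can be reviewed before it is applied.
# Order matters: the ACCEPT for the admin group comes first, the LOG is
# non-terminating so it must precede the REJECT that ends evaluation.
egress_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
$IPTABLES -P FORWARD DROP
$IPTABLES -A OUTPUT -o $INT_IF -d $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m owner --gid-owner $ADMIN_GROUP -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -d $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-egress-denied: "
$IPTABLES -A OUTPUT -o $INT_IF -d $INT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
EOF
}

# Number of commands that would be run (useful when reviewing the output).
rule_count() {
    egress_rules | wc -l | tr -d ' '
}

# Dry run by default; pass --apply (as root) to execute the commands.
if [ "${1:-}" = "--apply" ]; then
    egress_rules | sh -e
else
    egress_rules
fi
```

The owner match only exists in the OUTPUT chain, which is exactly where locally originated sessions appear; it cannot tell a console login from an SSH login (jlevie's point), so the group membership is the practical line to draw. The LOG line gives the syslog trail that makes a denied pivot attempt visible.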

 
LVL 40

Expert Comment

by:jlevie
ID: 10892833
The conflict is that you want to be able to reach either network from a console login, but prevent anyone from leapfrogging through the box. You really can't have it both ways. Once someone is logged onto the box they can do whatever you can do from a console login.
 
LVL 4

Expert Comment

by:bobgunzel
ID: 10897491
It should be possible to chroot the sshd service in such a way that ssh itself is not accessible.

Bob Gunzel
 
LVL 9

Expert Comment

by:Alf666
ID: 10897649
Bob: This would not help much for administration!

There's not much you can do, except restricting who can log on to this box.
You could also simply chmod 700 /bin/ssh. This way, only root would have access to it.
But a clever user could simply upload another ssh client.

One thing you could do (even if it's a bit complex) is:

- Add an iptables authentication mechanism
- Only allow an authenticated (on a one-time basis) ssh rule on OUTPUT.

It can be tampered with by a root user, but would restrict the standard ones.

The best way, however, is not to allow any unauthorized user to ssh into the box.
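Alf666's last two suggestions, restricting who can log in and locking down the ssh client, can be expressed as an sshd_config fragment plus a permission change. The script below is an added example (not from the thread) and assumes OpenSSH's Match syntax and an Include-capable sshd_config.d directory; the group wheel, the external range 203.0.113.0/24 and the client path are placeholders. It uses a group-restricted client (mode 0750) rather than chmod 700 so non-root administrators keep it, and it turns off SSH-level forwarding for sessions arriving from the external side, which is a pivot path that FORWARD DROP and ip_forward=0 do not cover.

```shell
#!/bin/sh
# Added example, not from the thread: restrict who may log in over SSH and keep
# the ssh client usable by an admin group instead of root alone. Assumes
# OpenSSH "Match" blocks and an sshd_config.d Include directory; the group,
# external range and client path are placeholders.
ADMIN_GROUP="${ADMIN_GROUP:-wheel}"
EXT_NET="${EXT_NET:-203.0.113.0/24}"   # constructed external range (placeholder)
SSH_BIN="${SSH_BIN:-/usr/bin/ssh}"     # assumed client path

# sshd_config fragment: only the admin group may log in at all, and sessions
# that arrive from the external side get no SSH-level forwarding or tunnels,
# so sshd itself cannot be used as a relay toward the private network.
sshd_fragment() {
    cat <<EOF
AllowGroups $ADMIN_GROUP
Match Address $EXT_NET
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Make the client binary group-executable only: group members keep it, other
# users cannot run it. A determined user could still upload another client,
# as the thread notes, so this is a speed bump rather than a boundary.
restrict_client() {
    f="$1"; g="$2"
    chgrp "$g" "$f" && chmod 0750 "$f"
}

# Permission string of a file as ls -l shows it (first ten characters).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Dry run by default; --apply (as root) installs the fragment and restricts
# the client. The fragment must be followed by an sshd reload to take effect.
if [ "${1:-}" = "--apply" ]; then
    sshd_fragment > /etc/ssh/sshd_config.d/50-no-pivot.conf
    restrict_client "$SSH_BIN" "$ADMIN_GROUP"
else
    sshd_fragment
fi
```

Run `sshd -t` after installing the fragment to confirm the syntax before reloading, and keep an existing session open while you do it so a mistake in AllowGroups cannot lock you out.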