Linux ipsec / firewall between interfaces

Posted on 2009-05-13
Last Modified: 2012-05-06
Hi,

I have a server that has 2 NICs.
Let's say they are configured this way:

NIC1: 172.30.1.1

NIC2: 192.168.1.1

NIC1 is an external network, NIC2 is an internal network. Both interfaces are used to access a webserver.

What I want to prevent is that, if somebody from NIC1 somehow infiltrates the server, they are able to get out through NIC2. Is this possible using ipsec?
Also, traffic from NIC1 should never be able to get to NIC2 in general.
Question by:Cherubim
 
LVL 1

Accepted Solution

by: silk600 earned 500 total points
ID: 24374651
I'm assuming you mean iptables, not IPSec.

As long as the computer isn't configured for IP forwarding and the default policies are set to default deny, then traffic will only be allowed through interfaces when you specifically allow it. Also, traffic will not be passed between interfaces by default. Check forwarding with the command:

cat /proc/sys/net/ipv4/ip_forward

(should be 0 if forwarding is disabled)

To check the default policies use

iptables -L

To set the default policies to deny, use

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then you must allow the specific traffic that you want to accept. For web browsing, you will need to allow port 80 and port 53 outgoing (web and DNS).

# allow stateful connections (replies from web and dns servers)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow dns requests
iptables -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 --sport 1024:65535 -j ACCEPT

#allow outgoing web access
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT


It would be best for you to put these commands in a script that runs on startup, as the rules will be cleared on reboot. Any other traffic you wish to allow must also be specifically allowed. You will need to be root to manipulate iptables.

Also, it should be noted that if your webserver is compromised, an attacker may be able to change the rules anyway.
 
LVL 3

Author Comment

by:Cherubim
ID: 24374711
Yeah, I meant iptables, sorry, my bad.

I already thought about the situation that an intruder might be able to change the rules, but at least it will be a little more hassle.
 
LVL 1

Expert Comment

by:silk600
ID: 24375035
Is the server with two NICs the webserver, or is it a different server that needs access to internal and external websites?

If the dual-homed server is the webserver, then the commands I gave you must be adjusted to allow input, not output:

iptables -A INPUT -i eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

and so on.

Also, there is no need to allow inbound (or outbound) DNS, in this case.
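As an added example (not code from the thread), this script ties together the accepted answer's default-deny setup and the adjustment above for the case where the dual-homed host is itself the webserver: it checks that forwarding is off and emits a persistent ruleset in iptables-restore format, which also addresses the rules being lost on reboot. The interface names eth0 (external) and eth1 (internal), the choice of serving only ports 80 and 443 inbound, and the logging of blocked cross-NIC packets are assumptions.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a dual-homed webserver.
# Assumptions: eth0 = external (172.30.1.1), eth1 = internal (192.168.1.1);
# the host serves HTTP/HTTPS on both NICs and never forwards between them.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Returns 0 when the given sysctl file (default: the live one) reads "0",
# i.e. the kernel will not route packets from one NIC out the other.
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Emit the ruleset; load it with: gen_ruleset | iptables-restore (as root).
# All three chains default to DROP, so anything not listed here is refused,
# and FORWARD attempts are logged before the policy drops them.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -i $INT_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-BLOCKED: "
COMMIT
EOF
}

# Stand-alone use: refuse to print a ruleset if forwarding is still on.
if [ "${1:-}" = "--print" ]; then
    forwarding_disabled || { echo "ip_forward is enabled; disable it first" >&2; exit 1; }
    gen_ruleset
fi
```

Because no outbound NEW connections are allowed at all in this variant, a process on the compromised webserver cannot initiate connections out of either NIC; add explicit OUTPUT rules only for what the host genuinely needs.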
 
LVL 3

Author Comment

by:Cherubim
ID: 24375292
The server with two NICs is the webserver.