Linux ipsec / firewall between interfaces

Posted on 2009-05-13
Last Modified: 2012-05-06
Hi,

I have a server that has 2 NICs.
Let's say they are configured this way:

NIC1: 172.30.1.1

NIC2: 192.168.1.1

NIC1 is an external network, NIC2 is an internal network. Both interfaces are used to access a webserver.

What I want to prevent is that somebody who infiltrates the server from NIC1 is able to get out through NIC2. Is this possible using ipsec?
Also, traffic from NIC1 should never be able to get to NIC2 in general.
Question by:Cherubim
4 Comments
Accepted Solution by silk600 (earned 500 total points)
ID: 24374651
I'm assuming you mean iptables, not IPSec.

As long as the computer isn't configured for IP forwarding (check with the command

cat /proc/sys/net/ipv4/ip_forward

which should print 0 if forwarding is disabled)

and the default policies are set to default deny, then traffic will only be allowed through interfaces when you specifically allow it. Also, traffic will not be passed between interfaces by default.

To check the default policies use

iptables -L

To set the default policies to deny, use

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then you must allow the specific traffic that you want to accept. For web browsing, you will need to allow port 80 and port 53 outgoing (web and DNS).

# allow stateful connections (replies from web and dns servers)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow DNS requests
iptables -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 --sport 1024:65535 -j ACCEPT

# allow outgoing web access
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT


It would be best for you to put these commands in a script that runs on startup, as the rules will be cleared on reboot. Any other traffic you wish to allow must also be specifically allowed. You will need to be root to manipulate iptables.

Also, it should be noted that if your webserver is compromised, an attacker may be able to change the rules anyway.
Author Comment by Cherubim
ID: 24374711
Yeah, I meant iptables, sorry, my bad.

I already thought about the situation that an intruder might be able to change the rules, but at least it will be a little more hassle.
Expert Comment by silk600
ID: 24375035
Is the server with two NICs the webserver, or is it a different server that needs access to internal and external websites?

If the dual-homed server is the webserver, then the commands I gave you must be adjusted to allow input, not output:

iptables -A INPUT -i eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

and so on.

Also, there is no need to allow inbound (or outbound) DNS, in this case.
Author Comment by Cherubim
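The two comments above (default-deny policies, stateful replies, and INPUT rules because the dual-homed host is itself the webserver) combined into one ruleset, as an added example that is not code from the thread. It assumes eth0 is NIC1 (external) and eth1 is NIC2 (internal), builds the rules in iptables-restore format so they can be applied atomically from a startup script, and additionally keeps the kernel forwarding switch off and logs any packet that tries to cross between the two NICs.

```shell
#!/bin/sh
# Added example for the dual-homed webserver in this thread (not from the thread).
# Assumed mapping: eth0 = NIC1 (external 172.30.1.1), eth1 = NIC2 (internal 192.168.1.1).

# Succeed (exit 0) only when the forwarding switch in FILE reads 0.
# On a live host pass /proc/sys/net/ipv4/ip_forward.
forwarding_disabled() {
    [ "$(cat "$1")" = "0" ]
}

# Emit a default-deny ruleset for iptables-restore. $1 = external NIC, $2 = internal NIC.
# The host answers HTTP/HTTPS on both NICs, keeps already-accepted flows alive,
# and never forwards between the two interfaces; crossing attempts are logged.
gen_rules() {
    ext=$1; int=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by most local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the host already accepted (stateful, as in the thread)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the webserver listens on both networks, so allow INPUT, not OUTPUT
-A INPUT -i $ext -p tcp --dport 80 -j ACCEPT
-A INPUT -i $ext -p tcp --dport 443 -j ACCEPT
-A INPUT -i $int -p tcp --dport 80 -j ACCEPT
-A INPUT -i $int -p tcp --dport 443 -j ACCEPT
# FORWARD policy is DROP; these rules only record anything that tries to cross
-A FORWARD -i $ext -o $int -j LOG --log-prefix "fw-ext-to-int: "
-A FORWARD -i $int -o $ext -j LOG --log-prefix "fw-int-to-ext: "
COMMIT
EOF
}

# Audit helper: number of FORWARD rules that would ACCEPT a packet between NICs (expect 0).
cross_accepts() {
    gen_rules "$1" "$2" | grep -c -- "-A FORWARD.*-j ACCEPT" || true
}

# Apply as root: "sh firewall.sh apply" from a startup script so the rules survive reboot.
if [ "${1:-}" = "apply" ]; then
    forwarding_disabled /proc/sys/net/ipv4/ip_forward || sysctl -w net.ipv4.ip_forward=0
    gen_rules eth0 eth1 | iptables-restore
fi
```

Run `sh firewall.sh` with no argument to just define the functions, or `gen_rules eth0 eth1` to review the generated ruleset before applying it.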
ID: 24375292
The server with two NICs is the webserver.