Solved

Linux ipsec / firewall between interfaces

Posted on 2009-05-13
4
371 Views
Last Modified: 2012-05-06
Hi,

I have a server that has 2 NICs.
Lets say they are configured this way:

NIC1: 172.30.1.1

NIC2: 192.168.1.1

NIC1 is an external network, NIC2 is an internal network. Both interfaces are used to access a webserver.

What I want to prevent is that if somehow somebody from NIC1 infiltrates the server is able to get out through NIC2. Is this possible using ipsec?
Also traffic form NIC1 should never be able to get to NIC2 in general.
0
Comment
Question by:Cherubim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 1

Accepted Solution

by:
silk600 earned 500 total points
ID: 24374651
I'm assuming you mean iptables, not IPSec.

As long as the computer isn't configured for IP forwarding (Check with the command:

cat /proc/sys/net/ip4v/ip_forward

, should be 0 if forwarding is disabled)

and the default policies are set to default deny, then traffic will only be allowed through interfaces when you specifically allow it. Also, traffic will not be passed between interfaces by default.

To check the default policies use

iptables -L

To set the default policies to deny, use

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then you must allow the specific traffic that you want to accept. For web browsing, you will need to allow port 80 and port 53 outgoing (web and DNS)

# allow stateful connections (replies from web and dns servers)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow dns requests
iptables -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 --sport 1024:65535 -j ACCEPT

#allow outgoing web access
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT


It would be best for you to put these commands in a script that runs on startup, as the rules will be cleared on reboot. Any other traffic you wish to allow must also be specifically allowed. You will need to be root to manipulate iptables.

Also, it should be noted that if your webserver is compromised, an attacker may be able to change the rules anyway.
0
 
LVL 3

Author Comment

by:Cherubim
ID: 24374711
Yeah i meant iptables, sorry my bad.

I already thought about the situation that an intruder might be able to change the rules, but at least it will be a little more hassle.
0
 
LVL 1

Expert Comment

by:silk600
ID: 24375035
Is the server with two NICs the webserver, or is it a different server that needs access to internal and external websites?

If the dual-homed server is the webserver, then the commands I gave you must be adjusted to allow input, not output

iptables -A INPUT -i eth0 -p --dport 80 --sport 1024:65535 -j ACCEPT

and so on.

Also, there is no need to allow inbound (or outbound) DNS, in this case.
0
 
LVL 3

Author Comment

by:Cherubim
ID: 24375292
The server with two NICs is the webserver.
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Fine Tune your automatic Updates for Ubuntu / Debian
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question