Solved

Linux ipsec / firewall between interfaces

Posted on 2009-05-13
4
353 Views
Last Modified: 2012-05-06
Hi,

I have a server that has 2 NICs.
Lets say they are configured this way:

NIC1: 172.30.1.1

NIC2: 192.168.1.1

NIC1 is an external network, NIC2 is an internal network. Both interfaces are used to access a webserver.

What I want to prevent is that if somehow somebody from NIC1 infiltrates the server is able to get out through NIC2. Is this possible using ipsec?
Also traffic form NIC1 should never be able to get to NIC2 in general.
0
Comment
Question by:Cherubim
  • 2
  • 2
4 Comments
 
LVL 1

Accepted Solution

by:
silk600 earned 500 total points
ID: 24374651
I'm assuming you mean iptables, not IPSec.

As long as the computer isn't configured for IP forwarding (Check with the command:

cat /proc/sys/net/ip4v/ip_forward

, should be 0 if forwarding is disabled)

and the default policies are set to default deny, then traffic will only be allowed through interfaces when you specifically allow it. Also, traffic will not be passed between interfaces by default.

To check the default policies use

iptables -L

To set the default policies to deny, use

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then you must allow the specific traffic that you want to accept. For web browsing, you will need to allow port 80 and port 53 outgoing (web and DNS)

# allow stateful connections (replies from web and dns servers)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow dns requests
iptables -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport 53 --sport 1024:65535 -j ACCEPT

#allow outgoing web access
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 8080 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 443 --sport 1024:65535 -j ACCEPT


It would be best for you to put these commands in a script that runs on startup, as the rules will be cleared on reboot. Any other traffic you wish to allow must also be specifically allowed. You will need to be root to manipulate iptables.

Also, it should be noted that if your webserver is compromised, an attacker may be able to change the rules anyway.
0
 
LVL 3

Author Comment

by:Cherubim
ID: 24374711
Yeah i meant iptables, sorry my bad.

I already thought about the situation that an intruder might be able to change the rules, but at least it will be a little more hassle.
0
 
LVL 1

Expert Comment

by:silk600
ID: 24375035
Is the server with two NICs the webserver, or is it a different server that needs access to internal and external websites?

If the dual-homed server is the webserver, then the commands I gave you must be adjusted to allow input, not output

iptables -A INPUT -i eth0 -p --dport 80 --sport 1024:65535 -j ACCEPT

and so on.

Also, there is no need to allow inbound (or outbound) DNS, in this case.
0
 
LVL 3

Author Comment

by:Cherubim
ID: 24375292
The server with two NICs is the webserver.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question