N00b2015

asked on
Isolate Linux PC on Home network

Hi All!!

Is it possible to isolate a small Linux box computer from the rest of my home network but still have internet capabilities? My home network connects to a single router which has various devices connected to it, such as Windows machines and other devices (not many but some).

The idea is, if the Linux PC or other devices are compromised, it will not affect the others. I would also like to port-forward the Linux box for remote use. So by isolating it from the network I can minimise the risks if any.

I understand that the likelihood of Linux devices infecting Windows (or vice versa) is rare but I'd still like to achieve this.

After doing research, I have come up with the below...

  • Installing/Configuring A/V on the Linux Terminal
  • Using IPtables to restrict other devices accessing. - Complete newbie to this but would appreciate some guidance.
  • Different IP Subnets.

I would very much appreciate it if someone would be able to assist me in understanding and designing a solution.

Thank you!!
arnold

I do not believe you clearly outline what it is you want.
You could put the Linux box in a DMZ. As for your second item: while you would be able to connect remotely to the Linux box, because it is in the DMZ and isolated it cannot be used to forward access into other systems on the LAN. Systems on the LAN could access the Linux box.

Not sure why you look at two-factor authentication for the Linux box...
N00b2015 (ASKER)

I'll try and clarify, thank you.

As all my devices are on a single home network, they have the potential to see other devices within. I understand that this can be restricted by using the standard O/S firewalls, but let's say for this purpose that all devices can communicate and that the firewalls are off.

I have 2 Windows-based machines and 1 Linux in my network connected to my ISP's router. If one of the above PCs is compromised, it has the possibility to spread through the network.

I would like to make my Linux PC a webserver and I would like to administer it remotely using port forwarding. By doing this, I understand that there could be a potential (albeit small) risk in doing so. So, my idea was to isolate the Linux PC on, say, its own network which cannot communicate with any other device at home.

If I place the Linux PC in the DMZ, this would actually make that particular box less secure, am I right in saying that? This is something I would not like to do. I was hoping to have it set up in a way that it is isolated on its own network, protected, and port forwarding possible.

Hope that makes sense
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.

This is brilliant Arnold, thank you. For my understanding: I could use an AV also on my Linux box as well as the security you have mentioned? In regards to port forwarding (apologies for this, I'm a noobie as my username suggests) I'm just getting my head around this... So, if I port forward to a random port, say 423, other than the standard port 80, would that make it safer? Can attackers scan my open ports if I don't configure this right? What would be the best method of configuring port forwarding through your recommendations? Thanks again!
SOLUTION

This solution is only available to members.

Great, thank you David!!

So, what I plan to do is put the Linux webserver into my home router's DMZ. I will also use a dynamic IP host service such as noip so that I can access the server dynamically.

I'll also connect the Linux box physically to my router and use iptables as recommended. When you mention allowing 0 ports/protocols for it to be accessible to other devices in the network, I presume you mean for it to be accessible for other devices within the DMZ? Slightly confused here (sorry)
SOLUTION

This solution is only available to members.

Thank you Arnold.

I have just added the Linux box to the DMZ in my router settings but I am still able to see the other computers on the network? I was under the impression by doing so it would have been separate.

This might be possible, depending on the exact network chip implementing your Ethernet.

In general, a DMZ is exactly that, a DMZ, through which all packets flow upstream + downstream.

So all machines past your DMZ can only see the DMZ (can't see anything else upstream).

Then depending on your iptables rules, machines connected to the DMZ may or may not be able to contact other machines.
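As an added illustration of the kind of iptables ruleset David refers to (this is not code from any post in the thread), the script below lets the Linux box reach the internet and accept the forwarded web and SSH ports, while refusing to talk to anything else on the home LAN. The LAN range 192.168.1.0/24, the router address 192.168.1.1 and the ports 22/80/443 are assumptions; check your own with `ip route` and adjust the variables.

```shell
#!/bin/sh
# Added example, not from the thread: isolate a Linux web server from the
# rest of a home LAN with iptables while keeping internet access.
# Assumed values (override via environment): LAN_NET, GATEWAY, IPT.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed home LAN range
GATEWAY="${GATEWAY:-192.168.1.1}"      # assumed router (default gateway, DNS, DHCP)
IPT="${IPT:-iptables}"                 # firewall command to drive

# Emit the ruleset one rule per line so it can be reviewed before applying.
# Order matters: the LAN drop sits before the port accepts, so LAN hosts
# cannot reach the server even on the published ports.
build_rules() {
  cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $LAN_NET -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $GATEWAY -p udp --dport 53 -j ACCEPT
-A OUTPUT -d $GATEWAY -p udp --dport 67 -j ACCEPT
-A OUTPUT -d $LAN_NET -j DROP
EOF
}

# Apply the ruleset through the given command. Pass "echo" for a dry run
# that prints each command instead of changing the firewall.
apply_rules() {
  cmd="$1"
  "$cmd" -F            # flush existing rules in the filter table
  "$cmd" -X            # delete user-defined chains
  build_rules | while IFS= read -r rule; do
    # word-splitting of $rule into separate arguments is intended
    "$cmd" $rule
  done
}

# Usage: sh isolate.sh --dry-run   (review)   |   sudo sh isolate.sh --apply
if [ "${1:-}" = "--dry-run" ]; then
  apply_rules echo
elif [ "${1:-}" = "--apply" ]; then
  apply_rules "$IPT"
fi
```

Two caveats a practitioner should check before relying on this: if the router rewrites the source address of forwarded connections (some consumer routers do), the inbound traffic arrives from the router's LAN address and is dropped by the LAN rule, which you can confirm by watching the per-rule counters in `iptables -nvL`. The rules are also not persistent across reboots on their own; the distribution's own mechanism for saving iptables rules is needed for that.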
Thanks David, I guess there's just more tinkering on my side to restrict this. One thing I notice when placing the Linux box in the DMZ or even port forwarding: it is extremely slow and the webpage doesn't display properly. Is that a common issue?
SOLUTION

This solution is only available to members.

What router do you have?

What do you mean see?
Result: it was just a WordPress issue. I had to set the options to display the DDNS address, as it was pointing to the local host IP. Now that works perfectly.

I now just need to work out how to secure the DMZ so that it cannot see any of the other devices on the network below. I'll try to use iptables as per your suggestion. Will be a tricky task!

Thank you both Arnold and David!!
You're welcome!