I need to allow public access to a web server on one computer on my network. I'm forwarding from the main firewall to the computer. The computer sits behind its own local router, and it's on its own physical subnet.
I think all I need to do is something like this at the local router:
iptables -A INPUT -p TCP !--syn --interface vlanX --destination 192.168.0.0/16 -J ACCEPT iptables -A INPUT -p TCP !--syn --interface vlanX --sport 80 -J ACCEPT iptables -A INPUT --interface vlanX -J DROP
In other words, only allow returning http connections and returning connections from the local network (so I can get in with ssh).
Anyone see anything wrong with this?
--Yan
Les réponses au message de CptDondo (yan@NsOeSiPnAeMr.com)
CptDondo wrote: > I need to allow public access to a web server on one computer on my > network. I'm forwarding from the main firewall to the computer. The > computer sits behind its own local router, and it's on its own physical > subnet. > I think all I need to do is something like this at the local router: > iptables -A INPUT -p TCP !--syn --interface vlanX --destination > 192.168.0.0/16 -J ACCEPT > iptables -A INPUT -p TCP !--syn --interface vlanX --sport 80 -J ACCEPT > iptables -A INPUT --interface vlanX -J DROP > In other words, only allow returning http connections and returning > connections from the local network (so I can get in with ssh). > Anyone see anything wrong with this? > --Yan
Hello Yan,
It looks like you are using the wrong iptables chain here, use FORWARD instead of the current one, which is used to filter routing traffic assuming you are configuring your local router as noted on your post. Also i advice you to have a look at iptables' statefull inspection functionality (look at the state module in the man)
Leander de Graaf wrote: > CptDondo wrote: >> I need to allow public access to a web server on one computer on my >> network. I'm forwarding from the main firewall to the computer. The >> computer sits behind its own local router, and it's on its own >> physical subnet. >>> I think all I need to do is something like this at the local router: >>> iptables -A INPUT -p TCP !--syn --interface vlanX --destination >> 192.168.0.0/16 -J ACCEPT >> iptables -A INPUT -p TCP !--syn --interface vlanX --sport 80 -J ACCEPT >> iptables -A INPUT --interface vlanX -J DROP >>> In other words, only allow returning http connections and returning >> connections from the local network (so I can get in with ssh). >>> Anyone see anything wrong with this? >>> --Yan > Hello Yan, > It looks like you are using the wrong iptables chain here, use FORWARD > instead of the current one, which is used to filter routing traffic > assuming you are configuring your local router as noted on your post. > Also i advice you to have a look at iptables' statefull inspection > functionality (look at the state module in the man)
It's been a while since I've used iptables...
I am trying to completely box this computer in... If it is compromised, I don't want it to have any chance of even connecting to the router. That's why I picked the INPUT chain. Maybe I need to read up on iptables again....
What advantage would stateful inspection give me over the --syn packet stuff?
CptDondo wrote: > Leander de Graaf wrote: >> CptDondo wrote: >>> I need to allow public access to a web server on one computer on my >>> network. I'm forwarding from the main firewall to the computer. The >>> computer sits behind its own local router, and it's on its own >>> physical subnet. >>>>> I think all I need to do is something like this at the local router: >>>>> iptables -A INPUT -p TCP !--syn --interface vlanX --destination >>> 192.168.0.0/16 -J ACCEPT >>> iptables -A INPUT -p TCP !--syn --interface vlanX --sport 80 -J ACCEPT >>> iptables -A INPUT --interface vlanX -J DROP >>>>> In other words, only allow returning http connections and returning >>> connections from the local network (so I can get in with ssh). >>>>> Anyone see anything wrong with this? >>>>> --Yan >>> Hello Yan, >>> It looks like you are using the wrong iptables chain here, use FORWARD >> instead of the current one, which is used to filter routing traffic >> assuming you are configuring your local router as noted on your post. >> Also i advice you to have a look at iptables' statefull inspection >> functionality (look at the state module in the man) > It's been a while since I've used iptables... > I am trying to completely box this computer in... If it is compromised, > I don't want it to have any chance of even connecting to the router. > That's why I picked the INPUT chain. Maybe I need to read up on > iptables again.... > What advantage would stateful inspection give me over the --syn packet > stuff?
Having iptables only check on the packet flags without knowing what has been going on in advance is not a very secure practice. Anyone trying to abuse your net can possibly generate packets that can bypass the firewall rules and reach your webserver. I have used this way on many boxes and know it works flawlessly.
Greetings, Leander de Graaf
Vulnerabilite.com ne peut être tenu responsable des propos tenus dans le Newsgroup comp.os.linux.security
Message de Leander De Graaf (unreachable@invalid) (03 Aout 2007)