I am hosting web services to the public, the webserver got 2x interfaces; one pointing to my network LAN (10.x.x.x) and the other one connecting to the DMZ 192.x.x.x of the PIX. Inside PIX I blocked every protocol except WWW and DNS. From inside the LAN I did the following rules to allow outgoing ssh, Oracle ports, www, ... from the private network.
I want to add more rules via iptables to _protect_ my internal LAN from the public packets, i.e. to block any forwarded packets to my internal LAN.
Madunix schrieb:
> I am hosting web services to the public, the webserver got 2x
> interfaces; one pointing to my network LAN (10.x.x.x)
> and the other one connecting to the DMZ 192.x.x.x of the PIX.
> Inside PIX I blocked every protocol except WWW and DNS.
> From inside the LAN I did the following rules to allow outgoing ssh,
> Oracle ports, www, ... from the private network.
> I want to add more rules via iptables to _protect_ my internal LAN
> from the public packets, i.e.
> to block any forwarded packets to my internal LAN
>
> Destination    Gateway      Genmask        Iface
> 10.5.0.0       0.0.0.0      255.255.0.0    eth0
> 169.254.0.0    0.0.0.0      255.255.0.0    eth1
> 192.x.0.0      0.0.0.0      255.255.0.0    eth1
> 10.0.0.0       10.5.0.1     255.0.0.0      eth0
> 0.0.0.0        192.x.x.1    0.0.0.0        eth1

This needs a bit more explanation to be clear. Please make an artwork of the topology of your networks and hosts.

Greets
Chris
On Aug 5, 10:44 pm, Christoph Scheurer wrote:
> This needs a bit more explanation to be clear. Please make an
> artwork of the topology of your networks and hosts.
> Greets
> Chris

Internet --------FW-------
DMZ----------192.x.x.x---------------------|------Web
                                           |----------------------------LAN
                                                                        10.x.x.x
Madunix schrieb:
> On Aug 5, 10:44 pm, Christoph Scheurer wrote:
>> This needs a bit more explanation to be clear. Please make an
>> artwork of the topology of your networks and hosts.
>
> Internet --------FW-------
> DMZ----------192.x.x.x---------------------|------Web
>                                            |----------------------------LAN
>                                                                         10.x.x.x

For protecting the Intranet, you could use:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp --syn -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -i eth0 -o eth1 -j ACCEPT

That would be a stateful filter which allows all traffic originating from the Intranet and blocks everything trying to get inside.
It can be refined.
Greets Chris
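A fuller version of the stateful FORWARD filter Chris describes, as an added example that is not from the thread. It assumes eth0 is the LAN interface and eth1 the DMZ interface (as the routing table posted above indicates), sets a default DROP policy so that forwarded packets towards the LAN are discarded unless they belong to a connection the LAN opened, and includes a small pure-shell check that walks sample packets through the same rule order without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Stateful FORWARD policy for the
# dual-homed web server. Assumed from the routing table posted above:
# eth0 is the LAN side (10.x.x.x), eth1 is the DMZ side (192.x.x.x).
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"

# Emit the iptables commands. Policy DROP means anything not explicitly
# allowed (e.g. a NEW connection arriving from the DMZ towards the LAN)
# is discarded; replies to LAN-initiated flows match on conntrack state,
# so no per-port holes are needed for ssh, Oracle, www, ...
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp --syn -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Walk one packet through the same rules in order, without touching the
# kernel, so the policy can be checked offline (TCP --syn is assumed).
# Usage: forward_verdict STATE PROTO IN_IF OUT_IF  -> ACCEPT or DROP
forward_verdict() {
    case $1 in
        INVALID) echo DROP; return ;;
        ESTABLISHED|RELATED) echo ACCEPT; return ;;
        NEW) ;;
        *) echo DROP; return ;;
    esac
    # Only NEW tcp/udp flows entering on the LAN side and leaving on the
    # DMZ side are allowed; everything else falls through to LOG + DROP.
    if [ "$3" = "$LAN_IF" ] && [ "$4" = "$DMZ_IF" ]; then
        case $2 in tcp|udp) echo ACCEPT; return ;; esac
    fi
    echo DROP
}

# Print the rules by default; apply them only on explicit request as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    forward_rules | sh
else
    forward_rules
fi
```

Running the script without arguments only prints the rules, so the generated policy can be reviewed before `--apply` loads it on the web server.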