Isolating a subnet - Security


Thread: Isolating a subnet

  1. Isolating a subnet

    I need to allow public access to a web server on one computer on my
    network. I'm forwarding from the main firewall to the computer. The
    computer sits behind its own local router, and it's on its own physical
    subnet.

    I think all I need to do is something like this at the local router:

    iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
    iptables -A INPUT --in-interface vlanX -j DROP

    In other words, only allow returning http connections and returning
    connections from the local network (so I can get in with ssh).

    Anyone see anything wrong with this?

    --Yan

  2. Re: Isolating a subnet

    CptDondo wrote:
    > I need to allow public access to a web server on one computer on my
    > network. I'm forwarding from the main firewall to the computer. The
    > computer sits behind its own local router, and it's on its own physical
    > subnet.
    >
    > I think all I need to do is something like this at the local router:
    >
    > iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
    > iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
    > iptables -A INPUT --in-interface vlanX -j DROP
    >
    > In other words, only allow returning http connections and returning
    > connections from the local network (so I can get in with ssh).
    >
    > Anyone see anything wrong with this?
    >
    > --Yan


    Hello Yan,

    It looks like you are using the wrong iptables chain here; use FORWARD
    instead of the current one, as FORWARD is the chain that filters routed
    traffic, assuming you are configuring your local router as noted in your
    post. Also, I advise you to have a look at iptables' stateful inspection
    functionality (look at the state module in the man page).

  3. Re: Isolating a subnet

    Leander de Graaf wrote:
    > CptDondo wrote:
    >> I need to allow public access to a web server on one computer on my
    >> network. I'm forwarding from the main firewall to the computer. The
    >> computer sits behind its own local router, and it's on its own
    >> physical subnet.
    >>
    >> I think all I need to do is something like this at the local router:
    >>
    >> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
    >> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
    >> iptables -A INPUT --in-interface vlanX -j DROP
    >>
    >> In other words, only allow returning http connections and returning
    >> connections from the local network (so I can get in with ssh).
    >>
    >> Anyone see anything wrong with this?
    >>
    >> --Yan

    >
    > Hello Yan,
    >
    > It looks like you are using the wrong iptables chain here; use FORWARD
    > instead of the current one, as FORWARD is the chain that filters routed
    > traffic, assuming you are configuring your local router as noted in your
    > post. Also, I advise you to have a look at iptables' stateful inspection
    > functionality (look at the state module in the man page).


    It's been a while since I've used iptables...

    I am trying to completely box this computer in... If it is compromised,
    I don't want it to have any chance of even connecting to the router.
    That's why I picked the INPUT chain. Maybe I need to read up on
    iptables again....

    What advantage would stateful inspection give me over the --syn packet
    stuff?

  4. Re: Isolating a subnet

    CptDondo wrote:
    > Leander de Graaf wrote:
    >> CptDondo wrote:
    >>> I need to allow public access to a web server on one computer on my
    >>> network. I'm forwarding from the main firewall to the computer. The
    >>> computer sits behind its own local router, and it's on its own
    >>> physical subnet.
    >>>
    >>> I think all I need to do is something like this at the local router:
    >>>
    >>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
    >>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
    >>> iptables -A INPUT --in-interface vlanX -j DROP
    >>>
    >>> In other words, only allow returning http connections and returning
    >>> connections from the local network (so I can get in with ssh).
    >>>
    >>> Anyone see anything wrong with this?
    >>>
    >>> --Yan

    >>
    >> Hello Yan,
    >>
    >> It looks like you are using the wrong iptables chain here; use FORWARD
    >> instead of the current one, as FORWARD is the chain that filters routed
    >> traffic, assuming you are configuring your local router as noted in your
    >> post. Also, I advise you to have a look at iptables' stateful inspection
    >> functionality (look at the state module in the man page).

    >
    > It's been a while since I've used iptables...
    >
    > I am trying to completely box this computer in... If it is compromised,
    > I don't want it to have any chance of even connecting to the router.
    > That's why I picked the INPUT chain. Maybe I need to read up on
    > iptables again....
    >
    > What advantage would stateful inspection give me over the --syn packet
    > stuff?


    Having iptables only check the packet flags, without knowing what has
    been going on in advance, is not a very secure practice. Anyone trying to
    abuse your net can possibly generate packets that bypass the firewall
    rules and reach your webserver. I have used this approach on many boxes
    and know it works flawlessly.

    Greetings,
    Leander de Graaf
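As an added example (not rules from the thread), here is what Leander's two replies point to on the local router: the FORWARD chain with conntrack, so that only tracked replies and explicitly permitted new connections cross vlanX, and a compromised web server has no path to open connections outward or to the router itself. The upstream interface name eth0 and the server address 192.168.200.10 are assumptions; vlanX and 192.168.0.0/16 are taken from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: stateful isolation of the web
# server's subnet on the local router. Interface names and the server address
# are assumptions; "vlanX" and 192.168.0.0/16 come from the original post.
UP_IF="${UP_IF:-eth0}"               # towards the main firewall and the LAN
DMZ_IF="${DMZ_IF:-vlanX}"            # the web server's own subnet
LAN_NET="${LAN_NET:-192.168.0.0/16}" # inside network allowed to ssh in
WEB_SRV="${WEB_SRV:-192.168.200.10}" # assumed address of the web server
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the rules, 0 = apply (root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # A packet with no SYN that belongs to no tracked connection is forged
    # or stray; a plain "! --syn" ACCEPT would have let it through.
    ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Replies to connections the router has already seen, either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New HTTP connections forwarded by the main firewall to the web server.
    ipt -A FORWARD -i "$UP_IF" -o "$DMZ_IF" -d "$WEB_SRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Admin ssh, only from the inside LAN and only to the web server.
    ipt -A FORWARD -i "$UP_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_SRV" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Anything the web server starts on its own is logged (rate-limited)
    # and dropped: a compromised host gets no outbound path.
    ipt -A FORWARD -i "$DMZ_IF" -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "dmz-egress-drop:"
    ipt -A FORWARD -i "$DMZ_IF" -j DROP
    # The server may not reach the router itself either (INPUT chain).
    ipt -A INPUT -i "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$DMZ_IF" -j DROP
}

# How many rules let the isolated subnet open a NEW connection? Must be 0.
count_dmz_new_accepts() {
    build_rules | grep -c -- "-i $DMZ_IF .*--ctstate NEW.*-j ACCEPT" || true
}

build_rules
```

Run it once as-is to review the printed rules, then with DRY_RUN=0 as root to apply them; the FORWARD policy is set to DROP first so nothing crosses vlanX while the rules are being loaded.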
