LAN protection from WAN packets - Security



Thread: LAN protection from WAN packets

  1. LAN protection from WAN packets

    I am hosting web services to the public, the webserver got 2x
    interfaces; one pointing to my network LAN (10.x.x.x)
    and the other one connecting to the DMZ 192.x.x.x of the PIX.
    Inside PIX I blocked every protocol except WWW and DNS.
    From inside the LAN I did the following rules to allow outgoing ssh,
    Oracle ports, www, ... from the private network.

    I want to add more rules via iptables to _protect_ my internal LAN
    from the public packets, i.e. to block any forwarded packets to my
    internal LAN:

    Destination   Gateway      Genmask        Iface
    10.5.0.0      0.0.0.0      255.255.0.0    eth0
    169.254.0.0   0.0.0.0      255.255.0.0    eth1
    192.x.0.0     0.0.0.0      255.255.0.0    eth1
    10.0.0.0      10.5.0.1     255.0.0.0      eth0
    0.0.0.0       192.x.x.1    0.0.0.0        eth1


  2. Re: LAN protection from WAN packets

    madunix schrieb:
    > I am hosting web services to the public, the webserver got 2x
    > interfaces; one pointing to my network LAN (10.x.x.x)
    > and the other one connecting to the DMZ 192.x.x.x of the PIX.
    > Inside PIX I blocked every protocol except WWW and DNS.
    > From inside the LAN I did the following rules to allow outgoing ssh,
    > Oracle ports, www, ... from the private network.
    >
    > I want to add more rules via iptables to _protect_ my internal LAN
    > from the public packets, i.e. to block any forwarded packets to my
    > internal LAN:
    >
    > Destination   Gateway      Genmask        Iface
    > 10.5.0.0      0.0.0.0      255.255.0.0    eth0
    > 169.254.0.0   0.0.0.0      255.255.0.0    eth1
    > 192.x.0.0     0.0.0.0      255.255.0.0    eth1
    > 10.0.0.0      10.5.0.1     255.0.0.0      eth0
    > 0.0.0.0       192.x.x.1    0.0.0.0        eth1
    >

    This needs a bit more explanation to be clear. Please make an
    artwork of the topology of your networks and hosts.

    Greets
    Chris

  3. Re: LAN protection from WAN packets

    On Aug 5, 10:44 pm, Christoph Scheurer wrote:
    > madunix schrieb:
    >
    > > I am hosting web services to the public, the webserver got 2x
    > > interfaces; one pointing to my network LAN (10.x.x.x)
    > > and the other one connecting to the DMZ 192.x.x.x of the PIX.
    > > Inside PIX I blocked every protocol except WWW and DNS.
    > > From inside the LAN I did the following rules to allow outgoing ssh,
    > > Oracle ports, www, ... from the private network.
    > >
    > > I want to add more rules via iptables to _protect_ my internal LAN
    > > from the public packets, i.e. to block any forwarded packets to my
    > > internal LAN:
    > >
    > > Destination   Gateway      Genmask        Iface
    > > 10.5.0.0      0.0.0.0      255.255.0.0    eth0
    > > 169.254.0.0   0.0.0.0      255.255.0.0    eth1
    > > 192.x.0.0     0.0.0.0      255.255.0.0    eth1
    > > 10.0.0.0      10.5.0.1     255.0.0.0      eth0
    > > 0.0.0.0       192.x.x.1    0.0.0.0        eth1
    >
    > This needs a bit more explanation to be clear. Please make an
    > artwork of the topology of your networks and hosts.
    >
    > Greets
    > Chris


    Internet --------FW-------
    DMZ----------192.x.x.x---------------------|------Web
    |----------------------------LAN
    10.x.x.x


  4. Re: LAN protection from WAN packets

    madunix schrieb:
    > On Aug 5, 10:44 pm, Christoph Scheurer wrote:
    >> madunix schrieb:
    >>
    >>> I am hosting web services to the public, the webserver got 2x
    >>> interfaces; one pointing to my network LAN (10.x.x.x)
    >>> and the other one connecting to the DMZ 192.x.x.x of the PIX.
    >>> Inside PIX I blocked every protocol except WWW and DNS.
    >>> From inside the LAN I did the following rules to allow outgoing ssh,
    >>> Oracle ports, www, ... from the private network.
    >>>
    >>> I want to add more rules via iptables to _protect_ my internal LAN
    >>> from the public packets, i.e. to block any forwarded packets to my
    >>> internal LAN:
    >>>
    >>> Destination   Gateway      Genmask        Iface
    >>> 10.5.0.0      0.0.0.0      255.255.0.0    eth0
    >>> 169.254.0.0   0.0.0.0      255.255.0.0    eth1
    >>> 192.x.0.0     0.0.0.0      255.255.0.0    eth1
    >>> 10.0.0.0      10.5.0.1     255.0.0.0      eth0
    >>> 0.0.0.0       192.x.x.1    0.0.0.0        eth1
    >>
    >> This needs a bit more explanation to be clear. Please make an
    >> artwork of the topology of your networks and hosts.
    >>
    >> Greets
    >> Chris
    >
    > Internet --------FW-------
    > DMZ----------192.x.x.x---------------------|------Web
    > |----------------------------LAN
    > 10.x.x.x
    >

    For protecting the Intranet, you could use:

    # replies and related packets of connections that are already tracked
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new TCP connections (SYN) entering on eth1 and leaving on eth0
    iptables -A FORWARD -m state --state NEW -p tcp --syn -i eth1 -o eth0 -j ACCEPT
    # new UDP flows entering on eth1 and leaving on eth0
    iptables -A FORWARD -m state --state NEW -p udp -i eth1 -o eth0 -j ACCEPT

    That would be a stateful filter which allows all traffic originating
    from the Intranet and blocks everything trying to get inside.

    It can be refined.

    Greets
    Chris
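Added example, not code from either poster: the stateful FORWARD filter from the reply written out as a script, with two things a practitioner would want that the reply leaves implicit. The FORWARD policy is set to DROP first, since ACCEPT rules alone block nothing, and the interface roles are taken from madunix's routing table (eth0 carries 10.5.0.0/16, the LAN; eth1 the 192.x DMZ side), so "originating from the Intranet" becomes -i eth0 -o eth1; check the interface names on your own host. The LAN prefix 10.0.0.0/8 and the anti-spoofing rule are my assumptions, added as one of the refinements Chris mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the FORWARD rules for the
# dual-homed web server and applies them only on request. Interface roles
# follow madunix's routing table (eth0 holds 10.5.0.0/16 = LAN, eth1 the
# 192.x DMZ side); LAN_NET and the anti-spoofing rule are assumptions.
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"

build_forward_rules() {
    cat <<EOF
# Default DROP first: the ACCEPT rules from the reply only allow, so without
# a DROP policy nothing is actually blocked.
iptables -P FORWARD DROP
iptables -F FORWARD
# Anti-spoofing (refinement): packets arriving from the DMZ side may not
# carry a LAN source address, or they would look intranet-originated.
iptables -A FORWARD -i $DMZ_IF -s $LAN_NET -j DROP
# Replies and related packets of tracked connections, in either direction.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections only when they start on the LAN and leave towards the DMZ;
# the DMZ side can never open a connection into the LAN.
iptables -A FORWARD -m state --state NEW -p tcp --syn -i $LAN_IF -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -m state --state NEW -p udp -i $LAN_IF -o $DMZ_IF -j ACCEPT
EOF
}

# Number of rules that would let the DMZ side open a new connection; the
# generated ruleset is only correct when this is zero.
count_dmz_initiated_accepts() {
    build_forward_rules | grep -c -- "--state NEW .*-i $DMZ_IF .*-j ACCEPT" || true
}

# Runs the generated commands. Requires root and iptables on PATH; returns 1
# otherwise, and refuses a ruleset that accepts DMZ-initiated connections.
apply_forward_rules() {
    command -v iptables >/dev/null 2>&1 || return 1
    [ "$(id -u)" -eq 0 ] || return 1
    [ "$(count_dmz_initiated_accepts)" -eq 0 ] || return 1
    build_forward_rules | sh -e
}

# Print the ruleset for review; call apply_forward_rules as root to load it.
build_forward_rules
```

Only packets routed through the web server hit FORWARD; traffic addressed to the server itself is governed by INPUT and is not covered here.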
