Isolating a subnet

 
  

CptDondo
Posted: Thu Aug 02, 2007 2:17 pm    Post subject: Isolating a subnet
Archived from groups: comp.os.linux.security

I need to allow public access to a web server on one computer on my
network. I'm forwarding from the main firewall to the computer. The
computer sits behind its own local router, and it's on its own physical
subnet.

I think all I need to do is something like this at the local router:

# replies (non-SYN packets) from the web host back to the local network
iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
# replies from the web server's port 80
iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
# everything else arriving from the web host's subnet is dropped
iptables -A INPUT --in-interface vlanX -j DROP

In other words, only allow returning http connections and returning
connections from the local network (so I can get in with ssh).

Anyone see anything wrong with this?

--Yan
Leander de Graaf
Posted: Fri Aug 03, 2007 12:42 am    Post subject: Re: Isolating a subnet

CptDondo wrote:
> I need to allow public access to a web server on one computer on my
> network. I'm forwarding from the main firewall to the computer. The
> computer sits behind its own local router, and it's on its own physical
> subnet.
>
> I think all I need to do is something like this at the local router:
>
> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
> iptables -A INPUT --in-interface vlanX -j DROP
>
> In other words, only allow returning http connections and returning
> connections from the local network (so I can get in with ssh).
>
> Anyone see anything wrong with this?
>
> --Yan

Hello Yan,

It looks like you are using the wrong iptables chain here. Use FORWARD
instead of the current one; it is the chain used to filter routed traffic,
assuming you are configuring your local router as noted in your post.
Also, I advise you to have a look at iptables' stateful inspection
functionality (look at the state module in the man page).
CptDondo
Posted: Fri Aug 03, 2007 12:42 am    Post subject: Re: Isolating a subnet

Leander de Graaf wrote:
> CptDondo wrote:
>> I need to allow public access to a web server on one computer on my
>> network. I'm forwarding from the main firewall to the computer. The
>> computer sits behind its own local router, and it's on its own
>> physical subnet.
>>
>> I think all I need to do is something like this at the local router:
>>
>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
>> iptables -A INPUT --in-interface vlanX -j DROP
>>
>> In other words, only allow returning http connections and returning
>> connections from the local network (so I can get in with ssh).
>>
>> Anyone see anything wrong with this?
>>
>> --Yan
>
> Hello Yan,
>
> It looks like you are using the wrong iptables chain here. Use FORWARD
> instead of the current one; it is the chain used to filter routed traffic,
> assuming you are configuring your local router as noted in your post.
> Also, I advise you to have a look at iptables' stateful inspection
> functionality (look at the state module in the man page).

It's been a while since I've used iptables...

I am trying to completely box this computer in... If it is compromised,
I don't want it to have any chance of even connecting to the router.
That's why I picked the INPUT chain. Maybe I need to read up on
iptables again....

What advantage would stateful inspection give me over the --syn packet
stuff?
Leander de Graaf
Posted: Fri Aug 03, 2007 1:24 am    Post subject: Re: Isolating a subnet

CptDondo wrote:
> Leander de Graaf wrote:
>> CptDondo wrote:
>>> I need to allow public access to a web server on one computer on my
>>> network. I'm forwarding from the main firewall to the computer. The
>>> computer sits behind its own local router, and it's on its own
>>> physical subnet.
>>>
>>> I think all I need to do is something like this at the local router:
>>>
>>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --destination 192.168.0.0/16 -j ACCEPT
>>> iptables -A INPUT -p tcp ! --syn --in-interface vlanX --sport 80 -j ACCEPT
>>> iptables -A INPUT --in-interface vlanX -j DROP
>>>
>>> In other words, only allow returning http connections and returning
>>> connections from the local network (so I can get in with ssh).
>>>
>>> Anyone see anything wrong with this?
>>>
>>> --Yan
>>
>> Hello Yan,
>>
>> It looks like you are using the wrong iptables chain here. Use FORWARD
>> instead of the current one; it is the chain used to filter routed traffic,
>> assuming you are configuring your local router as noted in your post.
>> Also, I advise you to have a look at iptables' stateful inspection
>> functionality (look at the state module in the man page).
>
> It's been a while since I've used iptables...
>
> I am trying to completely box this computer in... If it is compromised,
> I don't want it to have any chance of even connecting to the router.
> That's why I picked the INPUT chain. Maybe I need to read up on
> iptables again....
>
> What advantage would stateful inspection give me over the --syn packet
> stuff?

Having iptables only check on the packet flags without knowing what has
been going on in advance is not a very secure practice. Anyone trying to
abuse your net can possibly generate packets that can bypass the
firewall rules and reach your webserver. I have used this way on many
boxes and know it works flawlessly.

Greetings,
Leander de Graaf
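Putting the two replies together (filter in FORWARD, and track connections with the state module instead of looking at SYN flags), here is an added example that is not from any poster in the thread: the original intent rewritten as a stateful ruleset for the local router, plus an INPUT drop so the web host cannot reach the router itself. vlanX and 192.168.0.0/16 come from the post; the upstream interface name, the web server's address and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the router's upstream
# side (toward the LAN and the main firewall) is $UP_IF and the web host is
# $WEB; vlanX and the LAN range are taken from the original post.
DMZ_IF="${DMZ_IF:-vlanX}"        # interface toward the isolated web host (from the post)
UP_IF="${UP_IF:-eth0}"           # assumed: interface toward LAN / main firewall
WEB="${WEB:-192.168.1.10}"       # assumed: address of the web host
LAN="192.168.0.0/16"             # local network, as given in the post
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the rules, 0 = apply them (needs root)

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_rules() {
    # Packets that do not belong to any tracked connection are dropped first,
    # so forged non-SYN segments cannot ride in as "replies".
    ipt -A FORWARD -m state --state INVALID -j DROP
    # Replies to connections conntrack already knows about, in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only connections allowed to start toward the isolated host:
    # HTTP forwarded by the main firewall, and ssh from the local network.
    ipt -A FORWARD -i "$UP_IF" -o "$DMZ_IF" -p tcp -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$UP_IF" -o "$DMZ_IF" -p tcp -s "$LAN" -d "$WEB" --dport 22 -m state --state NEW -j ACCEPT
    # Nothing else crosses the boundary, so a compromised host cannot open
    # connections outward; unmatched traffic toward it is dropped as well.
    ipt -A FORWARD -i "$DMZ_IF" -j DROP
    ipt -A FORWARD -o "$DMZ_IF" -j DROP
    # The router itself accepts nothing from the isolated side (the OP's goal).
    ipt -A INPUT -i "$DMZ_IF" -j DROP
}

# Number of rules the ruleset emits; handy for a quick sanity check.
rule_count() { DRY_RUN=1 build_rules | grep -c 'iptables -A'; }

build_rules
```

On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the match semantics shown here are the same.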