LAN protection from WAN packets
madunix
PostPosted: Sun Aug 05, 2007 12:49 am    Post subject: LAN protection from WAN packets
Archived from groups: comp.os.linux.security

I am hosting web services to the public; the web server has two
interfaces, one pointing to my network LAN (10.x.x.x)
and the other one connecting to the DMZ 192.x.x.x of the PIX.
Inside the PIX I blocked every protocol except WWW and DNS.
From inside the LAN I did the following rules to allow outgoing ssh,
Oracle ports, www, ... from the private network.

I want to add more rules via iptables to _protect_ my internal LAN
from the public packets, i.e.
to block any forwarded packets to my internal LAN.

Destination   Gateway     Genmask        Iface
10.5.0.0      0.0.0.0     255.255.0.0    eth0
169.254.0.0   0.0.0.0     255.255.0.0    eth1
192.x.0.0     0.0.0.0     255.255.0.0    eth1
10.0.0.0      10.5.0.1    255.0.0.0      eth0
0.0.0.0       192.x.x.1   0.0.0.0        eth1
Christoph Scheurer
PostPosted: Sun Aug 05, 2007 10:44 pm    Post subject: Re: LAN protection from WAN packets
Archived from groups: per prev. post

madunix schrieb:
> I am hosting a webservices to the public, the webserver got 2x
> interfaces; one pointing to my network LAN (10.x.x.x)
> and the other one connecting to the DMZ 192.x.x.x of the PIX.
> Inside PIX I blocked every protocol except WWW and DNS.
> From inside the LAN I did the following rules to allow outgoing ssh,
> Oracle ports, www, ... from the private network.
>
> I want to add more rules via iptables to _protect_ my internal LAN
> from the public packets. i.e
> to block any forwarded packets to my internal lan
>
> Destination Gateway Genmask Iface
> 10.5.0.0 0.0.0.0 255.255.0.0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 eth1
> 192.x.0.0 0.0.0.0 255.255.0.0 eth1
> 10.0.0.0 10.5.0.1 255.0.0.0 eth0
> 0.0.0.0 192.x.x.1 0.0.0.0 eth1
>
This needs a bit more explanation to be clear. Please draw the
topology of your networks and hosts.

Greets
Chris
madunix
PostPosted: Sun Aug 05, 2007 11:22 pm    Post subject: Re: LAN protection from WAN packets
Archived from groups: per prev. post

On Aug 5, 10:44 pm, Christoph Scheurer <cyberf... RemoveThis @rebmatt.ch> wrote:
> madunix schrieb:
>
>
>
> > I am hosting a webservices to the public, the webserver got 2x
> > interfaces; one pointing to my network LAN (10.x.x.x)
> > and the other one connecting to the DMZ 192.x.x.x of the PIX.
> > Inside PIX I blocked every protocol except WWW and DNS.
> > From inside the LAN I did the following rules to allow outgoing ssh,
> > Oracle ports, www, ... from the private network.
>
> > I want to add more rules via iptables to _protect_ my internal LAN
> > from the public packets. i.e
> > to block any forwarded packets to my internal lan
>
> > Destination Gateway Genmask Iface
> > 10.5.0.0 0.0.0.0 255.255.0.0 eth0
> > 169.254.0.0 0.0.0.0 255.255.0.0 eth1
> > 192.x.0.0 0.0.0.0 255.255.0.0 eth1
> > 10.0.0.0 10.5.0.1 255.0.0.0 eth0
> > 0.0.0.0 192.x.x.1 0.0.0.0 eth1
>
> This needs a bit more explanation for to be clear. Please make an
> artwork of the topology of your networks and hosts.
>
> Greets
> Chris

Internet --------FW-------
DMZ----------192.x.x.x---------------------|------Web
|----------------------------LAN
10.x.x.x
Christoph Scheurer
PostPosted: Mon Aug 06, 2007 9:56 am    Post subject: Re: LAN protection from WAN packets
Archived from groups: per prev. post

madunix schrieb:
> On Aug 5, 10:44 pm, Christoph Scheurer <cyberf....DeleteThis@rebmatt.ch> wrote:
>> madunix schrieb:
>>
>>
>>
>>> I am hosting a webservices to the public, the webserver got 2x
>>> interfaces; one pointing to my network LAN (10.x.x.x)
>>> and the other one connecting to the DMZ 192.x.x.x of the PIX.
>>> Inside PIX I blocked every protocol except WWW and DNS.
>>> From inside the LAN I did the following rules to allow outgoing ssh,
>>> Oracle ports, www, ... from the private network.
>>> I want to add more rules via iptables to _protect_ my internal LAN
>>> from the public packets. i.e
>>> to block any forwarded packets to my internal lan
>>> Destination Gateway Genmask Iface
>>> 10.5.0.0 0.0.0.0 255.255.0.0 eth0
>>> 169.254.0.0 0.0.0.0 255.255.0.0 eth1
>>> 192.x.0.0 0.0.0.0 255.255.0.0 eth1
>>> 10.0.0.0 10.5.0.1 255.0.0.0 eth0
>>> 0.0.0.0 192.x.x.1 0.0.0.0 eth1
>> This needs a bit more explanation for to be clear. Please make an
>> artwork of the topology of your networks and hosts.
>>
>> Greets
>> Chris
>
> Internet --------FW-------
> DMZ----------192.x.x.x---------------------|------Web
> |----------------------------LAN
> 10.x.x.x
>
For protecting the Intranet, you could use:

  # let packets belonging to an already-accepted connection through
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # new TCP connections (SYN only) may be opened from eth1 toward eth0
  iptables -A FORWARD -m state --state NEW -p tcp --syn -i eth1 -o eth0 -j ACCEPT
  # new UDP flows likewise only from eth1 toward eth0
  iptables -A FORWARD -m state --state NEW -p udp -i eth1 -o eth0 -j ACCEPT

That would be a stateful filter which allows all traffic originating
from the Intranet and blocks everything trying to get inside.

It can be refined.

Greets
Chris
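A fuller version of the stateful filter described in the reply above, added here as an example and not taken from the thread: it sets a default-deny FORWARD policy so that nothing is forwarded unless a rule accepts it, adds an anti-spoofing rule and rate-limited logging of what gets dropped. The interface and subnet mapping is an assumption read from the routing table in the first post (eth0 carries 10.5.0.0/16, eth1 carries the DMZ and the default route), so new sessions are accepted only from eth0 toward eth1; check the mapping with ip route before applying it on a real box.

```shell
#!/bin/sh
# Stateful FORWARD filter for the dual-homed web server in the thread.
# ASSUMPTION (read from the first post's routing table): eth0 carries the
# LAN 10.5.0.0/16, eth1 carries the DMZ and the default route. Override the
# variables from the environment if the box is wired differently.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.5.0.0/16}"
DMZ_IF="${DMZ_IF:-eth1}"
IPT="${IPT:-iptables}"

# fw: run one iptables command, or only print it when DRY_RUN=1
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

forward_rules() {
    # Default-deny first, so a typo in a later rule cannot leave the LAN open.
    fw -P FORWARD DROP
    fw -F FORWARD
    # Replies to sessions the LAN opened come back in; nothing else does.
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: LAN source addresses never legitimately arrive on the DMZ side.
    fw -A FORWARD -i "$DMZ_IF" -s "$LAN_NET" -j DROP
    # Only the LAN may start sessions, and only toward the DMZ/Internet side.
    fw -A FORWARD -m state --state NEW -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -p tcp --syn -j ACCEPT
    fw -A FORWARD -m state --state NEW -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -p udp -j ACCEPT
    fw -A FORWARD -m state --state NEW -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -p icmp -j ACCEPT
    # Everything else falls through to the DROP policy; log a sample for detection.
    fw -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Usage: FW_APPLY=1 sh fw.sh            -> load the rules
#        FW_APPLY=1 DRY_RUN=1 sh fw.sh  -> print the commands without touching the kernel
if [ "${FW_APPLY:-0}" = 1 ]; then
    forward_rules
fi
```

The LOG rule is what makes a blocked DMZ-to-LAN attempt visible in the kernel log, which is the check to run after loading the rules.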