* [LARTC] how to configure linux in production line
@ 2005-06-02  9:37 Gonn Star
From: Gonn Star @ 2005-06-02  9:37 UTC (permalink / raw)
  To: lartc

I am new in the Linux world, basically I'm using Red Hat 9
kernel 2.4.20-8. I need to build a trusted gateway. My
Linux box will be the gateway for several machine PCs
to go to the desired server. There will be several
subnets under the Linux box; I've already assigned
static IPs for the PCs. Now my problem is I only need
2 PCs from each subnet to connect to certain servers,
and those 2 PCs can only have transactions (open) to the
specified servers; for others it will
drop (firewalled). For other PCs, they can't log on to
the outside world. Should I use only iptables rules or
with the help of Squid (ACL) as well? Please add up
the commands as well. Thanks.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] how to configure linux in production line
From: Sylvain BERTRAND @ 2005-06-02  9:57 UTC (permalink / raw)
  To: lartc

On Thu 2 June 2005 11:37, Gonn Star wrote:
> I am new in the Linux world, basically I'm using Red Hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. My
> Linux box will be the gateway for several machine PCs
> to go to the desired server. There will be several
> subnets under the Linux box; I've already assigned
> static IPs for the PCs. Now my problem is I only need
> 2 PCs from each subnet to connect to certain servers,
> and those 2 PCs can only have transactions (open) to the
> specified servers; for others it will
> drop (firewalled). For other PCs, they can't log on to
> the outside world. Should I use only iptables rules or
> with the help of Squid (ACL) as well? Please add up
> the commands as well. Thanks.
>


Whether you need to use iptables or Squid ACLs relies on the type of
traffic the 2 PCs on each subnet should be allowed to have with the
outside world. You may want to use both.


Regards,

Sylvain


* Re: [LARTC] how to configure linux in production line
From: /dev/rob0 @ 2005-06-02 11:34 UTC (permalink / raw)
  To: lartc

Gonn Star wrote:
> I am new in the Linux world, basically I'm using Red Hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. My

Whoa! You are starting out with something very old and bug-ridden. You 
should scrap that and switch to a current release, whatever distro you 
may choose.

Quite a few of those old bugs can bite very hard, including root 
compromises. Being new, did you know how to update for security? Sure, 
there's Fedora Legacy which may or may not be supporting the old stuff 
with updates, but that is intended for people who have long-running 
stable servers ... not to entice new users to RH 9.

> Linux box will be the gateway for several machine PCs
> to go to the desired server. There will be several
> subnets under the Linux box; I've already assigned
> static IPs for the PCs. Now my problem is I only need
> 2 PCs from each subnet to connect to certain servers,
> and those 2 PCs can only have transactions (open) to the
> specified servers; for others it will
> drop (firewalled). For other PCs, they can't log on to
> the outside world. Should I use only iptables rules or
> with the help of Squid (ACL) as well?

You do not seem to understand that HTTP is just one of many TCP/IP 
protocols, and yet you want to set up complex networking controls. 
Anyone who knows more than you do would likely find it a trivial task to 
get around your controls.

> Please add up the commands as well. Thanks.

Specific questions which show that you have tried will tend to be 
better-received than generalised requests for spoonfeeding. I do things 
like this for a living, and I do not have time to earn your living as well.

You mention "production" which implies that this is needed in a business 
setting. If so, it's probably worth it to the business owners to pay for 
expertise. You can't learn everything you need to know overnight.

For you, I would recommend starting with the basics. There are good 
HOWTOs at netfilter.org which might help.
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header

* Re: [LARTC] how to configure linux in production line
From: Taylor, Grant @ 2005-06-02 15:46 UTC (permalink / raw)
  To: lartc

Gonn Star wrote:
> I am new in the Linux world, basically I'm using Red Hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. My
> Linux box will be the gateway for several machine PCs
> to go to the desired server. There will be several
> subnets under the Linux box; I've already assigned
> static IPs for the PCs. Now my problem is I only need
> 2 PCs from each subnet to connect to certain servers,
> and those 2 PCs can only have transactions (open) to the
> specified servers; for others it will
> drop (firewalled). For other PCs, they can't log on to
> the outside world. Should I use only iptables rules or
> with the help of Squid (ACL) as well? Please add up
> the commands as well. Thanks.


This sounds like a fairly basic firewall without Squid in the mix. In short, you are probably looking at a firewall like this (NOTE: This script will be incomplete for just about any scenario, but will give you the idea.):

# Default policy: drop any forwarded packet that no later rule accepts
iptables -t filter -P FORWARD DROP
# Flush the chain so no rules from an earlier run linger
iptables -t filter -F FORWARD
# Allow just two hosts from each of three subnets to be forwarded
iptables -t filter -A FORWARD -s 192.168.0.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.2 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.1.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.2.1 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.2.2 -j ACCEPT
# Everything else: reject with "net unreachable" so the sender sees no route
iptables -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable

This quick and dirty (and incomplete) script will set the default policy (-P) of the FORWARD chain to DROP all traffic that is to be forwarded and not handled by any other rule. Once the default policy has been set it flushes (-F) the FORWARD chain to make sure that there were not any old rules lingering around that could mess things up. The next six rules are in place to explicitly allow just the two machines from three subnets (in this example) to pass traffic through the FORWARD chain on out to a different network. Any traffic that is not explicitly handled by the six rules to allow traffic to be forwarded will meet the last rule, which will reject the traffic with a message saying that there is no route to the destination, thus making the computers think that they are isolated.

As someone else pointed out, if you are new to the Linux community you might be better served by finding someone in your area with more experience at hardening a box and a firewall to help you in this endeavor. Or, if you are not new to Unix or firewalling, just Linux, and you need to acclimate yourself with the Linux syntax and methodology, you will probably be ok. Either way it would probably be worth your time to skim some of the HOW-TOs that are out there, namely the NetFilter HOW-TO, as you are asking questions that are answered in it.



Grant. . . .
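A fuller version of the FORWARD policy sketched in Grant's script, as an added example that is not part of the thread: each permitted PC is tied to the servers it may reach (the original only matches on source), replies are admitted statefully (without that rule the servers' answers would hit the REJECT), and rejected packets are logged. All addresses and the allow list are constructed; IPT defaults to "echo iptables" so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny FORWARD
# policy: listed client PCs may open connections only to their listed
# servers; everything else is logged and rejected.
# IPT defaults to echo so the rules are printed; run with IPT=iptables as
# root to apply them.
IPT="${IPT:-echo iptables}"

# Constructed allow list: one "client server" pair per line.
ALLOW='
192.168.0.10 10.0.0.5
192.168.0.10 10.0.0.6
192.168.0.11 10.0.0.5
192.168.1.10 10.0.0.5
'

gen_rules() {
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -F FORWARD
    # Replies to permitted connections traverse FORWARD too; admit them
    # by connection state instead of opening the servers' addresses.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One rule per client/server pair; only NEW connections from the PC.
    echo "$ALLOW" | while read -r client server; do
        [ -n "$client" ] || continue
        $IPT -t filter -A FORWARD -s "$client" -d "$server" \
            -m state --state NEW -j ACCEPT
    done
    # Rate-limited log line, then the same "no route" reject as the thread.
    $IPT -t filter -A FORWARD -m limit --limit 5/min -j LOG \
        --log-prefix "FWD-REJECT: "
    $IPT -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable
}

gen_rules
```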
