restricting connections from a single connection to a single destination

restricting connections from a single connection to a single destination

[Todd Landfried]

I'm trying to protect some people from themselves and I want to set  
up a rule that allows a single IP on the network to connect only to  
the gateway's internal IP, thereby restricting as much as possible  
user's ability to connect to other PCs on the network. Yes, I know  
about VLANs and I know about port isolation on the hardware side, and  
I've tried explaining how to do it these folks, but they're just not  
getting it.

 From what I have read, this should work, but it doesn't. I'm not  
sure which loopback this refers to, the host or the source. Any  
suggestions?

-A PREROUTING -i lo -p icmp -d gateway-internal-private-ip -j ACCEPT
-A PREROUTING -i lo -p tcp -d gateway-internal-private-ip -j ACCEPT
-A PREROUTING -i lo -p udp -d gateway-internal-private-ip -j ACCEPT

Thanks

Re: restricting connections from a single connection to a single destination

[Grant Taylor]

Todd Landfried wrote:
> I'm trying to protect some people from themselves and I want to set  up 
> a rule that allows a single IP on the network to connect only to  the 
> gateway's internal IP, thereby restricting as much as possible  user's 
> ability to connect to other PCs on the network. Yes, I know  about VLANs 
> and I know about port isolation on the hardware side, and  I've tried 
> explaining how to do it these folks, but they're just not  getting it.

This is really the more proper solution to me verses trying to protect things on a routing / firewalling level.

>  From what I have read, this should work, but it doesn't. I'm not  sure 
> which loopback this refers to, the host or the source. Any  suggestions?
> 
> -A PREROUTING -i lo -p icmp -d gateway-internal-private-ip -j ACCEPT
> -A PREROUTING -i lo -p tcp -d gateway-internal-private-ip -j ACCEPT
> -A PREROUTING -i lo -p udp -d gateway-internal-private-ip -j ACCEPT

Hmm.  I don't quite know what people were attempting to do with these rules.  First of all you will have to define a table to apply these rules to as there is no PREROUTING chain in the filter table.  Second of all I don't know why people would use a variable (I suppose that is what they are trying to do in place of "gateway-internal-private-ip") for the IP for loop back (lo) as there is no way that I'm aware of that you can get any source or destination IP in to the subnet on lo as the kernel's alien / martin code will drop it and complain LOUDLY about it in logs.  The only other way that I could see this making any sense is if these rules are really meant to be written as

-A PREROUTING -i ${IF} -p icmp -d ${IFIPAddress} -j ACCEPT
-A PREROUTING -i ${IF} -p tcp -d ${IFIPAddress} -j ACCEPT
-A PREROUTING -i ${IF} -p udp -d ${IFIPAddress} -j ACCEPT

On a different note I do not know of any filtering you will be able to do on the firewall to prevent two systems on the same LAN in the same subnet from being able to talk to each other with out some sort of layer 2 firewall.  If you are running managed layer 3 switches you *might* be able to configure them such that the only traffic that can pass through any given port is either to the router / broadcast or from the router / servers thus attempting to cut down on traffic from host to host.  Even this would be hard to implement and will require more advanced switches.

The only other way that I can think to get around this would be to have a subnet for each client system but IMHO this is just absolutely insane.



Grant. . . .

P.S.  If you would like help trying to explain the VLAN concept let me know as I'm having to implement this at one of my clients now.  In fact I may just write a How-To on it and see about submitting it somewhere b/c I think it will be rather interesting (read "fun" to those of us who like challenges) to do.

Re: restricting connections from a single connection to a single destination

[psihozefir]

Grant Taylor wrote:

> P.S.  If you would like help trying to explain
> the VLAN concept let me know as I'm having to
> implement this at one of my clients now.  In fact I may just write a How-To
> on it and see about
> submitting it somewhere b/c I think it will be rather interesting
> (read "fun" to those of us who like > challenges) to do.

I have a small LAN with my neighbours and they have access to the
Internet through my router. I once needed to block pc to pc traffic
because the LAN is made of about 10 low cost ethernet switching hubs
on four level tree and they could not manage the connections between
machines. So I had a lot of unuseful traffic in the network. They
started to act like non-switching hubs. The maximum transfer speed
dropped to 2.5 Mbyte/s (that's unacceptable). [ They are 48 neighbours
connected to this LAN. ]

Solution:
Each switch has its own subnet and the router is virtually on all
subnets with the lowest address on that subnet. The router has aliases
for eth1 (10 aliases). Problem: the traffic between subnets goes
through the router. The router has one 100 Mbit/s connection to LAN.
Concurrent connections slow each other, if they are all betweeen
different subnets. The router is unnecesarily loaded.

I had to develop the solution fast, and I know nothing about vlans. I
googled for docs but none I've found was short and step-oriented. I
also looked for solutions that explaind in terms of "for this feature
to work these are the minimum requirements: a), b) and c)". This could
improve troubleshooting in case of something is not working. I just
verify the a), b) and c) conditions to be fulfilled.

I've found sites where the concept was explained, but it was too much
to read and experiment until I could be able to do something useful.
The network should be operational during the tests with short times of
inoperability.

Sorin...
P.S. If you can explain the VLAN concepts and write a How-to I would
very much appreciate your effort. Thank you.

Re: restricting connections from a single connection to a single destination

[Taylor, Grant]

psihozefir wrote:
> I have a small LAN with my neighbours and they have access to the
> Internet through my router. I once needed to block pc to pc traffic
> because the LAN is made of about 10 low cost ethernet switching hubs
> on four level tree and they could not manage the connections between
> machines. So I had a lot of unuseful traffic in the network. They
> started to act like non-switching hubs. The maximum transfer speed
> dropped to 2.5 Mbyte/s (that's unacceptable). [ They are 48 neighbours
> connected to this LAN. ]

This is not your typical "Small LAN".  I would be willing to bet that you are breaking the 3-4-5 rule for ethernet if I am guessing at your LAN correctly.  I HOPE that you have a hub / switch in each apartment and then are uplinking them all to a master switch (no hub for the master).  I'm guessing that you are not using any managed switches and that they are all layer 2 at that.  With this in mind there is not much that can be doen to establish redundant / additional links to handle more of the bandwidth.  If for some reason you are not able to physically cable the hubs / switches in each apartment back up to a central switch you should at least cable as many as you can to say three or four intermediary switches that then cable back up to the central switch.  If you do have a couple of apartments that have a lot of traffic that they send back and forth between each other I would try to 
 put them on the same upstream switch thus limiting their traffic to that switch and two li
nks not the entire network.  If you could spend a little bit of money on at least a low end managed layer 2 switch for the center, say a D-Link DES-3226, I think you could bond together multiple 10/100 links from your router to the switch thus giving you more bandwidth to work with too.

> Solution:
> Each switch has its own subnet and the router is virtually on all
> subnets with the lowest address on that subnet. The router has aliases
> for eth1 (10 aliases). Problem: the traffic between subnets goes
> through the router. The router has one 100 Mbit/s connection to LAN.
> Concurrent connections slow each other, if they are all betweeen
> different subnets. The router is unnecesarily loaded.

If you only need to send traffic from one subnet to a limited number of hosts on another subnet try multi homing the device that is on the other subnet back to the first subnet so it is included in the subnet and thus does not have to have it's traffic go through the router.

> I had to develop the solution fast, and I know nothing about vlans. I
> googled for docs but none I've found was short and step-oriented. I
> also looked for solutions that explaind in terms of "for this feature
> to work these are the minimum requirements: a), b) and c)". This could
> improve troubleshooting in case of something is not working. I just
> verify the a), b) and c) conditions to be fulfilled.
> 
> I've found sites where the concept was explained, but it was too much
> to read and experiment until I could be able to do something useful.
> The network should be operational during the tests with short times of
> inoperability.

*nod*  If you have never messed with VLANs they can be a bit much to take in at one time.  However having read what your network layout is I don't think that VLANs are a good choice for you b/c you would have to have support for it in your end equipment as it sounds like your hubs / switches will not have support for it.  Thus it is not the best candidate for your situation.

> Sorin...
> P.S. If you can explain the VLAN concepts and write a How-to I would
> very much appreciate your effort. Thank you.

I have a client now that is a sorority with 22 rooms (4 computers per room) plus a small computer lab (4 computers) and the house mother's room.  Last year the network would go down at least once per month b/c of viral activity running rampant on the network.  What I'm going to be doing is setting up a VLAN for each room.  Thus I'm going to have to configure the 2 network switches to put the ports for each room in to a VLAN and then set up an interface on the router that is also in that VLAN.  I'll have to trunk (802.1q tag) the traffic between the switches and the router that I'm going to put in to place.  I'm having to replace the router that is there b/c it does not understand VLANs.  Once I have all 24 VLAN interfaces on the router configured I'm going to set up bridging between all the interfaces so that the router's IP can be on the bri0 interface.  I'll use EBTables to make sure t
 hat the VLANs will not be able to talk to each other, just the VLAN and the router.



Grant. . . .