* Bridge question
2003-10-16 22:02 Isolate a legacy machine Ringer, Torleiv
@ 2003-10-17 3:15 ` Herman
2003-10-17 3:46 ` Mark E. Donaldson
` (2 more replies)
2003-10-17 3:52 ` Isolate a legacy machine Bill Chappell
2003-10-17 4:37 ` Joel Newkirk
2 siblings, 3 replies; 9+ messages in thread
From: Herman @ 2003-10-17 3:15 UTC (permalink / raw)
To: netfilter
Hi everybody,
This question is not about iptables, but it is closely related, so somebody
might know the answer:
I am trying to construct a bridge, to filter 802.1q tags and protect a legacy
version 2.2 kernel server, while preserving port to port security on the LAN,
using the VLAN module.
Can anybody refer me to some documentation on filtering on a bridge for the
2.4 kernel?
Regards,
--
Herman
* RE: Bridge question
From: Mark E. Donaldson @ 2003-10-17 3:46 UTC (permalink / raw)
To: Herman, netfilter
Here's a good place to start: http://bridge.sourceforge.net/
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Herman
Sent: Thursday, October 16, 2003 8:15 PM
To: netfilter@lists.netfilter.org
Subject: Bridge question
Hi everybody,
This question is not about iptables, but it is closely related, so somebody
might know the answer:
I am trying to construct a bridge, to filter 802.1q tags and protect a legacy
version 2.2 kernel server, while preserving port to port security on the LAN,
using the VLAN module.
Can anybody refer me to some documentation on filtering on a bridge for the
2.4 kernel?
Regards,
--
Herman
* Re: Bridge question
From: tsh @ 2003-10-17 8:39 UTC (permalink / raw)
To: Herman; +Cc: netfilter
Hi Herman,
We're using netfilter as a filtering bridge + NAT + local router between
us and the local university router (via which we are attached to
*its* LAN) using proxy arp and iptables. It's been running happily for about
1.5 years (touch wood) supporting about 1200 hosts behind it.
Cheers,
Terry.
>Hi everybody,
>
>This question is not about iptables, but it is closely related, so somebody
>might know the answer:
>I am trying to construct a bridge, to filter 802.1q tags and protect a legacy
>version 2.2 kernel server, while preserving port to port security on the LAN,
>using the VLAN module.
>
>Can anybody refer me to some documentation on filtering on a bridge for the
>2.4 kernel?
>
>Regards,
>--
>Herman
>
>
* Re: Bridge question
From: Herman @ 2003-10-17 13:49 UTC (permalink / raw)
To: tsh; +Cc: netfilter
Hmmm, could you clue me up a little more?
Our problem is this:
- Hotel with 300 rooms.
- VLANs on 3COM switches to isolate the guests and consolidate the feed, back
to the server.
- Kernel 2.2 server system - does not understand VLAN packets and rejects
them.
As a stop-gap, until the server is updated to kernel 2.4, we want to filter
the VLAN Q-tags using a kernel 2.4 bridge. We have this working, but the
bridge works like a hub and connects everything to everything, so then the
VLAN 'security' is lost, putting us back to square one.
We therefore need to add filtering capability to the bridge to keep the guests
separated. Preferably, this should be done at the ethernet level, but since
this is a stopgap solution, we could use netfilter to block certain packets
to prevent guests from browsing each other.
Now, the part from your comment that I don't understand is 'proxy ARP'.
Could you clue me up?
> We're using netfilter as a filtering bridge + NAT + local router between
> us and the local university router (via which we are attached to
> *its* LAN) using proxy arp and iptables. It's been running happily for
> about 1.5 years (touch wood) supporting about 1200 hosts behind it.
What I have been thinking, in order to avoid having to apply patches to the
kernel to get bridge+iptables to work, is to simply use more ethernet ports
and loop two of them with a cross-over cable. Then run a bridge between eth0
and eth1, loop eth1 to eth3 and run iptables between eth2 and eth3. Kludgy
but doable. Finally, use iptables as an Ingress filter to the Bridge to
block the MS Windows Network Neighborhood feature, making the usual kind of
guest unable to browse other guests.
The 3COM switches will then be connected to the iptables side of the thing and
the server to the bridge side. Technically, the VLAN security will still be
lost, but the addition of iptables will allow us to limit the damage and have
improved isolation between guests.
Comments?
Cheers,
--
Herman Oosthuysen
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com
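Terry's post does not spell out the proxy-ARP part that Herman asks about. What follows is an added example, a generic illustration of the technique and not Terry's configuration: a 2.4 router dropped into an existing subnet without re-addressing anyone on either side, which is what lets it stand in for a "filtering bridge". The campus subnet 10.2.1.0/24, its router at 10.2.1.1, the box's own address 10.2.1.2, the interface names and the protected hosts listed at the bottom are all assumptions. With the default DRY_RUN=1 the script only prints the commands it would issue, so the result can be reviewed on any machine; DRY_RUN=0 applies them and needs root, iproute2, sysctl and iptables.

```shell
#!/bin/sh
# Added example, not Terry's configuration: a proxy-ARP router dropped into an
# existing subnet, the arrangement Herman asks about. Assumed: the campus side
# is 10.2.1.0/24 with its router at 10.2.1.1 on eth0; the hosts behind eth1
# keep their 10.2.1.x addresses and 10.2.1.1 as default gateway; the box takes
# the (assumed free) address 10.2.1.2. Needs iproute2, procps sysctl and
# iptables; DRY_RUN=1 (default) prints the commands, DRY_RUN=0 applies them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The /24 is reachable via the upstream port and each protected host via a /32
# on the inside port. With proxy_arp on both ports the kernel answers ARP for
# the protected hosts on eth0 and for the campus router (and any other campus
# host) on eth1, because in each case its route points out the other port.
# Both sides believe they share one wire, yet every packet is routed, so
# ordinary iptables FORWARD rules apply with no bridge patch at all.
proxy_arp_setup() {
    upstream_if=$1; inside_if=$2; self=$3; shift 3
    run ip addr add "$self/24" dev "$upstream_if"
    run ip addr add "$self/32" dev "$inside_if"     # gives inside ARP requests a sender address
    run ip link set "$upstream_if" up
    run ip link set "$inside_if" up
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$upstream_if.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$inside_if.proxy_arp=1"
    for host in "$@"; do                            # remaining args: protected hosts
        run ip route add "$host/32" dev "$inside_if"
    done
}

# Inside hosts may start anything outbound; from the campus side only replies
# and the explicitly listed host:port services get through.
filter_rules() {
    upstream_if=$1; inside_if=$2; shift 2
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$inside_if" -o "$upstream_if" -j ACCEPT
    run iptables -A FORWARD -i "$upstream_if" -o "$inside_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for svc in "$@"; do
        host=${svc%:*}; port=${svc#*:}
        run iptables -A FORWARD -i "$upstream_if" -o "$inside_if" -d "$host" -p tcp --dport "$port" -j ACCEPT
    done
}

# Usage (dry run by default): two protected hosts, ssh to one of them allowed in.
proxy_arp_setup eth0 eth1 10.2.1.2 10.2.1.100 10.2.1.101
filter_rules eth0 eth1 10.2.1.100:22
```

Two ARP requests decide whether the kernel plays proxy: one arriving on eth0 for 10.2.1.100 is answered because the route to that host leaves via eth1, and one arriving on eth1 for 10.2.1.1 is answered because the route leaves via eth0; a request on eth1 for another inside host is left alone, since its route points back out eth1. The trade-off against Herman's bridge is that every protected host needs its own /32 route on the box, and 802.1q tags play no part.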
* Re: Bridge question
From: Jeremy Jones @ 2003-10-17 13:37 UTC (permalink / raw)
To: netfilter
Herman,
in addition to the bridge.sourceforge.net pages, have a look at
ebtables.sourceforge.net. the howto documentation you'll find at, say,
tldp.org is a little out of date, but at ebtables, you may find more
helpful info. i've been using the bridging code & netfilter-bridge
kernel patch with 2.4.x for a while now, along with ebtables (analogous
to iptables, but filters at layer 2), and it's doing wonders for me.
good luck,
Jeremy
On Thu, 2003-10-16 at 21:15, Herman wrote:
> Hi everybody,
>
> This question is not about iptables, but it is closely related, so somebody
> might know the answer:
> I am trying to construct a bridge, to filter 802.1q tags and protect a legacy
> version 2.2 kernel server, while preserving port to port security on the LAN,
> using the VLAN module.
>
> Can anybody refer me to some documentation on filtering on a bridge for the
> 2.4 kernel?
>
> Regards,
* Re: Bridge question
From: Herman @ 2003-10-17 13:52 UTC (permalink / raw)
To: Jeremy Jones, netfilter
Aaaaaaaaah... Thanks Jeremy!
I think ebtables is exactly what the doctor ordered.
I'll try my bridge+iptables kludge - explained in another post - as well and
see which one we get to work properly first - we are running short on time
with this project.
Cheers,
Herman
On Friday 17 October 2003 7:37 am, Jeremy Jones wrote:
> Herman,
> in addition to the bridge.sourceforge.net pages, have a look at
> ebtables.sourceforge.net. the howto documentation you'll find at, say,
> tldp.org is a little out of date, but at ebtables, you may find more
> helpful info. i've been using the bridging code & netfilter-bridge
> kernel patch with 2.4.x for a while now, along with ebtables (analogous
> to iptables, but filters at layer 2), and it's doing wonders for me.
> good luck,
> Jeremy
>
> On Thu, 2003-10-16 at 21:15, Herman wrote:
> > Hi everybody,
> >
> > This question is not about iptables, but it is closely related, so somebody
> > might know the answer:
> > I am trying to construct a bridge, to filter 802.1q tags and protect a legacy
> > version 2.2 kernel server, while preserving port to port security on the LAN,
> > using the VLAN module.
> >
> > Can anybody refer me to some documentation on filtering on a bridge for the
> > 2.4 kernel?
> >
> > Regards,
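Putting Jeremy's pointer together with the design in Herman's earlier post, here is an added example, neither Herman's configuration nor anything from the ebtables project: a script for a 2.4 kernel carrying the bridge and ebtables patches Jeremy mentions that builds the tag-stripping bridge and then adds the layer-2 guest isolation Herman needs. The interface names (eth0 as the trunk from the 3COM switches, eth1 to the legacy server), the bridge name br0, the guest VLAN IDs 101 to 103 and the server MAC address are assumptions. It needs vconfig, brctl, iproute2 and ebtables; with the default DRY_RUN=1 it only prints the commands it would run, so the ruleset can be read through anywhere, and DRY_RUN=0 applies it as root.

```shell
#!/bin/sh
# Added example, not Herman's configuration: tag-stripping bridge plus
# layer-2 guest isolation on a 2.4 kernel patched for bridging and ebtables.
# Assumed layout: eth0 is the trunk from the 3COM switches carrying guest
# VLANs 101..103, eth1 leads to the legacy 2.2 server, the bridge is br0.
# Needs vconfig, brctl, iproute2 and ebtables. DRY_RUN=1 (default) prints
# the commands for review; DRY_RUN=0 applies them and needs root.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Bridge every guest VLAN sub-interface together with the server port.
# The bridge forwards the untagged payload, so the server never sees a Q-tag,
# and its replies find their way back to the right VLAN through the bridge's
# MAC table (the server's frames go out whichever port learned the guest MAC).
build_bridge() {
    trunk=$1; server=$2; shift 2
    run vconfig set_name_type DEV_PLUS_VID_NO_PAD     # sub-interfaces named eth0.101 etc.
    run ip link set "$trunk" up
    run brctl addbr br0
    run brctl stp br0 off
    run brctl addif br0 "$server"
    for vid in "$@"; do
        run vconfig add "$trunk" "$vid"
        run ip link set "$trunk.$vid" up
        run brctl addif br0 "$trunk.$vid"
    done
    run ip link set br0 up
}

# Frames entering on a guest VLAN port may leave only through the server port.
# The trailing '+' is the ebtables interface-name wildcard, so eth0.+ matches
# every eth0.<vid> port. The bridge runs the FORWARD hook once per output port,
# so the -o eth0.+ rule also stops broadcasts and unknown-unicast floods from
# spilling from one guest VLAN into another. Optional third argument: the
# server's MAC (assumed), so that a guest cannot claim it and steal replies.
isolation_rules() {
    trunk=$1; server=$2; server_mac=$3
    run ebtables -F FORWARD
    run ebtables -P FORWARD DROP
    if [ -n "$server_mac" ]; then
        run ebtables -A FORWARD -i "$trunk.+" -s "$server_mac" -j DROP
    fi
    run ebtables -A FORWARD -i "$trunk.+" -o "$trunk.+" -j DROP
    # The NetBIOS block from Herman's plan, done at layer 2 and placed before
    # the ACCEPTs so it is actually reached: no browsing traffic crosses at all.
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 137:139 -j DROP
    run ebtables -A FORWARD -i "$trunk.+" -o "$server" -j ACCEPT
    run ebtables -A FORWARD -i "$server" -o "$trunk.+" -j ACCEPT
}

# Usage (dry run by default); the MAC is an assumed placeholder.
build_bridge eth0 eth1 101 102 103
isolation_rules eth0 eth1 00:11:22:33:44:55
```

The point the thread glosses over is that the bridge merges all guest VLANs into a single forwarding database. Cross-VLAN unicast between guests is cut by the -i eth0.+ -o eth0.+ rule, and guests on the same VLAN never reach the bridge because the switch keeps them local, but a guest that sent frames with the server's source MAC would teach the bridge to deliver the server's replies to its own port; the first rule in isolation_rules closes that hole, which is why it is worth passing the server MAC even in a stop-gap deployment.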
* Re: Isolate a legacy machine
From: Bill Chappell @ 2003-10-17 3:52 UTC (permalink / raw)
To: netfilter
I will take a stab at this, with the expectation that
if I do not understand the configuration needed,
people will be kind.
2 machines can have the same IP address (your 10.2.1.100)
so long as there will be no confusion when another machine
sends a packet to 10.2.1.100 as to which box is meant.
Your "sneakernet" failover would definitely be do-able in
this case.
I have the sense that this will not exactly be the case.
I just wiped out some thoughts on using MASQUERADE to
hide the true IP address of the legacy box and DNAT
to send traffic to the legacy box that is addressed
to the box that is doing the MASQUERADE-ing of outgoing
traffic from the legacy box because it falls apart when
the box doing the MASQUERADE-ing can see both the legacy
box and the proxy/firewall box at the same time.
??? which box gets the traffic for 10.2.1.100 ???
My last thought, which fits here, is that the above
might work if you did it twice - hid the real IP address
of both the legacy and the proxy/firewall boxes behind
2 different IP addresses so no one box would see both
the legacy and the proxy/firewall at the same time at
the same IP address.
This might be on the right path to a solution.
(I use DNAT in -t nat PREROUTING to force all DNS traffic
to a specific DNS server, if that helps with part of
your question.)
If you do not need the telnet and ftp functionality
of the legacy box when it is acting as your sneakernet
failover, and assuming that the time to change the
IP address of the legacy machine is included in acceptable
downtime, and assuming that MPR is not replete with
extra boxes, Garrison Keillor's popularity notwithstanding,
I would just put the legacy machine at a
different IP address for normal use and change its IP
address as part of the sneakernet failover process.
Hope this helps.
Bill Chappell
"Ringer, Torleiv" wrote:
>
> Hi there,
>
> I am not exactly sure how this needs to be done...
>
> I have a legacy machine that I need to isolate from our LAN. Network access to this machine will be limited to port forwarding of telnet, and a limited FTP access that will only be initiated locally on a proxy machine (which will also run the iptables).
>
> Let's say that the legacy machine currently has address 10.2.1.100, and I would like my proxy/firewall to have the same address. I will be unplugging the legacy machine from the LAN, then assigning the proxy/firewall the same IP.
>
> Can I isolate the 100 machine from the LAN, and keep the same IP? I need to do this for failover, so that if the proxy box goes down, I can just unplug the 100 machine from the proxy/firewall, and plug it back into the LAN. I would also be unplugging the proxy/firewall from the LAN at this point.
>
> Can I port forward telnet from the LAN (eth0) side to the legacy (eth1) side where both the proxy machine and the legacy machine have the same IP but are isolated from each other? Is this impossible?
>
> Torleiv Ringer
> IT Support
> Minnesota Public Radio
> http://www.mpr.org
--
William Chappell, Software Engineer, Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY
13501
315-793-0248 x148 < bill.chappell@critical.com > www.critical.com
* Re: Isolate a legacy machine
From: Joel Newkirk @ 2003-10-17 4:37 UTC (permalink / raw)
To: Ringer, Torleiv; +Cc: netfilter
On Thu, 2003-10-16 at 18:02, Ringer, Torleiv wrote:
> Hi there,
>
> I am not exactly sure how this needs to be done...
>
> I have a legacy machine that I need to isolate from our LAN. Network access to this machine will be limited to port forwarding of telnet, and a limited FTP access that will only be initiated locally on a proxy machine (which will also run the iptables).
>
> Let's say that the legacy machine currently has address 10.2.1.100, and I would like my proxy/firewall to have the same address. I will be unplugging the legacy machine from the LAN, then assigning the proxy/firewall the same IP.
>
> Can I isolate the 100 machine from the LAN, and keep the same IP? I need to do this for failover, so that if the proxy box goes down, I can just unplug the 100 machine from the proxy/firewall, and plug it back into the LAN. I would also be unplugging the proxy/firewall from the LAN at this point.
>
> Can I port forward telnet from the LAN (eth0) side to the legacy (eth1) side where both the proxy machine and the legacy machine have the same IP but are isolated from each other? Is this impossible?
If for some reason the proxy/firewall MUST be at the IP the 'legacy'
machine currently uses, just put it there, and put the legacy box on a
private subnet accessible only to it and the firewall.
You just set a DNAT rule for the traffic you want forwarded to the
legacy box, and FORWARD to let it through.
At need you can change the IP of the legacy box, if it's still on the
same physical network.
j
> Torleiv Ringer
> IT Support
> Minnesota Public Radio
> http://www.mpr.org
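As an added example, not Joel's or Torleiv's ruleset, here is what Joel's answer looks like as a script: the proxy/firewall takes 10.2.1.100 on its LAN side, the legacy box moves to a private link behind the second interface, telnet is DNATed through, the FTP client on the proxy itself can reach the legacy box, and nothing the legacy box starts on its own gets anywhere. The interface names, the 192.168.200.0/30 link, the legacy box's new address and its default gateway are assumptions, as is a 2.4 iptables with ip_conntrack, -m state and the ip_conntrack_ftp helper. With the default DRY_RUN=1 the script prints the commands it would run; DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example, not Joel's or Torleiv's ruleset: the DNAT + FORWARD layout
# from Joel's reply, with the proxy/firewall holding the legacy box's old LAN
# address. Assumed: firewall eth0 = 10.2.1.100 on the LAN, eth1 = 192.168.200.1/30
# on a private link, legacy box = 192.168.200.2 with default gateway 192.168.200.1.
# Needs 2.4-era iptables with ip_conntrack, -m state and ip_conntrack_ftp.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (root).
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_IF=eth0;  LAN_IP=10.2.1.100        # the address the legacy box used to answer on
LEG_IF=eth1;  LEG_IP=192.168.200.2     # legacy box on its private link (assumed)
FW_LEG_IP=192.168.200.1                # firewall's end of that link (assumed)

legacy_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe ip_conntrack_ftp          # tracks data channels of the local ftp client
    run ip addr add "$FW_LEG_IP/30" dev "$LEG_IF"
    run ip link set "$LEG_IF" up
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -P FORWARD DROP
    # 1. LAN telnet to the old address is rewritten to the legacy box. Telnet
    #    is cleartext; the DNAT only relocates the service, it does not protect it.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$LAN_IP" -p tcp --dport 23 -j DNAT --to-destination "$LEG_IP:23"
    # 2. Only that rewritten flow may cross, and only its replies come back.
    #    Replies still carry the legacy source in FORWARD: the reverse mapping
    #    is applied at POSTROUTING, so -s "$LEG_IP" matches.
    run iptables -A FORWARD -i "$LAN_IF" -o "$LEG_IF" -d "$LEG_IP" -p tcp --dport 23 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LEG_IF" -o "$LAN_IF" -s "$LEG_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Towards the firewall itself the legacy box may only answer. FTP is
    #    started from here; active-mode data connections back to the firewall
    #    are RELATED thanks to the helper. Inserted at the top of INPUT so no
    #    earlier accept-all rule can undo it.
    run iptables -I INPUT 1 -i "$LEG_IF" -j DROP
    run iptables -I INPUT 1 -i "$LEG_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage (dry run by default).
legacy_rules
```

The legacy box needs 192.168.200.1 as its default gateway so that telnet replies to LAN clients travel back through the firewall; if changing it is out of the question, add a POSTROUTING SNAT to 192.168.200.1 for the forwarded flow, at the cost of every telnet session appearing to the legacy machine to come from the firewall. For the sneakernet failover Torleiv describes, the legacy box's address is set back to 10.2.1.100 once the firewall is unplugged, as Joel points out.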