During my free time, I did a quick investigation of how to “secure” a small corporate network by publishing just a small group of servers to the internet. I can say that it was a good challenge; several forums provide you with thousands of approaches, some really expensive, but I personally went directly for the “Free” option. If you can pay for a proprietary firewall like Cisco, Symantec or Juniper then go ahead, but if you don’t need a high-profile firewall then you should consider iptables.

Iptables is a network packet filter: you define rules, grouped in chains, that decide what happens to each packet based on criteria such as source and destination address, protocol, port, interface and connection state. In short, you can accept, drop, reject or forward any connection to, from or through your computer. With this, you can build your own firewall on a Linux box without paying for an expensive license or appliance.

Now let’s see iptables in a small scenario. Consider the following diagram as your typical corporate network, where you want to publish some servers to the internet:

A network diagram

Some additional details for our scenario:

  1. We want to publish our FTP and HTTP servers to the Internet; their IPs are 192.168.1.3 and 192.168.1.4.
  2. Our intranet works within the subnet 10.0.0.0/24.

Now our objectives are:

  1. We should allow access to our FTP and HTTP services, but only on their service ports (21 and 80).
  2. Any connection from the Internet to our intranet should be rejected.
  3. Any connection from our servers to our intranet should be rejected.

Now let’s create a quick bash script that sets all our iptables policies.

Let’s review a really critical section of it:

## 1. Golden Rule: DROP ALL CONNECTIONS BY DEFAULT (Good practice alert!)
## This ensures that you only open what you need
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

This is the best advice ever… my network professor Luis Loría, at the University of Costa Rica, did a really good job passing down this tip. The concept is really simple: “close all the doors, then open the ones you need”. A brilliant approach.

With this script you should be able to set up your servers without problems, but be careful: a default DROP policy bites hardest when you apply it over a network connection to the firewall itself. The moment INPUT and OUTPUT are set to DROP, your own SSH session dies too, unless rules accepting loopback traffic and ESTABLISHED,RELATED connections are already in place. So write your policies down on paper first, then put them in a script and apply it from the console if you can; if you must work remotely, open a second session and schedule a rollback (for example, sleep 300; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -F, run in the background) that you cancel once you have confirmed you can still log in. One more caveat specific to objective 1: opening port 21 alone does not make FTP work, because the data transfer runs over a second TCP connection. Load the nf_conntrack_ftp helper (and nf_nat_ftp if you NAT to the server) so those connections are classified as RELATED and admitted by a rule accepting ESTABLISHED,RELATED traffic; on kernels from 4.7 onwards the helper is no longer attached automatically and must be assigned with the CT target in the raw table.
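The post's own script is not reproduced above, so here is an added example, written for this edit and not the author's code, of a complete script that meets the three objectives. It assumes a layout the post does not state: the firewall has three interfaces (eth0 to the Internet, eth1 to the server segment 192.168.1.0/24, eth2 to the intranet 10.0.0.0/24), the firewall's public address receives the traffic and forwards ports 80 and 21 to the two servers, the servers use the firewall as their default gateway, and the intranet is allowed out through masquerading. SSH to the firewall from the intranet and intranet access to the two services are also assumptions. Run it without arguments to see the rules it would apply; run it with "apply" as root to install them.

```shell
#!/bin/sh
# Added example for this edit, not the script from the original post.
# Assumed layout (adjust to yours): eth0 faces the Internet, eth1 the server
# segment 192.168.1.0/24, eth2 the intranet 10.0.0.0/24. The firewall's own
# public address receives the traffic and forwards ports 80 and 21 to the two
# servers, which must use the firewall as their default gateway.
#   sh firewall.sh          prints the iptables commands (dry run)
#   sh firewall.sh apply    runs them for real (as root)
set -e

WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
DMZ_NET=192.168.1.0/24
LAN_NET=10.0.0.0/24
FTP_SRV=192.168.1.3
HTTP_SRV=192.168.1.4

dry_run() { printf 'iptables %s\n' "$*"; }
ipt() { "$IPT" "$@"; }

firewall_rules() {
    # start from a clean slate so the script can be re-run safely
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X

    # 1. golden rule: drop everything, then open only what is needed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # loopback and replies to connections already accepted; without these the
    # firewall host cannot keep any session of its own (including your ssh)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # anti-spoofing: packets from the Internet may not claim an internal source
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A INPUT -i "$WAN_IF" -s "$DMZ_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP

    # management of the firewall host itself: ssh from the intranet only (assumption)
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # objective 3: the published servers never open connections into the intranet.
    # Log attempts (rate limited) before dropping: a compromised server shows up here.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # objective 1: publish HTTP and FTP on their service ports only
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$HTTP_SRV"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SRV"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$HTTP_SRV" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$FTP_SRV" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # the same two services for the intranet (assumption: staff use them too)
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$HTTP_SRV" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$FTP_SRV" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # objective 2: the intranet may go out, masqueraded behind the firewall, but
    # nothing from the Internet comes in: replies match ESTABLISHED above, anything
    # new hits the FORWARD DROP policy, and no DNAT rule points at 10.0.0.0/24.
    # (No rule lets the servers out either; add one if they need to fetch updates.)
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-dry-run}" in
    apply)
        IPT=iptables
        # FTP data channels are separate TCP connections; the helper classifies
        # them as RELATED so the rules above admit them (nf_nat_ftp rewrites the
        # addresses inside the control channel when DNAT is in use)
        modprobe nf_conntrack_ftp
        modprobe nf_nat_ftp
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    dry-run)
        IPT=dry_run
        ;;
    *)
        echo "usage: $0 [apply|dry-run]" >&2
        exit 2
        ;;
esac

firewall_rules
```

The dry-run mode is the "write it down first" step from the paragraph above in executable form: review the printed rules, diff them against what you intended, and only then run with apply, ideally from the console. Rule order matters: the ESTABLISHED,RELATED accepts come before the DMZ-to-intranet DROP so that replies to intranet-initiated sessions still pass, while the DROP itself sits before the service rules so no later ACCEPT can override objective 3.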

Tested on:

CentOS 6, Ubuntu 12 and Ubuntu 13.02

Sources:

http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html

Carlos Alberto Umanzor Arguedas

Web Developer at carlosumanzor.com