Linux - Networking
we have a secure ftp server that we're trying to protect by putting an extra layer between it and the 'net. the idea is to keep the SFTP server on the LAN and have a machine in the DMZ port forward the necessary ports (990 and 28000-28030) to it. eth0 connects to the internet and eth1 connects to the LAN.
first question: is this a good idea or is there a better way? (we don't want to put the SFTP server itself in the DMZ since local users here need to put files on it frequently)
second question: why in the world doesn't this script work? (note that i'm using port 80 to test since http should be fairly simple to get going)
/proc/sys/net/ipv4/ip_forward is set to 1 already
Code:
# flush everything, including the nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# the state match is "-m state --state ...", not "-m --state ..."
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.109
# after DNAT the packet's destination is the server, so match it with -d
iptables -A FORWARD -d 10.0.0.109 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
I don't really see the point of what you're suggesting. The point of a DMZ is to hold a system in an intermediate security level between the internal LAN and external internet bedlam. What you're doing would totally invalidate the DMZ, as you would have a single TCP connection right from the net into your secure network. If you were going to have an intermediate system then you would generally convert the protocol at that point, or at the absolute least genuinely proxy the data to stop many attacks getting through.
A DMZ is also not necessarily inaccessible from the internal network; the only standard logic is that you can only pass from the internal network to the DMZ, not the other way round, due to firewall constraints.
chris, what you're saying makes sense. we're using apache to proxy 443 and 80 to our internal web server but we couldn't find a tool to do the same with SFTP's ports. is it your consensus that the safest thing would be to keep the SFTP server in the DMZ and not allow it to touch the internal LAN at all?
what product are you actually using? sftp is just ssh with a secondary subsystem in it... just port 22 and nothing else. google says you're actually trying to play blockland...
well *THE* safest thing is to have a literal airgap in the architecture, sharing power supplies and nothing else, but in reality there's little wrong in allowing some access through a firewall from lan to dmz, just not in the other direction.
Last edited by acid_kewpie; 04-28-2008 at 04:46 PM.
this is a two part question =)
Quote:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.109
iptables -A FORWARD -d 10.0.0.109 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Code:
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EDIT:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.109
this is better.. otherwise it will send all tcp 80 requests to 10.0.0.109
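Putting the pieces of this thread together, here is a complete forwarding script for the layout the original poster described (eth0 to the internet, eth1 to the LAN, server at 10.0.0.109, ports 990 and 28000-28030). It is an added example, not code from any poster: it uses the correct state-match syntax, DNATs only on eth0 as suggested above, allows replies through FORWARD, and additionally sets the FORWARD policy to DROP, which the original script left at its default ACCEPT. The interface names, address and ports are parameters taken from the thread; the IPT variable and the dry-run mode are my additions.

```shell
#!/bin/sh
# Usage: sh fw.sh        -> print the rules (dry run); sh fw.sh apply -> apply them (needs root)
# Assumed layout, as in the thread: eth0 = internet, eth1 = LAN, SFTP server on the LAN.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
SERVER=${SERVER:-10.0.0.109}
PORTS="990 28000:28030"    # ports named in the thread; 28000:28030 is iptables range syntax

apply_rules() {
    # Flush everything, then lock down INPUT and FORWARD by default.
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -t mangle -F; $IPT -t mangle -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP      # the thread's script never set this, so it stayed ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # The match syntax is "-m state --state ...", not "-m --state ...".
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies for forwarded connections must be allowed through FORWARD as well.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        # DNAT only what arrives on the internet side, so LAN traffic is untouched.
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SERVER"
        # After DNAT the destination is the server, so match it with -d, not -s.
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # Caveat: the server must route its replies back through this box (default route
    # or a host route for the clients); otherwise uncomment the SNAT below, at the
    # cost of the server seeing this box's LAN address instead of the real client.
    # $IPT -t nat -A POSTROUTING -o "$LAN_IF" -d "$SERVER" -j MASQUERADE
    # Anything else reaching INPUT is logged, then dropped by the policy.
    $IPT -A INPUT -j LOG --log-prefix "dmz-fw: "
}

if [ "${1:-}" = apply ]; then IPT=iptables; else IPT=echo; fi
apply_rules
```

Run it without arguments first and read the printed rules before applying them.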
Chris, we're using GlobalSCAPE Secure FTP for our SFTP needs.
Maxut, is your code snippet with the forward intended to replace my line with the forward?
Would it help security in any way if we had a linux box port forwarding 990 and 28000-28030 to the SFTP server even with the SFTP server in the DMZ also? We just want it to be as solid and safe as possible.
ok, well looking at that product, if you're using sftp, then those port ranges are irrelevant... are you really sure what actual protocol you are using? if you do want to use sftp, then that'd just be single port 22, nice and simple (and recommended by them on their KB it seems)