Planning linux ipchains

Lukas Grijander


I'm planning to secure an HP-UX box with a Linux box running ipchains.

I've done the first step.

Connect HP-UX and linux to a hub and the other linux interface to the rest of the net.

Changing the HP-UX and Linux IPs to another subnet, I can ping from the net to the HP-UX box (adding a static route) and from the HP-UX box to the net (works fine).

But ...

I don't want to change any IP; in other words, I want HP-UX to stay in the same net as the rest of the boxes and users (like now). And it doesn't work.

Is it possible?
What's wrong?

Kodjo Agbenu
Honored Contributor

Re: Planning linux ipchains

Hello Rafael,

As far as I understand, you have an HP-UX box on the same subnet as user machines, and you just want to secure the HP-UX against the rest of the subnet.

There are several ways to achieve this:

-> Using a Linux box with ipchains is a good solution, but it is better with masquerading. In two words, you have a separate private subnet for your HP-UX server, and the Linux box translates IP addresses between that private network and the public one.
From my point of view, this is the most secure, because your ipchains rules would be as simple as:
* everything is forbidden, unless explicitly authorized
* from private to public, on this type of packet or protocol or service, authorize under these conditions...

In my opinion, using a Linux router with ipchains to route on the same subnet makes no sense, because below are better solutions if your HP-UX box is to be on the same subnet as the end users.

-> Using service-level protection. You can use /var/adm/inetd.sec, /etc/ftpusers, /etc/securetty, etc. to prevent unauthorized access to your HP-UX box on a service-by-service basis.

In my opinion, this is a good method, BUT you need to have the exact knowledge of all TCP/IP services running on your server, and all these must rely on a security mechanism (authentication, list of authorized/denied IP addresses...).

This may be a little difficult to implement if you have more than the standard services usually started by /etc/inetd.conf (ftp, telnet, http...).

-> Using IPFilter: starting from HP-UX 11.x, IPFilter aims to implement packet filtering on HP-UX, just as ipchains does on Linux.
I have not yet tried it, but I guess you can have rules that help you detect the service or connection port, and do selective allow or deny based on the IP address, etc...

To summarize: I would prefer, in the following order:

1. Ipchains with masquerading (separate private and public subnets)

2. IPFilter if it gives the same functionality as ipchains, without the need for a second machine to do routing.

3. Service-by-service filtering, if you know exactly what runs on your machine.

Good luck.

Learn and explain...
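An ipchains rule set for the masquerading design Kodjo outlines above, with the "everything denied unless explicitly authorized" policy. This is an added example, not from the thread: the private subnet 10.0.0.0/24 on eth1, the public side on eth0, and the list of allowed outbound services are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains rules for an HP-UX box alone
# on a private subnet behind a masquerading Linux box. Addresses, interface
# names and the allowed-service list are assumed, not taken from the post.
PRIV_NET="10.0.0.0/24"
PRIV_IF="eth1"
PUB_IF="eth0"
# Outbound services the HP-UX box may use, as "port/proto" (constructed list).
ALLOWED_OUT="53/udp 123/udp 80/tcp"

# Print each command instead of running it when DRY_RUN=1 or when ipchains is
# not installed, so the rule set can be reviewed before it touches the kernel.
ipc() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v ipchains >/dev/null 2>&1; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

build_rules() {
    ipc -F                      # flush old rules on all chains
    ipc -P forward DENY         # nothing is routed unless a rule allows it
    # Anti-spoofing: the private interface must only ever see private sources;
    # "-l" logs the packet so spoof attempts show up in syslog.
    ipc -A input -i "$PRIV_IF" ! -s "$PRIV_NET" -l -j DENY
    # Nothing arriving on the public side may claim a private address either.
    ipc -A input -i "$PUB_IF" -s "$PRIV_NET" -l -j DENY
    # Allow-list: masquerade only the listed services from the private net.
    # In the forward chain "-i" is the interface the packet leaves on.
    for svc in $ALLOWED_OUT; do
        port=${svc%/*}; proto=${svc#*/}
        ipc -A forward -i "$PUB_IF" -p "$proto" -s "$PRIV_NET" -d 0/0 "$port" -j MASQ
    done
    # Connections from the public net towards the HP-UX box are never
    # forwarded; this rule only adds logging to what the policy already drops.
    ipc -A forward -i "$PRIV_IF" -d "$PRIV_NET" -l -j DENY
}

# Run with APPLY=1 to load the rules; add DRY_RUN=1 to review them first.
# Enable /proc/sys/net/ipv4/ip_forward only after the rules are loaded.
if [ "${APPLY:-0}" = 1 ]; then
    build_rules
fi
```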
Lukas Grijander

Re: Planning linux ipchains

Thanks, Kodjo.

Really, I think that a mixture of the 3 solutions is the best solution, but ...

IPFilter/9000 doesn't run when MC/ServiceGuard runs ... what a pity.

And changing the HP-UX boxes' IPs is too difficult ...

Best regards