- Planning linux ipchains
02-08-2002 01:44 AM
I'm planning to secure an HP-UX box with a Linux box running ipchains.
I've done the first step.
Connect HP-UX and Linux to a hub and the other Linux interface to the rest of the net.
Changing the HP-UX and Linux IPs to another subnet, I can ping from the net to HP-UX (adding a static route) and I can ping from the HP-UX box to the net. (works fine)
But ...
I don't want to change any IP; in other words, I want HP-UX to stay on the same net as the rest of the boxes and users (like now). And it doesn't work.
Is it possible?
What's wrong?
Thanks
02-08-2002 01:35 PM
Solution
Hello Rafael,
As far as I understand, you have an HP-UX box on the same subnet as the user machines, and you just want to secure the HP-UX box against the rest of the subnet.
There are several ways to achieve this:
-> Using a Linux box with ipchains is a good solution, but it is better with masquerading. In two words, you have a separate private subnet for your HP-UX server, and the Linux box translates IP addresses between that private network and the public one.
From my point of view, this is the most secure, because your ipchains rules would be as simple as:
* everything is forbidden unless explicitly authorized
* from private to public, for this type of packet or protocol or service, authorize under these conditions...
In my opinion, using a Linux router with ipchains to route on the same subnet makes no sense, because there are better solutions (below) if your HP-UX box is to be on the same subnet as the end users.
-> Using service-level protection. You can use /var/adm/inetd.sec, /etc/ftpusers, /etc/securetty, etc. to prevent unauthorized access to your HP-UX box on a service-by-service basis.
In my opinion, this is a good method, BUT you need exact knowledge of all TCP/IP services running on your server, and all of these must rely on a security mechanism (authentication, list of authorized/denied IP addresses...).
This may be a little difficult to implement if you have more than the standard services usually started by /etc/inetd.conf (ftp, telnet, http...).
-> Using IPFilter: starting from HP-UX 11.x, IPFilter aims to implement packet filtering on HP-UX, just as ipchains does on Linux.
I have not yet tried it, but I guess you can have rules that help you detect the service or connection port, and do selective allow or deny based on the IP address, etc.
To summarize: I would prefer, in the following order:
1. ipchains with masquerading (separate private and public subnets)
2. IPFilter, if it gives the same functionality as ipchains, without the need for a second machine to do routing.
3. Service-by-service filtering, if you know exactly what runs on your machine.
Good luck.
Kodjo
Learn and explain...
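The first option in the answer above (a dual-homed Linux box with ipchains, default deny, explicit per-service allow rules, masquerading toward the user LAN) written out as a script. This is an added example and not part of the original thread or of anything the posters ran. The interface names, the 192.168.100.0/24 private subnet, the HP-UX address, the permitted outbound ports and the admin-side values are all assumptions chosen for illustration; the masquerade port range 61000:65096 is the 2.2-kernel default.

```shell
#!/bin/sh
# Added example, not from the original thread: a default-deny ipchains
# ruleset for the two-subnet layout Kodjo recommends. The HP-UX server is
# the only host on a private subnet behind a dual-homed Linux box, which
# masquerades (NATs) the server's connections toward the user LAN.
#
# All addresses and interface names below are assumptions for illustration.
PUB_IF=eth0                  # Linux interface on the user LAN
PRIV_IF=eth1                 # Linux interface on the hub with the HP-UX box
PRIV_NET=192.168.100.0/24    # private subnet behind the Linux box
HPUX=192.168.100.10          # the HP-UX server
OUT_PORTS="22 80"            # TCP services the HP-UX box may reach outbound
MASQ_PORTS=61000:65096       # 2.2-kernel default masquerade port range

# DRY_RUN=1 prints the commands instead of running them, so the ruleset can
# be reviewed on a machine that has no ipchains binary at all.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

build_rules() {
    run -F                       # start from empty chains

    # 1. Everything is forbidden unless explicitly authorized.
    run -P input DENY
    run -P output DENY
    run -P forward DENY

    # The firewall's own loopback traffic.
    run -A input  -i lo -j ACCEPT
    run -A output -i lo -j ACCEPT

    # 2. Anti-spoofing: the private range must never show up on the public side.
    run -A input -i "$PUB_IF" -s "$PRIV_NET" -j DENY -l

    # 3. Private -> public, one rule set per permitted service. The packet
    #    crosses input (arrives on PRIV_IF), forward (leaves via PUB_IF, where
    #    MASQ rewrites the source to the Linux box's address), then output.
    for port in $OUT_PORTS; do
        run -A input   -i "$PRIV_IF" -s "$HPUX" -p tcp --dport "$port" -j ACCEPT
        run -A forward -i "$PUB_IF"  -s "$HPUX" -p tcp --dport "$port" -j MASQ
        run -A output  -i "$PUB_IF"  -p tcp --dport "$port" -j ACCEPT
    done
    # Anything else from the private side is dropped and logged (-l).
    run -A input -i "$PRIV_IF" -s "$PRIV_NET" -j DENY -l

    # 4. Replies. ipchains is stateless: answers to masqueraded connections
    #    arrive on PUB_IF addressed to the Linux box's masquerade port range,
    #    are de-masqueraded, and then leave toward the HP-UX box through the
    #    output chain. "! -y" matches only segments that are not a bare SYN,
    #    so nobody on the user LAN can open a fresh connection into that
    #    port range or into the HP-UX box through these two rules.
    run -A input  -i "$PUB_IF"  -p tcp ! -y --dport "$MASQ_PORTS" -j ACCEPT
    run -A output -i "$PRIV_IF" -d "$HPUX" -p tcp ! -y -j ACCEPT
}

# Dry-run listing of the ruleset (subshell so DRY_RUN does not leak).
list_rules() {
    ( DRY_RUN=1; build_rules )
}

# Number of rules in the listing that jump to a given target; used to
# sanity-check the generated set without loading it.
count_target() {
    list_rules | grep -c -- "-j $1"
}

# Prints 1 if all three chain policies are DENY, 0 otherwise.
default_deny_ok() {
    n=$(list_rules | grep -c -- '^ipchains -P [a-z]* DENY$')
    [ "$n" -eq 3 ] && echo 1 || echo 0
}

# Review mode: DRY_RUN=1 ./masq-rules.sh prints the rules it would load.
if [ "${DRY_RUN:-0}" = "1" ]; then
    build_rules
fi
```

Run it with `DRY_RUN=1` first and read the listing; only then run it for real on the Linux box, after enabling routing with `echo 1 > /proc/sys/net/ipv4/ip_forward`. Two caveats follow from the rules as written: ICMP is not opened at all, so the ping test from the original post would fail under this set until an explicit ICMP rule is added; and nothing on the user LAN can initiate a connection to the HP-UX box, which is the point of the design, so any administrative access from the public side needs its own explicit rules.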
02-10-2002 11:43 PM
Re: Planning linux ipchains
Thanks, Kodjo.
Really, I think that a mixture of the 3 solutions is the best solution, but ...
IPFilter/9000 doesn't run when MC/Service Guard runs ... what a pity.
And changing the HP-UX boxes' IPs is too difficult ...
Best regards
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
© Copyright 2021 Hewlett Packard Enterprise Development LP