Simpler Navigation for Servers and Operating Systems - Please Update Your Bookmarks
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
If you have bookmarked forums or discussion boards in Servers and Operating Systems, we suggest you check and update them as needed.
cancel
Showing results for 
Search instead for 
Did you mean: 

Planning linux ipchains

SOLVED
Go to solution

Planning linux ipchains

I??m planning to securize an HP-UX box whith a linux running ipchains.

I??ve done the first step.

Connect HP-UX and linux to a hub and the other linux interface to the rest of the net.

Changing the HP-UX and linux IPs to another subnet, I can ping from net to HP-UX (adding a static route) and I can ping from the HP-UX box to the net. (works fine)

But ...

I don??t want to chain any IP, in other words, I want HP-UX to stay in the same net than the rest of boxes and users (like now). And it doesn??t work.

It??s possible?
What??s wrong?

Thank??s
2 REPLIES
Kodjo Agbenu
Honored Contributor
Solution

Re: Planning linux ipchains

Hello Rafael,

As far as I understand, you have an HP-UX box on the same subnet as user machines, and you just want to secure the HP-UX against the rest of the subnet.

There are several ways to achieve this :

-> Using a Linux box with ipchains is a good solution, but it is better with masquerading. In 2 words, you have a separate private subnet for your HP-UX server, and the Linux translate IP addresses between that private network and the public one.
From my point of view, this is the most secure, because your ipchains rules would be as simple as :
* everything is forbidden, unless explicitly authorized
* from private to public on this type of packet or protocol or service authorize under these conditions...

In my opinion, using a Linux router with ipchains to route on the same subnet makes no sense, because below are better solutions if your HP-UX box is to be on the same subnet as the end users.


-> Using service-level protection. You can use /var/adm/inetd.sec, /etc/ftpusers, /etc/securetty, etc... to prevent unauthorized access to your HP-UX box on a service by service basis.

In my opinion, this is a good method, BUT you need to have the exact knowledge of all TCP/IP services running on your server, and all these must rely on a security mechanism (authentication, list of authorized/denied IP addresses...).

This may be a little difficult to implement if you have more that the standard services usually started by /etc/inetd.conf (ftp, telnet, http...).


-> Using IPFilter : starting from HP-UX 11.x, IPFilter aims to implement packet filtering on HP-UX, just as ipchains does on Linux.
I have not yet tried it, but I guess you can have rules that help you detect the service or connection port, and do selective allow or deny based on the IP address, etc...


To summarize : I would prefer, in the following order :

1. Ipchains with masquerading (separate private and public subnets)

2. IPFilter if it gives the same functionality as ipchains, without the need of a second machine to do routing.

3. Service-by-service filtering, if you know exactly what runs on your machine.

Good luck.

Kodjo
Learn and explain...

Re: Planning linux ipchains

Thank??s Kodjo.

Really I think that a mixture of 3 solutions is the best solution, but ...

IPFilter/9000 doesn??t run when MC/Service Guard runs ... what a pity.

And changing the HP-UX boxes IP is too difficult ...

Best regards