Planning linux ipchains
02-08-2002 01:44 AM
I'm planning to secure an HP-UX box with a Linux running ipchains.
I've done the first step.
Connect HP-UX and Linux to a hub and the other Linux interface to the rest of the net.
Changing the HP-UX and Linux IPs to another subnet, I can ping from the net to HP-UX (adding a static route) and I can ping from the HP-UX box to the net. (works fine)
But ...
I don't want to change any IP; in other words, I want HP-UX to stay in the same net as the rest of the boxes and users (like now). And it doesn't work.
Is it possible?
What's wrong?
Thanks
02-08-2002 01:35 PM
Solution
Hello Rafael,
As far as I understand, you have an HP-UX box on the same subnet as user machines, and you just want to secure the HP-UX against the rest of the subnet.
There are several ways to achieve this:
-> Using a Linux box with ipchains is a good solution, but it is better with masquerading. In 2 words, you have a separate private subnet for your HP-UX server, and the Linux translates IP addresses between that private network and the public one.
From my point of view, this is the most secure, because your ipchains rules would be as simple as:
* everything is forbidden, unless explicitly authorized
* from private to public on this type of packet or protocol or service authorize under these conditions...
In my opinion, using a Linux router with ipchains to route on the same subnet makes no sense, because below are better solutions if your HP-UX box is to be on the same subnet as the end users.
-> Using service-level protection. You can use /var/adm/inetd.sec, /etc/ftpusers, /etc/securetty, etc. to prevent unauthorized access to your HP-UX box on a service-by-service basis.
In my opinion, this is a good method, BUT you need to have exact knowledge of all TCP/IP services running on your server, and all of these must rely on a security mechanism (authentication, list of authorized/denied IP addresses...).
This may be a little difficult to implement if you have more than the standard services usually started by /etc/inetd.conf (ftp, telnet, http...).
-> Using IPFilter: starting from HP-UX 11.x, IPFilter aims to implement packet filtering on HP-UX, just as ipchains does on Linux.
I have not yet tried it, but I guess you can have rules that help you detect the service or connection port, and do selective allow or deny based on the IP address, etc.
To summarize: I would prefer, in the following order:
1. Ipchains with masquerading (separate private and public subnets)
2. IPFilter, if it gives the same functionality as ipchains, without the need for a second machine to do routing.
3. Service-by-service filtering, if you know exactly what runs on your machine.
Good luck.
Kodjo
Learn and explain...
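The default-deny masquerading layout Kodjo recommends, written out as an added example (not code from the thread, from HPE or from any ipchains documentation). Interface names, addresses and the single authorized inbound service (ssh on 22/tcp from the user LAN, which needs a static route to the private subnet through the firewall) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ipchains rules with masquerading
# for the layout Kodjo recommends. Every address and interface name is an assumption.
PUB_IF=eth0                 # interface toward the user LAN (public side)
PRIV_IF=eth1                # interface toward the hub with the HP-UX box
FW_PUB=10.0.0.254           # constructed public address of the Linux firewall
USER_NET=10.0.0.0/24        # constructed user LAN
PRIV_NET=192.168.10.0/24    # constructed private subnet behind the firewall
HPUX=192.168.10.2           # constructed HP-UX address on that subnet
DRY_RUN=${DRY_RUN:-0}       # DRY_RUN=1 prints each rule instead of loading it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    run ipchains -F
    # Everything is forbidden unless explicitly authorized, in all three chains.
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output DENY
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT
    # Anti-spoofing: the private subnet must never arrive on the public side; log it.
    run ipchains -A input -i "$PUB_IF" -s "$PRIV_NET" -l -j DENY
    # Private -> public: HP-UX may open connections out, masqueraded as FW_PUB.
    run ipchains -A input -i "$PRIV_IF" -s "$PRIV_NET" -j ACCEPT
    run ipchains -A forward -i "$PUB_IF" -s "$PRIV_NET" -j MASQ
    run ipchains -A output -i "$PUB_IF" -j ACCEPT
    # Replies to masqueraded TCP sessions return to FW_PUB without SYN (! -y); the
    # kernel de-masquerades them after the input chain and hands them to output.
    run ipchains -A input -i "$PUB_IF" -p tcp ! -y -d "$FW_PUB" -j ACCEPT
    # Public -> private: only one explicitly authorized service (assumed: ssh, 22/tcp)
    # from the user LAN, which needs a static route to PRIV_NET via FW_PUB.
    run ipchains -A input -i "$PUB_IF" -p tcp -s "$USER_NET" -d "$HPUX" 22 -j ACCEPT
    run ipchains -A forward -i "$PRIV_IF" -p tcp -s "$USER_NET" -d "$HPUX" 22 -j ACCEPT
    run ipchains -A forward -i "$PUB_IF" -p tcp ! -y -s "$HPUX" 22 -d "$USER_NET" -j ACCEPT
    run ipchains -A output -i "$PRIV_IF" -j ACCEPT
    # Log whatever falls through to the DENY policies so blocked attempts are visible.
    run ipchains -A input -l -j DENY
    run ipchains -A forward -l -j DENY
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# "show" prints the rule set for review; "apply" loads it (run as root on the firewall).
case "${1:-}" in
    show)  DRY_RUN=1; apply_rules ;;
    apply) apply_rules ;;
esac
```

Run `sh fw.sh show` first and check that every ACCEPT rule corresponds to a traffic flow you meant to authorize; anything not listed falls through to the logged DENY rules.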
02-10-2002 11:43 PM
Re: Planning linux ipchains
Thanks Kodjo.
Really, I think that a mixture of the 3 solutions is the best solution, but ...
IPFilter/9000 doesn't run when MC/Service Guard runs ... what a pity.
And changing the HP-UX boxes' IPs is too difficult ...
Best regards