Blocking access to an intranet from anyone outside my LAN


15 replies to this topic

#1 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 16 September 2014 - 05:50 AM

Hi,

 

I have an intranet set up as a virtual host on my web server. I need to block access to it from anyone outside my LAN. Do I use a firewall to do this, and if so, can it run on Debian?

 

Thanks





#2 Kilroy

Kilroy

  • BC Advisor
  • 3,461 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 16 September 2014 - 02:36 PM

Does the web server also serve a public web site?

 

Is the web server behind a router?


Edited by Kilroy, 16 September 2014 - 02:37 PM.


#3 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts

Posted 16 September 2014 - 06:31 PM

Normally your web server would be in the DMZ [internet facing] and your intranet would be behind a firewall.  So it would be internet<>web server<>firewall<>intranet

 

You can't do that with a VM on the web server



#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,255 posts
  • Gender:Male

Posted 16 September 2014 - 09:37 PM

Are you running Apache? You can edit the /etc/httpd/conf/httpd.conf file's directory section(s) to allow only connections from your intranet and deny all other connections. Or, if you have iptables installed, you can configure it on the web server to reject all external incoming HTTP and HTTPS requests.



#5 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 17 September 2014 - 01:49 AM

> Does the web server also serve a public web site?
>
> Is the web server behind a router?

Thanks for your reply

 

Yes, the server does serve public websites.

 

And yes, the web server is behind the router.



#6 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 17 September 2014 - 01:52 AM

> Are you running Apache? You can edit the /etc/httpd/conf/httpd.conf file's directory section(s) to allow only connections from your intranet and deny all other connections. Or, if you have iptables installed, you can configure it on the web server to reject all external incoming HTTP and HTTPS requests.

Thanks for your reply.

 

I do have iptables set up but I am completely new to it.

Can you give me an example iptables entry to block any HTTP/HTTPS requests?

Thanks



#7 sflatechguy

sflatechguy

  • BC Advisor
  • 2,255 posts
  • Gender:Male

Posted 17 September 2014 - 03:09 AM

I know what you mean -- it's effective, but I grapple with the syntax quite a bit. If you want to block all http/https requests, you could enter

-A INPUT -j REJECT

-A FORWARD -j REJECT

This creates a default deny policy. You would then create exceptions for the traffic you want to allow in. For example, something like this:

 

-A INPUT -p TCP --dport 80 -m iprange --src-range 192.168.1.1-192.168.1.100 -j ACCEPT

 

This states all TCP traffic from the IP address range 192.168.1.1 to 192.168.1.100 that is arriving at port 80 will be allowed through.

 

Here are a few good places to start in terms of configuring iptables.

https://wiki.debian.org/iptables

https://wiki.debian.org/DebianFirewall

http://ipset.netfilter.org/iptables.man.html


Edited by sflatechguy, 17 September 2014 - 03:11 AM.


#8 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts

Posted 17 September 2014 - 01:40 PM

I think we are missing the point that this is one physical server. A hacker just has to compromise your web server to then access your intranet. iptables is not going to make a difference to that fact. A bad design is a bad design and there is no getting around that. If you are serious about securing your intranet you need to have it on a different physical server with a firewall between it and the web server.



#9 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 17 September 2014 - 09:21 PM

> I think we are missing the point that this is one physical server. A hacker just has to compromise your web server to then access your intranet. iptables is not going to make a difference to that fact. A bad design is a bad design and there is no getting around that. If you are serious about securing your intranet you need to have it on a different physical server with a firewall between it and the web server.


I understand what you are saying, but I am running this web server on a Raspberry Pi. The intranet doesn't have any personal information or anything I really need to hide. I would just prefer to keep random eyes from stumbling across it.

Thanks

Edited by slehmann36, 17 September 2014 - 09:25 PM.


#10 sflatechguy

sflatechguy

  • BC Advisor
  • 2,255 posts
  • Gender:Male

Posted 17 September 2014 - 09:32 PM

Very cool, and a very nice proof of concept for the Pi. I've been meaning to get one and install something like CentOS on it; I've been busy with other things and don't want it to just sit around and gather dust.

 

I take it you are running a basic Debian install, no desktop or GUI, just the OS and the Web server and running everything from the terminal shell? Then just configure iptables and you should be good.



#11 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 19 September 2014 - 11:45 PM

Is it possible to target a particular virtual host name with an iptables rule?

#12 sflatechguy

sflatechguy

  • BC Advisor
  • 2,255 posts
  • Gender:Male

Posted 20 September 2014 - 12:09 AM

You should be able to. For example, instead of src 192.168.1.1 (as an example of the computer's IP address), you can use src computer1.mydomain.com, or whatever the computer name is.

#13 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 20 September 2014 - 07:00 AM

So I have the standard (allowing connections to all the Apache virtual hosts via ports 22, 80 and 443):
 
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
 
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
 
# Allows SSH connections
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
 
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
 

But how exactly do I make the exception (to block all connections to the "intranet" virtual host except clients on the local network)?

 

-A INPUT [what goes here to say that all incoming connections to the "intranet" virtual host are to be rejected???]  -j REJECT

-A INPUT -p TCP --dport 80 -m iprange --src-range 10.0.0.2-10.0.0.254 -j ACCEPT [is that the best way to allow all connections to the "intranet" virtual host as long as the request originates from a local IP address???]
 
Any help is much appreciated.

Thanks


#14 sflatechguy

sflatechguy

  • BC Advisor
  • 2,255 posts
  • Gender:Male

Posted 20 September 2014 - 10:57 AM

There are a number of ways you can configure this setup. If you are using an internal DNS server, you can enter DNS zone records to redirect those browser queries to the virtual host. If you aren't using DNS, you can configure the hosts file on each computer to do the same thing.

 

As for iptables, you would configure it to block all incoming traffic except for traffic coming in locally on the ports you want to use. iptables -A INPUT -p tcp -m multiport --dports 80,443 -m iprange ! --src-range 10.0.0.2-10.0.0.254 -j REJECT will reject all incoming connections on the intranet except for traffic coming in on ports 80 and 443.

 

You could also use the .htaccess file or the virtualhost configuration file on the Apache server to allow only internal traffic and deny the rest.

 

I don't know the full extent of your LAN configuration, but these links might be helpful:

http://unix.stackexchange.com/questions/51880/how-to-host-an-intranet-website-inaccessible-outside-the-lan

http://unix.stackexchange.com/questions/19791/set-some-firewall-ports-to-only-accept-local-network-connections

http://gerbenkleijn.com/?p=289
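Pulling together the default-deny rules in #7, the question in #11 and #13 about aiming a rule at one virtual host, and the Apache alternative mentioned in #4 and #14: the following is an added example written for this thread, not code posted by anyone in it. It assumes a LAN of 10.0.0.0/24, an intranet ServerName of intranet.lan served from /var/www/intranet, and, for the iptables variant, that the intranet vhost has been given a listener of its own on port 8080; all three values are assumptions. The point it makes is that iptables matches on addresses and ports and never sees the HTTP Host header, so as long as the public sites and the intranet share port 80 the restriction has to live in the Apache vhost; iptables can only separate the intranet from the public sites once the intranet answers on a port of its own. It goes a little beyond the thread by also including a small CIDR check, which is the same test Require ip and -s perform, so you can see which addresses a prefix covers before committing it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: LAN 10.0.0.0/24,
# intranet vhost "intranet.lan" served from /var/www/intranet, and for the
# iptables variant an intranet-only listener on port 8080.
set -u

LAN_CIDR="10.0.0.0/24"      # assumed LAN prefix

# Apache 2.4 vhost: access control by client IP, applied to this vhost only.
# This is the layer that can tell the intranet apart from the public sites,
# because Apache sees the Host header and iptables does not.
apache_vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName intranet.lan
    DocumentRoot /var/www/intranet
    <Directory /var/www/intranet>
        # loopback and the LAN get in, everyone else gets a 403
        Require ip 127.0.0.1 ${LAN_CIDR}
        # Apache 2.2 (mod_access) equivalent of the line above:
        #   Order deny,allow
        #   Deny from all
        #   Allow from 127.0.0.1 ${LAN_CIDR}
    </Directory>
</VirtualHost>
EOF
}

# iptables variant, usable only when the intranet vhost listens on a port of
# its own (here 8080): accept loopback and LAN sources, reject the rest on that
# port. The public sites on 80/443 are untouched by these three rules.
# Syntax notes versus the command in the thread: -s takes a CIDR, not a range;
# an address range needs -m iprange, and several ports need -m multiport --dports.
iptables_lan_only_rules() {
    port="$1"
    printf '%s\n' \
        "-A INPUT -p tcp --dport ${port} -s 127.0.0.0/8 -j ACCEPT" \
        "-A INPUT -p tcp --dport ${port} -s ${LAN_CIDR} -j ACCEPT" \
        "-A INPUT -p tcp --dport ${port} -j REJECT --reject-with tcp-reset"
}

# Dotted quad to a 32-bit integer, shell arithmetic only.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Exit 0 when address $1 lies inside CIDR $2. This is the test Require ip and
# -s perform; note that a /24 covers .1 and .255 as well, which the
# 10.0.0.2-10.0.0.254 range used in the thread did not.
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Stand-alone run: print both configs, then check a few constructed client
# addresses against the assumed LAN prefix.
apache_vhost_conf
echo
iptables_lan_only_rules 8080
echo
for client in 10.0.0.7 10.0.0.255 203.0.113.5; do   # constructed sample clients
    if ip_in_cidr "$client" "$LAN_CIDR"; then
        echo "$client: allowed by Require ip ${LAN_CIDR}"
    else
        echo "$client: 403 from Apache"
    fi
done
```

The Apache block is the one to use for the setup in this thread, since the intranet shares port 80 with the public sites; with Require ip the public vhosts keep working and a client outside the prefix gets a 403 from the intranet vhost only. The iptables rules are the corrected form of the port-based approach and make sense only once the intranet vhost has its own Listen port, otherwise they would cut off the public sites as well.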



#15 Guest_slehmann36_*

Guest_slehmann36_*

  • Guests

Posted 20 September 2014 - 11:39 AM

Great, thanks everyone for your input.

That should give me something to work on.

 

Case Closed!





