Restricting services to a single network interface

Q I have a system that is going to be sitting on my internet connection and file sharing on my local LAN. It has two Ethernet cards for this purpose. I am going to configure Iptables, but also wondered if there were a way of restricting services (Samba, NFS etc) to only a single interface - in my case, the internal LAN connection. Is this done in each service or can it be set on a global scale? I shall be using either Fedora or SUSE.

A There are three ways to handle this. The first is to set up each service to only listen on the LAN interface. If you only run a small number of services, this may be easiest solution and certainly offers the most control. Check the man pages for each service and add the appropriate lines to the configuration files. Assuming your LAN interface has an IP address of 192.168.0.1, and your other interface has an address on a different subnet, usually supplied by the ISP, you could do the following:

Add 'Listen 192.168.0.1:631' to /etc/cups/cupsd.conf.
Add 'socket address = 192.168.0.1' to /etc/samba/smb.conf.
Add 'Listen 192.168.0.1:80' to /etc/apache2/httpd.conf (the location of this file may vary).

NFS is slightly different in that you specify the client addresses allowed to connect, so for each export you would have a line in /etc/exports like

/path/to/export  192.168.0.0/24(rw,sync)

The second method is to use Iptables to block all access from the internet to the ports of the various services on the WAN interface. You can do this on a per-port basis, but if you are doing that you may as well configure the individual services as above. Alternatively, you could block all incoming access, which is the default setting for most Linux firewalls. If you take this route, you can then open up specific ports for any services you may wish to let through, such as SSH. While configuring Iptables by hand is possible, it is also possible to inadvertently leave a security hole if you are not totally familiar with it.

The safest approach for anyone but Iptables experts is generally to use one of the GUI or script-based configuration tools, such as Guarddog or Shorewall. Fedora and SUSE both have tools for easily setting up Iptables to do this. The third option is to block access at your modem or router. This is in some ways the safest method, because you are stopping the traffic before it even reaches the computer, but it not always as configurable, depending on your modem or router. These three methods are not mutually exclusive - you could implement two, or even all, of them, to provide belt-and-braces security.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar