925-456-1020 info@acornnmr.com

Isolating a LAN or NMR Spectrometer from the Internet

To create a LAN which has access to the internet but which restricts the internet's access to the LAN, we use a PC with two network cards (NICs) running Red Hat Linux 7.2.

A valid internet IP address is configured for eth0 and an IP address reserved for local LANs is configured for eth1 (such as 10.0.0.1/255.255.255.0).

We then run the script (/etc/iptables.nat with chmod 700) shown below to restrict the internet's access to the Linux system and to the isolated LAN behind the Linux gateway PC.

You can comment out all the services you don't need on this Linux box to tighten security. If you don't need a service, comment it out.

I also run TCP wrappers, but in theory they are not required. The files for TCP wrappers are /etc/hosts.allow and /etc/hosts.deny and are the standard files, with the services we want allowed listed in /etc/hosts.allow and all services denied in /etc/hosts.deny.

The second NIC (eth1) should be connected to a hub. Other computers can then be configured to use IP addresses 10.0.0.x/255.255.255.0 where x is between 2 and 254. These PCs should use a gateway IP of 10.0.0.1.

When so configured, systems running Windows, Macintosh, Linux and other Unixes have good access to the local LAN and the internet, but the internet has highly restricted access to the local LAN. Note that one line of /etc/iptables.nat gives all machines on the local LAN INPUT access to the gateway Linux PC even when a service is commented out; once a service's line is uncommented, the internet also has access to that service.

Once the script is installed and working, it can be made permanent across reboots with the following command, issued as root:

/sbin/iptables-save > /etc/sysconfig/iptables

The /sbin/modprobe lines are necessary to allow active and passive FTP connections through the NAT (Network Address Translation). Without them, Windows PCs behind the gateway Linux box cannot FTP to all systems on the internet.

After setting up the system, the log files

/var/log/messages
/var/log/secure

should be monitored daily for intrusion attempts. Monitoring these logs allows problem areas to be corrected promptly. Monitoring the logs can also be farmed out to anyone on the internet who is allowed access from the internet to the gateway Linux PC.
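As an added example (not part of the original note), the shell script below does the daily log check just described. The LOG rules at the end of the firewall script tag every dropped packet with an "IPTABLES <proto>-IN: " prefix, and the kernel writes those lines to /var/log/messages; the script tallies them by source address, protocol and destination port, and prints ready-made "Badguys list" DROP lines for any source above a hit threshold. The log lines are constructed for the example (documentation-range addresses); on a real gateway point LOG at /var/log/messages.

```shell
#!/bin/sh
# Daily summary of the gateway's iptables LOG lines (added example).
# Constructed sample log standing in for /var/log/messages.
LOG=${TMPDIR:-/tmp}/iptables-sample.log
cat > "$LOG" <<'EOF'
Jan 22 02:11:09 gateway kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 02:11:12 gateway kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9002 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 02:12:00 gateway sshd[1234]: Accepted password for nmruser from 10.0.0.5 port 51000 ssh2
Jan 22 02:14:37 gateway kernel: IPTABLES UDP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=3 PROTO=UDP SPT=1058 DPT=1434 LEN=384
Jan 22 02:15:02 gateway kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 02:16:41 gateway kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9003 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 22 02:20:15 gateway kernel: IPTABLES ICMP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=112 ID=4 PROTO=ICMP TYPE=13 CODE=0
EOF

# Print "hits source proto dport" for inbound LOG lines, most frequent first
# (dport is "-" for protocols without ports, e.g. ICMP). Outbound "-OUT:"
# lines and non-iptables messages are ignored.
top_blocked() {
    grep 'IPTABLES .*-IN: ' "$1" |
    awk '{
        src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print src, proto, dpt
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# Number of distinct external addresses that were logged.
blocked_sources() {
    top_blocked "$1" | awk '{ print $2 }' | sort -u | awk 'END { print NR }'
}

# Emit a Badguys-list DROP line for every source with at least $2 hits in
# total. The lines are printed, not applied: review them, then paste the ones
# you want into the Badguys section of the firewall script.
blocklist_rules() {
    top_blocked "$1" | awk -v threshold="$2" '
        { hits[$2] += $1 }
        END {
            for (s in hits)
                if (hits[s] >= threshold)
                    print "/sbin/iptables -A INPUT -s " s " -j DROP"
        }' | sort
}

echo "== inbound hits by source/proto/port =="
top_blocked "$LOG"
echo "== suggested Badguys lines (3 or more hits) =="
blocklist_rules "$LOG" 3
```

Because the LOG rules are rate-limited (6 per hour, burst 5), the counts understate a sustained scan; treat them as an indicator of which addresses to look at, not as a full packet count.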


/etc/iptables.nat (chmod 700)

#!/bin/bash
# iptables rules for the gateway PC
# (eth0 faces the internet, eth1 faces the isolated LAN)

# load modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
# Enable active and passive ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# Enable ftp through NAT
/sbin/modprobe ip_nat_ftp
# Enable IRC (DCC) tracking and NAT
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
echo "Modules loaded"

# Definitions (replace x.x.x.x and y.y.y.y with your own addresses)
EXT_NIC="eth0"
INT_NIC="eth1"
EXT_IP="x.x.x.x"          # the gateway's internet address on eth0
INT_IP="10.0.0.1"         # the gateway's address on the isolated LAN
LAN0="x.x.x.x/24"         # the trusted network eth0 is connected to
LAN1="10.0.0.0/24"        # the isolated LAN behind eth1
DNS1="y.y.y.y"            # the DNS servers you use
DNS2="y.y.y.y"
DNS3="y.y.y.y"
echo "Definitions have been initialized."

# Clear out any existing firewall rules,
# and any chains that might have been created
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X

# Default POLICIES
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
echo "Default policies have been set."

# Badguys list
# After seeing an IP address appearing in the logs
# repeatedly trying to access the Linux box, its connections
# can be dropped by uncommenting a line like the one below with
# x.x.x.x being replaced by the offending IP address.
# Add as many such lines as necessary.
#/sbin/iptables -A INPUT -s x.x.x.x -j DROP


## LOOPBACK
# Allow unlimited traffic on the loopback interface.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# SPOOFING
# Do not allow anything in to this computer
# which says it is coming from this computer.
/sbin/iptables -A INPUT -i $EXT_NIC -s $EXT_IP -j DROP
/sbin/iptables -A INPUT -i $INT_NIC -s $INT_IP -j DROP

# INPUT rules
# allow anything from local LANs
# (these two lines give every machine on the local LANs access to the
# gateway even when a service below is commented out)
/sbin/iptables -A INPUT -s $LAN0 -j ACCEPT
/sbin/iptables -A INPUT -s $LAN1 -j ACCEPT

# Enables ip forwarding, and by extension, NAT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "ip_forward set to 1"

# NAT rules
# Source NAT everything heading out the external interface
# to be EXT_IP
/sbin/iptables -t nat -A POSTROUTING -s $LAN1 -o $EXT_NIC \
    -j SNAT --to $EXT_IP
echo "NAT established"

# Every uncommented rule in the block below opens that service to the
# whole internet, not only to the LAN. Leave commented out anything
# you do not need.

# uncomment the next two lines to allow ftp from internet
#/sbin/iptables -A INPUT -p tcp --syn --dport 20 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn --dport 21 -j ACCEPT

# comment out the next line if ssh from the internet is not wanted
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT

# uncomment the next line to allow smtp from internet (smtp is TCP only)
#/sbin/iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT

## comment out the next 6 lines if DNS access from the internet
## (from your DNS servers only) is not wanted
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -s $DNS1 --dport 53 \
    -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -s $DNS2 --dport 53 \
    -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -s $DNS3 --dport 53 \
    -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p tcp -s $DNS1 --dport 53 \
    -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p tcp -s $DNS2 --dport 53 \
    -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p tcp -s $DNS3 --dport 53 \
    -j ACCEPT

# uncomment the next line to allow http from internet
#/sbin/iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT

# comment out the next line if pop3 from the internet is not wanted
# (pop3 is TCP only)
/sbin/iptables -A INPUT -p tcp --syn --dport 110 -j ACCEPT

# uncomment the next line to allow auth (authentication tap ident)
# from internet
#/sbin/iptables -A INPUT -p tcp --syn --dport 113 -j ACCEPT

# This is NETBIOS Name Service (UDP).
# uncomment the next line to allow netbios-ns from the internet.
#/sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT

# This is NETBIOS Datagram Service (UDP).
# uncomment the next line to allow netbios-dgm from the internet.
#/sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT

# This is the NETBIOS session service (Windows file sharing).
# As written this is open to the whole internet, not only the LAN;
# comment out the next line unless that is really what you want.
/sbin/iptables -A INPUT -p tcp --syn --dport 139 -j ACCEPT

# comment out the next line if imap access from the internet is not
# wanted (imap is TCP only)
/sbin/iptables -A INPUT -p tcp --syn --dport 143 -j ACCEPT

# Allow any already established or related connection
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#=============================================================
# comment out the next line if the gateway should not answer pings
# from the internet.
/sbin/iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request \
    -j ACCEPT

# specific defense rules eg DoS attacks
# NOTE: the FORWARD policy is ACCEPT, so each limit rule below only
# takes effect if a matching DROP rule follows it; uncomment the DROP
# lines to enforce the limits (this also limits the LAN's own
# connection rate to 1 per second).

# syn-flood protection
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s \
    -j ACCEPT
#/sbin/iptables -A FORWARD -p tcp --syn -j DROP

# furtive port scanner
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

# ping of death
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
echo "DoS defenses set up."

# Drop all other TCP open requests
# This should prevent any TCP input to any port
# not allowed by a rule above.
/sbin/iptables -A INPUT -p tcp --syn -j DROP

# Let the gateway's own replies (to the ssh/pop3/imap sessions accepted
# above) and its DNS lookups leave on the external interface. Without
# these, the OUTPUT DROP rules in the logging section below would also
# drop the replies. Add further OUTPUT ACCEPT lines here for any other
# connection the gateway itself must open.
/sbin/iptables -A OUTPUT -o $EXT_NIC -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXT_NIC -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -o $EXT_NIC -p tcp --dport 53 -j ACCEPT

#=============================================================
## LOGGING
# Not much should get here.
# This can be commented out after things are working, but the logging
# can be very useful during setup and while looking for problems.
#
# Any udp not already allowed is logged and then dropped.
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES UDP-IN: "
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -j DROP
/sbin/iptables -A OUTPUT -o $EXT_NIC -p udp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES UDP-OUT: "
/sbin/iptables -A OUTPUT -o $EXT_NIC -p udp -j DROP
echo "UDP logged"

# Any icmp not already allowed is logged and then dropped.
/sbin/iptables -A INPUT -i $EXT_NIC -p icmp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES ICMP-IN: "
/sbin/iptables -A INPUT -i $EXT_NIC -p icmp -j DROP
/sbin/iptables -A OUTPUT -o $EXT_NIC -p icmp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES ICMP-OUT: "
/sbin/iptables -A OUTPUT -o $EXT_NIC -p icmp -j DROP
echo "ICMP logged"

# Any tcp not already allowed is logged and then dropped.
/sbin/iptables -A INPUT -i $EXT_NIC -p tcp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES TCP-IN: "
/sbin/iptables -A INPUT -i $EXT_NIC -p tcp -j DROP
/sbin/iptables -A OUTPUT -o $EXT_NIC -p tcp -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES TCP-OUT: "
/sbin/iptables -A OUTPUT -o $EXT_NIC -p tcp -j DROP
echo "TCP logged"

# Anything else not already allowed is logged and then dropped.
/sbin/iptables -A INPUT -i $EXT_NIC -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
/sbin/iptables -A INPUT -i $EXT_NIC -j DROP
/sbin/iptables -A OUTPUT -o $EXT_NIC -m limit --limit 6/h \
    --limit-burst 5 -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
/sbin/iptables -A OUTPUT -o $EXT_NIC -j DROP
echo "Logging rules set up."

exit 0
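The note's advice is to comment out every service you do not need, because each uncommented service line is open to the whole internet. As an added example (not part of the original note), the shell script below reads a firewall script written in the style above and lists the ports it leaves open to any internet address: an active "-A INPUT ... --dport N -j ACCEPT" rule that carries no source restriction (-s). The excerpt it checks is constructed for the example; run exposed_ports on /etc/iptables.nat to check the real script.

```shell
#!/bin/sh
# Static check of a gateway script in the style of /etc/iptables.nat:
# which ports are open to any internet address? (added example)
# Constructed excerpt standing in for the real script.
SCRIPT=${TMPDIR:-/tmp}/iptables-excerpt.sh
cat > "$SCRIPT" <<'EOF'
#!/bin/bash
/sbin/iptables -A INPUT -s $LAN1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $EXT_NIC -p udp -s $DNS1 --dport 53 \
    -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --syn -j DROP
EOF

# Join backslash-continued lines so a rule split over two lines is
# examined as one.
join_continuations() {
    awk '/\\$/ { sub(/\\$/, ""); pending = pending $0; next }
         { print pending $0; pending = "" }' "$1"
}

# Print "proto port" for every active INPUT ACCEPT rule that names a
# destination port but no source address (-s): those are reachable from
# anywhere on the internet. Rules restricted to a source (like the DNS
# lines) and commented-out rules are not listed.
exposed_ports() {
    join_continuations "$1" |
    grep -v '^[[:space:]]*#' |
    grep -- '-A INPUT ' | grep -- '--dport ' | grep -- '-j ACCEPT' |
    grep -v -- ' -s ' |
    awk '{
        proto = "?"; port = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        print proto, port
    }'
}

# Number of such rules.
exposed_count() {
    exposed_ports "$1" | awk 'END { print NR }'
}

echo "Ports open to any internet address in $SCRIPT:"
exposed_ports "$SCRIPT"
```

Compare the list against what the gateway actually has to serve to the internet; anything that is only used from the LAN is already covered by the "allow anything from local LANs" lines and can be commented out.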



Last updated: 01/22/03