Re: restrict implicit binding to addresses
- From: David Schwartz <davids@xxxxxxxxxxxxx>
- Date: Wed, 29 Oct 2008 19:27:48 -0700 (PDT)
On Oct 29, 4:55 pm, Wolfgang Draxinger <wdraxin...@xxxxxxxxxxxxxxxx>
wrote:
>> Programs don't bind to interfaces. Your question doesn't make
>> any sense.

> s/interface/address/ then. Well in my case that's equivalent
> (for IPv4), as two of the networks (read, logical networks,
> address/netmask level) use private IP address ranges, thus
> my wrong naming. I'm thinking mostly in secure and insecure
> interfaces right now.

Then the solution is to use the machine's firewalling capability to
block connections to restricted ports from untrusted source addresses.

> (Anyway, some programs _do_ bind to interfaces, think about
> dhcpd; alas, that's on the raw level).

Right, and that's not what you're talking about.

> In the particular case it's a proxy server (the daemon is not
> buggy, so explicit binding works, but I'd like to have some
> fallback). Squid shall listen only to the internal network, so
> it can't be abused from outside.

>> Programs don't listen to networks. Again, your question doesn't
>> make any sense.

> With network I didn't mean physical network, but logical
> network like in IP subnet.

You need a firewall. The best solution is to block all incoming
traffic from untrusted sources to undesired ports.

Can you state precisely what it is you are trying to do? What
is the rule for whether a connection should or should not be
allowed to the proxy?

> If a socket is bound to a port only, it will listen to connection
> attempts on all addresses of the machine. One can of course bind
> to certain addresses explicitly.

That doesn't provide any level of security. It simply provides service
differentiation. It is a mistake to rely on this for security.

> You can see that there's a program dnscache, listening on .1.2:53
> Using an interface-based iptables rule it's easy to block all
> incoming connection requests from (sub)nets not designated to
> that interface. No problems there. In this case dnscache is
> bound to a specific address explicitly, because it must be.
> The same goes for tinydns, which is in turn cached by dnscache.

> Now there's also a Samba and an NTP running on the system. And
> those are not bound explicitly to a certain address. What I'd
> like to have, independent of ports on which a socket listens,
> is that all sockets which are not bound to an address explicitly
> behave as if they had been bound to a preselected set of addresses,
> and those addresses only, so that programs that can't be configured
> to listen on specific addresses, or buggy ones, won't attach to those.
> An iptables rule then makes it easy to block all traffic from a certain
> interface designated to that set of addresses.

Right, that's what you want. You need a set of allow rules to allow
inbound connections to be established from untrusted addresses to
those services you want to allow, and to refuse them on those you
don't want to allow.

You need to configure allowed and un-allowed services, obviously, so
why not do it in the iptables? You can do it by user, by port, or by
any other method iptables allows.

> The machine will be something like a major data storage and exchange
> hub, providing services for private internal and public external
> users, but only certain services/programs shall be made public.
> Normally one would do that using separate machines or
> paravirtualization. In that case it was ruled out for performance
> reasons: huge DB, full access to the RDBS from two internal
> (sub)networks (physical and logical), access from the external network
> only through special proxy daemons.

Normally this would be done by a firewall. Why is iptables not the
answer?
DS
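The rule set David describes, as an added example that is not code from either poster: a default-deny chain for everything arriving on the untrusted interface, with explicit allows only for the services meant to be public. Interface names, the internal subnet and the public service list are assumed placeholders; the script prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: filter by ingress interface, not by which address a
# daemon happened to bind to. Squid, Samba and NTP may still listen on
# 0.0.0.0; connections reaching them via EXT_IF are dropped regardless.
EXT_IF="${EXT_IF:-eth0}"                 # assumed: untrusted (external) interface
INT_NET="${INT_NET:-192.168.1.0/24}"     # assumed: trusted internal subnet
# Services that are allowed to be reached from outside, as proto:port pairs
# (assumed list; everything not listed here is refused on EXT_IF).
PUBLIC_SERVICES="${PUBLIC_SERVICES:-tcp:22 tcp:443}"

# Print the rules instead of executing them; apply with:  sh rules.sh | sh
gen_rules() {
    # Dedicated chain for inbound traffic on the external interface
    echo "iptables -N ext-in 2>/dev/null || iptables -F ext-in"
    echo "iptables -A INPUT -i $EXT_IF -j ext-in"
    # Replies to connections the host itself opened are always fine
    echo "iptables -A ext-in -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: internal source addresses must never arrive externally
    echo "iptables -A ext-in -s $INT_NET -j DROP"
    # One allow rule per public service, new connections only
    for svc in $PUBLIC_SERVICES; do
        proto=${svc%%:*}
        port=${svc##*:}
        echo "iptables -A ext-in -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Default deny for everything else that entered through EXT_IF
    echo "iptables -A ext-in -j DROP"
}

gen_rules
```

Traffic on the internal interfaces is not touched by this chain, so the implicitly bound daemons remain reachable from inside while the external side only exposes the listed ports.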