Oliver Grube wrote:
Hello Marc,
PS: I do NOT need the machine being accessible by external machines over HTTP.

If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Sorry, I read too fast. I think Marc means that he *NEEDS* the HTTP server running for *INTERNAL* machines only, so stopping apache is not a solution. You can use a firewall, for example directly using ipchains, or (I didn't try this and I'm not sure whether it's feasible) wrap apache with the inetd daemon and edit /etc/hosts.allow and/or /etc/hosts.deny to tell your system the IP addresses that are allowed to access that service. I've written a tiny perl script that does, among other things, exactly this. It starts masquerading services and some firewalling rules; I've attached it to this message because it's very small, excuse me if I disturb anybody. It is normally called by the ip-up (start) and ip-down (stop) scripts from pppd. Have a good one.
Greetinx,
Oliver Grube
---------------------------------------------
--IT-Secure - Mit Sicherheit gute Lösungen.--
---------------------------------------------
Security Support * oliver.grube@it-secure.de
+49 2161 6897-180 * http://www.it-secure.de
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
--
Francisco M. Marzoa Alonso
Nuevo Mundo - Dpto. Informático
ICQ#: 62850923
Henri Dunant, 19 - 28036 Madrid
tfno: +34 91 343 18 40 ext. 207
España / Spain
fax: +34 91 350 28 45

#!/usr/bin/perl
# Author: Francisco M. Marzoa Alonso
# Last update: Mon Jan 17 17:49:04 CET 2000
#
# This script starts internet masquerading and firewalling services.
#
use strict;

sub showUsage {
    my $pName = $0;    # This should be changed by a true detection of the program invocation name
    print STDERR "This script starts/stops internet masquerading services.\n\n";
    print STDERR "Usage:\n";
    print STDERR "$pName start|stop|restart networkdevice localaddress\n\n";
}

sub startMasquerading {
    my $nDevice = shift @_;
    my $localIP = shift @_;    # DONE!: This should be changed in the future by a symbolic value which returns this host IP.

    system ("logger -t '/etc/ppp/inet.masq' 'Starting masquerading nd=$nDevice'");

    # Masquerading: deny forwarding by default, masquerade what leaves through $nDevice
    system ("/sbin/ipchains -P forward DENY");
    system ("/sbin/ipchains -A forward -i $nDevice -j MASQ");
    system ("echo 1 > /proc/sys/net/ipv4/ip_forward");

    # Block external connections to telnet (source not in the internal /24)
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/24 -d $localIP/32 telnet -p tcp -j DENY");
    # Block external connections to the web server
    # (note: 192.168.66.0/16 is the whole 192.168.0.0/16 block, not only the .66 subnet as above)
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 www -p tcp -j DENY");
    # Block external connections to sendmail
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 smtp -p tcp -j DENY");
    # Block external connections to lpd
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 printer -p tcp -j DENY");
    # Block external connections to the pop server
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 pop3 -p tcp -j DENY");
    # Block external connections to the fax server
    # system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 hylafax -p tcp -j DENY");
}

sub stopMasquerading {
    my $nDevice = shift @_;

    # Remove the blocking rules
    system ("/sbin/ipchains -F input");
    # Remove the masquerading
    system ("/sbin/ipchains -D forward -i $nDevice -j MASQ");
    system ("/sbin/ipchains -P forward ACCEPT");
}

my ($action, $networkDevice, $localAddress);
$action = $ARGV[0];
$networkDevice = $ARGV[1];
$localAddress = $ARGV[2];

system ("logger -t '/etc/ppp/inet.masq' 'a = $action, nd = $networkDevice , la = $localAddress'");

if ( (!$action) || (!$networkDevice) || (!$localAddress) ) {
    showUsage ();
} else {
    if ($action eq 'start') {
        startMasquerading ($networkDevice, $localAddress);
    } elsif ($action eq 'stop') {
        stopMasquerading ($networkDevice);
    } elsif ($action eq 'restart') {
        stopMasquerading ($networkDevice);
        # the local address must be passed here too, otherwise the input rules
        # are built with an empty destination
        startMasquerading ($networkDevice, $localAddress);
    } else {
        showUsage ();
    }
}
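The tcp-wrappers route Francisco was unsure about is feasible with Apache 1.3, which can be started from inetd (ServerType inetd in httpd.conf), after which tcpd consults /etc/hosts.allow and /etc/hosts.deny for every connection. The decision tcpd makes is small enough to model, and modelling it shows exactly which clients would reach httpd under a given pair of files. The following Python is an added example written for this page, not code from the thread or from tcp_wrappers itself; it implements the hosts_access decision order (first match in hosts.allow grants, then hosts.deny refuses, anything unmatched is allowed) over two constructed sample files. The daemon name "httpd", the 192.168.66.0/24 LAN and the client addresses are assumptions taken from the posted script; only the ALL, net/mask, trailing-dot and exact-address client patterns are handled, for IPv4 addresses.

```python
import re
import ipaddress

# Constructed sample access files (not from the thread), in the
# /etc/hosts.allow and /etc/hosts.deny format "daemon_list : client_list".
HOSTS_ALLOW = """\
# web and telnet reachable from the internal LAN only (assumed 192.168.66.0/24)
httpd : 192.168.66.0/255.255.255.0
in.telnetd : 192.168.66.
"""

HOSTS_DENY = """\
# everything not explicitly allowed above is refused
ALL : ALL
"""


def parse_access_file(text):
    """Parse a hosts.allow/hosts.deny body into (daemon_list, client_list) rules.

    List members are separated by blanks or commas; comments and blank lines are
    ignored.  Only the first two fields are used, so an optional shell_command
    field is tolerated but not executed; the EXCEPT operator is not supported.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: tcpd logs it and skips it
        split = lambda s: [t for t in re.split(r"[\s,]+", s) if t]
        rules.append((split(fields[0]), split(fields[1])))
    return rules


def daemon_matches(pattern, daemon):
    """Daemon patterns are either the wildcard ALL or the exact daemon name."""
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, client_ip):
    """Match one client pattern the way tcpd matches a numeric IPv4 address."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # net/mask form, e.g. 192.168.66.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        # leading-octets form, e.g. "192.168.66." matches 192.168.66.*
        return client_ip.startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's decision order: hosts.allow grants on first match, then hosts.deny
    refuses on first match, and a client matching neither file is allowed."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_access_file(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_access_file(deny_text)):
        return False
    return True


if __name__ == "__main__":
    # Constructed client addresses: one internal, one external, one from a
    # neighbouring 192.168.67.0/24 network that the /16 rules in the script would let through.
    for daemon in ("httpd", "in.telnetd", "sshd"):
        for client in ("192.168.66.10", "192.168.67.1", "10.1.2.3"):
            verdict = "allow" if access_allowed(daemon, client) else "deny"
            print(f"{daemon:<12} from {client:<15} -> {verdict}")
```

The wrapper only protects services that are started through inetd and tcpd; a standalone httpd never passes through hosts_access, and a per-connection fork of Apache from inetd is slow, which is why the ipchains rule in the script above is the more general answer. The ordering matters as well: with ALL : ALL in hosts.deny, leaving a daemon out of hosts.allow closes it completely, while an empty hosts.deny leaves every unmatched client allowed.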