[Cialug] Firewall/Virtual Interfaces (multiple ips)
Matt Stanton
inflatablesoulmate at brothersofchaos.com
Fri Jan 1 20:27:43 CST 2010
So, I'm excited about getting my server hosted finally. I have a list
of IPs to configure my server to use, and have come up with a 'network
plan' for what each IP will be used for, and what ports/services each IP
will be responsible for. Obviously, I am not going to be able to test
whether my setup actually works until I can stick it on the network that
those IPs can be used on.
The server will be running Ubuntu Server 8.04 LTS (newest Ubuntu that
Zimbra is supported on... the last meeting convinced me that I should
play with Zimbra a bit). I will have two of the IPs set aside for
Apache/Zimbra/MySQL, but one of the IPs is just going to sit dormant
until I have a real need to have multiple IPs for web/email. Two of the
IPs are going to be set aside for a couple of game servers (it helps to
have one IP per game server, even though you can just specify a
different range of ports for each server). The last IP will be set aside
for administrative tasks such as SSH/FreeNX.
So, if someone doesn't mind looking over this /etc/network/interfaces
file for me and letting me know if it looks like it should work, that
would be awesome. I will have a /29 subnet at my disposal, and I am
going to replace the IP addresses from this file with <ip.0> through
<ip.7>. Obviously, <ip.0> would be the network IP, <ip.1> is the
gateway address, and I'm assuming that <ip.7> would be the broadcast
address.
auto lo
iface lo inet loopback

# Primary address on the physical interface; the default route belongs
# here and only here.
auto eth0
iface eth0 inet static
address <ip.2>
netmask 255.255.255.248
gateway <ip.1>

# Each alias needs its own 'auto' line, otherwise ifup never brings it up
# at boot. The aliases must not repeat 'gateway': a second "route add
# default" fails with "SIOCADDRT: File exists" and that alias is left
# unconfigured.
auto eth0:0
iface eth0:0 inet static
address <ip.3>
netmask 255.255.255.248

auto eth0:1
iface eth0:1 inet static
address <ip.4>
netmask 255.255.255.248

auto eth0:2
iface eth0:2 inet static
address <ip.5>
netmask 255.255.255.248

auto eth0:3
iface eth0:3 inet static
address <ip.6>
netmask 255.255.255.248
Currently, eth1 is connected to my LAN with the static IP 192.168.1.42.
When I type ifconfig on the server, eth0 does not show any of the
virtual interfaces, and the listing for eth0 has no address (only
hardware information). I am just hoping that the reason behind this is
that I don't have a cable plugged into the port that corresponds to
eth0, and that they will just magically show up when it's connected to
the proper network. Also, I didn't bother using the 'network' or
'broadcast' lines... Do I need them, or should it figure them out on its
own?
Next, I need to set up a firewall. I know what ports I want to be
accessible for each virtual interface, but I have pretty much no
experience whatsoever with iptables/ipchains/etc. I tried to play with
fwbuilder thinking that a GUI would make things easier, but no such
luck. Most tutorials online deal with masquerading or settings for
people whose computer is behind NAT... I guess if you've got a server
that is facing the internet, you should already know all this stuff.
So, here is what I want the firewall to do:
Incoming traffic:
eth0 allow SSH, allow me to use ftp to download stuff to the server
(passive mode opens a listen port for the ftp server to send stuff on,
right?)
eth0:0 allow HTTP, HTTPS, SMTP, SMTP/TLS, POP3, POP3/TLS, IMAP,
IMAP/TLS, DNS
eth0:1 allow HTTP, HTTPS, SMTP, SMTP/TLS, POP3, POP3/TLS, IMAP,
IMAP/TLS, DNS
eth0:2 allow 27000-27030 UDP/TCP, 7700-7730 UDP, 8075 TCP, 20560 UDP,
28852 UDP/TCP
eth0:3 allow 27000-27030 UDP/TCP, 7700-7730 UDP, 8075 TCP, 20560 UDP,
28852 UDP/TCP
Outgoing traffic:
?? Is there reason to block outgoing traffic?
Other than the services/ports listed there, I think everything else
could be blocked. Are there any services/ports that need to be open
that I'm not thinking of? I suppose everything going over loopback
should be open?
I'm not really asking for a spoon-feeding of exactly what commands to
use, but an example of a few lines would give me enough to figure things
out on my own, and any suggestions that you'd make for changing the way
this is planned would be helpful, because I really don't have a clue
what I'm doing when it comes to security.
Thanks,
Matt
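An added example, not from the original post, of a firewall matching the plan above: a POSIX shell function that emits a complete ruleset in iptables-restore(8) format. It assumes placeholder addresses from the 192.0.2.0/24 documentation range in place of <ip.2> through <ip.6>, and matches on the destination address (-d) because iptables only sees the physical eth0, never the eth0:N alias names.

```shell
#!/bin/sh
# Constructed placeholders (192.0.2.0/24 is reserved for documentation);
# substitute the real /29 addresses before loading the rules.
ADMIN_IP="${ADMIN_IP:-192.0.2.2}"              # eth0   : SSH, FTP downloads
WEB_IPS="${WEB_IPS:-192.0.2.3 192.0.2.4}"      # eth0:0, eth0:1 : web/mail/DNS
GAME_IPS="${GAME_IPS:-192.0.2.5 192.0.2.6}"    # eth0:2, eth0:3 : game servers

# Emit the ruleset. INPUT defaults to DROP; OUTPUT is left open, since the
# post only asks about inbound filtering. Rules key on -d, not on -i eth0:N.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback is fully open. ESTABLISHED,RELATED accepts replies to
    # connections this host already accepted or opened itself, which is
    # what makes passive-mode FTP downloads work: the data connection is
    # outbound from the server, so no inbound listen port is needed.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Admin address: SSH only.
    echo "-A INPUT -d $ADMIN_IP -p tcp --dport 22 -j ACCEPT"
    # Web/mail addresses. 465 is SMTP over TLS; 587 (submission, STARTTLS)
    # is an assumption added here because Zimbra clients usually use it.
    for ip in $WEB_IPS; do
        echo "-A INPUT -d $ip -p tcp -m multiport --dports 80,443,25,465,587,110,995,143,993,53 -j ACCEPT"
        echo "-A INPUT -d $ip -p udp --dport 53 -j ACCEPT"
    done
    # Game addresses: the port list from the plan, split by protocol.
    for ip in $GAME_IPS; do
        echo "-A INPUT -d $ip -p tcp -m multiport --dports 27000:27030,8075,28852 -j ACCEPT"
        echo "-A INPUT -d $ip -p udp -m multiport --dports 27000:27030,7700:7730,20560,28852 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage: sh rules.sh > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_rules
```

Load it with `iptables-restore` rather than one `iptables` call per line so the whole set is applied atomically, and check `iptables -L -n -v` afterwards to confirm the counters move on the rules you expect.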