[RHEL6] A poor man's network isolation using RHEL.
Consider a very common scenario:
- You have your home network, safe and sound, which you work hard to keep updated and secure.
- And then... you host a visitor. You take one look at the visitor's operating system or surfing habits and feel a chill down your spine.
What if the visitor's machine carries viruses, worms, bots, ransomware, etc.? Deny the visitor access to your network?
I stumbled upon this very scenario recently, and I had to be creative in order not to hurt some sensibilities and friendships.
Plot
My home network is an enhanced standard network. My network switch is an old 10/100 Mbps WRT54G (WiFi and routing disabled; it just serves as a switch), cascaded to a Belkin router (also passive, like the WRT54G, but it serves 2.4 and 5 GHz WiFi). I'm not sure whether either of them supports VLAN tagging, and I didn't have the time to tinker with it. At the network border I have a RHEL 6 host, which also runs the DHCP, DNS and NAT services. Word of advice: consider having a system you fully control at your border instead of trusting those flaky embedded systems.
How-to
And so, I don't have state-of-the-art equipment and I can't separate the WiFi and Ethernet networks from each other at layer 2. But... what if I use the same medium for two different, mutually non-routable networks?
That's what I did. Granted, someone could just listen on the wire and change their IP address to the protected range, but I mostly host non-expert people who simply don't care about system security, so this kind of isolation is good enough.
In this example, we tie an IP address in the protected network to every known "good" system's MAC address at the DHCP server. Unknown systems get an address in a different network, and that network is not routed to the protected one.
- Define the networks. In our example, the protected network is 172.16.1.0/24 and the visitor network is 192.168.1.0/24.
- On the border server, add an alias address in the visitor network to your internal interface (eth0 in our case); this makes the server the visitors' default gateway. Give it the prefix length: without it, ip assigns a /32 and the server has no connected route back to the visitor network, so replies to visitors would leave via the default route instead:
# ip address add 192.168.1.3/24 dev eth0
To keep the alias across reboots, put the same address in /etc/sysconfig/network-scripts/ifcfg-eth0:0.
- Now, edit /etc/dhcp/dhcpd.conf (on RHEL 6 the server reads its configuration from there; /etc/dhcpd.conf is the RHEL 5 location). Both subnets go into one shared-network, because they share the same wire. Only the visitor subnet has a range, so a client whose MAC has no host entry can only get a visitor address, while a known MAC gets its fixed-address in the protected subnet. Visitors are handed public resolvers rather than the home DNS on 172.16.1.3, so they have no reason to talk to the server's protected address at all.
    ## Default options for my "safe" network
    option domain-name "home.rf.corp";
    option domain-name-servers 172.16.1.3;
    #
    default-lease-time 172800;
    max-lease-time 1209600;
    #
    authoritative;
    #
    ## HERE the magic is done:
    shared-network rodhome {
      #
      ## This is the network for the visitors
      subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.79;
        option routers 192.168.1.3;
        option domain-name-servers 201.6.2.104, 201.6.2.184;
        option domain-name "visitor.rf.corp";
      }
      #
      ## This is a declaration of my "safe" network, with no dynamic leases
      subnet 172.16.1.0 netmask 255.255.255.0 {
        option routers 172.16.1.3;
        deny unknown-clients;
      }
    }
    #
    ## And here begin my internal hosts:
    host appliance01 { hardware ethernet FF:BD:B9:32:CC:CC; fixed-address 172.16.1.242; }
    #
    host notebook01-lan { hardware ethernet FF:90:A9:75:DD:DD; fixed-address 172.16.1.243; }
    #
    host notebook01-wifi { hardware ethernet FF:90:A9:C6:EE:EE; fixed-address 172.16.1.244; }
    #
    host desktop { hardware ethernet FF:e0:eb:c5:FF:FF; fixed-address 172.16.1.245; }
    #
    host smartphone01 { hardware ethernet FF:90:A9:9F:00:00; fixed-address 172.16.1.246; }
    #
    host tablet01 { hardware ethernet FF:90:A9:14:11:11; fixed-address 172.16.1.247; }
    #
    host smartphone02 { hardware ethernet FF:DE:F1:03:22:22; fixed-address 172.16.1.110; }
    #
    ## ... and so forth.
- Set up the isolation rules: drop forwarded traffic from the visitor network to the protected one, and drop visitor traffic aimed at the server itself. Note that the server is reachable from a visitor at its protected address 172.16.1.3 just as easily as at the alias 192.168.1.3 (same NIC, same wire), so the INPUT rule has to cover both destinations, not only the alias; the third rule below closes that gap. DHCP keeps working, because dhcpd receives requests through a packet socket, below the netfilter INPUT hook:
# /sbin/iptables -I FORWARD -s 192.168.1.0/24 -d 172.16.1.0/24 -i eth0 -j DROP
# /sbin/iptables -I INPUT -s 192.168.1.0/24 -d 192.168.1.3 -i eth0 -j DROP
# /sbin/iptables -I INPUT -s 192.168.1.0/24 -d 172.16.1.0/24 -i eth0 -j DROP
- Enable masquerading for the visitor network (eth1 being your public interface) and save the ruleset to /etc/sysconfig/iptables so it survives a reboot:
# /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
# service iptables save
- Restart your DHCP server so it reads the new configuration.
- Hook up a client with no MAC reservation and renew its lease: it should land in 192.168.1.50-79 with 192.168.1.3 as its gateway, reach the Internet, and get nothing back from any 172.16.1.x address.
And you're done!
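As an added check that is not part of the original how-to, the following Python script audits the split after the steps above. It reads the host stanzas from dhcpd.conf, the dynamic leases from dhcpd.leases and the saved ruleset in iptables-save format, and reports who currently holds a visitor lease, whether an allowlisted MAC is sitting on the visitor network (a stale lease, or dhcpd not restarted after the reservation was added), whether any dynamic lease ended up in the protected subnet (which cannot happen unless a range crept into that subnet declaration, since fixed-address hosts never appear in the leases file), and whether any of the isolation rules is missing, including the INPUT rule for the server's own 172.16.1.x address. The inline sample configuration, leases and rules are constructed to mirror this page's setup; the script name and the file paths in its usage line are assumptions.

```python
#!/usr/bin/env python
"""Audit the visitor/protected split (added example, not from the original how-to).
Usage on the border host (paths are assumptions):
  python audit_split.py /etc/dhcp/dhcpd.conf /var/lib/dhcpd/dhcpd.leases /etc/sysconfig/iptables
With no arguments it runs on the constructed samples below."""
import re
import sys

PROTECTED_NET = "172.16.1.0/24"
VISITOR_NET = "192.168.1.0/24"

# host {} and lease {} stanzas contain no nested braces, so [^}]* is enough.
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
LEASE_RE = re.compile(r"\blease\s+([\d.]+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
FIXED_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")
STATE_RE = re.compile(r"binding\s+state\s+(\w+)\s*;")
HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')

# Rules as iptables-save renders them (single hosts get /32). The third one is the
# one the two-rule set in the text lacks: a visitor reaches the server at 172.16.1.3
# as easily as at 192.168.1.3, so that destination must be dropped in INPUT too.
REQUIRED_RULES = [
    ("FORWARD: visitor -> protected hosts dropped",
     r"^-A FORWARD -s 192\.168\.1\.0/24 -d 172\.16\.1\.0/24 -i eth0 -j DROP$"),
    ("INPUT: visitor -> gateway alias 192.168.1.3 dropped",
     r"^-A INPUT -s 192\.168\.1\.0/24 -d 192\.168\.1\.3/32 -i eth0 -j DROP$"),
    ("INPUT: visitor -> gateway protected address 172.16.1.x dropped",
     r"^-A INPUT -s 192\.168\.1\.0/24 -d 172\.16\.1\.0/24 -i eth0 -j DROP$"),
    ("nat POSTROUTING: visitors masqueraded on eth1",
     r"^-A POSTROUTING -s 192\.168\.1\.0/24 -o eth1 -j MASQUERADE$"),
]

def in_subnet(ip, cidr):
    """True if the dotted-quad ip lies inside cidr (e.g. "172.16.1.0/24")."""
    to_int = lambda s: sum(int(o) << (8 * (3 - i)) for i, o in enumerate(s.split(".")))
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)

def parse_allowlist(conf_text):
    """MAC (lower case) -> (host name, fixed address) from the host {} stanzas."""
    allow = {}
    for name, body in HOST_RE.findall(conf_text):
        mac, fixed = MAC_RE.search(body), FIXED_RE.search(body)
        if mac and fixed:
            allow[mac.group(1).lower()] = (name, fixed.group(1))
    return allow

def parse_leases(leases_text):
    """(ip, mac, binding state, hostname) per IP; the leases file is append-only,
    so the last stanza for an address is the current one, as dhcpd reads it."""
    latest = {}
    for ip, body in LEASE_RE.findall(leases_text):
        mac, state, host = MAC_RE.search(body), STATE_RE.search(body), HOSTNAME_RE.search(body)
        latest[ip] = (ip, mac.group(1).lower() if mac else None,
                      state.group(1) if state else "unknown", host.group(1) if host else "")
    return sorted(latest.values(), key=lambda t: t[0])

def audit_leases(conf_text, leases_text):
    """Classify active dynamic leases. Fixed-address hosts never appear in the
    leases file, so anything active in the protected subnet is a misconfiguration."""
    allow = parse_allowlist(conf_text)
    report = {"visitors": [], "allowlisted_on_visitor": [], "protected_leaks": []}
    for ip, mac, state, host in parse_leases(leases_text):
        if state != "active":
            continue  # expired/free stanzas stay in the file
        if in_subnet(ip, PROTECTED_NET):
            report["protected_leaks"].append((ip, mac, host))
        elif in_subnet(ip, VISITOR_NET):
            # A known MAC on a visitor address: stale lease, or dhcpd not restarted.
            key = "allowlisted_on_visitor" if mac in allow else "visitors"
            report[key].append((ip, mac, host))
    return report

def missing_isolation_rules(iptables_save_text):
    """Names of the required rules absent from iptables-save output."""
    lines = [l.strip() for l in iptables_save_text.splitlines()]
    return [name for name, pat in REQUIRED_RULES
            if not any(re.match(pat, l) for l in lines)]

# Constructed sample inputs mirroring the page's setup (not real captures).
SAMPLE_CONF = """
host notebook01-lan { hardware ethernet FF:90:A9:75:DD:DD; fixed-address 172.16.1.243; }
host desktop { hardware ethernet FF:e0:eb:c5:FF:FF; fixed-address 172.16.1.245; }
"""
SAMPLE_LEASES = """
lease 192.168.1.50 { binding state active; hardware ethernet 08:00:27:1a:2b:3c;
  client-hostname "guest-laptop"; }
lease 192.168.1.51 { binding state free; hardware ethernet 08:00:27:de:ad:01; }
lease 192.168.1.52 { binding state active; hardware ethernet ff:90:a9:75:dd:dd;
  client-hostname "notebook01"; }
lease 172.16.1.77 { binding state active; hardware ethernet 00:0c:29:aa:bb:cc; }
"""
SAMPLE_RULES = """*filter
-A INPUT -s 192.168.1.0/24 -d 192.168.1.3/32 -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/24 -d 172.16.1.0/24 -i eth0 -j DROP
COMMIT
*nat
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

def main(argv):
    if len(argv) == 4:
        conf, leases, rules = (open(p).read() for p in argv[1:])
    else:
        conf, leases, rules = SAMPLE_CONF, SAMPLE_LEASES, SAMPLE_RULES
    for kind, entries in sorted(audit_leases(conf, leases).items()):
        for ip, mac, host in entries:
            print("%-22s %-15s %-17s %s" % (kind, ip, mac, host))
    for name in missing_isolation_rules(rules):
        print("MISSING RULE: " + name)

if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments, the constructed samples produce one genuine visitor, one known notebook MAC wrongly holding a visitor lease, one dynamic lease inside 172.16.1.0/24, and one missing rule: the INPUT drop for the server's protected address. What this audit cannot see is a visitor who spoofs an allowlisted MAC, since that client gets the fixed address and never appears in the leases file; that is the limit the text acknowledges for this kind of isolation.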
Thanks!!
To my dear friend Flávio Leitner (fbl) for helping me enhance this quick 'n' dirty howto