Accurate Routing Rules for Best Security

Hello,

Here is my article about security. The best security is to limit the exposure of the server to the outside world. The personal computers we normally use can reach anywhere on the Internet. That is not a good security practice for a server running in production. Let's discuss how we can narrow the server's exposure to a limited set of hosts on the Internet.


Requirement

I have a company, and I want traffic from my company to be able to reach Google while traffic to Facebook is restricted [there's no real reason to do this; it's just for demonstration].

  • We can achieve this requirement by adjusting the routes in the server routing table.
  • In Linux, we have the route command to modify the routing table. I'm going to use the route command here.

The default Routing Rules are

  • The following command shows the routing rules in the routing table:
route  -n  
  • Initially we can ping both Google and Facebook, because the routing table has a rule to go anywhere on the Internet: the route for the network 0.0.0.0.
  • Caution: Don't remove this route [0.0.0.0] directly if you are working on a remote host; you won't be able to control the remote host anymore. Check my next article/post for how to recover a remote host if you accidentally delete the 0.0.0.0 route.
  • Let's add a routing rule so that we stay connected to the remote host.
route add  -net [Public IP of your local Machine]  gw  [gateway of Remote Machine]  netmask  255.255.255.255  [NetworkInterfaceName]
  • I found the public IP of my local machine: it's 157.48.94.107, which is in the range 157.48.94.0/24, so I added the netmask as 255.255.255.0. We can narrow the rule further to a particular host by using its IP address with the netmask 255.255.255.255.
  • That is, we can add 157.48.94.107/32. Now we can delete the 0.0.0.0 rule; our remote session won't freeze.
route del  -net  0.0.0.0
  • Now it's not possible to connect to any server on the Internet.
  • Our requirement is to be able to connect to Google, so let's add a route for it.
  • Note the IP address of Google. We can find it with the nslookup command.

IP address: 142.250.183.46, which is in the range 142.250.183.0/24

route add  -net  142.250.183.0  gw [Gateway]  netmask  255.255.255.0  [NetworkInterface]

  • Now we can connect only to Google on the Internet.
  • If it doesn't work for you, the reason may be that the instance doesn't have a route to its DNS server. Add a route to the DNS server in the same way.
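The steps above as one ordered plan, in an added example that is not from the original article: the script only prints the route commands, with the route back to the admin machine first and the default-route deletion last. The gateway 10.0.0.1, the interface eth0 and the DNS resolver 192.0.2.53 are assumed placeholder values.

```shell
#!/bin/sh
# Added example: prints (does not execute) the route commands from this article
# in an order that keeps the remote session alive.

# mask_for PREFIXLEN -> dotted netmask, e.g. 24 -> 255.255.255.0
mask_for() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    bits=$1; out=""
    for n in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$((256 - (1 << (8 - bits)))); bits=0; fi
        out="${out:+$out.}$octet"
    done
    echo "$out"
}

# plan_allowlist GW IFACE ADMIN_CIDR [ALLOWED_CIDR...]
# Order: admin route first, allowed destinations next, default-route delete last.
# Nothing is printed unless every argument validates (all-or-nothing plan).
plan_allowlist() {
    [ "$#" -ge 3 ] && [ -n "$3" ] || { echo "need GW IFACE ADMIN_CIDR" >&2; return 1; }
    gw=$1; ifc=$2; shift 2
    plan=""; nl='
'
    for cidr in "$@"; do
        case "$cidr" in */*) ;; *) echo "not CIDR: $cidr" >&2; return 1 ;; esac
        mask=$(mask_for "${cidr#*/}") || { echo "bad prefix: $cidr" >&2; return 1; }
        plan="${plan}route add -net ${cidr%/*} gw $gw netmask $mask $ifc$nl"
    done
    printf '%sroute del -net 0.0.0.0\n' "$plan"
}

# Sample run. 157.48.94.107 and 142.250.183.0/24 are from the article; the
# gateway, interface and DNS resolver (192.0.2.53) are constructed placeholders.
plan_allowlist 10.0.0.1 eth0 157.48.94.107/32 142.250.183.0/24 192.0.2.53/32
```

Read the printed plan and confirm the first line really points at the machine you are connected from before running any of it as root.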
I did this task under the guidance of Mr. Vimal Daga Sir.

Thank you, Vimal Daga Sir.


Thank you for reading. Please drop a message if you have any questions about this article. Happy to help!