I have a set of virtual servers running on a single home physical server. I like to be able to remote into my home servers when I’m away from home so that I can get to the home automation if I need to. So one of my virtual servers is internet facing – I have a port on my router mapped through to ssh on that server.
I had thought I had configured that server with public key logon only to the ssh, but apparently I hadn’t, and I got a breach on that server. Which is embarrassing. So I decided to do a solid pass through the security of my environment.
My desire is to run a DMZ network, with only a jump-box machine in the DMZ visible to the internet. This machine will be locked down tightly, and only permit ssh off that machine to a single machine in the inner network zone. No root login will be permitted on any ssh. That means that a penetration of the environment would require cracking the public key logon on the jump-box, then cracking the username/password of the single machine that is connectable from that jump-box.
I’ll walk through the configuration I did there, but a key in all this is that it means my host server (the physical machine that hosts the virtuals) is actually connected to both the inner network and the DMZ network. But I don’t want that machine answering any connections on the DMZ network – that would effectively put the physical host into the DMZ. The hardest thing in this setup was having virtual servers that are on the DMZ network without having the host itself on that network.
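The breach above came from believing the ssh daemon was key-only when it was not. A check that reads the effective configuration from `sshd -T` (what the daemon will actually enforce, rather than what was written into sshd_config) catches that gap. This is an added example, not part of the original post; it assumes the lowercase `keyword value` lines that `sshd -T` prints, and the two sample excerpts below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the *effective* sshd
# settings for a jump-box: no password logins, no root logins, keys enabled.
# Input is the text that "sshd -T" prints (lowercase "keyword value" lines).

# Print the value of keyword $1 from "sshd -T" text on stdin (empty if absent).
sshd_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Check one "sshd -T" dump passed as a single string; returns 1 on any finding.
# usage: check_sshd "$(sshd -T)"
check_sshd() {
    cfg="$1"
    bad=0
    pw=$(printf '%s\n' "$cfg" | sshd_value passwordauthentication)
    root=$(printf '%s\n' "$cfg" | sshd_value permitrootlogin)
    pubkey=$(printf '%s\n' "$cfg" | sshd_value pubkeyauthentication)
    # Keyboard-interactive (PAM) logins can still accept a password even when
    # PasswordAuthentication is off; newer OpenSSH names the keyword
    # kbdinteractiveauthentication, older releases challengeresponseauthentication.
    kbd=$(printf '%s\n' "$cfg" | sshd_value kbdinteractiveauthentication)
    if [ -z "$kbd" ]; then
        kbd=$(printf '%s\n' "$cfg" | sshd_value challengeresponseauthentication)
    fi
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset}', expected no" >&2; bad=1
    fi
    if [ "$kbd" != "no" ]; then
        echo "keyboard-interactive auth is '${kbd:-unset}', expected no" >&2; bad=1
    fi
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected no" >&2; bad=1
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "PubkeyAuthentication is '${pubkey:-unset}', expected yes" >&2; bad=1
    fi
    return "$bad"
}

# Constructed sample "sshd -T" excerpts: a host that still accepts passwords,
# and the intended jump-box settings.
SSHD_DEFAULTS='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'

SSHD_JUMPBOX='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Stand-alone demonstration: the first call reports findings, the second is clean.
check_sshd "$SSHD_DEFAULTS" || echo "sample default config: NOT key-only"
check_sshd "$SSHD_JUMPBOX" && echo "sample jump-box config: key-only, no root"
```

On the real jump-box, run `check_sshd "$(sshd -T)"` as root after every change to sshd_config; `sshd -T` resolves Match blocks and included files, so it shows what will actually be enforced.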
So, configuration that I did. I am using a single physical network interface on the host, and I want from that:
- The physical network interface itself. I’d like this to not get an IP address, as I don’t want it to be routable
- A bridge interface built from the physical network, with a DHCP address on the inner network; this is on VLAN 1 / default. This bridge is made available to all virtual machines that are on the inner network
- A virtual network interface that is built from the underlying physical network interface, but that is tagged to be on VLAN 3 (my DMZ). All traffic that transits this interface will be VLAN 3 without any configuration needed to be done on the individual machines. I don’t want this interface to be routable – I don’t want the host itself
- A bridge interface built from this virtual network interface, allowing virtuals to be on this DMZ (VLAN 3). I don’t want this routable directly from the host, as I don’t want the host on the DMZ network
To achieve this, I have configuration in both /etc/network/interfaces and in /etc/dhcpcd.conf. Both of these are involved in network routing and DHCP addresses, and I found that if I just create bridge configuration in the interfaces file then dhcpcd will still grab that bridge and allocate an IP address to it, making it a routable interface.
Note that I did play around with using the nogateway directive in dhcpcd.conf, and with using post-up hooks to delete the routes after they were created. Neither of those gave the result I wanted.
Here is my configuration in /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The physical interface: brought up, but with no address of its own
auto enp3s0
iface enp3s0 inet manual
# iface enp3s0 inet manual

# vlan network interface - the .3 automatically tells it what to tag (apparently) - 3 is DMZ
auto enp3s0.3
iface enp3s0.3 inet manual

# The primary network interface
auto br0
iface br0 inet dhcp
    bridge_ports enp3s0
    bridge_stp off
    bridge_maxwait 0
    bridge_waitport 0
    bridge_fd 0
    metric 10
    pre-up /sbin/ifconfig enp3s0 mtu 9000

# the vlan bridge - DMZ
auto br0-3
iface br0-3 inet manual
    bridge_ports enp3s0.3
    bridge_stp off
    bridge_maxwait 0
    bridge_waitport 0
    bridge_fd 0
    metric 1000
    pre-up /sbin/ifconfig enp3s0.3 mtu 9000
This defines my primary interface enp3s0, but tells it that I want a manual IP address – in other words, please don’t allocate an IP address from this service. Note that if you only do this, dhcpcd will still allocate an address, so we need more configuration in dhcpcd.conf.
Then it defines a bridge br0 from that interface. This is the primary network connection that this server uses, and also the bridge used for any virtual that is on the inner network. This gets its IP address from DHCP; my DHCP server allocates a static address based on MAC.
Next, I define a virtual network interface on my DMZ network VLAN 3, enp3s0.3. It appears that the .3 on the end of the interface name is how you tell it that you would like it tagged to VLAN 3; there isn’t some sort of tag directive. Again, I don’t want an IP address for this interface; I don’t want the host answering on the DMZ network.
Finally, I define a virtual bridge br0-3 on the virtual network interface, giving me a bridge that I can make available to my virtual servers that I want on the DMZ network.
Now, I need to do configuration in /etc/dhcpcd.conf to tell it which of these devices I want to have IP addresses. I am also blocking IPv6, because I haven’t worked out yet what firewalling I’d need on this.
# Inner-network bridge: IPv4 via DHCP is fine, but no IPv6
interface br0
noipv6

# Physical interface: no addresses at all
interface enp3s0
noipv4
noipv6

# VLAN 3 (DMZ) interface: no addresses at all
interface enp3s0.3
noipv4
noipv6

# DMZ bridge: no addresses at all
interface br0-3
noipv4
noipv6
So we have interface br0, which we are happy to have an IPv4 address on (the only addressable interface), but we don’t want an IPv6 address on it. Then our other three interfaces have no IPv4 or IPv6 on them at all, meaning they’re not routable.
We can check the routing that we get by using ip route:
root@server:/home/paul# ip route
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.4 metric 10
default via 192.168.1.1 dev br0 metric 10
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.4 metric 10
root@server:/home/paul#
This is telling us that the only routes available are via the gateway on the inner network (192.168.1.1), and via br0 with its IP address. Prior to this configuration you would have seen here something more like:
paul@server:~/ansible$ ip route
default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.4 metric 10
default via 192.168.1.1 dev enp3s0 proto dhcp src 192.168.1.148 metric 202
default via 192.168.3.1 dev enp3s0.3 proto dhcp src 192.168.3.148 metric 204
default via 192.168.3.1 dev br0-3 proto dhcp src 192.168.3.201 metric 206
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.4 metric 10
192.168.1.0/24 dev enp3s0 proto dhcp scope link src 192.168.1.148 metric 202
192.168.3.0/24 dev enp3s0.3 proto dhcp scope link src 192.168.3.148 metric 204
192.168.3.0/24 dev br0-3 proto dhcp scope link src 192.168.3.201 metric 206
This is what I had before I started the dhcpcd.conf changes, and it meant the host server was answering on all 4 interfaces, and it was very hard to work out what was going on / where network traffic was going.
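Eyeballing the route table works once, but the host is only safe as long as it stays that way after reboots and package upgrades. The following script is an added example, not part of the original post: it parses the plain-text output of `ip route` and `ip -o addr show` (assumed formats; the "before" and "after" route tables are copied from above, the address listing is constructed) and reports any route or address on an interface that is not in an allowed list. It goes slightly beyond the post by also checking addresses, since dhcpcd can assign an address that never shows up as a route.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the host only has
# routes and addresses on the inner-network bridge, i.e. nothing on enp3s0,
# enp3s0.3 or br0-3 that would put the physical host into the DMZ.

# True if $1 appears in the space-separated list $2.
is_allowed() {
    for a in $2; do
        if [ "$1" = "$a" ]; then return 0; fi
    done
    return 1
}

# Report routes whose "dev" is not in the allowed list; returns 1 if any.
# usage: ip route | check_routes "br0"
check_routes() {
    allowed="$1"
    bad=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        # the interface name is the word following "dev"
        dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
        if [ -z "$dev" ]; then continue; fi
        if ! is_allowed "$dev" "$allowed"; then
            printf 'route on non-allowed interface %s: %s\n' "$dev" "$line" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Report addresses on interfaces outside the allowed list; returns 1 if any.
# "ip -o addr show" prints one "<index>: <ifname> inet ..." line per address.
# usage: ip -o addr show | check_addrs "lo br0"
check_addrs() {
    allowed="$1"
    bad=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        dev=$(printf '%s\n' "$line" | awk '{print $2}')
        if ! is_allowed "$dev" "$allowed"; then
            printf 'address on non-allowed interface %s: %s\n' "$dev" "$line" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample inputs. The two route tables are the "before" and "after"
# outputs shown in the post; the address listing is made up for illustration.
ROUTES_BEFORE='default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.4 metric 10
default via 192.168.1.1 dev enp3s0 proto dhcp src 192.168.1.148 metric 202
default via 192.168.3.1 dev enp3s0.3 proto dhcp src 192.168.3.148 metric 204
default via 192.168.3.1 dev br0-3 proto dhcp src 192.168.3.201 metric 206
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.4 metric 10
192.168.1.0/24 dev enp3s0 proto dhcp scope link src 192.168.1.148 metric 202
192.168.3.0/24 dev enp3s0.3 proto dhcp scope link src 192.168.3.148 metric 204
192.168.3.0/24 dev br0-3 proto dhcp scope link src 192.168.3.201 metric 206'

ROUTES_AFTER='default via 192.168.1.1 dev br0 proto dhcp src 192.168.1.4 metric 10
default via 192.168.1.1 dev br0 metric 10
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.4 metric 10'

ADDRS_LEAKY='1: lo    inet 127.0.0.1/8 scope host lo
3: br0    inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic br0
5: br0-3    inet 192.168.3.201/24 brd 192.168.3.255 scope global dynamic br0-3'

# Stand-alone demonstration over the samples: "after" passes, the others fail.
printf '%s\n' "$ROUTES_AFTER" | check_routes "br0" && echo "after: routes clean"
printf '%s\n' "$ROUTES_BEFORE" | check_routes "br0" || echo "before: host exposed"
printf '%s\n' "$ADDRS_LEAKY" | check_addrs "lo br0" || echo "leaky: address on DMZ bridge"
```

On the live host the same checks are `ip route | check_routes "br0"` and `ip -o addr show | check_addrs "lo br0"`; wiring them into a cron job or a post-boot unit turns the one-off `ip route` inspection above into something that complains the moment dhcpcd or a new package quietly gives the DMZ-side interfaces an address again.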