Hi Marvin,

I run two LTSP servers, one with a separate physical network for the clients and another where the clients share the unprotected, accessible-from-anywhere network.

The first case is simple: run ipchains (or iptables) on the exposed interface to eliminate any packets (other than to the SSH port 22) from the outside world.

In the second case, I run a second unroutable network such as 192.168.* or 10.* on the server, and the clients boot and are assigned IPs there. A would-be hacker could not reach one of those machines without hacking the server. The server runs ipchains to block access on its real IP and allows the ones needed for the clients on the fake net. The only downside to this approach is that the DHCP server is unprotected (unless you have a second NIC on the server with the fake subnet; it can be attached to the same hub/switch).

Sample rules are below for RedHat 7.2. Edit and install in /etc/sysconfig and run /etc/init.d/ipchains start. I would also harden /etc/hosts.allow (also below). /etc/hosts.deny should contain ALL: ALL

Best,
---Venkat.

Venkat Manakkal
President, Manakkal & Associates, Inc.
http://www.manakkal.com/
Tel: 607-546-7300
Fax: 509-471-5693

## /etc/sysconfig/ipchains for LTSP server on a public network running a fake subnet in 10.9.1. for ltsp clients.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
# Allow ssh
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
# Allow local loopback
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# Ignore any router discovery packets
-A input -s 0/0 -d 224.0.0.0/8 -j DENY
# Ignore any Server Locate stuff
-A input -p udp --destination-port 427 -j DENY
# Allow local subnet traffic
-A input -s real.sub.net.0/24 -d 0/0 -p tcp -j ACCEPT
-A input -s real.sub.net.0/24 -d 0/0 -p udp -j ACCEPT
# Allow local subnet on fake local IPs
-A input -s 10.9.1.0/24 -d 0/0 -p tcp -j ACCEPT
-A input -s 10.9.1.0/24 -d 0/0 -p udp -j ACCEPT
# Allow DHCP
-A input -s 0/0 -d 0/0 67 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 68 -p udp -j ACCEPT
# Allow TFTP
-A input -s 0/0 -d 0/0 69 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 69 -p tcp -j ACCEPT
# Allow DNS
-A input -s dns.server.ip.addr 53 -d 0/0 -p udp -j ACCEPT
# Reject Others
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT -l
-A input -s 0/0 -d 0/0 -p udp -j REJECT -l

-----------------------------

# This is /etc/hosts.allow
sshd: ALL
bootpd: 0.0.0.0
in.tftpd: 10.9.1.
portmap: 10.9.1.
gdm: 10.9.1.
ypserv: local.host.subnet. #(we run NIS between servers)

At 01:59 AM 3/25/2002 -0800, you wrote:
>Hello LTSP gurus,
>
>Can I ask your personal experiences and setups on how to secure your LTSP
>especially the server(s) for public and private networks? Any HOW-TO is
>very much appreciated.
>
>Thank you very much...
>
>God bless you all...
>
>Marvin
>
>__________________________________
>www.edsamail.com
>
>_____________________________________________________________________
>Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
> https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
>For additional LTSP help, try #ltsp channel on irc.openprojects.net
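The following is an added example, not code from Venkat's post or from LTSP: a small first-match simulator for an ipchains-style input chain, used to check what the posted ruleset actually lets through before it is installed. The ruleset is a constructed copy of the one above with the placeholder names filled in using documentation ranges (203.0.113.0/24 stands in for real.sub.net.0/24, 198.51.100.53 for dns.server.ip.addr, 192.0.2.0/24 plays the outside world); the sample packets are likewise constructed. It reproduces two properties of the chain worth knowing as a defender: the DHCP rule accepts port 67 from any source, which is the unprotected-DHCP caveat in the post, and the `-y` rules are stateless, so only TCP SYNs are rejected and any non-SYN segment from outside falls through to the chain's default ACCEPT.

```python
"""Added example: first-match simulator for an ipchains-style input chain."""
import ipaddress
import shlex

# Constructed copy of the posted chain, placeholders filled with documentation
# addresses (203.0.113.0/24 = real.sub.net.0/24, 198.51.100.53 = dns.server.ip.addr).
RULES_TEXT = """
:input ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 224.0.0.0/8 -j DENY
-A input -p udp --destination-port 427 -j DENY
-A input -s 203.0.113.0/24 -d 0/0 -p tcp -j ACCEPT
-A input -s 203.0.113.0/24 -d 0/0 -p udp -j ACCEPT
-A input -s 10.9.1.0/24 -d 0/0 -p tcp -j ACCEPT
-A input -s 10.9.1.0/24 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 67 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 68 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 69 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 69 -p tcp -j ACCEPT
-A input -s 198.51.100.53 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT -l
-A input -s 0/0 -d 0/0 -p udp -j REJECT -l
"""


def _net(spec):
    """ipchains writes 'any address' as 0/0; ipaddress wants 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def parse_rules(text):
    """Return (default policy, list of rule dicts) for the input chain."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0].startswith(":"):          # ":input ACCEPT" sets the default policy
            policy = toks[1]
            continue
        r = {"src": _net("0/0"), "dst": _net("0/0"), "sport": None, "dport": None,
             "proto": None, "iface": None, "syn": False, "target": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":                    # chain name; only 'input' is modelled
                i += 2
            elif t in ("-s", "-d"):          # address[/mask] followed by an optional port
                side = "src" if t == "-s" else "dst"
                r[side] = _net(toks[i + 1])
                i += 2
                if i < len(toks) and toks[i].isdigit():
                    r["sport" if side == "src" else "dport"] = int(toks[i])
                    i += 1
            elif t in ("-p", "-i", "-j", "--destination-port", "--dport"):
                key = {"-p": "proto", "-i": "iface", "-j": "target"}.get(t, "dport")
                r[key] = int(toks[i + 1]) if key == "dport" else toks[i + 1]
                i += 2
            elif t == "-y":                  # match only TCP packets with SYN set
                r["syn"] = True
                i += 1
            elif t == "-l":                  # log flag; does not affect the verdict
                i += 1
            else:
                raise ValueError(f"unsupported token {t!r}: {line}")
        rules.append(r)
    return policy, rules


def _matches(r, pkt):
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and (r["sport"] is None or r["sport"] == pkt["sport"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (not r["syn"] or (pkt["proto"] == "tcp" and pkt["syn"])))


def verdict(policy, rules, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for n, r in enumerate(rules, 1):
        if _matches(r, pkt):
            return r["target"], n
    return policy, None


def packet(src, dst, proto, dport=None, sport=None, syn=False, iface="eth0"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "sport": sport, "syn": syn, "iface": iface}


# Constructed sample packets arriving on the public interface.
SAMPLES = {
    "ssh_syn_from_internet": packet("192.0.2.10", "203.0.113.5", "tcp", dport=22, syn=True),
    "http_syn_from_internet": packet("192.0.2.10", "203.0.113.5", "tcp", dport=80, syn=True),
    "http_ack_from_internet": packet("192.0.2.10", "203.0.113.5", "tcp", dport=80),
    "dhcp_from_internet": packet("192.0.2.10", "255.255.255.255", "udp", dport=67, sport=68),
    "tftp_from_client": packet("10.9.1.20", "10.9.1.1", "udp", dport=69),
    "dns_reply_from_resolver": packet("198.51.100.53", "203.0.113.5", "udp", dport=40000, sport=53),
    "dns_reply_from_stranger": packet("192.0.2.53", "203.0.113.5", "udp", dport=40000, sport=53),
}


def evaluate(samples=SAMPLES, text=RULES_TEXT):
    """Map each sample name to (target, matching rule number or None)."""
    policy, rules = parse_rules(text)
    return {name: verdict(policy, rules, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (target, n) in evaluate().items():
        print(f"{name:25s} -> {target:7s} via {'rule %d' % n if n else 'default policy'}")
```

Running it shows `http_ack_from_internet` accepted by the default policy with no rule matched, which is the stateless gap the `-y` rules leave open, and `dhcp_from_internet` accepted by the port-67 rule from an outside address. Either result is a quick way to confirm that a candidate rule edit (for example binding the DHCP rule to the fake-subnet interface) does what you expect before restarting ipchains.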
