restricting private services to specific interfaces on server

restricting private services to specific interfaces on server

Post by Glen Coate » Tue, 20 Aug 2002 23:15:51
I've got a 3 machine network, and I am far from a competent sysadmin.
I'd like to restrict certain services (such as RPC and printer services)
to specific network interfaces.  Any help would really be appreciated.

One machine (tycho) has a cable modem connection to the net, and is the
NFS/NIS/DHCP server to the other two machines (jake & elwood).  On tycho,
eth0 is the cable modem, eth1 is a crossover cable to elwood, and eth2 is
a crossover cable to jake.  This is the current output from an nmap on
tycho's public IP (eth0), run from elwood:

Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
515/tcp    open        printer
600/tcp    open        ipcserver
617/tcp    open        unknown
658/tcp    open        unknown
758/tcp    open        nlogin

Ideally, I'd like these ports to only be open to eth[12], and I'd like
outside connections to only be able to see an open port 22 for ssh
connections.

How can I achieve this?  Is there some general way to do it for all
services, or do I need to tackle this on a service-by-service basis?

--
Cheers,
Glen


restricting private services to specific interfaces on server

Post by Nils O. Sel?sd » Tue, 20 Aug 2002 23:21:59


> I've got a 3 machine network, and I am far from a competent sysadmin.
> I'd like to restrict certain services (such as RPC and printer services)
> to specific network interfaces.  Any help would really be appreciated.

> One machine (tycho) has a cable modem connection to the net, and is the
> NFS/NIS/DHCP server to the other two machines (jake & elwood).  On tycho,
> eth0 is the cable modem, eth1 is a crossover cable to elwood, and eth2 is
> a crossover cable to jake.  This is the current output from an nmap on
> tycho's public IP (eth0), run from elwood:

> Port       State       Service
> 22/tcp     open        ssh
> 111/tcp    open        sunrpc
> 139/tcp    open        netbios-ssn
> 515/tcp    open        printer
> 600/tcp    open        ipcserver
> 617/tcp    open        unknown
> 658/tcp    open        unknown
> 758/tcp    open        nlogin

> Ideally, I'd like these ports to only be open to eth[12], and I'd like
> outside connections to only be able to see an open port 22 for ssh
> connections.

> How can I achieve this?  Is there some general way to do it for all
> services, or do I need to tackle this on a service-by-service basis?

No general way, you have to read the docs/manpages for each service and
see how you configure it (if you can at all).
Alternatively, put a firewall rule that blocks that port on the specific
interface.


restricting private services to specific interfaces on server

Post by Jeroen Geilma » Thu, 22 Aug 2002 23:40:45




> I've got a 3 machine network, and I am far from a competent sysadmin.
> I'd like to restrict certain services (such as RPC and printer services)
> to specific network interfaces.  Any help would really be appreciated.

> One machine (tycho) has a cable modem connection to the net, and is the
> NFS/NIS/DHCP server to the other two machines (jake & elwood).  On tycho,
> eth0 is the cable modem, eth1 is a crossover cable to elwood, and eth2 is
> a crossover cable to jake.  This is the current output from an nmap on
> tycho's public IP (eth0), run from elwood:

> Port       State       Service
> 22/tcp     open        ssh
> 111/tcp    open        sunrpc
> 139/tcp    open        netbios-ssn
> 515/tcp    open        printer
> 600/tcp    open        ipcserver
> 617/tcp    open        unknown
> 658/tcp    open        unknown
> 758/tcp    open        nlogin

> Ideally, I'd like these ports to only be open to eth[12], and I'd like
> outside connections to only be able to see an open port 22 for ssh
> connections.

Okay, for one - you can't see what ports are open on the outside interface
from within your network.
Any and all firewall rules / port forwarding etc. throw the results out the
window.
You can simply run nmap on the external machine - that will give you a clear
answer.

Basically, ANY service which runs from (x)inetd, i.e. the internet
superserver, looks to the /etc/hosts.allow and /etc/hosts.deny files for
info on allowable networks and hosts.

"man hosts.allow" to find out how this can be applied to all services or to
individual services - it's quite flexible.

Windows networking ( the netbios-ssn port you have open - BAD idea) is
controlled by samba; "man smb.conf" for info on how to restrict this to one
or more interfaces.

> How can I achieve this?  Is there some general way to do it for all
> services, or do I need to tackle this on a service-by-service basis?

Oops - seems I was a bit early...

As stated - it depends on the services involved.
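As an added illustration of the hosts.allow/hosts.deny approach suggested in the reply above (this is not code from either poster), the evaluator below applies the hosts_access(5) rules to constructed sample files for tycho's layout. Since tcp_wrappers matches on the client's address rather than the arrival interface, the crossover links are expressed as address ranges; the 192.168.1.0/24 and 192.168.2.0/24 ranges for eth1/eth2 are an assumption, as is the choice of daemon names.

```python
import ipaddress

# Constructed sample files (not the poster's config); eth1/eth2 assumed 192.168.1.0/24 and 192.168.2.0/24.
HOSTS_ALLOW = """\
sshd : ALL                                   # reachable from anywhere, incl. eth0
portmap, lpd : 192.168.1. 192.168.2.0/255.255.255.0   # crossover links only
"""
HOSTS_DENY = "ALL : ALL\n"                   # everything not allowed above is refused

def parse_access_file(text):
    """Return [(daemon_tokens, client_tokens)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()             # drop comments and blanks
        if ":" in line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
    return rules

def client_matches(token, addr):
    """hosts_access(5) client patterns: ALL, 'net.' prefix, net/mask, exact address."""
    if token == "ALL":
        return True
    if token.endswith("."):                              # '192.168.1.' matches that /24
        return addr.startswith(token)
    if "/" in token:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return addr == token

def list_matches(tokens, value, matcher):
    """'a b EXCEPT c' matches when a or b matches and no token after EXCEPT does."""
    include, exclude = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    return (any(matcher(t, value) for t in include)
            and not any(matcher(t, value) for t in exclude))

def access_allowed(daemon, client_addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow match grants; else hosts.deny match refuses; else granted."""
    daemon_ok = lambda t, d: t in ("ALL", d)
    for rules, verdict in ((parse_access_file(allow_text), True),
                           (parse_access_file(deny_text), False)):
        for daemons, clients in rules:
            if (list_matches(daemons, daemon, daemon_ok)
                    and list_matches(clients, client_addr, client_matches)):
                return verdict
    return True
```

Only services started through inetd/xinetd (or linked against libwrap) consult these files; a daemon that binds its own socket, such as samba, needs its own interface setting.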

