Topic: Block access to server manager and ssh from one lan host

[nuxero]

Hello everybody.

So, I want to disable access to server manager and ssh to the host 192.168.2.1 of my lan.

Any ideas?

[Stefano]

please, explain your problem, not your solution

[CharlieBrady]

You can do it with custom templates. But why do you want to do it? What problem are you trying to solve?

[nuxero]

OK. In the company where I work there is a SME Server with a WAN and LAN interfaces. The lan to which is connected has its own Firewall with a couple of WAN interfaces. Something like this

Internet ---------- Sme Server --------|
                                                    |
                                                 Lan
                                                    |
Internet -----------Firewall ------------ |

The SME Server is reachable from the internet by itself but is also connected the LAN. We also wanted to reach the server by the Firewall, so we made a NAT 1:1 on the firewall but didn't work.

It turns out that when the firewall was trying to do the NAT, the SME Server was sending the reply to his own WAN interface and never got back to the firewall, so in the firewall we change the Source Adress from the NATed packages so as they come from the firewall itself to make sure they return.

Here is the thing, the NAT now works because the reply is send to the firewall, which act like the source. But because of this every connection made to the public IP that is being NATed (You know, the one that is using to do the NAT ) is consider as a local connection by SME Server.

We had some trouble in the past with the smtp server that allowed to local user send emails without authentication but we get to solve it by adding authentication. Now we wanted block access to the server manager and ssh port only to the firewall host, we believed that this is the most appropiate approach, however if there is a better solution you can suggest it.

I tried to explain as clear as I can, my english is not very good so some things may have no sense, sorry about that.

[CharlieBrady]

For ssh, I think you might be able to do:

/sbin/e-smith/config setprop sshd DenyHosts 192.168.2.1
/sbin/e-smith/signal-event remoteaccess-update

For server-manager I think you would need to use a custom template.

It would be much better if you could avoid the SNAT on your firewall. The SNAT on your firewall means that you create a backdoor access to your SME server where the real source of connections is hidden, and doesn't show up in logs, etc.

One way to do that would be to use policy routing on SME server. However that would be a non-trivial customisation.

Your best solution would be to avoid the access to your SME server which is coming via the Firewall. Why do you have two Internet connections?

[nuxero]

The SME Server is our Mail Server and the firewall provides Internet to the LAN, each one has its own public IP given by ISP. Recently we've got a backup Internet Service with another ISP but we only get one Public IP, so in order to have both internet and mail in the backup service we have to make the DNAT. The firewall also makes load balance and failover.

[CharlieBrady]

IMO you would be better with SME server in server-only mode, with port 25 forwarded from your firewall. If you need two Internet connections and load balancing, you can do that at or outside your firewall.

Is your main ISP connection really unreliable?

[nuxero]

Actually no, only failed one time last year. Though the managers want to have a Plan B. Server mode will make the trick but it seems that there is one reason for the former sysadmin did the actual configuration and IT Manager want to avoid a reconfiguration if it is posible