I have a server which has multiple NICs (ignoring redundant pairs):

  • 'inward' facing production (connects to other servers);
  • 'outward' external facing production (connects out to the internet via a DMZ),
  • 'outward' internal facing production (connects to internal users including application admins); and
  • management NIC that connects to the management network.

My question then is, can I limit account access based on the NIC through which the user connected: for example:

  • you can only access the root account or some sudoer accounts if you connected through the management NIC;
  • you can only access application admin accounts if you connected through the internal-facing NIC?
Gilles 'SO- stop being evil'
  • These are two completely different questions: one for Windows, and one for Linux. You need to ask them separately. Since there is now an answer about Linux, I've edited your question to be about Linux; ask another one about Windows. – Gilles 'SO- stop being evil' Aug 20 '14 at 09:33
  • Also note that these questions are a bit borderline between [security.se] and sites like [su] and [unix.se], since they are about using OS features to achieve a given security policy, rather than about designing a security policy or analyzing compliance to a security policy. – Gilles 'SO- stop being evil' Aug 20 '14 at 09:36
  • @Gilles: I disagree. A policy that can't be implemented will become a joke. So knowing it's possible to implement before defining a policy requiring makes sense. Which is why it also makes sense to ask the question about both Linux and Windows at the same time. – Hiding From The Jackasses Aug 21 '14 at 10:43

1 Answer

There's no good way to restrict accounts based on network interface in Linux (by the time a packet reaches a layer that understands the concept of "account", it's forgotten which interface it came in on). However, there are two easy ways to restrict access to an application based on which interface is used:

  1. At the OS level, the iptables firewall has options you can use. The -i option to iptables lets you filter packets based on which interface they came in on. Combine that with the --dport option, and you can selectively drop or accept packets bound for a given program, based on which interface the packet came in on.

  2. At the application level, most server programs let you restrict which IP addresses they'll listen on. For example, you might have an SSH server listening on the address belonging to the "management" interface, and a webserver listening on the external address.

You can sometimes combine the above with application-level options to get the per-account filtering you want. For example, you could have one sshd instance listening on the "management" interface and permitting administrator logins, and a second instance listening on the "external" interface and only permitting logins from ordinary users.

Mark
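Putting the answer's two mechanisms together, as an added example that is not part of the original answer: a firewall function using `iptables -i` and `--dport` so each SSH port is only reachable from one NIC, and two `sshd_config` fragments, each bound with `ListenAddress` to a single NIC's address and each allowing only the groups that NIC is meant to serve. Interface names, addresses, ports, group names and config paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the original answer): per-interface firewall
# rules plus two sshd instances, one per NIC. All names, addresses, ports
# and paths below are constructed; adjust them to the real host.
MGMT_IF=eth3; MGMT_ADDR=10.9.0.5     # management NIC: root and sudoers
INT_IF=eth2;  INT_ADDR=10.2.0.5      # internal-facing NIC: application admins
EXT_IF=eth1;  EXT_ADDR=203.0.113.5   # external-facing NIC: web service only

# 1. OS level: -i selects the ingress interface, --dport the service. The
#    ACCEPT rule names the one NIC a port may arrive on; the DROP rule that
#    follows catches the same port arriving on every other NIC.
#    Set IPT=echo to print the commands instead of applying them.
firewall_rules() {
  ipt="${IPT:-iptables}"
  # Admin sshd (port 22) is reachable only through the management NIC.
  $ipt -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $ipt -A INPUT -p tcp --dport 22 -j DROP
  # Application-admin sshd (port 2222) is reachable only through the internal NIC.
  $ipt -A INPUT -i "$INT_IF" -p tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
  $ipt -A INPUT -p tcp --dport 2222 -j DROP
  # HTTPS is reachable only through the external NIC; no sshd listens there.
  $ipt -A INPUT -i "$EXT_IF" -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
  $ipt -A INPUT -p tcp --dport 443 -j DROP
}

# 2. Application level: one config per sshd instance. Each binds exactly one
#    address (never 0.0.0.0) and restricts accounts with AllowGroups, so even
#    if a firewall rule is lost the wrong NIC still reaches no admin login.
#    Start them as `sshd -f <config>`; separate PidFile values keep the two
#    daemons from fighting over one pid file.
sshd_mgmt_config() {
  cat <<EOF
# /etc/ssh/sshd_config.mgmt (constructed path)
ListenAddress $MGMT_ADDR:22
PidFile /run/sshd-mgmt.pid
PermitRootLogin prohibit-password
AllowGroups wheel
EOF
}

sshd_internal_config() {
  cat <<EOF
# /etc/ssh/sshd_config.internal (constructed path)
ListenAddress $INT_ADDR:2222
PidFile /run/sshd-internal.pid
PermitRootLogin no
AllowGroups appadmin
EOF
}

# With no argument the script only prints what it would do; `apply` loads
# the firewall rules for real (needs root and iptables).
if [ "${1:-show}" = show ]; then
  IPT=echo
  firewall_rules
  sshd_mgmt_config
  sshd_internal_config
elif [ "$1" = apply ]; then
  firewall_rules
fi
```

Since the interface check (`-i`) and the account check (`AllowGroups`) sit at different layers, each one still holds if the other is misconfigured. OpenSSH can also express the same split inside a single instance with `Match LocalAddress` blocks, which is worth considering when running two daemons is inconvenient.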