-
Notifications
You must be signed in to change notification settings - Fork 1
/
GW-Staff.startup
32 lines (20 loc) · 975 Bytes
/
GW-Staff.startup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Gateway Staff is responsible to route different
# departments (i.e business units) in a manner that
# provides departmental isolation to prevent an
# attacker's lateral movement.
ifconfig eth0 10.0.3.2/30
ifconfig eth1 10.0.4.1/30
ifconfig eth2 10.0.6.1/30
# This gateway knows about the deeper networks it
# accommodates to successfully deliver packets.
# These include the Dep-A and Dep-B LAN via GW-Staff.
# OpenVPN Server accessible though the DMZ Gateway VPN.
route add -net 10.0.5.0/24 gw 10.0.4.2
# Mail Server accessible though the DMZ Gateway Mail.
route add -net 10.0.7.0/24 gw 10.0.6.2
# Defaults to the Internal Firewall.
route add default gw 10.0.3.1
# Firewall rules to prevent attacker's lateral movement
# from Dep-A to Dep-B and vice-versa.
iptables -A FORWARD -i eth1 -o eth2 -m comment --comment "Drops packets from Dep-A to Dep-B" -j DROP
iptables -A FORWARD -i eth2 -o eth1 -m comment --comment "Drops packets from Dep-B to Dep-A" -j DROP