IP Filtering


Asad Chaudhary

I've been unable to find clear documentation on how to set
up IP Filtering on Windows 2000 Advanced Server.
Here's the setup:
There are 2 NICs on the Win2k AS box. One connected to a
255.255.255.0 (Class D?) subnet, which is our office LAN.
This subnet has globally accessible IPs. The other NIC is
connected to a 255.255.0.0 also globally accessible IPs;
this is our campus network, with a gateway to the Internet,
etc. Our server handles all routing between the 2 subnets
as well as providing e-mail (POP3, IMAP, SMTP and Webmail
(port 8383)), web (HTTP and HTTPS), FTP and Remote Desktop
service to both our subnets and the Internet at large.
However, at the moment ALL hosts on both subnets are able
to see all ports on both interfaces on the server. This
has left the server and our internal LAN vulnerable to
Blaster, etc., since there are too many machines to patch
on time.
What I'm trying to do is:
1. Make our internal subnet and the internal IP of the
server invisible to the external subnet and the Internet,
EXCEPT for connections initiated FROM our subnet or the
internal IP.
2. Block all incoming traffic to the external IP, except
on the ports that provide e-mail, web, FTP, RDP, etc.
How can I do this?
 
Uh, it's not clear what type of IP addressing you are
really using for either network, since you have only
supplied the netmasking numbers. But if you mean that all
of your machines are using public IP addresses, then why
are you using a "gateway" to the internet?

If all your machines access the internet through a gateway
(or router), then all you have to do is to close off all
the ports on the router's external interface, except those
that are specifically needed for some purpose (web server,
ftp, mail, etc).
 
You might like to look at firewall software rather than relying on port
filtering. There are many available. Some are free.

Port filtering is tricky. And to be effective, you need to use the "Deny
all except" rather than "Allow all except" option. This is safer, because
you are less likely to leave something important open. However it means you
have to specifically enable every port you need.
 
I'm using a 'gateway' in the sense that physically, all our
machines (255.255.255.x) are connected to switches, which
are connected to the server, which is then connected to the
rest of the campus (255.255.x.x) and so on to the Internet.
How do I distinguish between blocking ports on the server's
external IP, and blocking incoming connections to those
same ports to other machines behind it? Does setting up a
filter to block all ports except those that should be open
for some reason, on the external interface, also block
packets being forwarded through to other machines on the
internal subnet on those ports? Does it block inbound
packets even if the connection was initiated from one of
our machines? If not, where do I set up 'routing' filters?
I can understand that people will have some difficulty
understanding exactly what I want to do using plain text.
The real solution is finding documentation or some sort of
step-by-step guide to configuring Windows 2000 Server when
it's acting both as a public web / mail server, etc., AND
as a gateway for machines behind it, EVEN THOUGH those
machines have global IP addresses.
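The questions in the last post (does a "deny all except" filter on the external interface also block packets forwarded to the machines behind it, and does it block replies to connections the LAN initiated?) come down to two distinctions: traffic addressed to the server itself versus traffic routed through it, and stateless filtering versus connection tracking. The following Python toy is an added example, not code from the thread or from any Windows component. It models a default-deny, stateful filter on a dual-homed host so the two cases can be walked through side by side. The interface names, the 192.0.2.0/24 and 198.51.0.0/16 subnets, the server addresses and the traffic sample are all constructed for illustration; the published-port list is the set of services the first post names.

```python
"""Toy model of a default-deny, stateful packet filter on a dual-homed router.

Constructed example: addresses, subnets and the traffic sample are made up to
mirror the thread's setup (a /24 office LAN behind the server, a /16 campus
network in front of it). Nothing here touches a real network stack.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing, chosen to mirror the two subnets in the thread.
LAN_NET = ip_network("192.0.2.0/24")         # office LAN, behind the server
CAMPUS_NET = ip_network("198.51.0.0/16")     # campus side, toward the Internet
SERVER_LAN_IP = ip_address("192.0.2.1")
SERVER_CAMPUS_IP = ip_address("198.51.100.10")

# "Deny all except": the TCP ports the server publishes on its campus-facing
# address (FTP, SMTP, HTTP, POP3, IMAP, HTTPS, RDP, webmail on 8383).
PUBLISHED_TCP_PORTS = {21, 25, 80, 110, 143, 443, 3389, 8383}


@dataclass(frozen=True)
class Packet:
    iface: str   # "lan" or "campus": interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Default-deny filter that remembers flows the LAN side initiated."""

    def __init__(self):
        # Flows allowed to carry replies back in, keyed (src, sport, dst, dport).
        self.established = set()

    def decide(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)

        if pkt.iface == "lan":
            # Anti-spoofing: only our own addresses may appear on the LAN side.
            if src not in LAN_NET and src != SERVER_LAN_IP:
                return "DROP"
            # Outbound connections are allowed; remember the flow so that the
            # reply is admitted when it arrives on the campus interface.
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"

        # Arriving on the campus-facing interface.
        if src in LAN_NET:
            return "DROP"            # a LAN address cannot legitimately come from outside
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.established:
            return "ACCEPT"          # reply to a connection the inside opened
        if dst == SERVER_CAMPUS_IP and pkt.dport in PUBLISHED_TCP_PORTS:
            return "ACCEPT"          # a service the server deliberately exposes
        # Everything else is dropped by default: the whole LAN, the server's LAN
        # address, and every unpublished port on its campus address.
        return "DROP"


def run_scenario():
    """Pass a constructed traffic sample through the filter; return the verdicts."""
    fw = StatefulFilter()
    sample = [
        # 1. Campus host browsing the server's public web site: published port.
        Packet("campus", "198.51.7.7", 40000, "198.51.100.10", 80),
        # 2. Same host probing TCP 135, the RPC port Blaster spread over, on the server.
        Packet("campus", "198.51.7.7", 40001, "198.51.100.10", 135),
        # 3. Same host probing TCP 135 on a LAN workstation, routed through the server.
        Packet("campus", "198.51.7.7", 40002, "192.0.2.50", 135),
        # 4. LAN workstation opens a connection to a web server on campus.
        Packet("lan", "192.0.2.50", 51000, "198.51.9.9", 80),
        # 5. The reply to 4 comes back in on the campus interface.
        Packet("campus", "198.51.9.9", 80, "192.0.2.50", 51000),
        # 6. Unsolicited packet from that same server to a port the LAN never opened.
        Packet("campus", "198.51.9.9", 80, "192.0.2.50", 51001),
        # 7. Campus-side packet forging a LAN source address.
        Packet("campus", "192.0.2.51", 40003, "198.51.100.10", 80),
    ]
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for n, verdict in enumerate(run_scenario(), 1):
        print(n, verdict)
```

Packets 2 and 3 show the two cases the post asks about being handled by the same default-deny rule: one is addressed to the server's own external address, the other is routed through it, and both are dropped because neither a published port nor a known flow matches. Packets 4 to 6 show why connection tracking is needed: the reply in 5 is admitted only because the filter saw the LAN side open the flow, and the stray packet in 6 is dropped even though it comes from the same peer. The toy keeps flows forever and ignores TCP flags and timeouts; a real stateful firewall tracks both, which is one reason the earlier reply points at dedicated firewall software rather than plain port filtering.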
 