Bastion Host Firewall
20 October 2020
Limiting access to resources is a best practice for network management. In this article you learn one method of hardening an infrastructure, called a bastion host.
You harden the server during normal operations by removing its external IP address, which prevents any connection from the internet. During maintenance, you start a bastion host that does have an external IP address. You connect to the bastion host via SSH, and from there over the internal IP address to the server. Using firewall rules, you can restrict access further.
Launch an instance
In the Console, on the Navigation menu, click Compute Engine > VM instances. Click Create.
Specify the following, and leave the rest of the settings as default:
| Property | Value |
| --- | --- |
| Name | webserver |
| Region | us-central1 |
| Zone | us-central1-c |
| Firewall | Allow HTTP traffic |
Click Create.
Restrict firewall rule settings for SSH
The default configuration for a default or auto-mode network is to allow SSH access from any source IP address. Restrict access to your source IP address only, and see what happens when you attempt to connect from the GCP Console.
When you adjust the default SSH firewall rule to allow your IP address only, you might expect to still be able to SSH from the Console to your VM.
Edit the default SSH rule. In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-ssh rule, and then click Edit.
Specify the following, and leave the rest of the settings as default:
| Property | Value |
| --- | --- |
| Description | Allow SSH from my IP only |
| Source IP ranges | Remove 0.0.0.0/0, add [YOUR_IP_ADDRESS] |
Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads Updating firewall rule; you can continue when it closes).
Check connectivity. On the Navigation menu, click Compute Engine > VM instances. For webserver, click SSH to launch a terminal and connect.
What went wrong?
When connecting from your browser via SSH to an instance, you need to allow SSH from Cloud Platform resources, so you need to allow connections either from any IP address or from Google’s IP address list, which you can get from Google's public SPF records. If you want to limit SSH access to only your IP address, you need to SSH from a terminal session instead.
For this exercise, leaving SSH open to any connections is sufficient.
Reset the IP address range in the firewall rule
In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-ssh rule, and then click Edit.
Specify the following, and leave the rest of the settings as default:
| Property | Value |
| --- | --- |
| Description | Allow SSH from all IPs |
| Source IP ranges | Add 0.0.0.0/0 |
Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads Updating firewall rule; you can continue when it closes).
On the Navigation menu, click Compute Engine > VM instances. For webserver, click SSH to launch a terminal and connect. Leave the terminal open for the next task.
Install a simple web application
To simulate an internal application, install a simple web application on your instance. Then, you protect it by removing its internet access.
Download and set up a Web Server
In the webserver SSH terminal, update the package index:
sudo apt-get update
Install the apache2 package:
sudo apt-get install apache2 -y
To create a new default web page by overwriting the default, run the following:
echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' | sudo tee /var/www/html/index.html
Verify that the webserver is working. Test that your instance is serving traffic on its external IP. In the GCP Console, on the Navigation menu, click Compute Engine > VM instances.
For webserver, click the external IP to open in a new tab. You should see the “Hello World!” page you updated earlier.
Restrict firewall rule settings for HTTP
Restrict access to the web interface by changing the source IP address in the default-allow-http rule to your IP address.
Restrict HTTP access. In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-http rule, and then click Edit.
Specify the following, and leave the rest of the settings as default:
| Property | Value |
| --- | --- |
| Description | Allow HTTP from my IP only |
| Source IP ranges | Remove 0.0.0.0/0, add [YOUR_IP_ADDRESS] |
Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads Updating firewall rule; you can continue when it closes).
Check that you still have access to the web server. On the Navigation menu, click Compute Engine > VM instances. For webserver, click the external IP to open it in a new tab. You should still see the “Hello World!” page.
Restrict access to the VM from the internet
What’ll happen if you limit internet access to the VM?
- You won’t be able to access the Web server via http or ssh.
- From the command line you will be able to do SSH.
- From the console you will be able to do SSH.
- You can access the Web server via http.
Edit the VM properties
- Return to the VM instances page of the GCP Console.
- Click webserver to access the instance details.
- Click Edit.
- For Network interfaces, click the default network and change External IP from Ephemeral to None.
- Click Done.
- Click Save.
Try to access the VM
- First try HTTP: in the left pane, click VM instances. Notice that webserver no longer has a value under External IP.
- Then try SSH: for webserver, try to use the SSH link to launch a terminal and connect.
What happened?
The VM is no longer associated with an External IP. It is no longer reachable from the internet.
Launch another instance
Click Create instance.
Specify the following, and leave the rest of the settings as default:
| Property | Value |
| --- | --- |
| Name | bastion |
| Region | us-central1 |
| Zone | us-central1-c |
Click Create.
Connect to the bastion host via SSH and verify web server access
For bastion, click SSH to launch a terminal and connect. Verify that the webserver home page is accessible from bastion by running the following command:
curl webserver
Although the webserver is no longer associated with an external IP address, clients within your network still have the ability to view and use the web service over the internal IP address on this VM.
Connect to the webserver from the bastion SSH terminal, by running the following command:
ssh -a webserver
Type yes when asked whether to continue.
When instances do not have external IP addresses, they can only be reached by other instances on the same network or through a managed VPN gateway.
In this case, the bastion VM acts as the management and maintenance gateway to the webserver VM.
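As an added example (not part of the original lab, and not a Google API), the following Python model reproduces the access decisions walked through above: a firewall rule admits a source only if the source IP falls in one of its ranges, and a VM without an external IP is unreachable from outside the VPC regardless of rules. The addresses, the stand-in for Google's SSH-in-browser source, and the default-allow-internal rule on 10.128.0.0/9 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VPC_RANGE = ipaddress.ip_network("10.128.0.0/9")  # assumed auto-mode default network

@dataclass
class Rule:
    """VPC ingress rule: allow TCP `port` (None = all ports) from `source_ranges`."""
    name: str
    port: Optional[int]
    source_ranges: List[str]

    def allows(self, src_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return (self.port in (None, port)
                and any(ip in ipaddress.ip_network(c) for c in self.source_ranges))

@dataclass
class Instance:
    name: str
    internal_ip: str
    external_ip: Optional[str]  # None once External IP is changed to "None"

def reachable(inst: Instance, rules: List[Rule], src_ip: str, port: int) -> bool:
    """Can src_ip open TCP `port` on inst? A source outside the VPC needs the
    external IP; a source inside the VPC uses the internal IP."""
    if ipaddress.ip_address(src_ip) not in VPC_RANGE and inst.external_ip is None:
        return False  # no public address: nothing for the packet to reach
    return any(r.allows(src_ip, port) for r in rules)

def world_open_rules(rules: List[Rule]) -> List[str]:
    """Audit helper: rules whose source range is the entire IPv4 internet."""
    return sorted(r.name for r in rules
                  if any(ipaddress.ip_network(c).prefixlen == 0 for c in r.source_ranges))

# Constructed addresses (RFC 5737 documentation ranges), not real lab values.
MY_IP = "192.0.2.7"          # stands for [YOUR_IP_ADDRESS]
CONSOLE_IP = "198.51.100.9"  # stands for a Google-owned SSH-in-browser source
INTERNAL = Rule("default-allow-internal", None, [str(VPC_RANGE)])

def stage(ssh_sources: List[str], external: bool) -> dict:
    """One state of the lab: who can reach webserver over SSH (22) and HTTP (80)."""
    web = Instance("webserver", "10.128.0.2", "203.0.113.10" if external else None)
    rules = [Rule("default-allow-ssh", 22, ssh_sources),
             Rule("default-allow-http", 80, [MY_IP + "/32"]), INTERNAL]
    return {"console_ssh": reachable(web, rules, CONSOLE_IP, 22),
            "my_terminal_ssh": reachable(web, rules, MY_IP, 22),
            "my_http": reachable(web, rules, MY_IP, 80),
            "bastion_ssh": reachable(web, rules, "10.128.0.3", 22),
            "bastion_http": reachable(web, rules, "10.128.0.3", 80),
            "open_to_world": world_open_rules(rules)}
```

Note that `world_open_rules` still flags default-allow-ssh after the external IP is removed: taking the VM off the internet hides the exposure, but the permissive rule remains and should be tightened as well.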