Bastion Host Firewall

20 October 2020

Limiting access to resources is a best practice in network management. In this article you will learn one method of hardening an infrastructure: the bastion host.

You harden the server during normal operation by removing its external IP address, which prevents any connection from the internet. During maintenance you start a bastion host that does have an external IP address. You then connect to the bastion host via SSH, and from there to the server over its internal IP address. Using firewall rules, you can restrict access further.

Launch an instance

In the Console, on the Navigation menu, click Compute Engine > VM instances. Click Create.

Specify the following, and leave the rest of the settings as default:

Property    Value
Name        webserver
Region      us-central1
Zone        us-central1-c
Firewall    Allow HTTP traffic


Click Create.

Restrict firewall rule settings for SSH

The default configuration for a default or auto-mode network allows SSH access from any source IP address. Restrict it to your own source IP address only, then see what happens when you attempt to connect from the GCP Console.

When you adjust the default SSH firewall rule to allow only your IP address, you might expect to still be able to SSH from the Console to your VM.

Edit the default SSH rule. In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-ssh rule, and then click Edit.

Specify the following, and leave the rest of the settings as default:

Property            Value
Description         Allow SSH from my IP only
Source IP ranges    Remove 0.0.0.0/0; add [YOUR_IP_ADDRESS]


Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads "Updating firewall rule"; you can proceed once it closes).

Check connectivity. On the Navigation menu, click Compute Engine > VM instances. For webserver, click SSH to open a terminal and connect.

What went wrong?

To SSH to an instance from your browser, you have to allow SSH from Google Cloud Platform resources, so you must allow connections either from any IP address or from Google's IP address list, which you can obtain from its public SPF records. If you want to limit SSH access to only your IP address, you need to SSH from a terminal session instead.

For this exercise, leaving SSH open to all connections is sufficient.

Reset the IP address range in the firewall rule

In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-ssh rule, and then click Edit.

Specify the following, and leave the rest of the settings as default:

Property            Value
Description         Allow SSH from all IPs
Source IP ranges    Add 0.0.0.0/0


Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads "Updating firewall rule"; you can proceed once it closes).

On the Navigation menu, click Compute Engine > VM instances. For webserver, click SSH to launch a terminal and connect. Leave the terminal open for the next task.

Install a simple web application

To simulate an internal application, install a simple web application on your instance. You will then protect it by removing its internet access.

Download and set up a Web Server

In the webserver SSH terminal, update the package index:

sudo apt-get update

Install the apache2 package:

sudo apt-get install apache2 -y

To create a new default web page by overwriting the default, run the following:

echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' | sudo tee /var/www/html/index.html

Verify that the webserver is working. Test that your instance is serving traffic on its external IP. In the GCP Console, on the Navigation menu, click Compute Engine > VM instances.

For webserver, click the external IP to open in a new tab. You should see the “Hello World!” page you updated earlier.

Restrict firewall rule settings for HTTP

Restrict access to the web interface by changing the source IP address in the default-allow-http rule to your IP address.

Restrict HTTP access. In the GCP Console, on the Navigation menu, click VPC network > Firewall rules. Click the default-allow-http rule, and then click Edit.

Specify the following, and leave the rest of the settings as default:

Property            Value
Description         Allow HTTP from my IP only
Source IP ranges    Remove 0.0.0.0/0; add [YOUR_IP_ADDRESS]


Click Save. Wait until the firewall rule has been changed (the status in the bottom pane reads "Updating firewall rule"; you can proceed once it closes).

To check that you still have access to the web server, on the Navigation menu click Compute Engine > VM instances. For webserver, click the external IP to open it in a new tab. You should still see the “Hello World!” page.

Restrict access to the VM from the internet

What will happen if you restrict internet access to the VM?

  • You won’t be able to access the web server via HTTP or SSH.
  • From the command line you will be able to SSH.
  • From the console you will be able to SSH.
  • You can access the web server via HTTP.

Edit the VM properties

  • Return to the VM instances page of the GCP Console.
  • Click webserver to access the instance details.
  • Click Edit.
  • For Network interfaces, click the default network and change External IP from Ephemeral to None.
  • Click Done.
  • Click Save.

Try to access the VM

  • First try HTTP: In the left pane, click VM instances. Notice that webserver doesn’t have a value under External IP.
  • Try SSH: for webserver, try to use the SSH link to launch a terminal and connect.

What happened?

The VM is no longer associated with an External IP. It is no longer reachable from the internet.

Launch another instance

Click Create instance.

Specify the following, and leave the rest of the settings as default:

Property    Value
Name        bastion
Region      us-central1
Zone        us-central1-c


Click Create.

Connect to the bastion host via SSH and verify web server access

For bastion, click SSH to open a terminal and connect. Verify that the webserver home page is accessible from bastion by running the following command:

curl webserver

Although the webserver is no longer associated with an external IP address, clients within your network still have the ability to view and use the web service over the internal IP address on this VM.

Connect to the webserver from the bastion SSH terminal, by running the following command:

ssh -a webserver

Type yes when asked whether to continue connecting.

When instances do not have external IP addresses, they can be reached only by other instances on the same network or through a managed VPN gateway.

In this case, the bastion VM serves as the management and maintenance host for the webserver VM.
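The following toy model, added here and not part of the lab, walks through both effects described above: why restricting default-allow-ssh to your own IP breaks SSH from the Console (the "What went wrong?" section) while terminal SSH still works, and why a VM without an external IP is unreachable from the internet yet still reachable from bastion over the internal address. All addresses are constructed stand-ins (IETF documentation ranges), and the model deliberately ignores rule priority, deny rules and egress.

```python
# Toy model of the ingress firewall behaviour this article walks through.
# Addresses are IETF documentation ranges standing in for your IP, for a
# Google SSH-in-browser source and for external IPs; rule priority, deny
# rules and egress are ignored (ingress allow rules plus implied deny only).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
MY_IP = "203.0.113.7"              # stand-in for [YOUR_IP_ADDRESS]
BROWSER_SSH_SRC = "198.51.100.20"  # stand-in for a Google-owned source address
INTERNAL_NET = "10.128.0.0/9"      # default auto-mode network range

@dataclass
class Rule:
    name: str
    source_ranges: list                            # CIDR strings
    ports: set                                     # TCP ports; {"*"} = any
    target_tags: set = field(default_factory=set)  # empty = all instances
@dataclass
class Instance:
    name: str
    internal_ip: str
    external_ip: Optional[str] = None
    tags: set = field(default_factory=set)

def rule_allows(rule, src_ip, port, inst):
    if rule.target_tags and not (rule.target_tags & inst.tags):
        return False
    if "*" not in rule.ports and port not in rule.ports:
        return False
    return any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges)

def reachable(rules, src_ip, inst, port, via="external"):
    # No external IP means no internet path at all, whatever the rules say.
    if via == "external" and inst.external_ip is None:
        return False
    return any(rule_allows(r, src_ip, port, inst) for r in rules)

def default_rules(ssh_sources):
    return [Rule("default-allow-internal", [INTERNAL_NET], {"*"}),
            Rule("default-allow-ssh", ssh_sources, {22}),
            Rule("default-allow-http", ["0.0.0.0/0"], {80}, {"http-server"})]

def walkthrough():
    web = Instance("webserver", "10.128.0.2", "192.0.2.10", {"http-server"})
    bastion = Instance("bastion", "10.128.0.3", "192.0.2.11")
    open_ssh, my_ip_only = default_rules(["0.0.0.0/0"]), default_rules([MY_IP])
    out = {"browser_ssh_open": reachable(open_ssh, BROWSER_SSH_SRC, web, 22),
           "browser_ssh_restricted": reachable(my_ip_only, BROWSER_SSH_SRC, web, 22),
           "terminal_ssh_restricted": reachable(my_ip_only, MY_IP, web, 22)}
    web.external_ip = None  # final step: webserver loses its external IP
    out["internet_http"] = reachable(open_ssh, MY_IP, web, 80)
    out["bastion_http"] = reachable(open_ssh, bastion.internal_ip, web, 80, "internal")
    out["bastion_ssh"] = reachable(open_ssh, bastion.internal_ip, web, 22, "internal")
    return out
```

Calling walkthrough() returns one boolean per scenario; the two browser-SSH entries differ only in the source range on default-allow-ssh, which is exactly the change made in the "Restrict firewall rule settings for SSH" step.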