From: David Trott <linux@davidtrott.com>
To: "robert.cole@support4linux.com" <robert.cole@support4linux.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: 3 part firewall
Date: Wed, 21 May 2003 03:35:04 -0700
Message-ID: <1053513304.3ecb56581fbec@www.mailshell.com>
In-Reply-To: <200305202342.51581.robert.cole@support4linux.com>

Hi Robert,

A strategy that might work is to get the NAT and routing working first
then lock everything down.

Assuming:
Your external IP range is: 1.2.3.*
Your internal IP range is: 10.*.*.*
Your DMZ IP range is: 192.168.1.*

And your interface addresses are:
eth0: 1.2.3.1
eth1: 10.1.1.1
eth2: 192.168.1.1

I would try the following.

--- Begin ---

#!/bin/sh

# Disable the filter till we get things working
iptables -t filter -F
iptables -t filter -P INPUT        ACCEPT
iptables -t filter -P FORWARD      ACCEPT
iptables -t filter -P OUTPUT       ACCEPT

# NAT Policy - do nothing
iptables -t nat -F
iptables -t nat -P PREROUTING   ACCEPT
iptables -t nat -P OUTPUT       ACCEPT
iptables -t nat -P POSTROUTING  ACCEPT

# Bi-directional nat (in then out) for one host in DMZ
iptables -t nat -A PREROUTING  -i eth0 -d 1.2.3.4     -j DNAT --to-destination 192.168.1.4
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.4 -j SNAT --to-source      1.2.3.4

# All remaining outbound traffic will be nat'ed to the firewall address
# This is a catch all rule hence it must come after the host specific nats.
# It only matches packets leaving on eth0, so LAN <-> DMZ traffic (eth1/eth2)
# is routed without any translation.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.1

# Make sure forwarding is on
echo 1 > /proc/sys/net/ipv4/ip_forward

--- End ---

Assuming that works, all you have to do is change the INPUT and FORWARD
filter policies to DROP (at your option you can also change the OUTPUT
filter). Then add the rules for the services you want to allow.

If you want to use a GUI to create your rules you may want to take out
any NAT information from the GUI and just use it to build your filter
rules. iptables has a very clean design, so you should be able to lock
down your system without having to touch any of your NAT rules.

If this doesn't work, either I have made a mistake or there is a problem
with your routing:
All of your internal hosts should have their default gateway set to 10.1.1.1
All of your DMZ hosts should have their default gateway set to 192.168.1.1

Hence if things aren’t working it’s probably a problem with your
upstream router not sending the packets to your firewall correctly.

I hope this gets you started,
David


From Robert Cole <robert.cole@support4linux.com> on 20 May 2003:

> Like David T I'm a bit frustrated myself. :)
>
> The flexibility of iptables has got me pulling my hair out. Here's what I
> would like to do:
>
> I have a server that has 3 real interfaces (no aliases). eth0 is the
> public, eth1 is the private and eth2 is the DMZ interface. All the books
> and docs I've seen so far work with only two interfaces and trying to
> adapt those scripts is giving me a headache.
>
> I want to allow all private traffic out to the internet through PAT (port
> address translation). But when going from the LAN to the DMZ I want no
> nat or pat going on, only when leaving to the internet.
>
> Next I would like a strict rule that allows another public IP to be 1 to
> 1 nat'd from the public interface to a server out the DMZ interface.
>
> I've got the new riders second edition of the linux firewalls book and
> tons of howto's and yet I'm having trouble putting together this simple
> firewall.
>
> I'm currently using narc to setup the firewall and it appears to work to
> get basic internet bound traffic from the lan and I can get to the DMZ
> from the LAN without translation so I'm close here but getting the 1 to 1
> NAT working is causing me grief.
>
> Any ideas?
>
> Thanks,
> Robert

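The lock-down step David describes (switch INPUT and FORWARD to DROP, then add the allow rules), written out as an added example that is not part of the thread. It reuses the addresses and interfaces assumed above; the DMZ service ports (80, 443) and the SSH-from-LAN rule are assumptions for illustration. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Phase 2: lock down the filter table once the NAT script above works.
# Addresses and interfaces are the ones assumed in the thread; the DMZ
# service ports and the LAN-only SSH rule are assumptions for this example.
IPT="${IPT:-iptables}"

EXT=eth0; LAN=eth1; DMZ=eth2
LAN_NET=10.0.0.0/8
DMZ_NET=192.168.1.0/24
DMZ_HOST=192.168.1.4        # the 1:1 NAT'd host (public address 1.2.3.4)
DMZ_PORTS="80 443"          # assumed services exposed on that host

lockdown() {
    # Clean filter table, default deny for traffic to and through the box
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # Stateful: replies to anything permitted below are allowed back
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Manage the firewall itself from the LAN only
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # LAN may initiate to the internet (SNAT'd by the catch-all POSTROUTING
    # rule) and to the DMZ (no NAT: that rule only matches -o eth0)
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $DMZ_NET -j ACCEPT

    # Internet -> DMZ host: DNAT in PREROUTING has already rewritten
    # 1.2.3.4 to 192.168.1.4, so the filter rule must match the internal address
    for p in $DMZ_PORTS; do
        $IPT -A FORWARD -i $EXT -o $DMZ -d $DMZ_HOST -p tcp --dport "$p" \
             -m state --state NEW -j ACCEPT
    done
    # DMZ -> LAN is never allowed to initiate; the FORWARD DROP policy covers it
}

# Dry run: returns the generated rule list without touching the kernel
dry_run() { IPT=echo; lockdown; }
```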
