* 3 part firewall
From: Robert Cole @ 2003-05-21 6:42 UTC
To: netfilter
Like David T I'm a bit frustrated myself. :)
The flexibility of iptables has got me pulling my hair out. Here's what I would
like to do:
I have a server that has 3 real interfaces (no aliases). eth0 is the public,
eth1 is the private and eth2 is the DMZ interface. All the books and docs
I've seen so far work with only two interfaces and trying to adapt those
scripts is giving me a headache.
I want to allow all private traffic out to the internet through PAT (port
address translation). But when going from the LAN to the DMZ I want no nat or
pat going on, only when leaving to the internet.
Next I would like a strict rule that allows another public IP to be 1 to 1
nat'd from the public interface to a server out the DMZ interface.
I've got the New Riders second edition of the Linux Firewalls book and tons of
howtos and yet I'm having trouble putting together this simple firewall.
I'm currently using narc to setup the firewall and it appears to work to get
basic internet bound traffic from the lan and I can get to the DMZ from the
LAN without translation so I'm close here but getting the 1 to 1 NAT working
is causing me grief.
Any ideas?
Thanks,
Robert
* Re: 3 part firewall
From: Julian Gomez @ 2003-05-21 10:08 UTC
To: netfilter

On Tue, May 20, 2003 at 11:42:51PM -0700, Robert Cole spoke thusly:
> I have a server that has 3 real interfaces (no aliases). eth0 is the
> public, eth1 is the private and eth2 is the DMZ interface. All the books
> and docs I've seen so far work with only two interfaces and trying to
> adapt those scripts is giving me a headache.

You did not supply any real IP addresses to go with it. Therefore, I'll
assume it like so:

eth0 - 1.1.1.1
eth1 - 192.168.250.0/24
eth2 - 172.30.55.0/24

and the eth0 IP is static.

> I want to allow all private traffic out to the internet through PAT (port
> address translation). But when going from the LAN to the DMZ I want no nat
> or pat going on, only when leaving to the internet.

Hmm, I don't think we hold the same definition for PAT. In any case, if you
merely want normal SNAT / MASQ, do it like so.

/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

/sbin/iptables -A FORWARD -p all -s 192.168.250.0/24 -d 0/0 -j ACCEPT
# -o eth0 limits the SNAT to packets leaving to the internet, so LAN -> DMZ
# traffic stays untranslated
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p all -j SNAT --to-source \
    1.1.1.1

/sbin/iptables -A OUTPUT -p all -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

> Next I would like a strict rule that allows another public IP to be 1 to 1
> nat'd from the public interface to a server out the DMZ interface.

/sbin/iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 1.1.1.1 \
    --dport 12345 -j DNAT --to-destination 172.30.55.100:12345
# FORWARD sees the packet after DNAT, so it must match the translated port
/sbin/iptables -A FORWARD -p tcp -s 0/0 -d 172.30.55.100 --dport 12345 \
    -j ACCEPT

> I'm currently using narc to setup the firewall and it appears to work to
> get basic internet bound traffic from the lan and I can get to the DMZ
> from the LAN without translation so I'm close here but getting the 1 to 1
> NAT working is causing me grief.

Haven't used narc, can't comment. The aforementioned rules can be tightened
some more, depending on your overall situation.
* Re: 3 part firewall
From: Oskar Andreasson @ 2003-05-21 11:00 UTC
To: robert.cole@support4linux.com; +Cc: netfilter

Hi Robert,

Hmmm, there should actually be an abundance of those kinds of scripts, if I'm
not totally off base :). I have at least one script that should do almost
exactly what you want in the iptables tutorial at
http://iptables-tutorial.frozentux.net.

I hope this is of some help.

Have a nice day,

Oskar Andreasson <oan@frozentux.net>
* Re: 3 part firewall
From: David Trott @ 2003-05-21 10:35 UTC
To: robert.cole@support4linux.com; +Cc: netfilter

Hi Robert,

A strategy that might work is to get the NAT and routing working first, then
lock everything down.

Assuming:
Your external IP range is: 1.2.3.*
Your internal IP range is: 10.*.*.*
Your DMZ IP range is: 192.168.1.*

And your interface addresses are:
eth0: 1.2.3.1
eth1: 10.1.1.1
eth2: 192.168.1.1

I would try the following.

--- Begin ---
#!/bin/sh

# Disable the filter till we get things working
iptables -t filter -F
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT

# NAT Policy - do nothing
iptables -t nat -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Bi-directional nat (in then out) for one host in DMZ
iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j DNAT --to-destination 192.168.1.4
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.4 -j SNAT --to-source 1.2.3.4

# All remaining outbound traffic will be nat'ed to the firewall address
# This is a catch all rule hence it must come after the host specific nats.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.1

# Make sure forwarding is on
echo 1 > /proc/sys/net/ipv4/ip_forward
--- End ---

Assuming that works, all you have to do is change the INPUT and FORWARD filter
policies to DROP (at your option you can also change the OUTPUT filter). Then
add the rules for the services you want to allow.

If you want to use a GUI to create your rules you may want to take out any NAT
information from the GUI and just use it to build your filter rules. iptables
has a very clean design, so you should be able to lock down your system
without having to touch any of your NAT rules.

If this doesn't work either I have made a mistake or there is a problem with
your routing:
All of your internal hosts should have their default gateway set to 10.1.1.1
All of your DMZ hosts should have their default gateway set to 192.168.1.1
Hence if things aren't working it's probably a problem with your upstream
router not sending the packets to your firewall correctly.

I hope this gets you started,

David
* Re: 3 part firewall
From: Ralf Spenneberg @ 2003-05-21 19:15 UTC
To: robert.cole; +Cc: Netfilter

On Wed, 2003-05-21 at 08:42, Robert Cole wrote:
> Like David T I'm a bit frustrated myself. :)

Ok. let's see.

> The flexibility of iptables has got me pulling my hair out. Here's what I would
> like to do:
>
> I have a server that has 3 real interfaces (no aliases). eth0 is the public,
> eth1 is the private and eth2 is the DMZ interface. All the books and docs
> I've seen so far work with only two interfaces and trying to adapt those
> scripts is giving me a headache.
>
> I want to allow all private traffic out to the internet through PAT (port
> address translation). But when going from the LAN to the DMZ I want no nat or
> pat going on, only when leaving to the internet.

Ok.

DMZ_DEV=eth2
PRV_DEV=eth1
PUB_DEV=eth0

# making up the network, replace as needed.
PRV_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24

# NAT rules
iptables -t nat -A POSTROUTING -s $PRV_NET -o $PUB_DEV -j MASQUERADE

> Next I would like a strict rule that allows another public IP to be 1 to 1
> nat'd from the public interface to a server out the DMZ interface.

PUB_IP=128.176.0.12
DMZ_IP=192.168.1.15

# DNAT (and the -i match) only work in PREROUTING; the SNAT line maps the
# host's outbound traffic back to its public IP so the NAT is really 1 to 1
iptables -t nat -A PREROUTING -i $PUB_DEV -d $PUB_IP -j DNAT --to $DMZ_IP
iptables -t nat -A POSTROUTING -o $PUB_DEV -s $DMZ_IP -j SNAT --to $PUB_IP

So far we have set up the NAT rules, now the filtering.

# Allow all established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic from the private network to the DMZ
iptables -A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
# Allow traffic from the private network to the internet
iptables -A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -d 0/0 -m state --state NEW -j ACCEPT
# Allow traffic from the outside to the one machine on the DMZ
iptables -A FORWARD -i $PUB_DEV -o $DMZ_DEV -s 0/0 -d $DMZ_IP -m state --state NEW -j ACCEPT

# Close everything else (you might want to move these rules to the beginning)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Be aware that you cannot access the firewall anymore and the firewall cannot access any other machine.

# Turn on forwarding
sysctl -w net.ipv4.ip_forward=1

> Any ideas?

This should get you going. Email again if you've got problems.

Cheers,

Ralf
--
Ralf Spenneberg RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
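The replies above each supply one piece of the three-interface setup (SNAT pinned to eth0, the DNAT/SNAT pair for the 1:1 host, the catch-all ordering, interface-restricted FORWARD rules). The script below, added here as an example and not code from any of the posters, puts them together in one loadable form and adds two things the thread only implies: anti-spoofing drops on eth0 and no rule at all for DMZ-initiated connections into the LAN. Interface roles follow Robert's layout; every address is a constructed placeholder, and IPT=echo is an assumed dry-run convention so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Three-interface firewall: eth0 public, eth1 LAN, eth2 DMZ (added example).
# All addresses are constructed placeholders; substitute your own.
IPT=${IPT:-iptables}      # IPT=echo prints the rules instead of loading them
SYSCTL=${SYSCTL:-sysctl}
PUB_DEV=eth0; PRV_DEV=eth1; DMZ_DEV=eth2
PUB_IP=203.0.113.1        # firewall's own public address; LAN hosts hide behind it
PRV_NET=10.1.1.0/24
DMZ_NET=192.168.1.0/24
DMZ_HOST=192.168.1.4      # DMZ server that gets its own public address
DMZ_PUB=203.0.113.4       # second public IP, mapped 1:1 onto DMZ_HOST

load_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # replies to connections already allowed
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anti-spoofing: internal source addresses never arrive on the public side
    $IPT -A FORWARD -i $PUB_DEV -s $PRV_NET -j DROP
    $IPT -A FORWARD -i $PUB_DEV -s $DMZ_NET -j DROP
    # LAN may open connections to the internet and to the DMZ; the DMZ gets
    # no rule towards the LAN, so the FORWARD policy DROP covers it
    $IPT -A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
    # from outside, only the published host and only its service port
    $IPT -A FORWARD -i $PUB_DEV -o $DMZ_DEV -d $DMZ_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # 1:1 NAT: DNAT inbound in PREROUTING, SNAT outbound in POSTROUTING.
    # Both are pinned to eth0, so LAN<->DMZ traffic is never translated.
    $IPT -t nat -A PREROUTING  -i $PUB_DEV -d $DMZ_PUB  -j DNAT --to-destination $DMZ_HOST
    $IPT -t nat -A POSTROUTING -o $PUB_DEV -s $DMZ_HOST -j SNAT --to-source $DMZ_PUB
    # catch-all for everything else leaving eth0; it must come AFTER the 1:1
    # SNAT or the DMZ host would be hidden behind PUB_IP as well
    $IPT -t nat -A POSTROUTING -o $PUB_DEV -j SNAT --to-source $PUB_IP
    # nat does nothing until the kernel forwards packets
    $SYSCTL -w net.ipv4.ip_forward=1
}

# "sh fw.sh apply" loads the rules (as root); anything else only prints them
if [ "${1:-}" = apply ]; then load_rules; else ( IPT=echo; SYSCTL=echo; load_rules ); fi
```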