Re: 3 part firewall

[Oskar Andreasson <oan@frozentux.net>]

Hi Robert,

Hmmm, there should actually be an abundant of those kind of scripts, if
I'm not totally offbase :).

I have at least one script that should do almost exactly what you want
in the iptables tutorial at http://iptables-tutorial.frozentux.net. I
hope this is of some help.

Have a nice day,

Oskar Andreasson <oan@frozentux.net>


On Wed, 2003-05-21 at 12:08, Julian Gomez wrote:
> On Tue, May 20, 2003 at 11:42:51PM -0700, Robert Cole spoke thusly:
> >I have a server that has 3 real interfaces (no aliases). eth0 is the
> >public, eth1 is the private and eth2 is the DMZ interface. All the books
> >and docs I've seen so far work with only two interfaces and trying to
> >adapt those scripts is giving me a headache.
> 
> You did not supply any real IP addresses to go with it. Therefore, I'll
> assume it like so :
> 
> eth0	- 1.1.1.1
> eth1	- 192.168.250.0/24
> eth2	- 172.30.55.0/24
> 
> and the eth0 IP is static.
> 
> >I want to allow all private traffic out to the internet through PAT (port
> >address translation). But when going from the LAN to the DMZ I want no nat
> >or pat going on, only when leaving to the internet. 
> 
> Hmm, I don't think we hold the same definition for PAT. In any case, if you
> merely want normal SNAT / MASQ, do it like so.
> 
> /sbin/iptables -F
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> 
> /sbin/iptables -A FORWARD -p all -s 192.168.250.0/24 -d any/0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -p all -j SNAT --to-source \
>                1.1.1.1
> 
> /sbin/iptables -A OUTPUT -p all -m state --state ESTABLISHED,RELATED \
>                -j ACCEPT
> /sbin/iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED \
>                -j ACCEPT
> /sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED \
>                -j ACCEPT
> 
> >Next I would like a strict rule that allows another public IP to be 1 to 1 
> >nat'd from the public interface to a server out the DMZ interface.
> 
> /sbin/iptables -t nat -A PREROUTING -p tcp -s any/0 -d 1.1.1.1 \
>                --dport 12345 -j DNAT --to-destination 172.30.55.100:12345
> 
> /sbin/iptables -A FORWARD -p tcp -s any/0 -d 172.30.55.100 --dport 22 \
>                -j ACCEPT
> 
> >I'm currently using narc to setup the firewall and it appears to work to
> >get basic internet bound traffic from the lan and I can get to the DMZ
> >from the LAN without translation so I'm close here but getting the 1 to 1
> >NAT working is causing me grief.
> 
> Haven't use narc, can't comment. The aforementioned rules can be tightened
> somemore, depending on your overall situation.
>