* server in DMZ
@ 2004-09-02 2:50 Payal Rathod
2004-09-02 3:04 ` Jason Opperisano
2004-09-02 3:05 ` John A. Sullivan III
0 siblings, 2 replies; 12+ messages in thread
From: Payal Rathod @ 2004-09-02 2:50 UTC (permalink / raw)
To: Netfilter ML
Hi,
I have a small webserver in DMZ at 10.10.10.3 where we load our designs.
I want to allow access to its port 80 only from local LAN (via a squid
proxy on the gateway machine) and my client's office at 1.2.3.4.
Right now I can see it from all over the world, but I do want to restrict
the access. Remember that, as now, I want to continue accessing the DMZ machine
using its public IP and not just 10.10.10.3 IP even from inside the LAN.
What do I do in such case?
Thanks a lot for the help in advance.
With warm regards,
-Payal
p.s. is DMZ pronounced as DMZ or DMZee?
* Re: server in DMZ
From: Jason Opperisano @ 2004-09-02 3:04 UTC (permalink / raw)
To: netfilter
On Wed, 2004-09-01 at 22:50, Payal Rathod wrote:
> Hi,
> I have a small webserver in DMZ at 10.10.10.3 where we load our designs.
> I want to allow access to its port 80 only from local LAN (via a squid
> proxy on the gateway machine) and my client's office at 1.2.3.4.
i assume the squid proxy can already fetch content from the web server
in the DMZ for your LAN--if this is not the case, please post your
current rules:
iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL
allowing access from the outside:
iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
-s 1.2.3.4 --sport 1024:65535 -d 10.10.10.3 --dport 80 \
-j ACCEPT
> Right now I can see it from all over the world, but I do want to restrict
> the access. Remember that, as now, I want to continue accessing the DMZ machine
> using its public IP and not just 10.10.10.3 IP even from inside the LAN.
> What do I do in such case?
looks like the topic of the week is split-dns...
-j
--
Jason Opperisano <opie@817west.com>
* Re: server in DMZ
From: Payal Rathod @ 2004-09-02 3:17 UTC (permalink / raw)
To: Netfilter ML
On Wed, Sep 01, 2004 at 11:04:56PM -0400, Jason Opperisano wrote:
> i assume the squid proxy can already fetch content from the web server
> in the DMZ for your LAN--if this is not the case; please post your
> current rules:
Yes, it can access the DMZ using public IP right now. Now I want something
very simple, I want to allow only the client to access the machine.
> iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
> -s 1.2.3.4 --sport 1024:65535 -d 10.10.10.3 --dport 80 \
> -j ACCEPT
Can you make this a bit simpler? I am not too worried about security of
designs (no need for VPN). I just want only the client's IP to access it.
Right now I have,
-A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
5.6.7.8 is my external IP of the DMZ machine.
I am afraid if I give it as,
-A PREROUTING -s 1.2.3.4 -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
it will block access from my local LAN also via the squid proxy and yes
the gateway (squid proxy) machine does have 3 cards.
With warm regards,
-Payal
* Re: server in DMZ
From: Jason Opperisano @ 2004-09-02 3:24 UTC (permalink / raw)
To: netfilter
On Wed, 2004-09-01 at 23:17, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:04:56PM -0400, Jason Opperisano wrote:
> > i assume the squid proxy can already fetch content from the web server
> > in the DMZ for your LAN--if this is not the case; please post your
> > current rules:
>
> Yes, it can access the DMZ using public IP right now. Now I want something
> very simple, I want to allow only the client to access the machine.
>
> > iptables -A FORWARD -i $extIf -o $dmzIf -p tcp --syn \
> > -s 1.2.3.4 --sport 1024:65535 -d 10.10.10.3 --dport 80 \
> > -j ACCEPT
>
> Can you make this a bit simpler? I am not too worried about security of
> designs (no need for VPN). I just want only the client's IP to access it.
> Right now I have,
> -A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
i can simplify it to:
-A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
the rules i post in my responses mimic the rules that i actually use on
my firewalls--i don't mean to over-complicate things...
> 5.6.7.8 is my external IP of the DMZ machine.
>
> I am afraid if I give it as,
> -A PREROUTING -s 1.2.3.4 -d 5.6.7.8 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.3
>
> it will block access from my local LAN also via the squid proxy and yes
> the gateway (squid proxy) machine does have 3 cards.
yes--you're probably right that it would break access from the local LAN
in your current configuration
-j
--
Jason Opperisano <opie@817west.com>
* Re: server in DMZ
From: Payal Rathod @ 2004-09-02 3:51 UTC (permalink / raw)
To: Netfilter ML
On Wed, Sep 01, 2004 at 11:24:41PM -0400, Jason Opperisano wrote:
> i can simplify it to:
>
> -A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
Ok easy enough I guess :)
> > it will block access from my local LAN also via the squid proxy and yes
> > the gateway (squid proxy) machine does have 3 cards.
>
> yes--you're probably right that it would break access from the local LAN
> in your current configuration
So, what do I do for such a case?
-Payal
* Re: server in DMZ
From: John A. Sullivan III @ 2004-09-02 3:54 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter ML
On Wed, 2004-09-01 at 23:51, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:24:41PM -0400, Jason Opperisano wrote:
> > i can simplify it to:
> >
> > -A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
>
> Ok easy enough I guess :)
>
> > > it will block access from my local LAN also via the squid proxy and yes
> > > the gateway (squid proxy) machine does have 3 cards.
> >
> > yes--you're probably right that it would break access from the local LAN
> > in your current configuration
>
> So, what do I do for such a case?
>
> -Payal
I think you have confused the issues. Do not put the source match in
the PREROUTING rule (thus your squid access from the local LAN will not
break). Do put the source match in the FORWARD rule. That will
restrict outside access to only 1.2.3.4. I assume there is already a
FORWARD rule that allows access from the LAN. Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: server in DMZ
From: Payal Rathod @ 2004-09-02 4:08 UTC (permalink / raw)
To: Netfilter ML
On Wed, Sep 01, 2004 at 11:54:55PM -0400, John A. Sullivan III wrote:
> I think you have confused the issues. Do not put the source match in
> the PREROUTING rule (thus your squid access from the local LAN will not
> break). Do put the source match in the FORWARD rule. That will
> restrict outside access to only 1.2.3.4. I assume there is already a
> FORWARD rule that allows access from the LAN. Hope this helps - John
So, you mean I keep the PREROUTING rule as before and make
-A FORWARD -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
to
-A FORWARD -s 5.6.7.8 -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
But will this not forward requests from my squid proxy server too?
-Payal
* Re: server in DMZ
From: John A. Sullivan III @ 2004-09-02 4:21 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter ML
On Thu, 2004-09-02 at 00:08, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:54:55PM -0400, John A. Sullivan III wrote:
>
> > I think you have confused the issues. Do not put the source match in
> > the PREROUTING rule (thus your squid access from the local LAN will not
> > break). Do put the source match in the FORWARD rule. That will
> > restrict outside access to only 1.2.3.4. I assume there is already a
> > FORWARD rule that allows access from the LAN. Hope this helps - John
>
> So, you mean I keep the PREROUTING rule as before and make
> -A FORWARD -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
> to
> -A FORWARD -s 5.6.7.8 -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
>
> But will this not forward requests from my squid proxy server too?
>
> -Payal
That's right - I keep forgetting that you are using Squid. As I
mentioned, I'm a little rusty on Squid configuration. How is the
traffic getting to Squid? If I recall correctly, I usually do it with a
REDIRECT. That means there needs to be a rule to allow the traffic to
Squid (it sounds like there already is one because access is working).
However, at that point, doesn't the Squid ACL list take over? If I
recall, there is a section in the Squid configuration file where one
specifies which addresses are allowed what access - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: server in DMZ
From: Jason Opperisano @ 2004-09-02 13:13 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-02 at 00:08, Payal Rathod wrote:
> On Wed, Sep 01, 2004 at 11:54:55PM -0400, John A. Sullivan III wrote:
>
> > I think you have confused the issues. Do not put the source match in
> > the PREROUTING rule (thus your squid access from the local LAN will not
> > break). Do put the source match in the FORWARD rule. That will
> > restrict outside access to only 1.2.3.4. I assume there is already a
> > FORWARD rule that allows access from the LAN. Hope this helps - John
>
> So, you mean I keep the PREROUTING rule as before and make
> -A FORWARD -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
> to
> -A FORWARD -s 5.6.7.8 -d 10.10.10.3 -p tcp -m tcp --dport 80 -j ACCEPT
>
> But will this not forward requests from my squid proxy server too?
>
> -Payal
i think there's some confusion here...there are three rules involved in
this scenario:
(1) NAT rule that maps port 80 on the outside to port 80 on your DMZ
server:
-A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 \
-j DNAT --to-destination 10.10.10.3
(2) FILTER rule that allows external access to server in DMZ from client
IP:
-A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
(3) FILTER rule that allows squid proxy running directly on your
firewall to fetch content from server in DMZ:
-A OUTPUT -p tcp -d 10.10.10.3 --dport 80 -j ACCEPT
remember: packets passing through the firewall are filtered by FORWARD,
packets coming from the firewall are filtered by OUTPUT.
-j
--
Jason Opperisano <opie@817west.com>
* Re: server in DMZ
From: Payal Rathod @ 2004-09-02 19:04 UTC (permalink / raw)
To: Netfilter ML
On Thu, Sep 02, 2004 at 09:13:25AM -0400, Jason Opperisano wrote:
> i think there's some confusion here...there are three rules involved in
> this scenario:
Yes, I already have the 3 rules. The only thing I am worrying about
is how do I let my internal LAN users access the DMZ machine using
its public IP if I use the 3 rules given by you below. The below rules
will effectively block all traffic except from 1.2.3.4 and my LAN users
are on 192.168.x.x series and using squid as their proxy.
(squid machine is the gateway/firewall machine itself)
-Payal
>
> (1) NAT rule that maps port 80 on the outside to port 80 on your DMZ
> server:
>
> -A PREROUTING -d 5.6.7.8 -p tcp -m tcp --dport 80 \
> -j DNAT --to-destination 10.10.10.3
>
> (2) FILTER rule that allows external access to server in DMZ from client
> IP:
>
> -A FORWARD -p tcp -s 1.2.3.4 -d 10.10.10.3 --dport 80 -j ACCEPT
>
> (3) FILTER rule that allows squid proxy running directly on your
> firewall to fetch content from server in DMZ:
>
> -A OUTPUT -p tcp -d 10.10.10.3 --dport 80 -j ACCEPT
>
> remember: packets passing through the firewall are filtered by FORWARD,
> packets coming from the firewall are filtered by OUTPUT.
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>
* Re: server in DMZ
From: Jason Opperisano @ 2004-09-02 19:17 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-02 at 15:04, Payal Rathod wrote:
> On Thu, Sep 02, 2004 at 09:13:25AM -0400, Jason Opperisano wrote:
> > i think there's some confusion here...there are three rules involved in
> > this scenario:
>
> Yes, I already have the 3 rules. The only thing I am worrying about
> is how do I let my internal LAN users access the DMZ machine using
> its public IP if I use the 3 rules given by you below. The below rules
> will effectively block all traffic except from 1.2.3.4
no. please review the differences between INPUT, FORWARD, and OUTPUT.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
the request from your LAN users only traverses the INPUT chain for the
request to the squid proxy.
the request from the squid proxy then traverses the OUTPUT chain to
fetch content from the web server.
LAN -> SQUID -> Web Server *never* enters the FORWARD chain.
the rule you are worrying about is in the FORWARD chain.
-j
--
Jason Opperisano <opie@817west.com>
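The chain-traversal point Jason makes above (LAN -> squid is INPUT, squid -> web server is OUTPUT, only client -> web server passes through FORWARD), and Payal's earlier worry that a source match would break the proxy path, can be checked against a small model. The script below is an added example, not code from the thread: it emits the three rules the thread converges on, plus the pieces a working gateway needs around them, and it contains two pure-shell functions that predict which chain a flow hits and what rule (2) does with it, so the rule set can be reasoned about before it is loaded. Interface names (eth0/eth1/eth2), the gateway's own addresses (10.10.10.1, 192.168.1.1), the LAN range 192.168.0.0/16, squid's port 3128 and the `-m conntrack` match are all assumptions; the thread gives none of them. Two caveats the thread leaves implicit are made explicit here: rule (2) only restricts anything if FORWARD does not already accept by default, hence the DROP policy, and matching `-i eth0` in rule (2) means a LAN host that bypasses squid and talks to 5.6.7.8 directly is also dropped, which is what the stated requirement (LAN via proxy only) calls for. The INPUT and OUTPUT policies are left untouched.

```shell
#!/bin/sh
# Added example, not code from the thread. Models the netfilter chain a flow
# traverses on the gateway and prints the rule set discussed in the thread.
# Interface names, gateway addresses, LAN range and squid port are assumptions.
EXT_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
EXT_IP=5.6.7.8          # public address of the DMZ web server (from the thread)
GW_DMZ_IP=10.10.10.1    # assumed: gateway's own address on the DMZ leg
GW_LAN_IP=192.168.1.1   # assumed: gateway's own address on the LAN leg
DMZ_IP=10.10.10.3       # web server (from the thread)
CLIENT=1.2.3.4          # client's office (from the thread)
LAN_NET=192.168.0.0/16  # assumed: the thread only says 192.168.x.x
SQUID_PORT=3128         # assumed: squid's default listening port

# is_local ADDR: true when ADDR belongs to the gateway itself
is_local() {
    case "$1" in
        "$EXT_IP"|"$GW_DMZ_IP"|"$GW_LAN_IP") return 0 ;;
        *) return 1 ;;
    esac
}

# post_dnat DST: destination after nat/PREROUTING rule (1) has rewritten it
post_dnat() {
    if [ "$1" = "$EXT_IP" ]; then echo "$DMZ_IP"; else echo "$1"; fi
}

# chain_for SRC DST: the filter chain a packet SRC->DST is checked in on the
# gateway. Pass the post-DNAT destination: nat/PREROUTING runs before the
# routing decision that chooses between INPUT and FORWARD.
chain_for() {
    if is_local "$1"; then echo OUTPUT
    elif is_local "$2"; then echo INPUT
    else echo FORWARD
    fi
}

# forward_verdict IN_IF SRC DST DPORT: what rule (2) plus a DROP policy does
# with a new connection in FORWARD. Only the client's office, arriving on the
# public interface, may open port 80 on the DMZ server; anything else,
# including a LAN host that bypasses squid, is dropped.
forward_verdict() {
    if [ "$1" = "$EXT_IF" ] && [ "$2" = "$CLIENT" ] &&
       [ "$3" = "$DMZ_IP" ] && [ "$4" = 80 ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# gen_rules: print the rule set. Review it, then run it on the gateway as
# root (e.g. sh dmz-rules.sh show | sh). Numbers match the thread's (1)-(3).
gen_rules() {
cat <<EOF
# the restriction in (2) only bites if FORWARD does not accept by default
iptables -P FORWARD DROP
# (1) nat: map port 80 on the public address to the DMZ web server
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $DMZ_IP
# replies to already-accepted connections pass without a per-flow rule
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# (2) filter: only the client's office may open connections to the server
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp --syn -s $CLIENT -d $DMZ_IP --dport 80 -j ACCEPT
# (3) filter: squid on this box fetches from the server; that is OUTPUT, not FORWARD
iptables -A OUTPUT -o $DMZ_IF -p tcp -d $DMZ_IP --dport 80 -j ACCEPT
# LAN browsers talk to squid on the gateway itself, so that traffic is INPUT
iptables -A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport $SQUID_PORT -j ACCEPT
# log what FORWARD drops so a blocked source shows up in the kernel log
iptables -A FORWARD -j LOG --log-prefix "fw-drop: "
EOF
}

case "${1-}" in
    show) gen_rules ;;
esac
```

`chain_for 192.168.1.50 192.168.1.1` answers INPUT and `chain_for 10.10.10.1 10.10.10.3` answers OUTPUT, which is why the `-s 1.2.3.4` match in rule (2) never sees the proxy path; `chain_for 1.2.3.4 $(post_dnat 5.6.7.8)` answers FORWARD, where rule (2) accepts it, and a LAN host hitting 5.6.7.8 directly also lands in FORWARD but fails the `-i eth0` match and is dropped. A source match in the PREROUTING DNAT rule, as Payal feared, would have been the wrong place: it would stop the translation rather than the access.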
* Re: server in DMZ
From: John A. Sullivan III @ 2004-09-02 3:05 UTC (permalink / raw)
To: Payal Rathod; +Cc: Netfilter ML
On Wed, 2004-09-01 at 22:50, Payal Rathod wrote:
> Hi,
> I have a small webserver in DMZ at 10.10.10.3 where we load our designs.
> I want to allow access to its port 80 only from local LAN (via a squid
> proxy on the gateway machine) and my client's office at 1.2.3.4.
> Right now I can see it from all over the world, but I do want to restrict
> the access. Remember that, as now, I want to continue accessing the DMZ machine
> using its public IP and not just 10.10.10.3 IP even from inside the LAN.
> What do I do in such case?
> Thanks a lot for the help in advance.
> With warm regards,
> -Payal
> p.s. is DMZ pronounced as DMZ or DMZee?
I assume you have at least three interfaces in the firewall -- the
public IF, the DMZee IF (to answer your last question) and the internal
IF. As long as your internal clients resolve the web server name to the
public address, all should work fine.
You will need to DNAT the web server on both the public and internal
interfaces and have a FORWARD chain rule that allows access from the
internal network and 1.2.3.4. Oops! That's right -- you are using Squid
and not just DNAT. I'm a bit rusty on Squid configuration but I would
imagine you can use the same principle to make it work. Treat the
inside network like an outside network for the web server.
However, I would give two cautions. You may want to create a VPN to the
client office if the designs are important. The transmission without
the VPN will be in the clear.
If the designs are important, I would not put this device on the same
DMZ as public devices. If someone cracks one of the public devices,
they may have free rein of any device on the DMZ from that compromised
device. That means they can get your designs. Anything that is private
and confidential should not be on the same network as something publicly
exposed. Of course, this may be the only device on your DMZ in which
case you are fine. Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net