From: O-Zone <liste@zerozone.it>
To: netfilter@lists.netfilter.org
Subject: DMZ to DMZ - COMPLETE CONFIGURATION
Date: Thu, 20 May 2004 18:37:31 +0200
Message-ID: <200405201837.36780.liste@zerozone.it>

First, thanks to all who tried to solve my problem. To simplify it, I've cut and pasted
the full firewall configuration:

#!/bin/sh

#
# 1.1 Internet Configuration.
#

INET_IP="151.8.47.82"
SIENA_IP="151.8.47.83"
DOMINI_IP="151.8.47.84"
LEONARDO_IP="151.8.47.85"
PROXYSAT_IP="151.8.47.86"
ELEKTRA_IP="151.8.47.87"
EXCHANGE_IP="151.8.47.90"
INET_IFACE="eth0"

INET2_IP="81.113.95.245"
SIENA2_IP="81.113.95.250"
DOMINI2_IP="81.113.95.251"
INET2_IFACE="eth1"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="10.0.0.1"
LAN2_IP="172.16.0.1"
LAN_IFACE="eth3"

#
# 1.3 DMZ Configuration.
#

DMZ_IP="192.168.0.1"
DMZ_SIENA_IP="192.168.0.2"
DMZ_DOMINI_IP="192.168.0.3"
DMZ_ELEKTRA_IP="192.168.0.7"
DMZ_EXCHANGE_IP="192.168.0.10"
DMZ_PROXYSAT_IP="192.168.0.11"
DMZ_LEONARDO_IP="192.168.0.12"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

# Route between the interfaces and turn on basic anti-spoofing.
echo "1" > /proc/sys/net/ipv4/ip_forward
# rp_filter: drop packets whose source address is not reachable back
# through the interface they arrived on.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# accept_source_route: 1 accepts source-routed packets and lets the sender
# dictate the path through the firewall, so keep it off.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Set the DROP policies before rebuilding the rules, so nothing slips
# through while the chains are empty.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush every chain and delete the user-defined ones, so the script can be
# re-run without "chain already exists" errors or duplicated rules.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# bad_tcp_packets: TCP packets that conntrack sees as NEW but that are not
# a plain SYN (out-of-state packets, scans, leftovers from before the
# firewall was started).
#

# NEW with SYN+ACK set is a reply to a SYN we never tracked: answer with a
# RST so the peer tears down its half-open state instead of retransmitting.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet without SYN: log it, then drop it.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed: the service rules below jump here for the TCP ports they expose.
# A new connection gets in on its SYN, the rest of the flow via conntrack.
# Note that every rule here matches -p TCP only: a UDP packet sent to this
# chain matches nothing and simply returns to the calling chain.
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# IPSEC terminated on the firewall: IKE (UDP/500), ESP (protocol 50), AH (protocol 51)
$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT

#
# ICMP rules
#

# Changed rules totally
# Only echo-request (8) and time-exceeded (11) are accepted; any other ICMP
# type falls back to the calling chain and ends up in its LOG/DROP.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p ICMP -i $INET2_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN2_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN2_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET2_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET2_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH to the firewall itself, on the first uplink address only
$IPTABLES -A INPUT -p TCP -d $INET_IP -m multiport --dports 22 -j ACCEPT

#
# Log (rate-limited) whatever reaches the end of INPUT before the DROP
# policy discards it.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# FORWARD chain
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# DMZ -> Internet on both uplinks: anything out, only replies back in.
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET2_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET2_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN -> DMZ: anything out, only replies back in.
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# There is no rule for "-i $DMZ_IFACE -o $DMZ_IFACE": a DMZ host that
# reaches a neighbour through its public address (hairpin) is logged and
# dropped by the policy at the end of this chain.

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN2_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET2_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table (flushed above, together with the filter table)
#
# Every published service needs two halves: a PREROUTING DNAT that rewrites
# the public address to the DMZ address, and a FORWARD rule that accepts the
# rewritten packet. A port present in only one of the two is dead.
#

########################### PORT FORWARDING FROM OUTSIDE TO THE INTRANET
# Citrix ICA (TCP/1494) on the first uplink address -> 10.0.0.50 on the LAN
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d 10.0.0.50 --dport 1494 -j allowed # CITRIX ICA
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d 151.8.47.82 --dport 1494 -j DNAT --to-destination 10.0.0.50

########################### DOMINI.TDSIENA.IT SERVICES
# Mail for the domini address is served by the siena host (SIENA ONLY);
# FTP, DNS and HTTP by the domini host.
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,110 -j allowed # SIENA ONLY
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 20,21,53,80 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 53 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,110 -j allowed # SIENA ONLY
$IPTABLES -A FORWARD -p TCP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 20,21,53,80 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 53 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,110 -j allowed # SIENA ONLY
$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 20,21,53,80 -j allowed
$IPTABLES -A FORWARD -p UDP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -m multiport --dports 53 -j ACCEPT

$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DOMINI_IP -j icmp_packets

# multiport takes --dports (plural). "--dport 25,110" is picked up by the tcp
# match instead, which rejects the comma list, so the rule is never loaded.
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DOMINI_IP -m multiport --dports 20,21,80 -j DNAT --to-destination $DMZ_DOMINI_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DOMINI_IP -m multiport --dports 25,110 -j DNAT --to-destination $DMZ_SIENA_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET2_IFACE -d $DOMINI_IP -m multiport --dports 20,21,80 -j DNAT --to-destination $DMZ_DOMINI_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET2_IFACE -d $DOMINI_IP -m multiport --dports 25,110 -j DNAT --to-destination $DMZ_SIENA_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $DOMINI_IP -m multiport --dports 20,21,80 -j DNAT --to-destination $DMZ_DOMINI_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $DOMINI_IP -m multiport --dports 25,110 -j DNAT --to-destination $DMZ_SIENA_IP


########################### SIENA.TDSIENA.IT SERVICES
# TCP 80 is DNATed below but not accepted here, so HTTP to $SIENA_IP from
# either uplink is dropped in FORWARD.
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,53,110 -j allowed
# UDP must be ACCEPTed directly: the "allowed" chain only matches TCP.
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 53 -j ACCEPT

$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -j icmp_packets

$IPTABLES -A FORWARD -p TCP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 25,53,110 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -m multiport --dports 53 -j ACCEPT

$IPTABLES -A FORWARD -p ICMP -i $INET2_IFACE -o $DMZ_IFACE -d $DMZ_SIENA_IP -j icmp_packets

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SIENA_IP -m multiport --dports 25,53,80,110 -j DNAT --to-destination $DMZ_SIENA_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $SIENA_IP -m multiport --dports 53 -j DNAT --to-destination $DMZ_SIENA_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET2_IFACE -d $SIENA_IP -m multiport --dports 25,53,80,110 -j DNAT --to-destination $DMZ_SIENA_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET2_IFACE -d $SIENA_IP -m multiport --dports 53 -j DNAT --to-destination $DMZ_SIENA_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $SIENA_IP -m multiport --dports 25,53,80,110 -j DNAT --to-destination $DMZ_SIENA_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $LAN_IFACE -d $SIENA_IP -m multiport --dports 53 -j DNAT --to-destination $DMZ_SIENA_IP

########################### EXCHANGE.TDSIENA.IT SERVICES
# TCP 135 is DNATed below but missing from this list, so it is dropped.
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_EXCHANGE_IP -m multiport --dports 80,110,143,389,443,691,3268 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_EXCHANGE_IP -m multiport --dports 135,389 -j ACCEPT

$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_EXCHANGE_IP -j icmp_packets

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $EXCHANGE_IP -m multiport --dports 80,110,135,143,389,443,691,3268 -j DNAT --to-destination $DMZ_EXCHANGE_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $EXCHANGE_IP -m multiport --dports 135,389 -j DNAT --to-destination $DMZ_EXCHANGE_IP

########################### PROXYSAT.TDSIENA.IT SERVICES
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PROXYSAT_IP --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PROXYSAT_IP -j icmp_packets

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PROXYSAT_IP --dport 80 -j DNAT --to-destination $DMZ_PROXYSAT_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $PROXYSAT_IP --dport 80 -j DNAT --to-destination $DMZ_PROXYSAT_IP

########################### LEONARDO SERVICES
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_LEONARDO_IP -m multiport --dports 80,3389 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_LEONARDO_IP --dport 4000:10000 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_LEONARDO_IP --dport 4000:10000 -j ACCEPT

$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_LEONARDO_IP -j icmp_packets

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $LEONARDO_IP -m multiport --dports 80,3389 -j DNAT --to-destination $DMZ_LEONARDO_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $LEONARDO_IP --dport 4000:10000 -j DNAT --to-destination $DMZ_LEONARDO_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $LEONARDO_IP --dport 4000:10000 -j DNAT --to-destination $DMZ_LEONARDO_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $LEONARDO_IP -m multiport --dports 80,3389 -j DNAT --to-destination $DMZ_LEONARDO_IP

########################### ELEKTRA SERVICES
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_ELEKTRA_IP -m multiport --dports 20,21,22,25,80,110 -j allowed
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $ELEKTRA_IP -m multiport --dports 20,21,22,25,80,110 -j DNAT --to-destination $DMZ_ELEKTRA_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $ELEKTRA_IP -m multiport --dports 20,21,22,25,80,110 -j DNAT --to-destination $DMZ_ELEKTRA_IP

$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_ELEKTRA_IP -j icmp_packets

# Squid transparent proxy: LAN HTTP is redirected to Squid on the firewall (port 8080)
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s 10.0.0.0/24 --dport 80 -j REDIRECT --to-port 8080
$IPTABLES -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s 172.16.0.0/24 --dport 80 -j REDIRECT --to-port 8080

#
# POSTROUTING chain
#

# No -o: LAN clients are masqueraded on whichever interface they leave by,
# including towards the DMZ, where they appear as the firewall's DMZ address.
$IPTABLES -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

$IPTABLES -t nat -A POSTROUTING -o $INET2_IFACE -s 192.168.0.0/24 -d 81.113.95.242 -j MASQUERADE

# DMZ-to-DMZ (hairpin) traffic is source-NATed to the firewall so the reply
# comes back through the firewall instead of going straight to the client.
# This covers TCP only, and it has no counterpart: there is no PREROUTING
# DNAT for packets arriving on $DMZ_IFACE with a public destination, and no
# FORWARD rule for -i $DMZ_IFACE -o $DMZ_IFACE.
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -j SNAT --to 192.168.0.1

# Outbound traffic from each DMZ host leaves with that host's own public address
$IPTABLES -t nat -A POSTROUTING -s $DMZ_SIENA_IP -o $INET_IFACE -j SNAT --to-source $SIENA_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_DOMINI_IP -o $INET_IFACE -j SNAT --to-source $DOMINI_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_EXCHANGE_IP -o $INET_IFACE -j SNAT --to-source $EXCHANGE_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_ELEKTRA_IP -o $INET_IFACE -j SNAT --to-source $ELEKTRA_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_LEONARDO_IP -o $INET_IFACE -j SNAT --to-source $LEONARDO_IP
$IPTABLES -t nat -A POSTROUTING -s $DMZ_PROXYSAT_IP -o $INET_IFACE -j SNAT --to-source $PROXYSAT_IP

There are the full IPs... I hope that nobody tries to hack me ;-)

Oz

-- 
Mulder: I know what I saw, Scully. and I saw you about to do
	the wild thing with some stranger!

	"The X-Files: Genderbender"
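The "DMZ to DMZ" problem in the subject is a hairpin: a DMZ host talks to a neighbour through the neighbour's public address, but the posted script only DNATs on eth0, eth1 and eth3, has no FORWARD rule for a packet that enters and leaves on eth2, and only SNATs the TCP case. The script below is an added example (mine, not part of the post or of any project) of the three rules that make the hairpin work. It assumes the interface names and the public/DMZ address pairs from the post; the chain placement is my choice, and the DNAT deliberately maps all ports (narrow it with `-m multiport --dports` as the post does if only some services should be reachable this way).

```shell
#!/bin/sh
# Added example: DMZ-to-DMZ "hairpin" NAT for the setup described in the post.
# Not part of the original script. Interface names and address pairs are
# taken from the post; everything else (rule order, all-ports DNAT) is an
# assumption of this example.
set -u

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # set IPTABLES=echo for a dry run
DMZ_IFACE="eth2"
DMZ_IP="192.168.0.1"                          # the firewall's own DMZ address

# "public_ip dmz_ip" pairs, one per line, from the post's variables.
HOST_MAP="151.8.47.83 192.168.0.2
151.8.47.84 192.168.0.3
151.8.47.87 192.168.0.7
151.8.47.90 192.168.0.10
151.8.47.86 192.168.0.11
151.8.47.85 192.168.0.12"

dmz_hairpin_rules() {
    # 1. DNAT on the DMZ interface: a DMZ host that sends to a sibling's
    #    public address has the destination rewritten before routing.
    #    Without this the packet keeps its public destination and is routed
    #    back out the uplink (or dropped), never reaching the sibling.
    echo "$HOST_MAP" | while read -r pub dmz; do
        $IPTABLES -t nat -A PREROUTING -i "$DMZ_IFACE" -d "$pub" \
            -j DNAT --to-destination "$dmz"
    done

    # 2. FORWARD: the rewritten packet enters and leaves on the same
    #    interface. "-i eth2 -o eth0" and "-i eth3 -o eth2" do not match it,
    #    so it needs its own accept (the reply direction rides on conntrack).
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$DMZ_IFACE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. SNAT: without this the server answers the client's DMZ address
    #    directly. The client expected the answer from the public address,
    #    sees a different source and resets the connection. Rewriting the
    #    source to the firewall's DMZ address forces the reply back through
    #    the firewall, where conntrack undoes the DNAT. POSTROUTING runs
    #    after DNAT, so -d 192.168.0.0/24 matches the rewritten packet.
    $IPTABLES -t nat -A POSTROUTING -o "$DMZ_IFACE" -s 192.168.0.0/24 \
        -d 192.168.0.0/24 -j SNAT --to-source "$DMZ_IP"
}

# Dry-run helper: how many DNAT rules the map above expands to.
count_dnat_rules() {
    ( IPTABLES=echo; dmz_hairpin_rules ) | grep -c -- '-j DNAT'
}

if [ "${1:-}" = "apply" ]; then
    dmz_hairpin_rules
fi
```

`IPTABLES=echo sh hairpin.sh apply` prints the rules instead of loading them, which is the quickest way to review what will be added before running it as root. The SNAT in step 3 costs you the real client address in the DMZ server's logs for hairpinned connections; that is inherent to the technique, and the usual alternative is split-horizon DNS so DMZ hosts resolve each other to the 192.168.0.x addresses and never hairpin at all.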


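A second check a practitioner would run on a script like the one posted: every port that a PREROUTING DNAT rewrites must also be accepted by a FORWARD rule for the rewritten destination, otherwise the packet is DNATed and then dropped by the FORWARD policy. The checker below is an added example (mine, not part of the post); it reads iptables command lines, treats the post's `allowed` chain as an accept, and reports DNAT ports with no covering FORWARD rule. The sample rules are constructed from the post's SIENA, EXCHANGE and LAN-to-LEONARDO lines with the variables expanded. Port lists are compared as strings, so a range such as `4000:10000` only matches the identical range; that is a limitation of this checker, not of iptables.

```shell
#!/bin/sh
# Added example (not from the post): find DNAT ports that no FORWARD rule
# accepts. "allowed" is treated as an accept target, as in the post.
# Assumption: ports are compared as strings (a range only matches itself).
set -u

# Constructed sample: the post's SIENA, EXCHANGE and LAN->LEONARDO rules,
# variables expanded and continuation lines joined.
SAMPLE_RULES='-A FORWARD -p TCP -i eth0 -o eth2 -d 192.168.0.2 -m multiport --dports 25,53,110 -j allowed
-A FORWARD -p UDP -i eth0 -o eth2 -d 192.168.0.2 -m multiport --dports 53 -j allowed
-t nat -A PREROUTING -p TCP -i eth0 -d 151.8.47.83 -m multiport --dports 25,53,80,110 -j DNAT --to-destination 192.168.0.2
-t nat -A PREROUTING -p UDP -i eth0 -d 151.8.47.83 -m multiport --dports 53 -j DNAT --to-destination 192.168.0.2
-A FORWARD -p TCP -i eth0 -o eth2 -d 192.168.0.10 -m multiport --dports 80,110,143,389,443,691,3268 -j allowed
-A FORWARD -p UDP -i eth0 -o eth2 -d 192.168.0.10 -m multiport --dports 135,389 -j allowed
-t nat -A PREROUTING -p TCP -i eth0 -d 151.8.47.90 -m multiport --dports 80,110,135,143,389,443,691,3268 -j DNAT --to-destination 192.168.0.10
-t nat -A PREROUTING -p UDP -i eth0 -d 151.8.47.90 -m multiport --dports 135,389 -j DNAT --to-destination 192.168.0.10
-A FORWARD -i eth3 -o eth2 -j ACCEPT
-t nat -A PREROUTING -p TCP -i eth3 -d 151.8.47.85 -m multiport --dports 80,3389 -j DNAT --to-destination 192.168.0.12'

# Reads iptables command lines on stdin, prints one UNCOVERED line per
# DNAT port that no FORWARD accept rule covers.
check_dnat_coverage() {
    awk '
    # value following option "name" on the tokenised line, or ""
    function opt(t, n, name,   i) {
        for (i = 1; i < n; i++) if (t[i] == name) return t[i + 1]
        return ""
    }
    {
        n = split($0, t, /[ \t]+/)
        proto = tolower(opt(t, n, "-p"))
        iface = opt(t, n, "-i")
        ports = opt(t, n, "--dports"); if (ports == "") ports = opt(t, n, "--dport")
        if (opt(t, n, "-j") == "DNAT") {
            nd++; d_proto[nd] = proto; d_iface[nd] = iface; d_pub[nd] = opt(t, n, "-d")
            d_ports[nd] = ports; d_to[nd] = opt(t, n, "--to-destination")
        } else if (opt(t, n, "-A") == "FORWARD" && opt(t, n, "-j") ~ /^(ACCEPT|allowed)$/) {
            nf++; f_proto[nf] = proto; f_iface[nf] = iface
            f_dest[nf] = opt(t, n, "-d"); f_ports[nf] = ports
        }
    }
    END {
        for (i = 1; i <= nd; i++) {
            np = split(d_ports[i], pl, ",")
            if (np == 0) { np = 1; pl[1] = "*" }   # DNAT with no port match at all
            for (j = 1; j <= np; j++) {
                ok = 0
                # a FORWARD rule covers the port if every qualifier it has
                # (proto, in-iface, dest, ports) agrees with the DNAT entry
                for (k = 1; k <= nf && !ok; k++) {
                    if (f_proto[k] != "" && f_proto[k] != d_proto[i]) continue
                    if (f_iface[k] != "" && f_iface[k] != d_iface[i]) continue
                    if (f_dest[k]  != "" && f_dest[k]  != d_to[i])    continue
                    if (f_ports[k] != "" && (pl[j] == "*" || index("," f_ports[k] ",", "," pl[j] ",") == 0)) continue
                    ok = 1
                }
                if (!ok) print "UNCOVERED " d_proto[i] " " d_to[i] ":" pl[j] " (DNAT from " d_pub[i] " on " d_iface[i] ")"
            }
        }
    }'
}

# Run the check over the embedded sample.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | check_dnat_coverage
}

if [ "${1:-}" = "sample" ]; then
    check_sample
fi
```

On the sample the checker reports two dead ports, both of which are in the posted script: TCP 80 to the siena host (DNATed from 151.8.47.83 but absent from its FORWARD list) and TCP 135 to the exchange host (DNATed but only present in the UDP FORWARD list). The LAN-side DNAT to leonardo is covered by the generic `-i eth3 -o eth2 -j ACCEPT` rule. To run it on a live script, feed the joined `iptables` lines to `check_dnat_coverage` instead of the sample.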