* LAN accessing DMZ
@ 2004-07-18 13:23 Payal Rathod
From: Payal Rathod @ 2004-07-18 13:23 UTC (permalink / raw)
To: netfilter
Hi,
I am trying out a DMZ. But my LAN users (192.168 range) can access the DMZ
(10.10.10.x) range without any restrictions. On this firewall machine
there are 3 cards: 1 for the DMZ range, 1 for the LAN range and 1 for my ISP.
I have,
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT # Is this a Bad Idea?
$IPTABLES -P FORWARD DROP
For FORWARD I allow just,
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p udp -j ACCEPT
$IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
(This I am just testing whether I can access my DMZ port 25 from outside)
But still my LAN users can access 10.10.10.2:25 and also the webmin 10000 port.
What am I missing?
Thanks a lot in advance and waiting eagerly for any answers.
With warm regards,
-Payal
* Re: LAN accessing DMZ
From: Antony Stone @ 2004-07-18 15:10 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 2:23 pm, Payal Rathod wrote:
> Hi,
> I am trying out a DMZ. But my LAN users (192.168 range) can access the DMZ
> (10.10.10.x) range without any restrictions. On this firewall machine
> there are 3 cards: 1 for the DMZ range, 1 for the LAN range and 1 for my ISP.
>
> I have,
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT # Is this a Bad Idea?
> $IPTABLES -P FORWARD DROP
>
> For FORWARD I allow just,
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -s 10.0/8 -p tcp -j ACCEPT
> $IPTABLES -A FORWARD -s 10.0/8 -p udp -j ACCEPT
> $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
> (This I am just testing whether I can access my DMZ port 25 from outside)
>
> But still my LAN users can access 10.10.10.2:25 and also the webmin 10000
> port. What am I missing?
You are missing either a "-s" source address or "-i" input interface
specification for the rule allowing access to the DMZ machine, or else you
are missing either a "-d" destination address or "-o" output interface
specification for the rules allowing access from the LAN.
Regards,
Antony.
--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
Please reply to the list;
please don't CC me.
* Re: LAN accessing DMZ
From: Payal Rathod @ 2004-07-18 16:24 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 04:10:51PM +0100, Antony Stone wrote:
> You are missing either a "-s" source address or "-i" input interface
> specification for the rule allowing access to the DMZ machine, or else you
Which rule are you referring to exactly?
> are missing either a "-d" destination address or "-o" output interface
> specification for the rules allowing access from the LAN.
Can you tell me something more specific? I am still unable to figure out:
if I have dropped all connections to outside, and the DMZ is outside for the
LAN, how can connections be allowed to it?
Do you want me to post the entire firewall file somewhere on the net?
Waiting eagerly for the reply.
With warm regards,
-Payal
* Re: LAN accessing DMZ
From: Antony Stone @ 2004-07-18 16:39 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 5:24 pm, Payal Rathod wrote:
> On Sun, Jul 18, 2004 at 04:10:51PM +0100, Antony Stone wrote:
> > You are missing either a "-s" source address or "-i" input interface
> > specification for the rule allowing access to the DMZ machine, or else
> > you
>
> Which rule are you referring to exactly?
This one:
> > > $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
It says "allow connections to 10.10.10.2 TCP port 25". It doesn't say "but
only from the Internet".
> > are missing either a "-d" destination address or "-o" output interface
> > specification for the rules allowing access from the LAN.
>
> Can you tell me something more specific? I am still unable to figure out:
> if I have dropped all connections to outside, and the DMZ is outside for the
> LAN, how can connections be allowed to it?
All the following rules allow packets from your LAN:
> > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
These rules do not say "but only to the Internet", therefore they allow
packets to the DMZ as well.
As an example of what I was suggesting, suppose eth0 is your Internet
interface, eth1 is your LAN interface, and eth2 is your DMZ interface, and
suppose you want to allow SMTP to your DMZ mail server from the Internet, but
not from your LAN. Then the rule should be something like:
iptables -A FORWARD -i eth0 -o eth2 -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
This rule says "allow packets to address 10.10.10.2 on TCP port 25, provided
they come from eth0, and they're going to eth2".
I hope that clarifies things and gives you enough information to apply the
principle to the other rules?
Regards,
Antony.
--
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with
them.
Please reply to the list;
please don't CC me.
* Re: LAN accessing DMZ
From: Payal Rathod @ 2004-07-18 16:58 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 05:39:05PM +0100, Antony Stone wrote:
> This one:
> > > > $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
I have pasted my FORWARD rules (they are small and simple) at
http://payal.staticky.com/fw1.txt
> > > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
>
> These rules do not say "but only to the Internet", therefore they allow
> packets to the DMZ as well.
It is still very confusing. Forget port 25 for a moment. I have never
mentioned port 10000, the webmin port, at all. Still I can access it
from my LAN machine? HOW? After all, the FORWARD policy is DROP. It should
DROP what it cannot find.
If I do a specific DROP like
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 10000 -j DROP
the packets are dropped, but not otherwise.
What must be wrong?
With warm regards,
-Payal
* Re: LAN accessing DMZ
From: Antony Stone @ 2004-07-18 17:12 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 5:58 pm, Payal Rathod wrote:
> I have pasted my FORWARD rules at, (they are small and simple),
> http://payal.staticky.com/fw1.txt
>
> It is still very confusing. Forget port 25 for a moment. I have never
> mentioned port 10000, the webmin port, at all. Still I can access it
> from my LAN machine? HOW? After all, the FORWARD policy is DROP. It should
> DROP what it cannot find.
I do not see how TCP port 10000 should be accessible from the Internet either
(which is what I believe you were asking about - allowing access to the DMZ
from the Internet, but not from the LAN?)
Please post the output of "iptables -L -nvx; iptables -L -t nat -nvx". Post
it on the website if you prefer (the formatting is probably easier to read
there anyway). Please also post the IP addresses of the machine you are
connecting from, and the machine you are connecting to, on TCP port 10000.
Regards,
Antony.
--
The words "e pluribus unum" on the Great Seal of the United States are from a
poem by Virgil entitled "Moretum", which is about cheese and garlic salad
dressing.
Please reply to the list;
please don't CC me.
* Re: LAN accessing DMZ
From: Payal Rathod @ 2004-07-18 17:39 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 06:12:31PM +0100, Antony Stone wrote:
> I do not see how TCP port 10000 should be accessible from the Internet either
> (which is what I believe you were asking about - allowing access to the DMZ
> from the Internet, but not from the LAN?)
We will keep it simpler. All ports which are allowed from the internet are
allowed from the LAN (192.168) range for the DMZ. OK? Just for a start.
> Please post the output of "iptables -L -nvx; iptables -L -t nat -nvx". Post
> it on the website if you prefer (the formatting is probably easier to read
I do not have access to that machine till tomorrow. But I have copied the
firewall script at
http://payal.staticky.com/fw2.txt
I have masked the real IP, and I have noticed a small error now:
"INET_IFACE" is not eth0 as in the script but eth1. eth0 is blank. Not
using it.
My firewall IP is 10.10.10.1.
> there anyway). Please also post the IP addresses of the machine you are
> connecting from, and the machine you are connecting to, on TCP port 10000.
I am connecting from any machine in the range 192.168/16.
If you want any more *live* information I will get it tomorrow.
With warm regards,
-Payal
* Re: LAN accessing DMZ
From: Antony Stone @ 2004-07-18 17:59 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 6:39 pm, Payal Rathod wrote:
> I do not have access to that machine till tomorrow. But I have copied the
> firewall script at http://payal.staticky.com/fw2.txt
I do not understand how you can connect through this ruleset to TCP port 10000
from anywhere.
I look forward to the ruleset listing with packet counters.
Please make sure you also post the following information:
1. The IP address of the machine you are connecting *from* to TCP port 10000.
2. The IP address of the machine you are connecting *to* on TCP port 10000.
3. The network info for each subnet connected to the firewall.
(By the way, there is a problem, probably unimportant, but worth correcting
anyway, with the "-s 10.10.10.0/255.0.0.0" in your ruleset. The address
should not contain more 1-bits than the netmask, therefore this should either
be "-s 10.10.10.0/255.255.255.0" or else "-s 10.0.0.0/255.0.0.0", depending
on which netmask is correct for your subnet.)
Regards,
Antony.
--
These clients are often infected by viruses or other malware and need to be
fixed. If not, the user at that client needs to be fixed...
- Henrik Nordstrom, on Squid users' mailing list
Please reply to the list;
please don't CC me.
* Re: LAN accessing DMZ
From: Payal Rathod @ 2004-07-18 18:51 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 06:59:47PM +0100, Antony Stone wrote:
> On Sunday 18 July 2004 6:39 pm, Payal Rathod wrote:
>
> > I do not have access to that machine till tomorrow. But I have copied the
> > firewall script at http://payal.staticky.com/fw2.txt
>
> I do not understand how you can connect through this ruleset to TCP port 10000
I have squid on this machine. Is it because of that?
Is it passing thru' squid cos' I enter in my browser
https://10.10.10.2:10000?
Just a thought till tomorrow.
-Payal
* Re: LAN accessing DMZ
From: Antony Stone @ 2004-07-18 19:12 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 7:51 pm, Payal Rathod wrote:
> On Sun, Jul 18, 2004 at 06:59:47PM +0100, Antony Stone wrote:
> >
> > I do not understand how you can connect through this ruleset to TCP port
> > 10000
>
> I have squid on this machine. Is it because of that?
> Is it passing thru' squid cos' I enter in my browser
> https://10.10.10.2:10000
Yes. A web proxy running on the same machine means that the INPUT and OUTPUT
rules apply, not the FORWARD rules.
Antony.
--
"There is no reason for any individual to have a computer in their home."
- Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed
by Compaq, later merged with HP)
Please reply to the list;
please don't CC me.
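Antony's two points, that a FORWARD rule should name both the interface a packet enters (-i) and the one it leaves (-o), and that a proxy on the firewall itself is governed by INPUT/OUTPUT rather than FORWARD, put together in one added example that is not code from the thread. It goes a little beyond the thread by also confining the DMZ's own outbound rules to the Internet interface and logging what falls through to the DROP policy. Interface names (eth0 Internet, eth1 LAN, eth2 DMZ), the 10.10.10.0/24 mask and the proxy's egress ports are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Rules are zone-to-zone: every
# FORWARD accept names the interface the packet enters (-i) and leaves (-o),
# so "from the LAN" no longer implicitly means "to the DMZ as well".
# Interface names follow Antony's illustration and are assumptions; the
# poster's own box actually had the ISP on eth1.
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
LAN_NET="192.168.0.0/16"
DMZ_NET="10.10.10.0/24"          # not 10.10.10.0/255.0.0.0, see Antony's note
DMZ_MAIL="10.10.10.2"
IPT="${IPT:-echo iptables}"      # dry run by default; IPT=/sbin/iptables to load

forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Original: -s 192.168.0.0/16 --dport 53 -j ACCEPT matched any destination.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # Original: -d 10.10.10.2 --dport 25 -j ACCEPT matched any source, LAN included.
    $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_MAIL" -p tcp --dport 25 -j ACCEPT
    # Original: -s 10.0/8 -j ACCEPT let DMZ hosts initiate connections into the LAN.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -s "$DMZ_NET" -p tcp -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -s "$DMZ_NET" -p udp -j ACCEPT
    # Log what falls through to the DROP policy, so LAN->DMZ attempts are visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Squid runs on the firewall itself, so proxied traffic never enters FORWARD:
# LAN clients hit INPUT on 3128 and squid's own fetches leave through OUTPUT.
# With -P OUTPUT ACCEPT the proxy could reach the DMZ; restrict it instead.
local_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
    $IPT -A OUTPUT -o "$INET_IFACE" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -o "$INET_IFACE" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

forward_rules
local_rules
```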
* Re: LAN accessing DMZ
From: Payal Rathod @ 2004-07-19 11:13 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 08:12:13PM +0100, Antony Stone wrote:
> > >
> > > I do not understand how you can connect through this ruleset to TCP port
> > > 10000
> >
> > I have squid on this machine. Is it because of that?
> > Is it passing thru' squid cos' I enter in my browser
> > https://10.10.10.2:10000
>
> Yes. A web proxy running on the same machine means that the INPUT and OUTPUT
> rules apply, not the FORWARD rules.
Oh! Got it now. But now the problem I faced was that my users could not
use hotmail. But once I allowed FORWARD for port 443 they could easily.
Now, if you say FORWARD rules are not applied for a web proxy on the same machine,
why do I need to open port 443 for hotmail, whereas I have declared 443 as a
Safe_port in squid's configuration file?
With warm regards,
-Payal