* LAN accessing DMZ
@ 2004-07-18 13:23 Payal Rathod
2004-07-18 15:10 ` Antony Stone
0 siblings, 1 reply; 11+ messages in thread
From: Payal Rathod @ 2004-07-18 13:23 UTC (permalink / raw)
To: netfilter
Hi,
I am trying out DMZ. But my LAN users (192.168 range) can access DMZ
(10.10.10.x) range without any restrictions. On this firewall machines
there are 3 cards 1 for DMZ range, 1 for LAN range and for my ISP.
I have,
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT # Is this a Bad Idea?
$IPTABLES -P FORWARD DROP
For FORWARD I allow just,
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p udp -j ACCEPT
$IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
(This I am just testing whether I can access my DMZ port 25 from outside)
But still my LAN users can access 10.10.10.2:25 and also the webin 10000 port.
What am I missing?
Thanks a lot in advance and waiting eagerly for any answers.
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: LAN accessing DMZ
2004-07-18 13:23 LAN accessing DMZ Payal Rathod
@ 2004-07-18 15:10 ` Antony Stone
2004-07-18 16:24 ` Payal Rathod
0 siblings, 1 reply; 11+ messages in thread
From: Antony Stone @ 2004-07-18 15:10 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 2:23 pm, Payal Rathod wrote:
> Hi,
> I am trying out DMZ. But my LAN users (192.168 range) can access DMZ
> (10.10.10.x) range without any restrictions. On this firewall machines
> there are 3 cards 1 for DMZ range, 1 for LAN range and for my ISP.
>
> I have,
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT # Is this a Bad Idea?
> $IPTABLES -P FORWARD DROP
>
> For FORWARD I allow just,
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -s 10.0/8 -p tcp -j ACCEPT
> $IPTABLES -A FORWARD -s 10.0/8 -p udp -j ACCEPT
> $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
> (This I am just testing whether I can access my DMZ port 25 from outside)
>
> But still my LAN users can access 10.10.10.2:25 and also the webin 10000
> port. What am I missing?
You are missing either a "-s" source address or "-i" input interface
specification for the rule allowing access to the DMZ machine, or else you
are missing either a "-d" destination address or "-o" output interface
specification for the rules allowing access from the LAN.
Regards,
Antony.
--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: LAN accessing DMZ
2004-07-18 15:10 ` Antony Stone
@ 2004-07-18 16:24 ` Payal Rathod
2004-07-18 16:39 ` Antony Stone
0 siblings, 1 reply; 11+ messages in thread
From: Payal Rathod @ 2004-07-18 16:24 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 04:10:51PM +0100, Antony Stone wrote:
> You are missing either a "-s" source address or "-i" input interface
> specification for the rule allowing access to the DMZ machine, or else you
Which rule are you referring to exactly?
> are missing either a "-d" destination address or "-o" output interface
> specification for the rules allowing access from the LAN.
Can you tell me something more specific. I am still unable to figure that
if I have dropped all connections to outside, DMZ which is outside for the
LAN how can connections be allowed for it?
Do you want me to post the entire firewall file somwhere on net?
Waiting eagerly for the reply.
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: LAN accessing DMZ
2004-07-18 16:24 ` Payal Rathod
@ 2004-07-18 16:39 ` Antony Stone
2004-07-18 16:58 ` Payal Rathod
0 siblings, 1 reply; 11+ messages in thread
From: Antony Stone @ 2004-07-18 16:39 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 5:24 pm, Payal Rathod wrote:
> On Sun, Jul 18, 2004 at 04:10:51PM +0100, Antony Stone wrote:
> > You are missing either a "-s" source address or "-i" input interface
> > specification for the rule allowing access to the DMZ machine, or else
> > you
>
> Which rule are you referring to exactly?
This one:
> > > $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
It says "allow connections to 10.10.10.2 TCP port 25". It doesn't say "but
only from the Internet".
> > are missing either a "-d" destination address or "-o" output interface
> > specification for the rules allowing access from the LAN.
>
> Can you tell me something more specific. I am still unable to figure that
> if I have dropped all connections to outside, DMZ which is outside for the
> LAN how can connections be allowed for it?
All the following rules allow packets from your LAN:
> > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
These rules do not say "but only to the Internet", therefore they allow
packets to the DMZ as well.
As an example of what I was suggesting, suppose eth0 is your Internet
interface, eth1 is your LAN interface, and eth2 is your DMZ interface, and
suppose you want to allow SMTP to your DMZ mail server from the Internet, but
not from your LAN. Then the rule should be something like:
iptables -A FORWARD -i eth0 -o eth2 -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
This rule says "allow packets to address 10.10.10.2 on TCP port 25, provided
they come from eth0, and they're going to eth2".
I hope that clarifies things and gives you enough information to apply the
principle to the other rules?
Regards,
Antony.
--
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with
them.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: LAN accessing DMZ
2004-07-18 16:39 ` Antony Stone
@ 2004-07-18 16:58 ` Payal Rathod
2004-07-18 17:12 ` Antony Stone
0 siblings, 1 reply; 11+ messages in thread
From: Payal Rathod @ 2004-07-18 16:58 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 05:39:05PM +0100, Antony Stone wrote:
> This one:
> > > > $IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT
I have pasted my FORWARD rules at, (they are small and simple),
http://payal.staticky.com/fw1.txt
> > > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
> > > > $IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
>
> These rules do not say "but only to the Internet", therefore they allow
> packets to the DMZ as well.
It is still very confusing. Forget port 25 for a moment. I have never
mentioned port 10000, the webmin port at all. Still I can access it
from my LAN machine? HOW? Afterall the FORWARD policy is DROP. It should
DROP what it cannot find.
If I do a specific DROP like
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 10000 -j DROP
the packets are dropped, but not otherwise.
What must be wrong?
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: LAN accessing DMZ
2004-07-18 16:58 ` Payal Rathod
@ 2004-07-18 17:12 ` Antony Stone
2004-07-18 17:39 ` Payal Rathod
0 siblings, 1 reply; 11+ messages in thread
From: Antony Stone @ 2004-07-18 17:12 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 5:58 pm, Payal Rathod wrote:
> I have pasted my FORWARD rules at, (they are small and simple),
> http://payal.staticky.com/fw1.txt
>
> It is still very confusing. Forget port 25 for a moment. I have never
> mentioned port 10000, the webmin port at all. Still I can access it
> from my LAN machine? HOW? Afterall the FORWARD policy is DROP. It should
> DROP what it cannot find.
I do not see how TCP port 10000 should be accessible from the Internet either
(which is what I believe you were asking about - allowing access to the DMZ
from the Internet, but not from the LAN?)
Please post the output of "iptables -L -nvx; iptables -L -t nat -nvx". Post
it on the website if you prefer (the formatting is probably easier to read
there anyway). Please also post the IP addresses of the machine you are
connecting from, and the machine you are connecting to, on TCP port 10000.
Regards,
Antony.
--
The words "e pluribus unum" on the Great Seal of the United States are from a
poem by Virgil entitled "Moretum", which is about cheese and garlic salad
dressing.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: LAN accessing DMZ
2004-07-18 17:12 ` Antony Stone
@ 2004-07-18 17:39 ` Payal Rathod
2004-07-18 17:59 ` Antony Stone
0 siblings, 1 reply; 11+ messages in thread
From: Payal Rathod @ 2004-07-18 17:39 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 06:12:31PM +0100, Antony Stone wrote:
> I do not see how TCP port 10000 should be accessible from the Internet either
> (which is what I believe you were asking about - allowing access to the DMZ
> from the Internet, but not from the LAN?)
We will keep it more simple. All ports which are allowed from internet are
allowed from LAN (192.168) range for DMZ. Ok? Just for start-up.
> Please post the output of "iptables -L -nvx; iptables -L -t nat -nvx". Post
> it on the website if you prefer (the formatting is probably easier to read
I do not have access to that machine till tomorrow. But I have copied the
firewall script at,
http://payal.staticky.com/fw2.txt
I have masked the real IP and I have noticed a small error now.
"INET_IFACE" is not eth0 as in script but eth1. eth0 is blank. Not
using it.
My firewall IP is 10.10.10.1.
> there anyway). Please also post the IP addresses of the machine you are
> connecting from, and the machine you are connecting to, on TCP port 10000.
I am connecting from any machine in range 192.168/16
If you want any more *live* information I will get it tomorrow.
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: LAN accessing DMZ
2004-07-18 17:39 ` Payal Rathod
@ 2004-07-18 17:59 ` Antony Stone
2004-07-18 18:51 ` Payal Rathod
0 siblings, 1 reply; 11+ messages in thread
From: Antony Stone @ 2004-07-18 17:59 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 6:39 pm, Payal Rathod wrote:
> I do not have access to that machine till tomorrow. But I have copied the
> firewall script at http://payal.staticky.com/fw2.txt
I do not understand how you can connect through this ruleset to TCP port 10000
from anywhere.
I look forward to the ruleset listing with packet counters.
Please make sure you also post the following information:
1. The IP address of the machine you are connecting *from* to TCP port 10000.
2. The IP address of the machine you are connecting *to* on TCP port 10000.
3. The network info for each subnet connected to the firewall.
(By the way, there is a problem, probably unimportant, but worth correcting
anyway, with the "-s 10.10.10.0/255.0.0.0" in your ruleset. The address
should not contain more 1-bits than the netmask, therefore this should either
be "-s 10.10.10.0/255.255.255.0" or else "-s 10.0.0.0/255.0.0.0", depending
on which netmask is correct for your subnet.)
Regards,
Antony.
--
These clients are often infected by viruses or other malware and need to be
fixed. If not, the user at that client needs to be fixed...
- Henrik Nordstrom, on Squid users' mailing list
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: LAN accessing DMZ
2004-07-18 17:59 ` Antony Stone
@ 2004-07-18 18:51 ` Payal Rathod
2004-07-18 19:12 ` Antony Stone
0 siblings, 1 reply; 11+ messages in thread
From: Payal Rathod @ 2004-07-18 18:51 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 06:59:47PM +0100, Antony Stone wrote:
> On Sunday 18 July 2004 6:39 pm, Payal Rathod wrote:
>
> > I do not have access to that machine till tomorrow. But I have copied the
> > firewall script at http://payal.staticky.com/fw2.txt
>
> I do not understand how you can connect through this ruleset to TCP port 10000
I have http that I have squid on this machine. Is it because of that?
Is it passing thru' squid cos' I enter in my browser
https://10.10.10.2:10000
Just a thought till tomorrow.
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: LAN accessing DMZ
2004-07-18 18:51 ` Payal Rathod
@ 2004-07-18 19:12 ` Antony Stone
2004-07-19 11:13 ` Payal Rathod
0 siblings, 1 reply; 11+ messages in thread
From: Antony Stone @ 2004-07-18 19:12 UTC (permalink / raw)
To: netfilter
On Sunday 18 July 2004 7:51 pm, Payal Rathod wrote:
> On Sun, Jul 18, 2004 at 06:59:47PM +0100, Antony Stone wrote:
> >
> > I do not understand how you can connect through this ruleset to TCP port
> > 10000
>
> I have squid on this machine. Is it because of that?
> Is it passing thru' squid cos' I enter in my browser
> https://10.10.10.2:10000
Yes. A web proxy running on the same machine means that the INPUT and OUTPUT
rules apply, not the FORWARD rules.
Antony.
--
"There is no reason for any individual to have a computer in their home."
- Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed
by Compaq, later merged with HP)
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: LAN accessing DMZ
2004-07-18 19:12 ` Antony Stone
@ 2004-07-19 11:13 ` Payal Rathod
0 siblings, 0 replies; 11+ messages in thread
From: Payal Rathod @ 2004-07-19 11:13 UTC (permalink / raw)
To: netfilter
On Sun, Jul 18, 2004 at 08:12:13PM +0100, Antony Stone wrote:
> > >
> > > I do not understand how you can connect through this ruleset to TCP port
> > > 10000
> >
> > I have squid on this machine. Is it because of that?
> > Is it passing thru' squid cos' I enter in my browser
> > https://10.10.10.2:10000
>
> Yes. A web proxy running on the same machine means that the INPUT and OUTPUT
> rules apply, not the FORWARD rules.
Oh! got it now. But now the problem I faced was that my users could not
use hotmail. But once I allowed FORWARD for port 443 they could easily.
Now, if you say FORWARD rules are not applied for web proxy on same machine,
why do i need to open port 443 for hotmail, where as I have declared 443 as
Safe_port in squid's configuration file.
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2004-07-19 11:13 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-18 13:23 LAN accessing DMZ Payal Rathod
2004-07-18 15:10 ` Antony Stone
2004-07-18 16:24 ` Payal Rathod
2004-07-18 16:39 ` Antony Stone
2004-07-18 16:58 ` Payal Rathod
2004-07-18 17:12 ` Antony Stone
2004-07-18 17:39 ` Payal Rathod
2004-07-18 17:59 ` Antony Stone
2004-07-18 18:51 ` Payal Rathod
2004-07-18 19:12 ` Antony Stone
2004-07-19 11:13 ` Payal Rathod
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.