* firewalling
From: Eric Constantineau @ 2003-02-18 9:45 UTC
To: netfilter
Hi everybody,
I run iptables in my "devil-linux" firewall but I still have some
questions.
I still have problems with FTP, it has to be set with "enable firewall
access" to be able to run well (I run cuteftp), passive mode or not. I
want ftp to be transparent as if there were no firewall at all, so users
are not annoyed by settings...
Another thing is how could I set up a web server behind my firewall, I
read a bit about DNAT and SNAT, but it still doesn't work from the internet. It
works inside, in the same LAN, but over the net, the server is
unreachable...
See the problem is, all my LAN, including the firewall, has the same WAN
IP address, let's say 1.2.3.4... So when I connect to 1.2.3.4 with
destination port 80, with my DNAT settings:
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT \
--to-destination 4.3.2.1
it should redirect all packets to the web server LAN IP (4.3.2.1)
then for the connection within the LAN to this server I still have to add
this line:
iptables -t nat -A POSTROUTING -s 4.3.2.1 -p tcp --sport 80 -j SNAT \
--to-source 1.2.3.4
I made that from scratch reading this quite good doc :
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html
at 5.5.11. DNAT target
but still, it doesn't work perfectly, :-(
Thanks for helping me out
Eric
* Re: firewalling
From: Cedric Blancher @ 2003-02-18 10:19 UTC
To: Eric Constantineau; +Cc: netfilter
On Tue 18/02/2003 at 10:45, Eric Constantineau wrote:
> I still have problems with FTP, it has to be set with "enable firewall
> access" to be able to run well (I run cuteftp), passive mode or not. I
> want ftp to be transparent as if there were no firewall at all, so users
> are not annoyed by settings...
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
Then play with the state stuff (NEW, ESTABLISHED and RELATED). The FTP helper
will handle everything right once you authorize TCP port 21.
> Another thing is how could I set up a web server behind my firewall, I
> read a bit about DNAT and SNAT, but it still doesn't work from the internet. It
> works inside, in the same LAN, but over the net, the server is
> unreachable...
> See the problem is, all my LAN, including the firewall, has the same WAN
> IP address, let's say 1.2.3.4... So when I connect to 1.2.3.4 with
> destination port 80, with my DNAT settings:
>
> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT \
> --to-destination 4.3.2.1
> it should redirect all packets to the web server LAN IP (4.3.2.1)
Yes it should.
If it does not work, it may be a FORWARD filtering problem. Have you
authorized such traffic through a FORWARD rule, e.g.:
iptables -A FORWARD -m state --state ESTABLISHED -p tcp \
-s 4.3.2.1 --sport 80 -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -d 4.3.2.1 \
--dport 80 -j ACCEPT
If not, it won't work.
> then for the connection within the LAN to this server I still have to add
> this line:
> iptables -t nat -A POSTROUTING -s 4.3.2.1 -p tcp --sport 80 -j SNAT \
> --to-source 1.2.3.4
No, you don't.
Once a connection is established from outside to this server, it is
handled automagically by Netfilter's NAT code. This rule will be useful if
your 4.3.2.1 is to establish connections to the outside, which, judging
from your rule, does not seem to be the case.
Things you can do are:
. look at counters to see which rules are matching packets :
iptables -L -v
iptables -t nat -L -v
. add debugging stuff using LOG target to track your packets
You should also read Linux Mag' HS 12; there's an article on Netfilter's
internals that can help you understand how NAT works ;)))
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
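The complete ruleset for the setup discussed in this thread, as an added example that is not part of either message: it loads the FTP helper, adds the stateful FORWARD rules and the port-80 DNAT from the reply above, and adds the two pieces the messages only touch on. The addresses 1.2.3.4 and 4.3.2.1 are the thread's own placeholders; the interface names eth0/eth1 and the LAN subnet 4.3.2.0/24 are assumptions. One point the thread leaves implicit: rules in the nat table are consulted only for the first packet of a connection, so a POSTROUTING rule matched on the server's `--sport 80` replies never fires. For LAN clients that reach the server through the public address (the case where the first poster saw the LAN side behave differently), the rule has to match the client's new connection instead, which the last rule below does.

```shell
#!/bin/sh
# Added example (not from the thread): full ruleset for the setup discussed
# above. Assumptions not in the original: WAN interface eth0 holding the
# public address 1.2.3.4, LAN interface eth1 on 4.3.2.0/24 (the thread's
# placeholder range), web server 4.3.2.1. Without APPLY=1 the commands are
# printed instead of executed, so the ruleset can be reviewed first.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-1.2.3.4}
LAN_NET=${LAN_NET:-4.3.2.0/24}
WEB_IP=${WEB_IP:-4.3.2.1}

# Every privileged command goes through here: print it, or run it if APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

gen_rules() {
    # FTP helper: follows the PORT/PASV exchange on the control connection
    # and marks the data connection RELATED; ip_nat_ftp also rewrites the
    # addresses inside that exchange when the client is NATed. (2.4-era
    # names, as in the thread; nf_conntrack_ftp / nf_nat_ftp on current kernels.)
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate, default-deny forwarding.
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP

    # Replies to anything already accepted, plus RELATED connections: this one
    # rule is what lets the FTP data channel through with no per-port rules.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open new connections outward (port 21 included) and are
    # source-NATed to the public address on the way out.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # Published web server: DNAT rewrites the first packet of each new
    # connection; FORWARD must then accept the rewritten packet (-d 4.3.2.1),
    # otherwise the DNAT has no visible effect.
    run iptables -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP"
    run iptables -A FORWARD -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Hairpin case: a LAN client that connects to 1.2.3.4 also hits the DNAT,
    # but the server would answer it directly from 4.3.2.1 and the client
    # would discard that reply. Masquerade those connections behind the
    # firewall's LAN address so the reply comes back through the firewall.
    # This matches the client's new connection, not the server's replies.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" -p tcp --dport 80 -j MASQUERADE
}

# Print the ruleset (or apply it with APPLY=1, which needs root).
gen_rules
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. Afterwards `iptables -L -v` and `iptables -t nat -L -v`, as suggested above, show which rules are counting packets: a DNAT counter that increments while the FORWARD ACCEPT for port 80 stays at zero points at the forwarding policy, not at the NAT rule.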