* Please Review My Rules
@ 2006-06-25 19:09 Chris Miller
2006-06-27 16:50 ` Martijn Lievaart
0 siblings, 1 reply; 3+ messages in thread
From: Chris Miller @ 2006-06-25 19:09 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey guys, if it's not too much trouble I would like to ask you all to
take a second and review my rules. I have a CentOS box running
iptables. I have servers in two different VLAN's (VLAN 5 and VLAN 6)
that are all assigned private IP addresses in the 10.176.x.x range. I
assign the public IP addresses to the iptables firewall and use
static 1:1 NAT to translate traffic to the 10.176.x.x block. The
public network is in VLAN 9.
In my example below, I have changed the public IP addresses to be
192.168.x.x just for the sake of not revealing the real IP addresses.
- -----------------------------------
iptables -A INPUT -d 192.168.59.5 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A INPUT -d 192.168.59.7 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A INPUT -d 192.168.56.8 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A INPUT -d 192.168.58.4 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A INPUT -d 192.168.58.37 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A INPUT -d 192.168.57.6 -p icmp -j REJECT --reject-with
icmp-port-unreachable
iptables -A FORWARD -o eth0.5 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0.6 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0.9 -m state --state RELATED,ESTABLISHED -j
ACCEPT
iptables -t nat -A PREROUTING -d 192.168.56.8 -i eth0.9 -j DNAT --to-
destination 10.176.56.8
iptables -t nat -A PREROUTING -d 192.168.59.7 -i eth0.9 -j DNAT --to-
destination 10.176.59.7
iptables -t nat -A PREROUTING -d 192.168.59.5 -i eth0.9 -j DNAT --to-
destination 10.176.59.5
iptables -t nat -A PREROUTING -d 192.168.58.37 -i eth0.9 -j DNAT --to-
destination 10.176.58.37
iptables -t nat -A PREROUTING -d 192.168.58.4 -i eth0.9 -j DNAT --to-
destination 10.176.58.4
iptables -t nat -A PREROUTING -d 192.168.58.21 -i eth0.9 -j DNAT --to-
destination 10.176.58.21
iptables -t nat -A PREROUTING -d 192.168.58.29 -i eth0.9 -j DNAT --to-
destination 10.176.58.29
iptables -t nat -A PREROUTING -d 192.168.56.7 -i eth0.9 -j DNAT --to-
destination 10.176.56.7
iptables -t nat -A PREROUTING -d 192.168.56.5 -i eth0.9 -j DNAT --to-
destination 10.176.56.5
iptables -t nat -A PREROUTING -d 192.168.56.6 -i eth0.9 -j DNAT --to-
destination 10.176.56.6
iptables -t nat -A PREROUTING -d 192.168.57.5 -i eth0.9 -j DNAT --to-
destination 10.176.57.5
iptables -t nat -A POSTROUTING -s 10.176.56.8 -o eth0.9 -j SNAT --to-
source 192.168.56.8
iptables -t nat -A POSTROUTING -s 10.176.59.7 -o eth0.9 -j SNAT --to-
source 192.168.59.7
iptables -t nat -A POSTROUTING -s 10.176.59.5 -o eth0.9 -j SNAT --to-
source 192.168.59.5
iptables -t nat -A POSTROUTING -s 10.176.58.37 -o eth0.9 -j SNAT --to-
source 192.168.58.37
iptables -t nat -A POSTROUTING -s 10.176.58.4 -o eth0.9 -j SNAT --to-
source 192.168.58.4
iptables -t nat -A POSTROUTING -s 10.176.58.21 -o eth0.9 -j SNAT --to-
source 192.168.58.21
iptables -t nat -A POSTROUTING -s 10.176.58.29 -o eth0.9 -j SNAT --to-
source 192.168.58.29
iptables -t nat -A POSTROUTING -s 10.176.56.7 -o eth0.9 -j SNAT --to-
source 192.168.56.7
iptables -t nat -A POSTROUTING -s 10.176.56.5 -o eth0.9 -j SNAT --to-
source 192.168.56.5
iptables -t nat -A POSTROUTING -s 10.176.56.6 -o eth0.9 -j SNAT --to-
source 192.168.56.6
iptables -t nat -A POSTROUTING -s 10.176.57.5 -o eth0.9 -j SNAT --to-
source 192.168.57.5
- -----------------------------------
Currently I don't do any filtering, it just forwards any and all
requests for incoming traffic to whatever I have it set to translate
to. I'm going to create a separate chain for each server and jump to
that chain before I do the DNAT or SNAT rules to do traffic
filtering. Is that a good approach?
Is there anything I should keep in mind when doing this type of setup?
Thanks,
Chris Miller
ServerMotion
www.servermotion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEnt9kxBwlCB7CRwsRAukCAJ91Q6pkkJ4Hc/Fb3PBOVzqjzBvCCACdEOqj
2/DPOQKCVn1n+EEF8s+D5mg=
=I2kw
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Please Review My Rules
2006-06-25 19:09 Please Review My Rules Chris Miller
@ 2006-06-27 16:50 ` Martijn Lievaart
2006-06-27 19:42 ` Chris Miller
0 siblings, 1 reply; 3+ messages in thread
From: Martijn Lievaart @ 2006-06-27 16:50 UTC (permalink / raw)
To: Chris Miller; +Cc: netfilter
Chris Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey guys, if it's not too much trouble I would like to ask you all to
> take a second and review my rules. I have a CentOS box running
> iptables. I have servers in two different VLAN's (VLAN 5 and VLAN 6)
> that are all assigned private IP addresses in the 10.176.x.x range. I
> assign the public IP addresses to the iptables firewall and use
> static 1:1 NAT to translate traffic to the 10.176.x.x block. The
> public network is in VLAN 9.
>
> In my example below, I have changed the public IP addresses to be
> 192.168.x.x just for the sake of not revealing the real IP addresses.
>
> - -----------------------------------
> iptables -A INPUT -d 192.168.59.5 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
> iptables -A INPUT -d 192.168.59.7 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
> iptables -A INPUT -d 192.168.56.8 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
> iptables -A INPUT -d 192.168.58.4 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
> iptables -A INPUT -d 192.168.58.37 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
> iptables -A INPUT -d 192.168.57.6 -p icmp -j REJECT --reject-with
> icmp-port-unreachable
Are these all adresses of the firewall? If not, these rules will not do
anything. If yes, why bother?
If your policy is set to ACCEPT, this will break things (most notably
PMTUD). If your policy is set to DROP, why reject these?
Also note that if these are all the addresses of the firewall itself,
the same can be achieved by simply saying
iptables -A INPUT -p icmp -j REJECT --reject-with
icmp-port-unreachable
Even then, take into account that these addresses are reachable from
both the inside LANS as well as the outside, are you sure you want to
restrict the inside as wel?
Normally I write rules like this:
iptables -A INPUT -i $EXT_IF -j FROM_INTERNET
iptables -A INPUT -i $VLAN5 -j FROM_VLAN5
iptables -A INPUT -i $VLAN6 -j FROM_VLAN6
and the define the respective chains that describe what traffic coming
from that interface is allowed. I seldom make destiction on addresses
(in the INPUT chain), making the distinction on interface is much easier
in the long run.
>
> iptables -A FORWARD -o eth0.5 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -o eth0.6 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0.9 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
Fine, but why not for INPUT and OUTPUT?
>
> iptables -t nat -A PREROUTING -d 192.168.56.8 -i eth0.9 -j DNAT --to-
> destination 10.176.56.8
> iptables -t nat -A PREROUTING -d 192.168.59.7 -i eth0.9 -j DNAT --to-
> destination 10.176.59.7
> iptables -t nat -A PREROUTING -d 192.168.59.5 -i eth0.9 -j DNAT --to-
> destination 10.176.59.5
> iptables -t nat -A PREROUTING -d 192.168.58.37 -i eth0.9 -j DNAT --to-
> destination 10.176.58.37
> iptables -t nat -A PREROUTING -d 192.168.58.4 -i eth0.9 -j DNAT --to-
> destination 10.176.58.4
> iptables -t nat -A PREROUTING -d 192.168.58.21 -i eth0.9 -j DNAT --to-
> destination 10.176.58.21
> iptables -t nat -A PREROUTING -d 192.168.58.29 -i eth0.9 -j DNAT --to-
> destination 10.176.58.29
> iptables -t nat -A PREROUTING -d 192.168.56.7 -i eth0.9 -j DNAT --to-
> destination 10.176.56.7
> iptables -t nat -A PREROUTING -d 192.168.56.5 -i eth0.9 -j DNAT --to-
> destination 10.176.56.5
> iptables -t nat -A PREROUTING -d 192.168.56.6 -i eth0.9 -j DNAT --to-
> destination 10.176.56.6
> iptables -t nat -A PREROUTING -d 192.168.57.5 -i eth0.9 -j DNAT --to-
> destination 10.176.57.5
>
> iptables -t nat -A POSTROUTING -s 10.176.56.8 -o eth0.9 -j SNAT --to-
> source 192.168.56.8
> iptables -t nat -A POSTROUTING -s 10.176.59.7 -o eth0.9 -j SNAT --to-
> source 192.168.59.7
> iptables -t nat -A POSTROUTING -s 10.176.59.5 -o eth0.9 -j SNAT --to-
> source 192.168.59.5
> iptables -t nat -A POSTROUTING -s 10.176.58.37 -o eth0.9 -j SNAT --to-
> source 192.168.58.37
> iptables -t nat -A POSTROUTING -s 10.176.58.4 -o eth0.9 -j SNAT --to-
> source 192.168.58.4
> iptables -t nat -A POSTROUTING -s 10.176.58.21 -o eth0.9 -j SNAT --to-
> source 192.168.58.21
> iptables -t nat -A POSTROUTING -s 10.176.58.29 -o eth0.9 -j SNAT --to-
> source 192.168.58.29
> iptables -t nat -A POSTROUTING -s 10.176.56.7 -o eth0.9 -j SNAT --to-
> source 192.168.56.7
> iptables -t nat -A POSTROUTING -s 10.176.56.5 -o eth0.9 -j SNAT --to-
> source 192.168.56.5
> iptables -t nat -A POSTROUTING -s 10.176.56.6 -o eth0.9 -j SNAT --to-
> source 192.168.56.6
> iptables -t nat -A POSTROUTING -s 10.176.57.5 -o eth0.9 -j SNAT --to-
> source 192.168.57.5
There is a target (was it NETMAP?) that can do this in just two rules,
it maps a complete subnet to another subnet.
> - -----------------------------------
>
> Currently I don't do any filtering, it just forwards any and all
> requests for incoming traffic to whatever I have it set to translate
> to. I'm going to create a separate chain for each server and jump to
> that chain before I do the DNAT or SNAT rules to do traffic
> filtering. Is that a good approach?
Fine. However that is not done before the DNAT, the filter chain is
always executed after the PREROUTING chain. Keep that in mind when using
--destination, you need to match on the DNATted addresses.
>
> Is there anything I should keep in mind when doing this type of setup?
>
I think I covered most.
HTH,
M4
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Please Review My Rules
2006-06-27 16:50 ` Martijn Lievaart
@ 2006-06-27 19:42 ` Chris Miller
0 siblings, 0 replies; 3+ messages in thread
From: Chris Miller @ 2006-06-27 19:42 UTC (permalink / raw)
To: Martijn Lievaart; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks for all the tips, I'll review my rules with this new knowledge.
One thing I did want to mention was I didn't mean to leave the REJECT
statements in there. I had those there for some testing I was doing,
forgot to take them out.
Thanks!
Thanks,
Chris Miller
ServerMotion
www.servermotion.com
On Jun 27, 2006, at 11:50 AM, Martijn Lievaart wrote:
> Chris Miller wrote:
>
> Are these all adresses of the firewall? If not, these rules will
> not do anything. If yes, why bother?
>
> If your policy is set to ACCEPT, this will break things (most
> notably PMTUD). If your policy is set to DROP, why reject these?
>
> Also note that if these are all the addresses of the firewall
> itself, the same can be achieved by simply saying
>
> iptables -A INPUT -p icmp -j REJECT --reject-with icmp-port-
> unreachable
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEoYooxBwlCB7CRwsRAmtrAJ9Fz3gIvh+JHN3bRSl6XNS1eO0g0QCdHRDo
fK3eprj2DrDg4A/NI3x6ChI=
=Lr48
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-06-27 19:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-06-25 19:09 Please Review My Rules Chris Miller
2006-06-27 16:50 ` Martijn Lievaart
2006-06-27 19:42 ` Chris Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.