From: "Gáspár Lajos" <swifty@freemail.hu>
To: "Per Jørgensen" <pj4a@dmusyd.edu>
Cc: netfilter@lists.netfilter.org
Subject: Re: Problem about LAN/DMZ
Date: Wed, 23 Aug 2006 09:57:05 +0200
Message-ID: <44EC0A51.5000103@freemail.hu>
In-Reply-To: <44EB5BCA.2010504@dmusyd.edu>
Per Jørgensen wrote:
> Hey Netfilter!
> I have been studying netfilter for several days now for building my
> own firewall. But I have run into a problem, and it goes like this:
> The machine Soekris 4801 Debian Sarge is my firewall
> eth0 --> WAN --> Directly connected to the internet
> eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
> eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1
> I have installed bind and it is running perfectly, and NSLOOKUP is
> showing the correct things.
> In the zone file I have named the servers with their external IP.
>
> The IPTABLES script is a bash file with these rules for:
> the interfaces:
> lan:
> $IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
> dmz:
> $IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT
> wan:
> $IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The connections:
> lantowan:
> $IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
> lantodmz:
> $IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
> dmztolan:
> $IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> dmztowan:
> $IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> wantolan:
> $IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
> wantodmz:
> ## HTTP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 80 -j ACCEPT
> ## SSH ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
> $IPTABLES -A wantodmz -s $SSH -d $ATLANTIS -p tcp --dport 22 -j ACCEPT
> ## SMTP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 25 -j ACCEPT
> ## IMAP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 143 -j ACCEPT
>
> the masquerade:
> $IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
> $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
>
> Appending the chains:
> $IPTABLES -A INPUT -i $WAN -j wan
> $IPTABLES -A INPUT -i $LAN -j lan
> $IPTABLES -A INPUT -i $DMZ -j dmz
> $IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz
> $IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
> $IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan
> $IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan
> $IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz
> $IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan
>
> The funny part is that it was working earlier today - And afterwards
> setting it all up - I did a reboot and deleted the uncommented lines
> - (And perhaps deleted a rule) I have lost the look for where this
> should be - and hopefully I'll be able to get some help here????
> Thanks
>
I have reordered and hopefully repaired your script and added some comments:
#eth0 --> WAN --> Directly connected to the internet
#eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
#eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1
# flush both tables, drop leftover user chains and set the default policies
$IPTABLES -t nat -F
$IPTABLES -t nat -X 2>/dev/null
$IPTABLES -t filter -F
$IPTABLES -t filter -X 2>/dev/null
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
## COMMON ##
# one shared chain for reply traffic, used from both INPUT and FORWARD
$IPTABLES -X connected 2>/dev/null
$IPTABLES -N connected
$IPTABLES -A connected -m state --state ESTABLISHED,RELATED -j ACCEPT
## NAT ##
# PREROUTING #
# one multiport DNAT replaces the four single-port ones below
$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp -m multiport --dports 22,25,80,143 -j DNAT --to-destination $ATLANTIS
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143
# POSTROUTING #
# everything leaving on the WAN interface is source-NATed, so one rule is enough
$IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
#$IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
#$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
## FILTER ##
# INPUT #
$IPTABLES -A INPUT -j connected
# new connections to the firewall itself are accepted from any interface except WAN
$IPTABLES -A INPUT ! -i $WAN -j ACCEPT
#$IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $WAN -j wan
#$IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -j lan
#$IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT #?????????? Interface=DMZ AND Source=172.16.0.0/24 ????????????
#$IPTABLES -A INPUT -i $DMZ -j dmz
# FORWARD #
$IPTABLES -A FORWARD -j connected
# per-host chain for the DMZ server; only these four services are reachable from WAN
$IPTABLES -X atlantis 2>/dev/null
$IPTABLES -N atlantis
$IPTABLES -A atlantis -p tcp --dport 22 -s $SSH -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 25 -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 80 -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 143 -j ACCEPT
$IPTABLES -X wantodmz 2>/dev/null
$IPTABLES -N wantodmz
$IPTABLES -A wantodmz -d $ATLANTIS -j atlantis
$IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz
#$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
#$IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan
$IPTABLES -X dmztolan 2>/dev/null
$IPTABLES -N dmztolan
#$IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT # !!!! NEVER GET USED !!!! -o $LAN OR -o $WAN ??????
$IPTABLES -A dmztolan -i $DMZ -p tcp --dport 25 -j ACCEPT # THIS WORKS !!!
$IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan
$IPTABLES -X lantodmz 2>/dev/null
$IPTABLES -N lantodmz
$IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz
$IPTABLES -X lantowan 2>/dev/null
$IPTABLES -N lantowan
$IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan
Swifty
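An added example, not code from either message in the thread: a small model of netfilter chain traversal, enough to show why a rule with "-o $WAN" appended to the dmztolan chain (which FORWARD only enters for "-i $DMZ -o $LAN" traffic) is unreachable, and that the same rule placed in dmztowan matches. Interface names follow the thread (eth0 WAN, eth1 LAN, eth2 DMZ); the packets fed in are constructed.

```python
# Added example, not code from the thread: a small model of netfilter chain
# traversal showing why the quoted "-A dmztolan -i $DMZ -o $WAN --dport 25"
# rule can never match. Interfaces as in the thread: eth0 WAN, eth1 LAN,
# eth2 DMZ. The packets fed in below are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    in_if: str
    out_if: str
    dport: int
    state: str = "NEW"            # conntrack state of the packet

@dataclass
class Rule:
    target: str                   # ACCEPT, DROP or a user chain name
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    dport: Optional[int] = None   # --dport
    states: Tuple[str, ...] = ()  # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.dport is None or p.dport == self.dport)
                and (not self.states or p.state in self.states))

def verdict(chains, chain, p, policy="DROP"):
    """First matching terminal rule wins; a user chain that falls off its end returns to the caller."""
    for r in chains.get(chain, []):
        if not r.matches(p):
            continue
        if r.target in ("ACCEPT", "DROP"):
            return r.target
        v = verdict(chains, r.target, p, policy=None)
        if v is not None:
            return v
    return policy

def build(smtp_chain):
    """FORWARD dispatch as posted; the DMZ->WAN port-25 ACCEPT goes into
    smtp_chain: "dmztolan" (as posted) or "dmztowan" (where it belongs)."""
    est = Rule("ACCEPT", states=("ESTABLISHED", "RELATED"))
    chains = {"FORWARD": [Rule("dmztowan", in_if="eth2", out_if="eth0"),
                          Rule("dmztolan", in_if="eth2", out_if="eth1")],
              "dmztowan": [est], "dmztolan": [est]}
    chains[smtp_chain].insert(0, Rule("ACCEPT", in_if="eth2", out_if="eth0", dport=25))
    return chains

def forward_verdict(smtp_chain, out_if, dport=25):
    return verdict(build(smtp_chain), "FORWARD", Packet("eth2", out_if, dport))
```

With the rule in dmztolan, a new DMZ-to-WAN SMTP connection ends up in dmztowan, finds only the ESTABLISHED rule and falls through to the FORWARD policy (DROP); a DMZ-to-LAN packet does reach dmztolan but fails the "-o eth0" match, so the rule is dead either way.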
Thread overview: 5+ messages
2006-08-22 19:32 Problem about LAN/DMZ Per Jørgensen
2006-08-23 7:57 ` Gáspár Lajos [this message]
2006-08-23 8:03 ` Per Jørgensen
2006-08-23 15:37 ` P-O-M - cvs server down? Pablo Sanchez
2006-08-23 16:38 ` Rob Sterenborg