From: Gáspár Lajos
Subject: Re: Problem about LAN/DMZ
Date: Wed, 23 Aug 2006 09:57:05 +0200
Message-ID: <44EC0A51.5000103@freemail.hu>
References: <44EB5BCA.2010504@dmusyd.edu>
In-Reply-To: <44EB5BCA.2010504@dmusyd.edu>
To: Per Jørgensen
Cc: netfilter@lists.netfilter.org

Per Jørgensen wrote:
> Hey Netfilter!
>
> I have been studying netfilter for several days now for building my
> own firewall. But I have run into a problem, and it goes like this:
>
> The machine Soekris 4801 Debian Sarge is my firewall
> eth0 --> WAN --> Directly connected to the internet
> eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
> eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1
>
> I have installed bind and it is running perfectly, and NSLOOKUP is
> showing the correct things.
> In the zone file I have named the servers with their external IP.
>
> The IPTABLES script is a bash file with these rules for:
>
> the interfaces:
> lan:
> $IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
> dmz:
> $IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT
> wan:
> $IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> The connections:
> lantowan:
> $IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
> lantodmz:
> $IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
> dmztolan:
> $IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> dmztowan:
> $IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> wantolan:
> $IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
> wantodmz:
> ## HTTP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 80 -j ACCEPT
> ## SSH ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
> $IPTABLES -A wantodmz -s $SSH -d $ATLANTIS -p tcp --dport 22 -j ACCEPT
> ## SMTP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 25 -j ACCEPT
> ## IMAP ##
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143
> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 143 -j ACCEPT
>
> the masquerade:
> $IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
> $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
>
> Appending the chains:
> $IPTABLES -A INPUT -i $WAN -j wan
> $IPTABLES -A INPUT -i $LAN -j lan
> $IPTABLES -A INPUT -i $DMZ -j dmz
> $IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz
> $IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
> $IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan
> $IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan
> $IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz
> $IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan
>
> The funny part is that it was working earlier today - and after
> setting it all up I did a reboot and deleted the uncommented lines
> - (and perhaps deleted a role). I have lost the look for where this
> should be - and hopefully I'll be able to get some help here????
>
> Thanks
>

I have reordered and hopefully repaired your script and added some comments:

#eth0 --> WAN --> Directly connected to the internet
#eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
#eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1

# flush and delete everything, then set the default policies
$IPTABLES -t nat -F
$IPTABLES -t nat -X 2>/dev/null
$IPTABLES -t filter -F
$IPTABLES -t filter -X 2>/dev/null

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT

## COMMON ##
# one shared chain for reply traffic, used by INPUT and FORWARD
$IPTABLES -N connected
$IPTABLES -A connected -m state --state ESTABLISHED,RELATED -j ACCEPT

## NAT ##
# PREROUTING #
$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp -m multiport --dports 22,25,80,143 -j DNAT --to-destination $ATLANTIS
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
#$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143

# POSTROUTING #
$IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
#$IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
#$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP

## FILTER ##
# INPUT #
$IPTABLES -A INPUT -j connected
$IPTABLES -A INPUT ! -i $WAN -j ACCEPT
#$IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $WAN -j wan
#$IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -j lan
#$IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT
# ?????????? Interface=DMZ AND Source=172.16.0.0/24 ????????????
#$IPTABLES -A INPUT -i $DMZ -j dmz

# FORWARD #
$IPTABLES -A FORWARD -j connected

$IPTABLES -N atlantis
$IPTABLES -A atlantis -p tcp --dport 22 -s $SSH -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 25 -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 80 -j ACCEPT
$IPTABLES -A atlantis -p tcp --dport 143 -j ACCEPT

$IPTABLES -N wantodmz
$IPTABLES -A wantodmz -d $ATLANTIS -j atlantis
$IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz

#$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan

#$IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan

$IPTABLES -N dmztolan
#$IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT
# !!!! NEVER GET USED !!!! -o $LAN OR -o $WAN ??????
$IPTABLES -A dmztolan -i $DMZ -p tcp --dport 25 -j ACCEPT # THIS WORKS !!!
$IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan

$IPTABLES -N lantodmz
$IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz

$IPTABLES -N lantowan
$IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan

Swifty
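As an added example (not part of the thread and not netfilter itself), the following Python model walks a packet through the FORWARD side of the chain layout discussed above, so the effect of the per-direction chains can be checked without a Soekris box. Interfaces and subnets are the ones from the post; the ATLANTIS, SSH and outside-client addresses are constructed placeholders, and the conntrack state is supplied as a packet field rather than looked up. The model puts the outbound SMTP rule into a dmztowan chain (in the original post it was appended to dmztolan), so it shows the intended policy: the DMZ host may send mail out and answer what was forwarded to it, but cannot open new connections into the LAN, and SSH from the WAN is accepted only from the one admin address.

```python
import ipaddress
import shlex

# Interfaces and subnets as given in the thread; ATLANTIS, SSH_ADMIN and the
# outside client address are constructed placeholders (the post does not
# state the real values).
WAN, LAN, DMZ = "eth0", "eth1", "eth2"
LAN_NET, DMZ_NET = "172.16.0.0/24", "172.16.10.0/24"
ATLANTIS = "172.16.10.2"     # placeholder: the DMZ server behind the DNAT rules
SSH_ADMIN = "203.0.113.5"    # placeholder: the one outside host allowed to SSH in

# FORWARD-side rules of the corrected layout, in iptables syntax. Packets are
# assumed to have passed nat PREROUTING already, so a port forward from the
# WAN arrives here with -d ATLANTIS. The outbound SMTP rule lives in its own
# dmztowan chain (in the original post it was appended to dmztolan by mistake).
RULES = f"""
-P FORWARD DROP
-N connected
-A connected -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j connected
-N atlantis
-A atlantis -p tcp --dport 22 -s {SSH_ADMIN} -j ACCEPT
-A atlantis -p tcp --dport 25 -j ACCEPT
-A atlantis -p tcp --dport 80 -j ACCEPT
-A atlantis -p tcp --dport 143 -j ACCEPT
-N wantodmz
-A wantodmz -d {ATLANTIS} -j atlantis
-A FORWARD -i {WAN} -o {DMZ} -j wantodmz
-N dmztowan
-A dmztowan -i {DMZ} -o {WAN} -p tcp --dport 25 -j ACCEPT
-A FORWARD -i {DMZ} -o {WAN} -j dmztowan
-N lantodmz
-A lantodmz -s {LAN_NET} -j ACCEPT
-A FORWARD -i {LAN} -o {DMZ} -j lantodmz
-N lantowan
-A lantowan -s {LAN_NET} -j ACCEPT
-A FORWARD -i {LAN} -o {WAN} -j lantowan
"""


def load(text):
    """Parse -P/-N/-A lines into {chain: [rule, ...]} and {chain: policy}."""
    chains, policy = {}, {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[0] == "-P":
            chains.setdefault(argv[1], [])
            policy[argv[1]] = argv[2]
        elif argv[0] == "-N":
            chains[argv[1]] = []
        elif argv[0] == "-A":
            rule, i = {}, 2
            while i < len(argv):
                if argv[i] == "-m":      # "-m state" only loads the match module
                    i += 2
                    continue
                rule[argv[i]] = argv[i + 1]
                i += 2
            chains.setdefault(argv[1], []).append(rule)
    return chains, policy


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, pkt):
    """True when every match option of the rule agrees with the packet."""
    checks = {
        "-i": lambda v: pkt["in"] == v,
        "-o": lambda v: pkt["out"] == v,
        "-s": lambda v: in_net(pkt["src"], v),
        "-d": lambda v: in_net(pkt["dst"], v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt != "-j")


def verdict(chains, policy, chain, pkt):
    """Walk a chain the way netfilter does: the first terminating target wins,
    a user chain with no match falls through (implicit RETURN), and the
    built-in chain's policy decides when nothing matched."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target in ("ACCEPT", "DROP"):
            return target
        result = verdict(chains, policy, target, pkt)
        if result is not None:
            return result
    return policy.get(chain)


CHAINS, POLICY = load(RULES)


def forward(in_if, out_if, src, dst, dport, state="NEW", proto="tcp"):
    """Verdict for a routed packet; 'state' stands in for the conntrack lookup."""
    pkt = {"in": in_if, "out": out_if, "src": src, "dst": dst,
           "dport": dport, "state": state, "proto": proto}
    return verdict(CHAINS, POLICY, "FORWARD", pkt)


if __name__ == "__main__":
    outside = "198.51.100.7"   # constructed: an arbitrary internet client
    cases = [
        ("WAN -> ATLANTIS:80 (NEW)", (WAN, DMZ, outside, ATLANTIS, 80)),
        ("WAN -> ATLANTIS:22 from stranger", (WAN, DMZ, outside, ATLANTIS, 22)),
        ("WAN -> ATLANTIS:22 from admin", (WAN, DMZ, SSH_ADMIN, ATLANTIS, 22)),
        ("DMZ -> LAN:445 (NEW)", (DMZ, LAN, ATLANTIS, "172.16.0.20", 445)),
        ("DMZ -> WAN:25 (NEW)", (DMZ, WAN, ATLANTIS, outside, 25)),
        ("LAN -> WAN:443 (NEW)", (LAN, WAN, "172.16.0.20", outside, 443)),
    ]
    for label, args in cases:
        print(f"{label:36} {forward(*args)}")
    print(f"{'WAN -> LAN reply (ESTABLISHED)':36} "
          f"{forward(WAN, LAN, outside, '172.16.0.20', 51000, state='ESTABLISHED')}")
```

Running the block prints one verdict per line; the two rows worth comparing are the DMZ-to-LAN NEW connection (DROP, because no chain accepts it and the FORWARD policy is DROP) and the WAN-to-LAN ESTABLISHED reply (ACCEPT via the shared connected chain), which together are what a separate dmztolan chain full of ESTABLISHED,RELATED rules was trying to express.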