From: "Per Jørgensen" <pj4a@dmusyd.edu>
To: "Gáspár Lajos" <swifty@freemail.hu>, netfilter@lists.netfilter.org
Subject: Re: Problem about LAN/DMZ
Date: Wed, 23 Aug 2006 10:03:23 +0200
Message-ID: <44EC0BCB.8050102@dmusyd.edu>
In-Reply-To: <44EC0A51.5000103@freemail.hu>

Gáspár Lajos wrote:
> Per Jørgensen wrote:
>> Hey Netfilter!
>> I have been studying netfilter for several days now to build my own
>> firewall, but I have run into a problem, and it goes like this:
>> The machine, a Soekris 4801 running Debian Sarge, is my firewall:
>> eth0 --> WAN --> Directly connected to the internet
>> eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
>> eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1
>> I have installed bind, it is running perfectly, and nslookup shows the
>> correct things.
>> In the zone file I have named the servers with their external IP.
>>
>> The iptables script is a bash file with these rules for:
>> the interfaces:
>> lan:
>> $IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
>> dmz:
>> $IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT
>> wan:
>> $IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> The connections:
>> lantowan:
>> $IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
>> lantodmz:
>> $IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
>> dmztolan:
>> $IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
>> dmztowan:
>> $IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT
>> $IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
>> wantolan:
>> $IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
>> wantodmz:
>> ## HTTP ##
>> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
>> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 80 -j ACCEPT
>> ## SSH ##
>> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
>> $IPTABLES -A wantodmz -s $SSH -d $ATLANTIS -p tcp --dport 22 -j ACCEPT
>> ## SMTP ##
>> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
>> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 25 -j ACCEPT
>> ## IMAP ##
>> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143
>> $IPTABLES -A wantodmz -d $ATLANTIS -p tcp --dport 143 -j ACCEPT
>>
>> the masquerade:
>> $IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
>> $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
>>
>> Appending the chains:
>> $IPTABLES -A INPUT -i $WAN -j wan
>> $IPTABLES -A INPUT -i $LAN -j lan
>> $IPTABLES -A INPUT -i $DMZ -j dmz
>> $IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz
>> $IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
>> $IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan
>> $IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan
>> $IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz
>> $IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan
>>
>> The funny part is that it was working earlier today. Afterwards, having
>> set it all up, I did a reboot and deleted the uncommented lines (and
>> perhaps deleted a rule). I have lost track of where this should be, and
>> hopefully I'll be able to get some help here?
>> Thanks
>>
> I have reordered and hopefully repaired your script and added some 
> comments:
>
> #eth0 --> WAN --> Directly connected to the internet
> #eth1 --> LAN --> 172.16.0.0/24 --> eth1 address 0.1
> #eth2 --> DMZ --> 172.16.10.0/24 --> eth2 address 10.1
>
> $IPTABLES -t nat -F
> $IPTABLES -t nat -X 2>/dev/null
>
> $IPTABLES -t filter -F
> $IPTABLES -t filter -X 2>/dev/null
>
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
>
> $IPTABLES -t filter -P INPUT DROP
> $IPTABLES -t filter -P FORWARD DROP
> $IPTABLES -t filter -P OUTPUT ACCEPT
>
> ## COMMON ##
>
> $IPTABLES -N connected
> $IPTABLES -A connected -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ## NAT ##
>
> # PREROUTING #
>
> $IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp -m multiport --dports 22,25,80,143 -j DNAT --to-destination $ATLANTIS
> #$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 22 -j DNAT --to-destination $ATLANTIS:22
> #$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25
> #$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
> #$IPTABLES -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 143 -j DNAT --to-destination $ATLANTIS:143
>
> # POSTROUTING #
>
> $IPTABLES -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
> #$IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j SNAT --to-source $WAN_IP
> #$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
>
> ## FILTER ##
>
> # INPUT #
>
> $IPTABLES -A INPUT -j connected
> $IPTABLES -A INPUT ! -i $WAN -j ACCEPT
>
>
> #$IPTABLES -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A INPUT -i $WAN -j wan
>
> #$IPTABLES -A INPUT -i $LAN -m state --state NEW -j ACCEPT
> #$IPTABLES -A INPUT -i $LAN -j lan
>
> #$IPTABLES -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A dmz -s $LAN_NET -m state --state NEW -j ACCEPT 
> #?????????? Interface=DMZ AND Source=172.16.0.0/24 ????????????
> #$IPTABLES -A INPUT -i $DMZ -j dmz
>
> # FORWARD #
>
> $IPTABLES -A FORWARD -j connected
>
> $IPTABLES -N atlantis
> $IPTABLES -A atlantis -p tcp --dport 22 -s $SSH -j ACCEPT
> $IPTABLES -A atlantis -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A atlantis -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A atlantis -p tcp --dport 143 -j ACCEPT
> $IPTABLES -N wantodmz
> $IPTABLES -A wantodmz -d $ATLANTIS -j atlantis
> $IPTABLES -A FORWARD -i $WAN -o $DMZ -j wantodmz
>
> #$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
>
> #$IPTABLES -A dmztowan -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A FORWARD -i $DMZ -o $WAN -j dmztowan
>
> $IPTABLES -N dmztolan
> #$IPTABLES -A dmztolan -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A dmztolan -i $DMZ -o $WAN -p tcp --dport 25 -j ACCEPT # !!!! NEVER GETS USED !!!! -o $LAN OR -o $WAN ??????
> $IPTABLES -A dmztolan -i $DMZ -p tcp --dport 25 -j ACCEPT # THIS WORKS !!!
> $IPTABLES -A FORWARD -i $DMZ -o $LAN -j dmztolan
>
> $IPTABLES -N lantodmz
> $IPTABLES -A lantodmz -s $LAN_NET -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $DMZ -j lantodmz
>
> $IPTABLES -N lantowan
> $IPTABLES -A lantowan -s $LAN_NET -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan
>
> Swifty
Thanks Swifty!
As I can see from your writing, there's still a lot of rewriting for me
to do!
I will try your script when I come home from school!

I added the following line to my script late last night and got it to work.
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d $ATLANTIS -j SNAT --to $WAN_IP

But I can still see that there's a lot for me to learn. Good thing I have
now ordered the book from O'Reilly.
Thanks
Per Jørgensen
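The ruleset the thread converges on, written out as an added example rather than as either poster's code. It keeps the page's interface and chain names and the two private networks, declares the nat and filter tables in iptables-restore format (one atomic load instead of a sequence of iptables calls; no nat INPUT chain is declared because kernels of the Sarge era do not have one), and adds what a practitioner would want on top: loopback and anti-spoofing rules, the outbound SMTP rule in dmztowan rather than dmztolan, the hairpin SNAT narrowed to the DMZ leg, and a small lint, find_dead_rules, that flags any rule whose -i/-o can never match inside the chain it was appended to, which is exactly the mistake Swifty marks with "NEVER GETS USED". WAN_IP (203.0.113.10), ATLANTIS (172.16.10.2) and SSH (198.51.100.5) are placeholder values chosen here because the thread never shows them, and find_dead_rules is a helper written for this example, not a netfilter tool.

```shell
#!/bin/sh
# Added example, not code from the thread: emits the LAN/DMZ ruleset in
# iptables-restore format and lints it for rules that can never match inside
# their chain (the dmztowan rule that landed in dmztolan). Interfaces and the
# two /24s come from the page; WAN_IP, ATLANTIS and SSH are placeholders.
WAN=${WAN:-eth0}; LAN=${LAN:-eth1}; DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-172.16.0.0/24}; DMZ_NET=${DMZ_NET:-172.16.10.0/24}
WAN_IP=${WAN_IP:-203.0.113.10}      # placeholder external address
ATLANTIS=${ATLANTIS:-172.16.10.2}   # assumed DMZ address of the server
SSH=${SSH:-198.51.100.5}            # placeholder admin source for port 22

gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# No -i on the DNAT: LAN clients resolve the server to $WAN_IP and need it too.
-A PREROUTING -d $WAN_IP -p tcp -m multiport --dports 22,25,80,143 -j DNAT --to-destination $ATLANTIS
# The thread's hairpin fix, narrowed to the DMZ leg; it matters when the server
# could answer the client without crossing the firewall, and it hides the
# real LAN client address from the server's logs.
-A POSTROUTING -s $LAN_NET -d $ATLANTIS -o $DMZ -j SNAT --to-source $WAN_IP
-A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:connected - [0:0]
:atlantis - [0:0]
:wantodmz - [0:0]
:dmztowan - [0:0]
:dmztolan - [0:0]
:lantodmz - [0:0]
:lantowan - [0:0]
-A connected -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j connected
# Anti-spoofing: LAN addresses never legitimately arrive on the DMZ leg.
-A INPUT -i $DMZ -s $LAN_NET -j DROP
-A INPUT -i $LAN -m state --state NEW -j ACCEPT
# bind runs on the firewall (per the thread); the DMZ may only reach DNS.
-A INPUT -i $DMZ -s $DMZ_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $DMZ -s $DMZ_NET -p tcp --dport 53 -j ACCEPT
-A FORWARD -j connected
-A FORWARD -i $DMZ -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# FORWARD runs after DNAT, so the per-host policy matches the inside address.
-A atlantis -p tcp --dport 22 -s $SSH -j ACCEPT
-A atlantis -p tcp -m multiport --dports 25,80,143 -j ACCEPT
-A wantodmz -d $ATLANTIS -j atlantis
-A FORWARD -i $WAN -o $DMZ -j wantodmz
# Outbound mail from the DMZ host belongs here, not in dmztolan.
-A dmztowan -s $ATLANTIS -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -j dmztowan
# DMZ -> LAN: nothing NEW; replies were already accepted by "connected".
-A FORWARD -i $DMZ -o $LAN -j dmztolan
-A lantodmz -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j lantodmz
-A lantowan -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j lantowan
COMMIT
EOF
}

# Reads a ruleset on stdin and prints every rule whose -i/-o can never match,
# given the one FORWARD rule that dispatches into its chain (as on the page).
find_dead_rules() {
    awk '
    $1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i+1)
            else if ($i == "-o") out_if = $(i+1)
            else if ($i == "-j") target = $(i+1)
        }
        if (target != "") { din[target] = in_if; dout[target] = out_if }
        next
    }
    $1 == "-A" { rules[++r] = $0 }
    END {
        for (k = 1; k <= r; k++) {
            n = split(rules[k], f, " "); chain = f[2]; dead = 0
            if (!(chain in din)) continue
            for (i = 3; i <= n; i++) {
                if (f[i] == "-i" && din[chain] != "" && f[i+1] != din[chain]) dead = 1
                if (f[i] == "-o" && dout[chain] != "" && f[i+1] != dout[chain]) dead = 1
            }
            if (dead) print rules[k]
        }
    }'
}

case "${1:-print}" in
    lint)  gen_ruleset | find_dead_rules ;;
    apply) gen_ruleset | iptables-restore ;;   # as root, on the firewall
    *)     gen_ruleset ;;
esac
```

Run it with no argument to print the ruleset, with `lint` to check it, or with `apply` on the firewall as root; on recent iptables, `iptables-restore --test < rules` parses a saved copy without loading it. The DNAT rule carries no -i on purpose, so that LAN clients which resolve the server to its external address (the zone file on the page does that) are redirected as well; the alternative is a split-horizon zone that hands LAN clients the DMZ address directly, which also keeps the real client address in the server's logs.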


Thread overview: 5+ messages
2006-08-22 19:32 Problem about LAN/DMZ Per Jørgensen
2006-08-23  7:57 ` Gáspár Lajos
2006-08-23  8:03   ` Per Jørgensen [this message]
2006-08-23 15:37 ` P-O-M - cvs server down? Pablo Sanchez
2006-08-23 16:38   ` Rob Sterenborg
