* DMZ problems
@ 2007-01-19 20:51 Bill Tangren
From: Bill Tangren @ 2007-01-19 20:51 UTC (permalink / raw)
To: netfilter
Hello,
I'm trying to set up a firewall with a DMZ using iptables, but without the use
of NATing. [This firewall is going to be on the SIPRNet, and I'm told that I
cannot use NATing.] I think the lack of NATing is what is causing the problems
here, but I'm not sure. My firewall IP is 10.1.5.94. The server behind the
firewall should have an IP of 10.1.5.95.
I read the iptables man page, and Oskar Andreasson's web site, using his DMZ
example as a guide. I think it LOOKS OK, but no packets seem to be getting
through. The firewall logs don't seem to see any packets coming from the DMZ at
all. The following is a stripped down version of a script I use to start the
firewall.
Would someone please take a quick look at this and tell me what I am doing wrong?
#!/bin/sh
# Path to the iptables binary. The posted script does not define $IPT,
# but every rule below expands it, so it has to be set here.
IPT="/sbin/iptables"
# IP for the firewall
INET_IP="10.1.5.94"
# IP for the web server
HTTP_IP="10.1.5.95"
# name of network card
INET_IFACE="eth0"
# 1.3 DMZ Configuration.
DMZ_HTTP_IP="10.1.5.95"
DMZ_IP="10.1.5.94"
DMZ_IFACE="eth1"
# 1.4 Localhost Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Create the user-defined chains: icmp_packets for ICMP, allowed for TCP
$IPT -N icmp_packets
$IPT -N allowed
# allowed chain
$IPT -A allowed -p TCP --syn -j ACCEPT
$IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed -p TCP -j DROP
# icmp_packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# INPUT chain
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# FORWARD chain
$IPT -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--destination-port 80 -j allowed
$IPT -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets
# OUTPUT chain
$IPT -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
I get quite a number of packets from eth0 (the internet side) that show up in
the log as "INPUT packet died:", but NOTHING from eth1. I am running this on a
Redhat Enterprise Linux ES 4 server, fully patched. I'm using iptables version
1.2.11-3.1.RHEL4.
In this post, I removed all the lines I inserted into the script to log each
rule above, and the lines I used to delete old rules and chains.
Any ideas?
Bill Tangren
* Re: DMZ problems
From: Michael Gale @ 2007-01-23 14:41 UTC (permalink / raw)
To: Bill Tangren; +Cc: netfilter
Hey,
Why can you not use DNAT ?
If you cannot NAT the traffic then it needs to function as a router or a bridge. A lot of companies use an "Interconnect": the ISP will provide a small public subnet which is available behind a public IP.
So our ISP provides us with a /27 subnet of public IPs available behind a public IP:
ISP -> route (X.X.X.X/27) -> external IP (Cisco router) Internal IP[X.X.X.X/27]
So on the "internal" side of our Cisco router is a small /27 public routable network. We then assign the public IPs to our firewall and other systems if needed.
You could do the same, if you were provided a small subnet. You could also create a bridge.
Michael
Bill Tangren wrote:
> Hello,
>
> I'm trying to set up a firewall with a DMZ using iptables, but without
> the use of NATing. [This firewall is going to be on the SIPRNet, and I'm
> told that I cannot use NATing.] I think the lack of NATing is what is
> causing the problems here, but I'm not sure. My firewall IP is
> 10.1.5.94. The server behind the firewall should have an IP of 10.1.5.95.
>
> I read the iptables man page, and Oskar Andreasson's web site, using his
> DMZ example as a guide. I think it LOOKS OK, but no packets seem to be
> getting through. The firewall logs don't seem to see any packets coming
> from the DMZ at all. The following is a stripped down version of a
> script I use to start the firewall.
>
> Would someone please take a quick look at this and tell me what I am
> doing wrong?
>
> #!/bin/sh
> # IP for the firewall
> INET_IP="10.1.5.94"
> # IP for the web server
> HTTP_IP="10.1.5.95"
> # name of network card
> INET_IFACE="eth0"
>
> # 1.3 DMZ Configuration.
> DMZ_HTTP_IP="10.1.5.95"
> DMZ_IP="10.1.5.94"
> DMZ_IFACE="eth1"
>
> # 1.4 Localhost Configuration.
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
>
> # Create another chain to filter bad tcp packets
> $IPT -N icmp_packets
> $IPT -N allowed
>
> # allowed chain
> $IPT -A allowed -p TCP --syn -j ACCEPT
> $IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A allowed -p TCP -j DROP
>
> # icmp_packets
> $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
> $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
> # INPUT chain
> $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
> $IPT -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> # FORWARD chain
> $IPT -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
> $IPT -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
> --destination-port 80 -j allowed
> $IPT -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
> -j icmp_packets
>
> # OUTPUT chain
> $IPT -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
> --log-prefix "OUTPUT packet died: "
>
>
> I get quite a number of packets from eth0 (the internet side) that show
> up in the log as "INPUT packet died:", but NOTHING from eth1. I am
> running this on a Redhat Enterprise Linux ES 4 server, fully patched.
> I'm using iptables version 1.2.11-3.1.RHEL4.
>
> In this post, I removed all the lines I inserted into the script to log
> each rule above, and the lines I used to delete old rules and chains.
>
> Any ideas?
>
> Bill Tangren
>
--
Michael Gale
Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.
* Re: DMZ problems
From: Bill Tangren @ 2007-01-25 22:22 UTC (permalink / raw)
Cc: netfilter
Michael Gale wrote:
> Hey,
>
> Why can you not use DNAT ?
>
We are not allowed to "hide" servers in a private network behind a firewall. All
servers have to have public IP numbers.
    eth0: 199.202.112.127/28 | eth1: 199.202.112.127/29          199.202.112.132
                   ------------                                   ----------
{Internet}------->|  Firewall  |-------------------------------->|  server  |
                   ------------                                   ----------
Let's say I've been allocated 199.202.112.127/28 (these are made up addresses)
by my ISP, and I'm told to netmask as 255.255.255.0. Let's say I assign my
firewall the IP address of 199.202.112.130 with a netmask of 255.255.255.0 as
required. My /etc/sysconfig/network-scripts/ifcfg-eth0 will look something like
this:
DEVICE=eth0
BOOTPROTO=static
BROADCAST=199.202.112.255
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.130
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=199.202.112.1
I can then subnet eth1 as, let's say 199.202.112.127/29, but I cannot create a
private network, so /etc/sysconfig/network-scripts/ifcfg-eth1 would have to look
something like this:
DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.134
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.127
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet
The problem I'm having is the netmask for the outside NIC (eth0) overlaps the
netmask for the DMZ side NIC (eth1). If I try to ping a server connected via hub
to eth1 on the firewall FROM the firewall:
# ping 199.202.112.132
Destination host unreachable
but
# ping -I eth1 199.202.112.132
works. I need to have all of the servers on the DMZ pingable from the Internet,
but still protected by a firewall.
I believe I have iptables set up to adequately protect the DMZ, but I have not
been able to solve the problem outlined above.
> If you can not NAT the traffic then it needs to function as a router or
> a bridge. A lot of companies use an "Interconnect": the ISP will provide
> a small public subnet which is available behind a public IP.
>
> So our ISP provides us with a /27 subnet of public IPs available behind
> a public IP:
>
> ISP -> route (X.X.X.X/27) -> external IP (Cisco router) Internal
> IP[X.X.X.X/27]
>
> So on the "internal" side of our Cisco router is a small /27 public
> routable network. We then assign the public IPs to our firewall and
> other systems if needed.
>
> You could do the same, if you were provided a small subnet. You could
> also create a bridge.
>
> Michael
>
>
Sorry Michael about the off list post.
* Re: DMZ problems
From: Ted Phelps @ 2007-01-26 11:13 UTC (permalink / raw)
To: netfilter
Bill Tangren writes:
> Let's say I've been allocated 199.202.112.127/28 (these are made up addresses)
> by my ISP, and I'm told to netmask as 255.255.255.0. Let's say I assign my
> firewall the IP address of 199.202.112.130 with a netmask of 255.255.255.0 as
> required.
>
> # ping 199.202.112.132
> Destination host unreachable
>
> but
>
> # ping -I eth1 199.202.112.132
>
> works.
Try using 255.255.255.240 as your netmask instead?
Cheers,
-Ted
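The firewall's own route lookup is what decides whether a packet for the DMZ server leaves via eth1 or eth0, so it is worth checking before blaming the iptables rules from the first post. The Python below is an added example, not code from the thread: it takes the two ifcfg files Bill posted (made-up addresses, as he says), rebuilds the connected routes the kernel derives from IPADDR/NETMASK, and runs the longest-prefix-match lookup for the server at 199.202.112.132; edit the NETMASK lines to try Ted's 255.255.255.240.

```python
import ipaddress

# Constructed from the two ifcfg files quoted in the thread (the poster's
# made-up addresses); only the fields that affect routing are kept.
IFCFG_ETH0 = """\
DEVICE=eth0
IPADDR=199.202.112.130
NETMASK=255.255.255.0
GATEWAY=199.202.112.1
"""
IFCFG_ETH1 = """\
DEVICE=eth1
IPADDR=199.202.112.127
NETMASK=255.255.255.248
"""

def parse_ifcfg(text):
    """Return the KEY=value pairs of an ifcfg file as a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def connected_routes(*ifcfg_texts):
    """Routes the kernel installs from each NIC's IPADDR/NETMASK, plus a
    default route for a GATEWAY line: list of (network, iface)."""
    routes = []
    for text in ifcfg_texts:
        cfg = parse_ifcfg(text)
        nic = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
        routes.append((nic.network, cfg["DEVICE"]))
        if "GATEWAY" in cfg:
            routes.append((ipaddress.ip_network("0.0.0.0/0"), cfg["DEVICE"]))
    return routes

def route_lookup(dest, routes):
    """Longest-prefix match as the kernel does it: the most specific
    network containing dest wins; returns the outgoing interface name."""
    dest = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, iface) for net, iface in routes if dest in net]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches)[1]

if __name__ == "__main__":
    routes = connected_routes(IFCFG_ETH0, IFCFG_ETH1)
    for net, iface in routes:
        print(f"{net!s:20} dev {iface}  (broadcast {net.broadcast_address})")
    print("199.202.112.132 ->", route_lookup("199.202.112.132", routes))
```

The printed route list also shows the host range each NETMASK actually gives an interface, which is the quickest way to see whether the DMZ server's address falls inside the eth1 network at all.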