newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

[David Williamson]

I'm brand new at this but have managed to get my Ubuntu Debian box
routing for my home LAN.  The point for me was to replace my little blue
Linksys router, and it's working fine so far.  About all I had to do was
apt-get install ipmasq and dnsmasq.  

There's a feature on the Linksys box, however, that I can't figure out
how to implement, because I don't know how it worked on the Linksys box,
and that is the DMZ function.  When a machine behind the router was
going to serve as a, for example, game server (like Unreal Tournament
2004), the only way I could get it to work was to put that particular IP
on the DMZ, which, I gather, meant that it looked like it was right on
the net, unprotected, unrouted, unmasqed, et cetera.  

Since I'm trying to understand what the Linksys box did and give the new
router box the same abilities, it would help if I knew what the heck
that feature was really called, and/or how to implement that in
iptables. 

Looking through the archives I see a lot of Linksys-related questions;
please forgive yet another one.

david williamson

Re: newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

[Chris Brenton]

On Sat, 2004-11-13 at 19:42, David Williamson wrote:
>
> When a machine behind the router was
> going to serve as a, for example, game server (like Unreal Tournament
> 2004), the only way I could get it to work was to put that particular IP
> on the DMZ, which, I gather, meant that it looked like it was right on
> the net, unprotected, unrouted, unmasqed, et cetera.  
> 
> Since I'm trying to understand what the Linksys box did and give the new
> router box the same abilities, it would help if I knew what the heck
> that feature was really called, and/or how to implement that in
> iptables. 

Check out the docs located here:
http://www.netfilter.org/documentation/index.html#documentation-howto

and do some reading on SNAT (rewrites source IP address) and DNAT
(rewrites destination IP address). This will mimic the feature you
describe above.

HTH,
Chris

Question; what is this netfilter logfile entry ?

[Bo Jacobsen]

Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]

It looks like ICMP with an embedded DNS call  ?.
What is it exactly, and how would a rule to allow this look like ?

Thanks in advance

Bo

Re: Question; what is this netfilter logfile entry ?

[Marc Haber]

On Sun, Nov 14, 2004 at 03:18:46AM +0100, Bo Jacobsen wrote:
> Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
> 
> It looks like ICMP with an embedded DNS call  ?.
> What is it exactly, and how would a rule to allow this look like ?

That's a "destination unreachable" triggered by the DNS call (probably
an answer packet) mentioned there.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Re: Question; what is this netfilter logfile entry ?

[Chris Brenton]

On Sat, 2004-11-13 at 21:18, Bo Jacobsen wrote:
>
> Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
> 
> It looks like ICMP with an embedded DNS call  ?.

It's an ICMP port unreachable. Looks like 198.41.0.4 tried to send a
reply to one of your DNS queries, took too long to respond, and by the
time they did the port was closed. What's kind of interesting is that it
was a full size answer so I'm guessing the truncation bit was set. This
means that if this packet had been returned in time your system would
have had to switch to TCP to get a full answer.

The UDP info is embedded in the payload so the remote system knows which
port was unreachable. This is in case multiple session were running at
the same time. Perfectly normal for an ICMP error packet.

> What is it exactly, and how would a rule to allow this look like ?

This would be permitted if you are letting "RELATED" traffic through.
This ensures that only legit ICMP errors are passed. While you could
define an accept rule for the ICMP type code, this would let all
matching traffic through opening up the possibilities of a covert
communication channel. 

HTH,
Chris

Re: newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

[Tobias DiPasquale]

On Sat, 13 Nov 2004 19:42:35 -0500, David Williamson
<nospam1@nullcutter.com> wrote:
> There's a feature on the Linksys box, however, that I can't figure out
> how to implement, because I don't know how it worked on the Linksys box,
> and that is the DMZ function.  When a machine behind the router was
> going to serve as a, for example, game server (like Unreal Tournament
> 2004), the only way I could get it to work was to put that particular IP
> on the DMZ, which, I gather, meant that it looked like it was right on
> the net, unprotected, unrouted, unmasqed, et cetera.

If:

INTINT=<the interface from which packets from the outside come into
your local network>, and you want to DMZ 192.168.1.100...

Then:

# iptables -A FORWARD -o $INTINT -d 192.168.1.100 -j ACCEPT

That's all. Just accepting everything destined for the DMZ is good
enough to make it the DMZ. Repeat as necessary.

-- 
[ Tobias DiPasquale ]
0x636f6465736c696e67657240676d61696c2e636f6d

Re: newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

[Jason Opperisano]

David Williamson wrote:
> I'm brand new at this but have managed to get my Ubuntu Debian box
> routing for my home LAN.  The point for me was to replace my little blue
> Linksys router, and it's working fine so far.  About all I had to do was
> apt-get install ipmasq and dnsmasq.  
> 
> There's a feature on the Linksys box, however, that I can't figure out
> how to implement, because I don't know how it worked on the Linksys box,
> and that is the DMZ function.  When a machine behind the router was
> going to serve as a, for example, game server (like Unreal Tournament
> 2004), the only way I could get it to work was to put that particular IP
> on the DMZ, which, I gather, meant that it looked like it was right on
> the net, unprotected, unrouted, unmasqed, et cetera.  
> 
> Since I'm trying to understand what the Linksys box did and give the new
> router box the same abilities, it would help if I knew what the heck
> that feature was really called, and/or how to implement that in
> iptables. 

NOTE:  what you are about to read is a terrible, awful, ridiculous, 
horrendous idea and i condone absolutely no part of it.

what your linksys "DMZ" function performs is something along the lines of:

   iptables -t nat -A PREROUTING -i $EXTERNAL_IF -d $EXTERNAL_IP \
     -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -A FORWARD -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP -j ACCEPT

<rant>
using the "DMZ" function of the linksys or doing the above with 
netfilter is the ultimate act of laziness that does nothing but 
contribute to the never-ending security problems on the Internet.  if 
you desire to "step up" to a real firewall system, i would plead with 
you to do a little bit of homework and try to figure out what ports 
actually need to opened for the application in question to work.

searching the web for "unreal tournament firewall ports" turns up tons 
of information on how to do this.  you'd get much better responses on 
this list to a question like, "i found this list of ports i need to open 
for unreal tournament, but i'm not really sure how to write the rules" 
than "how do i setup a firewall to do absolutely no firewalling?"
</rant>

the answer to the question i wish you had asked (ports list taken from: 
  http://www.portforward.com/cports.htm):

   iptables -t nat -A PREROUTING -p udp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 7777:7778 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -t nat -A PREROUTING -p udp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 7787 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL_IF -d $EXTERNAL_IP \
     --dport 28902 -j DNAT --to-destination $DMZ_PC_PRIV_IP

   iptables -A FORWARD -p udp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 7777:7778 -j ACCEPT

   iptables -A FORWARD -p udp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 7787 -j ACCEPT

   iptables -A FORWARD -p tcp -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP \
     --dport 28902 -j ACCEPT

-j

--
Jason Opperisano <opie@817west.com>

Re: Question; what is this netfilter logfile entry ?

[Jason Opperisano]

Bo Jacobsen wrote:
> Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
> 
> It looks like ICMP with an embedded DNS call  ?.
> What is it exactly, and how would a rule to allow this look like ?

ICMP Type 3 Code 3:  Destination Unreachable, Port Unreachable

your gateway is telling 198.41.0.4 that it's packet with a src port of 
53 destined for 192.168.1.2:51981 was unreachable (i.e. host not 
listening on that port).

refer to:  http://www.iana.org/assignments/icmp-parameters

for the official list.

most of the time, these packets will fall under "-m state --state 
RELATED" however, from a "good Internet citizen" point of view, it's not 
a bad idea to allow ICMP errors codes to/from your gateway (PMTU 
discovery comes to mind).

   # unreachables
   iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
   iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT

   # time exceeded
   iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
   iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT

   # parameter problem
   iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
   iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT

-j

--
Jason Opperisano <opie@817west.com>

Re: newbie question - what is the iptables equivalent of a Linksys "DMZ" ?

[David Williamson]

On Sun, 2004-11-14 at 11:44 -0500, Jason Opperisano wrote:

> NOTE:  what you are about to read is a terrible, awful, ridiculous, 
> horrendous idea and i condone absolutely no part of it.
> 
> what your linksys "DMZ" function performs is something along the lines of:
> 
>    iptables -t nat -A PREROUTING -i $EXTERNAL_IF -d $EXTERNAL_IP \
>      -j DNAT --to-destination $DMZ_PC_PRIV_IP
> 
>    iptables -A FORWARD -i $EXTERNAL_IF -d $DMZ_PC_PRIV_IP -j ACCEPT

Thanks very much, that's what I was looking for.  I barely understand
NAT/DNAT/SNAT yet but from reading, I assumed it had to be doing
something with DNAT so that it was just wide-open.  Obviously this isn't
"safe" ;)  

The main advantage to this rule, for me, is giving me something to fall
back on for testing purposes.  If something isn't working from that
client box, and I can put it naked on the net with this rule and things
suddenly DO work, then I know I have a routing/firewall problem, not
some other problem.

> using the "DMZ" function of the linksys or doing the above with 
> netfilter is the ultimate act of laziness that does nothing but 
> contribute to the never-ending security problems on the Internet.  if 
> you desire to "step up" to a real firewall system, i would plead with 
> you to do a little bit of homework and try to figure out what ports 
> actually need to opened for the application in question to work.

I agree with you, I didn't make myself very clear.  If I were going to
try to replace the Linksys box feature-for-feature, just for s&g's, I
need to understand what it's doing, and the DMZ is a feature I used
while gaming.  Since my original post, though, I've found that DNAT is
the answer, and as soon as my gaming buddy across town gets back home
I'll test it and see if it works.

> searching the web for "unreal tournament firewall ports" turns up tons 
> of information on how to do this.  you'd get much better responses on 
> this list to a question like, "i found this list of ports i need to open 
> for unreal tournament, but i'm not really sure how to write the rules" 
> than "how do i setup a firewall to do absolutely no firewalling?"

That's not my intent, really... I just wanted to know what the so-called
DMZ was and how to replicate it in iptables.  

What I did was this (after much googling):

iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 7777
-j DNAT --to-destination 192.168.0.101:7777
iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 7778
-j DNAT --to-destination 192.168.0.101:7778
iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 7787
-j DNAT --to-destination 192.168.0.101:7787
iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 7788
-j DNAT --to-destination 192.168.0.101:7788
iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 28900
-j DNAT --to-destination 192.168.0.101:28900
iptables -t nat -I PREROUTING -p udp -d <my external IP> --dport 28902
-j DNAT --to-destination 192.168.0.101:28902

> the answer to the question i wish you had asked (ports list taken from: 
>   http://www.portforward.com/cports.htm):

<snip>

First, thanks for the VERY handy link.  Second, looks like I got about
half of it right - I had the PREROUTING steps but none of the FORWARD
steps.

I understand your frustration, thinking I was gonna have a wide-open box
<g> and I'm embarrassed that I was taken as that sort of silly newbie;
it's my fault for not posing the question better.

Thanks for taking the time to answer, I appreciate it.  I'm only up to
chapter four of Tony Mancill's Linux Routers book - maybe by the time
I'm done I'll have a bigger clue.

david williamson

Re: Question; what is this netfilter logfile entry ?

[Bo Jacobsen]

> >
> > Nov 14 02:24:48 WF1-HOME kernel: DENY-OUT:.IN= OUT=eth0 SRC=192.168.1.2 DST=198.41.0.4 LEN=560 TOS=0x00 PREC=0xC0 TTL=64 ID=3123 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.41.0.4 DST=192.168.1.2 LEN=532 TOS=0x00 PREC=0x00 TTL=49 ID=41159 PROTO=UDP SPT=53 DPT=51981 LEN=512 ]
> > 
> > It looks like ICMP with an embedded DNS call  ?.
> 
> It's an ICMP port unreachable. Looks like 198.41.0.4 tried to send a
> reply to one of your DNS queries, took too long to respond, and by the
> time they did the port was closed. What's kind of interesting is that it
> was a full size answer so I'm guessing the truncation bit was set. This
> means that if this packet had been returned in time your system would
> have had to switch to TCP to get a full answer.
> 
> The UDP info is embedded in the payload so the remote system knows which
> port was unreachable. This is in case multiple session were running at
> the same time. Perfectly normal for an ICMP error packet.
> 
> > What is it exactly, and how would a rule to allow this look like ?
> 
> This would be permitted if you are letting "RELATED" traffic through.
> This ensures that only legit ICMP errors are passed. While you could
> define an accept rule for the ICMP type code, this would let all
> matching traffic through opening up the possibilities of a covert
> communication channel. 
> 
It has something to do with PSD. When it's "enabled" the problem arises 
trigered by  prior PSD denials to DNS traffic comming from unknown external
ip's. With no iptables PSD statements it never happens.

On our inside we have djbdns acting as an internal forwarding DNS server. 
When PSD closes trafffic of like this, this type of "traffic" is taking up all 
internet bandwith, and filling up the syslog message log. If djbdns is
killed / restarted the traffic stops, and everything works again. If just left 
alone, after a minute or two, everything goes back to normal.
Maybe djbdns starts spewing out DNS requests, and is denied the reply
because a trigered PSD will not allow any DNS response back in.

Strangely enough, we have only seen this problem when 
accessing the www.space.com

We currently run iptables 1.2.8 on a 2.4.21 kernel. We have not yet tested it with 
a 2.6 kernel.


Bo