* Firewall help
From: DeWet van Rooyen @ 2002-12-11 19:49 UTC
To: netfilter
I installed a machine with Redhat 8 and am trying to set up an iptables
firewall with 2 internal segments (DMZ and internal network).
My machine has 3 network cards.
Is this possible?
I can seem to get all the segments to see each other. Can you give me an
idea on how to do this? Is it just a question of routes / NAT and ARP
entries?
DMZ - 192.168.1.0 / 255.255.255.0
Internal network - 192.168.2.0 / 255.255.255.0
For the external interface, I have 64 IP addresses - 255.255.255.192
* Re: Firewall help
From: Marcello Scacchetti @ 2002-12-11 20:01 UTC
To: netfilter
Hi,
Make sure you have enabled IP forwarding in
/proc/sys/net/ipv4/ip_forward; if this file contains 0, do:
echo "1" > /proc/sys/net/ipv4/ip_forward
This should solve the problem between the internal network and the DMZ. For the
external network you probably need NAT or masquerading. This is because each
machine on the DMZ and the internal network should have its default gateway set
to a firewall interface; for the DMZ the gateway could be 192.168.1.1 and for
the internal network it could be 192.168.2.1. Each of these addresses should be
configured on a firewall interface, for example eth0 and eth1. To be able to
talk with public services you must use NAT, or set on all public servers
something like:
route add -net 192.168.1.0 netmask 255.255.255.0 gw xxx.xxx.xxx.xxx
and
route add -net 192.168.2.0 netmask 255.255.255.0 gw xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your firewall's external interface IP address (in
my example the eth2 interface address).
This of course could lead to many security risks, so I can't suggest
this to you, really. Better would be to masquerade packets coming
from your DMZ and internal network going to external networks. This
could be done on the firewall using something like:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
where eth2 is your external firewall interface.
Hope to have solved your problem,
Marcello
On Wed, 2002-12-11 at 20:49, DeWet van Rooyen wrote:
> I installed a machine with Redhat 8 and am trying to set up an iptables
> firewall with 2 internal segments (DMZ and internal network).
> My machine has 3 network cards.
>
> Is this possible ?
>
> I can seem to get all the segments to see each other. Can you give me an
> idea on how to do this. Is it just a question of routes / Nat and Arp
> entries ?
>
> DMZ - 192.168.1.0 / 255.255.255.0
> Internal Network / 192.168.2.0 / 255.255.255.0
> For the external interface, I have 64 ip addresses - 255.255.255.192
--
Marcello Scacchetti <marcello.scacchetti@nextrem.it>
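As an added example (not code from the thread), the check and the masquerade rule from the reply above, carried through to a three-interface FORWARD rule set with a DROP policy. Interface naming follows the reply: eth0 = DMZ (192.168.1.0/24), eth1 = internal LAN (192.168.2.0/24), eth2 = external; the IPTABLES variable, the dry-run helper and a DMZ web server on tcp/80 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface naming follows
# Marcello's reply: eth0 = DMZ (192.168.1.0/24), eth1 = internal LAN
# (192.168.2.0/24), eth2 = external. IPTABLES names the binary; a web
# server in the DMZ on tcp/80 is an assumed service.
IPTABLES=${IPTABLES:-iptables}
DMZ_IF=eth0; DMZ_NET=192.168.1.0/24
INT_IF=eth1; INT_NET=192.168.2.0/24
EXT_IF=eth2

# Marcello's first check: is the kernel forwarding at all? Returns 0 if
# the file (default /proc/sys/net/ipv4/ip_forward) contains 1.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# FORWARD policy DROP, so only the listed paths between the three segments
# are allowed; replies to allowed connections come back via conntrack.
three_interface_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # each inside interface may only source addresses from its own subnet
    $IPTABLES -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP
    $IPTABLES -A FORWARD -i "$DMZ_IF" ! -s "$DMZ_NET" -j DROP
    # internal LAN may open connections to the DMZ and to the Internet
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # DMZ may reach the Internet but not open connections into the LAN
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # Internet may reach only the DMZ web server
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # hide both private ranges behind the external address (Marcello's rule)
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Print the rules instead of applying them (runs in a subshell).
dry_run() (
    IPTABLES="echo iptables"
    three_interface_rules
)
```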
* Re: Firewall help
From: Tom Eastep @ 2002-12-11 20:20 UTC
To: netfilter
--On Wednesday, December 11, 2002 09:49:49 PM +0200 DeWet van Rooyen
<dewet@cyberdawn.co.za> wrote:
> I installed a machine with Redhat 8 and am trying to set up an iptables
> firewall with 2 internal segments (DMZ and internal network).
> My machine has 3 network cards.
>
> Is this possible ?
>
> I can seem to get all the segments to see each other. Can you give me an
> idea on how to do this. Is it just a question of routes / Nat and Arp
> entries ?
>
> DMZ - 192.168.1.0 / 255.255.255.0
> Internal Network / 192.168.2.0 / 255.255.255.0
> For the external interface, I have 64 ip addresses - 255.255.255.192
>
If you would be willing to forego using iptables directly, take a look at
http://shorewall.sf.net/three-interface.htm.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
* Re: Firewall help
From: Paul Frieden @ 2002-12-11 22:00 UTC
To: netfilter
I would also recommend looking at my project, PacketFlow Firewall
Generator. You can download it from
http://packetflowfw.sourceforge.net. It generates rules from a simple
XML configuration format. It includes several examples, including
single- and multi-DMZ configs. It should be simple to modify one of
these to your purposes. It doesn't currently generate NAT rules, but
I've found that they are fairly easy to make by hand.
PacketFlow is written in Python and uses libxml2. Both of these should
be included in RH8, so it shouldn't be any trouble. If you have any
questions, you can post them on the site and I'll help if I can.
Paul
Tom Eastep wrote:
>
>
> --On Wednesday, December 11, 2002 09:49:49 PM +0200 DeWet van Rooyen
> <dewet@cyberdawn.co.za> wrote:
>
>> I installed a machine with Redhat 8 and am trying to set up an iptables
>> firewall with 2 internal segments (DMZ and internal network).
>> My machine has 3 network cards.
>>
>> Is this possible ?
>>
>> I can seem to get all the segments to see each other. Can you give
>> me an
>> idea on how to do this. Is it just a question of routes / Nat and Arp
>> entries ?
>>
>> DMZ - 192.168.1.0 / 255.255.255.0
>> Internal Network / 192.168.2.0 / 255.255.255.0
>> For the external interface, I have 64 ip addresses - 255.255.255.192
>>
>
> If you would be willing to forego using iptables directly, take a look
> at http://shorewall.sf.net/three-interface.htm.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.sf.net
> Washington USA \ teastep@shorewall.net
>
>
* RE: Firewall help
From: Louie @ 2002-12-11 21:36 UTC
To: dewet, netfilter
Hello all, I also need help on a firewall. I just installed Red Hat 8 too. I would
like to learn how to set up my Linux box with a firewall that I could edit through
the command line.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of DeWet van Rooyen
Sent: Wednesday, December 11, 2002 11:50 AM
To: netfilter@lists.netfilter.org
Subject: Firewall help
I installed a machine with Redhat 8 and am trying to set up an iptables
firewall with 2 internal segments (DMZ and internal network).
My machine has 3 network cards.
Is this possible?
I can seem to get all the segments to see each other. Can you give me an
idea on how to do this? Is it just a question of routes / NAT and ARP
entries?
DMZ - 192.168.1.0 / 255.255.255.0
Internal network - 192.168.2.0 / 255.255.255.0
For the external interface, I have 64 IP addresses - 255.255.255.192
* firewall help..
From: Gilmore, Eric @ 2004-03-02 16:05 UTC
To: netfilter; +Cc: suse-security, suse-security-announce
Can anyone give me a clue? The basics are:
1 machine: SuSE 8.2
3 nics
2 internal networks (examples):
$INTLAN1:> 192.0.0.2 $INTLAN2:> 192.0.5.2
3 good ip's (examples):
eth0> 128.0.0.1 eth0:1> 128.0.0.2 eth0:2> 128.0.0.3
2 spoofed ip's:
$INTIF1> 192.0.5.2 $INTIF2> 192.0.48.3
works:
-connecting from the internet/external LAN to all machines via (ssh, FTP, HTTP)
not:
-connecting between $INTLAN1 & $INTLAN2
-samba connections from anywhere
-afp (apple) connections from anywhere
-Thanks in advance....
#!/bin/sh
# Firewall script as posted, with comments added, the 1:1 SNAT rules
# corrected and moved ahead of MASQUERADE, and the usage line completed.
PATH="$PATH:/usr/bin/:/usr/sbin"
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIF=eth0
INTIF1=eth1
INTIF2=eth2
case "$1" in
'start')
echo "Clearing any existing rules and setting default policy.."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -t nat -F
# loopback rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# accepts every inbound packet on the external interface unconditionally
# (the ESTABLISHED,RELATED rule above is therefore redundant)
iptables -A INPUT -i $EXTIF -j ACCEPT
echo "Adding Masquerade support for 192.0.0.0 subnet..."
iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
echo "Adding Masquerade support for 192.0.5.0 subnet..."
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
echo "Allowing traffic between internal networks..."
# both directions are accepted outright, so the two ESTABLISHED,RELATED
# rules in this group never add anything
iptables -A FORWARD -i $INTIF1 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
# 1:1 NAT for the two hosts. Inbound: PREROUTING rewrites the public
# address to the internal host. Outbound: POSTROUTING rewrites the host's
# source to its public address. As posted, the SNAT rules matched
# --dst 128.0.0.x in POSTROUTING, where the destination has already been
# rewritten by the PREROUTING DNAT, so they could never match, and they
# were appended after MASQUERADE, which would have taken the packet first.
echo "Associating internal address 192.0.0.2 with external address 128.0.0.2"
iptables -t nat -A PREROUTING -p tcp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
iptables -t nat -A PREROUTING -p udp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
iptables -t nat -A PREROUTING -p icmp --dst 128.0.0.2 -j DNAT --to-destination 192.0.0.2
iptables -t nat -A POSTROUTING -o $EXTIF -s 192.0.0.2 -j SNAT --to-source 128.0.0.2
echo "Associating internal address 192.0.5.2 with external address 128.0.0.3"
iptables -t nat -A PREROUTING -p tcp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
iptables -t nat -A PREROUTING -p udp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
iptables -t nat -A PREROUTING -p icmp --dst 128.0.0.3 -j DNAT --to-destination 192.0.5.2
iptables -t nat -A POSTROUTING -o $EXTIF -s 192.0.5.2 -j SNAT --to-source 128.0.0.3
# everything else leaving $EXTIF is masqueraded behind its primary address
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# add logging
iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -t nat -A PREROUTING -j LOG
#iptables -t nat -A POSTROUTING -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A block -j LOG
;;
'stop')
echo "Flushing iptables firewall..."
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
#iptables -F block
iptables -t nat -F
;;
'restart')
$0 stop
$0 start
;;
*)
echo "$0 {start|stop|restart}"
exit 1
;;
esac
exit 0
* Firewall Help
From: Russ Kreigh @ 2005-10-11 16:42 UTC
To: netfilter
Hello -
When I applied the rules below to my firewall, my clients started
having problems browsing web pages. When I did a tcpdump I could see the
request go to the DNS server, but never saw a reply.
When I commented out the TCP rules, everything worked fine.
Do you think my limits are too low? I would estimate there are around 200
PCs coming through this.
Also, I am unclear whether the rules are applied on a collective basis or per IP
address. I assume it is ALL traffic, not per IP.
$IPTABLES -A INPUT -s X.X.30.0/24 -j ACCEPT # Exclude management subnet from below rules
$IPTABLES -A INPUT -d X.X.30.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s X.X.30.0/24 -j ACCEPT
$IPTABLES -A FORWARD -d X.X.30.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 500/s -j REJECT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 500/s -j REJECT
$IPTABLES -A INPUT -p tcp -m limit --limit 2500/s -j REJECT
$IPTABLES -A FORWARD -p tcp -m limit --limit 2500/s -j REJECT
$IPTABLES -A INPUT -p icmp -m limit --limit 200/s -j REJECT
$IPTABLES -A FORWARD -p icmp -m limit --limit 200/s -j REJECT
Thanks,
Russ Kreigh
Network Engineer
OnlyInternet.Net Broadband & Wireless
Supernova Technologies
Office: (800) 363-0989
Direct: (260) 827-2486
Fax: (260) 824-9624
kreigh@onlyinternet.net
http://www.oibw.net
* RE: Firewall Help
From: Gary W. Smith @ 2005-10-11 16:47 UTC
To: Russ Kreigh, netfilter
It's nice that you are letting traffic out, but don't you want the
related traffic to come back in? If so, you need to allow related
and/or established connections to return.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -s X.X.30.0/24 -j ACCEPT # Exclude management subnet from below rules
> $IPTABLES -A INPUT -d X.X.30.0/24 -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -s X.X.30.0/24 -j ACCEPT
> $IPTABLES -A FORWARD -d X.X.30.0/24 -j ACCEPT
>
> $IPTABLES -A INPUT -p tcp --syn -m limit --limit 500/s -j REJECT
> $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 500/s -j REJECT
>
> $IPTABLES -A INPUT -p tcp -m limit --limit 2500/s -j REJECT
> $IPTABLES -A FORWARD -p tcp -m limit --limit 2500/s -j REJECT
>
> $IPTABLES -A INPUT -p icmp -m limit --limit 200/s -j REJECT
> $IPTABLES -A FORWARD -p icmp -m limit --limit 200/s -j REJECT
>
> Thanks,
>
>
> Russ Kreigh
> Network Engineer
> OnlyInternet.Net Broadband & Wireless
> Supernova Technologies
> Office: (800) 363-0989
> Direct: (260) 827-2486
> Fax: (260) 824-9624
> kreigh@onlyinternet.net
> http://www.oibw.net
>
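As an added example (not code from either message), a rewrite of Russ's limit rules that keeps the budgets he chose but attaches them to ACCEPT, puts the ESTABLISHED,RELATED rule Gary recommends first, and adds a per-source bucket with hashlimit to answer the "collective or per IP" question. IPTABLES, MGMT_NET (standing in for X.X.30.0/24) and the dry-run helper are assumed names.

```shell
#!/bin/sh
# Added example, not code from the thread. IPTABLES names the binary;
# MGMT_NET stands in for the X.X.30.0/24 management subnet in Russ's rules.
IPTABLES=${IPTABLES:-iptables}
MGMT_NET=${MGMT_NET:-192.0.2.0/24}

# Russ's rules attach REJECT to the limit match, so packets *within* the
# 500/s budget are rejected and only the overflow gets through, which is
# why browsing broke. "-m limit" is also a single global token bucket,
# not a per-address one. Here the budget is attached to ACCEPT and the
# overflow is dropped, hashlimit adds a separate per-source bucket, and
# reply traffic is let through first, as Gary suggests.
rate_limit_rules() {
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A "$chain" -s "$MGMT_NET" -j ACCEPT
        $IPTABLES -A "$chain" -d "$MGMT_NET" -j ACCEPT
        # per-source SYN budget: one noisy client is dropped on its own
        $IPTABLES -A "$chain" -p tcp --syn -m hashlimit --hashlimit-name "syn_$chain" \
            --hashlimit-mode srcip --hashlimit-above 20/s --hashlimit-burst 40 -j DROP
        # global SYN budget: accept while tokens remain, drop the excess
        $IPTABLES -A "$chain" -p tcp --syn -m limit --limit 500/s --limit-burst 1000 -j ACCEPT
        $IPTABLES -A "$chain" -p tcp --syn -j DROP
        # ICMP, same pattern (the 2500/s rule on all TCP packets is dropped:
        # rate-limiting established flows packet by packet breaks them)
        $IPTABLES -A "$chain" -p icmp -m limit --limit 200/s --limit-burst 400 -j ACCEPT
        $IPTABLES -A "$chain" -p icmp -j DROP
    done
}

# Print the generated rules without touching the kernel (subshell).
dry_run() (
    IPTABLES="echo iptables"
    rate_limit_rules
)
```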