[Courses] [Security] Firewalls: Ipchains syntax and implementation

Hamster hamster at hamsternet.org
Sun Apr 7 23:20:09 EST 2002


Hello!

I'd like to try to formulate an answer to the firewall/network design question.
I must however admit that I know zilch about ipchains, as I have been busy the last few days reading all the iptables doco :)
So rather than fry my brain with both tables and chains and end up getting totally confused, I'll try the initial implementation and not start writing rules until the (future) iptables lesson.

So here goes.

I started by drawing a diagram of the current layout. Now this is the funny thing. As soon as I'd drawn it, I recognised it instantly as being a DMZ drawing, even though my understanding of DMZ is only basic.

So to sum up my waffle in some ascii art :)

{internet}--[FW1]--{DMZ}--[FW2]--{client computers}

The DMZ will contain the FTP, Web/Mail, DNS servers.
I have left off the file server from this list, and that will be the basis of my first question to the company about their network. I believe though that the fileserver could be put on the internal network - remote access to it (should the need arise) could be given by a VPN solution. A change in IP address shouldn't be a problem here as the box is probably being found via WINS. That would be the basis for question two :) But as long as the name stays the same there should be little interruption in connectivity if my assumption is correct.

I would recommend that the internal network be put on DHCP (if it isn't already).
For the Linux users to be able to ssh to their boxes remotely, I would set up MAC-address-based client reservations on the DHCP server. I would then set up port forwarding on FW1 so that the ssh session can get passed through to the Linux boxes.
i.e.
say your private Linux box has the address 10.1.1.1. On FW1 I would set it up so that if you wanted to get to 10.1.1.1 you would ssh to port 10111 on FW1 (to pick any port number) and that FW1 would have forwarding and a routing table set up to pass traffic from port 10111 to the internal box 10.1.1.1. A private box on 10.1.1.2 would ssh to FW1:10112 and have that traffic forwarded on to 10.1.1.1 and so on.

But as I said I am not too clear on the DMZ part, and quite fuzzy on the different roles the two FWs play.

The other questions I would like to ask about the setup are concerning the rules for the firewalls, ie are employees allowed to irc, icq, etc etc.

Sorry that I've probably been a bit vague here, but I'm still learning :)

So if I've forgotten something, maybe a little prodding is in order to get me to think about it :)

Thanks for going over this!

Hamster
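The per-host SSH port forwarding sketched in the post (external port 10111 on FW1 for 10.1.1.1, 10112 for 10.1.1.2, and so on), written out as an added example; this is not code from the original post or from the course. It uses iptables rather than ipchains, since the poster defers ipchains, and assumes a hypothetical FW1 whose external interface is eth0, an internal network of 10.1.1.0/24, and the convention that host 10.1.1.N is reached on port 10110+N. By default it only prints the commands it would run; set APPLY=1 to execute them. Note that in the two-firewall layout FW2 would also have to permit the forwarded SSH traffic for the connection to reach the internal box.

```shell
#!/bin/sh
# Added example (not from the original post): generate the FW1 port-forwarding
# rules for remote ssh access using the iptables nat table.
# Hypothetical assumptions: external interface eth0, internal network
# 10.1.1.0/24, and port 10110+N maps to host 10.1.1.N (.1 -> 10111, .2 -> 10112).

EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-10.1.1.0/24}"
PORT_BASE=10110
APPLY="${APPLY:-0}"   # 0 = print the commands, 1 = run them

# port_for_host 10.1.1.2 -> 10112 (last octet added to PORT_BASE)
port_for_host() {
    last_octet="${1##*.}"
    echo $((PORT_BASE + last_octet))
}

# Print or execute one iptables command, depending on APPLY.
emit() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# ssh_forward_rules HOST... : for each internal host, DNAT its external port on
# FW1 to HOST:22 and allow the forwarded connection through the FORWARD chain.
# One extra rule lets the replies from the internal network back out.
ssh_forward_rules() {
    for host in "$@"; do
        port=$(port_for_host "$host")
        emit iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$host:22"
        # FORWARD sees the post-DNAT destination, so match on HOST:22 here.
        emit iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$host" --dport 22 \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    emit iptables -A FORWARD -o "$EXT_IF" -s "$INTERNAL_NET" -p tcp --sport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run for the two hosts mentioned in the post.
[ "$APPLY" = "1" ] || ssh_forward_rules 10.1.1.1 10.1.1.2
```

Only the ports listed are exposed; every other inbound connection to FW1 is left to the default policy, which is the point of per-host reservations plus explicit DNAT rules rather than a blanket forward.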