[Techtalk] Firewall problems (For real!)
James
james at james-web.net
Sat Dec 29 14:42:54 EST 2001
I'm trying to get a public/private/dmz firewall running.
Right now, everything is sort of working, EXCEPT, a workstation in the
private network cannot reach a server in the DMZ via its public IP
address. A private network workstation can however talk to a server in
the DMZ by using the DMZ server's private IP address.
Any ideas? I've been at this for 10 hours... I know it is something
small and simple and stupid. Or huge. Whichever :)
This is the error piped to the logs when I try a pop3 connection, for
example:
Dec 29 08:21:02 firewall1 kernel: IPT INPUT packet died: IN=eth1 OUT= MAC=00:60:b0:67:4d:65:00:20:35:67:26:e3:08:00 SRC=192.168.0.11 DST=24.186.81.114 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=40262 DF PROTO=TCP SPT=2655 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0
Here is a copy of my rc.firewall, in full:
#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x
#
# Author: Oskar Andreasson <blueflux at koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
IPTABLES="/usr/local/sbin/iptables"
INET_IFACE="eth0"
# This clipped from another script:
# I need to get my current IP address: ask pump (DHCP) first, and fall
# back to reading it from the interface if pump knows nothing.
INET_IP=`/sbin/pump --status 2>/dev/null | /bin/grep IP: | /bin/sed -e 's/.*IP: //'`
if [ "${INET_IP}x" = "x" ]; then
INET_IP=`/sbin/ifconfig $INET_IFACE | grep 'inet addr:' | awk '{print $2}' | sed -e 's/addr://'`
fi
# End clippings
# LAN Settings:
LAN_IP="192.168.0.1"
LAN_BCAST_ADDRESS="192.168.0.255"
LAN_IFACE="eth1"
# Internet settings:
# DMZ Settings:
HTTP_IP=$INET_IP
DMZ_HTTP_IP="192.168.1.2"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
LO_IP="127.0.0.1"
LO_IFACE="lo"
###########################################
#
# Out with the old, in with the new. The nat table is flushed as well,
# otherwise re-running this script appends a second copy of every NAT rule.
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
###########################################
#
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
# Commented out because these are all compiled in
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_MASQUERADE
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################
#
# Chain Policies gets set up before any bad packets gets through
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# the allowed chain for TCP connections, utilized in the FORWARD chain
# (note: the last rule accepts any remaining TCP, so as written this chain
# accepts everything handed to it)
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j ACCEPT
#
# ICMP rules, utilized in the FORWARD chain
#
$IPTABLES -N icmp_packets
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
###########################################
# POSTROUTING chain in the nat table
#
# Transparently proxy all web-surfing through Squid box
# TODO
SQUID="192.168.0.2:8080"
SQUIDSSL="192.168.0.2:443"
# For now, masq it all...
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
###########################################
# PREROUTING chain in the nat table
#
# Drop packets arriving from the Internet that claim a private or our own
# source address (spoofing)
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s $INET_IP -j DROP
#
# Enable IP Destination NAT for DMZ zone
# (these match only packets arriving on $INET_IFACE; a packet from the LAN
# addressed to $HTTP_IP is not rewritten here)
#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 53 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 25 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 110 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $HTTP_IP --dport 53 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 22 -j DNAT --to-destination $DMZ_HTTP_IP
###########################################
#
# FORWARD chain
#
# Get rid of bad TCP packets
#
#$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# DMZ section
#
# General rules
# (the third rule accepts everything from the Internet to the DMZ, so the
# per-port DMZ rules further down are never reached)
#
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT
#
# DMZ HTTP/DNS/EMAIL server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 110 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets
#
# LAN section
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# LOG all packets reaching here
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
###########################################################
#
# Firewall rules
# Rules applying to the firewall box
#
#
# INPUT chain
#
#
# Get rid of bad packets
#
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Packets from the Internet to this box
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# Packets from LAN, DMZ or LOCALHOST
#
# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
# From LAN Interface to LAN firewall IP (only the LAN-side address and the
# LAN broadcast; a packet from the LAN to $INET_IP is not matched here)
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADDRESS -j ACCEPT
# From Localhost interface to Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
# All established and related packets incoming from the internet to the
# firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logging rule
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
###########################################################
#
# OUTPUT chain
#
#
# Get rid of bad TCP packets
#
#$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Allow ourself to send packets not spoofed everywhere
#
$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
#
# Logging rule
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
--- End of file ---
Sorry for such a long email. But if anyone has any ideas, it is most
appreciated.
Thanks,
James the Flustered
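The logged packet and the missing rules, worked through as an added example. This is editor-added shell, not part of James's post and not from Oskar Andreasson's script. It assumes the firewall's public address is 24.186.81.114 (the DST in the log line), the interface names and DMZ address from the script, and that the DMZ host routes its replies through the firewall; it only parses the log line and prints the iptables commands, it does not run them.

```shell
#!/bin/sh
# Added example: read a netfilter LOG line, say why the packet landed in
# INPUT, and emit the nat rules that let LAN hosts reach the DMZ server
# through the firewall's public address ("hairpin" DNAT).

INET_IFACE="eth0"
LAN_IFACE="eth1"
DMZ_IFACE="eth2"
INET_IP="24.186.81.114"      # assumed: the DST of the logged packet
DMZ_HTTP_IP="192.168.1.2"    # from the script
IPTABLES="/usr/local/sbin/iptables"

# Log line copied from the post (one line, no wrapping).
LOG_LINE='Dec 29 08:21:02 firewall1 kernel: IPT INPUT packet died: IN=eth1 OUT= MAC=00:60:b0:67:4d:65:00:20:35:67:26:e3:08:00 SRC=192.168.0.11 DST=24.186.81.114 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=40262 DF PROTO=TCP SPT=2655 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0'

# Extract one KEY=VALUE field from a netfilter LOG line on stdin.
# The leading whitespace anchor keeps DPT= from matching SPT=.
ipt_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Print "hairpin:<in>:<dst>:<dport>" (exit 0) when the packet is a LAN host
# talking to the firewall's own public address, else "other:..." (exit 1).
# In that case the destination is local, so after PREROUTING the kernel
# routes the packet to INPUT rather than FORWARD. The script's DNAT rules
# match only -i eth0, so DST is never rewritten to the DMZ host, and INPUT
# accepts LAN traffic only when it is addressed to the LAN-side IP.
classify_packet() {
    in_if=$(printf '%s\n' "$1" | ipt_field IN)
    dst=$(printf '%s\n' "$1" | ipt_field DST)
    dpt=$(printf '%s\n' "$1" | ipt_field DPT)
    if [ "$in_if" = "$LAN_IFACE" ] && [ "$dst" = "$INET_IP" ]; then
        echo "hairpin:$in_if:$dst:$dpt"
        return 0
    fi
    echo "other:$in_if:$dst:$dpt"
    return 1
}

# Print the rules that fix it: rewrite LAN -> public-IP traffic to the DMZ
# host before routing, for the same ports the script already forwards.
# The existing "-A FORWARD -i $LAN_IFACE -j ACCEPT" then lets it through.
# No SNAT is needed: the DMZ host is on a different subnet, so its replies
# go back via the firewall and conntrack reverses the DNAT.
hairpin_rules() {
    for spec in tcp:22 tcp:25 tcp:53 tcp:110 udp:53; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '%s -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$IPTABLES" "$LAN_IFACE" "$INET_IP" "$proto" "$port" "$DMZ_HTTP_IP"
    done
}

classify_packet "$LOG_LINE"
hairpin_rules
```

Run it as-is to see the classification and the five rules; paste the rules into the PREROUTING section of rc.firewall, ahead of the existing DNAT rules, to apply them. A quick check after loading: `iptables -t nat -L PREROUTING -n -v` should show the eth1 DNAT counters climbing when a LAN host connects to port 110 on the public address, and the "IPT INPUT packet died" line should stop appearing for that traffic.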