[techtalk] Firewalls and internal machines
James
ranger at optonline.net
Sun Jun 3 07:10:09 EST 2001
On the advice of a friend (*cough* you know who you are) and the idea that I like to try new things (and was insanely bored), I decided to try this.
Previously I had my network router (Debian 2.2 w/ stock kernel, ipchains masqing for several computers) and I also ran www, smtp, pop3, dns, mysql, ftp and ssh on the router.
On their advice, I decided to move the services of smtp and pop3 behind my firewall using "ipmasqadm portfw".
However, now smtp and pop3 are unreachable if you try going to them via the internet address (Yes, the services are running on the internal machine, which is IP 192.168.0.2)
Here is my firewall file (at least the rules parts, I skipped the modprobe stuff for the different modules):
# Begin
ipchains -F # flush ipchains
ipmasqadm portfw -f # flush ipmasqadm portfwing
# Set policies
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
ipchains -A input -p all -i lo -j ACCEPT # Accept all connections from localhost
ipchains -A input -p all -i eth1 -j ACCEPT # Accept all connections from internal NIC
# Forward all connections going to 25/110 on external interface of router to internal IP of 192.168.0.2
ipmasqadm portfw -a -P tcp -L 24.186.86.160 25 -R 192.168.0.2 25
ipmasqadm portfw -a -P tcp -L 24.186.86.160 110 -R 192.168.0.2 110
ipchains -A input -p all -i eth0 -s 10.0.0.0/8 -j DENY # Refuse connections from priv ips
ipchains -A input -p all -i eth0 -s 172.16.0.0/12 -j DENY # Refuse connections from priv ips
ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -j DENY # Refuse connections from priv ips
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT # Allow return packets
# Allow specific ICMP stuff
ipchains -A input -i eth0 -p icmp --dport 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 11 -j ACCEPT
# Rules:
ipchains -A input -p udp -j ACCEPT -s 167.206.112.3 53 # Allow DNS from ISP's #1 DNS server
ipchains -A input -p udp -j ACCEPT -s 167.206.112.4 53 # Allow DNS from ISP's #2 DNS server
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j ACCEPT # Allow connections to web server
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j ACCEPT # Allow connections to ftp
ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 3336 -j REJECT # REJECT connections to MySQL from outside
ipchains -A input -j DENY -l # DENY everything else
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ # Masquerade
#EOF
I did "#ipmasqadm portfw -l -n" and got this:
prot  localaddr       rediraddr      lport  rport  pcnt  pref
TCP   24.186.86.160   192.168.0.2    110    110    3     10
TCP   24.186.86.160   192.168.0.2    25     25     10    10
And nmap -sT shows this:
Starting nmap V. 2.12 by Fyodor (fyodor at dhp.com, www.insecure.org/nmap/)
Host ool-18ba56a0.dyn.optonline.net (24.186.86.160) appears to be up ... good.
Initiating TCP connect() scan against ool-18ba56a0.dyn.optonline.net (24.186.86.160)
Adding TCP port 21 (state Open).
Adding TCP port 80 (state Open).
The TCP connect scan took 66 seconds to scan 1511 ports.
Interesting ports on ool-18ba56a0.dyn.optonline.net (24.186.86.160):
(Not showing ports in state: filtered)
Port State Protocol Service
21 open tcp ftp
80 open tcp http
Is there a way to force it to show filtered?
Now, I just checked: the router can reach the server (telnet 192.168.0.2 110).
The error I am getting from MS Outlook Express is:
"The connection to the server has failed. Account: 'mail.kathweb.net', Server: 'www.kathweb.net', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E"
I also tried telnetting to www.kathweb.net on port 110 from internal (on my private network) and external (on some machines I administer remotely) and neither worked.
You guys/gals have any ideas?
James
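Added example, not part of the original post: a small Python evaluator for the handful of ipchains options the posted script uses, walking a packet through the input chain in rule order so you can see which rule it hits. It assumes, as the 2.2 masquerading documentation describes, that the input chain sees an inbound packet with the router's own public address as destination, before any portfw rewrite; the source address 203.0.113.5 and the packet fields are constructed.

```python
import ipaddress
import shlex

# Constructed copy of the posted input-chain rules, in the posted order
# (comments, the ICMP/ftp lines and the second DNS line dropped for brevity).
RULES = """
ipchains -A input -p all -i lo -j ACCEPT
ipchains -A input -p all -i eth1 -j ACCEPT
ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -j DENY
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
ipchains -A input -p udp -j ACCEPT -s 167.206.112.3 53
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j ACCEPT
ipchains -A input -j DENY -l
"""
ONE_ARG = {"-p": "proto", "-i": "iface", "-j": "target", "--dport": "dport"}

def parse(line):
    """Turn one 'ipchains -A input ...' line into a dict of match fields."""
    toks = [t for t in shlex.split(line)[3:] if t != "-l"]  # drop prefix, log flag
    rule = dict(proto="all", iface=None, src=None, sport=None,
                dst=None, dport=None, syn=None, target=None)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!" and toks[i + 1] == "-y":        # match only non-SYN packets
            rule["syn"], i = False, i + 2
        elif t in ("-s", "-d"):                     # address[/mask] [port]
            key = "src" if t == "-s" else "dst"
            rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
            if i < len(toks) and toks[i].isdigit():  # optional trailing port
                rule["sport" if t == "-s" else "dport"], i = int(toks[i]), i + 1
        else:                                       # -p, -i, -j, --dport
            rule[ONE_ARG[t]] = int(toks[i + 1]) if t == "--dport" else toks[i + 1]
            i += 2
    return rule

def matches(rule, pkt):
    # True when every field the rule constrains agrees with the packet.
    ok = rule["proto"] in ("all", pkt["proto"]) and rule["iface"] in (None, pkt["iface"])
    for side in ("src", "dst"):
        ok = ok and (not rule[side] or ipaddress.ip_address(pkt[side]) in rule[side])
    for field in ("sport", "dport", "syn"):
        ok = ok and rule[field] in (None, pkt[field])
    return ok

def verdict(pkt, rules=RULES, policy="DENY"):
    # Target and text of the first matching input rule, else the chain policy.
    for line in rules.strip().splitlines():
        rule = parse(line)
        if matches(rule, pkt):
            return rule["target"], line
    return policy, "(chain policy)"
```

A fresh SYN to port 25 or 110 on eth0 falls through every ACCEPT (the `! -y` rule only passes non-SYN packets) and lands on the logged catch-all DENY, which is also why nmap reports those ports as filtered rather than open.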