[Techtalk] iptables, dmz, public addys

John Clarke johnc+linuxchix at kirriwa.net
Tue Mar 14 22:36:43 EST 2006


On Mon, Mar 13, 2006 at 01:03:16 -0800, Carla Schroder wrote:

Hi Carla,

> wan 1.2.3.4
> lan 192.168.1.1
> dmz 192.168.2.1
> 
> On the dmz are a few public servers, the usual web, mail, ftp, wotever. These 
> have public routable IPs. To correctly route incoming traffic to them, do I 
> need only FORWARD rules? Like this:
> 
> $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 1.2.3.44 --dport 80 -j 
> ACCEPT

To get packets from the outside to the dmz you only need FORWARD rules.  This
is different from ipchains which required input, forward and output rules.

INPUT handles packets incoming to the firewall itself.  OUTPUT handles packets
originating from the firewall itself.  FORWARD handles all traffic passing
through the firewall.  The NAT chains PREROUTING and POSTROUTING are applied
to *all* packets.  As the names imply, PREROUTING rules are applied before
the routing decision is made (and hence can change an INPUT packet into a
FORWARD packet or a FORWARD to an INPUT), and POSTROUTING after the routing 
decision is made.  DNAT and REDIRECT are done in the PREROUTING chain, SNAT
and MASQUERADE in the POSTROUTING chain.

In your example you've said the dmz uses an RFC 1918 address range, so you will
also need to DNAT the incoming packets.  For example, if your web server at 
1.2.3.44 is actually 192.168.2.44 on the dmz subnet, then these rules should do
the trick:

    # Rewrite the public address to the server's dmz address before routing.
    $ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE -d 1.2.3.44 \
         --dport 80 -m state --state NEW -j DNAT --to-destination 192.168.2.44
    # POSTROUTING cannot match the input interface (-i is rejected there), so
    # match the outgoing wan interface with -o instead.
    $ipt -t nat -A POSTROUTING -p tcp -o $WAN_IFACE -s 192.168.2.44 \
         -m state --state NEW -j SNAT --to-source 1.2.3.44

The first rule DNATs incoming connections to the web server (you might want
to add further rules to handle traceroute, ping, etc.).  The second rule SNATs
outgoing connections from the web server, i.e., those originated by the web
server.

I always use state matching, and put a rule accepting RELATED and ESTABLISHED
packets at the start of each chain.  Most packets are then handled by the
first rule in each chain, and I don't need to have explicit rules for packets
in each direction.  Without it, you need at least two more rules to NAT the
returning packets, plus some to handle icmp, and similar rules in the FORWARD
chain.  It gets messy in a hurry.  State matching reduces the size of the
ruleset considerably.

State matching also handles ftp with only one firewall rule needed to match the
start of the connection, which has to be a good thing :-)

> I don't want any DNAT or SNAT on the server IPs, I want to use their real IPs. 
> I want to forward only traffic that belongs to the servers, and drop all the 
> other junk at the gateway.

If you configure your dmz to use the public addresses, then you won't need
to NAT anything, but if you're using private addresses then you will need to
NAT the incoming and outgoing traffic.


Cheers,

John
-- 
You can't fool me:  you're actually Eric Allman.  Be a good chap and
make sendmail.cf editable by humans, thanks so much.
            -- David P. Murphy
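A complete ruleset for the wan/lan/dmz gateway discussed in the message above, as an added example that is not part of the original post: the RELATED,ESTABLISHED rule sits first in each chain, DNAT/SNAT follow the chain order John describes, and the rules are printed for review rather than executed (pipe the output to sh to apply). Interface names, the lan subnet, the DROP policies and the anti-spoofing rules are assumptions; the addresses come from the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Run as-is to print the rules;
# apply with:  emit_dmz_rules | sh
WAN_IFACE=eth0 DMZ_IFACE=eth1 LAN_IFACE=eth2   # assumed interface names
WEB_PUBLIC=1.2.3.44      # address the outside world connects to
WEB_DMZ=192.168.2.44     # the server's real address on the dmz
LAN_NET=192.168.1.0/24   # assumed from the lan address 192.168.1.1

r() { echo "iptables $*"; }   # print one rule instead of executing it

emit_dmz_rules() {
    r -F; r -t nat -F
    # Default deny for traffic to and through the firewall (assumed policy).
    r -P INPUT DROP; r -P FORWARD DROP; r -P OUTPUT ACCEPT
    # Stateful rule first in each chain: replies and related packets (ftp data,
    # icmp errors) are accepted here, so each service below needs one rule.
    r -A INPUT   -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    r -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    r -A INPUT -i lo -j ACCEPT
    # Packets arriving on the wan with a private source address are junk.
    r -A FORWARD -i "$WAN_IFACE" -s 10.0.0.0/8 -j DROP
    r -A FORWARD -i "$WAN_IFACE" -s 172.16.0.0/12 -j DROP
    r -A FORWARD -i "$WAN_IFACE" -s 192.168.0.0/16 -j DROP
    # DNAT runs in PREROUTING, before the routing decision and before FORWARD,
    # so the FORWARD rule must match the translated dmz address, not 1.2.3.44.
    r -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp -d "$WEB_PUBLIC" --dport 80 \
        -j DNAT --to-destination "$WEB_DMZ"
    r -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp -d "$WEB_DMZ" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Connections the web server opens itself leave with its public address.
    # iptables rejects -i in POSTROUTING; match the outgoing interface with -o.
    r -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -s "$WEB_DMZ" -j ACCEPT
    r -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$WEB_DMZ" -j SNAT --to-source "$WEB_PUBLIC"
    # The lan reaches the wan masqueraded behind the gateway's own wan address.
    r -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" -j ACCEPT
    r -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE
}

emit_dmz_rules
```

If the dmz servers carry their public addresses directly, as Carla wanted, drop the two nat-table rules for the web server and match `$WEB_PUBLIC` in the FORWARD rules instead.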

