firewall script

tyut
Occasional Visitor

firewall script

Currently I have a firewall which serves only a DMZ. Eth0 is connected to the internet and eth1 to the DMZ (10.0.0.0/24). My first question: is this script correct? My second question: I want to add a second net card (eth2) which will serve masqueraded clients on the 10.0.1.0/24 network. Can someone show me the way? Thanks!!
10 REPLIES
benoit Bruckert
Honored Contributor

Re: firewall script

Hi,
I'm not sure, but I think you have to NAT also the output of your inet services....
I.e.:
iptables -A POSTROUTING -t nat -p tcp -s 10.0.0.141 --source-port 80 -j SNAT --to-source 204.91.104.141:80
This is for http, idem for the other services....

With the other card (eth2),
iptables -A FORWARD --in-interface eth2 -j ACCEPT
should be enough...
I noticed that you stop ICMP packets, which is a security option, but you don't control the proper TCP packets, which is better..
i.e.:
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
bad_tcp_packets is a new chain you have to define....
and apply this chain on your INPUT, OUTPUT chains (first rule).
ex:
iptables -A INPUT -p tcp -j bad_tcp_packets


and the best way is to try !!! + tcpdump to diagnose...

hth
Benoit
A badly thought-out application ends up as a gasworks (GHG)
tyut
Occasional Visitor

Re: firewall script

I will try what you said.. one more question.

this is what i have for each ip/port that i will be using:
***********
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25

iptables -A FORWARD -p tcp -d 204.91.104.94 --dport 25 -o eth1 -j ACCEPT
***********
Is the FORWARD rule even applicable? From what I have read, the FORWARD rules are implemented after the PREROUTING rules. So by the time the packet gets to FORWARD, the packet doesn't read 204.91.104.94... it reads 10.0.0.94:25. So can I just get rid of the FORWARD rule altogether and keep only the PREROUTING rule?
***********
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25
***********
benoit Bruckert
Honored Contributor

Re: firewall script

Well, you are right, but you need to keep the FORWARD rule, but with the 10.0.0... route (eth1 is connected to the 10.0.0. network..)
This means the FORWARD rule looks like:
iptables -A FORWARD -p tcp -d 10.0.0.94 --dport 25 -o eth1 -j ACCEPT
because the default policy is DROP for the FORWARD chain....
But the best way is to experiment !!!!

hth
Benoit
Love, love, when you hold us, we may well say: "Farewell, prudence!" Jean De La Fontaine
Steven E. Protter
Exalted Contributor

Re: firewall script

Once you are done you should save your settings to the file /etc/sysconfig/iptables so they work at boot.

I am providing you mine as a reference.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
tyut_1
Occasional Visitor

Re: firewall script

thank you
so far the script is working with only:
*****
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25
*****
I don't need the forward...
How will packets from the internal net (eth2) reach the DMZ? Will the router automatically do this?

Example: I am in the internal net and want to go to a web server on my DMZ (204.91.104.5). What are the steps the packet will go through based on the script I have attached?

***
into eth2 then out eth0 then back into eth0 then to eth1?
***
or
***
into eth2 forwarded to eth1
***
benoit Bruckert
Honored Contributor

Re: firewall script

Hi,
Your packets will go from eth2 to eth1, and then back from eth1 to eth2.. That's all; in fact it's a kind of router.
And if you need to go to the internet (eth0) from your LAN, it'll go from eth2 to eth0 and back. Don't forget to masquerade your LAN addresses...

hth
Benoit
___________
A good "here, take it" is worth more than two "you'll get it"
tyut
Occasional Visitor

Re: firewall script

Attached is the meat of my final firewall script.
#eth0 (Internet) has the IPs 204.91.104.5 and 204.91.104.6
#eth1 (DMZ) has the IP 10.0.0.1, gateway for the 10.0.0.0/24 network
#eth2 (Local LAN) has the IP 10.0.1.1, gateway for the 10.0.1.0/24 network
#Everything seems to work except the connection between the LAN and the DMZ. I am trying to stop any NEW packets going from the DMZ to the LAN, only ESTABLISHED,RELATED.. I am, however, trying to have all connections accepted (NEW,ESTABLISHED,RELATED) going to the DMZ from the LAN. When I ping 10.0.0.5 from the LAN network (10.0.1.0), I get a reply. When I ping 204.91.104.5 from the LAN network (10.0.1.0) I get a time out. I can ftp (passive only) to 204.91.104.5 and 10.0.0.5 from the LAN network (10.0.1.0). When I try to connect to the sql server. The reason why I am testing the ping to 204.91.104.5 from inside the LAN network is to see how the packet gets from the LAN to the DMZ. Does it go into eth2, out eth0, back into eth0 as 204.91.104.6, then out eth1, then to 10.0.0.5, or does it go from eth2 straight to eth1 directly using the 10.0.0/ network address?

tyut
Occasional Visitor

Re: firewall script

Sorry, I did not finish my sentence:
When I try to connect to the SQL server on 10.0.0.5 I get a time out.
benoit Bruckert
Honored Contributor

Re: firewall script

Hi,
I have no idea about the SQL server protocol; if it works like ftp (a new connection is established) then you need to know the source and dest of this connection. Maybe there's a patch - like ftp conntrack - or feature about that (check at http://www.netfilter.org).

To give you the answer about forwards between your cards: it's always direct! Packets do not go out of a card to come back immediately.

About NAT, you have 2 magic words:
PREROUTING and POSTROUTING,
which mean that addresses are changed before the FORWARD chain for PREROUTING (at this step, in the FORWARD chain you will manipulate addresses after translation).
For POSTROUTING, the FORWARD chain manipulates the initial addresses; it's only at the output that addresses are translated..
I don't know if this gives you the answer, but it may help..
regards
Benoit
______
"Women are more ashamed to confess a thing of love than to do it." Marguerite De Navarre
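The points raised across this thread (a separate bad_tcp_packets chain, the FORWARD rule matching the post-DNAT private address, LAN to DMZ traffic being forwarded eth2 to eth1 directly, NEW connections allowed only from the LAN side, and masquerading behind the eth0 address) fit together in one ruleset. The script below is an added example written for this thread; it is not the poster's attached script nor any of the replies' code. Interface names, networks and the 204.91.104.94 / 10.0.0.94 SMTP pair are taken from the thread; the rule ordering, the ICMP echo rule on INPUT and the helper function names (`fw_rules`, `apply_rules`, `rule_count`) are this example's own choices. `fw_rules` only prints the argument lists, so the ruleset can be reviewed without root; `apply_rules` loads it.

```shell
#!/bin/sh
# Added example ruleset for the three-interface layout in the thread (not the thread's own script).
# fw_rules prints one iptables argument list per line; apply_rules loads them with iptables.
set -f   # no globbing while the rule lines are word-split below

WAN_IF=eth0  WAN_IP=204.91.104.5            # Internet side; LAN and DMZ masquerade behind this
DMZ_IF=eth1  DMZ_NET=10.0.0.0/24            # firewall is 10.0.0.1 on this side
LAN_IF=eth2  LAN_NET=10.0.1.0/24            # firewall is 10.0.1.1 on this side
MAIL_PUB=204.91.104.94  MAIL_DMZ=10.0.0.94  # published SMTP host from the thread

fw_rules() {
cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# bad_tcp_packets: a NEW connection whose first packet is not a SYN is bogus (as suggested above)
-N bad_tcp_packets
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -j bad_tcp_packets
-A FORWARD -p tcp -j bad_tcp_packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# let LAN hosts ping the firewall's own addresses; with INPUT DROP a ping to 204.91.104.5 times out
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# replies for any already-accepted connection, whichever direction it was opened in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> DMZ and LAN -> Internet: NEW connections allowed; LAN->DMZ goes eth2 -> eth1 directly
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DMZ -> LAN: no NEW connections (only the replies matched above get through)
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -m state --state NEW -j ACCEPT
# Published service: PREROUTING rewrites the destination before routing and before FORWARD,
# so the FORWARD rule must match the private (post-DNAT) address. No "-i eth0" on the DNAT
# rule, so a LAN host using the public address is translated too; conntrack un-DNATs the reply.
-t nat -A PREROUTING -p tcp -d $MAIL_PUB --dport 25 -j DNAT --to-destination $MAIL_DMZ:25
-A FORWARD -o $DMZ_IF -p tcp -d $MAIL_DMZ --dport 25 -m state --state NEW -j ACCEPT
# POSTROUTING runs after FORWARD, so the FORWARD rules above still see the private sources
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
-t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j SNAT --to-source $WAN_IP
EOF
}

# Load the rules (needs root). Flushes first so the script can be re-run safely.
apply_rules() {
  iptables -F && iptables -t nat -F && iptables -X || return 1
  # FTP helper so passive/active data channels are tracked as RELATED (old and new module names)
  modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null
  fw_rules | grep -v '^#' | while read -r rule; do
    # intentional word splitting: each line is one complete iptables argument list
    iptables $rule || { echo "failed: iptables $rule" >&2; exit 1; }
  done || return 1
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Number of rules that would be loaded; a quick sanity check before applying.
rule_count() { fw_rules | grep -vc '^#'; }
```

Review the output of `fw_rules` first, then run `apply_rules` as root; once it behaves, `iptables-save > /etc/sysconfig/iptables` persists it across reboots as mentioned earlier in the thread. The DMZ to LAN DROP rule sits after the ESTABLISHED,RELATED accept, which is what lets DMZ hosts answer LAN connections while never opening new ones toward the LAN.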