On Thursday 09 January 2003 12:34 am, David Collodel wrote:

{Very heavily snipped}

> Perhaps it would help if I included my entire script? Or at least the
> relevant parts of it.

It seems you included it entire. :^)

> Thanks for any help you can offer.

[snipped lengthy but self-explanatory IP & interface aliases]

> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -F
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
>
> $IPTABLES -F -t mangle
> $IPTABLES -t mangle -X

Why are you not flushing the nat table as well? BTW, the "$IPTABLES -F" encompasses all the filter table chains, so the following three flushes are redundant.

Why do you have so many (snipped) rules for INPUT to the firewall box itself? Do you really need to allow all ports and all protocols from the DMZ and the LAN?? Unless you are running some services on the box (which should probably be run on a server on the LAN or in the DMZ) you really shouldn't allow ANY access, except SSH if you must. Other than SSH I can't conceive of why you need ANY access to this box from the Internet. Even the EST/REL shouldn't be necessary.

> $IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -j ACCEPT

This should probably be dropped in favor of individual rules to allow each (if any other than DNS) connection that the DMZ machines would need to initiate.

> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

Do you trust the LAN machines and users this much? You'd probably be much better off if you just have a handful of rules to ACCEPT the services they really require. If someone needs something that doesn't get through the firewall, you'll certainly get a call. :^) You can then decide if you want to allow it, and if so then add an appropriate rule.

On my home network, where I control all machines, I STILL only allow four ports through FORWARD, and log everything else. And my INPUT rules are tighter than this, and my firewall IS my desktop machine, web server, and an Unreal Tournament server, and runs P2P sometimes. (Both those are toggled through a script, so I open the ports manually with "fw ut" for example then close with "fw utx")

> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This one makes all your other FORWARD state rules rather unnecessary, since they are all tighter than this, and this accepts any interface.

> $IPTABLES -A OUTPUT -p ALL -s $EXT_IP -j ACCEPT

Again, what need do you have for this box to communicate directly with anything on the internet? I would lock this sucker down TIGHT. Set up a script owned by root that you can execute to temporarily open INPUT and OUTPUT only as far as absolutely necessary if there's anything you need to do from the box. Other than that leave OUTPUT and INPUT at just DROP, with SSH allowed in and responded only if you have to. If somebody gets this box, they own your network. Don't invite trouble. (especially now that your complete firewall is part of a publicly accessible archive...)

I'm not sure why you bothered with a DROP policy on OUTPUT with the four OUTPUT rules you use. The ONLY thing you prevent from going out is an incorrect IP.

> $IPTABLES -F -t nat

Ah, here's the nat table flush, 2/3 of the way through the script... :^) Not a big deal, just that everything else is organized fairly clearly.

> # 3.2 PREROUTING chain
> # 3.2.3 DMZ DNAT
> #
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $HTTP_IP --dport 22 -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $HTTP_IP --dport 443 -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $HTTP_IP --dport 8000 -j DNAT --to-destination $DMZ_HTTP_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $HTTP_IP --dport 8001 -j DNAT --to-destination $DMZ_HTTP_IP
>
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
> $IPTABLES -t nat -A PREROUTING -p UDP -i $EXT_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $DNS_IP --dport 443 -j DNAT --to-destination $DMZ_DNS_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $DNS_IP --dport 22 -j DNAT --to-destination $DMZ_DNS_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $DNS_IP --dport 25 -j DNAT --to-destination $DMZ_DNS_IP
> $IPTABLES -t nat -A PREROUTING -p TCP -i $EXT_IFACE -d $DNS_IP --dport 995 -j DNAT --to-destination $DMZ_DNS_IP

Hmmm. Well, this is the answer to your 'real' question. I don't see ANY rules in PREROUTING to DNAT connections from the LAN. Those would be addressed -d $DNS_IP, but would be -i $LAN_IFACE.

You should seriously reconsider what communications the firewall box itself requires, and what traffic the LAN is allowed to conduct.

j
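The points raised in the reply (flush every table, nat included, before setting policies; a minimal INPUT/OUTPUT on the firewall itself; per-service FORWARD rules instead of a blanket LAN accept; and DNAT of the public address on the LAN interface as well as the external one) fit together in one script shape. The following is an added example, not the original poster's script and not something the reply author posted; interface names, addresses and the single published service are placeholders chosen for illustration. With `DRY_RUN=1` it prints the iptables commands instead of running them, which is also a convenient way to review a ruleset before it is loaded.

```shell
#!/bin/sh
# Added example: a tightened three-interface ruleset in the shape the reply describes.
# All names and addresses below are placeholders (TEST-NET-3 and RFC 1918), not real values.
EXT_IFACE=${EXT_IFACE:-eth0}            # Internet side
LAN_IFACE=${LAN_IFACE:-eth1}            # trusted-ish LAN
DMZ_IFACE=${DMZ_IFACE:-eth2}            # DMZ with the published server
HTTP_IP=${HTTP_IP:-203.0.113.10}        # public address of the web service
DMZ_HTTP_IP=${DMZ_HTTP_IP:-10.0.0.10}   # real DMZ address of the web server
IPTABLES=${IPTABLES:-iptables}

# Run iptables, or just print the command when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

fw_reset() {
    # Flush and delete user chains in every table up front (filter, nat, mangle),
    # then set the default policies. One -F per table covers all its built-in chains.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

fw_self() {
    # The firewall box itself: loopback, SSH from the LAN only, and replies to that.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

fw_forward() {
    # One rule per service the LAN really needs, instead of "-i $LAN_IFACE -j ACCEPT".
    for port in 80 443; do
        ipt -A FORWARD -i "$LAN_IFACE" -o "$EXT_IFACE" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Published web server: reachable from the Internet and from the LAN (after DNAT).
    for iface in "$EXT_IFACE" "$LAN_IFACE"; do
        ipt -A FORWARD -i "$iface" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" -p tcp --dport 80 \
            -m state --state NEW -j ACCEPT
    done
    # Replies for the connections above; everything else is logged and hits the DROP policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

fw_nat() {
    # DNAT the public address on BOTH the external and the LAN interface, so a LAN
    # client that connects to $HTTP_IP also lands on the DMZ server. Because LAN and
    # DMZ are separate subnets behind this box, the server's replies come back through
    # it and conntrack reverses the DNAT; no extra SNAT is needed for that path.
    for iface in "$EXT_IFACE" "$LAN_IFACE"; do
        ipt -t nat -A PREROUTING -i "$iface" -p tcp -d "$HTTP_IP" --dport 80 \
            -j DNAT --to-destination "$DMZ_HTTP_IP"
    done
    ipt -t nat -A POSTROUTING -o "$EXT_IFACE" -j MASQUERADE
}

fw_all() { fw_reset; fw_self; fw_forward; fw_nat; }

# Sanity checks usable in dry-run mode, e.g. before loading the rules on a live box.
lan_dnat_count() {
    DRY_RUN=1 fw_nat | grep -c -- "-i $LAN_IFACE .*-j DNAT"
}
nat_flushed_before_policy() {
    DRY_RUN=1 fw_reset | awk '/-t nat -F/ {f=NR} /-P INPUT DROP/ {p=NR} END {exit !(f && p && f < p)}'
}

if [ "${FW_MAIN:-0}" = 1 ]; then
    fw_all
fi
```

Run it as `DRY_RUN=1 FW_MAIN=1 sh fw.sh` to review the generated commands; without `DRY_RUN` and with `FW_MAIN=1` it loads them. The dry-run checks are the point of the layout: every rule goes through `ipt()`, so the same functions can be inspected with `grep` or `awk` before they ever touch the kernel.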