Re: 3 part firewall

On Tue, May 20, 2003 at 11:42:51PM -0700, Robert Cole spoke thusly:
>I have a server that has 3 real interfaces (no aliases). eth0 is the
>public, eth1 is the private and eth2 is the DMZ interface. All the books
>and docs I've seen so far work with only two interfaces and trying to
>adapt those scripts is giving me a headache.

You did not supply any real IP addresses to go with it. Therefore, I'll
assume it like so:

eth0	- 1.1.1.1
eth1	- 192.168.250.0/24
eth2	- 172.30.55.0/24

and the eth0 IP is static.

>I want to allow all private traffic out to the internet through PAT (port
>address translation). But when going from the LAN to the DMZ I want no nat
>or pat going on, only when leaving to the internet. 

Hmm, I don't think we hold the same definition for PAT. In any case, if you
merely want normal SNAT / MASQ, do it like so.

# default-deny on all three chains; flush the nat table too, or re-running
# the script stacks a second copy of every NAT rule
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# LAN may start connections anywhere (internet and DMZ alike)
/sbin/iptables -A FORWARD -p all -s 192.168.250.0/24 -j ACCEPT
# SNAT only what leaves on eth0; without -o eth0 the LAN->DMZ traffic
# would be translated to 1.1.1.1 as well
/sbin/iptables -t nat -A POSTROUTING -p all -s 192.168.250.0/24 -o eth0 \
               -j SNAT --to-source 1.1.1.1

# replies and related traffic for connections already allowed
/sbin/iptables -A OUTPUT -p all -m state --state ESTABLISHED,RELATED \
               -j ACCEPT
/sbin/iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED \
               -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED \
               -j ACCEPT

>Next I would like a strict rule that allows another public IP to be 1 to 1 
>nat'd from the public interface to a server out the DMZ interface.

# rewrite the destination of inbound packets for one port on the public IP
/sbin/iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 \
               --dport 12345 -j DNAT --to-destination 172.30.55.100:12345

# the FORWARD rule sees the packet after DNAT, so it must match the
# translated destination address and port
/sbin/iptables -A FORWARD -p tcp -d 172.30.55.100 --dport 12345 \
               -j ACCEPT

>I'm currently using narc to setup the firewall and it appears to work to
>get basic internet bound traffic from the lan and I can get to the DMZ
>from the LAN without translation so I'm close here but getting the 1 to 1
>NAT working is causing me grief.

Haven't used narc, can't comment. The aforementioned rules can be tightened
some more, depending on your overall situation.
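The complete three-interface ruleset the reply sketches, as an added example that is not code from the original thread. It keeps the reply's assumed addresses (1.1.1.1 on eth0, 192.168.250.0/24 on eth1, 172.30.55.0/24 on eth2) and adds assumptions the thread never states: 1.1.1.2 as the second public address that is mapped 1:1 to the DMZ host 172.30.55.100, and TCP 80/443 as the services that host exposes. The SNAT is pinned to -o eth0 so LAN-to-DMZ traffic keeps its real addresses, and the 1:1 mapping is done with a DNAT for inbound plus a matching SNAT for outbound so the DMZ host always appears as 1.1.1.2 in both directions. The script prints the rules by default and only applies them when given the argument "apply".

```shell
#!/bin/sh
# Three-legged iptables firewall: eth0 public, eth1 LAN, eth2 DMZ.
# Added example, not from the original thread. All addresses are assumptions:
#   PUB_IP  1.1.1.1   primary public address (source for LAN masquerading)
#   PUB_IP2 1.1.1.2   second public address, mapped 1:1 to DMZ_HOST
#   DMZ_HOST 172.30.55.100, LAN_NET 192.168.250.0/24, DMZ_NET 172.30.55.0/24
set -eu

PUB_IF=eth0; PUB_IP=1.1.1.1; PUB_IP2=1.1.1.2
LAN_IF=eth1; LAN_NET=192.168.250.0/24
DMZ_IF=eth2; DMZ_NET=172.30.55.0/24; DMZ_HOST=172.30.55.100

# build_rules prints one iptables command per line; apply_rules runs them.
build_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback, plus replies to connections the firewall itself or a client started
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: LAN or DMZ source addresses never legitimately arrive on eth0
iptables -A FORWARD -i $PUB_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $PUB_IF -s $DMZ_NET -j DROP
# LAN may start connections to the internet and to the DMZ
iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
# SNAT only on the way out to the internet; LAN<->DMZ keeps real addresses
iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -j SNAT --to-source $PUB_IP
# 1:1 NAT: all protocols for PUB_IP2 go to DMZ_HOST, DMZ_HOST leaves as PUB_IP2
iptables -t nat -A PREROUTING -i $PUB_IF -d $PUB_IP2 -j DNAT --to-destination $DMZ_HOST
iptables -t nat -A POSTROUTING -o $PUB_IF -s $DMZ_HOST -j SNAT --to-source $PUB_IP2
# the FORWARD chain sees the post-DNAT address; expose only the offered services
iptables -A FORWARD -i $PUB_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 443 -j ACCEPT
# DMZ host may initiate outbound (updates, DNS); DMZ->LAN falls to the DROP policy
iptables -A FORWARD -i $DMZ_IF -o $PUB_IF -s $DMZ_HOST -j ACCEPT
EOF
}

# check_no_nat_inside: every POSTROUTING rule must be pinned to the public
# interface; a rule without -o $PUB_IF would also translate LAN->DMZ traffic.
# Returns 0 when the invariant holds, 1 otherwise.
check_no_nat_inside() {
    if build_rules | grep -- '-A POSTROUTING' | grep -v -q -- "-o $PUB_IF"; then
        return 1
    fi
    return 0
}

# apply_rules: enable forwarding and load the rules (needs root).
apply_rules() {
    check_no_nat_inside
    sysctl -w net.ipv4.ip_forward=1
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;    # dry run: print the ruleset
esac
```

Two things the rules alone do not give you: the firewall must own 1.1.1.2 on eth0 (for example `ip addr add 1.1.1.2/32 dev eth0`, or proxy ARP) so it receives those frames at all, and connection tracking handles the reverse translation for both SNAT rules, so no explicit "undo" rules are needed for replies.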
