Re: 3 part firewall

On Wed, 2003-05-21 at 08:42, Robert Cole wrote:
> Like David T I'm a bit frustrated myself. :)
Ok. let's see.
> 
> The flexibility of iptables has got me pulling my hair out. Here's what I would 
> like to do:
> 
> I have a server that has 3 real interfaces (no aliases). eth0 is the public, 
> eth1 is the private and eth2 is the DMZ interface. All the books and docs 
> I've seen so far work with only two interfaces and trying to adapt those 
> scripts is giving me a headache.
> 
> I want to allow all private traffic out to the internet through PAT (port 
> address translation). But when going from the LAN to the DMZ I want no nat or 
> pat going on, only when leaving to the internet. 
Ok.
DMZ_DEV=eth2
PRV_DEV=eth1
PUB_DEV=eth0
# making up the network, replace as needed.
PRV_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24
# NAT rules
iptables -t nat -A POSTROUTING -s $PRV_NET -o $PUB_DEV -j MASQUERADE
> 
> Next I would like a strict rule that allows another public IP to be 1 to 1 
> nat'd from the public interface to a server out the DMZ interface.
PUB_IP=128.176.0.12
DMZ_IP=192.168.1.15
# DNAT is only valid in PREROUTING (or OUTPUT), and -i cannot be used in
# POSTROUTING; the translation has to happen before the routing decision.
iptables -t nat -A PREROUTING -i $PUB_DEV -d $PUB_IP -j DNAT --to-destination $DMZ_IP
# Return half of the 1:1 mapping: the DMZ host leaves as $PUB_IP, not as a
# private address. Insert it before the MASQUERADE rule if that one matches it.
iptables -t nat -A POSTROUTING -o $PUB_DEV -s $DMZ_IP -j SNAT --to-source $PUB_IP

So far we have setup the NAT rules, now the filtering.
# Allow all established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow traffic from the private network to the DMZ
iptables -A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT

# Allow traffic from the private network to the internet
iptables -A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -d 0/0 -m state --state NEW -j ACCEPT

# Allow traffic from the outside to the one machine on the DMZ
# (the FORWARD chain sees the packet after DNAT, so match on $DMZ_IP, not $PUB_IP)
iptables -A FORWARD -i $PUB_DEV -o $DMZ_DEV -s 0/0 -d $DMZ_IP -m state --state NEW -j ACCEPT

# Close everything else (you might want to move these rules to the beginning)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Be aware that you cannot access the firewall anymore and the firewall
# cannot access any other machine.
# Turn on forwarding 
sysctl -w net.ipv4.ip_forward=1


> 
> 
> Any ideas?
This should get you going. Email again if you've got problems.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
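As an added example, not part of Ralf's reply or of Robert's original post: the same three-zone design written as a script that emits the ruleset in iptables-restore format, so it can be reviewed, diffed and loaded atomically instead of applied rule by rule (which is what makes the "you cannot access the firewall anymore" moment in the reply dangerous). The interface names and addresses are the made-up values from the thread; the ADMIN_PORT variable, the INPUT rules for reaching the firewall from the LAN, and the check_ruleset helper are my own assumptions and not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original post): generate a three-zone iptables
# ruleset in iptables-restore format. Values are assumptions, as in the thread.
PUB_DEV=${PUB_DEV:-eth0}
PRV_DEV=${PRV_DEV:-eth1}
DMZ_DEV=${DMZ_DEV:-eth2}
PRV_NET=${PRV_NET:-192.168.0.0/24}
DMZ_NET=${DMZ_NET:-192.168.1.0/24}
PUB_IP=${PUB_IP:-128.176.0.12}     # second public address, 1:1 mapped
DMZ_IP=${DMZ_IP:-192.168.1.15}     # DMZ host behind it
ADMIN_PORT=${ADMIN_PORT:-22}       # assumption: SSH to the firewall from the LAN only

gen_nat_table() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1:1 mapping, inbound half: DNAT must happen before routing, in PREROUTING
-A PREROUTING -i $PUB_DEV -d $PUB_IP -j DNAT --to-destination $DMZ_IP
# 1:1 mapping, outbound half: the DMZ host leaves as its own public address;
# listed before the MASQUERADE catch-all so it is matched first
-A POSTROUTING -o $PUB_DEV -s $DMZ_IP -j SNAT --to-source $PUB_IP
# LAN to Internet: PAT. Matching -o $PUB_DEV keeps LAN->DMZ traffic untranslated.
-A POSTROUTING -o $PUB_DEV -s $PRV_NET -j MASQUERADE
COMMIT
EOF
}

gen_filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, replies, and admin access from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $PRV_DEV -s $PRV_NET -p tcp --dport $ADMIN_PORT -m state --state NEW -j ACCEPT
# Forwarded traffic: replies first, then the three permitted directions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PRV_DEV -o $DMZ_DEV -s $PRV_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $PRV_DEV -o $PUB_DEV -s $PRV_NET -m state --state NEW -j ACCEPT
# Inbound to the 1:1 host: FORWARD sees the post-DNAT address ($DMZ_IP), not $PUB_IP
-A FORWARD -i $PUB_DEV -o $DMZ_DEV -d $DMZ_IP -m state --state NEW -j ACCEPT
# Anything the DMZ host initiates towards the LAN falls through to the DROP policy
COMMIT
EOF
}

gen_ruleset() { gen_nat_table; gen_filter_table; }

# Pre-load sanity checks (assumed helper): DNAT only in PREROUTING, SNAT before
# MASQUERADE, and no rule letting the DMZ open new connections into the LAN.
check_ruleset() {
    rs=$(gen_ruleset)
    printf '%s\n' "$rs" | grep -q '^-A POSTROUTING .*-j DNAT' && return 1
    printf '%s\n' "$rs" | grep -q '^-A PREROUTING .*-j DNAT' || return 1
    snat=$(printf '%s\n' "$rs" | grep -n -- '-j SNAT' | cut -d: -f1)
    masq=$(printf '%s\n' "$rs" | grep -n -- '-j MASQUERADE' | cut -d: -f1)
    [ "$snat" -lt "$masq" ] || return 1
    printf '%s\n' "$rs" | grep -q "^-A FORWARD -i $DMZ_DEV -o $PRV_DEV" && return 1
    return 0
}

# Usage: ./fw.sh > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
#        ./fw.sh --check
case "${1:-}" in
    --check) check_ruleset && echo "ruleset ok" ;;
    *) gen_ruleset ;;
esac
```

Loading with iptables-restore applies the whole table in one step, so the DROP policies and the accept rules take effect together and an admin session over the LAN interface survives the switch. Two points the original rule-by-rule version gets wrong are visible in the nat table: a DNAT target only exists in PREROUTING (and OUTPUT), and a 1:1 mapping needs the SNAT half as well, placed before the MASQUERADE rule that would otherwise never see the DMZ host anyway because it only matches $PRV_NET. Forwarding still has to be enabled separately with sysctl -w net.ipv4.ip_forward=1.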


