Multihomed firewall and port forwarding nightmare ))):-(

Hi!

I have used ipchains for a while and am relatively new to iptables.
 
I have to set up a somewhat special multihomed firewall:
It has three external interfaces with public addresses, one for http, one for both smtp and pop3 and the third for ftp. These are real hardware NICs, not virtual.
 
It has one internal interface which acts as the gateway for the LAN.
 
          Debian 3.0r1 iptables 1.2.6a kernel 2.4.18           ISP router
        +--------------------------------------------+     +----------------+
        |                  195.65.176.162 ftp        |     |                |
LAN --- +192.168.124.253   195.65.176.163 smtp/pop3  + --- + 195.65.176.161 + --- Internet
        |                  195.65.176.164 http       |     |                |
        +--------------------------------------------+     +----------------+
LAN: 192.168.124.0/24, public IP range: 195.65.176.160/29
 
DNS is hosted by the ISP. I have local DNS servers for the LAN.
 
What is working:
 
From the LAN, everything works fine, all 4 protocols are working from any client, all port redirections are fine.
From the public IP range, as you might think, it is the same thing: everything works fine from any test workstation plugged into it.
 
The problem is from the Internet (aka going through the firewall...).
Every request to the http server runs fine, both ICMP and port 80 forwarding.
But I cannot even ping the smtp/pop3 external interface, and ports 25 and 110 do connect but send no packets back; then the connection drops after the workstation times out!
The same thing occurs with the ftp connection.
 
After some days and nights of fumbling and reading, I turn to the list. Sorry if this topic has already been submitted and solved; I could not find it.
 
Pleeeeeeease help!
 
Here is the output of iptables-save as well as the routing table of the firewall:
 

# Generated by iptables-save v1.2.6a on Wed Jan 14 23:44:21 2004
*mangle
:PREROUTING ACCEPT [338:163396]
:INPUT ACCEPT [26:1386]
:FORWARD ACCEPT [297:161318]
:OUTPUT ACCEPT [68:8805]
:POSTROUTING ACCEPT [313:161958]
COMMIT
# Completed on Wed Jan 14 23:44:21 2004
# Generated by iptables-save v1.2.6a on Wed Jan 14 23:44:21 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
# INPUT: traffic addressed to the firewall itself. The LAN (eth0) and loopback
# are trusted; the three public interfaces (eth1..eth3) go through the
# per-protocol chains and everything else is logged, then dropped by policy.
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.124.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.124.254 -i lo -j ACCEPT
-A INPUT -s 195.65.176.162 -i lo -j ACCEPT
-A INPUT -s 195.65.176.163 -i lo -j ACCEPT
-A INPUT -s 195.65.176.164 -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -d 195.65.176.162 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 195.65.176.163 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 195.65.176.164 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -i eth2 -p tcp -j tcp_packets
-A INPUT -i eth2 -p udp -j udp_packets
-A INPUT -i eth2 -p icmp -j icmp_packets
-A INPUT -i eth3 -p tcp -j tcp_packets
-A INPUT -i eth3 -p udp -j udp_packets
-A INPUT -i eth3 -p icmp -j icmp_packets
-A INPUT -d 224.0.0.0/255.0.0.0 -i eth1 -j DROP
-A INPUT -d 224.0.0.0/255.0.0.0 -i eth2 -j DROP
-A INPUT -d 224.0.0.0/255.0.0.0 -i eth3 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
# FORWARD: anything from the LAN goes out, replies come back in, and only the
# four DNATed services (after rewriting in nat PREROUTING) are let through
# to the internal servers.
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.124.103 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.124.104 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.124.104 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 192.168.124.105 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
# OUTPUT: anything sourced from one of the firewall's own addresses.
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.124.254 -j ACCEPT
-A OUTPUT -s 195.65.176.162 -j ACCEPT
-A OUTPUT -s 195.65.176.163 -j ACCEPT
-A OUTPUT -s 195.65.176.164 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
# Helper chains: "allowed" takes a clean SYN or an existing connection,
# "bad_tcp_packets" rejects NEW packets that are not plain SYNs, and
# tcp_packets/udp_packets/icmp_packets are what the public interfaces accept.
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW not SYN: " --log-level 7
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A udp_packets -d 195.65.176.167 -i eth1 -p udp -m udp --dport 135:139 -j DROP
COMMIT
# Completed on Wed Jan 14 23:44:21 2004
# Generated by iptables-save v1.2.6a on Wed Jan 14 23:44:21 2004
*nat
:PREROUTING ACCEPT [32:1675]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [24:1752]
# PREROUTING: one public address per service, each DNATed to its internal server.
-A PREROUTING -d 195.65.176.164 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.124.103:80
-A PREROUTING -d 195.65.176.163 -p tcp -m multiport --ports smtp,pop3 -j DNAT --to-destination 192.168.124.104
-A PREROUTING -d 195.65.176.162 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.124.105:21
# POSTROUTING: connections to the internal servers are re-sourced from the
# firewall's LAN address; outbound traffic is SNATed to the address of the
# public interface it leaves on.
-A POSTROUTING -d 192.168.124.105 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -d 192.168.124.104 -p tcp -m multiport --ports smtp,pop3 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -d 192.168.124.103 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -o eth1 -j SNAT --to-source 195.65.176.162
-A POSTROUTING -o eth2 -j SNAT --to-source 195.65.176.163
-A POSTROUTING -o eth3 -j SNAT --to-source 195.65.176.164
COMMIT
# Completed on Wed Jan 14 23:44:21 2004

---------------------------------------------------------------

Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
195.65.176.160  *                255.255.255.248  U     0      0        0 eth1
195.65.176.160  *                255.255.255.248  U     0      0        0 eth2
195.65.176.160  *                255.255.255.248  U     0      0        0 eth3
localnet        *                255.255.255.0    U     0      0        0 eth0
default         195.65.176.161   0.0.0.0          UG    0      0        0 eth3
default         195.65.176.161   0.0.0.0          UG    0      0        0 eth2
default         195.65.176.161   0.0.0.0          UG    0      0        0 eth1
default         192.168.124.253  0.0.0.0          UG    0      0        0 eth0

 
 
Caracal - G. Hostettler


e-mail (general work): info@xxxxxxxxxx
e-mail (webmaster work): info@xxxxxxxxxx
e-mail (personal): ghostettler@xxxxxxxxxx
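Added example (the editor's, not code from the poster or from the netfilter project). The routing table above has three interfaces in the one /29 and three default routes to the same gateway, so on such a box the first things to audit are where a reply sourced from each public address actually leaves, and whether the nat and filter rules agree with each other. The script below embeds constructed copies of the posted routing table and of the nat/FORWARD rules, and reports: duplicate default routes, subnets configured on several interfaces, DNAT targets without a matching FORWARD accept, and DNAT targets whose connections are then re-SNATed to 192.168.124.254 (those servers only ever log the firewall as the client, which blinds mail relay checks, per-client limits and any later forensics). It then prints the iproute2 source-based policy-routing commands and the arp_filter setting that are the usual way to pin each public address to its own interface, reading the address-to-interface mapping from the -o ethN SNAT rules. That remedy, the table numbers 101..103, and the reminder to check strict rp_filter are assumptions about what a box like this needs, not a confirmed diagnosis of the poster's problem; nothing is applied, only printed.

```python
import re
from collections import defaultdict

# Constructed copies of the poster's `route -n` output and of the nat/FORWARD rules from the dump.
ROUTES = """\
195.65.176.160 * 255.255.255.248 U 0 0 0 eth1
195.65.176.160 * 255.255.255.248 U 0 0 0 eth2
195.65.176.160 * 255.255.255.248 U 0 0 0 eth3
localnet * 255.255.255.0 U 0 0 0 eth0
default 195.65.176.161 0.0.0.0 UG 0 0 0 eth3
default 195.65.176.161 0.0.0.0 UG 0 0 0 eth2
default 195.65.176.161 0.0.0.0 UG 0 0 0 eth1
default 192.168.124.253 0.0.0.0 UG 0 0 0 eth0
"""
RULES = """\
-A FORWARD -d 192.168.124.103 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.124.104 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.124.104 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 192.168.124.105 -p tcp -m tcp --dport 21 -j ACCEPT
-A PREROUTING -d 195.65.176.164 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.124.103:80
-A PREROUTING -d 195.65.176.163 -p tcp -m multiport --ports smtp,pop3 -j DNAT --to-destination 192.168.124.104
-A PREROUTING -d 195.65.176.162 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.124.105:21
-A POSTROUTING -d 192.168.124.105 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -d 192.168.124.104 -p tcp -m multiport --ports smtp,pop3 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -d 192.168.124.103 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.124.254
-A POSTROUTING -o eth1 -j SNAT --to-source 195.65.176.162
-A POSTROUTING -o eth2 -j SNAT --to-source 195.65.176.163
-A POSTROUTING -o eth3 -j SNAT --to-source 195.65.176.164
"""
SERVICES = {"ftp": "21", "smtp": "25", "http": "80", "pop3": "110"}  # names -m multiport may use

def parse_routes(text):
    """`route -n` lines to dicts; a header row, if present, is skipped."""
    return [{"dest": f[0], "gw": f[1], "mask": f[2], "iface": f[7]}
            for f in (ln.split() for ln in text.splitlines()) if len(f) == 8 and f[0] != "Destination"]

def default_route_ifaces(routes):
    """Several default routes: a reply may leave on whichever the kernel picks, not the one it came in on."""
    return [r["iface"] for r in routes if r["dest"] == "default"]

def shared_subnets(routes):
    """Connected subnets configured on more than one interface: {(net, mask): [ifaces]}."""
    by_net = defaultdict(list)
    for r in routes:
        if r["gw"] == "*" and r["dest"] != "default":
            by_net[(r["dest"], r["mask"])].append(r["iface"])
    return {k: v for k, v in by_net.items() if len(v) > 1}

def _ports(rule):
    m = re.search(r"--(?:dport|ports) (\S+)", rule)
    return [SERVICES.get(p, p) for p in m.group(1).split(",")] if m else ["*"]

def parse_rules(text):
    """DNAT entries, FORWARD accepts, hide-SNAT targets, and the SNAT source per outbound interface."""
    dnat, fwd_accept, hide_snat, iface_snat = [], set(), set(), {}
    for rule in (ln for ln in text.splitlines() if ln.startswith("-A ")):
        chain, dst = rule.split()[1], re.search(r" -d (\S+)", rule)
        if chain == "PREROUTING" and "-j DNAT" in rule:
            target = re.search(r"--to-destination ([\d.]+)", rule).group(1)  # without any :port
            dnat.append((dst.group(1), _ports(rule), target))
        elif chain == "FORWARD" and rule.endswith("-j ACCEPT") and dst:
            fwd_accept.update((dst.group(1), p) for p in _ports(rule))
        elif chain == "POSTROUTING" and "-j SNAT" in rule:
            out = re.search(r" -o (\S+)", rule)
            if dst: hide_snat.add(dst.group(1))  # keyed on the server: hides the real client from it
            elif out: iface_snat[out.group(1)] = re.search(r"--to-source (\S+)", rule).group(1)
    return dnat, fwd_accept, hide_snat, iface_snat

def missing_forward(dnat, fwd_accept):
    """DNAT targets with no FORWARD accept: the rewritten SYN dies on FORWARD's DROP policy."""
    return [(t, p) for _, ports, t in dnat for p in ports
            if (t, p) not in fwd_accept and (t, "*") not in fwd_accept]

def hidden_client_sources(dnat, hide_snat):
    """DNAT targets that are also hide-SNATed: the server only ever logs the firewall as client, which
    blinds relay checks, per-client limits and forensics. Only needed if it does not route back via us."""
    return sorted({t for _, _, t in dnat if t in hide_snat})

def policy_routing_cmds(routes, iface_snat):
    """iproute2 commands (printed, not run): one table per public address so replies from it leave on its
    own interface, plus arp_filter so only that interface answers ARP for it. Table numbers are arbitrary."""
    cmds = []
    for n, (iface, addr) in enumerate(sorted(iface_snat.items()), start=101):
        net = next(r for r in routes if r["iface"] == iface and r["gw"] == "*")
        gw = next(r["gw"] for r in routes if r["iface"] == iface and r["dest"] == "default")
        cidr = f"{net['dest']}/{sum(bin(int(o)).count('1') for o in net['mask'].split('.'))}"
        cmds += [f"ip route add {cidr} dev {iface} src {addr} table {n}",
                 f"ip route add default via {gw} dev {iface} table {n}",
                 f"ip rule add from {addr} table {n}",
                 f"echo 1 > /proc/sys/net/ipv4/conf/{iface}/arp_filter"]
    return cmds

if __name__ == "__main__":
    routes, (dnat, fwd, hide, ifsnat) = parse_routes(ROUTES), parse_rules(RULES)
    print("default routes on:", default_route_ifaces(routes), "| shared subnets:", shared_subnets(routes))
    print("DNAT without FORWARD accept:", missing_forward(dnat, fwd), "| client hidden from:", hidden_client_sources(dnat, hide))
    print("check strict rp_filter too: cat /proc/sys/net/ipv4/conf/*/rp_filter", *policy_routing_cmds(routes, ifsnat), sep="\n")
```

Run it as-is; to audit a live box, replace ROUTES and RULES with the real `route -n` and `iptables-save` output. The policy-routing commands assume the iproute package and a kernel built with multiple routing tables; the FTP DNAT additionally needs the ip_nat_ftp/ip_conntrack_ftp helpers loaded for data connections, which a dump like this cannot show.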
