hi,
I want to make a ruleset that protects the intranet. OK, no problem. But it should also protect the "internet". That means only .. simple:
ruleset extern_to_intern: allow some ports to fw, allow some ports through fw to some hosts / subnets, deny all
ruleset intern_to_extern: allow some ports (most of them) to fw, allow some ports through fw to some hosts in internet, deny all
ruleset vpn-connections: allow all to intranet and fw, deny all (also traffic to internet)
ruleset for special handling: some NATs / port forwards intern <--> intern
ruleset for masquerading: masq. all behind official IP
My interfaces are: eth0 - intranet interface, eth1 - internet interface
.. short lines from my configs:
-----------------------------------------------------------------------
# chain "extern": extern_to_intern (some ports to fw, some through fw, deny all)
-N extern
-A extern -m state --state ESTABLISHED,RELATED -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A extern -i $INTERNET -p 50 -j ACCEPT
-A extern -i $INTERNET -p 51 -j ACCEPT
-A extern -i $INTERNET -m state --state NEW -p udp --dport 500 -j ACCEPT
-A extern -j DROP
-A INPUT -j extern
-A FORWARD -j extern

# chain "intern": intern_to_extern (most ports to fw, some through fw, deny all)
-N intern
-A intern -m state --state ESTABLISHED,RELATED -j ACCEPT
-A intern -m state --state NEW -i ! $LOCAL -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 25 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p udp -d $FIREWALL --dport 37 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 37 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p udp -d $FIREWALL --dport 53 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 53 -j ACCEPT
-A intern -i $LOCAL -m state --state NEW -p tcp -d $FIREWALL --dport 80 -j ACCEPT
-A intern -j DROP
-A INPUT -j intern
-A FORWARD -j intern

# chain "vpn": vpn-connections (ppp+ interfaces)
-N vpn
-A vpn -i ppp+ -j ACCEPT
-A INPUT -j vpn
-A FORWARD -j vpn

# masquerading: everything leaving on the internet interface
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
--------------------------------------------------------------------------
It doesn't work correctly. :/ I need some hints on how to organize this construction, or a suggestion for a better one.
Thanks all. Best regards,
Lars Nixdorf
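One way to organize the same five rulesets so that the chains cannot interfere with each other, as an added example that is not part of the original post and not the poster's own configuration: INPUT and FORWARD dispatch on the inbound interface, so each packet enters exactly one of the user chains (extern, intern, vpn), and anything no chain accepts falls through to the built-in DROP policy instead of a trailing `-j DROP` inside a chain. The script only prints an iptables-restore(8) ruleset; it does not touch the running firewall. The interface names `eth0`/`eth1`, the firewall addresses, the internal mail host, the external web host and the port list are all assumptions chosen for illustration (constructed addresses from the RFC 5737 documentation ranges and a private range).

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore ruleset
# in which INPUT/FORWARD dispatch by inbound interface into one user chain each.
# All names and addresses below are assumptions for illustration.
INTERNET=eth1
LOCAL=eth0
FW_EXT=192.0.2.10        # constructed: firewall address on the internet side
FW_INT=10.0.0.1          # constructed: firewall address on the intranet side
MAILHOST=10.0.0.25       # constructed: internal host reachable from outside on 25/tcp
WEBHOST=198.51.100.7     # constructed: external host the intranet may reach on 80/tcp

# Print the complete ruleset in iptables-restore(8) format. Nothing is applied
# here; as root you would load it with:  build_ruleset | iptables-restore
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:extern - [0:0]
:intern - [0:0]
:vpn - [0:0]
# loopback and the stateful shortcut once, before any per-interface chain
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# vpn clients may not reach the internet through us (-o is only valid here,
# in FORWARD itself, not inside a chain that INPUT also jumps to)
-A FORWARD -i ppp+ -o $INTERNET -j DROP
# dispatch on inbound interface: a packet enters exactly one user chain
-A INPUT -i $INTERNET -j extern
-A FORWARD -i $INTERNET -j extern
-A INPUT -i $LOCAL -j intern
-A FORWARD -i $LOCAL -j intern
-A INPUT -i ppp+ -j vpn
-A FORWARD -i ppp+ -j vpn
# extern: some ports to the fw, some through the fw to a host; no trailing DROP
-A extern -p tcp -d $FW_EXT --dport 22 -m state --state NEW -j ACCEPT
-A extern -p 50 -d $FW_EXT -j ACCEPT
-A extern -p 51 -d $FW_EXT -j ACCEPT
-A extern -p udp -d $FW_EXT --dport 500 -m state --state NEW -j ACCEPT
-A extern -p tcp -d $MAILHOST --dport 25 -m state --state NEW -j ACCEPT
# intern: most ports to the fw, some through the fw to hosts in the internet
-A intern -p tcp -d $FW_INT --dport 25 -m state --state NEW -j ACCEPT
-A intern -p udp -d $FW_INT --dport 53 -m state --state NEW -j ACCEPT
-A intern -p tcp -d $FW_INT --dport 53 -m state --state NEW -j ACCEPT
-A intern -p tcp -d $FW_INT --dport 80 -m state --state NEW -j ACCEPT
-A intern -p tcp -d $WEBHOST --dport 80 -m state --state NEW -j ACCEPT
# vpn: everything towards intranet and fw (internet was already cut above)
-A vpn -j ACCEPT
# log what the DROP policy is about to discard, rate limited
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop-fwd: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# port forward 25/tcp from the internet to the internal mail host
-A PREROUTING -i $INTERNET -p tcp --dport 25 -j DNAT --to-destination $MAILHOST
# masquerade everything leaving on the internet interface
-A POSTROUTING -o $INTERNET -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in a given user chain (used to sanity check the output).
rules_in_chain() {
  build_ruleset | grep -c "^-A $1 "
}

build_ruleset
```

Because the user chains no longer end in an unconditional DROP, the order in which INPUT jumps to them no longer matters; the dispatch rule's `-i` match decides which chain sees the packet, and the DROP policy on INPUT and FORWARD is the single "deny all". The forwarded 25/tcp rule in the extern chain matches the post-DNAT destination, since PREROUTING in the nat table runs before the filter table's FORWARD chain.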