Hi, folks

I am trying to install an iptables based firewall to protect my servers providing information to the Internet in a DMZ fashioned mode. I need some help to debug the rules I have set up. I will provide some background information:

1. The firewall is a box with two ethernet adapters. The external adapter has two valid addresses (200.x.y.z) and the internal adapter has one invalid address (172.16.a.b).
2. One DMZ machine (ip 172.16.0.5) is used to serve smtp, http, https, ftp.
3. Another DMZ machine (ip 172.16.0.2) is a bastion host, serving dns (bind) and masquerading traffic from my internal network.

As for the firewall (packet filtering) configuration I have set up a bunch of rules. Here are the outputs to the commands "iptables -nL" and "iptables -nL -t nat":

------------------------------------------------------- begin

Chain INPUT (policy DROP)
target           prot opt source               destination
bad_tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
icmp_packets     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT           all  --  0.0.0.0/0            172.16.0.1
ACCEPT           all  --  127.0.0.1            0.0.0.0/0
ACCEPT           all  --  200.x.y.2            0.0.0.0/0
ACCEPT           all  --  0.0.0.0/0            200.x.y.2            state RELATED,ESTABLISHED
LOG              all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP)
target           prot opt source               destination
bad_tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT           all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT           all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
allowed          tcp  --  0.0.0.0/0            172.16.0.5           multiport dports 20,21,25,80,443
icmp_packets     icmp --  0.0.0.0/0            172.16.0.5
allowed          tcp  --  0.0.0.0/0            172.16.0.2           tcp dpt:53
ACCEPT           udp  --  0.0.0.0/0            172.16.0.2           udp dpt:53
icmp_packets     icmp --  0.0.0.0/0            172.16.0.2
LOG              all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP)
target           prot opt source               destination
bad_tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT           all  --  127.0.0.1            0.0.0.0/0
ACCEPT           all  --  172.16.0.1           0.0.0.0/0
ACCEPT           all  --  200.x.y.2            0.0.0.0/0
LOG              all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (2 references)
target           prot opt source               destination
ACCEPT           tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
ACCEPT           tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP             tcp  --  0.0.0.0/0            0.0.0.0/0

Chain bad_tcp_packets (3 references)
target           prot opt source               destination
LOG              tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
DROP             tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW
DROP             all  --  192.168.0.0/16       0.0.0.0/0
DROP             all  --  10.0.0.0/8           0.0.0.0/0
DROP             all  --  172.16.0.0/12        0.0.0.0/0

Chain icmp_packets (3 references)
target           prot opt source               destination
ACCEPT           icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT           icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11

Chain PREROUTING (policy ACCEPT)
target           prot opt source               destination
DNAT             tcp  --  0.0.0.0/0            200.x.y.5            multiport dports 20,21,25,80,443 to:172.16.0.5
DNAT             tcp  --  0.0.0.0/0            200.x.y.2            tcp dpt:53 to:172.16.0.2
DNAT             udp  --  0.0.0.0/0            200.x.y.2            udp dpt:53 to:172.16.0.2

Chain POSTROUTING (policy ACCEPT)
target           prot opt source               destination
SNAT             all  --  172.16.0.5           0.0.0.0/0            to:200.x.y.5
SNAT             all  --  0.0.0.0/0            0.0.0.0/0            to:200.x.y.2

Chain OUTPUT (policy ACCEPT)
target           prot opt source               destination

------------------------------------------------------ end

Are these settings correct? Is there a reason why a secondary DNS server, outside my DMZ, would not be able to synchronize (initiate a zone transfer) to my firewalled Bind server?

Any comments are welcome. Thx.

________________________________________________________________
Fabricio
________________________________________________________________
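A way to answer the zone-transfer question from the listing itself, as an added example that is not part of Fabricio's post and not his firewall script: a small Python simulator that parses the `iptables -nL` layout and walks a packet through the FORWARD chain in kernel order, including the jumps into the `allowed` and `bad_tcp_packets` user chains. The rules embedded below are copied from the post (LOG rules left out, since they never terminate a walk); the secondary's address 198.51.100.10 is a constructed TEST-NET-2 value. The one assumption that matters: `iptables -nL` without `-v` does not print the in/out interface columns, so every rule is treated here as matching on any interface.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt in `iptables -nL` layout: the post's FORWARD, allowed and
# bad_tcp_packets chains minus the LOG rules. -nL shows no interface columns, so
# every rule below is treated as interface-agnostic (an assumption, see lead-in).
RULES_TEXT = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
bad_tcp_packets  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
allowed    tcp  --  0.0.0.0/0            172.16.0.5           multiport dports 20,21,25,80,443
allowed    tcp  --  0.0.0.0/0            172.16.0.2           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            172.16.0.2           udp dpt:53
Chain allowed (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0
Chain bad_tcp_packets (3 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
"""

SYN, ACK = 0x02, 0x10                       # TCP flag bits for the flags:MASK/CMP match
Rule = namedtuple("Rule", "target proto src dst match")


def parse_match(extra):
    """Extract the match extensions used in the listing from a rule's trailing text."""
    m = {}
    if mm := re.search(r"dp(?:t:|orts )([\d,]+)", extra):    # "dpt:53" or "dports 20,21"
        m["dports"] = {int(p) for p in mm.group(1).split(",")}
    if mm := re.search(r"\bstate ([A-Z,]+)", extra):
        m["state"] = set(mm.group(1).split(","))
    if mm := re.search(r"tcp flags:(!?)(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", extra):
        m["flags"] = (mm.group(1) == "!", int(mm.group(2), 16), int(mm.group(3), 16))
    return m


def parse_iptables(text):
    """Parse `iptables -nL` output into {chain: {"policy": str|None, "rules": [Rule]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if hdr:
            current = hdr.group(1)
            chains[current] = {"policy": hdr.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            target, proto, _opt, src, dst, *rest = line.split(None, 5)
            chains[current]["rules"].append(Rule(
                target, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                parse_match(rest[0] if rest else "")))
    return chains


def rule_matches(rule, pkt):
    m = rule.match
    flags_ok = True
    if "flags" in m:                            # (flags & MASK) == CMP, inverted by "!"
        negate, mask, cmp = m["flags"]
        flags_ok = ((pkt.get("flags", 0) & mask) == cmp) != negate
    return (rule.proto in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule.src
            and ipaddress.ip_address(pkt["dst"]) in rule.dst
            and ("dports" not in m or pkt.get("dport") in m["dports"])
            and ("state" not in m or pkt["state"] in m["state"])
            and flags_ok)


def walk(chains, name, pkt):
    """First terminating verdict as (target, "chain:rule-number"), in kernel order."""
    chain = chains[name]
    for idx, rule in enumerate(chain["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, f"{name}:{idx}"
        if rule.target == "RETURN":
            break
        if rule.target in chains:               # jump; a user chain may fall through
            verdict = walk(chains, rule.target, pkt)
            if verdict:
                return verdict
    if chain["policy"]:                         # built-in chain: policy decides
        return chain["policy"], f"{name}:policy"
    return None                                 # user chain: implicit RETURN to caller


def zone_transfer_verdicts():
    """The AXFR from the question as two constructed packets seen by FORWARD after DNAT."""
    chains = parse_iptables(RULES_TEXT)
    syn_in = {"proto": "tcp", "src": "198.51.100.10", "dst": "172.16.0.2",
              "dport": 53, "state": "NEW", "flags": SYN}
    synack_back = {"proto": "tcp", "src": "172.16.0.2", "dst": "198.51.100.10",
                   "dport": 40000, "state": "ESTABLISHED", "flags": SYN | ACK}
    return walk(chains, "FORWARD", syn_in), walk(chains, "FORWARD", synack_back)
```

Run as printed, the walk ends the secondary's SYN at the second FORWARD rule (an `ACCEPT all` with no match text, so the `allowed` chain for 172.16.0.2 is never reached) and ends the bastion's SYN/ACK reply at the last `bad_tcp_packets` rule, the anti-spoofing drop for 172.16.0.0/12, which in FORWARD also sees the DMZ hosts' own legitimate traffic. Whether those two rules really have no interface restriction cannot be read from `-nL`: `iptables -nvL` prints the in/out columns and `iptables-save` dumps each rule with every option it was created with, and either output is what a reviewer needs before trusting the simulated verdicts.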