When writing rules for multiple sequenced firewalls, does the source IP of the client need to be modified at each firewall?

Dear Experts,

Suppose I have two firewalls in the network and suppose the network
consisted of the following:

Internet -- gwFirewall -- tier2firewall -- sshServer

gwFirewall has two interfaces:
eth0 = Internet facing (IP address 1.2.3.4)
eth1 = Internal facing (IP address 192.168.1.1)

tier2firewall has two interfaces:
eth2 = gwFirewall facing (IP address 192.168.1.4)
eth3 = deep internal facing (IP address 192.168.2.1)

sshServer = IP address 192.168.2.2, Port 22

Now suppose the two firewalls were typical SOHO boxes like the
Linksys WRT54G running dd-wrt, so they handle my Netfilter firewall
rules and NAT etc.
Or the firewalls could be any PCs converted to netfilter firewalls
(filter, nat and mangle enabled).

My question is, when writing rules to permit Internet access to a
system deep in the network, do you keep the original source IP address
of the internet client in your firewall rules for each firewall in the
path?

That is, if an Internet client (source IP address 94.108.94.75) needs
to access an ssh server (destination IP address 192.168.2.2) across two
firewalls, how should the inbound rules look?


Scenario 1)

On the gwFirewall you permit the Internet client access to
tier2Firewall on the IP address of eth2 and from there, tier2Firewall
will permit that same client IP to the ssh server.

For example:

# on gwFirewall: Internet client -> tier2Firewall's eth2 address
# (--dport only works together with a protocol match, hence -p tcp)
iptables -A FORWARD -i eth0 -p tcp -s 94.108.94.75 -d 192.168.1.4 --dport 22 -j ACCEPT
# on tier2Firewall: the same client address -> sshServer
iptables -A FORWARD -i eth2 -p tcp -s 94.108.94.75 -d 192.168.2.2 --dport 22 -j ACCEPT

Scenario 2)

On the gwFirewall you permit the Internet client access to
tier2Firewall on the IP address of eth2 and from there, tier2Firewall
will permit the *gwFirewall* internal IP to the ssh server. Because of
NAT etc. I wonder whether the source IP addresses will be changed.

For example

# on gwFirewall: Internet client -> tier2Firewall's eth2 address
iptables -A FORWARD -i eth0 -p tcp -s 94.108.94.75 -d 192.168.1.4 --dport 22 -j ACCEPT
# on tier2Firewall: gwFirewall's internal (eth1) address -> sshServer
iptables -A FORWARD -i eth2 -p tcp -s 192.168.1.1 -d 192.168.2.2 --dport 22 -j ACCEPT

I presume Scenario 1 above is correct and the original source IP
address of the requesting Internet client is carried through the chain of
firewalls towards the destination.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
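
The question above, worked through as an added example (this is not code from the original post, from dd-wrt or from netfilter): a small Python model of the chain order a forwarded TCP SYN sees on each box, nat PREROUTING (DNAT), then filter FORWARD, then nat POSTROUTING (SNAT/MASQUERADE). The addresses are the ones from the thread; the DNAT and FORWARD rule sets for both firewalls are hypothetical, and the switch `masquerade_internal` adds the one rule that would actually change what tier2firewall sees, a MASQUERADE on gwFirewall's eth1. Conntrack, the mangle table and INPUT/OUTPUT are left out, so this is only the first packet of the connection.

```python
"""Model of a TCP SYN from an Internet client crossing two netfilter firewalls.

Added example, not code from the original post. Chains are evaluated in the
order netfilter uses for forwarded traffic:
nat PREROUTING (DNAT) -> routing -> filter FORWARD -> nat POSTROUTING.
Addresses follow the thread's topology; the rule sets are hypothetical.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

CLIENT = "94.108.94.75"                   # Internet client from the thread
GW_WAN, GW_LAN = "1.2.3.4", "192.168.1.1"  # gwFirewall eth0 / eth1
T2_UP, SSH_SERVER = "192.168.1.4", "192.168.2.2"  # tier2 eth2 / sshServer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: Optional[str] = None          # set by the routing decision


@dataclass(frozen=True)
class Rule:
    """One iptables rule: match fields (None = wildcard) plus a target."""
    target: str                           # ACCEPT, DROP, DNAT, SNAT, MASQUERADE
    in_if: Optional[str] = None           # -i
    out_if: Optional[str] = None          # -o
    src: Optional[str] = None             # -s
    dst: Optional[str] = None             # -d
    dport: Optional[int] = None           # -p tcp --dport
    to: Optional[str] = None              # --to-destination / --to-source

    def matches(self, p: Packet) -> bool:
        pairs = ((self.in_if, p.in_if), (self.out_if, p.out_if),
                 (self.src, p.src), (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)


def first_match(chain: List[Rule], p: Packet) -> Optional[Rule]:
    return next((r for r in chain if r.matches(p)), None)


@dataclass
class Firewall:
    name: str
    egress_if: str                        # interface the route to sshServer uses
    egress_addr: str                      # its address (what MASQUERADE writes)
    prerouting: List[Rule]
    forward: List[Rule]
    postrouting: List[Rule]
    forward_policy: str = "DROP"          # default policy of the FORWARD chain

    def process(self, p: Packet) -> Tuple[Optional[Packet], str]:
        # nat PREROUTING: DNAT rewrites dst before routing and filtering,
        # so FORWARD rules match the *translated* destination
        r = first_match(self.prerouting, p)
        if r is not None and r.target == "DNAT":
            p = replace(p, dst=r.to)
        p = replace(p, out_if=self.egress_if)          # routing decision
        # filter FORWARD: first matching rule wins, otherwise chain policy
        r = first_match(self.forward, p)
        verdict = r.target if r is not None else self.forward_policy
        if verdict != "ACCEPT":
            return None, f"{self.name}: FORWARD {verdict} src={p.src} dst={p.dst}"
        # nat POSTROUTING: SNAT/MASQUERADE rewrite src as the packet leaves
        r = first_match(self.postrouting, p)
        if r is not None and r.target == "SNAT":
            p = replace(p, src=r.to)
        elif r is not None and r.target == "MASQUERADE":
            p = replace(p, src=self.egress_addr)
        return p, f"{self.name}: forwarded src={p.src} dst={p.dst} via {p.out_if}"


def build_path(masquerade_internal: bool, tier2_expects: str):
    """gwFirewall DNATs port 22 to tier2's eth2; tier2 DNATs it on to sshServer.
    masquerade_internal adds 'MASQUERADE -o eth1' on gwFirewall (hypothetical);
    tier2_expects is the -s address tier2's FORWARD rule permits."""
    gw = Firewall(
        "gwFirewall", egress_if="eth1", egress_addr=GW_LAN,
        prerouting=[Rule("DNAT", in_if="eth0", dst=GW_WAN, dport=22, to=T2_UP)],
        forward=[Rule("ACCEPT", in_if="eth0", src=CLIENT, dst=T2_UP, dport=22)],
        postrouting=[Rule("MASQUERADE", out_if="eth1")] if masquerade_internal else [])
    tier2 = Firewall(
        "tier2firewall", egress_if="eth3", egress_addr="192.168.2.1",
        prerouting=[Rule("DNAT", in_if="eth2", dst=T2_UP, dport=22, to=SSH_SERVER)],
        forward=[Rule("ACCEPT", in_if="eth2", src=tier2_expects, dst=SSH_SERVER, dport=22)],
        postrouting=[])
    return gw, tier2


def trace(masquerade_internal: bool, tier2_expects: str):
    """Return (packet delivered to sshServer or None, per-hop log lines)."""
    gw, tier2 = build_path(masquerade_internal, tier2_expects)
    p = Packet(src=CLIENT, dst=GW_WAN, dport=22, in_if="eth0")  # constructed SYN
    p, msg = gw.process(p)
    log = [msg]
    if p is None:
        return None, log
    p = replace(p, in_if="eth2", out_if=None)       # arrives on tier2's eth2
    p, msg = tier2.process(p)
    log.append(msg)
    return p, log


if __name__ == "__main__":
    for masq, expects in ((False, CLIENT), (False, GW_LAN), (True, CLIENT), (True, GW_LAN)):
        pkt, log = trace(masq, expects)
        print(f"MASQUERADE on eth1={masq}, tier2 permits -s {expects}: "
              f"{'delivered' if pkt else 'dropped'}")
        for line in log:
            print("   ", line)
```

Running it shows the four combinations: with no source NAT on gwFirewall's eth1 the packet arrives at tier2firewall with src 94.108.94.75 and only the Scenario 1 rule (`-s 94.108.94.75`) accepts it; once a MASQUERADE is applied on eth1 the source becomes 192.168.1.1 and only the Scenario 2 rule accepts it. The usual MASQUERADE on a SOHO gateway is bound to the WAN interface (`-o eth0` in this topology), which does not touch traffic leaving eth1, so in the setup described the client's address survives and Scenario 1 is the right shape. Two practical points the model also makes visible: FORWARD rules on a box doing DNAT must match the post-DNAT destination (192.168.1.4 on gwFirewall, 192.168.2.2 on tier2firewall), and `--dport` needs `-p tcp` to be accepted by iptables at all; the reply packets additionally need an `ESTABLISHED,RELATED` conntrack rule, which this first-packet model does not cover.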
