Mailinglist Archive: opensuse-security (670 mails)

RE: [suse-security] Reverse masquerade one IP ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 14 Nov 2001 08:57:59 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C06@xxxxxxxxxxxxxxxxx>
> I have since opted to not use SNAT or MASQUERADE, but to only allow access
> to the net via a proxy.
>
Good (IMHO).

> > > My firewall script also contains these rules to log any packets that
> > > reach the end of the chain:
> > >
> [snip]
> > > # log any packets that reach the end
> > > $IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
> > > $IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
> > > $IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
> > > $IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
> > > $IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
> > > $IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
> > > $IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
> > > $IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
> > > $IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
>
You may want to add additional logging rules with no qualifiers but the
chain names themselves, as a final safety net, sort of.

> > > Any ideas?
> > >
> > Is the DNS lookup of mail.knowledgefactory.co.za successful?
>
> Yes, it resolves to and tries to contact 196.38.2.132
>
See my other mail on other points of interest. Can you see its attempts to
contact 196.38.2.132 when tcpdumping on the different interfaces of the
firewall?

> > > I don't want to setup pop3 and smtp proxies on my firewall ...
> > >
> > You should consider setting those up in your DMZ, though, really.
>
> The proxy or the servers (smtp, pop3)?
>
Heh heh, the (get this) proxy servers. :-)

Cheers,
Tobias
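The "final safety net" Tobias suggests, written out as an added example (this is not the original poster's firewall script and not part of the mail): the per-interface LOG rules from the thread are appended to each built-in chain, followed by an unqualified LOG rule that catches whatever the interface matches missed, such as traffic on an interface the script does not know about, loopback traffic in OUTPUT, or a mistyped interface variable. The interface names eth0/eth1/eth2 are assumptions, the chains are assumed to have a DROP policy (which is what makes "reach the end of the chain" mean "dropped"), and IPTABLES defaults to a dry run that only prints the commands, so the script can be read and tested without root; set IPTABLES=/usr/sbin/iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example, not the firewall script from the mail.
# Dry run by default: IPTABLES="echo iptables" prints the rules instead of
# loading them. Override with IPTABLES=/usr/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE_INT="${IFACE_INT:-eth1}"    # assumed: internal LAN interface
IFACE_DMZ="${IFACE_DMZ:-eth2}"    # assumed: DMZ interface
IFACE_INET="${IFACE_INET:-eth0}"  # assumed: Internet-facing interface

# log_tail CHAIN
# Appends, to CHAIN, one LOG rule per known interface and then one LOG rule
# with no interface qualifier at all. The unqualified rule is the safety net:
# anything that did not match an interface above is still logged before the
# chain's (assumed) DROP policy discards it.
log_tail() {
    chain="$1"
    # INPUT and FORWARD are matched on the incoming interface (-i),
    # OUTPUT on the outgoing one (-o), exactly as in the original rules.
    case "$chain" in
        OUTPUT) flag="-o" ;;
        *)      flag="-i" ;;
    esac
    for pair in "$IFACE_INT:INTERNAL" "$IFACE_DMZ:DMZ" "$IFACE_INET:INET"; do
        iface="${pair%%:*}"
        label="${pair##*:}"
        $IPTABLES -A "$chain" "$flag" "$iface" -j LOG \
            --log-prefix "DROP $chain $label: "
    done
    # Safety net: no -i/-o, so it matches every packet that got this far.
    # A non-zero packet counter on this rule means something bypassed the
    # interface-qualified logging above and deserves a look.
    $IPTABLES -A "$chain" -j LOG --log-prefix "DROP $chain UNMATCHED: "
}

# all_log_tails
# Emits the logging tail for all three built-in chains of the filter table.
all_log_tails() {
    for chain in INPUT FORWARD OUTPUT; do
        log_tail "$chain"
    done
}

all_log_tails
```

After loading the rules for real, `iptables -L INPUT -n -v --line-numbers` (and likewise for FORWARD and OUTPUT) should show the UNMATCHED rule as the last entry of each chain; its pkts/bytes counters tell you at a glance whether any traffic is slipping past the interface-qualified rules. For the connectivity question in the thread, the same counters, together with `tcpdump -ni eth0 host 196.38.2.132` on each interface in turn, show on which side of the firewall the attempts to reach the mail host stop.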

