Mailinglist Archive: opensuse-security (670 mails)
Re: [suse-security] Network setup (howto configure iptables) ...
- From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Nov 2001 08:28:20 +0200
- Message-id: <3BF20F03.EA54BB84@xxxxxxxxxxxxxxxxxxxxxx>
Hi
Thanks for the response and advice.
"Reckhard, Tobias" wrote:
> Have you been doing your homework? Check out http://netfilter.samba.org
>
I have read all the docs there, compiled my own firewall script (several times)
and it is now 250 lines (with comments).
>
> > I'm trying to set up my network as follows:
> >
> > +----------------+
> > | Internet |
> > +-------+--------+
> > |
> > +-------+--------+
> > | | DMZ +----------------+
> > | Firewall +-----+ 192.168.1.0/24 |
> > | | +----------------+
> > +-------+--------+
> > |
> > +-------+--------+
> > | 10.0.0.0/24 | <- Internal network
> > +-------+--------+
> > |
> > +-------+--------+
> > | LAN Users |
> > +----------------+
> >
> > Here's the situation:
> >
> > In the DMZ there are web servers that need to be browsed from the
> > internet for ftp, http, tomcat (21,80,8080)
> >
> You need to configure destination NAT to do that. See
> http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-6.html
> For the FTP control channel, HTTP and TCP 8080 you need:
>
> iptables -t nat -A PREROUTING -p tcp --dport 21 -i <outside interface> -j
> DNAT --to 192.168.1.<FTP>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i <outside interface> -j
> DNAT --to 192.168.1.<HTTP>
> iptables -t nat -A PREROUTING -p tcp --dport 8080 -i <outside interface> -j
> DNAT --to 192.168.1.<Tomcat>
>
Done.
>
> You need to load the ip_nat_ftp.o module, which should automagically take
> care of the FTP data channels.
>
Done.
>
> Furthermore, you need to set up forwarding and perhaps postrouting rules to
> allow (at least) the above (and block anything you don't allow). Note that
> you'll need to allow for some other traffic as well, such as DNS and some
> ICMP, unless you want to take your network down. Don't open up the filter
> too much, though. Hey, who ever said that firewalling was easy?
>
Uhuh, the POSTROUTING is what was missing. The web servers and ftp were trying
to reply directly to the clients, instead of via the firewall.
>
> > In the Internal Network there is a mail server with a private ip of
> > 10.0.0.3 that needs to accept pop3 and smtp from the internet and send
> > smtp to the internet.
> >
> Ugh.. Why not put a mail-relay host into the DMZ, if you've got one already?
>
Umm... do I need a smtp and pop3 'proxy' on the firewall to do that?
>
> > The internal network must be able to browse, ftp via a transparent proxy
> > on the firewall.
> >
> Ugh, why make the proxy transparent? I have a definite dislike for any
> attempts at transparent proxying, they're bound to fail, since only 95% of
> the web sites out there listen on port 80. That's no problem with an
> explicit proxy, but muchos problemas with a transparent one.
>
The transparent proxy is just a convenience for the (l)users who don't know what
a proxy is. Most users will be configured with fixed proxy settings or via a
proxy config script from a web server.
>
> > The internal network must be able to browse, ftp to the DMZ.
> > The DMZ needs to send smtp to the mail server on the internal network.
> >
> See the links above to learn how to write iptables rules.
>
> > Can someone tell me what rules I should define to set all this up. I
> > have tried several things and I haven't ironed out all the crinkles yet.
> > I haven't managed to get the mail part working.
> >
> Well, what's the specific problem?
>
I have issues when the mail server tries to send out smtp messages (maybe due to
the DNAT / SNAT stuff above)
I also have issues with the POP3 clients' authentication with the mail server.
>
> Cheers,
> Tobias
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
Thanks
Ray
--
----------------------------------------------------------------------
Raymond Leach
Cell:+27-82-416-1410 Tel:+27-11-444-5006 Fax:+27-11-444-5007
eMail:raymondl@xxxxxxxxxxxxxxxxxxxxxx
www:http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
----------------------------------------------------------------------
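As an added example, not code from either poster: a complete, default-deny iptables rule set for the three-legged topology discussed in this thread, written as a POSIX sh script. It covers the DNAT rules Tobias gave for the DMZ services, the SNAT in POSTROUTING that Ray found missing, FORWARD rules that allow only the flows listed in the original post (Internet to DMZ on 21/80/8080, Internet to the 10.0.0.3 mail server on 25/110, mail server out on 25, DMZ to the mail server on 25 only, LAN to DMZ, plus DNS and the few ICMP types needed), and the INPUT rules for a proxy running on the firewall itself. The interface names (eth0/eth1/eth2), the public address 203.0.113.10, the DMZ host addresses and the proxy port 3128 are assumed placeholders; 10.0.0.3 is from the thread. Run it as `sh fw.sh dry-run` to print the rules without applying them.

```shell
#!/bin/sh
# Added example for the topology in this thread. Interface names, the public
# address, the DMZ host addresses and the proxy port are ASSUMED placeholders.
IPT="${IPT:-iptables}"      # set IPT=echo to print rules instead of applying them

WAN=eth0                    # assumed: outside interface
DMZ=eth1                    # assumed: 192.168.1.0/24
LAN=eth2                    # assumed: 10.0.0.0/24
PUBLIC_IP=203.0.113.10      # assumed placeholder (documentation range)
FTP_HOST=192.168.1.21       # assumed placeholder for 192.168.1.<FTP>
HTTP_HOST=192.168.1.80      # assumed placeholder for 192.168.1.<HTTP>
TOMCAT_HOST=192.168.1.88    # assumed placeholder for 192.168.1.<Tomcat>
MAIL_HOST=10.0.0.3          # mail server from the original post
PROXY_PORT=3128             # assumed: proxy listening on the firewall

flush_all() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Default deny for anything the firewall receives or forwards.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}

nat_rules() {
    # Publish the DMZ services: rewrite the destination before routing.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 21   -j DNAT --to-destination "$FTP_HOST"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80   -j DNAT --to-destination "$HTTP_HOST"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 8080 -j DNAT --to-destination "$TOMCAT_HOST"
    # Mail server on the internal network: SMTP and POP3 from the Internet.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 25   -j DNAT --to-destination "$MAIL_HOST"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 110  -j DNAT --to-destination "$MAIL_HOST"
    # Optional transparent proxy for LAN clients: catches only port 80, and
    # leaves direct browsing of the DMZ alone.
    $IPT -t nat -A PREROUTING -i "$LAN" ! -d 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # Everything leaving for the Internet gets the public source address, so
    # replies come back through the firewall and conntrack can undo the DNAT.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$PUBLIC_IP"
}

forward_rules() {
    # Replies and related flows (FTP data channels, tracked by the ftp
    # conntrack/nat helpers) are accepted here; the rules below only have to
    # admit the first packet of each permitted connection.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Internet -> DMZ, only to the published services.
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$FTP_HOST"    -p tcp --dport 21   -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$HTTP_HOST"   -p tcp --dport 80   -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$TOMCAT_HOST" -p tcp --dport 8080 -j ACCEPT
    # Internet -> mail server (SMTP, POP3) and mail server -> Internet (SMTP).
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$MAIL_HOST" -p tcp --dport 25  -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$MAIL_HOST" -p tcp --dport 110 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$MAIL_HOST" -p tcp --dport 25  -j ACCEPT
    # DMZ -> internal network: SMTP to the mail server and nothing else.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -d "$MAIL_HOST" -p tcp --dport 25 -j ACCEPT
    # LAN -> DMZ: ftp, http, tomcat.
    for port in 21 80 8080; do
        $IPT -A FORWARD -i "$LAN" -o "$DMZ" -p tcp --dport "$port" -j ACCEPT
    done
    # DNS from both inside networks, plus the ICMP that keeps connections sane.
    for inside in "$DMZ" "$LAN"; do
        $IPT -A FORWARD -i "$inside" -o "$WAN" -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -i "$inside" -o "$WAN" -p tcp --dport 53 -j ACCEPT
    done
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        $IPT -A FORWARD -p icmp --icmp-type "$t" -j ACCEPT
    done
}

input_rules() {
    # Traffic to the firewall itself: the proxy (INPUT, not FORWARD) and
    # administration from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

apply_rules() { flush_all; nat_rules; forward_rules; input_rules; }

# Print the rule set, one command line per rule, without touching the kernel.
dry_run() { ( IPT=echo; apply_rules ); }

case "${1:-}" in
    apply)   modprobe ip_conntrack_ftp; modprobe ip_nat_ftp; apply_rules ;;  # nf_conntrack_ftp/nf_nat_ftp on current kernels
    dry-run) dry_run ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

The FORWARD chain is the part worth reading twice: the DMZ can open exactly one kind of connection into the internal network (SMTP to 10.0.0.3), so a compromised web host does not get a free path to the LAN, and the mail server's outbound SMTP works only because the SNAT rule gives its packets a public source address on the way out.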