Re: [suse-security] iptables question
I have a dmz firewall setup that connects 2 private networks with the public Internet (net1 and net2).
I don't seem to be able to get my configuration to the point where a machine in net1 can connect to another machine in net1 through its public IP address. Example:

dmz router: 10.1.1.1
mail server: 10.1.1.20
http server: 10.1.1.30

I would like to enable the http server to go to the mail server through the public IP address of the mail server rather than being limited to going straight to 10.1.1.20.
All machines have 10.1.1.1 as their default gateway and NAT for mail connections from the outside works. I don't see any packets being dropped on the firewall since I allowed port 25 connections from the inside of the firewall as well.
GentooRulez wrote:
The problem is not iptables, but the routing. A short excursion.
The subnet mask associated with an IP address determines whether another IP should be reachable via the standard gateway or directly through a certain NIC.
For example (only 1 NIC in your box)
192.168.1.0/24 means a subnet mask of 255.255.255.0, so if the routing part of your kernel has to reach 192.168.2.1 it does the following:
own IP AND 255.255.255.0 = 192.168.1
other IP AND 255.255.255.0 = 192.168.2
if the results differ the routing routine decides to take the standard gateway.
To be more precise: according to the above description, no box in your 10.1.1.1/8 network will be routed through your standard gateway. For example, 10.1.1.30 wants to reach the mail server:
10.1.1.20 AND 255.0.0.0 = 10.0.0.0
10.1.1.30 AND 255.0.0.0 = 10.0.0.0
The results DON'T differ, so the kernel will send the packets directly.
Solution:
add extra routes, e.g. for the mail server (a host route; a /8 netmask on a single host address is rejected by route):
route add -host 10.1.1.20 gw your.ext.ip.addr
Michael,

Thanks for the info. I am not quite sure if I understand your answer correctly:

Say my network is 10.0.0.0/24. On machine 10.0.0.20 I try to establish a connection to world.ip.addr.mailserver. Then the kernel on 10.0.0.20 should route this connection through the default gateway, which happens to be the dmz router. So I would expect my packets to go to the dmz router and get lost there. NAT is set up on that machine and it routes all packets to the smtp port to the mail server:

iptables -t nat -A PREROUTING -p tcp -d $MailIP --dport 25 -j DNAT --to-destination $dmzMailIP
iptables -t nat -A POSTROUTING -s $dmzMailIP -p tcp --sport 25 -o $extIF -j SNAT --to-source $MailIP

Now I see my problem - it sends the response out the external interface and not back through the dmz interface :) I still don't know how to fix this though. Your suggestion of specifying routes to certain world addresses would work - but I would prefer configuring everything through the dmz router for maintenance reasons.
BTW: Why do you want to do so - for logging purposes?
I would like to create an environment that allows HTML and server-side code to work the same, no matter if it is visited by an outside person or by a developer who gets to the dmz from an internal network. The internal network is connected through a firewall that connects straight into the dmz.

--
Ferdinand Schmid
Architectural Energy Corporation
Celebrating 20 Years of Improving Building Energy Performance
http://www.archenergy.com
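Added example by the editor, not code from either poster: a small Python model of the path discussed above. It applies the netmask check from Michael's explanation at every hop and models the firewall's nat table: the DNAT rule Ferdinand posted, conntrack's automatic reversal of NAT on replies, and an optional hairpin SNAT rule that is an addition here, not something either poster proposed. With DNAT alone the mail server's SYN/ACK is addressed to 10.1.1.30, which is on-link, so it crosses the DMZ segment directly and never reaches the firewall; the http server receives a reply from 10.1.1.20, an address it never connected to, and drops it. With the hairpin rule the reply is addressed to 10.1.1.1, the firewall un-NATs it, and the client sees the public address it expects. The public address 203.0.113.25 and the choice to match only DMZ-sourced clients are assumptions.

```python
"""Model of a DNAT'd connection from inside the DMZ to the DMZ mail server's
public address, with and without a hairpin SNAT rule on the dmz router.

Added example, not code from the original posts.  Hosts follow the thread
(router 10.1.1.1, mail 10.1.1.20, http 10.1.1.30 in 10.1.1.0/24); the
public address 203.0.113.25 is an assumption from the RFC 5737 range.
"""
import ipaddress

DMZ_NET = "10.1.1.0/24"
DMZ_ROUTER = "10.1.1.1"       # dmz router / firewall, default gateway of DMZ hosts
MAIL_SERVER = "10.1.1.20"
HTTP_SERVER = "10.1.1.30"
MAIL_PUBLIC = "203.0.113.25"  # assumed public address, DNAT'd to MAIL_SERVER:25


def next_hop(own_ip, network, gateway, dst):
    """Routing decision as described in the thread: AND own and destination
    address with the netmask; equal results mean the destination is on-link
    and is sent to directly, otherwise the packet goes to the gateway."""
    mask = int(ipaddress.ip_network(network).netmask)
    own = int(ipaddress.ip_address(own_ip))
    other = int(ipaddress.ip_address(dst))
    return dst if own & mask == other & mask else gateway


class NatFirewall:
    """Minimal nat table: PREROUTING DNAT, optional POSTROUTING hairpin SNAT,
    and a conntrack table that reverses both translations on replies."""

    def __init__(self, hairpin):
        self.hairpin = hairpin
        # (translated src, translated dst) -> (original src, original dst)
        self.conntrack = {}

    def forward(self, src, dst):
        """Return the (src, dst) the firewall emits for an incoming packet."""
        # Reply to a tracked connection: conntrack undoes the NAT by itself.
        if (dst, src) in self.conntrack:
            orig_src, orig_dst = self.conntrack[(dst, src)]
            return orig_dst, orig_src
        new_src, new_dst = src, dst
        # Rule from the thread:
        # iptables -t nat -A PREROUTING -p tcp -d $MailIP --dport 25 \
        #     -j DNAT --to-destination 10.1.1.20
        if dst == MAIL_PUBLIC:
            new_dst = MAIL_SERVER
        # Hairpin rule (editor's addition), only for clients on the DMZ segment:
        # iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.20 \
        #     -p tcp --dport 25 -j SNAT --to-source 10.1.1.1
        in_dmz = ipaddress.ip_address(src) in ipaddress.ip_network(DMZ_NET)
        if self.hairpin and in_dmz and new_dst == MAIL_SERVER:
            new_src = DMZ_ROUTER
        self.conntrack[(new_src, new_dst)] = (src, dst)
        return new_src, new_dst


def simulate(hairpin):
    """Trace one SYN from the http server to MAIL_PUBLIC:25 and its SYN/ACK.
    Returns (client_accepts_reply, trace_lines)."""
    fw = NatFirewall(hairpin)
    trace = []

    # 1. The public address is off-link for 10.1.1.30, so the SYN goes to
    #    the default gateway, i.e. the firewall.
    hop = next_hop(HTTP_SERVER, DMZ_NET, DMZ_ROUTER, MAIL_PUBLIC)
    trace.append(f"SYN {HTTP_SERVER} -> {MAIL_PUBLIC}, next hop {hop}")
    src, dst = fw.forward(HTTP_SERVER, MAIL_PUBLIC)
    trace.append(f"firewall emits {src} -> {dst} onto the DMZ")

    # 2. The mail server answers the source address it saw.  Without hairpin
    #    that is 10.1.1.30, which is on-link: the SYN/ACK goes straight
    #    across the DMZ segment and never touches the firewall.
    hop = next_hop(MAIL_SERVER, DMZ_NET, DMZ_ROUTER, src)
    if hop == DMZ_ROUTER:
        rsrc, rdst = fw.forward(MAIL_SERVER, src)
        trace.append(f"SYN/ACK via firewall, un-NATed to {rsrc} -> {rdst}")
    else:
        rsrc, rdst = MAIL_SERVER, src
        trace.append(f"SYN/ACK {rsrc} -> {rdst} sent directly, firewall bypassed")

    # 3. The client's TCP state is keyed on MAIL_PUBLIC:25; a SYN/ACK from
    #    10.1.1.20 matches no connection and is discarded.
    accepted = rdst == HTTP_SERVER and rsrc == MAIL_PUBLIC
    trace.append("client accepts reply" if accepted
                 else "client drops reply: unexpected source address")
    return accepted, trace


if __name__ == "__main__":
    for hairpin in (False, True):
        ok, lines = simulate(hairpin)
        print(f"hairpin SNAT {'on' if hairpin else 'off'}: {'works' if ok else 'fails'}")
        for line in lines:
            print("  " + line)
```

The rule the model adds, `iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.20 -p tcp --dport 25 -j SNAT --to-source 10.1.1.1`, lives on the dmz router next to the existing DNAT, so everything stays configured in one place as Ferdinand wants, and the routes Michael suggests on each DMZ host are not needed. The cost is that the mail server then sees 10.1.1.1 as the client for every hairpinned connection, which hides the real DMZ host from its logs and from any address-based access control; if that matters, split-horizon DNS that resolves the mail server's name to 10.1.1.20 for DMZ hosts avoids the NAT entirely.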
participants (2)
- Ferdinand Schmid
- GentooRulez