Port forwarding problem
Hi list members,

I have a firewall problem I have resigned on. I hope there's someone out there who can help me and explain what's wrong.

First of all our network looks like this:

Internet
  |
  |
Firewall (eth0) NAT for LAN
  |
  |-- DMZ (eth1)
  |     |
  |     |-- HostInDMZ (IP_DMZHOST)
  |
  |-- LAN (eth2)
        |
        |-- HostInLAN (IP_LAN)

Firewall is SuSE 7.3, kernel 2.4.16, iptables 1.2.2.60. HostInLAN is W2K Server, IIS 5.

What I try to do is to port forward all requests on host IP_DMZHOST port PORTFW to host IP_LAN port 80, meaning forward all requests on a special port to the internal IIS. Pretty simple and done a thousand times I guess. I already do the same for forwarding requests on another port to ssh on another host. But when setting up port forwarding like given below with PORTFW anything else than 80, nothing works. All other necessary rules are in place too, e.g. allow any access from any host/port to IP_DMZHOST:PORTFW etc.

iptables -A PREROUTING -t nat -p tcp -s 0.0.0.0/0 -d IP_DMZHOST --dport PORTFW -j DNAT --to-destination IP_LAN:80

Any special feature of IIS? I don't see any reason why port forwarding from port != 80 is different to port = 80.

Of course this works for pure Internet connections only, like CallByCall provides. Due to general NAT of all LAN traffic this doesn't work for "firewalled" or "proxied" connections. Therefore I put the following rule in place which should SNAT the specific traffic coming from IIS.

iptables -I POSTROUTING -t nat -s IP_LAN -d ! 10.0.0.0/8 -j SNAT --to-source IP_DMZHOST

I need the "-d ! 10.0.0.0/8" option because of our IPSec VPN. But after applying this rule nothing works. In my opinion there must be a general "design" mistake I have made. But I don't know which.

Thx, Oliver
Hi all,

I've made one of those web security scans and the result was pretty good in general, except for one point:

Vulnerability 3 (of max 5) for "Global User List"

It seems it can obtain my user list, and it shows some system users that are created by default like gdm, irc, mail, news, etc. The only service/port I keep public is 53/udp and 80/tcp, all the rest is dropped by the firewall.

How can I avoid this situation?

Thanks,
Pedro Marques pedromarques@seara.com
The most plausible suggestion is that you have a misconfigured Apache server (eg. it allows a request of the form http://your.site/../../../etc/passwd or such), or a badly written cgi script that lists whatever files on the system. Check your web logs. On Mon, 3 Mar 2003, Pedro Marques wrote:
Hi all, I've made one of those web security scans and the result was pretty good in general, except for one point:
Vulnerability 3 (of max 5) for "Global User List" It seems it can obtain my user list, and it shows some system users that are created by default like gdm, irc, mail, news, etc.
The only service/port I keep public is 53/udp and 80/tcp, all the rest is dropped by the firewall.
How can I avoid this situation?
Thanks, Pedro Marques pedromarques@seara.com
I've found it in the logs. The method used was checking some urls looking for user accounts. Something like:

http://domain/~gdm - it'll give a 403 error
http://domain/~joe - it'll give a 404 error

Pedro Marques pedromarques@seara.com

----- Original Message -----
From: "Razvan Cosma" <razvan.cosma@catv.telemach.ro>
To: <suse-security@suse.com>
Sent: Monday, March 03, 2003 5:31 PM
Subject: Re: [suse-security] Global User List
The most plausible suggestion is that you have a misconfigured Apache server (eg. it allows a request of the form http://your.site/../../../etc/passwd or such), or a badly written cgi script that lists whatever files on the system. Check your web logs.
Hi Pedro, can you tell me please, which web security scanner did you try? Thanks, Thorsten.
I've found it in the logs. The method used was checking some urls looking for user accounts. Something like:

http://domain/~gdm - it'll give a 403 error
http://domain/~joe - it'll give a 404 error
Pedro Marques
Hi, here's the url: https://www.qualys.com/

Pedro

----- Original Message -----
From: "Thorsten D. Marsen" <t.d.marsen@web.de>
To: <suse-security@suse.com>
Sent: Monday, March 03, 2003 7:46 PM
Subject: Re: [suse-security] Global User List
Hi Pedro, can you tell me please, which web security scanner did you try?
Thanks, Thorsten.
On Mon, 3 Mar 2003, Pedro Marques wrote:
I've found it in the logs. The method used was checking some urls looking for user accounts. Something like:

http://domain/~gdm - it'll give a 403 error
http://domain/~joe - it'll give a 404 error
The webserver has user directories enabled and the scanner tries some short names. That's all.

--
BINGO: innovative solutions --- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig / A6410 Telfs Untermarkt 9 / Tel. ++43-5262-64727 ----+
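As an added example (not something posted to the list), this shell snippet looks for the ~user probing Engelbert describes in an Apache access log: per client it counts how many short names were tried and how many answered 403 instead of 404. The log lines are constructed; point LOG at the real access_log to run it against a server.

```shell
#!/bin/sh
# Added example, not from the thread. The log below is constructed sample data
# in Apache combined format; set LOG to a real access_log to analyse that instead.
LOG="${LOG:-/tmp/userdir_probe_sample.log}"
cat > "$LOG" <<'EOF'
198.51.100.7 - - [03/Mar/2003:17:02:11 +0100] "GET /~gdm HTTP/1.0" 403 289
198.51.100.7 - - [03/Mar/2003:17:02:11 +0100] "GET /~joe HTTP/1.0" 404 276
198.51.100.7 - - [03/Mar/2003:17:02:12 +0100] "GET /~mail HTTP/1.0" 403 289
198.51.100.7 - - [03/Mar/2003:17:02:12 +0100] "GET /~news HTTP/1.0" 403 289
198.51.100.7 - - [03/Mar/2003:17:02:13 +0100] "GET /~bob HTTP/1.0" 404 276
203.0.113.5 - - [03/Mar/2003:17:05:40 +0100] "GET /index.html HTTP/1.0" 200 1842
EOF

# One line per client that requested /~<name> URLs: how many distinct names it
# tried and how many came back 403 (account exists, directory not readable).
# Several short names with a 403/404 split from one client is the enumeration
# signature Pedro saw in his logs.
userdir_probes() {
    awk '$7 ~ "^/~[^/]+" {
            names[$1 "\t" $7]++
            if ($9 == 403) exists[$1]++
            tried[$1]++
        }
        END {
            for (k in names) { split(k, p, "\t"); distinct[p[1]]++ }
            for (ip in tried) printf "%s tried=%d exists=%d\n", ip, distinct[ip], exists[ip]+0
        }' "$LOG"
}

# Helpers: number of names one client tried, and how many of them answered 403.
probe_count()  { userdir_probes | awk -v ip="$1" '$1 == ip { sub("tried=", "", $2); print $2 }'; }
exists_count() { userdir_probes | awk -v ip="$1" '$1 == ip { sub("exists=", "", $3); print $3 }'; }

userdir_probes
```

The Apache-side fix is "UserDir disabled" in httpd.conf (optionally followed by "UserDir enabled" with the accounts that really need public directories), so that every /~name not explicitly enabled answers the same way and stops acting as an account oracle.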
Hi Oliver,
I have a firewall problem I have resigned on. I hope there's someone out there who can help me and explain what's wrong.
I do not see much wrong with this.
iptables -A PREROUTING -t nat -p tcp -s 0.0.0.0/0 -d IP_DMZHOST --dport PORTFW -j DNAT --to-destination IP_LAN:80
I have used almost identical rules. I do not bother with -s "any" as it's assumed if omitted and I use --to just because it's shorter :-). So functionally, there is no difference.

There are 2 areas that may be causing you grief.

1) Have you set up the forward table? You will need

iptables -A FORWARD -i eth0 -o eth2 -p tcp -d IP_LAN --dport 80 -j ACCEPT

and also its inverse. Personally I prefer connection tracking so you can do

iptables -A FORWARD -i eth0 -o eth2 -p tcp -d IP_LAN --dport 80 \
    -m state --state NEW -j ACCEPT

with a global

iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED -j ACCEPT

for the return.

2) Have you prevented the return packets from being masqueraded? If not they will be leaving your firewall with a source IP of IP_eth0. You need something like:

iptables -t nat -A POSTROUTING -o eth0 -s IP_DMZ -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"firewalled" or "proxied" connections. Therefore I put the following rule in place which should SNAT the specific traffic coming from IIS.
iptables -I POSTROUTING -t nat -s IP_LAN -d ! 10.0.0.0/8 -j SNAT --to-source IP_DMZHOST
I need "-d ! 10.0.0.0/8" option because of our IPSec VPN. But after applying this rule nothing works.
I'm not surprised. By adding this rule you would be creating a separate NAT entry for the outbound traffic.
In my opinion there must be a general "design" mistake I have made. But I don't know which
I think it's only an omission. If you're still stuck, come back to me on the list. Don't use direct mail as this address is a spam trap which throws non-list mail straight into /dev/null.

John
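The complete rule set John's reply describes, as an added example rather than anything posted to the list: DNAT in PREROUTING, the FORWARD pair with connection tracking, and the POSTROUTING exemption ordered before MASQUERADE. The addresses, port and LAN network are constructed placeholders, and IPT defaults to "echo iptables" so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values; override via the
# environment. With IPT unset the rules are printed, not applied.
IPT="${IPT:-echo iptables}"
IP_DMZHOST="${IP_DMZHOST:-192.0.2.10}"   # DMZ address clients connect to
IP_LAN="${IP_LAN:-10.0.0.20}"            # internal IIS host on eth2
PORTFW="${PORTFW:-8080}"                 # public port, deliberately != 80
LAN_NET="${LAN_NET:-10.0.0.0/8}"         # LAN (and VPN) space that is masqueraded

portfw_rules() {
    # 1) Rewrite the destination before routing (nat/PREROUTING), as in
    #    Oliver's original rule.
    $IPT -t nat -A PREROUTING -p tcp -d "$IP_DMZHOST" --dport "$PORTFW" \
        -j DNAT --to-destination "$IP_LAN:80"
    # 2) FORWARD sees the already-rewritten packet: admit the new connection
    #    towards IP_LAN:80 and only tracked replies on the way back.
    $IPT -A FORWARD -i eth0 -o eth2 -p tcp -d "$IP_LAN" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3) POSTROUTING: exempt DMZ-sourced traffic first so the DMZ host keeps its
    #    own address, then masquerade the LAN. The first matching nat rule wins,
    #    so this order is what makes the exemption effective.
    $IPT -t nat -A POSTROUTING -o eth0 -s "$IP_DMZHOST" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j MASQUERADE
}

# Checks that need no root: count FORWARD rules and confirm the POSTROUTING
# ACCEPT precedes MASQUERADE in the generated rule list.
forward_rule_count() { portfw_rules | grep -c ' FORWARD '; }
postrouting_order_ok() {
    portfw_rules | awk '/POSTROUTING.*-j ACCEPT/ { a = NR }
                        /MASQUERADE/ { m = NR }
                        END { exit !(a && m && a < m) }'
}

portfw_rules
```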