Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] iptables question
  • From: Ferdinand Schmid <fschmid@xxxxxxxxxxxxxx>
  • Date: Fri, 27 Sep 2002 10:40:49 -0600
  • Message-id: <3D948A11.8070003@xxxxxxxxxxxxxx>
GentooRulez wrote:
> The problem is not iptables, but the routing.
> A short excursion.
>
> The subnet mask connected with an IP address determines whether
> another IP should be reachable via the standard gateway
> or directly through a certain NIC.
>
> For example (only 1 NIC in your box):
>
> 192.168.1.0/24 means a subnet mask of 255.255.255.0, so if
> the routing part of your kernel has to reach 192.168.2.1 it does the
> following:
>
> own ip AND 255.255.255.0 = 192.168.1
> other ip AND 255.255.255.0 = 192.168.2
>
> If the results differ, the routing routine decides to take the standard
> gateway.
>
> To be more precise: any box in your 10.1.1.1/8 network will
> not be routed through your standard gateway according to the above
> description. For example, 10.1.1.30 wants to reach the mail server.
>
> 10.1.1.20 AND 255.0.0.0 = 10.0.0.0
> 10.1.1.30 AND 255.0.0.0 = 10.0.0.0
>
> The results DON'T differ, so the kernel will send the packets directly.
>
> Solution:
>
> add extra routes, e.g. for the mail server:
>
> route add -host 10.1.1.20 gw your.ext.ip.addr

Michael,
Thanks for the info. I am not quite sure if I understand your answer correctly:

Say my network is 10.0.0.0/24

on machine 10.0.0.20 I try to establish a connection to world.ip.addr.mailserver

Then the kernel on 10.0.0.20 should route this connection through the default gateway, which happens to be the dmz router. So I would expect my packets to go to the dmz router and get lost there.

NAT is set up on that machine and it routes all packets to the smtp port to the mail server.

iptables -t nat -A PREROUTING -p tcp -d $MailIP --dport 25 -j DNAT --to-destination $dmzMailIP
iptables -t nat -A POSTROUTING -s $dmzMailIP -p tcp --sport 25 -o $extIF -j SNAT --to-source $MailIP

Now I see my problem - it sends the response out the external interface and not back through the dmz interface :)

I still don't know how to fix this though. Your suggestion of specifying routes to certain world addresses would work - but I would prefer configuring everything through the dmz router for maintenance reasons.

> BTW: Why do you want to do so - logging purposes?

I would like to create an environment that allows HTML and server-side code to work the same, no matter whether it is visited by an outside person or by a developer who gets to the dmz from an internal network. The internal network is connected through a firewall that connects straight into the dmz.

--
Ferdinand Schmid
Architectural Energy Corporation
Celebrating 20 Years of Improving Building Energy Performance
http://www.archenergy.com
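The script below is an added example for readers of this archive; it is not code from either mail in the thread. It keeps the DNAT/SNAT pair Ferdinand posted and adds the one rule his second message is missing: a "hairpin" SNAT on the DMZ interface so that the mail server's replies to internal clients come back through the NAT router instead of going out the wrong way. Only the variable names MailIP, dmzMailIP and extIF come from the original mail; every address, the interface names eth0/eth1, the router's own DMZ address and the script's dry-run behaviour are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.  It keeps the two NAT rules
# from the mail above and adds the "hairpin" SNAT rule that sends the
# mail server's replies back through the router when the client sits
# behind that same router.  All addresses and interface names are
# assumed placeholders; only MailIP, dmzMailIP and extIF are names the
# original poster used.
#
# Usage:  sh nat-mail.sh          print the rules (dry run)
#         sh nat-mail.sh apply    hand them to iptables (needs root)

MailIP="${MailIP:-203.0.113.25}"            # public address of the mail server (assumed)
dmzMailIP="${dmzMailIP:-192.168.100.25}"    # its real address in the DMZ (assumed)
routerDmzIP="${routerDmzIP:-192.168.100.1}" # this router's own DMZ address (assumed)
intNet="${intNet:-10.0.0.0/24}"             # internal network named in the mail
extIF="${extIF:-eth0}"                      # external interface (assumed name)
dmzIF="${dmzIF:-eth1}"                      # DMZ interface (assumed name)

nat_rules() {
    ipt="${IPT:-iptables}"

    # Rule 1 from the mail: SMTP to the public address is redirected to
    # the DMZ host, whichever interface the packet came in on.  Conntrack
    # remembers the translation and undoes it on every reply that passes
    # back through this box; no extra rule is needed for those replies.
    "$ipt" -t nat -A PREROUTING -p tcp -d "$MailIP" --dport 25 \
        -j DNAT --to-destination "$dmzMailIP"

    # Rule 2 from the mail, generalised: connections the mail server
    # opens itself leave the external interface under the public address.
    # The original "--sport 25" match is dropped here because the nat
    # table only sees the first packet of a connection and outgoing SMTP
    # uses an ephemeral source port, so that match never fires for the
    # traffic it was meant to cover.
    "$ipt" -t nat -A POSTROUTING -s "$dmzMailIP" -o "$extIF" \
        -j SNAT --to-source "$MailIP"

    # Added hairpin rule.  A packet from the internal network has already
    # been DNATed by rule 1 when POSTROUTING sees it, so it is matched by
    # its new destination and leaves through the DMZ interface.  Without
    # this rule the mail server answers the client by the shortest path
    # (through the internal firewall, never through this router), the
    # reply carries dmzMailIP as its source, and the client, which spoke
    # to MailIP, discards it.  Rewriting the source to the router's DMZ
    # address makes the server reply to the router, where conntrack
    # reverses both translations before the packet reaches the client.
    "$ipt" -t nat -A POSTROUTING -s "$intNet" -d "$dmzMailIP" -p tcp --dport 25 \
        -o "$dmzIF" -j SNAT --to-source "$routerDmzIP"
}

# Dry run unless explicitly asked to apply: print instead of calling iptables.
[ "${1:-}" = apply ] || IPT=echo
nat_rules
```

The price of the hairpin rule is visible in the mail server's logs: every connection from the internal network now appears to come from the router's DMZ address rather than from the developer's workstation. If per-client logging on the mail server matters, the alternative is the per-host route GentooRulez suggested, or split DNS that hands internal clients the DMZ address directly.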

