DMZ and iptables breaks my head!!! Avanced Help please!!!!
Please, can somebody help me???
I apologize for hitting you with this "pack", but before coming here I had looked at lots of forums and used Google more than ever in my life to resolve this problem...
Could someone check this iptables script and tell me what's the matter with the rules?? Why do I only see the web pages from the LAN IP address BUT NOT from outside, from the Internet??
Now I'm getting strong headaches; it's the fault of iptables on a DMZ webserver - LAN - INET from ISP.
All the Ethernet and TCP/IP connectivity works fine on the network.
After spending three weeks on this trouble, my ignorance has won!!!!
I know that the IPTABLES script is very long and complex (that doesn't mean it's good... ) BUT FOR THIS REASON I NEED HELP!!!!!!!!!!!
------------Paste script iptables---------------------------
#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
#NAMESERVER_1="x.x.x.x"
#NAMESERVER_2="x.x.x.x"
#BROADCAST="x.x.x.255"
#LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
#
/sbin/depmod -a
#
#
# 2.1 Required modules
#
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable broadcast
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable ping
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable redir ping
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Register strange access, fakes ..
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
##########################################################################
######
# 4.1 Filter table
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create user-specified chains
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in user-specified chains
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
$IPTABLES -A INPUT -i $INET_IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES -A INPUT -i $INET_IFACE -f -j DROP
#
# SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
$IPTABLES -A INPUT -i $LO_IFACE -s $LO_IP -j ACCEPT
# Refuse spoofed packets pretending to be from your IP address.
$IPTABLES -A INPUT -i $INET_IFACE -s $INET_IP -j DROP
# Refuse packets claiming to be from a Class A private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
$IPTABLES -A INPUT -i $INET_IFACE -d $LO_IP -j DROP
# Refuse broadcast address packets.
$IPTABLES -A INPUT -i $INET_IFACE -d $INET_BROADCAST -j DROP
#
# TCP rules
#
#WWW
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
#
# UDP ports
#
$IPTABLES -A udp_packets -p udp -j LOG
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 32768 -j DROP
# UDP port 48639 belongs in the udp_packets chain; a -p UDP rule in tcp_packets
# (which is only reached with -p TCP) could never match.
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 48639 -j DROP
$IPTABLES -A udp_packets -p udp -j DROP
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from LAN, DMZ or LOCALHOST
#
#
# From DMZ Interface to DMZ firewall IP
#
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
#
# From LAN Interface to LAN firewall IP
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
# Multicast is 224.0.0.0/4 (the CLASS_D_MULTICAST range defined above), not /8.
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 32768 -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 --dport 48639 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
# Bad TCP packets we don't want
#
#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# DMZ section
#
# General rules
#
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
#
# HTTP server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets
#
# DNS server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets
#
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
#DNS
#$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 32768 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 32768 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 48639 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 48639 -j DROP
$IPTABLES -A OUTPUT -p tcp --sport 32768 -j DROP
$IPTABLES -A OUTPUT -p udp --sport 32768 -j DROP
$IPTABLES -A OUTPUT -p tcp --sport 48639 -j DROP
$IPTABLES -A OUTPUT -p udp --sport 48639 -j DROP
Squid accelerates page loading as a proxy ... and as a "transparent" proxy it avoids having to configure each client with the proxy port 3128. That is the reason for the rule in iptables: to force LAN clients to make their requests through 3128...
Last edited by MikeHammer; 12-16-2009 at 10:00 PM.
It was just an example IP. The question was, will request go through squid.
Mmmm, no... When I said "Why do I only see the web pages from the LAN IP address BUT NOT from outside, from the Internet??", I meant that the web pages of my site on the DMZ at 192.168.222.22 (web server) can only be seen if I type the URL 192.168.222.22, BUT if I type www.mysite.com the pages can't be seen. This happens inside the LAN. Outside the LAN, from the Internet, the pages can't be seen....
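As an added example for the question above and for the clarification that www.mysite.com fails both from the Internet and from inside the LAN (this is not code from the thread): the posted script has FORWARD rules for the DMZ web server but no nat-table rules at all, and a packet addressed to the firewall's public IP is delivered locally (INPUT chain) rather than forwarded, so the "-d $DMZ_HTTP_IP --dport 80" FORWARD rule never sees it until a DNAT rewrites the destination. The interface names, the public IP and the dry-run default are assumptions; only the web server address 192.168.222.22 comes from the thread, and the script already loads iptable_nat and enables ip_forward.

```shell
#!/bin/sh
# Added example, not part of the thread: nat-table rules that must accompany the
# FORWARD rules of the posted script so a DMZ web server is reachable through the
# firewall's public address. All values are assumed placeholders except the web
# server address from the thread; override any of them via the environment.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"   # default is a dry run that prints the rules
INET_IFACE="${INET_IFACE:-eth0}"              # assumed: interface to the ISP
LAN_IFACE="${LAN_IFACE:-eth1}"                # assumed: interface to the LAN
DMZ_IFACE="${DMZ_IFACE:-eth2}"                # assumed: interface to the DMZ
INET_IP="${INET_IP:-203.0.113.10}"            # assumed: public IP www.mysite.com resolves to
DMZ_HTTP_IP="${DMZ_HTTP_IP:-192.168.222.22}"  # web server address given in the thread

dmz_http_nat_rules() {
    # Internet clients connect to $INET_IP:80; rewrite the destination to the DMZ
    # web server before routing. Only after this DNAT does the script's
    # "FORWARD -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 80" rule match.
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$DMZ_HTTP_IP:80"
    # LAN clients typing www.mysite.com resolve the public address too, so the same
    # packets arrive on the LAN interface and need the same rewrite (hairpin NAT).
    # The script already accepts LAN -> DMZ in FORWARD, and replies from the DMZ
    # to the LAN pass back through the firewall because they are separate subnets.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$DMZ_HTTP_IP:80"
    # New connections from the LAN/DMZ toward the Internet leave with the public
    # address as source. Replies to the DNATed web connections need no rule here:
    # conntrack reverses the translation on the way back.
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

# True when the generated rule set contains a DNAT to the web server.
has_web_dnat() {
    dmz_http_nat_rules | grep -q -- "-j DNAT --to-destination $DMZ_HTTP_IP:80"
}

# Number of PREROUTING DNAT rules (one per inbound interface that must reach the server).
count_web_dnat() {
    dmz_http_nat_rules | grep -c -- "-A PREROUTING .* -j DNAT"
}

dmz_http_nat_rules
```

Run it as-is to print the rules; set IPTABLES=/sbin/iptables as root to apply them, and check the result with `iptables -t nat -L PREROUTING -n -v` while testing from a LAN client and from outside.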