LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-06-2008, 10:01 PM   #1
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Rep: Reputation: 18
Question Help with a Tri-Homed firewall/router


Hello.

I have a situation:
I had a box with two NICs installed acting as a router between two networks: 192.168.1.0 and 192.168.2.0. I had everthing working ok between the two networks. I could ssh from one network to the other without a problem. Now, I added another NIC, now a tri-homed firewall. Now, I can't ssh from one network to the other and vice versa. I can't even ssh from the firewall out. This is part of the iptables script:

EXT_IFACE="eth0"
LAN_IFACE="eth1"
DMZ_IFACE="eth2"
LOOPBACK_IFACE="lo"

EXT_IP="192.168.1.2"
LAN_IP="192.168.2.1"
DMZ_IP="192.168.3.1"

LAN_ADDRESSES="192.168.2.0/24"
LAN_NETWORK="192.168.2.0"
LAN_BROADCAST="192.168.2.255"
LAN_NETMASK="255.255.255.0"

DMZ_ADDRESSES="192.168.3.0/24"
DMZ_NETWORK="192.168.3.0"
DMZ_BROADCAST="192.168.3.255"
DMZ_NETMASK="255.255.255.0"

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy OUTPUT DROP
iptables -t nat --policy POSTROUTING DROP

#iptables -t mangle --policy PREROUTING DROP
#iptables -t mangle --policy OUTPUT DROP

# Delete any pre-existing user defined chains
iptables --delete-chain
#iptables -t nat --delete-chain
#iptables -t mangle --delete-chain

# Allow access to Internet
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH connection from this station
iptables -A OUTPUT -o $LAN_IFACE -p tcp \
-s $LAN_IP --sport $UNPRIVPORTS \
-d $LAN_ADDRESSES --dport 22 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $LAN_IFACE -p tcp \
-s $LAN_ADDRESSES --sport 22 \
-d $LAN_IP --dport $UNPRIVPORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o $DMZ_IFACE -p tcp \
-s $DMZ_IP --sport $UNPRIVPORTS \
-d $DMZ_ADDRESSES --dport 22 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $DMZ_IFACE -p tcp \
-s $DMZ_ADDRESSES --sport 22 \
-d $DMZ_IP --dport $UNPRIVPORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward from and to the LAN
iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS -d $DMZ_ADDRESSES --dport 22 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -p tcp \
-s $DMZ_ADDRESSES --sport 22 -d $LAN_ADDRESSES --dport $UNPRIVPORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT

######################
iptables -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp \
--sport $UNPRIVPORTS -d $DMZ_ADDRESSES --dport 22 \
-m state --state NEW -j ACCEPT
#########################

# Accept SSH connection from the LAN
iptables -A INPUT -i $LAN_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
-m state --state NEW -j ACCEPT


What am I missing?

Thanks in advanced for all your help.
 
Old 10-07-2008, 08:29 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 123Reputation: 123
What does your routing table look like? Can you not SSH from the firewall to any of the 3 connected networks, or is it only 1 or 2 that you can't connect to?
 
Old 10-07-2008, 12:59 PM   #3
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by Matir View Post
What does your routing table look like? Can you not SSH from the firewall to any of the 3 connected networks, or is it only 1 or 2 that you can't connect to?
This is what my routing table looks like:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

I can't ssh to 192.168.2.0 nor 192.168.3.0 but, can connect from those networks to the firewall. Also, I can't ssh from 192.168.2.0 to 192.168.3.0 and vice versa either. Like if it is not forwarding the packets from network to network. I can connect to the internet from all the networks though.

Last edited by landysaccount; 10-07-2008 at 01:02 PM.
 
Old 10-07-2008, 02:00 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 123Reputation: 123
I assume you have ip forwarding enabled, correct? (/proc/sys/net/ipv4/ip_forward) That would relate to the issue between 192.168.2.0 and 192.168.3.0. Also, I'm not seeing where $UNPRIVPORTS is being set... so that might cause some issues with your iptables rules. Are any errors occuring when you execute them? Is the connection timing out, being refused, or getting some other error? Might be helpful to add a "iptables -A INPUT -j LOG" and "iptables -A FORWARD -j LOG" to see what packets may be getting dropped. (I also have never seen the nat table policies set to drop -- have you always had it this way?)

Nothing's jumping out at me yet, so I'm hoping these questions will shed some light.
 
Old 10-07-2008, 03:33 PM   #5
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
Post

Quote:
Originally Posted by Matir View Post
I assume you have ip forwarding enabled, correct? (/proc/sys/net/ipv4/ip_forward) That would relate to the issue between 192.168.2.0 and 192.168.3.0. Also, I'm not seeing where $UNPRIVPORTS is being set... so that might cause some issues with your iptables rules. Are any errors occuring when you execute them? Is the connection timing out, being refused, or getting some other error? Might be helpful to add a "iptables -A INPUT -j LOG" and "iptables -A FORWARD -j LOG" to see what packets may be getting dropped. (I also have never seen the nat table policies set to drop -- have you always had it this way?)

Nothing's jumping out at me yet, so I'm hoping these questions will shed some light.
I do have ip forwarding enabled and UNPRIVPORTS="1024:65535" set at the beginning of the script, I didn't want to post the entire script because is too long.

I also commented out the nat table line and still the same problem.

When I ssh from a network the prompt just sits there waiting for an ACK from the remote box. I ran tcpdump and wireshark to read the packets and it looks like if the connection is sending the SYN but doesn't receive an ACK. I don't see anything wrong with the script I thought I had it working. I don't get any errors when I run the script either.
 
Old 10-07-2008, 09:56 PM   #6
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (Chicago area)
Distribution: Red Hat (8.0, RHEL5,6), CentOS, SuSE (10.x, 11.x, 12.2, 13.2), Solaris (8-10), Tru64, MacOS, Raspian
Posts: 1,113

Rep: Reputation: 65
Quote:
Originally Posted by landysaccount View Post
Hello.

I have a situation:
I had a box with two NICs installed acting as a router between two networks: 192.168.1.0 and 192.168.2.0. I had everthing working ok between the two networks. I could ssh from one network to the other without a problem. Now, I added another NIC, now a tri-homed firewall. Now, I can't ssh from one network to the other and vice versa. I can't even ssh from the firewall out.
If you remove the new NIC, does everything work as it did before you installed it?

I'm wondering if installing the new NIC caused it to actually be eth0 instead of eth2 because of the order that the PCI bus was scanned during the bootstrap. I've seen things like that happen when installing second and third SCSI adapters. Could be a similar problem in your setup.

--
Rick
 
Old 10-07-2008, 11:36 PM   #7
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
Red face

Quote:
Originally Posted by rnturn View Post
If you remove the new NIC, does everything work as it did before you installed it?

I'm wondering if installing the new NIC caused it to actually be eth0 instead of eth2 because of the order that the PCI bus was scanned during the bootstrap. I've seen things like that happen when installing second and third SCSI adapters. Could be a similar problem in your setup.

--
Rick
I have the correct interfaces because:

Yes, DMZ and LAN can connect to internet.
No, DMZ, LAN and EXT can't ssh each other to the firewall.
Yes, the firewall can connect to LAN and DMZ
Everything else is blocked.

I would like LAN hosts to ssh DMZ hosts.
 
Old 10-08-2008, 03:47 PM   #8
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Original Poster
Rep: Reputation: 18
I got around it by doing PREROUTING from LAN to connect to servers in DMZ:

iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS -d $LAN_IP --dport 2222 \
-j DNAT --to-destination $SERVER:22

iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS -d $SERVER --dport 22 \
-m state --state NEW -j ACCEPT

That's the only thing I could've come up with.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Adding new Linux firewall/router on network with pre-existing gateway/router grittyminder Linux - Networking 4 08-13-2008 03:17 AM
triple-homed ubuntu server proxy/router acting as a fallback gateway mhykgyver Linux - Networking 1 12-10-2007 06:42 PM
router billion 5102 has firewall and software firewall tests aus9 Linux - Security 6 12-31-2006 11:09 PM
CentoOS router/firewall prob - local network works but router can't access Internet elementalvoid Linux - Networking 6 12-12-2006 04:39 PM
Multi Homed Gateway Router Problem conradg Linux - Networking 2 03-31-2006 12:51 AM


All times are GMT -5. The time now is 10:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration