Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm struggling to get my firewall to do what I need.
Setup is ...
Internal network is protected from the internet via a Linux box firewall that does all the port forwarding to the local servers that need internet visibility.
Local machine internet browsing all goes through the proxy, which is another separate Linux box.
I need a local server to be able to fully see and communicate with a remote server without going through the proxy. I have put a proxy bypass entry in the server but I don't seem to be able to get the iptables rules correct to see the remote server.
The rules I have tried are
iptables -A INPUT -d xxx.xxx.xx.xxx -j ACCEPT
iptables -A FORWARD -d xxx.xxx.xx.xxx -j ACCEPT
iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xx.xxx -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
How are you using the proxy? Manually? Automatically? Transparently?
It's a manual proxy that all the browsers are configured to use to get out to the internet. I have put a proxy bypass in for the remote IP I'm trying to get to which takes the default route through the firewall.
Quote:
Originally Posted by fukawi1
What do you mean by "fully see and communicate"? How is it trying to communicate, what protocol, what port, etc.
I want all ports, all protocols open to the one remote server.
Quote:
Originally Posted by fukawi1
Do the remote and/or proxy servers have firewall rules getting in the way?
Sorry, I missed this question. No: in a test I can see a webpage hosted on the remote server when I go through my proxy, but when I bypass the proxy I can't get to it.
The proxy server and firewall on my site are 2 separate boxes.
I basically want the firewall to operate as a NAT box, but only to the one internet IP address.
Either configure the proxy to allow traffic between the local and remote server, or use a different gateway device for the local server. Which device are the rules you posted for?
What is the function of the two servers? Which ports do they need?
I think you need to use the PREROUTING and POSTROUTING functions of iptables, rather than FORWARD and OUTPUT. While MASQUERADE MAY achieve your goal, I don't think it is necessarily the right approach. I am not trying to be obtuse in my reply; I am not expert enough in iptables to give you a direct solution. I think you are after the function referred to as SNAT for mapping hosts 1:1, whereas MASQUERADE is a 1:many mapping.
The second thing I would look into is running a traceroute between the two hosts, in both directions. This will help you to make sure that packets get directed through the proper gateway and tell you if traffic is getting stopped at a particular point, in which case you know where to look. Remember that traffic needs to go both directions AND that return traffic will NOT be on the service port, but on a random higher port number.
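As an added example (not code from anyone in this thread), the script below emits a rule set for the situation described: one internal server allowed to reach one remote host through the firewall, with the FORWARD chain accepting the replies via connection tracking (so the random high return port needs no open rule) and the POSTROUTING SNAT limited to that single source/destination pair instead of a blanket MASQUERADE. All addresses and interface names are constructed placeholders; it prints the rules by default and only applies them when run as root with --apply.

```sh
#!/bin/sh
# Added example: minimal single-host NAT through a Linux firewall.
# Constructed placeholder values; replace with your own.
LOCAL_SERVER="192.0.2.10"      # internal server that bypasses the proxy
REMOTE_SERVER="198.51.100.20"  # the one internet host it may talk to
WAN_IP="203.0.113.5"           # firewall's public address (1:1 SNAT source)
WAN_IF="eth0"                  # interface facing the internet
LAN_IF="eth1"                  # interface facing the internal network

# Print the rules rather than applying them, so they can be reviewed first.
# Args: local_server remote_server wan_ip wan_if lan_if
single_host_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $5 -o $4 -s $1 -d $2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $4 -o $5 -s $2 -d $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $4 -s $1 -d $2 -j SNAT --to-source $3
EOF
}
# Rule 2 (FORWARD, wan->lan) only accepts packets conntrack already ties to an
# outbound flow, so replies arriving on a random high port get through while
# unsolicited traffic from the remote host is still blocked.
# Rule 3 (POSTROUTING) carries both -s and -d, so no other internal host and no
# other destination is ever NATed by this firewall.
# The two ACCEPT rules matter when the FORWARD chain's policy is DROP; if it is
# already ACCEPT, the missing piece is the NAT rule, not the filter rules.

# Number of iptables rules emitted (excludes the sysctl line).
rule_count() {
    single_host_nat_rules "$@" | grep -c '^iptables'
}

if [ "${1:-}" = "--apply" ]; then
    # Needs root; each emitted line is executed in order.
    single_host_nat_rules "$LOCAL_SERVER" "$REMOTE_SERVER" "$WAN_IP" "$WAN_IF" "$LAN_IF" | sh
else
    single_host_nat_rules "$LOCAL_SERVER" "$REMOTE_SERVER" "$WAN_IP" "$WAN_IF" "$LAN_IF"
fi
```

Review the printed output, then run with --apply on the firewall box; verify afterwards with `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v` that the counters on these rules increment when the local server connects.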