LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-27-2005, 10:13 AM   #1
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Rep: Reputation: 25
basic networking


I need help getting restarted. I want to get deeper into networking but I lack direction to the info I am looking for. I made a doc of my set-up. It is probably very simple to a lot of you; forgive my lack of knowledge. I learn more from example than I do from reading, and I have a lot, perhaps all the wrong things.
I get lost pretty easily still from terminology. Be patient please?






internet
|
|
provider
|
( I have assigned 3 ips out of a
10.x.x.x net that are routed live )
|
|
_|____________________________________
| | |
|NAT ( eth0, eth0:1 ) --------- Web / dns Server
| | DMZ ( eth2 )|
| | |
| | |
| |internal ( eth1 ) |
| |___________________________________|
|
|---- *dhcp server ( unless the vpn(?) is set up )
| internal file storage
|
|---- *internal net * present setup, remove for below ~
|
~
~
|
|---- mail ( is this the best place or in the dmz? there is
| more connections from internal, and one external
| maybe dns should be here as well?)
|
|---- samba server ( file storage, main copier/printer setup )
|
|
|-------------------------------------------------------------
| | |
| | |
dhcp / content filter dhcp / filter ip based
student/other administarion network camera server
log in ( or more likely static |
| ips - mac based, |
| accept only ) |
| log in |
| | |
| | |

Sorry, the diagram messes up (tabs).

I use Suse 9.x only. Not interested in changing at this time.

This is a model of what I have and what I would like to do
( past the ~ ~ ). This is for a school. I included it all
so maybe a better picture can be seen. If there are any ideas of
a better, more secure method PLEASE suggest it.

I really don't want it written for me; example code would be great,
hints, tricks, tips, recommendations, SUPER!
But there is an order to things to do it right.
Cite me tutorials even, but "in order of need" and of
relevance per flavor / kernel.

Starting with nat, then to the internal, then to the dmz,
what are the proper steps in order to set it up? Either with
Yast or ( preferably ) with scripts.

eth0:1 is for the webserver
I start with a fresh box, have 3 nics installed and eth0:1 established
I know my external gateway and dns servers
I call my domain myclass.edu
the nat is to masq for the internal and dmz
I want to have the web server viewed internal and external
I want to be able to ftp and ssh to the web server from internal only
( I may want to open ftp external later )
I want to ssh to the nat from internal and external

I can ping all directions from the nat and from all directions to the nat. eth0:1 is up because I can connect ssh to it and eth0 from home. ( set up via Yast )

A) I get stuck using Yast routing to the dmz from either internal or external.
That could be the quick fix I guess.
I would like to be able to do it all from command line, later into script.

B) Let's say I have the nics configured on the nat and I can browse from the nat.
( ping and tracert are disabled from provider due to blaster and such )
outside of Yast,
1) what do I need to do to ipforward / masq?
a) is anti-spoofing implied?
2) what do I need to do to see into the dmz from the internal for web?
3) what would I need to do to route from eth0:1 to dmz/web?

C) A thought ahead - I have seen on some of the tutorials that the 1st iptable
rule is to reject everything
then start allowing what you want, that seems really good. I want to later
install in the filters (above) a "black list". This would just add itself in
to the rules, correct?

I have only messed around with iptables commands some, not sure which way to go, so I have not done more yet. So I have no script yet to show; I am building one but .....

I feel so close but there is something I am missing. Can anyone give any real help?
My normal disclaimer: PLEASE don't just tell me to read something, I am reading, I am
learning, I need real help. This may show me what it is I am missing.

Thanks

Mike

Last edited by Kumado; 06-27-2005 at 10:28 AM.
 
Old 06-27-2005, 10:30 AM   #2
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Rep: Reputation: 30
Mike,
First of all, it seems it's not "basic networking" what you're trying to do here...
Or at least, it doesn't look that way...
But that's no problem of course...

Is it possible to redraw your diagram and put it online somewhere as an image? This might clear things up a bit.

Also, I am not completely sure what your question is. You have put a lot of info, but is your question whether you are on the right track with this diagram, or do you want us to help you find the right way to set this up?

I am not sure if I am able to help you, but I'm always willing to try, as will others with me... (You came to the best forum I ever found on the net...)

Last edited by Satriani; 06-27-2005 at 10:34 AM.
 
Old 06-27-2005, 01:37 PM   #3
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Original Poster
Rep: Reputation: 25
Thx Satriani! Thank you for your time, offer, and manner.

There is a lot of info, I hated to not include enough to make "sense"? Help me weed out the non-sense. I hate to sound stupid.

I will try to get a diagram posted asap! but the most of the diagram is something I need to do later, where to put the mail server, DNS server etc. I do want to know if this is a good way or is there better, right now I "just" want to get the dmz back up and understand how it happens.

My quick tale, I am a teacher, I had to put up a network for my class ( very long story ) I bought a copy of Suse ( so I knew it would be intact - my 1st linux ever ) and set up a nat with a dmz which had my web server. That much I could figure out.

The network worked so well ( talk about lucky ) that I now have the rest of the building on my network. I have NO time to do even half of what I need to do, partly, log the settings in the SuseFirewall2 that I and a student made to get it all to work. It is what makes this so hard, I only get started reading when I have to go do something.

BOOM, a raccoon gets in the main school power, 1 of 3 phases goes, blows my HD, MB, power supply and UPS.

I installed a new nat, temped it in. I cannot get the DMZ back online, i.e. no webserver. I guess my student figured that part out and has now graduated high school.

I do not mind using Yast to set it all up, got that much running with it. I would like to know how to do it ( right ) by command line > script. I can log in now using putty and am beginning to figure out how to do more that way. I like that too. I love linux and networking for that matter.

#This is from online... the top 13 entries are like I have set, I assume the last are where I am losing it.

FW_DEV_EXT="eth0 eth0:1"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="eth1 eth2" # I have actual addresses here, no idea if ifaces work here, hmmm, test test
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_DMZ_TCP="www ftp dns" # service names as listed in /etc/services ("www", not "web")
FW_SERVICES_DMZ_UDP="dns"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICE_DNS=""

### I left the info in the lines below the way they had as in their example--

# I want to have the webserver available to the internal and external - to all
# the webserver goes live on eth0:1 so all port 80 traffic ( maybe ftp later ) on eth0:1 needs routed to the webserver
# I want to be able to ftp to the webserver from internal
# I want internal to have access to the dns
# hmmm, I do want smpt for mrtg at some point



FW_FORWARD="0/0,200.200.200.200,tcp,80 0/0,200.200.200.200,tcp,443 \
200.200.200.200,192.168.1.3,tcp,4545" # access to the web server and allow
# access from the web server to the database
# one FW_REDIRECT setting for TCP and UDP together: a second assignment
# of the same variable would silently overwrite the first one
FW_REDIRECT="192.168.1.0/24,0/0,tcp,53,53 192.168.1.0/24,0/0,tcp,25,25 \
192.168.1.0/24,0/0,udp,53,53" # all DNS and mail is done by the firewall

That gets me started, but I want to be able to maybe do away with SuSEfirewall and do it all by script. Maybe it can be tuned better as I learn? I want to be able to put in filtering later, porn and such, a blacklist, add and delete entries. Would I really be better off with a package out there to set that up? Later.





If I turn off SuSEfirewall, I believe I kill forwarding, masq and all. I assume that iptables can start it all on its own, no route command, no set-ups anywhere else?

I tried this on my test machines :

# Flush any existing rules and set the default policies

iptables -F

#turn it all on?

#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

I instantly killed my ssh - putty connection ( felt pretty dumb just after I pressed enter, knew what I did as I did it, did it one line at a time, not as a script ). Once I went to the nat and entered the next 3 lines, I was totally back in. Glad it is a test box.

I have read that you should turn it all off - reject everything, then start adding what you want to have happen.

I started this:

###############################
## IT Lab Firewall
## June 2005
###############################

## setup interfaces and IPs

# shell variables: no spaces around the "=" or the line is run as a command
INET_IP=10.x.x.20 # routed live
INET_IFACE=eth0
IWEB_IP=10.x.x.21 # routed live
IWEB_IFACE=eth0:1
LAN_IP=192.168.228.0
LAN_IFACE=eth1
DMZ_IP=192.168.92.0
DMZ_IFACE=eth2
#add the webserver ip here too?


# Flush any existing rules and set the default policies

iptables -F

# a chain policy can only be ACCEPT or DROP; REJECT is only valid as a rule target (-j REJECT)
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

then start adding the rules here, use nat/snat to set up forwarding and masq. ( is anti-spoofing a special set-up? )


Wow, probably too much info again. I want it all, I get excited. I need the missing ( brain cells ? ) pieces to fill in what to do.

Thanks again for any and all help. I will get a diagram up asap for later stuff. I am slow and this is a lot to ask. I may be asking more than I realize or it is so simple I am tripping over it.

Mike
 
Old 06-27-2005, 02:14 PM   #4
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Original Poster
Rep: Reputation: 25
http://home.earthlink.net/~kumado/pix/now.jpg

http://home.earthlink.net/~kumado/pix/future.jpg
 
Old 06-29-2005, 04:58 AM   #5
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Rep: Reputation: 30
Mike,

Do you mind if we split up your problem into several different ones? The current info is a bit overwhelming, and might scare others off ... If I understand correctly, these are the problems / requests:
1. You have placed a webserver in a DMZ, and it cannot be reached by either internal or external requests. Could be NAT, routing or firewall.
2. You want to set up DNS but you're not sure in which zone to put it.
3. You want to be able to do some web / content filtering etc. for the internal users. (Blacklists)
4. You want to set up a mailserver, also not sure in which zone.
5. You probably want some content / spam / virus filters on your mailserver (Not mentioned, but very likely).
6. There should be some authentication done between internal network and the DMZ / External Net for administrative purposes etc...

Let's leave the Mail / SMB Fileserver out for this moment, and go through it step by step.
Can you confirm above issues, or make corrections?

Please do not try to overkill information (yet) ... IMHO this will distract you from the problem as well as from the solutions... I'm trying to get a clear simple picture first... (I know Linux is so exciting you just want to go on and on and on, I have the same problem... )
 
Old 06-29-2005, 07:36 AM   #6
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Original Poster
Rep: Reputation: 25
Satriani, you are absolutely on track! -- That is exactly what I have in mind. Thank you so much.

I want to be able to get all this working, but I want to be able to learn it, not just have it done. I learn so much more doing a real project than some abstract example, so this project is very dual purpose. All the info was to show the BIG picture, but I want to start near the beginning, piece at a time.


You have great insight:

1. You have placed a webserver in a DMZ, and it cannot be reached by either internal or external requests. Could be NAT, routing or firewall.

I used Yast before, could again. I may use some tool to set the filtering in later but I would like to be able to write my own scripts for iptables to work. I found 5 more useful tutorials on it since my 1st post. Guess the big problem is that everyone goes about it differently, which is fine. Just takes a little longer to learn what they have in mind then see what they did. Not that I am that much better at it, but there is a lack of comments on some lines of code.

I am trying to find more info on the --state field now: syn, syn-ack, related, etc. - all the options and what they do and such.

Back to #1, still a lot of information but I am not sure what is needed at this point, sorry :


#This is from Susefirewall ( inside the file for a short listing )... the top entries are like I have set, I assume the last lines are where I am losing it.

FW_DEV_EXT="eth0 eth0:1"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="eth1 eth2" # I have actual address/net here
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_DMZ_TCP="www ftp dns"
FW_SERVICES_DMZ_UDP="dns"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""

### I left the info in the lines below the way they had as in their example--

# I want to have the webserver available to the internal and external - to all
# the webserver goes live on eth0:1 so all port 80 traffic ( maybe ftp later ) on eth0:1 needs routed to the webserver
# I want to be able to ftp to the webserver from internal

FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""



or an iptable solution, I have started one, I think, but I have much more to learn and figure out:

###############################
## IT Lab Firewall
## June 2005
###############################


#First we must enable packet forwarding (to make it permanent, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)

echo "1" > /proc/sys/net/ipv4/ip_forward

## setup interface and IP variables, declared here for global use - ease of change
## (shell assignments take no spaces around the "=")

EXT_IP=10.x.y.20 # routed live
EXT_IFACE=eth0
WEB_IP=10.x.y.21 # routed live, the address of the eth0:1 alias
WEB_IFACE=eth0:1
LAN_NET=192.z.w.0/20
LAN_IFACE=eth1
LAN_BCAST=192.z.t.255
DMZ_NET=192.z.u.0/24
DMZ_IFACE=eth2
ANYWHERE=0/0
WEB_SERVER=192.z.u.2

#should the web, mail etc ips go in here as well?


# Flush any existing rules (filter and nat tables) and delete old user-defined chains

iptables -F
iptables -t nat -F
iptables -X


# set the default policies if no match is found
# (a policy can only be ACCEPT or DROP; REJECT exists only as a rule target)

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


# user-defined chain that logs and then drops: this is the "reject-and-log-it" target used below

iptables -N reject-and-log-it
iptables -A reject-and-log-it -j LOG --log-prefix "FW-DROP-SPOOFING: " --log-tcp-options --log-ip-options
iptables -A reject-and-log-it -j DROP


# remote interface, claiming to be local machines, IP spoofing
# (eth0:1 is only an alias address on eth0, so "-i eth0" already covers it;
#  match the alias by address with -d $WEB_IP, never with "-i eth0:1")

iptables -A INPUT -i $EXT_IFACE -s $LAN_NET -d $ANYWHERE -j reject-and-log-it
iptables -A INPUT -i $EXT_IFACE -s $DMZ_NET -d $ANYWHERE -j reject-and-log-it
iptables -A FORWARD -i $EXT_IFACE -s $LAN_NET -j reject-and-log-it
iptables -A FORWARD -i $EXT_IFACE -s $DMZ_NET -j reject-and-log-it


# allow ssh connection to this machine

iptables -A INPUT -p tcp -m tcp --destination-port 22 -j ACCEPT # allows int or ext connection


# accept packets intended for this machine, and let the firewall answer
# (with the OUTPUT policy at DROP nothing leaves the box without these)

iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# set masquerade and forwarding
# (the nat table is not a filter: leave its policy at ACCEPT and filter in FORWARD)

iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -j ACCEPT # every rule needs a target (-j), otherwise it only counts packets
iptables -A FORWARD -i $EXT_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT


# In Microsoft Networks you will be swamped by broadcasts.

#iptables -A INPUT -p udp -i $EXT_IFACE --destination-port 135:139 -j DROP


# If we get DHCP requests from the Outside of our network.......

#iptables -A INPUT -p udp -i $EXT_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP


What should I post, or need to post? This is my assorted work so far. I hope that it is of help and not a hindrance. Thanks to you and anyone else that is able to help. Perhaps this will help many others that are in my position as well.

You are right, this is a great forum!

Mike

I am back to
 
Old 06-29-2005, 09:17 AM   #7
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Rep: Reputation: 30
If your network is not yet connected to the internet (or you are able to disconnect it for a while), please start with disabling any firewall rules...

Just to narrow the issues, it would be useful to set up the NAT working first... Then if that works, set up the firewall again... If it then stops working, you know at least at what point the setup fails...

Also is there a reason for putting the DHCP in your DMZ??? I strongly recommend to place it in your internal "green" zone...

Then the DNS: Is it the primary DNS Server for your domain on the internet? Or is it just for serving your internal network?


Last edited by Satriani; 06-29-2005 at 09:20 AM.
 
Old 06-29-2005, 05:58 PM   #8
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Original Poster
Rep: Reputation: 25
That box is in service for the building which includes the business office and main administration. It has to stay online.

I have a second system that I use for testing that I can set up for this. I brought a laptop home today to use on my lil nat here at home.
My problem at home is that I am, at best, 24k dial-up and I have never gotten the ppp0 up on that box to have access thru it at home. It has 2 nics and the modem that I have not had time to play with.... yet.

The DNS I had in the DMZ, thought it was safer there, but that was a question, should it be in the green?

I have to look at my diagram, I did not mean for DHCP to be in the DMZ ( yellow ? ).

The DNS server is for the intranet, for now at least. My other future concern is that the school will go fiber with no company at the front end doing filtering and mail - etc. I want to be ready to handle all this

Perhaps we can write a new book on all of this and post it here.

thanks Satriani.

btw, I live outside Portsmouth, Ohio USA, any chance you are close by?

Mike
 
Old 06-30-2005, 03:54 AM   #9
Satriani
Member
 
Registered: Mar 2003
Location: The Netherlands
Distribution: Red Hat 7.3, Red Hat 9, Solaris8, Slackware 10, Slax on USB, AIX, FreeBSD, WinXP, AIX, Ubuntu
Posts: 418

Rep: Reputation: 30
I'm just a little out of Ohio, or better, a little bit out of the USA... I live in the Netherlands.. LOL So helping you onsite will become a problem... Hehehe...

FYI: When DMZ'ing, we usually talk of green (internal, safe), Orange (DMZ, less safe) and red (external, one big scary place!)

The reason for DNS residing in a DMZ is only when that server serves queries from the internet (you are the primary name server for your domain, as well internal as external). If you only use it for internal use, you could very well put it in the green zone.

For your future requirements, there is no problem at all with your current setup.. I think you thought very well about it... (At least, I would have set it up the same way)

Back to the problem then...
Can you set the debugging-level of your NAT higher? (to check the logfiles, helping us to find out where it's failing?) Maybe also the firewall-logging a bit higher?
 
Old 07-14-2005, 10:32 AM   #10
Kumado
Member
 
Registered: Oct 2003
Location: Ohio , USA
Distribution: up to Suse 15.1
Posts: 73

Original Poster
Rep: Reputation: 25
had to switch hats for a bit, wife and kids at camp and school needed security cameras worked on. Which I am still doing.

However, I got the chance to read a couple more posts on SuSEfirewall and it finally made some sense. www.engrtp.com is now back up!!!

I did an iptables-save and have been looking at the listing, 5 printed pages in an 8 pt font!! geee!! I did find an error that makes sense too. I have eth0 and eth0:1 both live and I can connect to the web server by either live IP, not a problem right now but not what I wanted. I see that since SuSEfirewall has the 2 eth0 as external, it made a rule for both, not just eth0:1.

So, I am back to really understanding iptables. I see there are as many camps on this as there are on anything. Like C++, do I put main at the top or at the bottom of my code, etc. The code almost makes sense. I begin to see what is going on. Wish I could list the print-out but it is BIG.

SuSEfirewall has a few jump areas set aside as do many other examples I have seen. forward_dmz - [0:0] ( I do not understand the [0:0], it must be something they set for their reader to int something? ) forward_ext - [0:0], forward_int - [0:0], input_dmz - [0:0] etc.

I assume the best policy is to drop ( or reject - seems it is felt drop makes hacks take longer because of no reply, makes them wait ) everything and then allow the things I want.

I keep reading this listing for the iptables that SuSEfirewall made. I almost see this I think. My one problem before was getting it in my head that all the rules simply apply to the NAT and basically it alone. IT is the firewall. So when I read the -A INPUT .... lines do they only apply to the ext interface? For instance:

-A INPUT -i lo -j ACCEPT # just simply accept
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING" --log-tcp-options --log-ip-options
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING" --log-tcp-options --log-ip-options
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP

# if the source or destination was to 127.0.0.0/8 network create a log entry with the " " text and the port and ip address requesting? then
# drop the packets since they came from the ext interface?



-A INPUT -s web_ip -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING" --log-tcp-options --log-ip-options
-A INPUT -s web_ip -j DROP

# since there was a request on the ext interface with the web servers' ip which is in the DMZ, log and drop?



-A INPUT -s ext_ip -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING" --log-tcp-options --log-ip-options
-A INPUT -s ext_ip -j DROP

# since there was a request on the ext interface with the source having the external interfaces' ip, log and drop?



-A INPUT -d ext_ip -i eth0 -j forward_ext

# this states which interface, the others do not, so if the request in their case is ANY input?


With my web server back up, I can ftp to it from internal only, etc. I feel alright about it now and I want to go on to writing a real firewall. I see there are utilities to do it. I would have to understand a lot more to know what to set in them to use them. ( the "problem" I have now with both ext interfaces routing web traffic from SuSEfirewall for one ) If I am going to go that far, I may as well write it myself, incorporate any info I get to make it good and not slow the system down doing it.

Looking at all I have so far, I hope it helps others with figuring things out too. There is a lot to read, too much.

Thanks much

Mike
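Pulling together the script started in post #6 and the "both external IPs answer for the web server" problem from post #10, here is an added example of a complete three-zone rule set; it is not from any poster in this thread nor from SuSEfirewall2. It assumes constructed addresses (10.0.0.20 on eth0, 10.0.0.21 on eth0:1, 192.168.228.0/24 internal, 192.168.92.0/24 DMZ, web server 192.168.92.2); by default it only prints the iptables commands, and loads them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Three-interface NAT + DMZ firewall for the layout in this thread (eth0 outside,
# eth1 internal, eth2 DMZ, web server published on the eth0:1 address only).
# Dry run by default: prints the iptables commands. Apply as root with IPT=iptables.
IPT="${IPT:-echo iptables}"

# Constructed placeholder addresses; substitute the real routed 10.x.x.x ones.
EXT_IFACE=eth0;  EXT_IP=10.0.0.20        # primary address on eth0
WEB_IP=10.0.0.21                         # the eth0:1 alias, used only for the web server
LAN_IFACE=eth1;  LAN_NET=192.168.228.0/24
DMZ_IFACE=eth2;  DMZ_NET=192.168.92.0/24
WEB_SERVER=192.168.92.2                  # web server inside the DMZ

fw_rules() {
    # Start clean, then default-deny; only what is listed below gets through.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Log-then-drop chain, the "reject-and-log-it" target asked about in the thread.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG --log-prefix "FW-DROP-SPOOF: " --log-ip-options --log-tcp-options
    $IPT -A LOGDROP -j DROP

    # Anti-spoofing: our private nets and our own addresses never arrive from outside.
    # eth0:1 is an alias on eth0, so "-i eth0" already sees its traffic.
    for net in $LAN_NET $DMZ_NET 127.0.0.0/8 $EXT_IP $WEB_IP; do
        $IPT -A INPUT   -i $EXT_IFACE -s $net -j LOGDROP
        $IPT -A FORWARD -i $EXT_IFACE -s $net -j LOGDROP
    done

    # Traffic to the firewall itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT      # ssh, inside and outside
    $IPT -A INPUT -i $LAN_IFACE -p udp --dport 53 -j ACCEPT             # internal DNS on the box
    $IPT -A INPUT -i $LAN_IFACE -p tcp --dport 53 -j ACCEPT

    # Forwarding: replies to allowed connections first, then new connections by zone.
    # DMZ -> internal is never listed, so the FORWARD policy drops it.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -j ACCEPT
    $IPT -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -d $WEB_SERVER \
         -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT            # ftp/ssh/web from inside only
    $IPT -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -d $WEB_SERVER \
         -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # NAT. The DNAT matches on the eth0:1 address, not the interface, so only
    # WEB_IP publishes the web server (the "both external IPs answer" problem).
    $IPT -t nat -A PREROUTING -i $EXT_IFACE -d $WEB_IP -p tcp -m multiport --dports 80,443 \
         -j DNAT --to-destination $WEB_SERVER
    # Internal clients that use the public address get the same translation.
    $IPT -t nat -A PREROUTING -i $LAN_IFACE -d $WEB_IP -p tcp -m multiport --dports 80,443 \
         -j DNAT --to-destination $WEB_SERVER
    # Everything leaving on eth0 is SNATed to the primary address (static IP, so SNAT
    # instead of MASQUERADE); replies to DNATed connections are un-NATed by conntrack.
    $IPT -t nat -A POSTROUTING -o $EXT_IFACE -j SNAT --to-source $EXT_IP
}

apply_firewall() {
    # Turn on forwarding only when really applying, then load the rule set.
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules
}
apply_firewall
```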
 
  

