LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   DMZ and iptables breaks my head!!! Avanced Help please!!!! (https://www.linuxquestions.org/questions/linux-networking-3/dmz-and-iptables-breaks-my-head-avanced-help-please-775798/)

MikeHammer 12-15-2009 09:20 AM

DMZ and iptables breaks my head!!! Avanced Help please!!!!
 
Please, somebody can help me???

I ask you apologize for shoot you with this "pack", but before come here I had saw lots of forums and I have used google more than in my life, for resolve this problem...

Could someone checking this script of iptables and says me what's the matter with the rules?? Why I only see the webpages from the IP address of LAN BUT NOT from outside, from Internet??

Now I'm get strong headaches, it's guilt of iptables on a DMZwebserver - LAN - INET from ISP.

Structure
|eth0: Internet ISP DHCP |
|eth1: router-firewall-squid-samba-LAN trusted |
|eth2: DMZ webserver-bind9 |

All the conectivity ethernet and TCP/IP works fine on the network.

After I spend three weeks with this trouble, my ignorance has won!!!!

I know that the IPTABLES script is very long and complex (that not means which to be good... ) BUT FOR THIS REASON I NEED HELP!!!!!!!!!!!
------------Paste script iptables---------------------------

#!/bin/sh

#Debug
#set -x

#
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# 1.1 Internet Configuration.
#

INET_IFACE="eth0"
INET_IP=200.xxx.xxx.89
INET_BROADCAST="255.255.255.255"
HTTP_IP=200.xxx.xxx.89
DNS_IP=200.xxx.xxx.89

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IFACE="eth1"
LAN_IP="192.168.111.1"
LAN_IP_RANGE="192.168.111.0/24"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.222.22"
DMZ_DNS_IP="192.168.222.22"
DMZ_IP="192.168.222.21"
DMZ_IFACE="eth2"
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
#

#NAMESERVER_1="x.x.x.x"
#NAMESERVER_2="x.x.x.x"
#BROADCAST="x.x.x.255"
#LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
#
/sbin/depmod -a
#
#
# 2.1 Required modules
#
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable broadcast
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable ping
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable redir ping
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Register strange access, fakes ..
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
##########################################################################
######
# 4.1 Filter table
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create userspecified chains
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in userspecified chains
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
$IPTABLES -A INPUT -i $INET_IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPTABLES -A INPUT -i $INET_IFACE -f -j DROP
#
# SPOOFING
# Most of this anti-spoofing stuff is theoretically not really necessary with the flags we
# have set in the kernel above ........... but you never know there isn't a bug somewhere in
# your IP stack.
#
$IPTABLES -A INPUT -i $LO_IFACE -s $LO_IP -j ACCEPT
# Refuse spoofed packets pretending to be from your IP address.
$IPTABLES -A INPUT -i $INET_IFACE -s $INET_IP -j DROP
# Refuse packets claiming to be from a Class A private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
$IPTABLES -A INPUT -i $INET_IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
$IPTABLES -A INPUT -i $INET_IFACE -d $LO_IP -j DROP
# Refuse broadcast address packets.
$IPTABLES -A INPUT -i $INET_IFACE -d $INET_BROADCAST -j DROP
#
# TCP rules
#
#WWW
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
#
# UDP ports
#
$IPTABLES -A udp_packets -p udp -j LOG
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 32768 -j DROP
$IPTABLES -A tcp_packets -p UDP -s 0/0 --dport 48639 -j DROP
$IPTABLES -A udp_packets -p udp -j DROP
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
#
# From LAN Interface to LAN firewall IP
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 32768 -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 --dport 48639 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
# Bad TCP packets we don't want
#
#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# DMZ section
#
# General rules
#
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
#
# HTTP server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets
#
# DNS server
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets
#
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
#DNS
#$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 32768 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 32768 -j DROP
$IPTABLES -A OUTPUT -p tcp --dport 48639 -j DROP
$IPTABLES -A OUTPUT -p udp --dport 48639 -j DROP
$IPTABLES -A OUTPUT -p tcp --sport 32768 -j DROP
$IPTABLES -A OUTPUT -p udp --sport 32768 -j DROP
$IPTABLES -A OUTPUT -p tcp --sport 48639 -j DROP
$IPTABLES -A OUTPUT -p udp --sport 48639 -j DROP

#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
# 4.2 nat table
#
# 4.2.4 PREROUTING chain

###SQUID TRANSPARENT PROXY
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LAN_IP_RANGE -d $HTTP_IP -p tcp --dport 80 -j REDIRECT --to-ports 3128
#
#WEBSERVER2SQUID#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
#
#
#POSTROUTING CHAIN
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
-------------------END PASTE------------------------------------------

Thanks in advance

nimnull22 12-15-2009 05:34 PM

Can you please, do: iptables-save, and post output here.

Thanks

MikeHammer 12-15-2009 08:54 PM

1 Attachment(s)
Thanks you... I send ipt.txt (unix format) with iptables output.
Regards

nimnull22 12-16-2009 08:10 PM

Send here please output from router-firewall for: "router -n"

Thanks

MikeHammer 12-16-2009 08:52 PM

Thanks, nimnull22...

------Paste:

Linux:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
190.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.222.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
0.0.0.0 190.xxx.xxx.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.111.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.222.21 0.0.0.0 UG 0 0 0 eth2
Linux:~#

----end paste

Regards

nimnull22 12-16-2009 09:05 PM

And what is internet GW IP???

MikeHammer 12-16-2009 09:10 PM

Quote:

Originally Posted by nimnull22 (Post 3794649)
And what is internet GW IP???

eth0 190.xxx.xxx.89
From ISP cablemodem DHCP (dinamic, but I have set Zoneedit)

nimnull22 12-16-2009 09:23 PM

Why do you do this:
PREROUTING -s 192.168.111.0/24 -d 190.xxx.xxx.89/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 ?

MikeHammer 12-16-2009 09:33 PM

Quote:

Originally Posted by nimnull22 (Post 3794665)
Why do you do this:
PREROUTING -s 192.168.111.0/24 -d 190.xxx.xxx.89/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 ?

For squid transparent proxy on LAN clients

nimnull22 12-16-2009 09:41 PM

For example you're going to 208.69.32.230 (google) = -d will be 208.69.32.230, and packets will miss your rule.

Am I right?

What was a purposes of that transparent proxy for LAN?

MikeHammer 12-16-2009 09:55 PM

Squid accelerates page loading as a proxy ... and as a "transparent" avoids having to configure each client with the proxy port 3128. For that cause is the rule in iptables: to force LAN clients to make requests through 3128...

nimnull22 12-16-2009 09:57 PM

Are you sure that request will reach squid?

Tell what happen with request: 208.69.32.230:80

MikeHammer 12-16-2009 10:12 PM

That address (OPENDNS) don't works, because wants to load some software incompatible... but 209.85.195.147 (google) works perfectly...

nimnull22 12-16-2009 10:28 PM

Quote:

Originally Posted by MikeHammer (Post 3794705)
That address (OPENDNS) don't works, because wants to load some software incompatible... but 209.85.195.147 (google) works perfectly...

It was just an example IP. The question was, will request go through squid.

MikeHammer 12-16-2009 10:42 PM

Quote:

Originally Posted by nimnull22 (Post 3794719)
It was just an example IP. The question was, will request go through squid.

Mmmm, no... When I said "Why I only see the webpages from the IP address of LAN BUT NOT from outside, from Internet??", I mean that the webpages of my site on DMZ 192.168.222.22 (webserver) only are see if I write the URL 192.168.222.22, BUT if I write www.mysite.com the pages don't see. This happens inside LAN. Outside LAN from Internet, the pages don't see....


All times are GMT -5. The time now is 09:17 PM.