LinuxQuestions.org, Linux - Security forum
#1 | 12-27-2006, 08:05 PM | metallica1973 | Senior Member | Registered: Feb 2003 | Location: Washington D.C. | Posts: 2,190
IPTABLES DMZ Rules
Can someone show the correct way to add a DMZ to my network using IPTABLES and the example below?
Here is my network:
Code:
firewall/DNS/Squid/Dansguardian Server ---- DMZ ---- Kids (192.168.2.0) ---- Squid/Dansguardian Server (192.168.3.0)
                                                                         ---- RADIUS Server (192.168.3.0)
                                                                         ---- Wireless LAN (192.168.3.0, private)
Code:
# Excerpt: $IPTABLES, $EXTIF, $INTIF and the ICMPINBOUND chain are defined elsewhere in the script.
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth1"
DMZ_IP="192.168.2.1"
DMZ_PC_IP="192.168.2.30"

# Anything from the DMZ to the firewall's own DMZ address
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# DMZ -> Internet, and replies back into the DMZ
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internal LAN -> DMZ, and replies back to the LAN
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internet -> DMZ host: TCP/UDP ports 1-65000, ICMP handed to the ICMPINBOUND chain
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP -j ICMPINBOUND

# Rewrite inbound TCP/UDP addressed to $DMZ_IP so it goes to the DMZ host
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
I cannot imagine anything more to be done to allow me to get out to the internet from my DMZ. I want to place a PS2 in this DMZ.
Last edited by metallica1973; 12-28-2006 at 08:44 PM.
#2 | 12-28-2006, 06:14 PM | metallica1973 (Original Poster) | Senior Member | Registered: Feb 2003 | Location: Washington D.C. | Posts: 2,190
I connected a laptop to the DMZ and I can ping external IP addresses and domain names, but I cannot use a web browser to get to any websites. I don't understand.
#3 | 12-28-2006, 09:08 PM | Senior Member | Registered: Mar 2003 | Location: Brisbane, Queensland, Australia | Distribution: Custom Debian Live ISOs | Posts: 1,291
If pings can get out but web pages are not working, it sounds like a DNS issue. Have you set the DNS server1 address to the address of the DMZ interface?
#4 | 12-28-2006, 11:34 PM | metallica1973 (Original Poster) | Senior Member | Registered: Feb 2003 | Location: Washington D.C. | Posts: 2,190
I have an internal DNS server that is not working, so I just wanted to use my ISP's DNS server. What would I need to add to my firewall to allow DNS queries to be answered by my ISP and not my internal DNS?
Another note:
I can ping by name and by IP, so what does that mean?
#5 | 12-29-2006, 04:39 AM | win32sux | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by metallica1973
Code:
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth1"
DMZ_IP="192.168.2.1"
DMZ_PC_IP="192.168.2.30"
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP -j ICMPINBOUND
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
Those PREROUTING rules don't seem right... why would a packet coming into the external interface have the destination address of the DMZ interface?? It doesn't get that address until *after* it's sent through DNAT (right before it goes into the FORWARD chain)...
It's hard to figure out what could be happening here without getting a view of the *entire* script... I assume this is just an excerpt from it, due to the missing policies and POSTROUTING, etc...
Quote:
I can ping by name and ip so what does that mean?
Depends... are you referring to Web hosts or hosts on your LAN?? If on your LAN, they could be getting read from /etc/hosts or something, so it wouldn't be an indicator that DNS is properly working... In any case, if you're using squid, make sure you double-check its config for your host in your DMZ...
Last edited by win32sux; 12-29-2006 at 04:42 AM.
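The point made in reply #5, written out as a minimal DMZ rule set. This is an added example, not code from the original thread: on $EXTIF the packet still carries the firewall's public address, so the DNAT match has to use that address (here EXT_IP, an assumed value, like the interface names eth0/eth1/eth2), and the FORWARD rule then matches the post-DNAT destination $DMZ_PC_IP. It also supplies the default FORWARD policy and the POSTROUTING SNAT that reply #5 notes are missing from the excerpt, and lets the DMZ reach the private LAN only with replies. Set IPTABLES=echo (or run it with the dry-run argument) to print the rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses and interface
# names below are assumptions; override them in the environment.
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"        # assumed public address (documentation range)
INTIF="${INTIF:-eth2}"                  # private LAN side
DMZ_IFACE="${DMZ_IFACE:-eth1}"
DMZ_LAN="${DMZ_LAN:-192.168.2.0/27}"
DMZ_IP="${DMZ_IP:-192.168.2.1}"         # firewall's address on the DMZ
DMZ_PC_IP="${DMZ_PC_IP:-192.168.2.30}"  # host that receives all inbound traffic

dmz_rules() {
    # Default deny for traffic transiting the firewall.
    $IPTABLES -P FORWARD DROP
    # One stateful return-path rule covers every direction below.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ -> Internet: new outbound flows (web, DNS to the ISP, game traffic).
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$EXTIF" -s "$DMZ_LAN" -m state --state NEW -j ACCEPT
    # LAN -> DMZ may open connections; DMZ -> LAN gets replies only, so a
    # compromised DMZ host cannot initiate connections into the private LAN.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$DMZ_IFACE" -m state --state NEW -j ACCEPT
    # Outbound DMZ traffic leaves with the public address as its source.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$DMZ_LAN" -j SNAT --to-source "$EXT_IP"
    # Inbound: PREROUTING sees the PUBLIC address, so match on EXT_IP, not DMZ_IP ...
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_IP" -p tcp -j DNAT --to-destination "$DMZ_PC_IP"
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_IP" -p udp -j DNAT --to-destination "$DMZ_PC_IP"
    # ... and FORWARD runs after DNAT, so it sees the rewritten destination.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -d "$DMZ_PC_IP" -p tcp -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -d "$DMZ_PC_IP" -p udp -m state --state NEW -j ACCEPT
}

# Print the rules instead of applying them (subshell keeps IPTABLES=echo local).
dry_run() {
    (IPTABLES=echo; dmz_rules)
}

# Sanity check on the generated rules: every DNAT rule must match the public
# address and none may match the DMZ gateway address. Returns 0 when correct.
check_dnat_targets() {
    dnat=$(dry_run | grep -- '-j DNAT')
    [ -n "$dnat" ] || return 1
    printf '%s\n' "$dnat" | grep -qv -- "-d $EXT_IP" && return 1
    printf '%s\n' "$dnat" | grep -q -- "-d $DMZ_IP" && return 1
    return 0
}

case "${1:-}" in
    apply)   dmz_rules ;;
    dry-run) dry_run ;;
esac
```

Usage: `sh dmz.sh dry-run` lists the rules; `sh dmz.sh apply` installs them (as root). The script does not flush existing chains, so load it on a clean ruleset or add your own `-F` lines first.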
#6 | 12-29-2006, 10:42 AM | metallica1973 (Original Poster) | Senior Member | Registered: Feb 2003 | Location: Washington D.C. | Posts: 2,190
On that interface (eth1) of the DMZ I have DHCPD doing the IP assignment, and it assigns the external DNS servers as well. When I plug my laptop into the switch that is connected to eth1 (DMZ), it grabs the IP, which in this case is 192.168.2.30, the DMZ_PC_IP in my script. From there I attempt to go to the internet, and you can see in the browser that it has found the website but cannot get into my DMZ to respond. From the command prompt I can ping google.com or linuxquestions.com, or by IP address, and it replies fine. I am using Squid, but it is on another subnet (192.168.3.0). Maybe this will clarify what I am trying to say. I just want to simply put a PC, a PlayStation, or my VOIP phones on that DMZ and have them work. Help!