LinuxQuestions.org > Forums > Linux Forums > Linux - Security

#1  metallica1973  (12-27-2006, 08:05 PM)

IPTABLES DMZ Rules

Can someone show the correct way to add a DMZ to my network using IPTABLES and the example below

Here is my network

Code:
firewall/DNS/Squid/Dansguardian Server - - - - DMZ - - - Kids (192.168.2.0)
   |
Squid/Dansguardian Server (192.168.3.0)
   |
RADIUS Server (192.168.3.0)
   |
Wireless LAN (192.168.3.0) (Private)
Code:
# DMZ addressing ($IPTABLES, $EXTIF, $INTIF and the ICMPINBOUND chain are
# assumed to be defined elsewhere in the script; this is an excerpt)
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth1"
DMZ_IP="192.168.2.1"
DMZ_PC_IP="192.168.2.30"

# DMZ hosts may talk to the firewall's own DMZ address
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# DMZ -> Internet: anything out, only replies back in
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internal LAN -> DMZ: anything in, only replies back out
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> the single published DMZ host (seen here after DNAT)
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP -j ICMPINBOUND
# Port-forward inbound traffic to the DMZ host
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP

I cannot imagine anything more to be done to allow me to get out to the internet from my DMZ. I want to place a PS2 in this DMZ.

#2  metallica1973 (Original Poster)  (12-28-2006, 06:14 PM)
I connected a laptop to the DMZ and I can ping external IP addresses and domain names, but I cannot use a web browser to get to any websites. I don't understand.

#3  fotoguy  (12-28-2006, 09:08 PM)
If pings can get out but web pages are not working, it sounds like a DNS issue. Have you set the DNS server1 address to the address of the DMZ interface?

#4  metallica1973 (Original Poster)  (12-28-2006, 11:34 PM)
I have an internal DNS server that is not working, so I just wanted to use my ISP's DNS server. What would I need to add to my firewall to allow DNS entries to be answered by my ISP and not my internal DNS?

Another note:

I can ping by name and IP, so what does that mean?
#5  win32sux  (12-29-2006, 04:39 AM)
Quote:
Originally Posted by metallica1973
Code:
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth1"
DMZ_IP="192.168.2.1"
DMZ_PC_IP="192.168.2.30"

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT  
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP --dport 1:65000 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $EXTIF -o $DMZ_IFACE -d $DMZ_PC_IP -j ICMPINBOUND
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 1:65000 -j DNAT --to-destination $DMZ_PC_IP
those PREROUTING rules don't seem right... why would a packet coming into the external interface have the destination address of the DMZ interface?? it doesn't get that address until *after* it's sent to DNAT (right before it goes into the FORWARD chain)...

it's hard to figure out what could be happening here without getting a view of the *entire* script... i assume this is just an excerpt from it due to the missing policies and POSTROUTING, etc...

Quote:
I can ping by name and ip so what does that mean?
depends... are you referring to Web hosts or hosts on your LAN?? if on your LAN, they could be getting read from /etc/hosts or something, so it wouldn't be an indicator that DNS is properly working... in any case, if you're using squid, make sure you double-check its config for your host in your DMZ...
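The point win32sux is making about PREROUTING, written out as a complete ruleset of the kind he asks to see (policies, state handling and the nat table together). This is an added example, not the original poster's script and not something from the thread: the DMZ addresses and interface come from the post, while the outside/inside interface names (eth0, eth2), the internal subnet mask and the public address 203.0.113.5 (RFC 5737 documentation range) are assumptions. By default it only prints the commands so they can be reviewed; run it as root with IPT=iptables to apply.

```shell
#!/bin/sh
# Added example, not the thread's script: a DMZ ruleset with the PREROUTING
# match corrected. In dry-run mode (the default) it prints the commands;
# run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Addressing. Only the 192.168.2.x values are from the thread; the other
# interface names, the internal mask and the public address are assumed.
EXTIF="eth0";     EXT_IP="203.0.113.5"
INTIF="eth2";     INT_LAN="192.168.3.0/24"
DMZ_IFACE="eth1"; DMZ_LAN="192.168.2.0/27"; DMZ_IP="192.168.2.1"
DMZ_PC_IP="192.168.2.30"
# Ports published from the outside to the DMZ host. The thread uses 1:65000;
# keep this as narrow as the device allows: DNAT in PREROUTING runs before
# INPUT, so a blanket range also captures connections meant for the
# firewall itself (e.g. ssh to the public address).
DMZ_PUBLISH="1:65000"

build_dmz_rules() {
    # Default-deny for traffic to and through the firewall.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # --- INPUT: the firewall's own services ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ hosts may reach the firewall's DMZ address (DHCP, DNS, Squid...).
    $IPT -A INPUT -i "$DMZ_IFACE" -s "$DMZ_LAN" -d "$DMZ_IP" -j ACCEPT
    $IPT -A INPUT -i "$INTIF" -s "$INT_LAN" -j ACCEPT
    # Add INPUT rules for anything that must be reachable from $EXTIF.

    # --- FORWARD: one state rule covers all return traffic ---
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ -> Internet, which includes DNS queries to the ISP's resolvers.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$EXTIF" -s "$DMZ_LAN" -m state --state NEW -j ACCEPT
    # Internal LAN -> DMZ is allowed; DMZ -> internal LAN is not (that is
    # the point of a DMZ), so there is deliberately no DMZ->INTIF NEW rule.
    $IPT -A FORWARD -i "$INTIF" -o "$DMZ_IFACE" -s "$INT_LAN" -d "$DMZ_LAN" -m state --state NEW -j ACCEPT
    # Internet -> published DMZ host. FORWARD is evaluated after DNAT, so
    # matching on the DMZ host's private address is correct here.
    $IPT -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -p tcp -d "$DMZ_PC_IP" --dport "$DMZ_PUBLISH" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -p udp -d "$DMZ_PC_IP" --dport "$DMZ_PUBLISH" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -p icmp -d "$DMZ_PC_IP" --icmp-type echo-request -j ACCEPT
    # Log what falls through, so a browser that hangs shows up as a dropped SYN.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # --- NAT ---
    # PREROUTING sees the packet as it arrives from the outside: its
    # destination is the public address, not the DMZ interface address.
    # A rule that matches -d $DMZ_IP here never fires.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_IP" -p tcp --dport "$DMZ_PUBLISH" -j DNAT --to-destination "$DMZ_PC_IP"
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXT_IP" -p udp --dport "$DMZ_PUBLISH" -j DNAT --to-destination "$DMZ_PC_IP"
    # Outbound from the DMZ needs source NAT to come back at all; without
    # it replies are sent to an unroutable 192.168.2.x address.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$DMZ_LAN" -j MASQUERADE
}

build_dmz_rules
```

The dry-run output loses shell quoting (the LOG prefix is printed bare), so treat it as something to read, not to paste; apply with `IPT=iptables sh dmz.sh` as root. If the public address is static, `SNAT --to-source $EXT_IP` in POSTROUTING is cheaper than MASQUERADE and keeps conntrack entries across interface flaps.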

#6  metallica1973 (Original Poster)  (12-29-2006, 10:42 AM)
On that interface (eth1) of the DMZ I have DHCPD doing the IP assignment, and it assigns the external DNS servers as well. When I plug my laptop into the switch that is connected to eth1 (DMZ), it grabs the IP, which in this case is 192.168.2.30, the DMZ_PC_IP in my script. From there I attempt to go to the internet, and you can see on the browser where it has found the website but cannot get into my DMZ to respond. From the command prompt I can ping google.com or linuxquestions.com or by IP address and it replies fine. I am using Squid, but it is on another subnet (192.168.3.0). Maybe this will clarify what I am trying to say. I just want to simply put a PC, a PlayStation, or my VOIP phones on that DMZ and have them work. Help
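A way to tell the two failure modes in this thread apart from the laptop on the DMZ: fotoguy's "name does not resolve" versus what the original poster describes, where the name resolves and ping works but the browser never gets an answer. This is an added example, not from any poster; the function names are mine, and it assumes bash (for /dev/tcp) and coreutils `timeout` are on the client.

```shell
#!/bin/sh
# Added example (not from the thread): run on the laptop in the DMZ to
# separate "DNS is broken" from "DNS works but TCP/80 never comes back".
# Function names are my own; bash and coreutils timeout are assumed present.

# Print the first address the resolver returns for a name; fail if none.
dns_resolves() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Plain TCP connect to host $1, port $2 (timeout $3 seconds, default 5).
# bash's /dev/tcp is used so nothing beyond bash is needed on the client;
# a refused connection and a silently dropped SYN both return non-zero.
tcp_reachable() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Verdict for name $1 on port $2 (default 80):
#   dns-fail     -> the name does not resolve (fotoguy's diagnosis)
#   tcp-blocked  -> ping gets through, the TCP SYN or its reply does not
#   unreachable  -> neither ICMP nor TCP gets an answer
#   ok           -> the connection completes
diagnose() {
    ip=$(dns_resolves "$1") || { echo dns-fail; return 2; }
    if tcp_reachable "$ip" "${2:-80}"; then echo ok; return 0; fi
    if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then echo tcp-blocked; return 3; fi
    echo unreachable; return 4
}

# Usage: sh dmz-check.sh www.example.com
if [ $# -gt 0 ]; then diagnose "$1" 80; fi
```

A `tcp-blocked` verdict with a working ping means the resolver is not the problem: either the SYN is dropped on the way out (check the FORWARD chain and any transparent REDIRECT of port 80 to the proxy) or the reply is dropped on the way back (missing SNAT/MASQUERADE for the DMZ subnet). A LOG rule at the end of FORWARD on the firewall shows which.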