Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Network B 172.16.0.0/16, a mail_server on this network 172.16.15.10
Network A 10.2.5.0/24, VPN server on 10.2.5.3, terminal server on 10.2.5.5 and several stations.
There's a firewall with external interface 172.16.0.1 and internal interface 10.2.5.1.
Question:
I'd like to configure the firewall using iptables so that
an external user from 172.16.0.0/16 connects to the VPN server and uses services on the Terminal server,
a transparent proxy is configured on the firewall box, and
internal users are only masqueraded to use SMTP on the external network.
If you have a couple of spare computers to set up as firewalls, I would suggest downloading a copy of Smoothwall 2.0 or IPCop 1.4. It's not the same as configuring iptables yourself, but it's an option if you need something up and running quickly without any fuss. They both contain VPN servers and are easy to set up; they have easy-to-follow setup and a web-based GUI. The bootable ISOs will completely wipe all information from the hard drives, and will fit onto a drive as small as 500 MB.
This configuration uses NAT, which will hide Network A from Network B (the entire Network A will be seen as the external IP of the firewall), as all traffic undergoes NAT.
From network B, the VPN and Terminal Server will be seen as 172.16.0.1.
The alternative is to not use NAT and set up routes and FORWARD rules for your firewall.
The following are rules similar to what you will need as the basics, although there are probably a few other rules you will need to have for your configuration to work. I normally put all the rules into a script that flushes iptables and then adds my custom rules.
Assuming external interface = eth0
#----------#
#NAT incoming traffic
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 10.2.5.3:1723
iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.2.5.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.2.5.5:3389
#NAT outgoing traffic
# add "-p tcp --dport 25" before "-j SNAT" to only perform NAT on smtp traffic (--dport needs a protocol match)
iptables -t nat -A POSTROUTING -o eth0 -s 10.2.5.0/24 -j SNAT --to-source 172.16.0.1
If you do not need to use NAT on the entire Network A, just use "iptables -A FORWARD ... -j ACCEPT" in the above rules instead of "iptables -t nat -A PREROUTING ... -j DNAT --to ...".
You will also need to enable forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward), and either configure forwarding rules or set your default forward policy to ACCEPT (iptables -P FORWARD ACCEPT). Obviously there are some security issues with doing this.
You will need the following in squid for transparent proxying:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on
Also check that squid is configured to listen on port 3128 (or adjust the firewall's 'REDIRECT' rule to use squid's port), and create an ACL to allow the LAN to browse.
You cannot transparently proxy HTTPS traffic.
example acl:
acl lan src 10.2.5.0/24
http_access allow lan
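The post above lists the rules piecemeal and mentions keeping them in a script that flushes iptables first. As an added example (my own script, not brettcave's and not from the thread), here is such a script for this thread's topology: it combines the DNAT rules for the VPN and terminal server, the SMTP-only SNAT the original poster asked for, the squid REDIRECT rule the post refers to but does not show, and a default-deny FORWARD policy with explicit accepts instead of "-P FORWARD ACCEPT". It assumes eth0 is the external interface (as in the post) and eth1 the internal one (the thread never names it), that squid listens on 3128, and a DRY_RUN variable of my own that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not brettcave's own script: flush iptables and rebuild the rules for the
# thread's topology (external 172.16.0.0/16 on eth0, LAN 10.2.5.0/24, VPN server 10.2.5.3,
# terminal server 10.2.5.5, mail server 172.16.15.10). Run as "sh fw.sh apply" on the
# firewall, or "DRY_RUN=1 sh fw.sh apply" to print the commands without touching the kernel.
EXT_IF="eth0"          # external interface, as assumed in the post
INT_IF="eth1"          # assumption: internal interface name (the thread never names it)
EXT_IP="172.16.0.1"
LAN="10.2.5.0/24"
VPN_SRV="10.2.5.3"
TS_SRV="10.2.5.5"
MAIL_SRV="172.16.15.10"
SQUID_PORT="3128"      # squid's default http_port, which the post says to check

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

flush_rules() {
    for t in filter nat; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

# Default-deny forwarding instead of "-P FORWARD ACCEPT": only reply traffic and the
# flows listed below may cross the firewall.
set_policies() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Inbound: PPTP (tcp/1723 plus GRE) to the VPN server and RDP to the terminal server,
# DNAT as in the post, each paired with the FORWARD accept it needs under a DROP policy.
inbound_services() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 1723 -j DNAT --to "$VPN_SRV:1723"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p gre -j DNAT --to "$VPN_SRV"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$VPN_SRV" -p tcp --dport 1723 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$VPN_SRV" -p gre -j ACCEPT
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 3389 -j DNAT --to "$TS_SRV:3389"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$TS_SRV" -p tcp --dport 3389 -j ACCEPT
}

# Outbound: only SMTP from the LAN to the mail server is masqueraded and forwarded.
outbound_smtp_only() {
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -d "$MAIL_SRV" -p tcp --dport 25 -j SNAT --to-source "$EXT_IP"
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -d "$MAIL_SRV" -p tcp --dport 25 -j ACCEPT
}

# Transparent proxy: LAN port-80 traffic is redirected to squid on this box, and the
# box accepts it. Port 443 is not redirected; HTTPS cannot be transparently proxied this way.
transparent_proxy() {
    ipt -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

apply_firewall() {
    flush_rules
    set_policies
    inbound_services
    outbound_smtp_only
    transparent_proxy
    enable_forwarding
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Because the FORWARD policy is DROP, every DNAT rule here has a matching FORWARD accept; without it the packet is rewritten in PREROUTING and then dropped, which is the usual reason a "working" NAT rule appears to do nothing after switching away from "-P FORWARD ACCEPT". Run it with DRY_RUN=1 first and read the printed rule list before applying it to a box you are logged into remotely.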
Originally posted by brettcave:
This configuration uses NAT, which will hide Network A from Network B (the entire Network A will be seen as the external IP of the firewall), as all traffic undergoes NAT.
From network B, the VPN and Terminal Server will be seen as 172.16.0.1.
[...]
Thanks for your reply.
I already have configured ipfilters myself with the help of examples found on the web.