LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-10-2004, 12:38 PM   #1
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Rep: Reputation: 0
Setting up firewall and internal vpn server


Hi,

I've got the following setup:

Network B 172.16.0.0/16, a mail_server on this network 172.16.15.10
Network A 10.2.5.0/24 , VPN server on 10.2.5.3, terminal server on 10.2.5.5 and several stations.

There's firewall with external interface 172.16.0.1 and internal interface 10.2.5.1 .

Question:

I'd like to configure firewall using iptables so that

external user from 172.16.0.0/16 connects to VPN server and uses services on Terminal server.

configure transparent proxy on firewall box and

internal users should only be masqueraded to use smtp on external network.

Any help would be appreciated.
 
Old 12-27-2004, 12:32 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,286

Rep: Reputation: 62
If you have a couple of spare computers to setup as firewalls, i would suggest downloading a copy of Smoothwall 2.0 or Ipcop 1.4, not the same as configuring iptalbes yourself, but if you need something up and runnig quickly without any fuss. They both contain vpn servers and are easy to setup, they have easy to follow setup and a web-based GUI. The bootable iso's will completely wipe all information from the hard drives, and will fit onto a drive as small as 500 MG.
 
Old 12-27-2004, 01:06 AM   #3
brettcave
LQ Newbie
 
Registered: Aug 2004
Location: Johannesburg, South Africa
Distribution: Mandrake, RH, Fedora
Posts: 22

Rep: Reputation: 15
This configuration uses nat, which will hide Network A from Network B (the entire Network A will be seen as the external ip of the firewall), as all traffic undergoes NAT.
From network B, the VPN and Terminal Server will be seen as 172.16.0.1

The alternative is to not use NAT and set up routes and FORWARD rules for your firewall.

The following are rules similar to what you will need as the basics, although there are probably a few other rules you will need to have for your configuration to work. I normally put all the rules into a script that flushes iptables and then adds my custom rules.
Assuming external interface = eth0
#----------#
#NAT incoming traffic
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 10.2.5.3:1723
iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.2.5.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.2.5.5:3389

#NAT outgoing traffic
# add "--dport 25" before "-j SNAT" to only perform NAT on smtp traffic
iptables -t nat -A POSTROUTING -o eth0 -s 10.2.5.0/24 -j SNAT --to-source 172.16.0.1

#Transparent proxy
iptables -t nat -A PREROUTING -s 10.2.5.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 10.2.5.0 -p tcp --dport 80 -j DROP
#-----------#


If you do not need to use NAT on the entire NETWORK A, just use "iptables -A FORWARD ...-j ACCEPT" in the above rules instead of "iptables -t nat -A PREROUTING ... -j DNAT --to ...."

You will also need to enable forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward), and either configure forwarding rules or set your default forward policy to ACCEPT (iptables -P FORWARD ACCEPT). Obviously there are some security issues with doing this.


You will need the following in squid for transparent:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

Also check that squid is configured to listen on port 3128 (or adjust firewall rule 'REDIRECT' to use squid port), and create an acl to allow lan to browse.
You cannot transparent proxy https traffic.
example acl:
acl lan src 10.2.5.0/24
http_access allow lan
 
Old 12-27-2004, 03:16 AM   #4
alon005
LQ Newbie
 
Registered: Oct 2004
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by brettcave
[B]This configuration uses nat, which will hide Network A from Network B (the entire Network A will be seen as the external ip of the firewall), as all traffic undergoes NAT.
From network B, the VPN and Terminal Server will be seen as 172.16.0.1

The alternative is to not use NAT and set up routes and FORWARD rules for your firewall.

The following are rules similar to what you will need as the basics, although there are probably a few other rules you will need to have for your configuration to work. I normally put all the rules into a script that flushes iptables and then adds my custom rules.
Assuming external interface = eth0
#----------#
#NAT incoming traffic
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to 10.2.5.3:1723
iptables -t nat -A PREROUTING -i eth0 -p gre -j DNAT --to 10.2.5.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 10.2.5.5:3389

#NAT outgoing traffic
# add "--dport 25" before "-j SNAT" to only perform NAT on smtp traffic
iptables -t nat -A POSTROUTING -o eth0 -s 10.2.5.0/24 -j SNAT --to-source 172.16.0.1

#Transparent proxy
iptables -t nat -A PREROUTING -s 10.2.5.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 10.2.5.0 -p tcp --dport 80 -j DROP
#-----------#


If you do not need to use NAT on the entire NETWORK A, just use "iptables -A FORWARD ...-j ACCEPT" in the above rules instead of "iptables -t nat -A PREROUTING ... -j DNAT --to .
Thanks for your reply.

I already have configured ipfilters myself with the help of examples found on the web.

Here's the script I wrote:

http://users.tpg.com.au/galutva/fwconf.sh
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Setting up a VPN server bykte Linux - Networking 2 05-11-2005 02:48 PM
vpn server behind suse firewall gem124 Linux - Networking 1 03-30-2005 07:57 PM
Running internal DNS server with Astaro firewall jester_69 Linux - Security 0 01-20-2005 07:47 PM
Firewall and VPN server pilipk01 Linux - Security 2 08-26-2004 09:16 AM
I have a firewall. I want to configure a vpn server. How do I this Sergiu Linux - Newbie 0 04-13-2004 10:04 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration