Hello,

I've been trying to build a simple firewall with a DMZ for a
web server.
x.x.x.x is the local single static IP, y.y.y.y is the gateway IP,
z.z.z.z is the broadcast.
Outward access is working (IP and DNS). Currently the DNS servers
I use are the cable modem company's, and they work just fine,
for now. I can download packages and ebuilds just fine. Access
to the mail servers outside the network works just fine.

Note: I have an OpenBSD firewall with a DMZ & web server, and all
works just fine. It's disconnected while I try to get this Gentoo
firewall working with the same web server and other LAN components.

Following this simple example:
http://www.gentoo.org/doc/en/home-router-howto.xml

Here's what I did to add a DMZ-based web server:

A. (3) ethernet interfaces are set up via ifconfig and are working.

B. /etc/conf.d/net
I added these lines:
iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
iface_eth2="x.x.x.x broadcast z.z.z.z netmask 255.255.255.252"
routes_eth2=( "default gw y.y.y.y" )

C. And here's the iptables portion:
Start with 'iptables -F' and 'iptables -t nat -F'

export LAN=eth0
export DMZ=eth1
export WAN=eth2
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

D. Next:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

E. And finishing with:
/etc/init.d/iptables save
rc-update add iptables default
vi /etc/sysctl.conf
Add/uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Questions
Step C, Question 1:

The rule I added:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

does not give access to the web server, either from the outside
internet or from the internal LAN. Can somebody fix the rule
or tell me what I've done wrong or what is additionally needed?

Here are the error messages:
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `DNAT'

Question 2:
Where are the config files built by iptables (filter, nat, mangle,
raw), and is it OK to just edit these manually, trying various rules
and testing the results? Any other files to edit directly?

I've read about shorewall, but I prefer to
edit these files (and any others I have missed) directly
while I learn/test the features of iptables/netfilter. Shorewall
or any other GUI is for later, when I've developed a
certain confidence
via understanding how iptables/netfilter works.

This is only a simple network I'm setting up, mostly to
learn about iptables/netfilter. Any help or comments are appreciated. I intend
to slowly add features and rules and to test along the way, so as
to satisfy my curiosity while learning firewalling on Linux-based systems.

James

--
gentoo-user@g.o mailing list
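An added example, not code from James's post or from the Gentoo howto: a POSIX sh script that builds a three-interface DMZ ruleset through one function, refuses to load anything while an interface variable is empty (an empty ${WAN} is exactly what makes iptables read `-j' as the interface name, as in the warning above), and accepts the DNATed port-80 flow in FORWARD explicitly rather than relying on a broad 192.168.0.0/16 rule. It assumes eth0/eth1/eth2 as in the post, 192.168.3.11 as the web server's DMZ address, and that IPT=echo is used for a dry run.

```shell
#!/bin/sh
# Added example (not from the post or the Gentoo howto): builds the
# three-interface DMZ ruleset through one function. Interface names and
# the web server address follow the post; everything else is assumed.
set -eu

LAN=${LAN:-eth0}
DMZ=${DMZ:-eth1}
WAN=${WAN:-eth2}
WEB=${WEB:-192.168.3.11}   # assumed address of the DMZ web server
IPT=${IPT:-iptables}       # set IPT=echo to print the rules instead

# Refuse to load anything while an interface variable is empty: with an
# empty ${WAN}, "-i ${WAN} -j DNAT" hands "-j" to -i as the interface
# name and iptables complains about a weird character in the interface.
check_ifaces() {
    for v in LAN DMZ WAN; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is empty" >&2; return 1; }
    done
}

rule() { "$IPT" "$@"; }

build_rules() {
    check_ifaces
    rule -F; rule -t nat -F
    rule -P INPUT DROP; rule -P FORWARD DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -i "$LAN" -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may start connections anywhere, including to the DMZ host;
    # the DMZ and WAN sides only get replies unless a rule below allows more.
    rule -A FORWARD -i "$LAN" -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT only rewrites the destination; the rewritten packet must still
    # pass FORWARD, so accept exactly that flow and nothing wider.
    rule -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 -j ACCEPT
    rule -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    rule -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
}

# Load only when asked to, so the functions can be sourced and inspected.
case "${1:-}" in --load) build_rules ;; esac
```

Run it as `IPT=echo sh dmz.sh --load` first to review the generated rules, then without IPT set to load them.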