Hi,

I've been trying to configure LEAF Dachstein CD to firewall 5 IP 
addresses. I have tried several configurations but cannot get the 
beast to work. I have changed the IP's and removed the comments to 
make it a shorter message... I hope those who may help are okay with 
this.

Here is what I have:
        Router/firewall with 3 NIC's.
        Five (5) class C static IP's  i.e. 231.123.123.242:245
        ISP Gateway 231.123.123.246
        2 servers on DMZ
                192.168.71.242 WWW & SSH
                192.168.71.243 SSH (SQL for WWW)

What I'm trying to do is this:
        DMZ the two servers
        NAT to workstations on 192.168.70.0/24 (each w/static IP)

With the following configuration, I get an ipchains table which I 
have condensed and added below. I have removed the packet counts and 
the logging options except for the one '!y' in the forwarding 
section. When I test this and other configs, using
        ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www

I get a deny, even though the chains list shows
        ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 80

I'm thinking the problem is a line lower down which states:

        DENY       all     eth0    0/0      0/0      n/a

Soooo, have I messed up and not set something right or am I just a 
loonie and should go back to some basket weaving... or is there a 
problem with a script (I tried to figure them out but I have a ways 
to go before I get into that).

Thanks in advance for any and all assistance!

Scott

------- begin  naked /etc/network.conf -------------


VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
IF_AUTO="eth0 eth1 eth2"
IF_LIST="$IF_AUTO"
ALLIF_ACCEPT_REDIRECTS=YES
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=NO
BRG_EXEMPT_PROTOS=""


eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.241
eth0_IP_EXTRA_ADDRS="231.123.123.242
                        231.123.123.243
                        231.123.123.244
                        231.123.123.245"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO

eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

IPFILTER_SWITCH=firewall
SNMP_BLOCK=YES
MRK_CRIT=1
MRK_IA=2
EXTERN_IF="eth0"
EXTERN_DHCP=NO

# nothing added via this mechanism _yet_
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# open external ports
EXTERN_ICMP_PORT0="0/0 : 192.168.70.0/24"
EXTERN_ICMP_PORT1="0/0 : 192.168.71.0/24"
EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORT0="0/0 53 231.123.123.0/24"
EXTERN_TCP_PORT1="0/0 80 231.123.123.242"
EXTERN_TCP_PORT2="0/0 22 231.123.123.242"
EXTERN_TCP_PORT3="0/0 222 231.123.123.243"

INTERN_IF="eth1"
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254

MASQ_SWITCH=YES
NOMASQ_DEST="tcp_0/0_ssh"
NOMASQ_DEST_BYPASS="tcp_231.123.123.240/29_ssh"

DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.71.0/24
DMZ_SRC=231.123.123.240/29
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
                tcp_${DMZ_NET}_domain
                icmp_${DMZ_NET}_:
                tcp_${DMZ_NET}_22
                tcp_192.168.71.242_80"

DMZ_SERVER0="udp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER2="tcp 231.123.123.242 www 192.168.71.242 www"
DMZ_SERVER3="tcp 231.123.123.242 ssh 192.168.71.242 ssh"
DMZ_SERVER4="tcp 231.123.123.243 222 192.168.71.243 22"
DMZ_OUTBOUND_ALL=YES

------- end  naked /etc/network.conf -------------

------- begin ipchains -L -n -v > compressed.txt -------------

Chain input
target     prot    ifname  source         dest           ports
DENY       icmp    *       0/0      0/0      5 -> *
DENY       icmp    *       0/0      0/0      13 -> *
DENY       icmp    *       0/0      0/0      14 -> *
DENY       all     eth0    0.0.0.0       0/0      n/a
DENY       all     eth0    255.255.255.255      0/0      n/a
DENY       all     eth0    127.0.0.0/8          0/0      n/a
DENY       all     eth0    224.0.0.0/4          0/0      n/a
DENY       all     eth0    10.0.0.0/8           0/0      n/a
DENY       all     eth0    172.16.0.0/12        0/0      n/a
DENY       all     eth0    192.168.0.0/16       0/0      n/a
DENY       all     eth0    0.0.0.0/8      0/0      n/a
DENY       all     eth0    128.0.0.0/16         0/0      n/a
DENY       all     eth0    191.255.0.0/16       0/0      n/a
DENY       all     eth0    192.0.0.0/24         0/0      n/a
DENY       all     eth0    223.255.255.0/24     0/0      n/a
DENY       all     eth0    240.0.0.0/4          0/0      n/a
DENY       all     eth0    192.168.70.0/24      0/0      n/a
DENY       all     eth0    192.168.71.0/24      0/0      n/a
DENY       all     eth0    231.123.123.241       0/0      n/a
DENY       all     eth0    231.123.123.242       0/0      n/a
DENY       all     eth0    231.123.123.243       0/0      n/a
DENY       all     eth0    231.123.123.244       0/0      n/a
DENY       all     eth0    231.123.123.245       0/0      n/a
REJECT     all     eth0    0/0      127.0.0.0/8           n/a
REJECT     all     eth0    0/0      192.168.70.0/24       n/a
REJECT     tcp     eth0    0/0      0/0      * -> 137
REJECT     tcp     eth0    0/0      0/0      * -> 135
REJECT     udp     eth0    0/0      0/0      * -> 137
REJECT     udp     eth0    0/0      0/0      * -> 135
REJECT     tcp     eth0    0/0      0/0      * -> 138:139
REJECT     udp     eth0    0/0      0/0      * -> 138
REJECT     udp     eth0    0/0      0/0      137:138 -> *
REJECT     udp     eth0    0/0      0/0      135 -> *
REJECT     tcp     eth0    0/0      0/0      137:139 -> *
REJECT     tcp     eth0    0/0      0/0      135 -> *
ACCEPT     all     eth0    0/0      192.168.71.0/24       n/a
ACCEPT     tcp     eth0    0/0      231.123.123.0/24       * -> 53
ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 80
ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 22
ACCEPT     tcp     eth0    0/0      231.123.123.243        * -> 222
REJECT     tcp     eth0    0/0      0/0      * -> 113
ACCEPT     tcp     eth0    0/0      0/0      * -> 1024:65535
REJECT     udp     eth0    0/0      0/0      * -> 161:162
ACCEPT     udp     eth0    0/0      0/0      * -> 53
DENY       udp     eth0    0/0      0/0      * -> 67
ACCEPT     udp     eth0    0/0      0/0      * -> 1024:65535
ACCEPT     icmp    eth0    0/0      0/0      * -> *
ACCEPT     icmp    eth0    0/0      192.168.70.0/24       * -> *
ACCEPT     icmp    eth0    0/0      192.168.71.0/24       * -> *
ACCEPT     ospf    eth0    0/0      0/0      n/a
DENY       all     eth0    0/0      0/0      n/a
REJECT     udp     *       0/0      0/0      * -> 161:162
REJECT     udp     *       0/0      0/0      161:162 -> *
ACCEPT     all     *       0/0      0/0      n/a

Chain forward
target     prot      ifname  source         dest           ports
DENY       icmp    *       0/0      0/0      5 -> *
MASQ       tcp     *       192.168.70.0/24      231.123.123.240/29     * -> 22
REJECT     tcp     *       192.168.70.0/24      0/0      * -> 22
MASQ       all     eth2    192.168.70.0/24      192.168.71.0/24       n/a
REJECT     tcp     eth2    0/0      192.168.71.0/24       * -> 6000:6004
REJECT     tcp     eth2    0/0      192.168.71.0/24       * -> 7100
ACCEPT     udp     eth2    0/0      192.168.71.0/24       * -> 53
ACCEPT     tcp     eth2    0/0      192.168.71.0/24       * -> 53
ACCEPT     icmp    eth2    0/0      192.168.71.0/24       * -> *
ACCEPT     tcp     eth2    0/0      192.168.71.0/24       * -> 22
ACCEPT     tcp     eth2    0/0      192.168.71.242        * -> 80
ACCEPT     tcp  !y eth2    0/0      192.168.71.0/24       * -> 1024:65535
ACCEPT     icmp    eth2    0/0      192.168.71.0/24       * -> *
ACCEPT     tcp     eth0    192.168.71.0/24      0/0      * -> *
ACCEPT     icmp    eth0    192.168.71.0/24      0/0      * -> *
ACCEPT     udp     eth0    192.168.71.0/24      0/0      53 -> *
MASQ       udp     eth0    192.168.71.0/24      0/0      * -> *
MASQ       all     eth0    192.168.70.0/24      0/0      n/a
DENY       all     eth2    0/0      192.168.71.0/24       n/a
DENY       all     *       0/0      0/0      n/a

Chain output
target     prot    ifname  source        dest           ports
fairq      all     *       0/0      0/0      n/a
DENY       all     eth0    0.0.0.0       0/0      n/a
DENY       all     eth0    255.255.255.255      0/0      n/a
DENY       all     eth0    127.0.0.0/8          0/0      n/a
DENY       all     eth0    224.0.0.0/4          0/0      n/a
DENY       all     eth0    10.0.0.0/8           0/0      n/a
DENY       all     eth0    172.16.0.0/12        0/0      n/a
DENY       all     eth0    192.168.0.0/16       0/0      n/a
DENY       all     eth0    0.0.0.0/8      0/0      n/a
DENY       all     eth0    128.0.0.0/16         0/0      n/a
DENY       all     eth0    191.255.0.0/16       0/0      n/a
DENY       all     eth0    192.0.0.0/24         0/0      n/a
DENY       all     eth0    223.255.255.0/24     0/0      n/a
DENY       all     eth0    240.0.0.0/4          0/0      n/a
DENY       all     eth0    192.168.70.0/24      0/0      n/a
REJECT     tcp     eth0    0/0      0/0      * -> 137
REJECT     tcp     eth0    0/0      0/0      * -> 135
REJECT     udp     eth0    0/0      0/0      * -> 137
REJECT     udp     eth0    0/0      0/0      * -> 135
REJECT     tcp     eth0    0/0      0/0      * -> 138:139
REJECT     udp     eth0    0/0      0/0      * -> 138
REJECT     udp     eth0    0/0      0/0      137:138 -> *
REJECT     udp     eth0    0/0      0/0      135 -> *
REJECT     tcp     eth0    0/0      0/0      137:139 -> *
REJECT     tcp     eth0    0/0      0/0      135 -> *
ACCEPT     all     *       0/0      0/0      n/a

Chain dmzSpoof
target     prot    ifname  source        dest           ports
RETURN     all     *       231.123.123.241       0/0      n/a
RETURN     all     *       231.123.123.241       0/0      n/a
DENY       all     *       0/0      0/0      n/a

Chain dmzIn
target     prot    ifname source        dest           ports
RETURN     all     *      0/0      231.123.123.241        n/a
RETURN     all     *      0/0      231.123.123.241        n/a
ACCEPT     all     *      0/0      0/0      n/a

Chain fairq
target     prot    ifname source        dest           ports
RETURN     ospf    *      0/0      0/0      n/a
RETURN     ospf    *      0/0      0/0      n/a
RETURN     udp     *      0/0      0/0      * -> 520
RETURN     udp     *      0/0      0/0      520 -> *
RETURN     tcp     *      0/0      0/0      * -> 179
RETURN     tcp     *      0/0      0/0      179 -> *
RETURN     tcp     *      0/0      0/0      * -> 53
RETURN     tcp     *      0/0      0/0      53 -> *
RETURN     udp     *      0/0      0/0      * -> 53
RETURN     udp     *      0/0      0/0      53 -> *
RETURN     tcp     *      0/0      0/0      * -> 23
RETURN     tcp     *      0/0      0/0      23 -> *
RETURN     tcp     *      0/0      0/0      * -> 22
RETURN     tcp     *      0/0      0/0      22 -> *

------- end ipchains -L -n -v > compressed.txt -------------

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
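Added example (not part of Scott's post or of the LEAF/Dachstein scripts): a small first-match walker over an excerpt of the "Chain input" listing above, in the condensed column layout the post uses (target prot ifname source dest ports). ipchains evaluates a chain top to bottom and the first rule that matches decides, so the tool answers "which row did this packet hit?" for a given packet. Fed the packet that the post's check command describes (tcp, eth0, source 0.0.0.0 port www, destination 231.123.123.242 port www), the walk stops at the `DENY all eth0 0.0.0.0 0/0` anti-spoof row, which sits above the port-80 ACCEPT; the same request from a routable client address (198.51.100.10 is a constructed RFC 5737 value) reaches the ACCEPT row. Only the rows embedded below are walked; the chain excerpt and packets are constructed from the listing in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Ports = Tuple[Tuple[int, int], Tuple[int, int]]


def parse_net(text: str) -> ipaddress.IPv4Network:
    """'0/0' means any address; an address without a mask is a single host (/32)."""
    if text == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in text:
        text += "/32"
    return ipaddress.ip_network(text, strict=False)


def parse_ports(text: str) -> Optional[Ports]:
    """'n/a' -> no port constraint; 'A -> B' where each side is '*', 'N' or 'LO:HI'."""
    if text == "n/a":
        return None

    def side(spec: str) -> Tuple[int, int]:
        if spec == "*":
            return (0, 65535)
        lo, _, hi = spec.partition(":")
        return (int(lo), int(hi or lo))

    src, dst = text.split("->")
    return side(src.strip()), side(dst.strip())


@dataclass
class Rule:
    target: str
    prot: str
    ifname: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Ports]
    text: str


@dataclass
class Packet:
    prot: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_chain(listing: str) -> list:
    """Parse rows in the post's condensed ipchains -L -n -v layout."""
    rules = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        # the condensed listing carries an optional flag column such as "!y" (SYN match)
        if fields[2] in ("!y", "y"):
            del fields[2]
        target, prot, ifname, src, dst = fields[:5]
        ports = " ".join(fields[5:])
        rules.append(Rule(target, prot, ifname, parse_net(src), parse_net(dst),
                          parse_ports(ports), line.strip()))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.prot != "all" and rule.prot != pkt.prot:
        return False
    if rule.ifname != "*" and rule.ifname != pkt.ifname:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.ports is not None:
        (slo, shi), (dlo, dhi) = rule.ports
        if not (slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi):
            return False
    return True


def first_match(rules: list, pkt: Packet):
    """ipchains walks a chain top to bottom; the first matching rule decides."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return index, rule
    return None, None  # would fall through to the chain policy


# Constructed excerpt of the "Chain input" listing from the post, order preserved.
INPUT_CHAIN = parse_chain("""
DENY       icmp    *       0/0      0/0      5 -> *
DENY       all     eth0    0.0.0.0       0/0      n/a
DENY       all     eth0    127.0.0.0/8          0/0      n/a
DENY       all     eth0    192.168.0.0/16       0/0      n/a
DENY       all     eth0    231.123.123.242       0/0      n/a
REJECT     tcp     eth0    0/0      0/0      * -> 137
ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 80
ACCEPT     tcp     eth0    0/0      231.123.123.242        * -> 22
ACCEPT     tcp     eth0    0/0      0/0      * -> 1024:65535
DENY       all     eth0    0/0      0/0      n/a
ACCEPT     all     *       0/0      0/0      n/a
""")

# The packet described by the post's check:
#   ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www
CHECK_PACKET = Packet("tcp", "eth0", "0.0.0.0", 80, "231.123.123.242", 80)
# Constructed: the same request from a routable client (RFC 5737 test address).
CLIENT_PACKET = Packet("tcp", "eth0", "198.51.100.10", 40000, "231.123.123.242", 80)


def verdict(pkt: Packet, rules: list = INPUT_CHAIN):
    """Return (target, rule index) of the first matching row, or ('policy', None)."""
    index, rule = first_match(rules, pkt)
    return (rule.target if rule else "policy", index)


if __name__ == "__main__":
    for pkt in (CHECK_PACKET, CLIENT_PACKET):
        index, rule = first_match(INPUT_CHAIN, pkt)
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} => "
              f"{rule.target} (rule {index}: {rule.text})")
```

When checking a rule set with `ipchains -C`, give the probe a source address a real client could have; a source of 0.0.0.0 is exactly what the anti-spoof rows near the top of the chain are there to deny, so that probe never reaches the service ACCEPT rows. Separately, and visible in the same listing: `eth0_DEFAULT_GW` is set to the router's own address (231.123.123.241) rather than the ISP gateway named at the top of the post, and `DMZ_EXT_ADDRS` inherits that value, which is why the dmzSpoof and dmzIn chains each list .241 twice.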
