I have two firewalls with an IPSEC tunnel between them (on their own 
private subnet). The reason for this complexity of two firewalls in 
succession is to make it much more difficult for a system cracker to pass 
our defenses. Anyway, when a host in the DMZ talks to a host on the LAN 
inside, the exterior firewall DNATs the destination address. Rules are 
listed below. The problem I have is that I think the DNAT operation to the 
inside server is causing the Source IP of External communicating to 
Internal to appear from the Tunnel interface of the Outside firewall 
instead of the IP of the External server. You'd think the Source IP 
address shouldn't be altered for a DNAT operation. I looked around a bit 
for this to see if DNAT wasn't the right tool for what I want to do, but 
it seems it ought to work. I did find mention of setting a POSTROUTING 
SNAT, but that didn't seem to alter the traffic. I've still got that in my 
rules. Am I on the right track, or would someone please recommend a better 
approach/solution to this?

Oh yes, the kernel is Linux 2.4.18 on i386 (Intel PIII) and iptables 1.2.6.a 
on RedHat Linux 7.2 (iptables and kernel compiled by me).

kind regards,
Jim

+----------+
| Details: |
+----------+

Networks, IP Addresses, Hostnames have been sanitized for security 
purposes.

Networks:
---------
LAN      172.16.3/24
Tunnel   192.168.0/24
DMZ      1.2.3/24

Relevant IPs:
-------------
Inner Server            172.16.3.10
Inside FW LAN side      172.16.3.2
Inside FW tunnel side   192.168.0.1
Outside FW tunnel side  192.168.0.2
Outside FW DMZ side     1.2.3.4
External Server         1.2.3.5


Diagram:
--------
Inner Server                                          External Server
    |                                                             |
   LAN ------- Inside FW --------< tunnel >----- Outside FW ---- DMZ 




Here's a sample of the traffic: 
-------------------------------

17:12:40.993091 192.168.0.2.3292 > 172.16.3.10.80: S 167859891:167859891(0) win 8192 <mss 1460> (DF)
17:12:53.009676 192.168.0.2.3292 > 172.16.3.10.80: S 167859891:167859891(0) win 8192 <mss 1460> (DF)
17:15:52.785388 192.168.0.2.3293 > 172.16.3.10.80: S 167859899:167859899(0) win 8192 <mss 1460> (DF)
17:15:55.761851 192.168.0.2.3293 > 172.16.3.10.80: S 167859899:167859899(0) win 8192 <mss 1460> (DF)
17:16:01.770140 192.168.0.2.3293 > 172.16.3.10.80: S 167859899:167859899(0) win 8192 <mss 1460> (DF)
17:16:13.786758 192.168.0.2.3293 > 172.16.3.10.80: S 167859899:167859899(0) win 8192 <mss 1460> (DF)

Note the source address SHOULD be 1.2.3.5. Destination is OK.

Here's a sample of the rules:
-----------------------------

# External Firewall External Interface IP is 1.2.3.4/24
# Internal Firewall Internal Interface IP is 172.16.3.2/24
# Tunnel IP Addr are 192.168.0.1/24 - external and 192.168.0.2/24 - internal

EXTIF="eth0"                         # External Interface
TIF="ipsec0"                         # Tunnel Interface
EXTERNALSERVERNET=1.2.3.5/32
EXTERNALSERVER=1.2.3.4               # Outside FW DMZ-side address, used as the SNAT source
INTERNALSERVERNET=172.16.3.10/32
INTERNALSERVER=172.16.3.10
serviceports="80,443,22"

...

# Create a table for watching some accepting rules
echo Making the watch target
iptables -N watch
iptables -A watch -m limit --limit 10/minute -j LOG --log-prefix " Accept "
iptables -A watch -p tcp --dport ssh -m limit --limit 3/hour -j LOG \
                  --log-prefix "- SSH Accept -  "
iptables -A watch -p tcp --sport ssh -m limit --limit 3/hour -j LOG \
                  --log-prefix "- SSH Accept -  "
iptables -A watch -p tcp -m state --state INVALID -j LOG --log-prefix \
                  "---> INVALID State Dropped "
iptables -A watch -p tcp -m state --state INVALID -j DROP
iptables -A watch -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A watch -j ACCEPT

...


# Connections ORIGINATING from Internal Service to External Service
iptables -A FORWARD -i $TIF -s $INTERNALSERVERNET -d $EXTERNALSERVERNET -p tcp \
                -m multiport --dport $serviceports -j watch
#  ack
iptables -A FORWARD -i $EXTIF -s $EXTERNALSERVERNET -d $INTERNALSERVERNET -p tcp \
                -m multiport --sport $serviceports -j watch
# Connection ORIGINATING from External Service Server to Internal Service
iptables -A FORWARD -i $EXTIF -s $EXTERNALSERVERNET -d $INTERNALSERVERNET -p tcp \
                -m multiport --dport $serviceports -j watch
# ACK connections from External Service to Internal Service
iptables -A FORWARD -i $TIF -s $INTERNALSERVERNET -d $EXTERNALSERVERNET -p tcp \
                -m multiport --sport $serviceports -j watch
# Outbound NAT
iptables -t nat -A POSTROUTING -o $EXTIF -d $INTERNALSERVERNET -j SNAT \
                --to $EXTERNALSERVER
# Inbound NAT
iptables -t nat -A PREROUTING -i $EXTIF -s $EXTERNALSERVERNET -j DNAT \
                --to $INTERNALSERVER

...


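To make the NAT path in the post concrete, here is an added example (editor's illustration, not Jim's script and not netfilter code): a small Python model of how a NEW connection traverses the 2.4 nat table on the outside firewall, nat PREROUTING, then the routing decision, then nat POSTROUTING, with first-match semantics in each chain. The routing table (ROUTES) is constructed from the addresses in the post; the packet 1.2.3.5 -> 1.2.3.4:80 is the inbound SYN from the External Server, and MASQ_TUNNEL is a hypothetical catch-all rule of the kind that would have to sit in the elided "..." part of the script for the tunnel address to show up as the source. The model confirms that DNAT only rewrites the destination, that the posted POSTROUTING SNAT rule (-o eth0 -d 172.16.3.10) cannot match a packet that leaves via ipsec0, and that only a POSTROUTING rule matching the tunnel interface produces the 192.168.0.2 seen in the tcpdump.

```python
"""Toy model of the iptables 2.4 nat path: PREROUTING -> route -> POSTROUTING.

Editor's illustration for the post above; it is not netfilter and not the
poster's script. Addresses come from the post; the routing table and the
MASQUERADE rule are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    out_iface: str = ""      # filled in by the routing step


@dataclass(frozen=True)
class Rule:
    chain: str               # "PREROUTING" or "POSTROUTING"
    target: str              # "DNAT", "SNAT" or "MASQUERADE"
    to: str = ""             # --to address for DNAT/SNAT
    in_iface: str = ""       # -i
    out_iface: str = ""      # -o
    src: str = ""            # -s (CIDR)
    dst: str = ""            # -d (CIDR)

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


# Constructed routing table for the outside FW: (prefix, egress iface, iface address).
ROUTES = [
    ("1.2.3.0/24", "eth0", "1.2.3.4"),
    ("192.168.0.0/24", "ipsec0", "192.168.0.2"),
    ("172.16.3.0/24", "ipsec0", "192.168.0.2"),   # LAN is reached through the tunnel
]


def route(dst: str) -> Tuple[str, str]:
    """Longest-prefix match; returns (egress interface, its address)."""
    best: Optional[Tuple[int, str, str]] = None
    for prefix, iface, addr in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, addr)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def nat_traverse(pkt: Packet, rules: List[Rule]) -> List[Tuple[str, Packet]]:
    """Walk nat PREROUTING -> routing -> nat POSTROUTING for a NEW connection.
    The first matching rule in each chain wins, as in the real nat table."""
    trace = [("in", pkt)]
    for r in rules:
        if r.chain == "PREROUTING" and r.target == "DNAT" and r.matches(pkt):
            pkt = replace(pkt, dst=r.to)          # DNAT rewrites the destination only
            trace.append(("PREROUTING DNAT", pkt))
            break
    out_iface, out_addr = route(pkt.dst)         # routing uses the DNATed destination
    pkt = replace(pkt, out_iface=out_iface)
    trace.append(("route", pkt))
    for r in rules:
        if r.chain != "POSTROUTING" or not r.matches(pkt):
            continue
        if r.target == "SNAT":
            pkt = replace(pkt, src=r.to)
        elif r.target == "MASQUERADE":
            pkt = replace(pkt, src=out_addr)      # egress interface's own address
        trace.append((f"POSTROUTING {r.target}", pkt))
        break
    return trace


# The two nat rules from the post, translated into the model.
POSTED_RULES = [
    Rule("POSTROUTING", "SNAT", to="1.2.3.4", out_iface="eth0", dst="172.16.3.10/32"),
    Rule("PREROUTING", "DNAT", to="172.16.3.10", in_iface="eth0", src="1.2.3.5/32"),
]

# Hypothetical catch-all (not in the posted excerpt) that would explain the capture.
MASQ_TUNNEL = Rule("POSTROUTING", "MASQUERADE", out_iface="ipsec0")


def inbound_result(rules: List[Rule]) -> Packet:
    """External Server 1.2.3.5 opening port 80 on the outside FW's DMZ address."""
    return nat_traverse(Packet("1.2.3.5", "1.2.3.4", 80, "eth0"), rules)[-1][1]


def outbound_result(rules: List[Rule]) -> Packet:
    """Inner Server 172.16.3.10 opening port 80 on the External Server."""
    return nat_traverse(Packet("172.16.3.10", "1.2.3.5", 80, "ipsec0"), rules)[-1][1]


if __name__ == "__main__":
    for label, rules in (("posted rules only", POSTED_RULES),
                         ("posted rules + MASQUERADE on ipsec0", POSTED_RULES + [MASQ_TUNNEL])):
        print(label)
        for step, p in nat_traverse(Packet("1.2.3.5", "1.2.3.4", 80, "eth0"), rules):
            print(f"  {step:22s} {p.src} -> {p.dst}:{p.dport} out={p.out_iface or '-'}")
```

Two things fall out of running it. With only the two posted rules, the inbound SYN leaves ipsec0 as 1.2.3.5 -> 172.16.3.10, so those rules by themselves cannot produce the capture; adding a POSTROUTING rule that matches -o ipsec0 (SNAT to 192.168.0.2 or MASQUERADE) does. The posted "Outbound NAT" rule also never fires for LAN-originated traffic, because it selects on -d 172.16.3.10 rather than -s. On the real box the quickest check is the per-rule counters from `iptables -t nat -L POSTROUTING -v -n`: whichever rule's packet count climbs while the SYNs are sent is the one rewriting the source.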