Antony,

INTERNAL IP = 192.168.1.0/24 -- range 1 thru 11
DMZ IP = 172.16.1.0/24 -- range 1 thru 5

The reason I believe I know it is not forwarding... is that when I ping from the DMZ I get a "request time out", although come to think of it, it is actually giving me a response, it's just not necessarily the response I want.

Well, in any case I issue the command iptables -L -n -v and it reports that packets did get to the forwarding rule; it just looks like I got a "request time out" response. So, (having some enlightenment), do I need to specify a rule for icmp types here?

In the files attached I use ping from a box on the DMZ to ping an INTERNAL box. I ran the commands "iptables -L -n -v -x" and "iptables -L -n -v -x -t nat", and the results are in the Lvnx and Lvnxtnat text files.

I then used ping from an INTERNAL box to ping a DMZ box and ran the same commands as mentioned, and the results are in the Lvnx2 and Lvnxtnat2 text files. The other files are obvious.

It really goes back to the sig, routing, routing and routing... I just can't seem to put my finger on it. Thanks for the assist, I appreciate the time and patience.
Tim Rodriguez
Network Security Student
--
To me, being a student means that misconceptions and errors are a way of learning.
Frustration means that I'm learning. Perseverance is of the utmost if one wants to learn.
Having someone to turn to ask for clarification is invaluable.
Thank you.
--
#!/bin/bash
#
# LEARNING IPTABLES SCRIPT
#
## Variables ##
EXTERNAL_NET="eth0"
DMZ_NET="eth1"
INTERNAL_NET="eth2"
#
INTERNAL="192.168.1.0/24"
DMZ="172.16.1.0/24"
EXTERNAL="192.168.2.0/24"
#
## Acquiring the ip address for the devices ##
INT_IP=`ifconfig $INTERNAL_NET | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1`
DMZ_IP=`ifconfig $DMZ_NET | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1`
EXT_IP=`ifconfig $EXTERNAL_NET | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1`
#
## Flush the chains ##
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
#
## Setting policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
## Enable routing ##
echo "1" > /proc/sys/net/ipv4/ip_forward
#
## Logging ##
LOG_LEVEL="notice"
#
## FORWARD traffic between INTERNAL and DMZ
iptables -A FORWARD -i $INTERNAL_NET -o $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_NET -o $INTERNAL_NET -j ACCEPT
#
Chain INPUT (policy DROP 23 packets, 2629 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
       0          0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 32 packets, 4647 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.2.2     255.255.255.0   UG    0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
172.16.0.0      *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
172.16.1.0      172.16.1.1      255.255.255.0   UG    0      0        0 eth1
172.16.1.0      *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

Chain INPUT (policy DROP 21 packets, 2705 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
       4        240 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 16 packets, 1186 bytes)
    pkts      bytes target     prot opt in     out     source               destination
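Added example, not part of Tim's post or his script: a small shell tool that diffs two captures of `iptables -L -n -v -x` taken before and after a test ping and reports which policies and rules matched packets in between. The two snapshots embedded in it are constructed, modelled on the Lvnx/Lvnx2 attachments above with only INPUT and FORWARD kept; they reproduce the pattern visible in those counters, where the eth1->eth2 rule counts the echo requests while the eth2->eth1 rule stays at zero, so the replies never traversed the firewall.

```shell
#!/bin/sh
# Diff two snapshots of `iptables -L -n -v -x` and report, per policy and per
# rule, how many packets matched in between. A FORWARD rule that stays at +0
# while its mirror rule counts packets means one direction of the flow never
# reached the firewall: a routing problem on a host, not a missing rule.

# Constructed snapshots modelled on the Lvnx/Lvnx2 attachments (ping from the
# DMZ on eth1 to an INTERNAL host on eth2); only INPUT and FORWARD are kept.
BEFORE='Chain INPUT (policy DROP 23 packets, 2629 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
       0          0 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0'
AFTER='Chain INPUT (policy DROP 27 packets, 3109 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0
       4        240 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0'

# rule_deltas BEFORE AFTER: one line per counter, tagged HIT / idle / RESET.
rule_deltas() {
    { printf '%s\n' "$1"; echo '=== AFTER ==='; printf '%s\n' "$2"; } |
    awk 'BEGIN { phase = 0 }              # 0 = first snapshot, 1 = second
        /^=== AFTER ===$/ { phase = 1; next }
        /^Chain / {                       # Chain FORWARD (policy DROP 0 packets, 0 bytes)
            chain = $2; idx = 0
            if ($3 == "(policy") {        # built-in chains carry a policy counter
                k = chain ":policy"; pk[phase, k] = $5
                lbl[k] = chain " policy " $4
                if (!(k in seen)) { seen[k] = 1; ord[++n] = k }
            }
            next
        }
        /^ *pkts +bytes/ { next }         # column header
        $1 ~ /^[0-9]+$/ && NF >= 9 {      # rule: pkts bytes target prot opt in out src dst
            k = chain ":" ++idx; pk[phase, k] = $1
            lbl[k] = chain " rule " idx " " $3 " " $4 " " $6 "->" $7
            if (!(k in seen)) { seen[k] = 1; ord[++n] = k }
        }
        END { for (i = 1; i <= n; i++) {
            k = ord[i]; d = pk[1, k] - pk[0, k]
            # a counter that went down means the table was flushed or reloaded
            tag = (d < 0) ? "RESET" : (d == 0) ? "idle" : "HIT"
            printf "%-5s %s: %+d pkts\n", tag, lbl[k], d
        } }'
}
rule_deltas "$BEFORE" "$AFTER"
```

On a live firewall, capture `iptables -L -n -v -x` into two files around the test ping and pass their contents as the two arguments; the same idea applies to the nat table with `-t nat`.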
