
Re: masq/foreward



Often, a DMZ is set up as three networks connected at one point: Internet, LAN and DMZ, with the firewall connecting all three.

In direct answer to your questions:
Yes, set up your DMZ as you did your internal LAN, but use another IP network (see below).
Yes, portfw to the internal IP of your DMZ web server, as you probably did with your LAN.
Set up your DMZ as a private LAN, masqueraded to the internet, and portfw back.  Make sure to restrict access between your DMZ and your LAN to only certain things!  If the webserver in your DMZ is cracked and you don't have any tight control between your LAN and the DMZ, well, it didn't do any good to have a DMZ in the first place.  You want to be able to have your DMZ servers cracked and still have a secure network, such that if someone owns one of your DMZ servers, they still can't break through the firewall into your real network.

mini howto:
-----------
First set up your LAN and the internet.  The LAN has private IPs and masquerades (or SNATs with 2.4) to the internet, and the internet port forwards with ipmasq (or DNAT with 2.4) to particular ports within your network, if needed.

Then set up your DMZ as a second private LAN, i.e. if your LAN is a 10.0.0.0/16 network, make your DMZ a 10.1.0.0/16 network.  These are different networks, as denoted by the /16.

Before messing with ipchains/iptables rules, make sure you can connect to and forward between the networks, and that your routing is correct.  This will make the next part much easier!

Your rules will say something like (pseudo rules):
#allow either lan access to the internet
if source 10.0.0.0/16 and dest anything but 10.1.0.0/16 accept
if source 10.1.0.0/16 and dest anything but 10.0.0.0/16 accept
if source ! 10.0.0.0/8 and dest 10.0.0.0/8 accept (internet packets coming back to either private lan)

#forward between dmz and lan
if source 10.0.0.0/16 and dest 10.1.0.0/16 accept
if source 10.1.0.0/16 and dest 10.0.0.0/16 accept

portfw external_ip port 80 to 10.1.0.5:80  (dmz webserver)

Rules 1, 2 and 3, 4 are kind of redundant.  However, it's laid out like this so you can tighten the control rather than just accepting everything.  For instance, you may say:
if source LAN to internet (i.e. ! 10.0.0.0/8) accept
if source LAN to DMZ port 80 accept
Deny everything else from LAN to DMZ

You'll also need corresponding reverse rules, such as:
if source DMZ:80 to LAN 1024:65535 accept

For clarification here, 10.0.0.0/8 will match either 10.0.0.0/16 or 10.1.0.0/16.  So you can define a variable privateIP="10.0.0.0/8" and use it in comparisons:
if source ! $privateIP to $privateIP  (this means if from internet to either DMZ or internal lan)

Hope this helps,
Cory

On Fri, Mar 23, 2001 at 06:47:39AM -0500, tom wrote:
> I'm trying to build a firewall with one card open to a DMZ.
> 
> But I'm unclear on how exactly to do this.
> 
> Do I start by forwarding all incoming requests on port 80 to my
> internal DMZ machine and then masq all outgoing traffic (as I do
> with all the networks)?
> 
> Is that how it works?
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
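As an added example (not from Cory's mail), here is the tightened forward policy he lays out above modelled in Python: a first-match chain over the LAN, DMZ and 10.0.0.0/8 networks he names, with the portfw step applied before the chain. The firewall's external address 192.0.2.1 and the sample hosts are constructed; real rules would be ipchains/iptables, this only checks the logic and shows that a cracked DMZ box cannot open connections into the LAN.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

LAN = ip_network("10.0.0.0/16")
DMZ = ip_network("10.1.0.0/16")
PRIVATE = ip_network("10.0.0.0/8")        # matches both LAN and DMZ, like $privateIP
EXTERNAL_IP = ip_address("192.0.2.1")     # assumed public address of the firewall
DMZ_WEB = ip_address("10.1.0.5")          # the DMZ web server from the mail

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int

def portfw(pkt: Packet) -> Packet:
    """Port forward (ipmasq portfw / 2.4 DNAT): external_ip:80 -> DMZ web server."""
    if ip_address(pkt.dst) == EXTERNAL_IP and pkt.dport == 80:
        return pkt._replace(dst=str(DMZ_WEB))
    return pkt

# Tightened forward policy in chain order; the first matching rule decides.
# Each entry: (name, match(src_addr, dst_addr, pkt), verdict).
RULES = [
    ("LAN -> internet",     lambda s, d, p: s in LAN and d not in PRIVATE, "ACCEPT"),
    ("DMZ -> internet",     lambda s, d, p: s in DMZ and d not in PRIVATE, "ACCEPT"),
    ("internet -> private", lambda s, d, p: s not in PRIVATE and d in PRIVATE, "ACCEPT"),
    ("LAN -> DMZ port 80",  lambda s, d, p: s in LAN and d in DMZ and p.dport == 80, "ACCEPT"),
    ("DMZ:80 -> LAN 1024+", lambda s, d, p: s in DMZ and p.sport == 80
                                            and d in LAN and p.dport >= 1024, "ACCEPT"),
    ("deny everything else", lambda s, d, p: True, "DENY"),
]

def forward(pkt: Packet) -> tuple:
    """Apply port forwarding, then walk the chain; return (verdict, rule name)."""
    pkt = portfw(pkt)
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for name, match, verdict in RULES:
        if match(s, d, pkt):
            return verdict, name
    return "DENY", "end of chain"

if __name__ == "__main__":
    # Constructed traffic; 198.51.100.7 stands in for an internet host.
    for pkt in [Packet("198.51.100.7", "192.0.2.1", 51000, 80),  # internet -> portfw'd web
                Packet("10.0.1.20", "10.1.0.5", 40000, 80),      # LAN -> DMZ web
                Packet("10.1.0.5", "10.0.1.20", 40000, 22)]:     # owned DMZ box -> LAN ssh
        print(pkt, "->", forward(pkt))
```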