Greetings, I've built a Debian firewall server for a small business network, and there have been some problems. First of all, I have eth0 as an external interface (it's a dual-homed server). Eth1 is set up as the internal interface. An Ethernet cable connects the internal interface to a switch, which then splits the connection to an internal router/switch (Linksys) and to a web server. I have added rules to forward port 80 traffic to that web server.

The first problem I am having is that any internal traffic to the web server, either in the DMZ or in the internal network behind the router/switch, cannot connect to the website via DNS name or even the website's IP; however, those same systems can connect via the internal IP (192.168.2.25), including the internal network behind the router/switch (on a different network). Additionally, I cannot ping anything lower than the web server from anything higher than the web server. In other words, a computer behind the router/switch can ping the web server, but the web server could not ping that system or either gateway in the router/switch. Any other internet traffic to any other site works perfectly fine on any system.

The firewall script I am using is largely written from a guide, as I am somewhat new to iptables as of 2 months ago (found at http://www.aboutdebian.com/firewall.htm).
The script is as follows (note that my static IP has been changed so that it is not so readily known to the public):

```sh
#!/bin/sh

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."

# Enter the designation for the Internal Interface
INTIF="eth1"
# NETWORK address of the Internal Interface
INTNET="192.168.2.0/24"
# IP address of the Internal Interface
INTIP="192.168.2.110"

# Enter the designation for the External Interface
EXTIF="eth0"
EXTIP="6x.7x.17x.21x"

# -------- No more variable setting beyond this point --------

echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "   Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   External interface: $EXTIF"
echo "   External interface IP address is: $EXTIP"

echo "   Loading firewall server rules..."
UNIVERSE="0.0.0.0/0"

# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
    iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo -e "   - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Blocked Ports
# SSH from outside the network
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 22 -j DROP
# AUTH from outside the network
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 113 -j DROP
# FTP from outside the network
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 21 -j DROP

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
# already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Web Server
iptables -A FORWARD -i $EXTIF -o $INTIF -d 192.168.2.25 -p tcp --dport 80 -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

# DNAT PAT to WWW
iptables -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to 192.168.2.25

echo "   Implementing change to routing table"
route add -net 192.168.3.0/24 gw 192.168.2.19

echo -e "   Firewall server rule loading complete\n\n"
```

The route line has been added to properly route traffic to the router/switch. This script is set to run at boot time, near the end. After it runs, the iptables -L command looks as such (once again, some names changed due to privacy):

```
Chain INPUT (policy DROP)
target           prot opt source          destination
ACCEPT           all  --  anywhere        anywhere
ACCEPT           all  --  192.168.2.0/24  anywhere
drop-and-log-it  all  --  192.168.2.0/24  anywhere
ACCEPT           all  --  anywhere        www.****.org
ACCEPT           all  --  anywhere        www.****.org    state RELATED,ESTABLISHED
drop-and-log-it  all  --  anywhere        anywhere

Chain FORWARD (policy DROP)
target           prot opt source          destination
ACCEPT           all  --  anywhere        anywhere        state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere        anywhere
ACCEPT           tcp  --  anywhere        192.168.2.25    tcp dpt:www
drop-and-log-it  all  --  anywhere        anywhere

Chain OUTPUT (policy DROP)
target           prot opt source          destination
ACCEPT           all  --  anywhere        anywhere
ACCEPT           all  --  www.****.org    192.168.2.0/24
ACCEPT           all  --  192.168.2.110   192.168.2.0/24
drop-and-log-it  all  --  anywhere        192.168.2.0/24
ACCEPT           all  --  www.****.org    anywhere
drop-and-log-it  all  --  anywhere        anywhere

Chain drop-and-log-it (5 references)
target           prot opt source          destination
LOG              all  --  anywhere        anywhere        LOG level info
REJECT           all  --  anywhere        anywhere        reject-with icmp-port-unreachable
```

And, for additional information, the routing table looks as such:

```
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
68.79.174.208   *                255.255.255.240  U     0      0        0 eth0
192.168.3.0     192.168.2.19     255.255.255.0    UG    0      0        0 eth1
192.168.2.0     *                255.255.255.0    U     0      0        0 eth1
default         6x.7x.17x.xxx.i  0.0.0.0          UG    0      0        0 eth0
```

Finally, my /etc/network/interfaces file (with the edited lines):

```
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 6x.7x.17x.21x
    netmask 255.255.255.240
    gateway 6x.7x.17x.xxx

auto eth1
iface eth1 inet static
    address 192.168.2.110
    netmask 255.255.255.0
```

Any insight into the problem would be much appreciated. If there is any confusion, please forgive me and feel free to ask me to clarify.

Thank you.

Bill Shepherd
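Added example from the editor, not from Bill's post or from the aboutdebian guide he followed: the rules the posted rule set lacks for the two symptoms he describes. With the rules as posted, a connection from eth1 to the public address on port 80 is never DNATed (the only DNAT rule matches `-i eth0`), so the packet keeps the firewall's own address as its destination and is delivered to the firewall through INPUT, which accepts anything from 192.168.2.0/24; nothing listens on port 80 there. Likewise, any packet the firewall would forward back out eth1, such as the web server's traffic toward 192.168.3.0/24 via 192.168.2.19, matches neither of the eth0/eth1 FORWARD rules and falls through to drop-and-log-it. The script assumes the web server's default gateway is the firewall (the post does not say), keeps the post's masked public address, and uses a DRY_RUN switch of the editor's own so the rules can be printed and checked without root.

```shell
#!/bin/sh
# Added example (editor's, not from the post or the aboutdebian guide):
# hairpin NAT for internal clients that use the public address, plus an
# eth1 -> eth1 FORWARD rule for the 192.168.3.0/24 route.
#
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them; DRY_RUN=0 applies them. The values below are the post's, except
# that the web server's default gateway is ASSUMED to be the firewall.

INTIF="eth1"
INTNET="192.168.2.0/24"
INTIP="192.168.2.110"
EXTIP="6x.7x.17x.21x"        # masked in the post; masked here too
WWW="192.168.2.25"
ROUTED_NET="192.168.3.0/24"  # reached via 192.168.2.19 per the post's static route

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

hairpin_rules() {
    # 1. DNAT for connections arriving on the INTERNAL interface. The
    #    posted DNAT matches "-i eth0" only, so an internal client's SYN to
    #    EXTIP:80 is handled by INPUT and lands on the firewall itself.
    run -t nat -A PREROUTING -i "$INTIF" -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW"
    # 2. SNAT the hairpinned flow to the firewall's internal address when
    #    client and server share the 192.168.2.0/24 segment. Without it the
    #    server answers the client directly from 192.168.2.25, an address
    #    the client never connected to, and the client discards the reply.
    #    Replies to 192.168.3.x clients already return through the firewall
    #    (it holds the route), so they are not rewritten.
    run -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$WWW" -p tcp --dport 80 \
        -j SNAT --to-source "$INTIP"
    # 3. FORWARD must accept the hairpinned flow in both directions on the
    #    same interface; the posted rules only cover eth0 <-> eth1. "-I"
    #    places these ahead of the existing drop-and-log-it catch-all.
    run -I FORWARD -i "$INTIF" -o "$INTIF" -d "$WWW" -p tcp --dport 80 -j ACCEPT
    run -I FORWARD -i "$INTIF" -o "$INTIF" -s "$WWW" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

lan_to_routed_rules() {
    # Packets from the web server to 192.168.3.0/24 go to its default
    # gateway (assumed: the firewall), which routes them back out eth1 to
    # 192.168.2.19. That is eth1 -> eth1 forwarding, which the posted
    # FORWARD chain rejects with icmp-port-unreachable.
    run -I FORWARD -i "$INTIF" -o "$INTIF" -s "$INTNET" -d "$ROUTED_NET" -j ACCEPT
    run -I FORWARD -i "$INTIF" -o "$INTIF" -s "$ROUTED_NET" -d "$INTNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
lan_to_routed_rules
```

To verify after applying with DRY_RUN=0, watch the packet counters with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` while an internal client connects to the public address; the new DNAT and eth1/eth1 FORWARD rules should count up. One caveat for the 192.168.3.0/24 path: when Linux forwards a packet back out the interface it came in on and the sender is on the same subnet as the next hop, it sends an ICMP redirect (net.ipv4.conf.*.send_redirects defaults to 1), so the web server may start sending to 192.168.2.19 directly after the first packet; that is harmless here but explains why the FORWARD counters can stop moving.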