[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ipchains/routing gurus, pl help


I have a 486 with linuxrouter materhorn with charles extended scripts
1.0 installed, with 3 ethernet cards as shown in the following figure,
in my university computer lab.

 External Network (BAD)
           ||             Server 
           |               |eth2		
           |               |---------------------
           |               |     |    
           |               |                    |    
           ||                    |    
           ----------------                  ---------   
                  | eth1                     | WEB    |  
                  |                          ----------    
          Internal Network (GOOD)

One card is terminated with the external leased line(eth0). One card
is connected to my hub which caters to the private lan(eth1). The last
card takes care of my dmzone (eth2).

I designate external network by the word BAD, internal network by the
word GOOD and the web server by the word DMZ, and this terms are used
in creating my ipchains. Needless to say my
configuration is a copy of the example given at the end of


1. I am able to ping from the web server to all three cards of my
2. I am able to ping from router to the web server
3. From any machine in the internal network I am able to ping all
cards of router
4. From the internal lan, I can browse and do everything to external

1. My web server in the dmz cannot ping anyone other than the router
2. My internal lan cannot ping my web server in the dmz
3. The router log files *DOES NOT SHOW* any log entries reg. dmz-bad chain.
(ipchain rules are given at the end)

Therefore I cannot use my web server at all.

I have hacked the charles function 
		ipfilter_firewall_cfg() by replacing its contents
entirely by a set of ipchain rules which are given at the end of this
mail. I did this because, even with charles function as such, I was
unable to ping  from webserver (dmz) to outside world.

When I give the command "ip route show" in the router box, I get the
following. dev eth2  scope link dev eth0  proto kernel  scope link  src dev eth1  proto kernel  scope link  src dev eth2  proto kernel  scope link  src 
default via dev eth0 

Pl note that the first line above is due to my hack.

Now is it a ipchain problem or any route problem in the router
esp. when I can ping all cards of the router from my dmz machines.

Any ideas or suggestions would be greatly appreciated.

Thanking you in advance


--------------------------- MY IPCHAINS SCRIPT ------------------
Pl note this script is invoked by charles ipfilter_firewall_cfg() function.


# A function to configure the filters for firewalling

ipfilter_firewall_cfg () {

$IPCH -A input -i ! lo -j DENY 
$IPCH -A output  -i ! lo -j DENY 
$IPCH -A forward -j DENY 

$IPCH -F input
$IPCH -F output
$IPCH -F forward
$IPCH -F dmz-good
$IPCH -F dmz-bad
$IPCH -F good-dmz
$IPCH -F good-bad
$IPCH -F bad-dmz
$IPCH -F bad-good

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPCH -N good-dmz
$IPCH -N bad-dmz
$IPCH -N good-bad
$IPCH -N dmz-good
$IPCH -N dmz-bad
$IPCH -N bad-good

$IPCH -N icmp-acc

$IPCH -A forward -s -i eth2 -j good-dmz
$IPCH -A forward -s -i eth0 -j good-bad
$IPCH -A forward -s -i eth0 -j dmz-bad
$IPCH -A forward -s -i eth1 -j dmz-good
$IPCH -A forward -i eth2 -j bad-dmz
$IPCH -A forward -i eth1 -j bad-good
$IPCH -A forward -j DENY -l

$IPCH -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

$IPCH -A good-dmz -p tcp -d $WEB_SERVER www -j ACCEPT
$IPCH -A good-dmz -p icmp --icmp-type ping -j ACCEPT
$IPCH -A good-dmz -p icmp -j icmp-acc
$IPCH -A good-dmz -j DENY -l

$IPCH -A good-dmz -j ACCEPT -l

#$IPCH -A bad-dmz -p udp -d $DNS_SERVER 53 -j ACCEPT
#$IPCH -A bad-dmz -p tcp -d $DNS_SERVER 53 -j ACCEPT
$IPCH -A bad-dmz -p tcp -d $WEB_SERVER www -j ACCEPT
$IPCH -A bad-dmz -p icmp -j icmp-acc
$IPCH -A bad-dmz -j DENY

$IPCH -A good-bad -p tcp --dport smtp -j MASQ
$IPCH -A good-bad -p tcp --dport telnet -j MASQ
$IPCH -A good-bad -p tcp --dport finger -j MASQ
$IPCH -A good-bad -p tcp --dport www -j MASQ
$IPCH -A good-bad -p tcp --dport ssh -j MASQ
$IPCH -A good-bad -p udp --dport 33434:33500 -j MASQ
$IPCH -A good-bad -p tcp --dport ftp -j MASQ
$IPCH -A good-bad -p tcp --dport ftp-data -j MASQ
$IPCH -A good-bad -p icmp --icmp-type ping -j MASQ
$IPCH -A good-bad -p udp --dport 53 -j MASQ
$IPCH -A good-bad -p tcp --dport 53 -j MASQ
$IPCH -A good-bad -p udp -d $DNSEXT1 53 -j MASQ
$IPCH -A good-bad -p tcp -d $DNSEXT1 53 -j MASQ
$IPCH -A good-bad -p udp -d $DNSEXT2 53 -j MASQ
$IPCH -A good-bad -p tcp -d $DNSEXT2 53 -j MASQ
$IPCH -A good-bad -j REJECT -l

#$IPCH -A dmz-good -p udp -s $DNS_SERVER 53 -j ACCEPT
#$IPCH -A dmz-good -p tcp ! -y -s $DNS_SERVER 53 -j ACCEPT
$IPCH -A dmz-good -p tcp ! -y -s $WEB_SERVER www -j ACCEPT
$IPCH -A dmz-good -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A dmz-good -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A dmz-good -p icmp -j icmp-acc
$IPCH -A dmz-good -j DENY -l

$IPCH -A dmz-bad -p tcp --dport smtp -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport www -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ssh -j ACCEPT
$IPCH -A dmz-bad -p udp --dport 33434:33500 -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ftp -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ftp-data -j ACCEPT
$IPCH -A dmz-bad -p icmp --icmp-type ping -j ACCEPT
$IPCH -A dmz-bad -p udp --dport 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport 53 -j ACCEPT
$IPCH -A dmz-bad -p udp -d $DNSEXT1 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp -d $DNSEXT1 53 -j ACCEPT
$IPCH -A dmz-bad -p udp -d $DNSEXT2 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp -d $DNSEXT2 53 -j ACCEPT
$IPCH -A dmz-bad -j REJECT -l

#$IPCH -A bad-good -p udp -s $DNSEXT1 53 -j ACCEPT
#$IPCH -A bad-good -p tcp ! -y -s $DNSEXT1 53 -j ACCEPT
$IPCH -A bad-good -j REJECT

$IPCH -N bad-if
$IPCH -N dmz-if
$IPCH -N good-if

$IPCH -A input -d $ETHERNET0 -j bad-if
$IPCH -A input -d $ETHERNET2 -j dmz-if
$IPCH -A input -d $ETHERNET1 -j good-if

#$IPCH -A bad-if -i ! eth0 -j DENY -l
$IPCH -A bad-if -p TCP --dport 61000:65096 -j ACCEPT
$IPCH -A bad-if -p UDP --dport 61000:65096 -j ACCEPT
$IPCH -A bad-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A bad-if -j icmp-acc
$IPCH -A bad-if -j DENY -l

#$IPCH -A dmz-if -i ! eth2 -j DENY -l
$IPCH -A dmz-if -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A dmz-if -j icmp-acc 
$IPCH -A dmz-if -j DENY -l

#$IPCH -A good-if -i ! eth1 -j DENY -l
$IPCH -A good-if -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A good-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A good-if -j icmp-acc
$IPCH -A good-if -j DENY -l

$IPCH -D input 1
$IPCH -D forward 1
$IPCH -D output 1

--------------------end of my ipchains script----------------------

Suresh Kumar.R				Email: suresh@mycampus.com
Dept of Electronics & Communication
College of Engineering, Trivandrum - 695 016

Reply to: