ipchains/routing gurus, pl help
Hi,
I have a 486 with linuxrouter materhorn with charles extended scripts
1.0 installed, with 3 ethernet cards as shown in the following figure,
in my university computer lab.
External Network (BAD)
|
|
eth0|
----------------|
|203.200.144.163| Server
| |eth2
| |---------------------
| |203.200.144.164 |
| | |
|192.168.100.254| |
---------------- ---------
| eth1 | WEB |
| ----------
| 203.200.144.162
|
Internal Network (GOOD)
One card is terminated with the external leased line(eth0). One card
is connected to my hub which caters to the private lan(eth1). The last
card takes care of my dmzone (eth2).
I designate external network by the word BAD, internal network by the
word GOOD and the web server by the word DMZ, and this terms are used
in creating my ipchains. Needless to say my
configuration is a copy of the example given at the end of
IPCHAINS-HOWTO.
FACTS
1. I am able to ping from the web server to all three cards of my
router.
2. I am able to ping from router to the web server
3. From any machine in the internal network I am able to ping all
cards of router
4. From the internal lan, I can browse and do everything to external
network.
MY PROBLEMS.
1. My web server in the dmz cannot ping anyone other than the router
cards
2. My internal lan cannot ping my web server in the dmz
3. The router log files *DOES NOT SHOW* any log entries reg. dmz-bad chain.
(ipchain rules are given at the end)
Therefore I cannot use my web server at all.
I have hacked the charles function
ipfilter_firewall_cfg() by replacing its contents
entirely by a set of ipchain rules which are given at the end of this
mail. I did this because, even with charles function as such, I was
unable to ping from webserver (dmz) to outside world.
When I give the command "ip route show" in the router box, I get the
following.
203.200.144.162 dev eth2 scope link
203.200.144.160/28 dev eth0 proto kernel scope link src 203.200.144.163
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.254
203.200.144.0/24 dev eth2 proto kernel scope link src 203.200.144.164
default via 203.200.144.161 dev eth0
Pl note that the first line above is due to my hack.
Now is it a ipchain problem or any route problem in the router
esp. when I can ping all cards of the router from my dmz machines.
Any ideas or suggestions would be greatly appreciated.
Thanking you in advance
Suresh
--------------------------- MY IPCHAINS SCRIPT ------------------
Pl note this script is invoked by charles ipfilter_firewall_cfg() function.
---------------------------------------------------------------
WEB_SERVER=203.200.144.162
ETHERNET0=203.200.144.161
ETHERNET1=192.168.100.254
ETHERNET2=203.200.144.164
DNSEXT1=202.54.6.1
DNSEXT2=202.54.6.20
# A function to configure the filters for firewalling
ipfilter_firewall_cfg () {
$IPCH -A input -i ! lo -j DENY
$IPCH -A output -i ! lo -j DENY
$IPCH -A forward -j DENY
$IPCH -F input
$IPCH -F output
$IPCH -F forward
$IPCH -F dmz-good
$IPCH -F dmz-bad
$IPCH -F good-dmz
$IPCH -F good-bad
$IPCH -F bad-dmz
$IPCH -F bad-good
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPCH -N good-dmz
$IPCH -N bad-dmz
$IPCH -N good-bad
$IPCH -N dmz-good
$IPCH -N dmz-bad
$IPCH -N bad-good
$IPCH -N icmp-acc
$IPCH -A forward -s 192.168.100.0/24 -i eth2 -j good-dmz
$IPCH -A forward -s 192.168.100.0/24 -i eth0 -j good-bad
$IPCH -A forward -s 203.200.144.0/24 -i eth0 -j dmz-bad
$IPCH -A forward -s 203.200.144.0/24 -i eth1 -j dmz-good
$IPCH -A forward -i eth2 -j bad-dmz
$IPCH -A forward -i eth1 -j bad-good
$IPCH -A forward -j DENY -l
$IPCH -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
$IPCH -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
$IPCH -A good-dmz -p tcp -d $WEB_SERVER www -j ACCEPT
$IPCH -A good-dmz -p icmp --icmp-type ping -j ACCEPT
$IPCH -A good-dmz -p icmp -j icmp-acc
$IPCH -A good-dmz -j DENY -l
$IPCH -A good-dmz -j ACCEPT -l
#$IPCH -A bad-dmz -p udp -d $DNS_SERVER 53 -j ACCEPT
#$IPCH -A bad-dmz -p tcp -d $DNS_SERVER 53 -j ACCEPT
$IPCH -A bad-dmz -p tcp -d $WEB_SERVER www -j ACCEPT
$IPCH -A bad-dmz -p icmp -j icmp-acc
$IPCH -A bad-dmz -j DENY
$IPCH -A good-bad -p tcp --dport smtp -j MASQ
$IPCH -A good-bad -p tcp --dport telnet -j MASQ
$IPCH -A good-bad -p tcp --dport finger -j MASQ
$IPCH -A good-bad -p tcp --dport www -j MASQ
$IPCH -A good-bad -p tcp --dport ssh -j MASQ
$IPCH -A good-bad -p udp --dport 33434:33500 -j MASQ
$IPCH -A good-bad -p tcp --dport ftp -j MASQ
$IPCH -A good-bad -p tcp --dport ftp-data -j MASQ
$IPCH -A good-bad -p icmp --icmp-type ping -j MASQ
$IPCH -A good-bad -p udp --dport 53 -j MASQ
$IPCH -A good-bad -p tcp --dport 53 -j MASQ
$IPCH -A good-bad -p udp -d $DNSEXT1 53 -j MASQ
$IPCH -A good-bad -p tcp -d $DNSEXT1 53 -j MASQ
$IPCH -A good-bad -p udp -d $DNSEXT2 53 -j MASQ
$IPCH -A good-bad -p tcp -d $DNSEXT2 53 -j MASQ
$IPCH -A good-bad -j REJECT -l
#$IPCH -A dmz-good -p udp -s $DNS_SERVER 53 -j ACCEPT
#$IPCH -A dmz-good -p tcp ! -y -s $DNS_SERVER 53 -j ACCEPT
$IPCH -A dmz-good -p tcp ! -y -s $WEB_SERVER www -j ACCEPT
$IPCH -A dmz-good -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A dmz-good -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A dmz-good -p icmp -j icmp-acc
$IPCH -A dmz-good -j DENY -l
$IPCH -A dmz-bad -p tcp --dport smtp -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport www -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ssh -j ACCEPT
$IPCH -A dmz-bad -p udp --dport 33434:33500 -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ftp -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport ftp-data -j ACCEPT
$IPCH -A dmz-bad -p icmp --icmp-type ping -j ACCEPT
$IPCH -A dmz-bad -p udp --dport 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp --dport 53 -j ACCEPT
$IPCH -A dmz-bad -p udp -d $DNSEXT1 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp -d $DNSEXT1 53 -j ACCEPT
$IPCH -A dmz-bad -p udp -d $DNSEXT2 53 -j ACCEPT
$IPCH -A dmz-bad -p tcp -d $DNSEXT2 53 -j ACCEPT
$IPCH -A dmz-bad -j REJECT -l
#$IPCH -A bad-good -p udp -s $DNSEXT1 53 -j ACCEPT
#$IPCH -A bad-good -p tcp ! -y -s $DNSEXT1 53 -j ACCEPT
$IPCH -A bad-good -j REJECT
$IPCH -N bad-if
$IPCH -N dmz-if
$IPCH -N good-if
$IPCH -A input -d $ETHERNET0 -j bad-if
$IPCH -A input -d $ETHERNET2 -j dmz-if
$IPCH -A input -d $ETHERNET1 -j good-if
#$IPCH -A bad-if -i ! eth0 -j DENY -l
$IPCH -A bad-if -p TCP --dport 61000:65096 -j ACCEPT
$IPCH -A bad-if -p UDP --dport 61000:65096 -j ACCEPT
$IPCH -A bad-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A bad-if -j icmp-acc
$IPCH -A bad-if -j DENY -l
#$IPCH -A dmz-if -i ! eth2 -j DENY -l
$IPCH -A dmz-if -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A dmz-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A dmz-if -j icmp-acc
$IPCH -A dmz-if -j DENY -l
#$IPCH -A good-if -i ! eth1 -j DENY -l
$IPCH -A good-if -p ICMP --icmp-type ping -j ACCEPT
$IPCH -A good-if -p ICMP --icmp-type pong -j ACCEPT
$IPCH -A good-if -j icmp-acc
$IPCH -A good-if -j DENY -l
$IPCH -D input 1
$IPCH -D forward 1
$IPCH -D output 1
}
--------------------end of my ipchains script----------------------
Suresh
-----------------------------------------------------------------
Suresh Kumar.R Email: suresh@mycampus.com
Dept of Electronics & Communication
College of Engineering, Trivandrum - 695 016
INDIA
Reply to: