<Roey> forwarder
<trappist> client is outside the lan, server is inside?
<Roey> yes
<Roey> and the iptables host is on the DMZ
<trappist> yeah, you just need one DNAT rule. and possibly one FORWARD rule to allow the traffic.
<Roey> which has an opening in the firewall to let it access the exchange server via one port
<Roey> and I also need ip_forwarding on, right?
<trappist> yeah
<Roey> hmm
<Roey> ok
<Roey> trappist: so now, what if I want to send this traffic to a specific port on a specific server?
<Roey> -P port ?
<Roey> 1) iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<danieldg> --to-destination host:port
<Roey> 2) iptables -j DNAT --to-destination <server-ip>:<server-port>
<Roey> ?
<Roey> oh
<Roey> and why state instead of cn_state
<Roey> i.e. what is the difference between the normal state machine and conntrack
<Roey> ?
<danieldg> nothing
<Roey> so these two lines would work then:
<Roey> 1) iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<Roey> 2) iptables -j DNAT --to-destination <server-ip>:<server-port>
<Roey> yes?
<Roey> now, are all of these rules laid in on the same chain?
<Roey> INPUT?
<danieldg> you may also need -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<danieldg> and the DNAT rule needs to be in -t nat
<Roey> so:
<Roey> 1) iptables -A FORWARD -p tcp --dport <server-port> -d <server-ip> -m state --state RELATED,ESTABLISHED -j ACCEPT
<Roey> 2) iptables -t nat -j DNAT --to-destination <server-ip>:<server-port>
<danieldg> no
<Roey> yes?
<Roey> oh :(
<danieldg> a third rule
<danieldg> leave the state one as is
<Roey> ok
<Roey> and the first one too?
<Roey> and the third rule'd be iptables -t nat -something
<contraventor> danieldg it does not have as to block clone of mac-address?
<Roey> something to do with dnat.
<danieldg> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<danieldg> -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<danieldg> you need those as (1) and (3)
<Roey> oh
<Roey> so:
<Roey> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<Roey> iptables -t nat -j DNAT --to-destination <server-ip>:<server-port>
<Roey> iptables -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<Roey> like that
<Roey> ?
<danieldg> yes
<Roey> can we go over the second two rules?
<Roey> we specify "-t nat" because we're using the nat module (er, I think)
<Roey> and the jump target is DNAT (hence the "-j")
<danieldg> nat table
<Roey> ok
<Roey> ahhhh
<Roey> -t[able] nat
<Roey> -j[ump target] DNAT
<danieldg> and (2) needs -t nat -A PREROUTING
<danieldg> not just -t nat
<Roey> why prerouting?
<danieldg> because that's the chain where DNAT goes
<Roey> oh... ok
<morale> the PREROUTING chain/nat table rewrites the destination IP address of packets.. it does /no/ forwarding at all. the FORWARD table actually forwards the packet from the outside interface to the inside.
<Roey> ohhhh ok
<Roey> but with (2)
<Roey> we're not specifying an inbound port
<Roey> only a server port
<danieldg> oh. You need to specify an inbound port there
<Roey> basically, let's say we want /only/ port 41234 to get routed
<morale> yes, you need to specify an inbound port or a source ip so it can nat everything to that server
<morale> iptables -t nat -A PREROUTING --dport 41234 -j DNAT --to-destination 1.2.3.4:41234
<Roey> (and I see that rewriting IP headers is /all/ that the PREROUTING chain/nat table does... it just mangles the packets)
<morale> pretty much
<Roey> morale: and what handles the RELATED packets??
<danieldg> stick a -p tcp in there too
<Roey> 1) iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<danieldg> no, in (2)
<morale> roey, the ip_conntrack table on the firewall (iptables) will handle the connections in its own table.
<Roey> 2) iptables -t nat -p tcp -A PREROUTING --dport 41234 -j DNAT --to-destination 1.2.3.4:41234
<Roey> 3) iptables -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<danieldg> -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<Roey> so lines (1-3) seem right?
<danieldg> oops
<morale> iptables -A FORWARD -s outside_ip -d internal_ip --dport 41234 -j ACCEPT
<danieldg> 2) iptables -t nat A PREROUTING -p tcp --dport 41234 -j DNAT --to-destination 1.2.3.4:41234
<Roey> that line says to forward any packets with a source IP of (something) to an internal ip (which I specify
<morale> http://deadbolt.ca/iptables.txt
<morale> roey, correct.
<Roey> morale: that script looks complicated, I'll have to read it
<Roey> out
<Roey> thoroughly
<Roey> and carefully
<Roey> I already use openvpn
<Roey> as well (on the same server, too)
<Roey> so finally we get:
<Roey> 1) iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<Roey> 2) iptables -t nat A PREROUTING -p tcp --dport 41234 -j DNAT --to-destination 1.2.3.4:41234
<Roey> 3) iptables -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<danieldg> s/ A/-A/ in #2
<Roey> 1) iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
<Roey> 2) iptables -t nat -A PREROUTING -p tcp --dport 41234 -j DNAT --to-destination 1.2.3.4:41234
<Roey> 3) iptables -A FORWARD -p tcp --dport <server-port> -d <server-ip> -j ACCEPT
<danieldg> yes
<Roey> hmm
<morale> no.
<morale> you only need lines 2 and 3.
<Roey> (1) is very general -- it just says to allow connections
<Roey> morale: because (1) is default?
<morale> so does line 3.
<morale> line 3 actually is..
<morale> iptables -A FORWARD -p tcp --dport 41234 -m state --state NEW,RELATED,ESTABLISHED -d <server-ip> -j ACCEPT
<morale> make sure you have /proc/sys/net/ipv4/ip_forward set to 1.
<Roey> yes I have that already due to openvpn
<Roey> morale: ok, and I thought I was missing that NEW,RELATED,ESTABLISHED stuff :)
<Roey> thanks
<morale> no problem.
<Roey> ok, and since the internal server is exchange OWA
<Roey> it runs on port 443
<Roey> so I would have --dport 443 for that last line
<morale> yes
<Roey> also, you guys suggest writing the entire script -- not tacking this on to my existing rule table, right?
<Roey> I have no rule table.
<Roey> it's default right now
<Roey> i.e. I need to include OpenVPN connections
<morale> I prefer to write my own scripts for my clients
<Roey> ok
<Roey> where do you put the script?
<morale> that would be the input chain if it is running on the firewall
<Roey> ok
<Roey> (this isn't the firewall, btw, it's just a DMZ box)
<morale> ah
<Roey> (but I want to protect them with personal firewalls with iptables, too)
<Roey> defense-in-depth and all that :P
<danieldg> I put the script in /etc/network/iptables, call it just before the network interfaces are brought up
<Roey> ok. BTW, you have: # Rule to allow OpenVPN traffic from cobalt.deadbolt.ca
<Roey> $IPT -A INPUT -i $EXTERNAL -p udp -d $EXTERNAL_IP -s 68.145.63.193 --dport openvpn -j ACCEPT
<Roey> $IPT -A INPUT -i $TUNNEL -s 172.16.100.0/30 -j ACCEPT
<Roey> $IPT -A INPUT -i $TUNNEL -s 172.16.200.0/24 -j ACCEPT
<morale> I'm not sure about redhat..
<Roey> let's say I want to be able to VPN in from anywhere
<Roey> can I remove the -s from line (1) there?
<morale> yeah
<Roey> ok
<Roey> what's the meaning of this:
<Roey> echo "Setting policies."
<Roey> $IPT -P FORWARD DROP
<Roey> $IPT -P INPUT DROP
<Roey> $IPT -P OUTPUT ACCEPT