* [Fwd: Server machines behind Firewall]
From: edwardspl @ 2005-01-07 15:07 UTC (permalink / raw)
  To: netfilter


From: edwardspl@ita.org.mo
To: Jason Opperisano <opie@817west.com>
Cc: "netfilter@lists.netfilter.org" <netfilter@lists.netfilter.org>
Subject: Re: Server machines behind Firewall
Date: Fri, 07 Jan 2005 22:48:19 +0800
Message-ID: <41DEA133.8319FDDD@ita.org.mo>

Jason Opperisano wrote:

> On Thu, Jan 06, 2005 at 12:14:16AM +0800, edwardspl@ita.org.mo wrote:
> > Dear All,
> >
> > Is there a sample ( nat scripts ) for the title ?
>
> EXT_IF="eth0"
> INT_IF="eth1"
> SRV1="10.1.1.10"
>
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
>   -j DNAT --to-destination $SRV1

I want to know why we needn't define the original IP ( Public IP ) ?
eg :

iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s 202.175.xxx.xxx --dport
80 \
  -j DNAT --to-destination 192.168.xxx.xxx

Sorry, what is useful about the following function ( command line ) ?

> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
>   --dport 80 -j ACCEPT

In addition, if I want to setup a NAT ( 192.168.101.0/24 ) with a Server
machines ( 192.168.100.1 ) behind Firewall...
So, is there more than one sample ( nat scripts ) for reference ?

Edward.

* Re: [Fwd: Server machines behind Firewall]
From: Jason Opperisano @ 2005-01-07 15:27 UTC (permalink / raw)
  To: netfilter

On Fri, Jan 07, 2005 at 11:07:10PM +0800, edwardspl@ita.org.mo wrote:
> > EXT_IF="eth0"
> > INT_IF="eth1"
> > SRV1="10.1.1.10"
> >
> > iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
> >   -j DNAT --to-destination $SRV1
> 
> I want to know why we needn't define the original IP ( Public IP ) ?
> eg :
> 
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s 202.175.xxx.xxx --dport
> 80 \
>   -j DNAT --to-destination 192.168.xxx.xxx

you can; if the original, public IP is different from the firewall's
external IP.  if you want to specify the original DESTINATION of the
packet, you would use "-d" not "-s" like so:

  iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUB_IP \
    --dport 80 -j DNAT --to-destination $SRV1

> Sorry, what is useful about the following function ( command line ) ?
> 
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> >   --dport 80 -j ACCEPT

um--it allows the packet through the FORWARD chain of the filter table.
remember--you're trying to build a firewall here.

> In addition, if I want to setup a NAT ( 192.168.101.0/24 ) with a Server
> machines ( 192.168.100.1 ) behind Firewall...
> So, is there more than one sample ( nat scripts ) for reference ?

go read everything linked from the netfilter home page in the docs
section:

  http://netfilter.org/documentation/index.html

-j

--
"Dear Mr. President, there are too many states nowadays, please
 eliminate three. I am not a crackpot."
        --The Simpsons

* Re: [Fwd: Server machines behind Firewall]
From: Jason Opperisano @ 2005-01-07 15:43 UTC (permalink / raw)
  To: netfilter

On Fri, Jan 07, 2005 at 11:45:32PM +0800, edwardspl@ita.org.mo wrote:
> Jason Opperisano wrote:
> 
> > > Sorry, what is useful about the following function ( command line ) ?
> > >
> > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> > > >   --dport 80 -j ACCEPT
> >
> > um--it allows the packet through the FORWARD chain of the filter table.
> > remember--you're trying to build a firewall here.
> 
> So, must I enable this kind of function for using the Firewall ?

if you want your machine to be an actual firewall, yes.  if you're
building a NAT router--then no.

-j

--
"I bent my wookie."
        --The Simpsons

* Re: [Fwd: Server machines behind Firewall]
From: edwardspl @ 2005-01-07 15:45 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

Jason Opperisano wrote:

> > Sorry, what is useful about the following function ( command line ) ?
> >
> > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> > >   --dport 80 -j ACCEPT
>
> um--it allows the packet through the FORWARD chain of the filter table.
> remember--you're trying to build a firewall here.

So, must I enable this kind of function for using the Firewall ?

* Re: [Fwd: Server machines behind Firewall]
From: R. DuFresne @ 2005-01-07 21:09 UTC (permalink / raw)
  To: edwardspl; +Cc: netfilter

On Fri, 7 Jan 2005 edwardspl@ita.org.mo wrote:

> Jason Opperisano wrote:
> 
> > > Sorry, what is useful about the following function ( command line ) ?
> > >
> > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> > > >   --dport 80 -j ACCEPT
> >
> > um--it allows the packet through the FORWARD chain of the filter table.
> > remember--you're trying to build a firewall here.
> 
> So, must I enable this kind of function for using the Firewall ?

unless the firewall(ed) system is a stand alone <no other systems on the
network> then yes, if you wish to forward or pass traffic to the internet
and the other systems.  A stand alone box with a firewall can get by with
just input and output rules.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>

* Re: [Fwd: Server machines behind Firewall]
From: edwardspl @ 2005-01-08  4:39 UTC (permalink / raw)
  To: R. DuFresne; +Cc: netfilter

"R. DuFresne" wrote:

> On Fri, 7 Jan 2005 edwardspl@ita.org.mo wrote:
>
> > Jason Opperisano wrote:
> >
> > > > Sorry, what is useful about the following function ( command line ) ?
> > > >
> > > > > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> > > > >   --dport 80 -j ACCEPT
> > >
> > > um--it allows the packet through the FORWARD chain of the filter table.
> > > remember--you're trying to build a firewall here.
> >
> > So, must I enable this kind of function for using the Firewall ?
>
> unless the firewall(ed) system is a stand alone <no other systems on the
> network> then yes, if you wish to forward or pass traffic to the internet
> and the other systems.  A stand alone box with a firewall can get by with
> just input and output rules.

Actually, there is only one machine for me to set up a system ( network ) for
Internet...
So, I'm planning the following functions with a single machine :
Firewall + Internet Server ( eg : DNS, WWW, Mail , FTP behind Firewall ) + NAT
( for other PCs / Clients connect to Internet ).

PS : There are TWO Network Interfaces with the single machine ( I think one port
connects with leased line / broadband, another port with HUB to other
Clients )

Is there a sample nat script for using the multi-functions ?

Edward.
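The thread never gets a complete script, so here is an added example (not from any of the posters) that combines the three points raised above: Jason's port-forward rule written with `-d $PUB_IP` rather than `-s`, his FORWARD `ACCEPT` rule with a deny-by-default FORWARD policy (which is what makes the box a firewall rather than a plain NAT router), and Edward's final two-interface layout with NAT for the client network plus a server behind the firewall. Interface names, addresses (TEST-NET-3 for the public IP), the list of local services, and the conntrack and MASQUERADE rules are all assumptions; by default `IPT` is `echo iptables`, so the script only prints the rule set and can be reviewed without root.

```shell
#!/bin/sh
# Added example, not a script from the thread. One machine acting as
# firewall + NAT router + port-forwarder to an internal server, with two
# interfaces as Edward describes. Interface names and addresses are
# assumed placeholders. By default the rules are only printed (IPT is
# "echo iptables"); run with IPT=iptables SYSCTL=sysctl to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

EXT_IF="eth0"             # leased line / broadband side
INT_IF="eth1"             # hub side, towards the clients (assumed to reach SRV1 too)
PUB_IP="203.0.113.10"     # the firewall's own public IP (TEST-NET-3, assumed)
LAN="192.168.101.0/24"    # client network that is NATed out
SRV1="192.168.100.1"      # internal web server reached through DNAT
LOCAL_TCP_SERVICES="53 25"   # services the firewall machine itself offers (DNS, SMTP)

# Deny-by-default policies. A FORWARD policy of DROP is what turns the box
# from a plain NAT router into a firewall: nothing is passed between the
# interfaces unless a rule below says so. Established connections are
# admitted once, here, so each service rule only has to cover the first packet.
base_policy() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Services running on the firewall machine itself (INPUT chain).
local_services() {
    for port in $LOCAL_TCP_SERVICES; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
}

# Port forward to the server behind the firewall. The PREROUTING rule
# matches the ORIGINAL DESTINATION with -d (Jason's point); -s would
# instead restrict the forward to one client's source address. The FORWARD
# rule admits the first packet (--syn); the rest of the connection and the
# replies are covered by the conntrack rule in base_policy.
dnat_web_server() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$SRV1"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn -d "$SRV1" \
        --dport 80 -j ACCEPT
}

# NAT for the clients on the hub: enable forwarding, let their new
# connections out, and masquerade them behind the external interface.
lan_masquerade() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Emit (or apply) the whole rule set in order.
build_rules() {
    base_policy
    local_services
    dnat_web_server
    lan_masquerade
}

build_rules
```

Run it as-is to see the full rule list, then with `IPT=iptables SYSCTL=sysctl` as root to load it. FTP is deliberately left out of the local services: passive-mode FTP needs the conntrack FTP helper on top of a port rule, which is a separate topic.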