Hello,

I've been trying to build a simple firewall with a DMZ for a
web server.
x.x.x.x is the local single static IP, y.y.y.y is the gateway IP,
and z.z.z.z is the broadcast.
Outward access is working (IP and DNS). Currently the DNS servers
I use are the cable modem company's, and they work just fine,
for now. I can download packages and ebuilds just fine. Access
to the mail servers outside the network works just fine.

Note: I have an OpenBSD firewall with a DMZ & web server, and all
works just fine. It's disconnected while I try to get this Gentoo
firewall working with the same web server and other LAN components.

Following this simple example:
http://www.gentoo.org/doc/en/home-router-howto.xml

Here's what I did to add a DMZ based web server:

A. Three Ethernet interfaces are set up via ifconfig and are working.

B. /etc/conf.d/net
        I added these lines:
  iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
  iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
  iface_eth2="x.x.x.x broadcast z.z.z.z netmask 255.255.255.252"
  routes_eth2=( "default gw y.y.y.y" )

C. And here's the iptables portion:
Start with 'iptables -F' and 'iptables -t nat -F'

  export LAN=eth0
  export DMZ=eth1
  export WAN=eth2
  # Accept anything arriving from the LAN and from loopback
  iptables -I INPUT 1 -i ${LAN} -j ACCEPT
  iptables -I INPUT 1 -i lo -j ACCEPT
  # Refuse DHCP and DNS requests that arrive on non-LAN interfaces
  # (current iptables wants the negation before the option: "! -i")
  iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
  iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
  # Drop everything else aimed at privileged ports from non-LAN interfaces
  iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
  iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
  # LAN traffic: drop anything bound for a 192.168.x.x net, forward the rest
  iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
  iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
  # Forward traffic from the WAN that is destined for the private nets
  iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
  # Masquerade everything leaving through the WAN interface
  iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
  # Redirect inbound port 80 on the WAN to the DMZ web server
  iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

D. Next:
  echo 1 > /proc/sys/net/ipv4/ip_forward
  for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

E. And finishing with:
  /etc/init.d/iptables save
  rc-update add iptables default
  vi /etc/sysctl.conf
Add/uncomment the following lines:
  net.ipv4.ip_forward = 1
  net.ipv4.conf.default.rp_filter = 1

Questions
Step C: Question 1:

The rule I added:
  iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

does not give access to the web server, either from the outside
internet or from the internal LAN. Can somebody fix the rule
or tell me what I've done wrong or what is additionally needed?

Here are the error messages:
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `DNAT'

Question 2:
Where are the config files built by iptables (filter, nat, mangle,
raw), and is it OK to just edit these manually, trying various rules
and testing the results? Any other files to edit directly?

I've read about Shorewall, but I prefer to directly edit these
files (and any others I have missed) while I learn/test the features
of iptables/netfilter. Shorewall or any other GUI is for later, when
I've developed a certain confidence via understanding how
iptables/netfilter works.

This is only a simple network I'm setting up, mostly to learn about
iptables/netfilter. Any help or comments are appreciated. I intend
to slowly add features and rules and to test along the way, so as
to satisfy my curiosity while learning firewalling on Linux-based
systems.

James

-- 
gentoo-user@gentoo.org mailing list
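An added example, not from James's post or the Gentoo how-to, of the same three-interface DMZ written as one reviewable iptables-restore file: it supplies the FORWARD rules that a DNAT alone does not, and uses `set -u` so an empty ${WAN} fails loudly instead of letting `-i` take `-j` as an interface name, which is the symptom the quoted error shows. Assumed layout: LAN eth0 192.168.2.0/24, DMZ eth1 192.168.3.0/24, WAN eth2, web server 192.168.3.11 on a host separate from the firewall's own eth1 address.

```shell
#!/bin/sh
# Added example, not the original post's script: emit a complete three-interface
# DMZ ruleset in iptables-restore format so it can be reviewed as a file and
# loaded atomically. Assumed layout: LAN=eth0 (192.168.2.0/24), DMZ=eth1
# (192.168.3.0/24, web server 192.168.3.11), WAN=eth2.
set -eu

LAN=eth0; DMZ=eth1; WAN=eth2
LAN_NET=192.168.2.0/24; DMZ_NET=192.168.3.0/24; WEB=192.168.3.11

# Under `set -u` an unset interface variable aborts the script instead of
# letting `-i` swallow the next token (`-j`) as an interface name.
dmz_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish only port 80 of the DMZ web server on the WAN address
-A PREROUTING -i ${WAN} -p tcp --dport 80 -j DNAT --to-destination ${WEB}
# Hide LAN and DMZ behind the single static WAN address
-A POSTROUTING -o ${WAN} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN} -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNAT only rewrites the destination; FORWARD must still admit the packet
-A FORWARD -i ${WAN} -o ${DMZ} -d ${WEB} -p tcp --dport 80 -j ACCEPT
# LAN clients reach the web server by its DMZ address and nothing else there
-A FORWARD -i ${LAN} -o ${DMZ} -d ${WEB} -p tcp --dport 80 -j ACCEPT
-A FORWARD -i ${LAN} -o ${DMZ} -j DROP
-A FORWARD -i ${LAN} -s ${LAN_NET} -o ${WAN} -j ACCEPT
# The DMZ host may fetch updates but never initiate into the LAN
-A FORWARD -i ${DMZ} -o ${LAN} -j DROP
-A FORWARD -i ${DMZ} -s ${DMZ_NET} -o ${WAN} -j ACCEPT
COMMIT
EOF
}

# Check the syntax without touching the live tables, then load for real:
#   dmz_ruleset | iptables-restore --test
#   dmz_ruleset | iptables-restore
dmz_ruleset
```

On Gentoo, `/etc/init.d/iptables save` writes this same format to the file named by IPTABLES_SAVE in /etc/conf.d/iptables (/var/lib/iptables/rules-save by default), which is the file Question 2 asks about.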