> I have a Dachstein CD box with 3 ethernet cards (eth0, eth1, eth2) in it.
> For now, as I'm still doing experiments, eth0 will only be bound with 2 legal
> IP#, but if I succeed, I expect to bind many more IP# in eth0.
> Right now each legal IP# in eth0 is open only for 3 services, which are 25, 80
> and 110.
> I want to do port forwarding for those services to my servers in the DMZ network
> (eth2).
> eth1 will be used as gateway by my internal network to communicate with the
> outside world.
>
> The following is my network.conf file; please correct me if I'm doing wrong
> with it. And thank you in advance.

Comments inline...

<snip>
> eth2_IPADDR=192.168.15.5
> eth2_MASKLEN=24
> eth2_BROADCAST=+
> #eth2_ROUTES=
> #eth2_IP_SPOOF=YES
> #eth2_IP_KRNL_LOGMARTIANS=YES
> #eth2_IP_SHARED_MEDIA=NO
> #eth2_BRIDGE=NO
> #eth2_PROXY_ARP=
> #eth2_FAIRQ=NO

Everything to here looks OK

> ###############################################################################
> # NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
> ###############################################################################
> # Configured as an interface to allow flexible handling of bringing the
> # routing rules up/down in conjunction with the physical interfaces
> # interface spec is an indexed list of IP address pairs and a base priority
> # number for ip rule creation
> nat0_BASE_PRI=100                       # Unique base value for ip rules
> # Indexed list: <public IP> <private DMZ IP>
> nat0_PAIR0="202.149.81.61 192.168.15.16"
> nat0_PAIR1="202.149.81.61 192.168.15.25"
> nat0_PAIR2="202.149.81.55 192.168.15.200"

You don't need these set unless you're running a static-NAT DMZ (not what
you indicated you wanted to set up).  The nat0* settings are not hurting
anything (they have no effect unless you list nat0 in IF_AUTO or manually
bring up the virtual nat0 interface with "net ifup nat0"), but the fact that
they're uncommented could be confusing later...

<snip>

> ###############################################################################
> # IP Filter setup - can pull in settings from above
> ###############################################################################
<snip>

Down to here looks OK.

> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> EXTERN_TCP_PORTS="202.149.81.55/28_25 202.149.81.55/28_www
> 202.149.81.55/28_110 202.149.81.61/28_25 202.149.81.61/28_www
> 202.149.81.61/28_110"

This is where you control what services make it through the firewall
scripts...you've got the right idea, but you're mixing individual IP's with
a network mask (the /28 part).  So, what you've done with the above is
enabled smtp, www, and pop ports for your WHOLE IP RANGE *TWICE*.  You
should probably just drop the /28's, so the entries will default to single
host specifications (or explicitly call out a /32, if you want).

<snip>

> ###############################################################################
> # Port Forwarding
> ###############################################################################
> # Remember to open appropriate holes in the firewall rules, above
>
> # Uncomment following for port-forwarded internal services.
> # The following is an example of what should be put here.
> # Tuples are as follows:
> #       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
> INTERN_SERVERS="tcp_202.149.81.61_80_192.168.15.25_80
> tcp_202.149.81.61_smtp_192.168.15.16_smtp
> tcp_202.149.81.61_110_192.168.15.16_110
> tcp_202.149.81.55_80_192.168.15.200_80
> tcp_202.149.81.55_smtp_192.168.15.200_smtp
> tcp_202.149.81.55_110_192.168.15.200_110"

These variables, while they *CAN* port-forward services to the DMZ, are
really intended to port-forward services to your internal network.
Regardless, the fact that you define the same services to be forwarded both
here *and* in the DMZ section is an error (you can only forward a particular
port once).  I suggest commenting these, and using the DMZ settings (which
will allow your internal systems to access DMZ servers using the public IP
address).

> # These lines use the primary external IP address...if you need to port-forward
> # an aliased IP address, use the INTERN_SERVERS setting above
> #INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
> #INTERN_WWW_SERVER=192.168.15.200 # Internal WWW server to make available
> #INTERN_SMTP_SERVER=192.168.15.200 # Internal SMTP server to make available
> #INTERN_POP3_SERVER=192.168.15.200 # Internal POP3 server to make available
> #INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
> #INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
> #EXTERN_SSH_PORT=24 # External port to use for internal SSH access
>
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: "<ipmasqadm portfw options>"
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> # Indexed list: "<ipmasqadm autofw options>"
> #INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
> #INTERN_AUTOFW1=""
>
> ###############################################################################
> # DMZ setup (optional)
> ###############################################################################
> # Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
> DMZ_SWITCH=YES
> DMZ_IF="eth2"
> DMZ_NET=192.168.15.0/24
>
> # DMZ switches for all flavors except PRIVATE
>
> ###############################################################################
> # For NAT DMZ's:
> # DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
> # public IP range being NAT'd to DMZ_NET.  Any systems
> DMZ_SRC=202.149.81.48/28
>
> # For Proxy-Arp or NAT DMZ's only:
> # For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
> # specification, above, that are NOT remote systems reached via DMZ_IF must
> # be listed here.  This potentially includes IP's of this LRP system, your
> # gateway, and systems connected to your external interface.
> DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP 202.149.81.48/28"
>
> ## Both of the following should be used together - ie if you turn on
> ## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!
>
> # Allows inbound connections to high tcp ports (>1023)
> # You can also allow to specific machines using 1024: (or a smaller range)
> # as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
> DMZ_HIGH_TCP_CONNECT=NO
>
> ## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
> DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
>
> # Inbound services to allow to the DMZ
> # <protocol>_<destination IP/network>_<destination port or range>
> DMZ_OPEN_DEST="tcp_${DMZ_NET}_www
> tcp_${DMZ_NET}_smtp
> icmp_${DMZ_NET}_:
>         tcp_${DMZ_NET}_110"
>
> # PRIVATE DMZ switches
> ###############################################################################
> # Services port-forwarded to the DMZ network
> # Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
> DMZ_SERVER0="tcp 202.149.81.55 www 192.168.15.200 www"
> DMZ_SERVER1="tcp 202.149.81.55 110 192.168.15.200 110"
> DMZ_SERVER2="tcp 202.149.81.55_IP 25 192.168.15.200 25"
> DMZ_SERVER3="tcp 202.149.81.61 smtp 192.168.15.16 smtp"
> DMZ_SERVER4="tcp 202.149.81.61 www 192.168.15.25 www"
> DMZ_SERVER5="tcp 202.149.81.61 110 192.168.15.16 110"

This looks OK.

> # Allow all outbound traffic from DMZ (YES)
> # or just traffic from port-forwarded servers (NO)
> DMZ_OUTBOUND_ALL=NO

WARNING - With this set to NO, your DMZ systems will *NOT* be able to
web-browse, FTP, or generally access the internet.  Only response packets
from the port-forwarded services will be allowed out.  You almost certainly
want this to be "YES", unless you're EXTREMELY paranoid.  The masquerading
that takes place is identical to what gets set up for your internal network,
just for DMZ machines.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
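Added example, not part of this reply or of the Dachstein scripts: a small Python checker that reads a network.conf-style excerpt and reports the three points raised above, i.e. EXTERN_TCP_PORTS entries that put a network mask on a single host address (which opens the port for the whole range), a public ip/port forwarded both in INTERN_SERVERS and in a DMZ_SERVERn line, and DMZ_OUTBOUND_ALL=NO. The sample config is constructed to reproduce those mistakes; the service-name table (www, smtp, pop3) is an assumption covering only the aliases used in the thread.

```python
"""Sanity-check a Dachstein-style network.conf excerpt (added example)."""
import ipaddress
import shlex

# Constructed sample in the style of the quoted config; it is not the poster's
# file verbatim, but reproduces the same two mistakes plus DMZ_OUTBOUND_ALL=NO.
SAMPLE_CONF = '''
# TCP services open to outside world
EXTERN_TCP_PORTS="202.149.81.55/28_25 202.149.81.55/28_www
202.149.81.55/28_110 202.149.81.61_25 202.149.81.61/32_www"
INTERN_SERVERS="tcp_202.149.81.61_80_192.168.15.25_80
tcp_202.149.81.61_smtp_192.168.15.16_smtp"
DMZ_SERVER0="tcp 202.149.81.55 www 192.168.15.200 www"
DMZ_SERVER1="tcp 202.149.81.61 www 192.168.15.25 www"
DMZ_SERVER2="tcp 202.149.81.61 smtp 192.168.15.16 smtp"
DMZ_OUTBOUND_ALL=NO
'''

# Assumption: only the aliases that appear in the discussion are resolved here.
PORT_ALIASES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110}


def load_conf(text):
    """Parse shell-style KEY=value / KEY="multi-line value" lines into a dict."""
    conf = {}
    for tok in shlex.split(text, comments=True):
        if "=" in tok:
            key, val = tok.split("=", 1)
            conf[key] = val
    return conf


def port_number(port):
    """Resolve a service alias or numeric port string to an int."""
    return PORT_ALIASES[port] if port in PORT_ALIASES else int(port)


def masked_hosts(conf):
    """EXTERN_TCP_PORTS entries whose srcip/mask is a host inside a wider
    network (host bits set): the rule opens the port for the whole range.
    Returns [(entry, network the kernel would actually match)]."""
    bad = []
    for entry in conf.get("EXTERN_TCP_PORTS", "").split():
        src, _, _port = entry.rpartition("_")
        if "/" not in src:
            continue  # bare IP defaults to a single host
        net = ipaddress.ip_network(src, strict=False)
        host = ipaddress.ip_address(src.split("/", 1)[0])
        if net.prefixlen < net.max_prefixlen and host != net.network_address:
            bad.append((entry, str(net)))
    return bad


def public_forwards(conf):
    """Map (proto, public ip, port) -> list of settings that forward it,
    from INTERN_SERVERS tuples (proto_lip_lport_rip_rport) and
    DMZ_SERVERn lines ("proto lip lport rip [rport]")."""
    seen = {}
    for tup in conf.get("INTERN_SERVERS", "").split():
        proto, lip, lport = tup.split("_")[:3]
        seen.setdefault((proto, lip, port_number(lport)), []).append("INTERN_SERVERS")
    for key, val in conf.items():
        if key.startswith("DMZ_SERVER") and key[len("DMZ_SERVER"):].isdigit():
            proto, lip, lport = val.split()[:3]
            seen.setdefault((proto, lip, port_number(lport)), []).append(key)
    return seen


def duplicate_forwards(conf):
    """Public ip/port pairs forwarded more than once (each can only be forwarded once)."""
    return {k: v for k, v in public_forwards(conf).items() if len(v) > 1}


def dmz_outbound_blocked(conf):
    """True when DMZ_OUTBOUND_ALL=NO, i.e. DMZ hosts only get replies out."""
    return conf.get("DMZ_OUTBOUND_ALL", "").upper() == "NO"


def run_checks(text):
    """Run all three checks over a config text and return the findings."""
    conf = load_conf(text)
    return {
        "masked_hosts": masked_hosts(conf),
        "duplicate_forwards": duplicate_forwards(conf),
        "dmz_outbound_blocked": dmz_outbound_blocked(conf),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_CONF).items():
        print(f"{name}: {result}")
```

Run it against a copy of your own network.conf by passing the file contents to run_checks(); an empty masked_hosts list and an empty duplicate_forwards dict mean the EXTERN_TCP_PORTS and forwarding sections avoid the two errors discussed above.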
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user