Hi,
I've been trying to configure the LEAF Dachstein CD to firewall 5 IP
addresses. I have tried several configurations but cannot get the
beast to work. I have changed the IPs and removed the comments to
make this a shorter message... I hope those who may help are okay with
this.
Here is what I have:
Router/firewall with 3 NICs.
Five (5) class C static IPs, i.e. 231.123.123.242:245
ISP Gateway 231.123.123.246
2 servers on DMZ
192.168.71.242 WWW & SSH
192.168.71.243 SSH (SQL for WWW)
What I'm trying to do is this:
DMZ the two servers
NAT to workstations on 192.168.70.0/24 (each w/static IP)
With the following configuration, I get an ipchains table which I
have condensed and added below. I have removed the packet counts and
the logging options except for the one '!y' in the forwarding
section. When I test this and other configs, using
ipchains -C -p tcp -i eth0 -s 0.0.0.0 www 231.123.123.242 www
I get a deny, even though the chains list shows
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80
I'm thinking the problem is a line lower down which states:
DENY all eth0 0/0 0/0 n/a
Soooo, have I messed up and not set something right or am I just a
loonie and should go back to some basket weaving... or is there a
problem with a script (I tried to figure them out but I have a ways
to go before I get into that).
Thanks in advance for any and all assistance!
Scott
------- begin naked /etc/network.conf -------------
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
IF_AUTO="eth0 eth1 eth2"
IF_LIST="$IF_AUTO"
ALLIF_ACCEPT_REDIRECTS=YES
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=NO
BRG_EXEMPT_PROTOS=""
eth0_IPADDR=231.123.123.241
eth0_MASKLEN=29
eth0_BROADCAST=+
eth0_DEFAULT_GW=231.123.123.241
eth0_IP_EXTRA_ADDRS="231.123.123.242
231.123.123.243
231.123.123.244
231.123.123.245"
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO
eth1_IPADDR=192.168.70.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
eth2_IPADDR=192.168.71.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO
IPFILTER_SWITCH=firewall
SNMP_BLOCK=YES
MRK_CRIT=1
MRK_IA=2
EXTERN_IF="eth0"
EXTERN_DHCP=NO
# nothing added via this mechanism _yet_
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output
# open external ports
EXTERN_ICMP_PORT0="0/0 : 192.168.70.0/24"
EXTERN_ICMP_PORT1="0/0 : 192.168.71.0/24"
EXTERN_UDP_PORTS="0/0_domain"
EXTERN_TCP_PORT0="0/0 53 231.123.123.0/24"
EXTERN_TCP_PORT1="0/0 80 231.123.123.242"
EXTERN_TCP_PORT2="0/0 22 231.123.123.242"
EXTERN_TCP_PORT3="0/0 222 231.123.123.243"
INTERN_IF="eth1"
INTERN_NET=192.168.70.0/24
INTERN_IP=192.168.70.254
MASQ_SWITCH=YES
NOMASQ_DEST="tcp_0/0_ssh"
NOMASQ_DEST_BYPASS="tcp_231.123.123.240/29_ssh"
DMZ_SWITCH=YES
DMZ_IF="eth2"
DMZ_NET=192.168.71.0/24
DMZ_SRC=231.123.123.240/29
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
tcp_${DMZ_NET}_22
tcp_192.168.71.242_80"
DMZ_SERVER0="udp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.71.242 domain"
DMZ_SERVER2="tcp 231.123.123.242 www 192.168.71.242 www"
DMZ_SERVER3="tcp 231.123.123.242 ssh 192.168.71.242 ssh"
DMZ_SERVER4="tcp 231.123.123.243 222 192.168.71.243 22"
DMZ_OUTBOUND_ALL=YES
------- end naked /etc/network.conf -------------
------- begin ipchains -L -n -v > compressed.txt -------------
Chain input
target prot ifname source dest ports
DENY icmp * 0/0 0/0 5 -> *
DENY icmp * 0/0 0/0 13 -> *
DENY icmp * 0/0 0/0 14 -> *
DENY all eth0 0.0.0.0 0/0 n/a
DENY all eth0 255.255.255.255 0/0 n/a
DENY all eth0 127.0.0.0/8 0/0 n/a
DENY all eth0 224.0.0.0/4 0/0 n/a
DENY all eth0 10.0.0.0/8 0/0 n/a
DENY all eth0 172.16.0.0/12 0/0 n/a
DENY all eth0 192.168.0.0/16 0/0 n/a
DENY all eth0 0.0.0.0/8 0/0 n/a
DENY all eth0 128.0.0.0/16 0/0 n/a
DENY all eth0 191.255.0.0/16 0/0 n/a
DENY all eth0 192.0.0.0/24 0/0 n/a
DENY all eth0 223.255.255.0/24 0/0 n/a
DENY all eth0 240.0.0.0/4 0/0 n/a
DENY all eth0 192.168.70.0/24 0/0 n/a
DENY all eth0 192.168.71.0/24 0/0 n/a
DENY all eth0 231.123.123.241 0/0 n/a
DENY all eth0 231.123.123.242 0/0 n/a
DENY all eth0 231.123.123.243 0/0 n/a
DENY all eth0 231.123.123.244 0/0 n/a
DENY all eth0 231.123.123.245 0/0 n/a
REJECT all eth0 0/0 127.0.0.0/8 n/a
REJECT all eth0 0/0 192.168.70.0/24 n/a
REJECT tcp eth0 0/0 0/0 * -> 137
REJECT tcp eth0 0/0 0/0 * -> 135
REJECT udp eth0 0/0 0/0 * -> 137
REJECT udp eth0 0/0 0/0 * -> 135
REJECT tcp eth0 0/0 0/0 * -> 138:139
REJECT udp eth0 0/0 0/0 * -> 138
REJECT udp eth0 0/0 0/0 137:138 -> *
REJECT udp eth0 0/0 0/0 135 -> *
REJECT tcp eth0 0/0 0/0 137:139 -> *
REJECT tcp eth0 0/0 0/0 135 -> *
ACCEPT all eth0 0/0 192.168.71.0/24 n/a
ACCEPT tcp eth0 0/0 231.123.123.0/24 * -> 53
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 22
ACCEPT tcp eth0 0/0 231.123.123.243 * -> 222
REJECT tcp eth0 0/0 0/0 * -> 113
ACCEPT tcp eth0 0/0 0/0 * -> 1024:65535
REJECT udp eth0 0/0 0/0 * -> 161:162
ACCEPT udp eth0 0/0 0/0 * -> 53
DENY udp eth0 0/0 0/0 * -> 67
ACCEPT udp eth0 0/0 0/0 * -> 1024:65535
ACCEPT icmp eth0 0/0 0/0 * -> *
ACCEPT icmp eth0 0/0 192.168.70.0/24 * -> *
ACCEPT icmp eth0 0/0 192.168.71.0/24 * -> *
ACCEPT ospf eth0 0/0 0/0 n/a
DENY all eth0 0/0 0/0 n/a
REJECT udp * 0/0 0/0 * -> 161:162
REJECT udp * 0/0 0/0 161:162 -> *
ACCEPT all * 0/0 0/0 n/a
Chain forward
target prot ifname source dest ports
DENY icmp * 0/0 0/0 5 -> *
MASQ tcp * 192.168.70.0/24 231.123.123.240/29 * -> 22
REJECT tcp * 192.168.70.0/24 0/0 * -> 22
MASQ all eth2 192.168.70.0/24 192.168.71.0/24 n/a
REJECT tcp eth2 0/0 192.168.71.0/24 * -> 6000:6004
REJECT tcp eth2 0/0 192.168.71.0/24 * -> 7100
ACCEPT udp eth2 0/0 192.168.71.0/24 * -> 53
ACCEPT tcp eth2 0/0 192.168.71.0/24 * -> 53
ACCEPT icmp eth2 0/0 192.168.71.0/24 * -> *
ACCEPT tcp eth2 0/0 192.168.71.0/24 * -> 22
ACCEPT tcp eth2 0/0 192.168.71.242 * -> 80
ACCEPT tcp !y eth2 0/0 192.168.71.0/24 * -> 1024:65535
ACCEPT icmp eth2 0/0 192.168.71.0/24 * -> *
ACCEPT tcp eth0 192.168.71.0/24 0/0 * -> *
ACCEPT icmp eth0 192.168.71.0/24 0/0 * -> *
ACCEPT udp eth0 192.168.71.0/24 0/0 53 -> *
MASQ udp eth0 192.168.71.0/24 0/0 * -> *
MASQ all eth0 192.168.70.0/24 0/0 n/a
DENY all eth2 0/0 192.168.71.0/24 n/a
DENY all * 0/0 0/0 n/a
Chain output
target prot ifname source dest ports
fairq all * 0/0 0/0 n/a
DENY all eth0 0.0.0.0 0/0 n/a
DENY all eth0 255.255.255.255 0/0 n/a
DENY all eth0 127.0.0.0/8 0/0 n/a
DENY all eth0 224.0.0.0/4 0/0 n/a
DENY all eth0 10.0.0.0/8 0/0 n/a
DENY all eth0 172.16.0.0/12 0/0 n/a
DENY all eth0 192.168.0.0/16 0/0 n/a
DENY all eth0 0.0.0.0/8 0/0 n/a
DENY all eth0 128.0.0.0/16 0/0 n/a
DENY all eth0 191.255.0.0/16 0/0 n/a
DENY all eth0 192.0.0.0/24 0/0 n/a
DENY all eth0 223.255.255.0/24 0/0 n/a
DENY all eth0 240.0.0.0/4 0/0 n/a
DENY all eth0 192.168.70.0/24 0/0 n/a
REJECT tcp eth0 0/0 0/0 * -> 137
REJECT tcp eth0 0/0 0/0 * -> 135
REJECT udp eth0 0/0 0/0 * -> 137
REJECT udp eth0 0/0 0/0 * -> 135
REJECT tcp eth0 0/0 0/0 * -> 138:139
REJECT udp eth0 0/0 0/0 * -> 138
REJECT udp eth0 0/0 0/0 137:138 -> *
REJECT udp eth0 0/0 0/0 135 -> *
REJECT tcp eth0 0/0 0/0 137:139 -> *
REJECT tcp eth0 0/0 0/0 135 -> *
ACCEPT all * 0/0 0/0 n/a
Chain dmzSpoof
target prot ifname source dest ports
RETURN all * 231.123.123.241 0/0 n/a
RETURN all * 231.123.123.241 0/0 n/a
DENY all * 0/0 0/0 n/a
Chain dmzIn
target prot ifname source dest ports
RETURN all * 0/0 231.123.123.241 n/a
RETURN all * 0/0 231.123.123.241 n/a
ACCEPT all * 0/0 0/0 n/a
Chain fairq
target prot ifname source dest ports
RETURN ospf * 0/0 0/0 n/a
RETURN ospf * 0/0 0/0 n/a
RETURN udp * 0/0 0/0 * -> 520
RETURN udp * 0/0 0/0 520 -> *
RETURN tcp * 0/0 0/0 * -> 179
RETURN tcp * 0/0 0/0 179 -> *
RETURN tcp * 0/0 0/0 * -> 53
RETURN tcp * 0/0 0/0 53 -> *
RETURN udp * 0/0 0/0 * -> 53
RETURN udp * 0/0 0/0 53 -> *
RETURN tcp * 0/0 0/0 * -> 23
RETURN tcp * 0/0 0/0 23 -> *
RETURN tcp * 0/0 0/0 * -> 22
RETURN tcp * 0/0 0/0 22 -> *
------- end ipchains -L -n -v > compressed.txt -------------
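As an added example (not part of the original post), a small first-match walker over an excerpt of the posted input chain: it reports which rule a test packet hits first, so a deny can be traced to the rule that actually produced it instead of being attributed to the trailing catch-all. The excerpt is constructed from the listing above, the column layout is assumed to be target prot ifname source dest ports, and 198.51.100.7 is a constructed routable source address.

```python
import ipaddress

# Constructed excerpt of the posted "Chain input" listing (ipchains -L -n -v
# with counters stripped); columns assumed: target prot ifname source dest ports
INPUT_CHAIN = """\
DENY all eth0 0.0.0.0 0/0 n/a
DENY all eth0 192.168.0.0/16 0/0 n/a
DENY all eth0 0.0.0.0/8 0/0 n/a
DENY all eth0 231.123.123.242 0/0 n/a
REJECT tcp eth0 0/0 0/0 * -> 137
ACCEPT all eth0 0/0 192.168.71.0/24 n/a
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 80
ACCEPT tcp eth0 0/0 231.123.123.242 * -> 22
ACCEPT tcp eth0 0/0 0/0 * -> 1024:65535
DENY all eth0 0/0 0/0 n/a
ACCEPT all * 0/0 0/0 n/a
"""

def _net(spec):
    # "0/0" is ipchains shorthand for any address; a bare host address is a /32
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def _port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")  # single port or lo:hi range
    return int(lo) <= port <= int(hi or lo)

def parse_chain(text):
    rules = []
    for line in text.splitlines():
        f = line.split()
        target, prot, ifname, src, dst = f[:5]
        ports = " ".join(f[5:])
        sport, dport = ("*", "*") if ports == "n/a" else [p.strip() for p in ports.split("->")]
        rules.append((target, prot, ifname, _net(src), _net(dst), sport, dport))
    return rules

def first_match(rules, prot, ifname, src, dst, sport, dport):
    """Walk the chain top to bottom, as the kernel does; return (index, target) of the first hit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (target, rprot, rif, rsrc, rdst, rsp, rdp) in enumerate(rules):
        if rprot not in ("all", prot) or rif not in ("*", ifname):
            continue
        if s in rsrc and d in rdst and _port_ok(rsp, sport) and _port_ok(rdp, dport):
            return i, target
    return None, "chain policy"

def check_posted_packet(src):
    # The posted test: tcp on eth0 to 231.123.123.242 port 80 (www), varying only the source
    return first_match(parse_chain(INPUT_CHAIN), "tcp", "eth0", src, "231.123.123.242", 80, 80)

if __name__ == "__main__":
    for src in ("0.0.0.0", "198.51.100.7"):
        print(src, "->", check_posted_packet(src))
```

Run it with the posted source of 0.0.0.0 and with a routable source to see that the two walks stop at different rules.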
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user