Re: some questions regarding netfilter theory

Philipp Snizek mailinglists@belfin.ch
Mon, 8 Oct 2001 14:21:10 +0200


> Hi all.
>
> I started working with iptables some days ago and would like to know
> if I am right with the assumptions described below.
>
> I want to set up a firewall router with three network interfaces. One
> interface for connection to the Internet (eth0), one for the
> connection of a webserver in the DMZ (eth1), one for the intranet
> (eth2). We have only one assigned official IP, which should be used
> for the webserver as well as the intranet's internet access.
>
> What I did until now:
> I set up DNAT for every protocol that is served by the webserver and
> should be reachable from the internet. This is http, https, smtp and
> pop3. I used SNAT for the traffic that comes from the intranet and
> should go to the internet. And I set up some rules for accessing the
> DMZ out of the intranet.
>
> My questions:
> 1. Will the above described scenario work (I want to avoid the
> try'n'error experience)? Any pitfalls to have a look at?

Yes, it will, as long as you work with http(s)://ipaddress.of.your.server instead of
http(s)://www.blabla.com (or whatever).
To avoid this, set up a DNS server on the same box.

> 2. Having a look at the DNAT case for the services in the DMZ, is the
> following correct? Let's assume a http-packet arrives for the official
> ip. The firewall applies the DNAT rule and rewrites the destination
> address of the packet so that the destination ip will be the ip of the
> webserver. After that the routing decision is made for this packet. It
> will be put in the forward chain, as it is not destined to one of the
> local ip addresses.

AFAIK, yes

> In order to allow the passing of this packet there has to be a rule
> that allows passing ip packets for port 80 from the interface eth0 to
> the interface eth1. Correct?

Maybe this may help you (taken from the NAT-Howto
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html):

The classic case is that internal staff try to access your `public' web server, which is actually
DNAT'ed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:

# iptables -t nat -A PREROUTING -d 1.2.3.4 \
        -p tcp --dport 80 -j DNAT --to 192.168.1.1

I think that's what you wanna do, don't you?

> In order to enable replies to the described packet I have to set up a
> rule in the forward chain that allows passing http packets from eth1
> to eth0 having states "established" or "related". I do not need
> additional SNAT rules for packets that are a reply to a formerly
> received packet, as the rewrite of the sender address in these packets
> will be handled automatically by the connection tracking. Correct, too?

Can't tell you, have never done it before. Sorry. Can somebody else answer that?

> 3. I must load the conntrack modules by hand on startup of the
> firewall/router in order to enable passing ftp transfer between the
> internet and the intranet. Right? Is there anything else that has to
> be done for this task?

Load these modules for ftp:
ip_nat_ftp
ip_conntrack_ftp

You can say what ftp ports these modules shall use. Define it by adding ports=684,whateveryouwant.
Unfortunately I have not found out how to implement a range of ports.

Load this module for "normal" stuff:
ip_conntrack

I was only playing with passive ftp. I don't know about active ftp. From my point of view you should
use pasv ftp because the ftp server does not sync with your firewalling host but your fw-host syncs
with the ftp server. If you're going to use pasv-ftp, open up ports 21,20,1024: for incoming and
outgoing traffic on $waneth for -t nat PREROUTING (if used) and -t filter FORWARD. Do not
use --state NEW for this kind of pasv-ftp. There aren't any new connections. It's enough if you
say -s your.network -d ! your.network --state ESTABLISHED,RELATED.

HTH

Philipp
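
The three-interface setup from the question, written out as an added example (not part of the original message or of the NAT-HOWTO): a script that prints a ruleset in iptables-restore format. It shows that the FORWARD rules match the web server's address after DNAT, and that one ESTABLISHED,RELATED rule covers the replies, since connection tracking reverses the NAT on them without an extra SNAT rule. The intranet subnet 192.168.2.0/24, the variable names and the function name print_ruleset are assumptions.

```shell
#!/bin/sh
# Constructed values: interface roles follow the question (eth0 Internet,
# eth1 DMZ, eth2 intranet); 1.2.3.4 and 192.168.1.1 are the HOWTO's sample
# addresses; the intranet subnet is an assumption.
WAN=eth0; DMZ=eth1; LAN=eth2
PUBLIC_IP=1.2.3.4
WEB_IP=192.168.1.1
LAN_NET=192.168.2.0/24
SERVICES="80 443 25 110"   # http, https, smtp, pop3

print_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for port in $SERVICES; do
        # The destination is rewritten here, before the routing decision.
        echo "-A PREROUTING -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $WEB_IP"
    done
    # Only connections opened from the intranet need an explicit SNAT rule.
    echo "-A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUBLIC_IP"
    echo "COMMIT"
    echo "*filter"
    # Default deny; no management access to the firewall itself is opened here.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Replies in both directions; conntrack undoes DNAT/SNAT on them.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $SERVICES; do
        # FORWARD sees the post-DNAT address, so match WEB_IP, not PUBLIC_IP.
        for in_if in $WAN $LAN; do
            echo "-A FORWARD -i $in_if -o $DMZ -d $WEB_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

print_ruleset
```

The output is meant to be reviewed first and then loaded as root with iptables-restore.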