AW: AW: some questions regarding netfilter theory
Philipp Snizek
mailinglists@belfin.ch
Mon, 8 Oct 2001 15:32:07 +0200
Hi Mike,
> >> 1. Will the above described scenario work (I want to avoid the
> >> try'n'error experience)? Any pitfalls to have a look at?
> > Yes, it will as long as you work with
> > http(s)://ipaddress.of.your.server instead of
> > http(s)://www.blabla.com
> > (or whatever). To avoid this, set up a dns server on the same
> > box.
>
> Maybe I should have mentioned that the official IP (which is static) is
> assigned to a domain name, and already works for the webserver (which is
> currently the only box using the internet connection). When the setup
> will be switched to the scenario described in my last mail, the DNS will
> still show up for the correct IP, with the only difference that the
> public services will be redirected to the server within the DMZ, having
> an intranet IP.
Ah, ok.
> >> In order to allow the passing of this packet there has to be a rule
> >> that allows passing ip packets for port 80 from the interface eth0
> >> to the interface eth1. Correct?
> > The classic case is that internal staff try to access your `public'
> > web server, which is actually DNAT'ed from the public address
> > (1.2.3.4) to an internal machine (192.168.1.1), like so:
> >
> > # iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 \
> >     -j DNAT --to 192.168.1.1
> >
> > I think that's what you wanna do, don't you?
>
> This is what should be done, with the restriction that just and only the
> necessary ports should be DNATed. Any other port should be blocked,
> sometimes with and sometimes without adding a note in the system log.
Yes, of course. You can do that on the PREROUTING rule or on the FORWARD rule, both inbound from inet
to $waneth. Since these are no local processes, you can't do it on the INPUT rule.
> > Load these modules for ftp:
> > ip_nat_ftp
> > ip_conntrack_ftp
> >
> > You can say what ftp ports these modules shall use. Define it by
> > adding ports=684,whateveryouwant.
> > Unfortunately I have not found out how to implement a range of ports.
>
> Is this for incoming or for outgoing ftp transfers?
Outgoing.
> In case of ftp I
> just need to SNAT ftp-traffic
Yes.
> that is initialized by hosts in the
> intranet. There is no public available ftp server within the dmz.
It's not about public ftp servers but about how your lan clients connect to inet ftp servers. You
can use active or passive ftp. Active means that the ftp server connects to your firewalling host
for ftp-data transfers, thus you must accept syn packets on $waneth. Passive ftp means that your
firewalling host connects to the ftp server for ftp-data transfers, thus you can drop syn packets on
$waneth but must open ports 1024:65535.
> Bye, Mike
>
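The points discussed in this thread (DNAT only the published ports to the DMZ host, block and optionally log everything else arriving on the internet interface, SNAT the intranet out, and load the FTP helper modules for outbound FTP) fit into one short rule script. The script below is an added example, not code from either poster; 1.2.3.4 and 192.168.1.1 are the placeholder addresses used in the thread, while the interface names and the intranet range 192.168.2.0/24 are assumptions. It prints the commands by default (DRY_RUN=1) so the rule order can be checked before anything is applied.

```shell
#!/bin/sh
# Added example: rule set for the thread's scenario, for 2.4-era iptables.
# Interface names, LAN range and FTP control ports are assumptions.
WANETH="${WANETH:-eth0}"                 # towards the internet
DMZETH="${DMZETH:-eth1}"                 # towards the DMZ
LANETH="${LANETH:-eth2}"                 # towards the intranet (assumed)
PUBLIC_IP="${PUBLIC_IP:-1.2.3.4}"        # static public address (placeholder)
WEB_DMZ="${WEB_DMZ:-192.168.1.1}"        # DMZ web server (placeholder)
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # intranet range (assumed)
FTP_PORTS="${FTP_PORTS:-21,684}"         # control ports the FTP helper tracks
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# load_ftp_helpers: conntrack and NAT helpers for outbound FTP.
# ports= is a comma-separated list; the modules take no port ranges.
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp ports="$FTP_PORTS"
    run modprobe ip_nat_ftp ports="$FTP_PORTS"
}

# allow_established: replies and helper-recognised data channels pass.
# This covers both active and passive FTP data connections, so no blanket
# 1024:65535 hole is needed once the helpers are loaded.
allow_established() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# public_web: DNAT only the published ports (80, 443) to the DMZ host and
# let exactly those packets cross from $WANETH to $DMZETH.
public_web() {
    for port in 80 443; do
        run iptables -t nat -A PREROUTING -i "$WANETH" -d "$PUBLIC_IP" \
            -p tcp --dport "$port" -j DNAT --to-destination "$WEB_DMZ"
        run iptables -A FORWARD -i "$WANETH" -o "$DMZETH" -d "$WEB_DMZ" \
            -p tcp --dport "$port" -j ACCEPT
    done
}

# outbound_lan: intranet clients leave via SNAT; the FTP control channel
# is allowed explicitly, the data channel is handled by allow_established.
outbound_lan() {
    run iptables -t nat -A POSTROUTING -o "$WANETH" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC_IP"
    run iptables -A FORWARD -i "$LANETH" -o "$WANETH" -s "$LAN_NET" \
        -p tcp --dport 21 -j ACCEPT
}

# log_and_drop: anything else arriving on $WANETH is noted in the system
# log (new SYNs only, to keep the log readable) and dropped.
log_and_drop() {
    run iptables -A FORWARD -i "$WANETH" -p tcp --syn \
        -j LOG --log-prefix "FW-DROP:"
    run iptables -A FORWARD -i "$WANETH" -j DROP
}

# build_ruleset: order matters, the ACCEPT rules must precede the DROP
build_ruleset() {
    load_ftp_helpers
    allow_established
    public_web
    outbound_lan
    log_and_drop
}

build_ruleset
```

Run it as is to review the generated commands; run it with `DRY_RUN=0` as root to apply them. The order inside `build_ruleset` is the point to check: a catch-all `-i $WANETH -j DROP` appended before the web ACCEPT would silently kill the DNATed traffic.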