Forward to DMZ addresses

Jonathan Villa jonathan at innovativesource.net
Thu Aug 18 20:33:03 CEST 2005


>> What would I DNAT (--to-source) to?  My understanding is to check for
>> ESTABLISHED,RELATED state and forward onto either LAN/DMZ interface, but
>> how do I receive where --to-source should be?
>
> If you have a DNATing rule set up for traffic that is destined to your DMZ
> server coming in to your router on eth1 as such:
>
> iptables -t nat -A PREROUTING -i ${WAN} -d ${ExternalIP} -j DNAT --to-destination ${DMZServerIP}
> iptables -t filter -A FORWARD -i ${WAN} -o ${DMZ} -d ${DMZServerIP} -j ACCEPT
> iptables -t filter -A FORWARD -i ${DMZ} -o ${WAN} -s ${DMZServerIP} -j ACCEPT
>
> You will need something similar to this as well:
>
> iptables -t nat -A PREROUTING -i ${LAN} -d ${ExternalIP} -j DNAT --to-destination ${DMZServerIP}
> iptables -t filter -A FORWARD -i ${LAN} -o ${DMZ} -d ${DMZServerIP} -j ACCEPT
> iptables -t filter -A FORWARD -i ${DMZ} -o ${LAN} -s ${DMZServerIP} -j ACCEPT
>
> The idea behind this is that you are DNATing the traffic that is coming in
> from the world.  When you try to access your server's (globally routable)
> IP from your LAN your traffic will be coming in the interface connected to
> your LAN (eth0) and thus not match the first rule above.  This is why you
> need a similar rule to match on traffic that is coming in on your LAN
> interface.
>
> Note:  I went ahead and explicitly included rules for the FORWARD chain in
> the filter table that may be covered under a different rule; use your
> discretion on these.
>
>> Ah...thanks.  Didn't think about that
>
> No problem.  Ideas are what this list is for.
>
>> IP Network = xx.xx.xx.182
>> Router WAN interface = xx.yyy.y.241
>> Router LAN interface = xx.xx.xx.183
>> Firewall eth0 connected to LAN switch = 10.123.x.x
>> Firewall eth1 connected to router = xx.xx.xx.184
>> Firewall eth2 connected to DMZ switch = xx.xx.xx.185
>> DMZ server eth0 connected to DMZ switch = xx.xx.xx.186
>
> # Let's handle any outgoing and returning LAN traffic.
> iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t filter -A FORWARD -i eth0 -o eth1 -j ACCEPT
> # Presumably any traffic returning from outbound requests will be in a state of established (or related) and thus is not destined to the DMZ server.
> # I think this situation will be taken care of inherently.
>
> # Let's forward any (NEW or RELATED) traffic coming in to the WAN IP from the world over to the DMZ server.
> iptables -t nat -A PREROUTING -i eth1 -d xx.yy.yy.240 -m state --state NEW,RELATED -j DNAT --to-destination xx.xx.xx.186
> iptables -t filter -A FORWARD -i eth1 -o eth2 -d xx.xx.xx.186 -j ACCEPT
> iptables -t filter -A FORWARD -i eth2 -o eth1 -s xx.xx.xx.186 -j ACCEPT
>
> # Let's forward any traffic coming in to the WAN IP from the LAN over to the DMZ server.
> iptables -t nat -A PREROUTING -i eth0 -d xx.yy.yy.240 -j DNAT --to-destination xx.xx.xx.186
> iptables -t filter -A FORWARD -i eth0 -o eth2 -d xx.xx.xx.186 -j ACCEPT
> iptables -t filter -A FORWARD -i eth2 -o eth0 -s xx.xx.xx.186 -j ACCEPT
>
> # We need to SNAT the traffic out to the world.
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xx.yy.yy.240
>
>
>> LAN stuff works just fine...well, at least from what I can tell and it's
>> the only section with local IP's.  The others are all using globally
>> routable IP's from my block.
>>
>> Currently, and as stated before, I can access everything from the
>> firewall
>> itself, just can't pass through.
>>
>> **Once I get a basic setup going, I should be able to figure it out...
>> it's just this hurdle right now
>


Ok, I'm starting to see the logic...I think

I'm not sure about 2 of the examples

iptables -t nat -A PREROUTING -i ${WAN} -d ${ExternalIP} -j DNAT --to-destination ${DMZServerIP}

Is $ExternalIP the external IP of the firewall or the dmz machine?

and then...

iptables -t filter -A FORWARD -i ${DMZ} -o ${LAN} -s ${DMZServerIP} -j ACCEPT

I'm understanding this as "allow any packets from the DMZ to the LAN".  I
would prefer to not allow DMZ->LAN, i.e. using FORWARD, could I not do

iptables -t filter -A FORWARD -i ${DMZ} -o ${LAN} -m state --state ESTABLISHED,RELATED -s ${DMZServerIP} -j ACCEPT

**normally I would just try it, but I'm not near the server right now...

and then the final SNAT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xx.yy.yy.240

wouldn't this SNAT everything outgoing, even the DMZ traffic?  I'll have
about 5 servers on the DMZ once this is all working
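The following script is an added example, not something posted in the thread, that puts the pieces above together the way the last message is reaching for: ${ExternalIP} is read as the firewall's public address (the address packets are sent to before DNAT), DMZ -> LAN forwarding is limited to ESTABLISHED,RELATED reply traffic so the DMZ server cannot open connections into the LAN, and the POSTROUTING SNAT is restricted with -s to the private LAN so the DMZ servers' own globally routable addresses are not rewritten. The interface names and the 10.123.x.x LAN come from the thread; the /16 mask and the 203.0.113.x addresses (RFC 5737 documentation space) are assumptions standing in for the masked addresses in the posts.

```shell
#!/bin/sh
# Added example: three-interface firewall ruleset for the layout in the thread.
# Assumptions: LAN mask /16, and 203.0.113.x placeholder addresses in place of
# the masked xx.yy.yy.240 / xx.xx.xx.186 from the posts.
# Run with no argument to print the rules; run as root with "apply" to load them.
IPT="${IPT:-iptables}"

WAN=eth1                       # firewall interface towards the router
LAN=eth0                       # firewall interface towards the LAN switch
DMZ=eth2                       # firewall interface towards the DMZ switch
LAN_NET=10.123.0.0/16          # private LAN (assumed mask)
EXT_IP=203.0.113.240           # firewall's public address (placeholder)
DMZ_SERVER=203.0.113.186       # DMZ server reached via the public address (placeholder)

# Default-deny forwarding; accept reply traffic for any connection already tracked.
base_rules() {
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# LAN hosts may open new connections to the world; replies are covered above.
lan_rules() {
    $IPT -t filter -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
}

# Connections to the public address, whether they arrive from the world ($WAN)
# or from the LAN ($LAN), are DNATed to the DMZ server and then allowed towards
# the DMZ only. No rule accepts NEW connections from $DMZ to $LAN, so DMZ -> LAN
# is only the ESTABLISHED,RELATED reply traffic accepted in base_rules.
dmz_rules() {
    for in_if in $WAN $LAN; do
        $IPT -t nat -A PREROUTING -i $in_if -d $EXT_IP -j DNAT --to-destination $DMZ_SERVER
        $IPT -t filter -A FORWARD -i $in_if -o $DMZ -d $DMZ_SERVER -m state --state NEW -j ACCEPT
    done
    # The DMZ server may open connections to the world with its own public address.
    $IPT -t filter -A FORWARD -i $DMZ -o $WAN -s $DMZ_SERVER -m state --state NEW -j ACCEPT
}

# SNAT only the private LAN. Without -s this rule would also rewrite the source
# of every DMZ host leaving via $WAN, which is the concern raised in the thread.
snat_rules() {
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $EXT_IP
}

rules() {
    base_rules
    lan_rules
    dmz_rules
    snat_rules
}

case "${1:-}" in
    apply) rules ;;                       # load into the kernel (requires root)
    *)     IPT="echo iptables"; rules ;;  # dry run: print the iptables commands
esac
```

After loading, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show the per-rule packet counters, which is the quickest way to confirm that a connection from the LAN to the public address is hitting the -i eth0 DNAT rule and that the single POSTROUTING rule is counting only LAN traffic.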
