Problem with ipchains routing/masquerading/dmz


Post by ludmilla markowsk » Wed, 26 Dec 2001 03:20:10



I have a thick problem.  On a Linux router with Debian 2.2 I would like to
do masquerading between the interfaces eth0 (WAN) and eth2 (LAN).
Interface eth0 should also work as a normal router to eth1 (DMZ).
At first, until everything is working, security is not important...
I tried the following without success:

#!/bin/sh
# /etc/init.d/rc.firewall
# simple masquerading and routing between outside and dmz

ipchains -F
ipchains -X

ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A forward -s 192.168.0.0/24 -i eth0 -j MASQ

thanks for your help and Merry X-Mas!
ludmilla

 
 
 


Post by heho » Wed, 26 Dec 2001 05:30:28



> I have a thick problem.  On a linuxrouter with Debian 2.2 I would like to
> make masquerading
> between the interface eth0 (WAN) and eth2 (LAN).
> Interface eth0 should although work as quite normally router to eth1(DMZ).
> First times - until everything is working - there is no importance on
> security...
> I tried the following without success:

> #!/bin/sh
> # /etc/init.d/rc.firewall
> # simple masquerading and routing between outside and dmz

> ipchains -F
> ipchains -X

> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY

better is REJECT

Try instead:
ipchains -P input ACCEPT
ipchains -P output ACCEPT


> ipchains -A input -i lo -j ACCEPT
> ipchains -A output -i lo -j ACCEPT
> ipchains -A forward -s 192.168.0.0/24 -i eth0 -j MASQ

Skip the first two lines.

You might also want to enable masquerading:
echo "1" > /proc/sys/net/ipv4/ip_forward

You might also want to read the Firewall howto and the Masquerading Howto.

hh
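
The changes suggested in the reply above, put together for the three-interface setup from the first post, as an added example that is not part of the thread. It prints the rules and applies them only when APPLY=1 is set; the DMZ range 192.0.2.0/24 and the helper names are assumptions, since the thread never gives the DMZ addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: rules are printed.
# Set APPLY=1 as root on an ipchains (2.2 kernel) router to apply them.
WAN_IF=eth0                 # from the thread
DMZ_IF=eth1                 # from the thread
LAN_NET=192.168.0.0/24      # from the MASQ rule in the thread
DMZ_NET=192.0.2.0/24        # placeholder: the thread gives no DMZ range

run() {
    # Print the command; execute it only when APPLY=1.
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

firewall_rules() {
    run ipchains -F
    run ipchains -X
    # Policies as suggested in the reply: input/output open while testing.
    # forward stays closed, so only the rules below pass routed traffic.
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY
    # In the forward chain, -i matches the interface the packet leaves by.
    # LAN -> WAN: masquerade. Replies are demasqueraded on input and skip
    # the forward chain, so no return rule is needed.
    run ipchains -A forward -s "$LAN_NET" -i "$WAN_IF" -j MASQ
    # WAN <-> DMZ: plain routing in both directions, no address rewriting.
    run ipchains -A forward -d "$DMZ_NET" -i "$DMZ_IF" -j ACCEPT
    run ipchains -A forward -s "$DMZ_NET" -i "$WAN_IF" -j ACCEPT
}

enable_forwarding() {
    # Turn on routing last, once the forward rules are in place.
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    if [ "${APPLY:-0}" = 1 ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

firewall_rules
enable_forwarding
```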

 
 
 


Post by Dean Thompso » Thu, 27 Dec 2001 11:12:30


Hi!



>>I have a thick problem.  On a linuxrouter with Debian 2.2 I would like to
>>make masquerading
>>between the interface eth0 (WAN) and eth2 (LAN).
>>Interface eth0 should although work as quite normally router to eth1(DMZ).
>>First times - until everything is working - there is no importance on
>>security...
>>I tried the following without success:

>>#!/bin/sh
>># /etc/init.d/rc.firewall
>># simple masquerading and routing between outside and dmz

>>ipchains -F
>>ipchains -X

>>ipchains -P input DENY
>>ipchains -P output DENY
>>ipchains -P forward DENY

> better is REJECT

> Try instead:
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT

>>ipchains -A input -i lo -j ACCEPT
>>ipchains -A output -i lo -j ACCEPT
>>ipchains -A forward -s 192.168.0.0/24 -i eth0 -j MASQ

> Skip the first two lines.

> You might also want to enable masquerading:
> echo "1" > /proc/sys/net/ipv4/ip_forward

> You might also want to read the Firewall howto and the Masquerading Howto.

Take a look at this HOWTO called: "ipchains-howto" located at
http://www.linuxdoc.org.

See ya

Dean Thompson


 
 
 

1. DMZ and ipchains and routing

Hi,

Isn't there anybody who had the same problem?
I want to use my Linux box as a DMZ firewall. The architecture is very
similar to the example in the IPCHAINS-HOWTO.

   External Network (BAD)
           |
        router  192.84.219.30
           |
           |
        switch (for unprotected servers) 192.84.219.20
           |
       eth2|
   -----------------
   | 192.84.219.10 |              Server Network (DMZ)
   |               |eth0
   |               |-------------------------------------------------
   |               |192.84.219.250   |              |               |
   |               |                 |              |               |
   |192.168.1.250  |                 |              |               |
   -----------------             --------        -------         -------
           | eth1                | SMTP |        | DNS |         | WWW |
           |                     --------        -------         -------
           |                  192.84.219.128  192.84.219.129  192.84.218.130
           |
   Internal Network (GOOD)

And now my question: How do I have to set up the routing? I think it is a
problem that the eth2 interface and the eth0 interface are (logically) in the
same network (192.84.219.0). I also want to run some servers at the
eth2 interface (in front of the firewall). Do I have to split the
192.84.219.0 network into subnets or is there another solution for that? I
don't want to use private IPs for the DMZ because I don't want to do
port forwarding for every port.

Thanks a lot,

Hape
