TCLUG Archive
Re: [TCLUG:13179] Firewall!!! (again)
On Tue, Feb 01, 2000 at 10:03:40AM -0600, Nate Carlson wrote:
> You need to do ip forwarding between the two interfaces. Here's something
> that should get you working:
> ipchains -P forward ACCEPT
AAAAHHHHHHH!!!!!!!
*REEOOOO...REEEEOOO...REOOOOO* Achtung!!! Alarm! No! Nicht! Niet!
Nada!!!
You have the classic Internet-DMZ-LAN setup... Check out section 7 of the
IPCHAINS-HOWTO. It's pretty straightforward. In fact, I've modeled most
of my firewall stuff off it. What you need to do, though, is set up a
lan-dmz chain and a dmz-lan chain.
Your lan-dmz chain should allow your client-server traffic, including
ping. If you have an email server or web server in your dmz, then that is
the traffic you let through. If you want ping, then let that through, but
you should not do the following:
ipchains -P forward ACCEPT
unless the last rule of the chain is:
ipchains -A forward -j DENY -l
Otherwise, you're just opening yourself up. You basically said, "Yeah,
I'll accept any internet traffic coming through to my LAN." Yes, it's
more complicated than that, but it's usually a good practice to log those
denied packets you don't expect to see very often. Plus, it gives you a
good view as to what type of traffic you see on your networks.
My advice to you is read IPCHAINS-HOWTO more closely. If you need the
quick fix between your LAN net and your DMZ net, use a rule like
ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
ipchains -A forward -j DENY -l
At least this way if you have a packet that hits your inet-if and tries to
destine itself for your dmz or your lan, it won't get forwarded.
Another hint, the -j DENY -l is VERY useful for debugging WHY something
won't go through. Open up a console w/'tail -f /var/log/syslog' and play
around. Add rules as you need to.
--
Chad Walstrom mailto:chewie@wookimus.net
a.k.a ^chewie, gunnarr http://wookimus.net/~chewie
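The lan-dmz / dmz-lan layout described in the mail above, as an added example script that is not from the original post or the IPCHAINS-HOWTO; interface names, the LAN and DMZ networks and the two DMZ host addresses are assumed values. It prints the ruleset for review by default and only applies it when run with "apply", so the chain order (explicit accepts first, logged DENY last) can be checked before anything touches the kernel.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Interfaces and
# networks below are assumptions; change them to match your setup.
INET_IF=eth0   # Internet-facing (no forward rule references it: nothing from it is forwarded)
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_WEB=192.168.2.10    # constructed web server address in the DMZ
DMZ_MAIL=192.168.2.11   # constructed mail server address in the DMZ

# Emit the ruleset, one ipchains command per line.
# Note: in the forward chain, -i names the interface the packet will LEAVE on.
# ipchains is stateless, so replies from the DMZ are admitted by matching
# non-SYN TCP packets (! -y) rather than a connection table.
build_rules() {
    cat <<EOF
ipchains -P forward DENY
ipchains -F forward
ipchains -N lan-dmz
ipchains -N dmz-lan
ipchains -A lan-dmz -p tcp -s $LAN_NET -d $DMZ_WEB 80 -j ACCEPT
ipchains -A lan-dmz -p tcp -s $LAN_NET -d $DMZ_MAIL 25 -j ACCEPT
ipchains -A lan-dmz -p icmp -s $LAN_NET -d $DMZ_NET -j ACCEPT
ipchains -A lan-dmz -j DENY -l
ipchains -A dmz-lan -p tcp -s $DMZ_NET -d $LAN_NET ! -y -j ACCEPT
ipchains -A dmz-lan -p icmp -s $DMZ_NET -d $LAN_NET -j ACCEPT
ipchains -A dmz-lan -j DENY -l
ipchains -A forward -i $DMZ_IF -s $LAN_NET -d $DMZ_NET -j lan-dmz
ipchains -A forward -i $LAN_IF -s $DMZ_NET -d $LAN_NET -j dmz-lan
ipchains -A forward -j DENY -l
EOF
}

# Sanity check: the final forward rule must be the logged catch-all deny,
# which is what makes the 'tail -f /var/log/syslog' debugging trick work.
last_rule_is_logged_deny() {
    build_rules | tail -n 1 | grep -q -- '-A forward -j DENY -l$'
}

if [ "$1" = "apply" ]; then
    last_rule_is_logged_deny || { echo "refusing: no logged DENY at end" >&2; exit 1; }
    build_rules | sh
else
    build_rules
fi
```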