crowl
07-25-2004, 01:36 AM
My lab:
Internet - PIX - DMZ - Debian box with two network cards - Intranet
PIX IP: 192.168.0.10
Debian eth0 IP: 192.168.0.11
Debian eth1 IP: 172.19.0.11
The debian box should seperate the internet/dmz from local lan
(intranet). IPtables should work as firewall. All traffic from lan ->
internet should be allowed. All traffic from internet -> lan should be
blocked except established connection opened from lan site.
I have a iptables script, but it seems that I have missconfigured
something. If I try to do a ping a website or a pop3 request to my
internet provider from my machine inside the lan (ip 172.19.l.55), I
get no answer. SSH access to the debian box is working.
Here my script, hopefully that someone can help me to figure out my
mistake. Thanks in advance.
# intranet
IFACE_INT=eth1
# internet
IFACE_EXT=eth0
# loopback
IFACE_LO=lo
# flush filters
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# accept ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# enable ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# *** INPUT ***
# allow all from intranet
iptables -A INPUT -i $IFACE_INT -j ACCEPT
# no internet connection with a local ip!
iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/16 -j DROP
# allow established internet connection
iptables -A INPUT -i $IFACE_EXT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** FORWARD ***
# intranet -> internet allow all
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT
# internet -> intranet only if for established connection
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** OUTPUT ***
# intranet
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT
# loopback
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT
# internet
iptables -A OUTPUT -o $IFACE_EXT -j ACCEPT
# Masquerading
iptables -A POSTROUTING -o $IFACE_EXT -t nat -j MASQUERADE
Internet - PIX - DMZ - Debian box with two network cards - Intranet
PIX IP: 192.168.0.10
Debian eth0 IP: 192.168.0.11
Debian eth1 IP: 172.19.0.11
The debian box should seperate the internet/dmz from local lan
(intranet). IPtables should work as firewall. All traffic from lan ->
internet should be allowed. All traffic from internet -> lan should be
blocked except established connection opened from lan site.
I have a iptables script, but it seems that I have missconfigured
something. If I try to do a ping a website or a pop3 request to my
internet provider from my machine inside the lan (ip 172.19.l.55), I
get no answer. SSH access to the debian box is working.
Here my script, hopefully that someone can help me to figure out my
mistake. Thanks in advance.
# intranet
IFACE_INT=eth1
# internet
IFACE_EXT=eth0
# loopback
IFACE_LO=lo
# flush filters
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# accept ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# enable ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# *** INPUT ***
# allow all from intranet
iptables -A INPUT -i $IFACE_INT -j ACCEPT
# no internet connection with a local ip!
iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/16 -j DROP
# allow established internet connection
iptables -A INPUT -i $IFACE_EXT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** FORWARD ***
# intranet -> internet allow all
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT
# internet -> intranet only if for established connection
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** OUTPUT ***
# intranet
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT
# loopback
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT
# internet
iptables -A OUTPUT -o $IFACE_EXT -j ACCEPT
# Masquerading
iptables -A POSTROUTING -o $IFACE_EXT -t nat -j MASQUERADE