From: Mart Frauenlob on
On 06.03.2010 12:48, Bonno Bloksma wrote:
> Hi,
>
>>> I want a service on a server in my DMZ to be available via the standard port for internal
>>> machines
>>> but on a non-standard port to the outside.
>>>
>>> I have on my firewall machine
>>> $IPTABLES -t nat -A PREROUTING -d $SERVERIP -p tcp --dport $EXTPORT -j DNAT --to
>>> $SERVERIP:$INTPORT
>>> and this seems to work to make the service available.
>>>
>>> Now all I need to do is block access from the outside to the standard port on the server.
>>> However if I add
>>> $IPTABLES -t nat -A PREROUTING -d $SERVERIP -p tcp --dport $INTPORT -j DROP
>>> I get a warning:
>>> The "nat" table is not intended for filtering, hence the use of DROP is deprecated and will
>>> permanently be disabled in the next iptables release. Please adjust your scripts.
>>>
>>> But I cannot add it to the FORWARD chain as this
>>> $IPTABLES -A FORWARD -d $SERVERIP -p tcp --dport $INTPORT -j DROP
>>> will block access to the service via the EXTPORT as well. After all the packet passes the FORWARD
>>> chain after it has been changed by the PREROUTING chain.
>
>
>> Use the external interface in your nat rule, for the internet mapping.
>>
>> -t nat -A PREROUTING -i $EXT_IFACE -d $PUBLIC_IP -p tcp --dport
>> $EXT_PUBLIC_PORT -j DNAT --to-destination $SERVER_INT_IP:$INT_PORT
>>
>> in FORWARD chain of filter table, allow this:
>>
>> -A FORWARD -i $EXT_IFACE -d $SERVER_INT_IP -p tcp --dport $INT_PORT -j
>> ACCEPT
>
> All external traffic is coming via the external interface, internal traffic to the DMZ server will
> never reach this firewall.
> Either I'm not understanding what you try to write or maybe my situation is not clear enough. My
> situation is:
> INTERNET -- ExtFirewall -- DMZ -- IntFirewall -- Internal network
>
> All servers in the DMZ have public ip numbers. There is no difference in external and internal ip
> number.
> Traffic from the outside to a DMZ server will pass the external firewall and never reach the
> internal firewall
> Traffic from the inside to a DMZ server will pass the internal firewall and never reach the
> external firewall
>
> Besides transforming outside traffic to the ip:extport combination I only need to block outside
> traffic to the ip:intport combination.
> As far as I know, after the handling by the nat table there is no difference in traffic that was
> originally to the extport and then translated and traffic that was to the internal port all the time.
> :-(
> But, maybe I'm wrong.
>
> Bonno Bloksma
>
>

You did not mention there are two firewalls.
Yes I was assuming a different picture.

-t nat -A PREROUTING -i $EXT_IFACE -d $SERVER_IP -p tcp --dport
$EXT_PUBLIC_PORT -j DNAT --to-destination $SERVER_IP:$INT_PORT

-t filter -A FORWARD -i $EXT_IFACE -p tcp -m conntrack --ctorigdstport
$EXT_PUBLIC_PORT --ctstate NEW,ESTABLISHED -j ACCEPT

Would be a possibility, I think.

Best regards

Mart
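The packet path Bonno describes (DNAT in PREROUTING rewriting the port before FORWARD ever sees it) and Mart's conntrack-based fix, as an added Python model that is not part of the thread; the address, interface name and port numbers are constructed, and the model assumes a default DROP for anything the conntrack rule does not accept.

```python
# Constructed model of the iptables packet path discussed in this thread:
# nat PREROUTING rewrites the destination port, then filter FORWARD sees
# the rewritten packet, while conntrack still remembers the original
# destination port (what -m conntrack --ctorigdstport matches on).
# Added illustration, not code from the thread; values are constructed.
from dataclasses import dataclass

SERVER_IP = "203.0.113.10"   # constructed public DMZ address
EXT_IFACE = "eth0"           # constructed external interface name
EXT_PORT = 2222              # non-standard port exposed to the internet
INT_PORT = 22                # standard port, meant for internal clients only


@dataclass
class Packet:
    in_iface: str
    dst: str
    dport: int
    ct_orig_dport: int = 0   # recorded by conntrack before NAT runs


def prerouting(pkt: Packet) -> Packet:
    """nat PREROUTING: DNAT ext port -> int port, remembering the original."""
    pkt.ct_orig_dport = pkt.dport
    if pkt.in_iface == EXT_IFACE and pkt.dst == SERVER_IP and pkt.dport == EXT_PORT:
        pkt.dport = INT_PORT
    return pkt


def forward_naive(pkt: Packet) -> str:
    """Bonno's first attempt: drop by the (already rewritten) dport."""
    if pkt.dst == SERVER_IP and pkt.dport == INT_PORT:
        return "DROP"
    return "ACCEPT"


def forward_conntrack(pkt: Packet) -> str:
    """Mart's variant: match on the original destination port instead."""
    if pkt.in_iface == EXT_IFACE and pkt.ct_orig_dport == EXT_PORT:
        return "ACCEPT"
    return "DROP"   # assumed default policy for other outside traffic


def verdict(chain, in_iface: str, dport: int) -> str:
    """Run one packet to SERVER_IP through PREROUTING and the given FORWARD chain."""
    return chain(prerouting(Packet(in_iface, SERVER_IP, dport)))


if __name__ == "__main__":
    for chain in (forward_naive, forward_conntrack):
        for port in (EXT_PORT, INT_PORT):
            print(f"{chain.__name__}: dport {port} -> {verdict(chain, EXT_IFACE, port)}")
```

The naive chain drops both the translated EXT_PORT connection and the direct INT_PORT one, while the conntrack chain only lets the connection that originally targeted EXT_PORT through.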
From: Pascal Hambourg on
Bonno Bloksma wrote:
>> [...]
>> Can't you just have your services listen on both ports and just filter
>> the forbidden port on the external firewall ? My motto is that NAT
>> should be avoided as much as possible.
>
> I did not think that was possible but... after looking once more at the docs it turns out it is
> indeed possible to have this service listen on more than one port.
> So now the service is indeed listening on both ports, I block the default port from the outside and
> I have A LOT less failed connections in my logfiles due to automated hacking attempts. :-)

That's good. This way when you switch to IPv6, you won't be annoyed by
the lack of NAT support for IPv6. Yeah, IPv6 is a rehab cure against
addiction to NAT. ;-)