Three legged firewall with iptables. How to manage DMZ? - iptables

I'm trying to implement a Three legged firewall but my iptables rules for the DMZ are not working as expected.
The Three legged firewall is a Firewall with 3 NIC's. One for the Router, One for the DMZ and one for the LAN.
My DMZ network is on another network separately from the LAN. There is a route rule between the Firewall and the DMZ.
Firewall LAN NIC: 192.168.0.1
Firewall DMZ NIC: 192.168.100.1
DMZ Server IP: 192.168.100.12
The DMZ Server gateway is 192.168.100.1
So as a DMZ I will allow all connections from the Internet thought the Firewall to the DMZ and forbid only the outgoing connections from the DMZ to the LAN (to keep it safe) but allow the incoming ones.
But I wasn't be able to block all incoming/outgoing connections to test if iptables rules are applying properly.
So I tried (always in the Firewall):
iptables -A FORWARD -s 192.168.100.12 -d 0.0.0.0 -j DROP
iptables -A FORWARD -d 192.168.100.12 -s 0.0.0.0 -j DROP
But I still can RDP to the server, navigate, and all.
Okay maybe an INPUT/OUTPUT:
iptables -A INPUT -s 192.168.100.12 -j DROP
iptables -A OUTPUT -d 192.168.100.12 -j DROP
But it was the same.
As a result I wasn't able to block all the connections to my DMZ Server proving that my rules weren't working at all.
I'm not a network guy but a programmer guy, so I'm completely sure that my poor networking skills are failling here so hard. Sorry for that.
Thank you for the help!

Okay. I think I solved it
iptables -A FORWARD -s 192.168.100.0/24 -d 192.168.0.0/24 -j DROP
iptables -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 192.168.100.0/24 -i $dmz_i -j DROP
That was the correct rules to block the access to the Firewall (the INPUT rule) and to the LAN (the FORWARD rules)
Thanks!

Related

iptables FORWARD rule blocking return traffic

I have a VM running OpenVPN with client-to-client disabled and I need some specific forwarding rules. IP forwarding on the VM is turned on.
The OpenVPN base network is 172.30.0.0/16 and that is further subdivided into /24 subnets with their own rules.
172.30.0.0/24 should have access to all the clients. The rest should not. I have 2 subnets defined at the moment; 172.30.0.0/24 and 172.30.10.0/24.
Following the suggestion at the bottom here;
https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/ - I set up my rules as follows;
iptables -A FORWARD -i tun1 -s 172.30.0.0/24 -j ACCEPT
iptables -P FORWARD DROP
This does not work. If I add a -j LOG at the top, I can see that traffic from my client at 172.30.0.1 connects fine to the client at 172.30.10.3, but all traffic it sends BACK is blocked.
If I set the policy to ACCEPT everything works and I can connect to the client just fine, so this is not a routing problem.
How can I set this up? And why doesn't the suggestion in that OpenVPN guide work?
I solved this by adding
iptables -A FORWARD -i tun1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
which allows established connections to return. Everything works as desired now.

Change source and destination address iptables

I need to transform destination IP of packets when they arrive from our client, ands also transform the source IP of packages leaving our network to the client's network.
I have IPSec VPN tunnel with a client on a Linux box. The machine has two interfaces with the following config:
eth0: 172.15.100.5
eth1: 172.15.100.15 (public IP 33.x.x.x)
Application server is 172.15.100.50.
Clients IP: 10.26.18.38/32
Client cannot use our internal IP 172.15.100.50 to talk to the application via the tunnel. Instead, they will send traffic through the VPN to 172.20.100.55 (which is not our IP) and they need us to response with source IP as 172.20.100.55.
My thinking is that I should be able to use iptables POSTROUTING and PREROUTING transform destination IP of incoming traffic from 10.20.100.55 to 172.15.100.50 (application server), and outgoing traffic from our network application server IP 172.15.100.50 to 10.20.100.55. However, I am not sure of the correct way to achieve this.
iptables -t nat -I PREROUTING -i eth1 -d 10.20.100.55 -j DNAT --to 172.15.100.50
iptables -t nat -I POSTROUTING -i eth0 -d 10.26.18.38 -j SNAT --to 172.20.100.55
I have monitored traffic with tcpdump and on the application server, but it would appear my NAT rule is not working.

SQL Server linux forwarding

I'm wondering if I could forward SQL queries from localhost to another local IP address?
I don't want to install SQL Server on Linux, but I need to connect to it on another PC through localhost.
Thanks
You can use iptables:
iptables -A FORWARD -p tcp -i eth0 -s localhost -d x.x.x.x --dport 3306 -j ACCEPT
where x.x.x.x is the mysql server ip address, and eth0 is the interface you use.
It seems like you are asking if you are on a Linux machine you want to query to localhost and have that query forwarded to a SQL Server. In this case the above answer is partially correct and will allow packets to be forwarded but doesn't actually perform the forward/redirect. You also say "SQL Server" which I take to mean MS SQL Server. The default port in this case is listed as 1433. You would actually need (2) rules:
# iptables -t nat -A PREROUTING -p tcp -i lo -d localhost --dport 1433 -j DNAT --to-destination x.x.x.x # where x.x.x.x is the SQL Server IP address
# iptables -A FORWARD -i lo -p tcp --dport -j ACCEPT # only if your default FORWARD policy is DROP. Otherwise you just need the prerouting rule.

Redirecting from outgoing loopback traffic - is it possible?

I have 2 kinds of proxies in my local machine : stunnel and TOR-VPN.
stunnel is listening on port 6666
TOR-VPN is listening on port 9040
I want to get web traffic to go to stunnel first and the output traffic of stunnel go to tor-vpn. This needs double redirecting. is it possible to do it with iptables? I mean by using "table nat chain OUTPUT".
Because as far as I know "table nat chain OUTPUT" cant be called twice.
web traffic = browser listening on 127.0.0.1:6666
these are my rules:
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp -j
REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bob -m udp
--dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp --dport 6666 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp
--dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner bob -m udp
--dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner bob -j DROP
the above rules make stunnel work independently from TOR/VPN.
i mean when browser is set with proxy, no traffic will go through TOR/VPN but if i turn off the proxy in browser, all traffic will go through TOR/VPN.
now i want to let browser have the proxy on and all web traffic go to stunnel first, but outgoing stunnel traffic(outgoing loopback traffic) redirects to TOR/VPN(127.0.0.1:9040)
is it possible ? how can i do that? somehow i mean double redirecting inside system.
Policy of all tables is ACCEPT
Checking that this is what you mean :
You have stunnel bound to port 6666 (localhost:6666) and you have tor bound to 9040 (localhost:9040). You want it so your web traffic will go THROUGH stunnel (so destination is localhost:6666) but the OUTBOUND traffic FROM stunnel (with inbound traffic originally from your client redirected to stunnel) should be DESTINED to tor (localhost:9040) ? Is this correct ?
If so, and I am thinking clearly enough (it is just 7:00 and I've been awake far too many hours for a difficult night), this is indeed possible (the reverse is, too). You need to masquerade the destination address (and indeed port) based on the source (address and port (you don't have to specify both, I might add)). Something like this:
iptables -t nat -I PREROUTING -p tcp --sport 6666 -j DNAT --to-destination 9040
If this is not what you mean (or alternatively I made a typo, am not clear headed or being an idiot in some way (in all cases showing myself to be a user as everyone is!), if any it is probably the latter) then please respond. I'll see about enabling email notification so that I see the response. If I don't, however, I apologise in advance.
As an aside: unless you have a final rule in each CHAIN (not table, just as an fyi: a table is filter, nat (which I specify in the above and indeed it is necessary), etc. and CHAIN is INPUT, OUTPUT, FORWARD and others created by the option -N) you shouldn't have -P ACCEPT ('that which is not explicitly permitted is forbidden' and similar wording - i.e. have DROP). The exception is perhaps OUTPUT (but depends on what you need, in the end). However, when dealing with interface 'lo' you'll want to ACCEPT all traffic always, in any case (i.e. specify -i lo and -o lo, depending on chain, and jump to ACCEPT). Of course, maybe you're behind another device but still best practise to not accept anything and everything! (I should also state that you have different chains per table so yes you can specify different tables but the policy is for the chain IN that table)
Edit: something else: no, you don't have to deal with SNAT when you want DNAT and the reverse is true. Anything to the contrary is a misunderstanding. The reason is you're masquerading the CONNECTION. As the man page shows:
It specifies that the destination address of the
packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.
Edit:
If I understand you (now) you actually have two interfaces involved. Or more specifically you need the following:
You have a service you want encrypted. This is tor. Now, you're using stunnel to do this. To this end you want stunnel to forward traffic to tor. Is this right? If yes, then know that stunnel has the following directives (I actually use similar for something else). Here's a mock setup of a service.
[tor]
accept = 6666
connect = 9040
In addition, just as a note: connect can also be a remote address (remote address implies an external address (with port) or even a certain interface (by IP and also with port) on the system (I use external in the sense of you specify ip and port rather than just a port). Furthermore, accept can specify address (with same rules: ip before the port (except that it is obviously on the local machine so no external IP)). You could explain it, perhaps, as stunnel is where the service would bind to except that the service is stunnel and the service it is encrypting is elsewhere (shortly: the bind(2) call allows specific IP or all IPs on the system, and you're basically configuring stunnel to do this).
(And yes, you're right: the sport should have been dport.)
IF this is not what you need then I do not understand all variables. In that case, if you can elaborate on which interfaces (this includes ports and which service per interface) are involved as well as clients involved (and where they send). Because it is a lot more helpful if others know EXACTLY what you need than infer certain parts. Makes it much easier to solve a problem if you know what the problem is entirely. Maybe I've been dense and I should put together it all (and I admit sleep problems - which I have for a long, long time - does not help that, but...) I haven't, I think.
I found the answer by myself. in my first post, i said something that was completely wrong and because of that, i could not do double redirecting.
i said:
Because as far as I know "table nat chain OUTPUT" cant be called twice
it is wrong and "table nat chain OUTPUT" can be called twice. i dont know what exactly i did 2 months ago that thought "table nat chain OUTPUT" cant be called twice.
this is the tables and chains order when using some services on loopback interface or not:
Without having any services on loopback:
Generated packets on local machine -> nat(OUTPUT) -> filter(OUTPUT) -> wlan(ethernet) interface
With having some services on loopback:
Generated packets on local machine -> nat(OUTPUT) -> filter(OUTPUT) -> loopback interface -> nat(OUTPUT) -> filter(OUTPUT) -> wlan(ethernet) interface
these are my rules to solve the problem:
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 6666 -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -d "StunnelServerIp" -o wlan0 -p tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 6666 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner bob -j DROP

Setting up iptables for a hostapd wifi login page

I need some custom iptables for a login page of my wifi hotspot on my raspberry pi. I want an http login page: this is how it should work, I just don't know how to configure the iptables.:
Any connections on an ip address that is not already logged in, should be redirected to the pi's port 8181 (the server for my login page).
Any connections on an ip address that is logged in should be allowed to access the outside internet.
Any connections initially requesting the pi's port 8181 should be allowed.
How should I set this up with iptables?
Thanks!
I've found the following article very helpful when learning iptables:
http://wiki.centos.org/HowTos/Network/IPTables
Basically you can start with a something similar to:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
This will block pretty much everything other than SSH, outgoing connections, and connections that are previously established (ie from previous outgoing connections)
Once that is in place you need to do the redirection:
http://proghowto.com/iptables-redirect-port-80-to-port-8080
And finally you need to run something like the following for each ip that gets authenticated:
# iptables -A INPUT -s 192.168.0.4 -j ACCEPT