[Sussex] ipchains help please

Steve Dobson SDobson at manh.com
Fri Feb 28 09:16:03 UTC 2003


Derek

On 27 February 2003 at 19:15 Derek Harding
> Once again I haven't been able to get to the meeting!
Sorry you couldn't make it - there were some new faces last night
as well.

> Can someone help please.

I'll do my best.

> Gateway/firewall box running SuSE 7.1 with kernel 2.2.x and 
> the "old" masquerade modules, all OK as a gateway (the 
> smtp/pop3 server is in the DMZ and is masqueraded to - so to 
> speak) with eth0 (10.18.203.1) pointing in and eth1 
> (10.18.200.1) pointing to the DMZ/Internet. Therefore default 
> ipchains (deny everything and use the masquerade and squid) 
> is configured.

I assume that you've based your network design on this 
diagram from the IPCHAINS-HOWTO
    (http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-7.html)

   External Network (BAD)
           |
           |
       ppp0|
    ---------------
    | 192.84.219.1|             Server Network (DMZ)
    |             |eth0
    |             |----------------------------------------------
    |             |192.84.219.250 |             |              |
    |             |               |             |              |
    |192.168.1.250|               |             |              |
    ---------------          --------       -------        -------
           | eth1            | SMTP |       | DNS |        | WWW |
           |                 --------       -------        -------
           |              192.84.219.128  192.84.219.129  192.84.218.130
           |
   Internal Network (GOOD)

But all the addresses you have quoted are in the network 10.x.x.x.
This is a private network.  Your ISP's routers will NOT route
packets in that address space.  You cannot have a DMZ as the
above diagram shows.

I don't like the way this is laid out.  All the addresses used
are very similar to each other and that can be confusing.  At
home I run two networks (CAT5 on 10.x.x.x and WiFi on 192.168.x.x).
At first I had them on sub-nets of 10.x.x.x but I was getting 
confused with which packets were meant to be going where.  Most
of my IP addresses were made up of 1s and 0s (e.g. 10.1.0.1 ->
10.10.10.10).  When I switched my WiFi to the 192.168.x.x space
it then became very, very clear where packets were from and where
they were going to.

There are two possible things wrong with your set-up:

1). Your ISP has assigned to you a single [dynamic] IP address
    for your network. (The configuration for a home user).
    If so you cannot have a DMZ; as only one machine on your network
    is given an address that the rest of the internet can talk to.
    The connection machine must masquerade for all your other
    machines.  From other parts of your posting this is what
    I will assume.

2). Your ISP has assigned you a range of static IP addresses.
    If this is the case then the machines in the DMZ should be
    configured with addresses in that range.  The firewall should
    then be configured to forward those packets that you wish
    to allow to the DMZ.  Masquerading should be turned off
    for these packets.

> Problem, webserver (10.18.203.69) inside the firewall. The 
> ISP is redirecting external www requests to eth1 on port 
> 8080. What rules do I need to get from 10.18.200.1:8080 to 
> the inside box on 10.18.203.69:8080 (and back out!)? The 
> kernel on the firewall is compiled correctly and forwarding 
> is enabled.

How can the ISP redirect packets to 10.18.203.69?  It's a private
address - anyone can use it.  If we share the same ISP (or even if
we don't for that matter) and I configure a machine to the same
address then how would the ISP(s) know which machine a packet with
a destination address of 10.18.203.69 is for?

A way forward
=============

I would also suggest that you upgrade to the 2.4.x kernel and
iptables.  The NAT in there is much better (so I'm told - I never
used ipchains) - but this should be possible with IPChains.

I think what you are looking for is the set-up I have for e-mail.

   External Network (BAD)
           |
           |
       ppp0|
    +------+--------+
    |194.222.168.155| Server Network (CAT5)
    |               |eth0
    |               |----------+
    |     hub       |10.0.0.1  |
    |               |          |
    |  192.168.0.1  |      eth0|10.0.0.2
    +---------------+      +-----------+
           |wlan0          | krasnegar |
           |               +-----------+
     Laptop Network        CNAME post
         (WiFi)

My configuration has the following features (the exact set-up
is too complex for me to remember - I'd need to be at home to
provide details):

* I configured a routing rule so that packets from post to the IP
  address range of my ISP's e-mail servers are allowed through.

* Any SMTP packets that hit hub are redirected to post.

* All outgoing packets are masqueraded as coming from 192.222.168.155.

This works really, really well.  I may set this up for HTTP next - got
to be worth it.  If you upgrade to iptables I'd be happy to share my
configuration set-up scripts with you.

Hope this helps

Steve
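The port forward Derek asked for, written out as an added example by the
editor (this is not Steve's configuration script nor anything from the
original post).  It follows the "way forward" above: the iptables rules for
a 2.4 kernel, with the 2.2-era equivalent beside them.  Interface roles and
addresses (eth1 outside at 10.18.200.1, eth0 inside at 10.18.203.1, web
server 10.18.203.69:8080) are taken from Derek's message; the ipchains and
ipmasqadm lines, the rule ordering and the RFC 1918 check are the editor's
assumptions.  By default it only prints the rules; run it as root with
APPLY=1 to load them.

```shell
#!/bin/sh
# Added example, not from the original post.  Port-forward 8080 on the
# ISP-facing interface to a web server behind the firewall, for iptables
# (2.4) and, as an assumed equivalent, ipmasqadm/ipchains (2.2).

EXT_IF="${EXT_IF:-eth1}"                 # towards the ISP (10.18.200.1 in the post)
INT_IF="${INT_IF:-eth0}"                 # towards the LAN (10.18.203.1 in the post)
EXT_ADDR="${EXT_ADDR:-10.18.200.1}"      # the address the ISP "redirects" port 8080 to
INT_NET="${INT_NET:-10.18.203.0/24}"     # the inside network
WEB_HOST="${WEB_HOST:-10.18.203.69}"     # the web server behind the firewall
WEB_PORT="${WEB_PORT:-8080}"
IPT="${IPT:-iptables}"

# RFC 1918 test: returns 0 (true) for 10/8, 172.16/12 and 192.168/16.
# This is the check Steve applies by hand: nobody outside your own network
# can route to a private address, so the address the ISP forwards to must be
# public.  The DNAT target itself may be private.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 1 when the ISP-facing address is private (Derek's 10.18.200.1 is).
check_ext_addr() {
    if is_rfc1918 "$EXT_ADDR"; then
        echo "warning: $EXT_ADDR is RFC 1918; your ISP cannot route to it" >&2
        return 1
    fi
    return 0
}

# iptables, 2.4 kernel: rewrite the destination on the way in, allow the
# forwarded connection plus replies to outbound traffic, let the inside
# network out, and masquerade everything leaving the ISP-facing interface.
portfw_rules_24() {
    cat <<EOF
$IPT -P FORWARD DROP
$IPT -t nat -A PREROUTING -i $EXT_IF -d $EXT_ADDR -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_HOST -p tcp --dport $WEB_PORT -j ACCEPT
$IPT -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
}

# ipchains, 2.2 kernel (editor's assumption): port forwarding lived in the
# ipmasqadm tool, not in ipchains itself.  The input rule is needed because
# the post's default policy denies everything; in the forward chain "-i" is
# the interface the packet leaves by.
portfw_rules_22() {
    cat <<EOF
ipchains -P forward DENY
ipchains -A input -i $EXT_IF -p tcp -d $EXT_ADDR $WEB_PORT -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXT_ADDR $WEB_PORT -R $WEB_HOST $WEB_PORT
ipchains -A forward -i $INT_IF -p tcp -d $WEB_HOST $WEB_PORT -j ACCEPT
ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ
EOF
}

# Run each emitted rule; stop at the first one the kernel rejects.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$1" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

check_ext_addr || true    # warn, but still show the rules
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules portfw_rules_24
else
    portfw_rules_24
fi
```

With the post's addresses the script prints the warning first, which is
Steve's point in one line: the rules are right, but nothing from the ISP
will ever arrive at 10.18.200.1, so the forward has to land on whatever
public address the ISP actually hands the firewall.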
