Comments:
<0> hi my friends
<0> i have a firewall with 3 network cards, eth1 net internal, eth2 DMZ and eth0 net external (internet). i put a rule where my users exit to the internet with port 80 http, this rule is ok, but i need to put a network for my users to connect from the internal net with my webmail in the
<0> DMZ
<0> how do i configure this
<1> jsan: second URL in topic; I think you just need another DNAT and maybe an SNAT rule
<0> if the user gets webmail he is going to DMZ, if he gets to www.google.com he is going to the net external
<1> -i eth1 -d $webmailip -j DNAT ...
<0> danieldg i am very confused, is it possible to help me?
<1> what IP ranges are on each interface?
<0> in internal interface i have 10.50.0.0/24, in DMZ interface i have 172.16.0.1 address interface DMZ and 172.160.0.4 Mail server with webmail, the users are in internal network and the problem is when the users get webmail in DMZ
<0> but if the users get www.google.com.br these users exit to the internet without problem
<0> understand?
<0> the forward between net internal and DMZ i create with correct ports
<1> ok, so what
<1> DNAT rules do you have
<0> i dont know how i construct the DNAT rules
<0> this is my problem,
<1> you already have one, right?
<0> i have one only so users go to the internet
<0> with MASQUERADE
<0> this i have
<1> ok, do you have a port forward for the web server?
<0> yes i create this rule
<0> $PF -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -s $NET_INT -d $DMZ_SRVMAIL -j ACCEPT
<0> $PF -A FORWARD -i eth2 -o eth1 -p tcp --sport 80 -s $DMZ_SRVMAIL -d $NET_INT -j ACCEPT
<0> eth1 = internal interface, eth2 interface DMZ
<1> anything with DNAT?
<1> those rules just allow the traffic
<0> nothing between net internal and DMZ
<1> so 'iptables-save|grep DNAT' gives nothing
<0> yes those rules allow the traffic but when i try to surf from the net internal to the DMZ webmail the webmail doesnt get
<0> between internal network and DMZ there isnt DNAT rules
<0> only between external net and DMZ
<1> what is the DNAT rule that nats for the webserver
<0> between external -->> webserver DMZ
<0> only this
<0> imagine this
<0> you have a firewall with 3 network cards and you have a DMZ with the services WEBSERVER + MAIL-webmail, and DNS EXTERNAL
<0> but in the internal network (network card internal in the firewall) you have DNS internal resolving the ips of the DMZ and external
<0> you need to resolve the external ips, this is ok with port 80, but when your users need to get webmail they are going to get in the DMZ
<0> so, you need to resolve port 80 in the internet and in the DMZ (webmail) understand?
<1> you don't have to change DNS unless you want to
<1> do you have the DNS for webmail pointing to the 172.16.0.4 (from internal)?
<1> (sorry, had a phone call)
<0> no problem
<0> yes i have a DNS in the internal network (10.50.0.0) and when the users get webmail.teste.com.br the DNS server responds 172.16.0.4, the 172.16.0.4 is in eth2 of the firewall
<1> ok, so then you don't need any DNAT rules at all
<1> (for the internal clients)
<0> no
<1> just allow them in FORWARD
<0> only this
<0> between internet and DMZ for users the internet resolves ips in the DMZ
<0> understand?
<0> i have only FORWARD
<1> I don't understand that statement
<0> imagine this
<0> you have a dns internal with the address of the dmz
<1> yes
<0> if you need to get webmail.teste.com.br you are going to exit port 80 in the eth2 - interface of the dmz to 172.16.0.4
<1> yes
<0> if you need to exit to the internet port 80 www.google.com.br you are going to exit to eth0 external interface
<0> ok
<0> to the internet i exit
<0> but to the dmz i dont exit
<0> between network internal and dmz network
<1> so just add rules to ACCEPT the packets to the DMZ from the internal
<0> yes
<0> but what rules?
<0> only forward no resolve
<1> iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
<1> that allows internal full access
<0> i use this and it doesnt resolve my problems
<0> the internal network is network 10.50.0. and the DMZ is 172.60.0
<1> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
<0> i dont do this related established
<1> why not?
<0> i dont remember to put this rule
<0> then only forward is necessary
<1> yes
<0> because the networks are in the similar segment eth1 and eth2 in the firewall
<0> yes?
<1> you don't need a NAT rule because the firewall is acting as a router
<0> danieldg iptables -A or iptables -I ???
<1> same thing, -I just puts it at the top
<0> my friend
<0> doesnt resolve my problem
<0> danieldg if i put a postrouting?
<1> you don't need anything more in postrouting
<0> i dont understand why it doesnt resolve my problems with forward
<0> i am very confused
<1> add a log rule to forward
<0> how?
<1> iptables -A FORWARD -j LOG
<0> where do i see the log?
<0> the errors
<1> dmesg
<0> nothing
<1> ok, check where the packets are going with tcpdump or ethereal
<0> danieldg i dont know what i need to do
<0> i am very confused
<2> Tux_Paranoid ?
<0> daniels i try but i dont have good results
<3> mark3l
<4> I am still trying to resolve an issue with DNS requests going over two bridges. br-dmz is on eth0. br-apps is on eth1.
<4> Using iptables, I see the request go through FORWARD and into POSTROUTING. I snat it to my public IP address.
<4> I cannot see any response using logging in iptables. HOWEVER, I can see the response coming back in on eth0 using tcpdump.
<4> So what the heck am I doing wrong? If iptables can't see it then how can I confirm that conntrack is working?
<4> 'cause it appears like it isn't.
<4> Once I SNAT the udp packet 53, shouldn't conntrack manage the return request and redirect to the appropriate IP address?
<4> Here is something more... cat /proc/net/ip_conntrack shows that the udp packet has been snat'd.
<4> Packet and byte count show 0. [Unreplied]
<4> And here is something weird. When tcpdump is running, the udp response comes through INPUT chain. (confirmed via LOG) But without tcpdump running, the response does not hit INPUT. I assume this has something to do with promiscuous mode or something.
<4> It obviously has something to do with routing.
<4> So let me summarize:
<4> tcpdump monitoring br-dmz sees the outbound, snat'd dns lookup on port 53. It then shows the inbound packet to the public IP address and a second packet dnat'd to my original ip address.
<4> if that made sense...
<4> Anyway...
<4> tcpdump monitoring br-apps shows only the outbound packet.
<4> I confirmed that /proc/net/ip_conntrack shows the responses coming back. Therefore, I believe this is a routing problem.
<4> route shows destination 10.1.0.0/16 uses gateway 10.1.0.254 which is br-apps ip address.
<4> How can I troubleshoot route to know the requests it got and where it decided to route them to?
<4> BTW, arp does show that 10.1.0.32 is assigned to the br-apps interface.
<4> Anyone home?
<4> Ahhh... got it. I didn't have the gateway address defined for my 10.1.0.0 network. Rockin!
<4> That only took two days.
<4> It is always the simple things!
<5> heh
<6> hi im trying to use --tcp-flags with the default install of iptables on debian
<1> you need -p tcp before --tcp-flags
<6> i was wondering if maybe i have the syntax wrong, or if that option isnt supported in version 1.2.11
<6> i have that before them telling it the traffic is tcp
<1> ok, what's the problem
<6> hmm
<6> thats interesting, im sorry to have bothered you, apparently it works but the shell script i wrote has it wrong
<6> this box accepted the command: iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
<6> so it has to be the shell script
<6> alright thanks and sorry to have bothered you... g'night
<7> hello
<7> sorry, was testing
<8> hello Guys....
<8> I need one help. Please see in my example: #iptables -t mangle -A FORWARD -j MARK --set-mark 100 This will mark the value of packet to 100. I would like to know what will be the value of packet before it will marked to 100.
<8> oh... god, nobody here to communicate here
<8> what are you doing you all guys, yaar
<9> I saw the question but don't know the answer!
<9> I don't think there would be a mark before the --set-mark.
<8> oh... thanks dear rob0, anyway, I would like to discuss on iptables, as I've some issues on it.
<8> as we use -j QUEUE, I would like to know more about this QUEUE?
<9> I don't know about that, either ... :(
<8> ok rob0 no problem