DMZ and iptables break my head!!! Advanced help please!!!!
OK, let's make some changes, only for test purposes.
Make a copy of your script. Erase everything, and make a new script with only:
Please note: WITHOUT "-m tcp"; I don't know where it came from.
# iptables-restore format; the DNAT rule belongs in the nat table, the policies and FORWARD rules in filter
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
COMMIT
When you apply that script, nothing should work except for transit traffic.
Next do "iptables --zero"; it will zero the counters.
Make sure with "iptables-save" that you have only the rules you need.
Do echo "1" > /proc/sys/net/ipv4/ip_forward.
Check that the counters are zero (all of them).
Then ask someone to do, from outside: "telnet <server IP> 80"
We don't care if the server refuses the telnet; we need to find out if it comes in.
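The counter check the post above asks for, as an added example that is not part of the thread: a POSIX shell helper that reads the text `iptables-save -c` prints and lists only the chain policies and rules whose packet counter is non-zero, so that after the outside "telnet <server IP> 80" probe it is obvious which entries the packets hit. The sample output embedded below is constructed; 198.51.100.89 stands in for the redacted public address, and the private address and interface names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads `iptables-save -c` text
# and keeps only the entries that have seen packets.

# hit_rules: filter iptables-save -c output (stdin) down to the entries
# with a non-zero packet counter. Output lines look like
#   nat: -A PREROUTING ... -j DNAT ... (2 pkts)
#   filter: policy INPUT DROP (1 pkts)
hit_rules() {
    awk '
        # "*nat" / "*filter" lines name the table the following entries belong to
        /^\*/ { table = substr($0, 2); next }

        # rule lines: "[pkts:bytes] -A CHAIN ..."
        /^\[/ {
            split(substr($1, 2, length($1) - 2), c, ":")
            if (c[1] + 0 > 0) {
                sub(/^\[[0-9]+:[0-9]+\] /, "")
                print table ": " $0 " (" c[1] " pkts)"
            }
            next
        }

        # chain lines: ":CHAIN POLICY [pkts:bytes]"; the policy counter counts
        # packets that matched no rule and fell through to the default policy
        /^:/ {
            if (match($0, /\[[0-9]+:[0-9]+\]/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), c, ":")
                if (c[1] + 0 > 0)
                    print table ": policy " substr($1, 2) " " $2 " (" c[1] " pkts)"
            }
        }
    '
}

# On the router itself, run this right after the outside probe
# (iptables -Z prints nothing; the counters only show up in iptables-save -c).
live_hits() {
    iptables-save -c | hit_rules
}

# Constructed sample of what iptables-save -c might print after one probe
# that was DNATed and forwarded, plus one unrelated packet dropped by INPUT.
SAMPLE='*nat
:PREROUTING ACCEPT [3:180]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[2:120] -A PREROUTING -d 198.51.100.89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
COMMIT
*filter
:INPUT DROP [1:60]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[2:120] -A FORWARD -i eth0 -o eth2 -j ACCEPT
[0:0] -A FORWARD -i eth2 -o eth0 -j ACCEPT
COMMIT'

# sample_hits: run the filter over the constructed sample
sample_hits() {
    printf '%s\n' "$SAMPLE" | hit_rules
}
```

Reading the result: if the nat PREROUTING DNAT rule and the filter FORWARD eth0-to-eth2 rule both count up after the probe, the packets are being translated and forwarded; if instead only the filter INPUT policy counter grows, the DNAT rule is not matching and the packets are being treated as addressed to the router itself.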
Telnetting from a Windows client connected through wifi on an ISP that's NOT the same one that provides Internet to the server under test.
Result: "Could not open connection to the host, on port 80: Connect failed", the same in 2 attempts.
I attach 3 files.
zero.txt (iptables-save): after running the script and echo 1 to ip_forward, and before iptables --zero
zero1.txt (iptables-save -c): after iptables --zero and before telnetting
Now I cannot telnet; nobody near me can do it at this hour... But as it did not connect before, I'll skip that and send you all the rest...
The command "iptables -Z > file.txt" doesn't write anything... and I saw "iptables-save -c" as the right command for counters.... Also "iptables-save -Z > file.txt" warns "-Z no options..."... Any idea?
Last edited by MikeHammer; 12-19-2009 at 12:58 AM.
I'm waiting for the files; they are interesting.
You just need to do the telnet and nothing else, and after that send the output of "iptables-save" here. Counters will be zeroed after a reboot, or if all modules are unloaded.
Forget about it. Do the telnet and send the file.
Thanks
P.S. telnet should not work; we use it for test purposes.
zero.txt (iptables-save): after running the script, echo 1 to ip_forward and iptables --zero
zero1.txt (iptables-save): after telnetting.
Again thanks
PS: I'm confused because I see that, again, neither zero txt shows anything about -A PREROUTING -d 190.xxx.xxx.x89/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.222.22:80
Now I'm sending fire.txt, which contains the firewall script, so you can check... In the file I sent you, the script line "-d 190.xxx.xxx.xx9/32" has been changed for privacy reasons... but in the real script it's the right IP...
Last edited by MikeHammer; 12-19-2009 at 11:35 PM.
Reason: Add file